International Association
for Cryptologic Research

This paper introduces CycleFold, a new and conceptually simple approach to instantiate folding-scheme-based recursive arguments over a cycle of elliptic curves, for the purpose of realizing incrementally verifiable computation (IVC). Existing approach to solve this problem originates from BCTV (CRYPTO'14) who describe their approach for a SNARK-based recursive argument, and it was adapted by Nova (CRYPTO'22) to a folding-scheme-based recursive argument. A downside of this approach is that it represents a folding scheme verifier as a circuit on both curves in the cycle. (e.g., with Nova, this requires $\approx$10,000 multiplication gates on both curves in the cycle).

CycleFold’s starting point is the observation that folding-scheme-based recursive arguments can be efficiently instantiated without a cycle of elliptic curves—except for a few scalar multiplications in their verifiers (2 in Nova, 1 in HyperNova, and 3 in ProtoStar). Accordingly, CycleFold uses the second curve in the cycle to merely represent a single scalar multiplication ($\approx$1,000--1,500 multiplication gates). CycleFold then folds invocations of that tiny circuit on the first curve in the cycle. This is nearly an order of magnitude improvement over the prior state-of-the-art in terms of circuit sizes on the second curve. CycleFold is particularly beneficial when instantiating folding-scheme-based recursive arguments over “half pairing” cycles (e.g., BN254/Grumpkin) as it keeps the circuit on the non-pairing-friendly curve minimal. The running instance in a CycleFold-based recursive argument consists of an instance on the first curve and a tiny instance on the second curve. Both instances can be proven using a zkSNARK defined over the scalar field of the first curve.

On the conceptual front, with CycleFold, an IVC construction and nor its security proof has to explicitly reason about the cycle of elliptic curves. Finally, due to its simplicity, CycleFold-based recursive argument can be more easily be adapted to support parallel proving with the so-called "binary tree" IVC.

Recently, Abdalla, Gong and Wee (Crypto 2020) provided the first functional encryption scheme for attribute-weighted sums (AWS), where encryption takes as input $N$ (unbounded) attribute-value pairs $\{\vec{x}_i, \vec{z}_i\}_{I \in [N]}$ where $\vec{x}_i$ is public and $\vec{z}_i$ is private, the secret key is associated with an arithmetic branching programs $f$, and decryption returns the weighted sum ${\sum}_{{i \in [N]}} f(\vec{x}_i)^\top \vec{z}_i$, leaking no additional information about the $\vec{z}_i$'s. We extend FE for AWS to the significantly more challenging multi-party setting and provide the first construction for {\it attribute-based} multi-input FE (MIFE) supporting AWS. For $i \in [n]$, encryptor $i$ can choose an attribute $\vec{y}_i$ together with AWS input $\{\vec{x}_{i,j}, \vec{z}_{i,j}\}$ where $j \in [N_i]$ and $N_i$ is unbounded, the key generator can choose an access control policy $g_i$ along with its AWS function $h_i$ for each $i \in [n]$, and the decryptor can compute

$$\sum_{i \in [n]}\sum_{j \in [N_{i}]}h_{i}(\vec{x}_{i,j})^{\top}\vec{z}_{i,j} \text{ iff } g_{i}(\vec{y}_{i}) =0 \text{ for all } i \in [n]$$ Previously, the only known attribute based MIFE was for the inner product functionality (Abdalla et al.~Asiacrypt 2020), where additionally, $\vec{y}_i$ had to be fixed during setup and must remain the same for all ciphertexts in a given slot. Our attribute based MIFE implies the notion of multi-input {\it attribute based encryption} (\miabe) recently studied by Agrawal, Yadav and Yamada (Crypto 2022) and Francati, Friolo, Malavolta and Venturi (Eurocrypt 2023), for a conjunction of predicates represented as arithmetic branching programs (ABP). Along the way, we also provide the first constructions of multi-client FE (MCFE) and dynamic decentralized FE (DDFE) for the AWS functionality. Previously, the best known MCFE and DDFE schemes were for inner products (Chotard et al.~ePrint 2018, Abdalla, Benhamouda and Gay, Asiacrypt 2019, and Chotard et al.~Crypto 2020). Our constructions are based on pairings and proven selectively secure under the matrix DDH assumption.

We are looking for two PhD students who will work on cryptography and privacy-enhancing technologies with applications in advanced metering infrastructure (AMI) and data analytics. The positions are a fully funded PhD position. The candidates must hold a Master's degree in Computer Science, Electrical and Computer Engineering, or a related area, and a have a strong background in mathematics and cryptography and good programming skills. The application materials should contain a curriculum vitae, a research statement, transcripts of Bachelor's and Master's and the name and contact information of two references. The starting date is January 2024, but applications will be accepted until the position is filled.

Closing date for applications:

Contact: Kalikinkar Mandal (kmandal@unb.ca)

We are seeking a highly motivated 3-6 month intern to assist in a project on the security of neural networks. Strong background in linear algebra and probability theory is required. Prior experience with Verilog hardware description language (HDL) and Cadence electronic design automation (EDA) tools for application-specific integrated circuit (ASIC) design is preferred, but not mandatory. Research internships will be available year-round, beginning in the Fall of 2023, and visa sponsorship will be provided for international applicants. The starting date for the position is flexible and comes with a competitive salary.

Closing date for applications:

Contact: Please contact Dr. Seetal Potluri (spotluri@albany.edu) for more information.

UAlbany is seeking a highly motivated 3-6 month intern to assist in a project on building accelerators for homomorphic encryption. Strong background in classical cryptography, modular arithmetic, and number theory is required. Students with prior experience with Verilog hardware description language (HDL) and Cadence electronic design automation (EDA) tools for application-specific integrated circuit (ASIC) design are preferred. Research internships will be available year-round, beginning in the Fall of 2023, and visa sponsorship will be provided for international applicants. The starting date for the position is flexible and comes with a competitive salary.

Closing date for applications:

Contact: Please contact Dr. Seetal Potluri (spotluri@albany.edu) for more information.

This is an exciting opportunity to join the University of Birmingham’s Centre for Cyber Security and Privacy on the EPSRC funded project ‘IOTEE: Securing and analysing trusted execution beyond the CPU, led by Prof David Oswald and Prof Mark Ryan.

Trusted Execution Environments (TEEs) allow users to run their software in a secure enclave while assuring the integrity and confidentiality of data and applications. However, cloud computing these days relies heavily on peripherals such as GPUs, NICs, and FPGAs. Extending the security guarantees of CPU-based TEEs to such accelerators is currently not possible. New technologies are being proposed to address this, notably the PCIe Trusted Device Interface Security Protocol (TDISP). In this project, together with researchers at the University of Southampton, we will thoroughly evaluate the security guarantees of this new PCIe standard and its ability to provide trusted execution against strong adversaries. This will involve the use of formal modelling, as well as researching various software and hardware attacks and countermeasures against them.

This project is aligned with the UK's Research Institute for Secure Hardware and Embedded System (RISE), and the successful candidate will have the chance to disseminate their findings at relevant events. They will also have the opportunity to closely work with the team of Dr Ahmad Atamli and Prof Vladi Sassone (both University of Southampton) as the main academic project partner.

Candidates should have a PhD e.g. in cyber security, computer science, or electrical engineering. They should have experience in embedded security, binary analysis, physical attacks such as side-channel analysis and fault injection, and/or formal modelling; evidenced through publications in highly ranked conferences/journals in the field. In exceptional circumstances, we will also consider candidates without a PhD but with equivalent industry experience.

Applications are accepted until14 August 2023, using the following link https://edzz.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_6001/job/2681/

Closing date for applications:

Contact: Informal enquiries can be made to David Oswald: d.f.oswald@bham.ac.uk

More information: https://edzz.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_6001/job/2681/

Technology Innovation Institute (TII) is a publicly funded research institute, based in Abu Dhabi, United Arab Emirates. It is home to a diverse community of leading scientists, engineers, mathematicians, and researchers from across the globe, transforming problems and roadblocks into pioneering research and technology prototypes that help move society ahead.

Cryptography Research Center

In our connected digital world, secure and reliable cryptography is the foundation of digital information security and data integrity. We address the world’s most pressing cryptographic questions. Our work covers post-quantum cryptography, lightweight cryptography, cloud encryption schemes, secure protocols, quantum cryptographic technologies and cryptanalysis.

Job Description:

We are seeking a skilled and motivated individual to join our team in a hardware engineer internship position with expertise in hardware acceleration. The ideal candidate will have experience working with fully-homomorphic encryption and a strong background on FPGA design for acceleration.

PhD or master's degree with strong background in hardware design

Experience with Linux kernel driver development is desired but not required

Contribute to the design and improvement of acceleration frameworks

Familiarity with HW/SW co-design integrated over PCIe on FPGAs is desirable

Ability to work in a team with diverse background and research experiences

Good oral and written communication skills

Design and implement efficient hardware acceleration solutions to accelerate fully-homomorphic encryption operations

Conduct system-level performance evaluations and troubleshoot any hardware or software issues

Closing date for applications:

Contact:

Dr. Kashif Nawaz - Director
Kashif.nawaz@tii.ae

Fully Homomorphic Encryption (FHE) has emerged as a promising technology for processing encrypted data without the need for decryption. Despite its potential, its practical implementation has faced challenges due to substantial computational overhead. To address this issue, we propose the $first$ chiplet-based FHE accelerator design `REED', which enables scalability and offers high throughput, thereby enhancing homomorphic encryption deployment in real-world scenarios. It incorporates well-known wafer yield issues during fabrication which significantly impacts production costs. In contrast to state-of-the-art approaches, we also address data exchange overhead by proposing a non-blocking inter-chiplet communication strategy. We incorporate novel pipelined Number Theoretic Transform and automorphism techniques, leveraging parallelism and providing high throughput.

Experimental results demonstrate that REED 2.5D integrated circuit consumes 177 mm$^2$ chip area, 82.5 W average power in 7nm technology, and achieves an impressive speedup of up to 5,982$\times$ compared to a CPU (24-core 2$\times$Intel X5690), and 2$\times$ better energy efficiency and 50\% lower development cost than state-of-the-art ASIC accelerator. To evaluate its practical impact, we are the $first$ to benchmark an encrypted deep neural network training. Overall, this work successfully enhances the practicality and deployability of fully homomorphic encryption in real-world scenarios.

Vehicle-to-grid (V2G) networks, as an emerging smart grid paradigm, can be integrated with renewable energy resources to provide power services and manage electricity demands. When accessing electricity services, an electric vehicle(EV) typically provides authentication or/and payment information containing identifying data to a service provider, which raises privacy concerns as malicious entities might trace EV activity or exploit personal information. Although numerous anonymous authentication and payment schemes have been presented for V2G networks, no such privacy-preserving scheme supports authentication and payment simultaneously. Therefore, this paper is the first to present a privacy-preserving authentication scheme with anonymous payment for V2G networks (PAP, for short). In addition, this scheme also supports accountability and revocability, which are practical features to prevent malicious behavior; minimal attribute disclosure, which maximizes the privacy of EV when responding to the service provider's flexible access policies; payment binding, which guarantees the accountability in the payment phase; user-controlled linkability, which enables EV to decide whether different authentication sessions are linkable for continuous services. On the performance side, we implement PAP with the pairing cryptography library, then evaluate it on different hardware platforms, showing that it is essential for V2G applications.

The KpqC competition has begun in 2022, that aims to standardize Post-Quantum Cryptography (PQC) in the Republic of Korea. Among the 16 submissions of the KpqC competition, the lattice-based schemes exhibit the most promising and balanced features in performance. In this paper, we propose an effective classical CCA attack to recover the transmitted session key for NTRU+, one of the lattice-based Key Encapsulation Mechanisms (KEM) proposed in the KpqC competition, for the first time. With the proposed attacks, we show that all the suggested parameters of NTRU+ do not satisfy the claimed security. We also suggest a way to modify the NTRU+ scheme to defend our attack.

In this paper we continue the study of two-round broadcast-optimal MPC, where broadcast is used in one of the two rounds, but not in both. We consider the realistic scenario where the round that does not use broadcast is asynchronous. Since a first asynchronous round (even when followed by a round of broadcast) does not admit any secure computation, we introduce a new notion of asynchrony which we call $(t_d, t_m)$-asynchrony. In this new notion of asynchrony, an adversary can delay or drop up to $t_d$ of a given party's incoming messages; we refer to $t_d$ as the deafness threshold. Similarly, the adversary can delay or drop up to $t_m$ of a given party's outgoing messages; we refer to $t_m$ as the muteness threshold.

We determine which notions of secure two-round computation are achievable when the first round is $(t_d, t_m)$-asynchronous, and the second round is over broadcast. Similarly, we determine which notions of secure two-round computation are achievable when the first round is over broadcast, and the second round is (fully) asynchronous. We consider the cases where a PKI is available, when only a CRS is available but private communication in the first round is possible, and the case when only a CRS is available and no private communication is possible before the parties have had a chance to exchange public keys.

The encryption processes and cryptosystems are very important. We use them to protect our private information over the Internet. Cellular automata are ones of the computational models that can also be used in cryptosystems. The advantage of the cellular automata is their abilities to work in parallel, and thus can reduce the encryption time. Some applications require the encryption time to be small, so this paper aims to reduce the encryption time of the cellular automata cryptosystems. We propose a new technique to permit the cryptosystems to get the avalanche effect faster. This avalanche effect is one of the desired properties for cryptosystems. In the proposed technique, the new type of neighbor is defined, a sequence of neighbor tuples. We apply our technique to Seredynski and Bouvry’s work, and the results show that the number of iterations can be reduced up to three times. This makes our cellular automata cryptosystems run faster. The relationship between the size of the neighbor and the size of the cellular automata, and the effect of neighbor sequences to the hardware implementations are left for further studies.

Zero-knowledge range proofs play a critical role in confidential transactions (CT) on blockchain systems. They are used to prove the non-negativity of committed transaction payments without disclosing the exact values. Logarithmic-sized range proofs with transparent setups, e.g., Bulletproofs, which aim to prove a committed value lies in the range $[0, 2^N-1]$ where $N$ is the bit length of the range, have gained growing popularity for communication-critical blockchain systems as they increase scalability by allowing a block to accommodate more transactions. In this paper, we propose SwiftRange, a new type of logarithmic-sized zero-knowledge range argument with a transparent setup in the discrete logarithm setting. Our argument can be a drop-in replacement for range proofs in blockchain-based confidential transactions. Compared with Bulletproofs, our argument has higher computational efficiency and lower round complexity while incurring comparable communication overheads for CT-friendly ranges, where $N \in \{32,64\}$. Specifically, a SwiftRange achieves 1.61$\times$ and 1.32$\times$ proving efficiency with no more than 1.1$\times$ communication costs for both ranges, respectively. More importantly, our argument offers a $2.3\times$ increase in verification efficiency. Furthermore, our argument has a smaller size when $N \leq 16$, making it competitive for many other communication-critical applications. Our argument supports the aggregation of multiple single arguments for greater efficiency in communication and verification. Finally, we benchmarked our argument against the state-of-the-art range proofs to demonstrate its practicality.

In this work, we propose a novel single-trace key recovery attack targeting side-channel leakage from the key-generation procedure of Kyber KEM. Our attack exploits the inherent nature of the Module-Learning With Errors (Module-LWE) problem used in Kyber KEM. We demonstrate that the inherent reliance of Kyber KEM on the Module-LWE problem results in a higher number of repeated computations with the secret key, compared to the Ring-LWE problem of similar security level. We exploit leakage from the pointwise multiplication operation in the key-generation procedure, and take advantage of the properties of the Module-LWE instance to enable a potential single trace key recovery attack. We validated the efficacy of our attack on both simulated and real traces, and we performed experiments on both the reference and assembly optimized implementation of Kyber KEM, taken from the pqm4 library, a well-known benchmarking and testing framework for PQC schemes on the ARM Cortex-M4 microcontroller. We also analyze the applicability of our attack on the countermeasures against traditional SCA such as masking and shuffling. We believe our work motivates more research towards SCA resistant implementation of key-generation procedure for Kyber KEM.

Time-Lock puzzles (TLP) are cryptographic protocols that enable a client to lock a message in such a way that a server can only unlock it after a specific time period. However, existing TLPs have certain limitations: (i) they assume that both the client and server always possess sufficient computational resources and (ii) they solely focus on the lower time bound for finding a solution, disregarding the upper bound that guarantees a regular server can find a solution within a certain time frame. Additionally, existing TLPs designed to handle multiple puzzles either (a) entail high verification costs or (b) lack generality, requiring identical time intervals between consecutive solutions. To address these limitations, this paper introduces, for the first time, the concept of a "Delegated Time-Lock Puzzle" and presents a protocol called "Efficient Delegated Time- Lock Puzzle" (ED-TLP) that realises this concept. ED-TLP allows the client and server to delegate their resource-demanding tasks to third-party helpers. It facilitates real-time verification of solution correctness and efficiently handles multiple puzzles with varying time intervals. ED-TLP ensures the delivery of solutions within predefined time limits by incorporating both an upper bound and a fair payment algorithm. We have implemented ED-TLP and conducted a comprehensive analysis of its overheads, demonstrating the efficiency of the construction

Side-channel attacks are a fundamental threat to the security of cryptographic implementations. One of the most prominent countermeasures against side-channel attacks is masking, where each intermediate value of the computation is secret shared, thereby concealing the computation's sensitive information. An important security model to study the security of masking schemes is the random probing model, in which the adversary obtains each intermediate value of the computation with some probability $p$. To construct secure masking schemes, an important building block is the refreshing gadget, which updates the randomness of the secret shared intermediate values. Recently, Dziembowski, Faust, and Zebrowski (ASIACRYPT'19) analyzed the security of a simple refreshing gadget by using a new technique called the leakage diagram.

In this work, we follow the approach of Dziembowski et al. and significantly improve its methodology. Concretely, we refine the notion of a leakage diagram via so-called dependency graphs, and show how to use this technique for arbitrary complex circuits via composition results and approximation techniques. To illustrate the power of our new techniques, as a case study, we designed provably secure parallel gadgets for the random probing model, and adapted the ISW multiplication such that all gadgets can be parallelized. Finally, we evaluate concrete security levels, and show how our new methodology can further improve the concrete security level of masking schemes. This results in a compiler provable secure up to a noise level of $ O({1})$ for affine circuits and $ O({1}/{\sqrt{n}})$ in general.

An attribute-based credential system enables users to prove possession of a credential and statements over certified attributes to verifiers in zero-knowledge while maintaining anonymity and unlinkability. In a relational anonymous credential system, users can further prove their relationship to other entities in their social graph, such as position in an organizational hierarchy or friends-of-friends status in an online social network graph, while protecting their own privacy and that of other users involved in the social graph. While traditional anonymous credential schemes make no provisions for privacy-preserving relationship predicates, a relational credential system is more usable, because it can facilitate relationship-based access control with a wide range of predicates and offers strong privacy guarantees for relationship proofs. We propose the first relational credential scheme, based on a new $q$-SDH graph signature scheme and an efficient zero-knowledge proof system for graph predicates. We rigorously prove the security for the proposed scheme and provide a benchmark using Facebook social graphs.

Blockchain has attracted significant attention in recent years due to its potential to revolutionize various industries by providing trustlessness. To comprehensively examine blockchain systems, this article presents both a macro-level overview on the most popular blockchain systems, and a micro-level analysis on a general blockchain framework and its crucial components. The macro-level exploration provides a big picture on the endeavors made by blockchain professionals over the years to enhance the blockchain performance while the micro-level investigation details the blockchain building blocks for deep technology comprehension. More specifically, this article introduces a general modular blockchain analytic framework that decomposes a blockchain system into interacting modules and then examines the major modules to cover the essential blockchain components of network, consensus, and distributed ledger at the micro-level. The framework as well as the modular analysis jointly build a foundation for designing scalable, flexible, and application-adaptive blockchains that can meet diverse requirements. Additionally, this article explores popular technologies that can be integrated with blockchain to expand functionality and highlights major challenges. Such a study provides critical insights to overcome the obstacles in designing novel blockchain systems and facilitates the further development of blockchain as a digital infrastructure to service new applications.

Side-channel attacks against cryptographic implementations are mitigated by the application of masking and hiding countermeasures. Hiding countermeasures attempt to reduce the Signal-to-Noise Ratio of measurements by adding noise or desynchronization effects during the execution of the cryptographic operations. To bypass these protections, attackers adopt signal processing techniques such as pattern alignment, filtering, averaging, or resampling. Convolutional neural networks have shown the ability to reduce the effect of countermeasures without the need for trace preprocessing, especially alignment, due to their shift invariant property. Data augmentation techniques are also considered to improve the regularization capacity of the network, which improves generalization and, consequently, reduces the attack complexity.

In this work, we deploy systematic experiments to investigate the benefits of data augmentation techniques against masked AES implementations when they are also protected with hiding countermeasures. Our results show that, for each countermeasure and dataset, a specific neural network architecture requires a particular data augmentation configuration to achieve significantly improved attack performance. Our results clearly show that data augmentation should be a standard process when targeting datasets with hiding countermeasures in deep learning-based side-channel attacks.

The open-source hardware IP model has recently started gaining popularity in the developer community. This model offers the integrated circuit (IC) developers wider standardization, faster time-to-market and richer platform for research. In addition, open-source hardware conforms to the Kerckhoff’s principle of a publicly-known algorithm and thus helps to enhance security. However, when security comes into consideration, source transparency is only one part of the solution. A complex global IC supply chain stands between the source and the final product. Hence, even if the source is known, the finished product is not guaranteed to match it. In this article, we propose the Open Scan model, in which, in addition to the source code, the IC vendor contributes a library-independent information on scan insertion. With scan information available, the user or a certification lab can perform partial reverse engineering of the IC to verify conformance to the advertised source. Compliance lists of open-source programs, such as of the OpenTitan cryptographic IC, can be amended to include this requirement. The Open Scan model addresses accidental and dishonest deviations from the golden model and partially addresses malicious modifications, known as hardware Trojans. We verify the efficiency of the proposed method in simulation with the Trust-Hub Trojan benchmarks and with several open-source benchmarks, in which we randomly insert modifications.