International Association
for Cryptologic Research

In recent years, the research community has made great progress in improving techniques for privacy-preserving computation such as fully homomorphic encryption (FHE). Despite the progress, there remain open challenges, mostly in the areas of performance and usability, to further advance the adoption of these technologies. This work provides multiple contributions to improve the current state-of-the-art in both areas.

More specifically, we significantly simplify the bootstrapping idea by Carpov, Izabach`ene, and Mollimard [1] for Boolean-based FHE schemes such as FHEW or TFHE, making the concept usable in practice. Based on our simplifications, we provide an easy-to-use interface for amortized bootstrapping implementing our improvements in the open-source library FHE-Deck and provide new parameter sets for multi-bit encryptions with state-of-the-art security.

We build a toolset that compiles high-level code such as C++ to code that executes operations on encrypted data. For this toolset, we propose the first non-trivial FHE-specific optimizations in synthesizing privacy-preserving circuits from high-level code, namely look-up table (LUT) grouping and adder substitution. Using LUT grouping, we reduce the number of bootstrapping required by almost 35 % on average, while for adder substitution, we reduce the number of required bootstrapping by up to 80 % for certain use cases. Overall, the execution time is up to 3.8× faster using our optimizations compared to previous state-of-the-art circuit synthesis.

On-chain mixers, such as Tornado Cash (TC), have become a popular privacy solution for many non-privacy-preserving blockchain users. These mixers enable users to deposit a fixed amount of coins and withdraw them to another address, while effectively reducing the linkability between these addresses and securely obscuring their transaction history. However, the high cost of interacting with existing on-chain mixer smart contracts prohibits standard users from using the mixer, mainly due to the use of computationally expensive cryptographic primitives. For instance, the deposit cost of TC on Ethereum is approximately $1.1m$ gas (i.e., $66$ USD in June 2023), which is $53\times$ higher than issuing a base transfer transaction.

In this work, we introduce the Merkle Pyramid Builder approach, to incrementally build the Merkle tree in an on-chain mixer and update the tree per batch of deposits, which can therefore decrease the overall cost of using the mixer. Our evaluation results highlight the effectiveness of this approach, showcasing a significant reduction of up to $7\times$ in the amortized cost of depositing compared to state-of-the-art on-chain mixers. Importantly, these improvements are achieved without compromising users' privacy. Furthermore, we propose the utilization of verifiable computations to shift the responsibility of Merkle tree updates from on-chain smart contracts to off-chain clients, which can further reduce deposit costs. Additionally, our analysis demonstrates that our designs ensure fairness by distributing Merkle tree update costs among clients over time.

Quantum key distribution (QKD) constitutes the most widespread family of information preservation techniques in the context of Quantum Cryptography. However, these techniques must deal with a series of technological challenges that prevent their efficient implementation, in space, as well as in exclusively terrestrial configurations. Moreover, the current smallsat constellations of Low Earth Orbit (LEO with an altitude of approx. 500 km) added to other satellites in Medium Earth Orbit (MEO), and geostationary orbits (GEO), plus a large amount of space debris present around the planet, have become a serious obstacle for Astronomy. In this work, a classic alternative to QKD is presented, also based on a symmetric key, but with low cost, and high efficiency, which dispenses with all the implementation problems present in the QKD protocols and does not require the use of satellites, and which we will call non-distributable key sharing (NDKS). Due to its low cost, simplicity of implementation, and high efficiency, NDKS is presented as an ideal solution to the problem of cybersecurity on the Internet of Things (IoT), in general, and IoT-fog-clouds, in particular.

The 2023 election is being held to fill the three IACR Director positions currently held by Masayuki Abe, Tancrède Lepoint and Moti Yung, whose 3-year terms are ending.

Nominations are due by October 1st, 2023.
Information about nomination is available at https://iacr.org/elections/2023/announcement.html.

The position is funded by the Norwegian Research Council in the projects: “Lightweight Cryptography for Future Smart Networks” and “OffPAD - Optimizing balance between high security and usability. An innovative approach to endpoint security”.

The NIST Post Quantum Cryptography Standardization is expected to end in 2024, and post-quantum cryptography will be required to secure all sensitive information in the years to come shortly after, e.g., in protocols such as TLS, SSH, FIDO and other systems. Additionally, NIST have announces a new call for quantum secure digital signature algorithms.

This project aims to conduct research on lightweight post-quantum protocols and primitives, including symmetric key primitives, and improve upon the frameworks used today regarding communication size, computation complexity and secure and efficient implementation of long-term security cryptographic primitives.

The postdoc will be part of the NTNU Applied Cryptology Lab, a multidisciplinary research group consisting of members from the Department of Information Security and Communication Technology and the Department of Mathematical Sciences at NTNU.

A list of possible, but not limited to, post-quantum cryptography research topics for the postdoctoral position are:

Usability of lightweight primitives and protocols

Low communication key exchange and encryption

Lightweight ZKP and digital signatures

Efficient implementations in HW and SW

Side-channel security analysis

Your hosts will be Professor Danilo Gligoroski, Professor Stig Frode Mjølsnes, and/or Associate Professor Tjerand Silde.

Closing date for applications:

Contact: Associate Professor Tjerand Silde (tjerand.silde@ntnu.no)

More information: https://www.jobbnorge.no/en/available-jobs/job/248833/postdoctoral-fellow-in-lightweight-post-quantum-cryptography

We are hiring a PhD student to work on a project investigating privacy preserving yet auditable cryptographic protocols for decentralized applications. The student will be working in one (or more) of the following areas: secure multiparty computation, zero knowledge, anonymous credentials, blockchain consensus, cryptocurrencies, differential privacy.

The ideal candidate should have a background in computer science or mathematics, with a focus on complexity theory, number theory, algebra and probability theory. Previous research experience in security and cryptography (specially in cryptographic protocols) is most welcome. Moreover, the candidate should be motivated and enthusiastic about theoretical research in cryptography.

ITU is located in beautiful Copenhagen, which is well connected by flight to many locations. We offer a competitive salary following Danish standards as well as travel funding for scientific visits and events. As a resident in Denmark, the student will also have access to the excellent public education and health systems.

Candidates are welcome to contact Bernardo David by email for any questions. Notice, however, that all applications must be submitted via the official URL.

Closing date for applications:

Contact: Bernardo David (beda@itu.dk)

More information: https://candidate.hr-manager.net/ApplicationInit.aspx?cid=119&ProjectId=181605&DepartmentId=3439&MediaId=5

IDEAS NCBR Sp. z o.o. is a scientific and research centre operating in the field of artificial intelligence and digital economy, whose mission is to support the development of these technologies in Poland by creating a platform connecting the academic and business environment. IDEAS NCBR Sp. z o.o. was founded by the National Centre for Research and Development (NCBR) and is a part of NCBR Group. Our goal is to build in Poland the largest, friendly to conduct innovative research platform, to educate a new generation of scientists focused on the practical application of the developed algorithms and their subsequent commercialization in the industry, finance, medicine and other branches of the economy. IDEAS NCBR is now seeking to appoint a Group Leader in Cybersecurity with Emphasis on Post-quantum Cryptography who will build and lead the most recognizable research group (circa 20 people) in this area. Candidates with Post-quantum Cryptography expertise are strongly encouraged to apply. Reporting to the President, the Group Leader will develop and lead an exciting programme of research and innovation projects aligned with the vision and mission of IDEAS NCBR. The Group Leader will also act as an ambassador for IDEAS NCBR, representing the centre nationally and internationally, forging links with universities and industry, and identifying relevant opportunities for commercialisation.

Closing date for applications:

Contact: Marta Krzyżycka

More information: https://ideas-ncbr.softgarden.io/job/34064687?l=pl

As the pioneer center in Asia focusing on the quantum transition, the Quantum-Safe Migration Center (QSMC) was initiated by Chelpis Quantum Tech in 2023. Through collaborations with Taiwan's academic institutions, industry professionals, and semiconductor manufacturers, we're committed to providing swift and efficient solutions for transitioning to the quantum era and minimizing the potential threats quantum computing may pose to information systems.
Chelpis Quantum Tech was established in 2017, drawing its team from the Fast Cryptography Laboratory at National Taiwan University. Our primary focus has been research and development of post-quantum cryptographic systems and the creation of related cryptographic applications.

QSMC is looking for an applied post-quantum cryptography researcher to join our research team in Taipei, Taiwan.
We currently have three research focus areas and candidates should be experienced in at least one:

• PQC Hardware
• Formally-verified PQC Software
• New PQC primitives (in particular, candidates of the recent NIST PQC digital signature competition)

Candidates should hold a PhD in cryptography or a closely related field and have a track record in applied post-quantum cryptography with publications at top cryptography or security conferences. Responsibilities:

• Work on research projects and publish at top-tier cryptography and security conferences
• Collaborate with researchers in Taiwan and internationally
• Present research on international workshops and conferences
• Contribute to standardization efforts such as NIST PQC
• Consult Chelpis' other teams in all aspects of post-quantum cryptography

If you are interested, please send your CV to Ming Chih (my.chih@chelpis.com) and Matthias Kannwischer (matthias@chelpis.com) to schedule an informal discussion.

Closing date for applications:

Contact:

• Ming Chih (my.chih@chelpis.com)
• Matthias Kannwischer (matthias@chelpis.com)

More information: https://www.qsmc.org/

Help bring research to life and drive your career forward with the National Research Council of Canada (NRC), Canada's largest research and technology organization. We are looking for a Research Officer to join our Cryptography and Quantum Computing team, and to support NRC’s Digital Technologies Research Centre (NRC-DT). The Research Officer would be someone who shares our core values of Integrity, Excellence, Respect and Creativity. Our Cryptography and Quantum Computing team conducts research on quantum/post-quantum cryptography, privacy-preserving computing, and quantum computing. Some of our current projects are on quantum-secure V2V communication, obfuscated (quantum) computing, biometric authentication, privacy preserving record linkage, and secure machine learning. We are looking for an enthusiastic applied cryptographer who can work closely with our cryptographic researchers on the design and implementation of cryptographic algorithms and protocols. The primary responsibility of the researcher in this position is to support the goals of NRC and the activities of the Digital Technologies Research Centre in conducting research of international calibre in cryptography, machine learning, and other related topics. The researcher will work in a team environment with other researchers and technical experts in world-class facilities. The researcher will be called on to participate in international evaluations or demonstrations of the team’s applied technologies. About the Digital Technologies Research Centre We make digital technologies smarter and more intuitive for Canadians and Canadian businesses by exploring uses of data and information in innovative and meaningful ways to solve real problems. Our focus is advanced analytics, computer vision, natural language processing and artificial intelligence technologies. Education PhD in computer science, mathematics, engineering, with a specialization in cryptography, security, or privacy is required for this position.

Closing date for applications:

Contact: https://recruitment-recrutement.nrc-cnrc.gc.ca/job/Various-Locations-Applied-Cryptography-Research-Officer-ON/572782617/

More information: https://recruitment-recrutement.nrc-cnrc.gc.ca/job/Various-Locations-Applied-Cryptography-Research-Officer-ON/572782617/

The recent technological advances in Post-Quantum Cryptography (PQC) rise the questions of robust implementations of new asymmetric cryptographic primitives in today’s technology. This is the case for the lattice-based CRYSTALS-Kyber algorithm which has been selected as the first NIST standard for Public Key Encryption (PKE) and Key Encapsulation Mechanisms (KEM). We have notably to make sure the Kyber implementation is resilient against physical attacks like Side-Channel Analysis (SCA) and Fault Injection Attacks (FIA). To reach this goal, we propose to use the masking countermeasure, more precisely the generic Direct Sum Masking method (DSM). By taking inspiration of a previous paper on AES, we extend the method to finite fields of characteristic prime other than 2 and even-length codes. In particular, we investigated its application to Keccak, which is the hash-based function used in Kyber. We also provided the first masked implementation of Kyber providing both SCA and FIA resilience while not requiring any conversion between different masking methods.

Keller and Sun (ICML'22) have found a gap in the accuracy between floating-point deep learning in cleartext and secure quantized deep learning using multi-party computation. We have discovered that this gap is caused by a bug in the implementation of max-pooling. In this note, we present updated figures to support this conclusion. We also add figures for another network on CIFAR-10.

Contact discovery is a crucial component of social applications, facilitating interactions between registered contacts. This work introduces Arke, a novel approach to contact discovery that addresses the limitations of existing solutions in terms of privacy, scalability, and reliance on trusted third parties. Arke ensures the unlinkability of user interactions, mitigates enumeration attacks, and operates without single points of failure or trust. Notably, Arke is the first contact discovery system whose performance is independent of the total number of users and the first that can operate in a Byzantine setting. It achieves its privacy goals through an unlinkable handshake mechanism built on top of an identity-based non-interactive key exchange. By leveraging a custom distributed architecture, Arke forgoes the expense of consensus to achieve scalability while maintaining consistency in a Byzantine fault tolerant environment. Performance evaluations demonstrate that Arke can support enough throughput to operate at a planetary scale while maintaining sub-second latencies in a large geo-distributed setting.

Succinct Non-interactive Arguments of Knowledge (SNARKs) allow an untrusted prover to establish that it correctly ran some "witness-checking procedure" on a witness. A zkVM (short for zero-knowledge Virtual Machine) is a SNARK that allows the witness-checking procedure to be specified as a computer program written in the assembly language of a specific instruction set architecture (ISA).

A $\textit{front-end}$ converts computer programs into a lower-level representation such as an arithmetic circuit or generalization thereof. A SNARK for circuit-satisfiability can then be applied to the resulting circuit.

We describe a new front-end technique called Jolt that applies to a variety of ISAs. Jolt arguably realizes a vision called the $\textit{lookup singularity}$, which seeks to produce circuits that only perform lookups into pre-determined lookup tables. The circuits output by Jolt primarily perform lookups into a gigantic lookup table, of size more than $2^{128}$, that depends only on the ISA. The validity of the lookups are proved via a new $\textit{lookup argument}$ called Lasso described in a companion work (Setty, Thaler, and Wahby, e-print 2023). Although size-$2^{128}$ tables are vastly too large to materialize in full, the tables arising in Jolt are structured, avoiding costs that grow linearly with the table size.

We describe performance and auditability benefits of Jolt compared to prior zkVMs, focusing on the popular RISC-V ISA as a concrete example. The dominant cost for the Jolt prover applied to this ISA (on $64$-bit data types) is cryptographically committing to about six $256$-bit field elements per step of the RISC-V CPU. This compares favorably to prior zkVM provers, even those focused on far simpler VMs.

This paper introduces Lasso, a new family of lookup arguments, which allow an untrusted prover to commit to a vector $a \in \mathbb{F}^m$ and prove that all entries of a reside in some predetermined table $t \in \mathbb{F}^n$. Lasso’s performance characteristics unlock the so-called "lookup singularity". Lasso works with any multilinear polynomial commitment scheme, and provides the following efficiency properties.

For $m$ lookups into a table of size $n$, Lasso’s prover commits to just $m + n$ field elements. Moreover, the committed field elements are small, meaning that, no matter how big the field $\mathbb{F}$ is, they are all in the set $\{0, . . . , m\}$. When using a multiexponentiation-based commitment scheme, this results in the prover’s costs dominated by only $O(m + n)$ group operations (e.g., elliptic curve point additions), plus the cost to prove an evaluation of a multilinear polynomial whose evaluations over the Boolean hypercube are the table entries. This represents a significant improvement in prover costs over prior lookup arguments (e.g., plookup, Halo2’s lookups, lookup arguments based on logarithmic derivatives).

Unlike all prior lookup arguments, if the table $t$ is structured (in a precise sense that we define), then no party needs to commit to $t$, enabling the use of much larger tables than prior works (e.g., of size $2^{128}$ or larger). Moreover, Lasso’s prover only "pays" in runtime for table entries that are accessed by the lookup operations. This applies to tables commonly used to implement range checks, bitwise operations, big-number arithmetic, and even transitions of a full-fledged CPU such as RISC-V. Specifically, for any integer parameter $c > 1$, Lasso’s prover’s dominant cost is committing to $3 \cdot c \cdot m + c \cdot n^{1/c}$ field elements. Furthermore, all these field elements are “small”, meaning they are in the set $\{0, . . . , \max{(m, n^{1/c}, q)} − 1\}$, where $q$ is the maximum value in $a$.

Lasso’s starting point is Spark, a time-optimal polynomial commitment scheme for sparse polynomials in Spartan (CRYPTO 2020). We first provide a stronger security analysis for Spark. Spartan’s security analysis assumed that certain metadata associated with a sparse polynomial is committed by an honest party (this is acceptable for its purpose in Spartan, but not for Lasso). We prove that Spark remains secure even when that metadata is committed by a malicious party. This provides the first "standard" commitment scheme for sparse multilinear polynomials with optimal prover costs. We then generalize Spark to directly support a lookup argument for both structured and unstructured tables, with the efficiency characteristics noted above.

Password-based authentication is an extensively used method to authenticate users. It uses cryptography to communicate the authentication process. On the contrary, the physically unclonable function (PUF)-based authentication mechanism is also gaining popularity rapidly due to its usability in IoT devices. It is a lightweight authentication mechanism that does not use cryptography protocol. PUF-based authentication mechanisms cannot authenticate users. To overcome the drawback of PUF, we introduce a software-defined unclonable function (SUF, for short). Contrary to the PUF, the SUF is used to authenticate users, not devices. We use SUF to implement a lightweight password-based authentication mechanism termed Authentica. Authentica bridges the gap between the password-based and the PUF-based authentication mechanism. Authentica does not use cryptography for authentication. However, we establish challenge-response using cryptography during the registration phase, which is a one-time cost. Authentica addresses a) impersonation attacks, b) collision attacks, c) dictionary and rainbow table attacks, d) replay attacks, e) DDoS attacks, f) the domino effect issues, and g) the challenge-response database leakage issues.

Common verification steps in cryptographic protocols, such as signature or message authentication code checks or the validation of elliptic curve points, are crucial for the overall security of the protocol. Yet implementation errors omitting these steps easily remain unnoticed, as often the protocol will function perfectly anyways. One of the most prominent examples is Apple's goto fail bug where the erroneous certificate verification skipped over several of the required steps, marking invalid certificates as correctly verified. This vulnerability went undetected for at least 17 months.

We propose here a mechanism which supports the detection of such errors on a cryptographic level. Instead of merely returning the binary acceptance decision, we let the verification return more fine-grained information in form of what we call a confirmation code. The reader may think of the confirmation code as disposable information produced as part of the relevant verification steps. In case of an implementation error like the goto fail bug, the confirmation code would then miss essential elements.

The question arises now how to verify the confirmation code itself. We show how to use confirmation codes to tie security to basic functionality at the overall protocol level, making erroneous implementations be detected through the protocol not functioning properly. More concretely, we discuss the usage of confirmation codes in secure connections, established via a key exchange protocol and secured through the derived keys. If some verification steps in a key exchange protocol execution are faulty, then so will be the confirmation codes, and because we can let the confirmation codes enter key derivation, the connection of the two parties will eventually fail. In consequence, an implementation error like goto fail would now be detectable through a simple connection test.

This paper presents a provably secure, higher-order, and leakage-resilient (LR) rekeying scheme named LR Rekeying with Random oracle Repetition (LR4), along with a quantitative security evaluation methodology. Many existing LR cryptographies are based on a concept of leveled implementation, which still essentially require a leak-free sanctuary (i.e., differential power analysis (DPA)-resistant component(s)) for some parts. In addition, although several LR pseudorandom functions (PRFs) based on only bounded DPA-resistant components have been developed, their validity and effectiveness for rekeying usage still need to be determined. In contrast, LR4 is formally proven under a leakage model that captures the practical goal of side-channel attack (SCA) protection (e.g., masking with a practical order) and assumes no unbounded DPA-resistant sanctuary. This proof suggests that LR4 resists exponential invocations (up to the birthday bound of key size) without using any unbounded leak-free component, which is the first of its kind. Moreover, we present a quantitative SCA success rate evaluation methodology for LR4 that combines the bounded leakage models for LR cryptography and a state-of-the-art information-theoretical SCA evaluation method. We validate its soundness and effectiveness as a DPA countermeasure through a numerical evaluation; that is, the number of secure calls of a symmetric primitive increases exponentially by increasing a security parameter under practical conditions.

In this paper, we present a new distinguisher for the Tweak-aNd-Tweak (TNT) tweakable block cipher with $O(2^{n/2})$ complexity. The distinguisher is an adaptive chosen ciphertext distinguisher, unlike previous attacks that are only non-adaptive chosen plaintext attacks. However, the attack contradicts the security claims made by the designers. Given TNT can be seen as the three-round CLRW1 tweakable block cipher, our attack matches its more conservative bound. We provide the distinguisher description, a probabilistic analysis of its behaviour, experimental verification and an analysis of why the proof fails to capture the security of TNT. In summary, the distinguisher is based on collision counting and exploits non-uniformity in the statistical behaviour of random permutations. It reduces the goal of finding the collision to solving a difference equation defined over a random permutation. Due to this relation, the number of collisions observed by the distinguisher is twice as expected from an ideal tweakable block cipher.

Classic BFT consensus protocols guarantee safety and liveness for all clients if fewer than one-third of replicas are faulty. However, in applications such as high-value payments, some clients may want to prioritize safety over liveness. Flexible consensus allows each client to opt for a higher safety resilience, albeit at the expense of reduced liveness resilience. We present the first construction that allows optimal safety--liveness tradeoff for every client simultaneously. This construction is modular and is realized as an add-on applied on top of an existing consensus protocol. The add-on consists of an additional round of voting and permanent locking done by the replicas, to sidestep a sub-optimal quorum-intersection-based constraint present in previous solutions. We adapt our construction to the existing Ethereum protocol to derive optimal flexible confirmation rules that clients can adopt unilaterally without requiring system-wide changes. This is possible because existing Ethereum protocol features can double as the extra voting and locking. We demonstrate an implementation using Ethereum's consensus API.

Decentralized Finance (DeFi) is a new paradigm in the creation, distribution, and utilization of financial services via the integration of blockchain technology. Our research conducts a comprehensive introduction and meticulous classification of various DeFi applications. Beyond that, we thoroughly analyze these risks from both technical and economic perspectives, spanning multiple layers. Lastly, we point out research directions in DeFi, encompassing areas of technological advancements, innovative economics, and privacy optimization.