International Association
for Cryptologic Research

The Security and Privacy Lab of the Department of Computer Science at the University of Innsbruck, Austria offers a doctoral (Phd student/University assistant) position in the area of Symmetric Cryptography for Secure and Private Computation. A successful candidate should have an excellent academic record from master's or equivalent curriculum in Mathematics, Computer Science, or related fields, and is expected to do cutting edge research in cryptography. Previous knowledge/experience in the area of cryptography or security is a plus.

The University of Innsbruck is located in the heart of the Alps, in the capital city of the Austrian state of Tyrol. The Security and Privacy Lab is engaged in research on a range of topics, including cryptography, privacy enhancing technologies (PETs) and digital currencies. Our working language is English.

How to apply? Formal application must be submitted via https://lfuonline.uibk.ac.at/public/karriereportal.details?asg_id_in=13843

Inquiries regarding the position and application to: arnab.roy[AT]uibk.ac.at

Closing date for applications:

Contact: Dr. Arnab Roy

More information: https://informationsecurity.uibk.ac.at/pdfs/vacancies/vacancy_note_MIP-13843.pdf

We are looking for a postdoc to work on one of the following topics:
- secret sharing schemes and information theory,
- side-channels attacks,
- acceleration of cryptographic primitives.
The successful candidates will be employed on a full-time contract starting at the beginning of 2024. The contract is for 2 years. The application deadline is November 25, 2023.
More details at https://crises-deim.urv.cat/web/positions

Closing date for applications:

Contact: Oriol Farràs (oriol.farras@urv.cat)

More information: https://crises-deim.urv.cat/web/positions

Applications are invited for a post-doctoral fellow position in any of these areas: cryptographic hardware/software systems, blockchain technology and digital payments. The successful candidate will join Professor Anwar Hasan’s research group at the University of Waterloo. Applicants with a recent Ph.D. in Computer Engineering, Computer Science or a related discipline, and publications at premium venues are encouraged to email pdf copies of their CVs and cover letters to Professor Anwar Hasan (ahasan at uwaterloo.ca). Application deadline: November 6, 2023 for full consideration. After this deadline, applications will be processed as they arrive.

Closing date for applications:

Contact: Anwar Hasan

Monash cybersecurity group has several openings for PhD positions. The topics of interest are

1. Post-quantum cryptography (based on lattices and/or hash) and its applications e.g. to blockchain
2. Privacy-enhancing technologies (e.g. zero-knowledge proofs) and their applications

We provide

1. highly competitive tuition fee and stipend scholarships
2. opportunities to collaborate with leading academic and industry experts in the related areas
3. opportunities to participate in international grant-funded projects
4. collaborative and friendly research environment
5. an opportunity to live/study in one of the most liveable and safest cities in the world

The positions will be filled as soon as suitable candidates are found.

Requirements. Strong mathematical and cryptography backgrounds are required. Some knowledge/experience in coding (for example, Python, C/C++, and/or SageMath) is a plus. Candidates must have completed (or be about to complete within the next 6 months) a significant research component either as part of their undergraduate (honours) degree or masters degree. They should have excellent English verbal and written communication skills.

How to apply. Please fill out the following form (also clickable from the advertisement title): https://docs.google.com/forms/d/e/1FAIpQLSetFZLvDNug5SzzE-iH97P9TGzFGkZB-ly_EBGOrAYe3zUYBw/viewform?usp=sf_link

Closing date for applications:

Contact: Ron Steinfeld

More information: https://docs.google.com/forms/d/e/1FAIpQLSetFZLvDNug5SzzE-iH97P9TGzFGkZB-ly_EBGOrAYe3zUYBw/viewform?usp=sf_link

The Computer Science Department at New Jersey Institute of Technology (NJIT) invites applications for multiple tenure-track faculty positions starting in Fall 2024, as follows:
- Tenure-track positions in cybersecurity
- Tenure-track position in all areas of computer science
We aim to hire at the rank of Assistant Professor, but exceptional candidates at higher ranks will also be considered. Candidates with doctorates from top worldwide institutions are especially welcome to apply.

NJIT is a Carnegie R1 Doctoral University (Very High Research Activity), with $167M research expenditures in FY22. The Computer Science Department has 31 tenured/tenure track faculty, with eight NSF CAREER, one DARPA Young Investigator, and one DoE Early Career awardees. The Computer Science Department enrolls over 3,200 students at all levels across eleven programs of study and takes part, alongside the Departments of Informatics and Data Science, in the Ying Wu College of Computing (YWCC). YWCC comprises has an enrollment of more than 4,700 students in computing disciplines, and graduates over 1,000 computing professionals every year; as such, it is the largest producer of computing talent in the tri-state (NY, NJ, CT) area.

To formally apply for the position, please submit your application materials at https://academicjobsonline.org/ajo/jobs/25687. NJIT recognizes the importance of Diversity, Equity, and Inclusion (DEI) in academia and society at large. Candidates who have a track record in DEI are requested to also submit an optional Diversity Statement. Applications received by December 31, 2023 will receive full consideration. However, applications are reviewed until all the positions are filled. Contact address for inquiries: cs-faculty-search@njit.edu.

Closing date for applications:

Contact: Reza Curtmola

More information: https://academicjobsonline.org/ajo/jobs/25687

A PhD scholarship is available for a strong candidate interested in doing a PhD in privacy-preserving machine learning at Monash University, a world top 50 university located in Melbourne (frequently ranked among the 10 most liveable cities in the world).

Closing date for applications:

Contact: Rafael Dowsley Email: rafael.dowsley@monash.edu

In this work, we consider the problem of secure key leasing, also known as revocable cryptography (Agarwal et. al. Eurocrypt' 23, Ananth et. al. TCC' 23), as a strengthened security notion of its predecessor put forward in Ananth et. al. Eurocrypt' 21. This problem aims to leverage unclonable nature of quantum information to allow a lessor to lease a quantum key with reusability for evaluating a classical functionality. Later, the lessor can request the lessee to provably delete the key and then the lessee will be completely deprived of the capability to evaluate the function. In this work, we construct a secure key leasing scheme to lease a decryption key of a (classical) public-key, homomorphic encryption scheme from standard lattice assumptions. Our encryption scheme is exactly identical to the (primal) version of Gentry-Sahai-Waters homomorphic encryption scheme with a carefully chosen public key matrix. We achieve strong form of security where:

* The entire protocol (including key generation and verification of deletion) uses merely classical communication between a classical leaser (client) and a quantum lessee (server).

* Assuming standard assumptions, our security definition ensures that every computationally bounded quantum adversary could only simultaneously provide a valid classical deletion certificate and yet distinguish ciphertexts with at most negligible probability.

Our security relies on the hardness of learning with errors assumption. Our scheme is the first scheme to be based on a standard assumption and satisfying the two properties mentioned above.

The main technical novelty in our work is the design of an FHE scheme that enables us to apply elegant analyses done in the context of classically verifiable proofs of quantumness from LWE (Brakerski et. al.(FOCS'18, JACM'21) and its parallel amplified version in Radian et. al.(AFT'21)) to the setting of secure leasing. This connection leads to a modular construction and arguably simpler proofs than previously known. An important technical component we prove along the way is an amplified quantum search-to-decision reduction: we design an extractor that uses a quantum distinguisher (who has an internal quantum state) for decisional LWE, to extract secrets with success probability amplified to almost one. This technique might be of independent interest.

This paper re-analyzes the algorithm proposed by Guedes, Assis, and Lula in 2012, which they claimed that the algorithm can break Blum-Micali Pseudorandom number generator in polynomial time. We used a 5×5 transformation matrix instead of the original 2×2 transformation matrix, which can include terms that they missed in their analysis. We proved that their proposed algorithm cannot break the pseudorandom number generator, because during the amplitude amplification process, two iterations of the circuit is the same as an identity gate. To solve this problem, we proposed a corrected algorithm based on Grover’s Search Algorithm for NP-complete problems, which breaks the Blum-Micali Pseudorandom number generator in \(\mathcal{O}(n^4 2^{n/2})\). We conclude that the Blum-Micali Pseudorandom number generator is still quantum resistant. This study indicates that the discrete logarithm problem and prime factorization could still be the foundations of quantum-resistant cryptographical applications.

In this short note, we show that under a mild number-theoretic conjecture, recovering an integer from its Jacobi signature modulo $N = p^2q$, for primes $p$ and $q$, is as hard as factoring $N$.

The lattice-based post-quantum cryptosystem NTRU is used by Google for protecting Google’s internal communication. In NTRU, polynomial multiplication is one of bottleneck. In this paper, we explore the interactions between polynomial multiplication, Toeplitz matrix–vector product, and vectorization with architectural insights. For a unital commutative ring $R$, a positive integer $n$, and an element $\zeta \in R$, we reveal the benefit of vector-by-scalar multiplication instructions while multiplying in $R[x] / \langle x^n - \zeta \rangle$. We aim at designing an algorithm exploiting no algebraic and number–theoretic properties of $n$ and $\zeta$. An obvious way is to multiply in $R[x]$ and reduce modulo $x^n - \zeta$. Since the product in $R[x]$ is a polynomial of degree at most $2n − 2$, one usually chooses a polynomial modulus $g$ such that (i) $deg(g) \geq 2n − 1$, and (ii) there exists a well-studied fast polynomial multiplication algorithm f for multiplying in $R[x] / \langle g \rangle$. We deviate from common approaches and point out a novel insight with dual modules and vector-by-scalar multiplications. Conceptually, we relate the module-theoretic dual of $R[x] / \langle x^n - \zeta \rangle$ and $R[x] / \langle g \rangle$ with Toeplitz matrix-vector products, and demonstrate the benefit of Toeplitz matrix-vector products with vector-by-scalar multiplication instructions. It greatly reduces the register pressure, and allows us to multiply with essentially no permutation instructions that are commonly used in vectorized implementation. We implement the ideas for the NTRU parameter sets ntruhps2048677 and ntruhrss701 on a Cortex-A72 implementing the Armv8.0-A architecture with the single-instruction-multiple-data (SIMD) technology Neon. For polynomial multiplications, our implementation is 2.18× and 2.23× for ntruhps2048677 and ntruhrsss701 than the state-of-the-art optimized implementation. We also vectorize the polynomial inversions and sorting network by employing existing techniques and translating AVX2-optimized implementations into Neon. Compared to the state-of-the-art optimized implementation, our key generation, encapsulation, and decapsulation for ntruhps2048677 are 7.67×, 2.48×, and 1.77× faster, respectively. For ntruhrss701, our key generation, encapsulation, and decapsulation are 7.99×, 1.47×, and 1.56× faster, respectively.

Circuit-based Private Set Intersection (circuit-PSI) enables two parties, a client and a server, with their input sets $X$ and $Y$ respectively, to securely compute a function $f$ on the intersection $X \cap Y$, while keeping $X \cap Y$ secret from both parties. Although several computationally efficient circuit-PSI protocols have been proposed recently, they most focus on the balanced scenario where $|X|$ is similar to $|Y|$. However, in many realistic scenarios, a circuit-PSI protocol may be performed in the unbalanced case where $|X|$ is remarkably smaller than $|Y|$ (e.g., the client is a constrained device holding a small set, while the server is a service provider holding a large set). Directly applying existing protocols to this scenario will lead to significant efficiency issues because the communication complexity of the protocols scales at least linearly with the size of the larger set, i.e., $\max(|X|, |Y|)$.

In this work, we put forth efficient constructions for unbalanced circuit-PSI with sublinear communication complexity in the size of the larger set. The main insight is that we formalize unbalanced circuit-PSI as obliviously retrieving values corresponding to keys from a set of key-value pairs. To this end, we present a new functionality called Oblivious Key-Value Retrieval (OKVR) and design the OKVR protocol from a new notion called sparse Oblivious Key-Value Stores (sparse OKVS). We conduct extensive experiments and the results show that our constructions remarkably outperform the state-of-the-art circuit-PSI schemes (EUROCRYPT'19, PETs'22, CCS'22), i.e., $1.84 \sim 48.86 \times$ communication improvement and $1.50 \sim39.81 \times$ faster computation. Very recently, Son and Jeong (AsiaCCS'23) also present unbalanced circuit-PSI protocols, and our constructions outperform them by $1.18 \sim 15.99 \times$ and $1.22 \sim 10.44 \times$ in communication and computation overhead, respectively, depending on set sizes and network environments.

We consider the problem of creating, or issuing, zero-knowledge proofs obliviously. In this setting, a prover interacts with a verifier to produce a proof, known only to the verifier. The resulting proof is transferable and can be verified non-interactively by anyone. Crucially, the actual proof cannot be linked back to the interaction that produced it.

This notion generalizes common approaches to designing blind signatures, which can be seen as the special case of proving "knowledge of a signing key", and extends the seminal work of Camenisch and Stadler ('97). We propose a provably secure construction of oblivious proofs, focusing on discrete-logarithm representation equipped with AND-composition.

We also give three applications of our framework. First, we give a publicly verifiable version of the classical Diffie-Hellman based Oblivious PRF. This yields new constructions of blind signatures and publicly verifiable anonymous tokens. Second, we show how to "upgrade" keyed-verification anonymous credentials (Chase et al., CCS'14) to also be concurrently secure blind signatures on the same set of attributes. Crucially, our upgrade maintains the performance and functionality of the credential in the keyed-verification setting, we only change issuance. We observe that the existing issuer proof that the credential is well-formed may be verified by anyone; creating it with our framework makes it a blind signature, adding public verifiability to the credential system. Finally, we provide a variation of the U-Prove credential system that is provably one-more unforgeable with concurrent issuance sessions. This constitutes a fix for the attack illustrated by Benhamouda et al. (EUROCRYPT'21).

Beyond these example applications, as our results are quite general, we expect they may enable modular design of new primitives with concurrent security, a goal that has historically been challenging to achieve.

The BUFF transform is a generic transformation for digital signature schemes, with the purpose of obtaining additional security properties beyond standard unforgeability, e.g., exclusive ownership and non-resignability. In the call for additional post-quantum signatures, these were explicitly mentioned by the NIST as ``additional desirable security properties'', and some of the submissions indeed refer to the BUFF transform with the purpose of achieving them, while some other submissions follow the design of the BUFF transform without mentioning it explicitly.

In this work, we show the following negative results regarding the non-resignability property in general, and the BUFF transform in particular. In the plain model, we observe by means of a simple attack that any signature scheme for which the message has a high entropy given the signature does not satisfy the non-resignability property (while non-resignability is trivially not satisfied if the message can be efficiently computed from its signature). Given that the BUFF transform has high entropy in the message given the signature, it follows that the BUFF transform does not achieve non-resignability whenever the random oracle is instantiated with a hash function, no matter what hash function.

When considering the random oracle model (ROM), the matter becomes slightly more delicate since prior works did not rigorously define the non-resignability property in the ROM. For the natural extension of the definition to the ROM, we observe that our impossibility result still holds, despite there having been positive claims about the non-resignability of the BUFF transform in the ROM. Indeed, prior claims of the non-resignability of the BUFF transform rely on faulty argumentation.

On the positive side, we prove that a salted version of the BUFF transform satisfies a slightly weaker variant of non-resignability in the ROM, covering both classical and quantum attacks, if the entropy requirement in the (weakened) definition of non-resignability is statistical; for the computational variant, we show yet another negative result.

Ring signature (RS) allows users to demonstrate to verifiers their membership within a specified group (ring) without disclosing their identities. Based on this, RS can be used as a privacy protection technology for users' identities in blockchain. However, there is currently a lack of RS schemes that are fully applicable to the blockchain applications: Firstly, users can only spend a UTXO once, and the current RS schemes are not yet perfect in a one-time manner. At the same time, the current RS schemes are not sufficiently developed in terms of regulation. Secondly, the size of the current RS is mostly linearly related to the number of ring members. When there are many members, the transaction processing speed is slow. We propose a one-time and revocable ring signature with logarithmic size in blockchain based on the Sigma-Protocols. Our scheme compresses the RS size and enables users to sign in the blockchain transactions. The scheme allows two RS generated with the same private key for a same UTXO to be linked together. Additionally, it allows regulatory authority to recover the signer's identity at any time. A security model was presented, and its security properties, namely, unforgeability, anonymity, one-time, revocability, and non-slanderability were proven in the random oracle model. Our scheme compresses the RS size to where is the number of ring users, enabling blockchain transactions to have better processing speeds. And it can prevent double-spending attacks in blockchain and allows regulatory authority to recover the identity of the signer.

The algebraic degree of a vectorial Boolean function is one of the main parameters driving the cost of its hardware implementation. Thus, finding decompositions of functions into sequences of functions of lower algebraic degrees has been explored to reduce the cost of implementations. In this paper, we consider such decompositions of permutations over $\mathbb{F}_{2^n}$. We prove the existence of decompositions using quadratic and linear power permutations for all permutations when $2^n-1$ is a prime, and we prove the non-existence of such decompositions for power permutations of differential uniformity strictly lower than $16$ when $4|n$. We also prove that any permutation admits a decomposition into quadratic power permutations and affine permutations of the form $ax+b$ if $4 \nmid n$. Furthermore, we prove that any permutation admits a decomposition into cubic power permutations and affine permutations. Finally, we present a decomposition of the PRESENT S-Box using the power permutation $x^7$ and affine permutations.

Symmetric Private Information Retrieval (SPIR) is a stronger PIR protocol that ensures both client and server privacy. In many cases, the client needs authorization from the data subject before querying data. However, this also means that the server can learn the identity of the data subject. To solve such problems, we propose a new SPIR primitive, called authorized symmetric keyword information retrieval protocol (ASKPIR). Specifically, we designed an efficient DID identification algorithm based on the Pedersen Commitment, which is used to solve the identity management and privacy problems of data subject when data is shared by multiple parties in a distributed environment. Then, we present a novel authorization algorithm combining NIZK proof and DID, which can preserve client privacy. Finally, to improve the efficiency of client retrieval, our protocol constructs PSI-Payload with mqRPMT and OTE so as to support batch keyword searches. In addition, we provide a formal security analysis for the anonymity and unforgeability of the protocol and demonstrate that ASKPIR can achieve malicious security under the UC framework. Theoretical analysis and experimental results show that the ASKPIR protocol is more efficient than other related works and solves the problem of incompatibility between data subject authorization and client privacy.

This study presents an efficient persistent memory encryption mechanism, named Crystalor, which efficiently realizes a secure persistent/non-volatile memory based on an authentication tree with structural optimization, such as the split counter (SC). Crystalor can completely exploit the advantage of metadata compression techniques, whereas existing mechanisms are incompatible with such optimization. Meanwhile, Crystalor incurs almost no latency overhead under the nominal operation conditions for realizing the crash consistency/recoverability. We implement Crystalor with a state-of-the-art parallelizable authentication tree instance, namely ELM (IEEE TIFS 2022), and evaluate the effectiveness by both algorithmic analyses and system-level simulation in comparison with the existing state-of-the-art ones (e.g., SCUE in HPCA 2023). For protecting a 4 TB memory, Crystalor requires 29–62% fewer clock cycles per memory read/write operation than SCUE owing to the compatibility with the SC. In addition, Crystalor and SCUE require 312GB and 554GB memory overheads for metadata, respectively, which indicates that Crystalor achieves a reduction of memory overhead by 44%. The result of the system-level simulation using the gem5 simulator indicates that Crystalor achieves a reduction of the workload execution time by up to 11.5% from SCUE. Moreover, Crystalor can offer a lazy recovery, which makes recovery several thousand times faster than SCUE.

We show that the Xu et al.'s authentication and key agreement scheme [IEEE Trans. Ind. Informatics, 18(10), 7118-7127, 2022] is flawed. (1) It confused some operations for bilinear maps and presented some inconsistent computations. (2) It failed to keep anonymity, not as claimed. The adversary can use any device's public key stored in the blockchain to test some verification equations so as to reveal the identity of a target device.

The Peregrine signature scheme is one of the candidates in the ongoing Korean post-quantum cryptography competition. It is proposed as a high-speed variant of Falcon, which is a hash-and-sign signature scheme over NTRU lattices and one of the schemes selected by NIST for standardization. To this end, Peregrine replaces the lattice Gaussian sampler in the Falcon signing procedure with a new sampler based on the centered binomial distribution. While this modification offers significant advantages in terms of efficiency and implementation, it does not come with a provable guarantee that signatures do not leak information about the signing key. Unfortunately, lattice-based signature schemes in the hash-and-sign paradigm that lack such a guarantee (such as GGH, NTRUSign or DRS) have generally proved insecure.

In this paper, we show that Peregrine is no exception, by demonstrating a practical key recovery attack against it. We observe that the support of Peregrine signatures is a hidden transformation of some public distribution and still leaks information about the signing key. By adapting the parallelepiped-learning technique of Nguyen and Regev (Eurocrypt 2006), we show that the signing key can be recovered from a relatively small number of signatures. The learning technique alone yields an approximate version of the key, from which we can recover the exact key using a decoding technique due to Thomas Prest (PKC 2023).

For the reference implementation (resp. the official specification version) of Peregrine-512, we fully recover the secret key with good probability in a few hours given around 25,000 (resp. 11 million) signature samples.

The IACR strongly condemns the atrocities perpetrated by Hamas against Israel. We are outraged and horrified by this dreadful assault on civilians: Israelis of all religions, ages, and backgrounds; tourists; and foreign workers. We stand in solidarity with the people of Israel.

Our heartfelt sympathy and support go out to our members everywhere who are affected by that attack, and to all those who are suffering its ongoing consequences.

Approved by the IACR board of directors, October 18, 2023