International Association
for Cryptologic Research

We are proud to announce the winners of the 2023 IACR Test-of-Time Award for Asiacrypt.
The IACR Test-of-Time Award honors papers published at the 3 IACR flagship conferences 15 years ago which have had a lasting impact on the field. This year, we are announcing the winners for each conference separately.

The Test-of-Time award for Asiacrypt 2008 is awarded to:

Preimage Attacks on 3, 4, and 5-Pass HAVAL, by Kazumaro Aoki and Yu Sasaki, for providing new attack frameworks in symmetric-key cryptanalysis by formally introducing the Meet-in-the-Middle Preimage Attacks against hash functions, which was later generalized into key-recovery attacks against block ciphers, and collision attacks against hash functions..

For more information, see https://www.iacr.org/testoftime.

Congratulations to the winners!

Event date: 14 August to 16 August 2024
Submission deadline: 7 April 2024
Notification: 20 May 2024

The Applied Cryptography Unit (https://groups.oist.jp/appcrypto) at the Okinawa Institute of Science and Technology (OIST) is seeking to hire up to four postdoctoral scholars in cryptography.

The research unit, led by Prof. Carlos Cid, was established in 2022, to conduct research in the design and analysis of modern cryptographic primitives and schemes used to protect confidentiality and integrity of data, both in the classical and in the quantum settings. The Applied Cryptography Unit is also part of OIST Center for Quantum Technologies (https://www.oist.jp/ocqt).

To forge and develop the Unit's research activities, we are seeking to hire up to four outstanding post-doctoral researchers to join us, to work in the following topics: post-quantum / quantum cryptography (design and analysis), quantum cryptanalysis, post-quantum cryptographic techniques for privacy-preserving mechanisms.

The postdocs will be provided with funding and access to world-class facilities to pursue their research. The Unit aims to establish a highly collaborative environment, and we expect there will be several opportunities to work with other research groups at OIST, in Japan and overseas.

For more information about the role, and how to apply, see: https://www.oist.jp/careers/postdoctoral-scholars-applied-cryptography-unit

Closing date for applications:

Contact: Carlos Cid (carlos.cid@oist.jp)

More information: https://www.oist.jp/careers/postdoctoral-scholars-applied-cryptography-unit

The Department of Information and Communications Technologies of the public Pompeu Fabra University, Barcelona, Catalonia, Spain, invites applications for a tenure track faculty position. The candidate must have a PhD (or equivalent) in computer science or a closely related field and have a strong background in design focused on computer networks, communication protocols in computer networks and/or cybersecurity. A successful candidate should have a solid research track record in all areas of computer networks, computer communication protocols and cybersecurity Teaching excellence will be highly considered, as well as experience in first year engineering courses related to computer networking topics and their protocols, wireless communication technologies, and mentoring students at the undergraduate and graduate levels. Previous experience in professional service will also be valued, as the candidate might be required to assume some management responsibilities. Gross annual salary: 41.039,60€ Qualifications ​The candidate must have a PhD (or equivalent) in computer science or a closely related field and have a strong background in design focused on computer networks, communication protocols in computer networks and/or cybersecurity. A successful candidate should have a solid research track record in all areas of computer networks, computer communication protocols and cybersecurity. Teaching excellence will be highly considered, as well as experience in first year engineering courses related to computer networking topics and their protocols, wireless communication technologies, and mentoring students at the undergraduate and graduate levels. Must demonstrate ability to work in other areas that complement well with the department's research (in distributed systems, biomedical engineering,machine learning, artificial intelligence, digital systems of audiovisual technologies, or data science). Must demonstrate ability to attract external funding and the potential to secure partnerships or consultancies with the private sector. It is desirable that the candidate demonstrates leading research projects with social and economic impact.

Closing date for applications:

Contact: horacio.saggion@upf.edu

More information: https://apply.interfolio.com/135150

Privacy-preserving blueprints enable users to create escrows using the auditor's public key. An escrow encrypts the evaluation of a function $P(t,x)$, where $t$ is a secret input used to generate the auditor's key and $x$ is the user's private input to escrow generation. Nothing but $P(t,x)$ is revealed even to a fully corrupted auditor. The original definition and construction (Kohlweiss et al., EUROCRYPT'23) only support the evaluation of functions on an input $x$ provided by a single user.

We address this limitation by introducing updatable privacy-preserving blueprint schemes (UPPB), which enhance the original notion with the ability for multiple parties to non-interactively update the private value $x$ in a blueprint. Moreover, a UPPB scheme allows for verifying that a blueprint is the result of a sequence of valid updates while revealing nothing else.

We present uBlu, an efficient instantiation of UPPB for computing a comparison between private user values and a private threshold $t$ set by the auditor, where the current value $x$ is the cumulative sum of private inputs, which enables applications such as privacy-preserving anti-money laundering and location tracking. Additionally, we show the feasibility of the notion generically for all value update functions and (binary) predicates from FHE and NIZKs.

Our main technical contribution is a technique to keep the size of primary blueprint components independent of the number of updates and reasonable for practical applications. This is achieved by elegantly extending an algebraic NIZK by Couteau and Hartmann (CRYPTO'20) with an update function and making it compatible with our additive updates. This result is of independent interest and may find additional applications thanks to the concise size of our proofs.

We introduce a new cryptographic primitive, called Completely Anonymous Signed Encryption (CASE). CASE is a public-key authenticated encryption primitive, that offers anonymity for senders as well as receivers. A "case-packet" should appear, without a (decryption) key for opening it, to be a blackbox that reveals no information at all about its contents. To decase a case-packet fully - so that the message is retrieved and authenticated - a verifcation key is also required. Defining security for this primitive is subtle. We present a relatively simple Chosen Objects Attack (COA) security definition. Validating this definition, we show that it implies a comprehensive indistinguishability-preservation definition in the real-ideal paradigm. To obtain the latter definition, we extend the Cryptographic Agents framework of [2, 3] to allow maliciously created objects. We also provide a novel and practical construction for COA-secure CASE under standard assumptions in public-key cryptography, and in the standard model. We believe CASE can be a staple in future cryptographic libraries, thanks to its robust security guarantees and efficient instantiations based on standard assumptions.

A central advantage of deploying cryptosystems is that the security of large high-sensitive data sets can be reduced to the security of a very small key. The most popular way to manage keys is to use a $(t,n)-$threshold secret sharing scheme: a user splits her/his key into $n$ shares, distributes them among $n$ key servers, and can recover the key with the aid of any $t$ of them. However, it is vulnerable to device destruction: if all key servers and user's devices break down, the key will be permanently lost. We propose a $\mathrm{\underline{D}}$estruction-$\mathrm{\underline{R}}$esistant $\mathrm{\underline{K}}$ey $\mathrm{\underline{M}}$anagement scheme, dubbed DRKM, which ensures the key availability even if destruction occurs. In DRKM, a user utilizes her/his $n^{*}$ personal identification factors (PIFs) to derive a cryptographic key but can retrieve the key using any $t^{*}$ of the $n^{*}$ PIFs. As most PIFs can be retrieved by the user $\textit{per se}$ without requiring $\textit{stateful}$ devices, destruction resistance is achieved. With the integration of a $(t,n)-$threshold secret sharing scheme, DRKM also provides $\textit{portable}$ key access for the user (with the aid of any $t$ of $n$ key servers) before destruction occurs. DRKM can be utilized to construct a destruction-resistant cryptosystem (DRC) in tandem with any backup system. We formally prove the security of DRKM, implement a DRKM prototype, and conduct a comprehensive performance evaluation to demonstrate its high efficiency. We further utilize Cramer's Rule to reduce the required buffer to retrieve a key from 25 MB to 40 KB (for 256-bit security).

We introduce an efficient SNARK for towers of binary fields. Adapting Brakedown (CRYPTO '23), we construct a multilinear polynomial commitment scheme suitable for polynomials over tiny fields, including that with 2 elements. Our commitment scheme, unlike those of previous works, treats small-field polynomials with zero embedding overhead. We further introduce binary-field adaptations of HyperPlonk's (EUROCRYPT '23) product and permutation checks, as well as of Lasso's lookup. Our scheme's binary PLONKish variant captures standard hash functions—like Keccak-256 and Grøstl—extremely efficiently. With recourse to thorough performance benchmarks, we argue that our scheme can efficiently generate precisely those Keccak-256-proofs which critically underlie modern efforts to scale Ethereum.

We prove a tight parallel repetition theorem for $3$-message computationally-secure quantum interactive protocols between an efficient challenger and an efficient adversary. We also prove under plausible assumptions that the security of $4$-message computationally secure protocols does not generally decrease under parallel repetition. These mirror the classical results of Bellare, Impagliazzo, and Naor [BIN97]. Finally, we prove that all quantum argument systems can be generically compiled to an equivalent $3$-message argument system, mirroring the transformation for quantum proof systems [KW00, KKMV07].

As immediate applications, we show how to derive hardness amplification theorems for quantum bit commitment schemes (answering a question of Yan [Yan22]), EFI pairs (answering a question of Brakerski, Canetti, and Qian [BCQ23]), public-key quantum money schemes (answering a question of Aaronson and Christiano [AC13]), and quantum zero-knowledge argument systems. We also derive an XOR lemma [Yao82] for quantum predicates as a corollary.

The Boolean map $\chi_n^{(k)}:\mathbb{F}_{2^k}^n\rightarrow \mathbb{F}_{2^k}^n$, $x\mapsto u$ given by $u_i=x_i+(x_{(i+1)\ \mathrm{mod}\ n}+1)x_{(i+2)\ \mathrm{mod}\ n}$ appears in various permutations as a part of cryptographic schemes such as KECCAK-f, ASCON, Xoodoo, Rasta, and Subterranean (2.0). Schoone and Daemen investigated some important algebraic properties of $\chi_n^{(k)}$ in [IACR Cryptology ePrint Archive 2023/1708]. In particular, they showed that $\chi_n^{(k)}$ is not bijective when $n$ is even, when $n$ is odd and $k$ is even, and when $n$ is odd and $k$ is a multiple of $3$. They left the remaining cases as a conjecture. In this paper, we examine this conjecture by taking some smaller sub-cases into account by reinterpreting the problem via the Gröbner basis approach. As a result, we prove that $\chi_n^{(k)}$ is not bijective when $n$ is a multiple of 3 or 5, and $k$ is a multiple of 5 or 7. We then present an algorithmic method that solves the problem for any given arbitrary $n$ and $k$ by generalizing our approach. We also discuss the systematization of our proof and computational boundaries.

CRYSTALS-Kyber is a key-encapsulation mechanism, whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices. As in its specification, Kyber prescribes the usage of the Number Theoretic Transform (NTT) for efficient polynomial multiplication. Side-channel assisted attacks against Post-Quantum Cryptography (PQC) algorithms like Kyber remain a concern in the ongoing standardization process of quantum-computer-resistant cryptosystems. Among the attacks, correlation power analysis (CPA) is emerging as a popular option because it does not require detailed knowledge about the attacked device and can reveal the secret key even if the recorded power traces are extremely noisy. In this paper, we present a two-step attack to achieve a full-key recovery on lattice-based cryptosystems that utilize NTT for efficient polynomial multiplication. First, we use CPA to recover a portion of the secret key from the power consumption of these polynomial multiplications in the decryption process. Then, using the information, we are able to fully recover the secret key by constructing an LWE problem with a smaller lattice rank and solving it with lattice reduction algorithms. Our attack can be expanded to other cryptosystems using NTT-based polynomial multiplication, including Saber. It can be further parallelized and experiments on simulated traces show that the whole process can be done within 20 minutes on a 16-core machine with 200 traces. Compared to other CPA attacks targeting NTT in the cryptosystems, our attack achieves lower runtime in practice. Furthermore, we can theoretically decrease the number of traces needed by using lattice reduction if the same measurement is used. Our lattice attack also outperforms the state-of-the-art result on integrating side-channel hints into lattices, however, the improvement heavily depends on the implementation of the NTT chosen by the users.

This paper presents new blind signatures for which concurrent security, in the random oracle model, can be proved from variants of the computational Diffie-Hellman (CDH) assumption in pairing-free groups without relying on the algebraic group model (AGM). With the exception of careful instantiations of generic non-black box techniques following Fischlin's paradigm (CRYPTO '06), prior works without the AGM in the pairing-free regime have only managed to prove security for a-priori bounded concurrency.

Our most efficient constructions rely on the chosen-target CDH assumption, which has been used to prove security of Blind BLS by Boldyreva (PKC '03), and can be seen as blind versions of signatures by Goh and Jarecki (EUROCRYPT '03) and Chevallier-Mames (CRYPTO'05). We also give a less efficient scheme with security based on (plain) CDH which builds on top of a natural pairing-free variant of Rai-Choo (Hanzlik, Loss, and Wagner, EUROCRYPT '23). Our schemes have signing protocols that consist of four (in order to achieve regular unforgeability) or five moves (for strong unforgeability).

The blindness of our schemes is either computational (assuming the hardness of the discrete logarithm problem), or statistical in the random oracle model.

Syndrome-based early epidemic warning plays a vital role in preventing and controlling unknown epidemic outbreaks. It monitors the frequency of each syndrome, issues a warning if some frequency is aberrant, identifies potential epidemic outbreaks, and alerts governments as early as possible. Existing systems adopt a cloud-assisted paradigm to achieve cross-facility statistics on the syndrome frequencies. However, in these systems, all symptom data would be directly leaked to the cloud, which causes critical security and privacy issues.

In this paper, we first analyze syndrome-based early epidemic warning systems and formalize two security notions, i.e., symptom confidentiality and frequency confidentiality, according to the inherent security requirements. We propose EpiOracle, a cross-facility early warning scheme for unknown epidemics. EpiOracle ensures that the contents and frequencies of syndromes will not be leaked to any unrelated parties; moreover, our construction uses only a symmetric-key encryption algorithm and cryptographic hash functions (e.g., [CBC]AES and SHA-3), making it highly efficient. We formally prove the security of EpiOracle in the random oracle model. We also implement an EpiOracle prototype and evaluate its performance using a set of real-world symptom lists. The evaluation results demonstrate its practical efficiency.

Event date: 5 March to 8 March 2024
Submission deadline: 25 November 2023
Notification: 22 December 2023

Event date: 5 March to 8 March 2024
Submission deadline: 10 December 2023
Notification: 10 January 2024

Event date: 5 March to 8 March 2024
Submission deadline: 15 December 2023
Notification: 10 January 2024

Event date: 5 March to 8 March 2024
Submission deadline: 10 December 2023
Notification: 10 January 2024

The Max Planck Institutes (MPIs) for Informatics, for Security & Privacy, and for Software Systems invite applications for tenure-track faculty in all areas of computer science. We expect to fill several positions.

A doctoral degree in computer science or related fields and an outstanding research record are required. Successful candidates are expected to build a team and pursue a highly visible research agenda, both independently and in collaboration with other groups.

The institutes are part of a network of over 80 MPIs, Germany’s premier basic-research institutes. MPIs have an established record of world-class, foundational research in the sciences, technology, and the humanities. The institutes offer a unique environment that combines the best aspects of a university department and a research laboratory: Faculty enjoy full academic freedom, lead a team of doctoral students and post-docs, and have the opportunity to teach university courses; at the same time, they enjoy ongoing institutional funding in addition to third-party funds, a technical infrastructure unrivaled for an academic institution, as well as internationally competitive compensation.

We maintain an international and diverse work environment and seek applications from outstanding researchers worldwide. The working language is English; knowledge of the German language is not required for a successful career at the institutes.

MPIs are committed to fostering a diverse, inclusive, and global academic community, and consider qualified applicants for employment without discrimination on the basis of gender, race, disability, ethnic or social origin, or any other legally protected status. We particularly encourage applications from groups that are underrepresented in computer science. We welcome applications from dual-career couples and will do our best to try and accommodate their needs.

The initial tenure-track appointment is for six years. A permanent contract can be awarded upon a successful tenure evalution in the sixth year.

Closing date for applications:

Contact: Qualified candidates should apply using the application portal at https://apply.cis.mpg.de. The review of applications will begin on December 1st, 2023.

More information: https://www.cis.mpg.de/tenure-track-openings-at-max-planck-institutes-in-computer-science/

The threat of large-scale, general-purpose quantum computers to existing public-key cryptographic solutions has lead to global efforts to standardise post-quantum cryptography as a replacement. One of the front-runners for problems to base post-quantum cryptography on are hard problems on lattices. On the other hand, lattices have emerged as a central building block for more advanced cryptographic functionalities such as fully-homomorphic encryption and zero-knowledge proof systems.

We are inviting applications for PhD studentships in the cryptography lab at King’s College London. Specifically, we are looking for applicants to work with us in the area of lattice-based cryptography, broadly defined.

The PhD could cover studying the underlying hard mathematical problems, cryptanalysis, constructions or applications of lattice-techniques. This can cover post-quantum aspects of lattice-based cryptography and/or advanced functionalities.

We seek applicants with a background in mathematics and/or computer science or related disciplines.

The applicant would work with

• Ngoc Khanh Nguyen

  https://dblp.org/pid/75/9806-1.html

  ngoc_khanh.nguyen@kcl.ac.uk or

• Eamonn W. Postlethwaite

  https://dblp.org/pid/218/7300.html

  eamonn.postlethwaite@kcl.ac.uk (*) or

• Martin Albrecht

  https://dblp.uni-trier.de/pid/92/7397.html

  martin.albrecht@kcl.ac.uk

and we encourage applicants to reach out to one or more of the above to discuss the position informally before applying. To apply, please go to

https://www.kcl.ac.uk/study/postgraduate-research/areas/computer-science-research-mphil-phd

A first deadline for applications is mid January. These are fully-funded positions covering both (international) fees and maintenance. The latter is at the UKRI rate, see https://www.ukri.org/news/ukri-publishes-stipend-and-postgraduate-research-consultation/

(*live in January, beforehand please reach out to Martin Albrecht to be put in touch.)

Closing date for applications:

Contact:

• Ngoc Khanh Nguyen ngoc_khanh.nguyen@kcl.ac.uk or
• Eamonn W. Postlethwaite eamonn.postlethwaite@kcl.ac.uk (*) or
• Martin Albrecht martin.albrecht@kcl.ac.uk

More information: https://www.kcl.ac.uk/study/postgraduate-research/areas/computer-science-research-mphil-phd

A backdoored Pseudorandom Generator (PRG) is a PRG which looks pseudorandom to the outside world, but a saboteur can break PRG security by planting a backdoor into a seemingly honest choice of public parameters, $pk$, for the system. Backdoored PRGs became increasingly important due to revelations about NIST’s backdoored Dual EC PRG, and later results about its practical exploitability.

Motivated by this, at Eurocrypt'15 Dodis et al. [21] initiated the question of immunizing backdoored PRGs. A $k$-immunization scheme repeatedly applies a post-processing function to the output of $k$ backdoored PRGs, to render any (unknown) backdoors provably useless. For $k=1$, [21] showed that no deterministic immunization is possible, but then constructed "seeded" $1$-immunizer either in the random oracle model, or under strong non-falsifiable assumptions. As our first result, we show that no seeded $1$-immunization scheme can be black-box reduced to any efficiently falsifiable assumption.

This motivates studying $k$-immunizers for $k\ge 2$, which have an additional advantage of being deterministic (i.e., "seedless"). Indeed, prior work at CCS'17 [37] and CRYPTO'18 [7] gave supporting evidence that simple $k$-immunizers might exist, albeit in slightly different settings. Unfortunately, we show that simple standard model proposals of [37, 7] (including the XOR function [7]) provably do not work in our setting. On a positive, we confirm the intuition of [37] that a (seedless) random oracle is a provably secure $2$-immunizer. On a negative, no (seedless) $2$-immunization scheme can be black-box reduced to any efficiently falsifiable assumption, at least for a large class of natural $2$-immunizers which includes all "cryptographic hash functions."

In summary, our results show that $k$-immunizers occupy a peculiar place in the cryptographic world. While they likely exist, and can be made practical and efficient, it is unlikely one can reduce their security to a "clean" standard-model assumption.