International Association
for Cryptologic Research

The splitting field $F$ of the polynomial $Y^n-2$ is an extension over $\mathbb{Q}$ generated by $\zeta_n=\exp(2 \pi \sqrt{-1} /n)$ and $\sqrt[n]{2}$. When $n$ ($\geq 8$) is a power-of-two integer, the degree of $F$ over $\mathbb{Q}$ is $n^2/4$. In this paper, we lay the foundation for applying the Order-LWE in $\mathcal{R}=\mathbb{Z}[\zeta_n, \sqrt[n]{2}]$ to cryptographic uses. More specifically, We will compute the Galois group $\text{Gal}\left(F/\mathbb{Q} \right)$ and the canonical embedding of $F$ into $\mathbb{C}^{n^2/4}$. Then we study the trace pairings of the integral basis $\zeta_n^{k_0} \sqrt[n]{2}^{k_1}$ and obtain its dual explicitly, which will be crucial when we study the error distributions on the ideal lattices associated with $\mathcal{R}$.

Moreover, we design a Two-Variable Number Theoretic Transform (2NTT) algorithm for the quotient $\mathcal{R}_p=\mathcal{R}/p\mathcal{R}$, where $p$ is a prime number such that $Y^n \equiv 2 \bmod p$ has $n$ distinct solutions. Compared to the one-variable NTT, a crucial advantage of 2NTT is that it enjoys a quadratic saving of twiddle factors. Hence, it is very interesting to see how to leverage this quadratic saving to boost the performance of 2NTT in practical implementations.

In 1982, Yao introduced the problem of comparing two private values, thereby launching the study of protocols for secure multi-party computation (MPC). Since then, comparison protocols have undergone extensive study and found widespread applications.

We survey state-of-the-art comparison protocols for an arbitrary number of parties, decompose them into smaller primitives and analyse their communication complexity under the usual assumption that the underlying MPC protocol does preprocessing and computes linear operations without communication. We then develop two new comparison protocols and explain why they are faster than similar protocols, including those that are commonly used in practice: they reduce the number of online multiplications, without increasing preprocessing or round complexity. More concretely, online bandwidth is reduced by more than half for the standard comparison protocols whose round complexity is logarithmic in the bit-length, whereas for constant round comparison protocols the reduction is two-thirds.

Key Encapsulation Mechanisms (KEMs) are a critical building block for hybrid encryption and modern security protocols, notably in the post-quantum setting. Given the asymmetric public key of a recipient, the primitive establishes a shared secret key between sender and recipient. In recent years, a large number of abstract designs and concrete implementations of KEMs have been proposed, notably in the context of the NIST selection process for post-quantum primitives. The traditional security notion for KEMs has been the IND-CCA notion that was designed for public-key encryption (PKE). In recent work additional properties, such as robustness and anonymity, were lifted from the PKE setting to the KEMs setting.

In this work we introduce several stronger security notions for KEMs. Our new properties formalize in which sense outputs of the KEM uniquely determine, i.e., bind, other values. Our new notions are based on two orthogonal observations: First, unlike PKEs, KEMs establish a unique key, which leads to natural binding properties for the established keys. Our new binding properties can be used, e.g., to prove the absence of attacks that were not captured by prior security notions, such as re-encapsulation attacks. If we regard KEMs as one-pass key exchanges, our key-binding properties correspond to implicit key agreement properties. Second, to prove the absence of weak keys, we have to consider not only honestly generated key pairs but also adversarially-generated key pairs.

We define a hierarchy of security notions for KEMs based on our observations. We position properties from the literature within our hierarchy, provide separating examples, and give examples of real world KEMs in the context of our hierarchy.

In recent years, actively secure SPDZ-like protocols for dishonest majority, like SPD$\mathbb Z_{2^k}$, Overdrive2k, and MHz2k, over base rings $\mathbb Z_{2^k}$ have become more and more efficient. In this paper, we present a new actively secure MPC protocol Multipars that outperforms these state-of-the-art protocols over $\mathbb Z_{2^k}$ by more than a factor of 2 in the two-party setup in terms of communication. Multipars is the first actively secure N-party protocol over $\mathbb Z_{2^k}$ that is based on linear homomorphic encryption (LHE) in the offline phase (instead of oblivious transfer or somewhat homomorphic encryption in previous works). The strong performance of Multipars relies on a new adaptive packing for BGV ciphertexts that allows us to reduce the parameter size of the encryption scheme and the overall communication cost. Additionally, we use modulus switching for further size reduction, a new type of enhanced CPA security over $\mathbb Z_{2^k}$, a truncation protocol for Beaver triples, and a new LHE-based offline protocol without sacrificing over $\mathbb Z_{2^k}$.

We have implemented Multipars and therewith provide the fastest preprocessing phase over $\mathbb Z_{2^k}$. Our evaluation shows that Multipars offers at least a factor of 8 lower communication costs and up to a factor of 15 faster runtime in the WAN setting compared to the currently best available actively secure MPC implementation over $\mathbb Z_{2^k}$.

We present a side-channel attack on CRYSTALS-Dilithium, a post-quantum secure digital signature scheme, with two variants of post-processing. The side-channel attack exploits information leakage in the secret key unpacking procedure of the signing algorithm to recover the coefficients of the polynomials in the secret key vectors ${\bf s}_1$ and ${\bf s}_2$ by profiled deep learning-assisted power analysis. In the first variant, one half of the coefficients of ${\bf s}_1$ and ${\bf s}_2$ is recovered by power analysis and the rest is derived by solving a system of linear equations based on ${\bf t} = {\bf A}{\bf s}_1 + {\bf s}_2$, where ${\bf A}$ and ${\bf t}$ are parts of the public key. This case assumes knowledge of the least significant bits of the vector ${\bf t}$, ${\bf t}_0$. The second variant waives this requirement. However, to succeed, it needs a larger portion of ${\bf s}_1$ to be recovered by power analysis. The remainder of ${\bf s}_1$ is obtained by lattice reduction. Once the full ${\bf s}_1$ is recovered, all the other information necessary for generating valid signatures can be trivially derived from the public key. We evaluate both variants on an ARM Cortex-M4 implementation of Dilithium-2. The profiling stage (trace capture and neural network training) takes less than 10 hours. In the attack assuming that ${\bf t}_0$ is known, the probability of successfully recovering the full vector ${\bf s}_1$ from a single trace captured from a different from profiling device is non-negligible (9%). The success rate approaches 100% if multiple traces are available for the attack. Our results demonstrate the necessity of protecting the secret key of CRYSTALS-Dilithium from single-trace attacks and call for a reassessment of the role of compression of the public key vector ${\bf t}$ in the security of CRYSTALS-Dilithium implementations.

This paper studies a multi-party private set union (mPSU), a fundamental cryptographic problem that allows multiple parties to compute the union of their respective datasets without revealing any additional information. We propose an efficient mPSU protocol which is secure in the presence of any number of colluding semi-honest participants. Our protocol avoids computationally expensive homomorphic operations or generic multi-party computation, thus providing an efficient solution for mPSU.

The crux of our protocol lies in the utilization of new cryptographic tools, namely, Membership Oblivious Transfer (mOT) and Conditional Oblivious Pseudorandom Function (cOPRF). We believe that the mOT and cOPRF may be of independent interest.

We implement our mPSU protocol and evaluate their performance. Our protocol shows an improvement of up to $55\times$ and $776.18\times$ bandwidth cost compared to the existing state-of-the-art protocols.

We study the following broad question about cryptographic primitives: is it possible to achieve security against an arbitrary $\mathsf{poly}(n)$-time adversary with $O(\log n)$-size messages? It is common knowledge that the answer is ``no'' unless information-theoretic security is possible. In this work, we revisit this question by considering the setting of cryptography with public information and computational security.

We obtain the following results, assuming variants of well-studied intractability assumptions:

1) A private simultaneous messages (PSM) protocol for every $f:[n]\times[n]\to\{0, 1\}$ requiring $(1+\epsilon)\log n$-bit messages for most functions and $(2+\epsilon)\log n$-bit messages for the remaining ones. We apply this towards non-interactive secure 3-party computation with similar message size in the preprocessing model, improving over previous 2-round protocols.

2) A secret-sharing scheme for any ``forbidden-graph'' access structure on $n$ nodes with $O(\log n)$ share size.

3) On the negative side, we show that computational threshold secret-sharing schemes with public information require share size $\Omega(\log \log n)$. For arbitrary access structures, we show that computational security does not help with 1-bit shares.

The above positive results guarantee that any adversary of size $n^{o(\log n)}$ achieves an $n^{-\Omega(1)}$ distinguishing advantage. We show how to make the advantage negligible by slightly increasing the asymptotic message size, still improving over all known constructions. The security of our constructions is based on the conjectured hardness of variants of the planted clique problem, which was extensively studied in the algorithms, statistical inference, and complexity theory communities. Our work provides the first applications of such assumptions improving the efficiency of mainstream cryptographic primitives, gives evidence for the necessity of such assumptions, and suggests new questions in this domain that may be of independent interest.

Recently, a novel secure quantum bit commitment (QBC) protocol has been proposed [29]. However, the protocol requires Alice and Bob to share Bell states in advance, making the protocol lacking in practicality. In this paper, we propose two new unconditionally secure quantum bit commitment protocols that do not require pre-shared Bell states based on entangled and non-entangled states, respectively. Their security stems from quantum mechanical properties such as quantum superposition, quantum entanglement, no-cloning theorem, and no-communication theorem. Furthermore, by combining the proposed QBC with Yao's quantum oblivious transfer (QOT) model, we can obtain an unconditionally secure QOT protocol.

A file system provides secure deletion if, after a file is deleted, an attacker with physical possession of the storage device cannot recover any data from the deleted file. Unfortunately, secure deletion is not provided by commodity file systems. Even file systems which explicitly desire to provide secure deletion are challenged by the subtleties of hardware controllers on modern storage devices; those controllers obscure the mappings between logical blocks and physical blocks, silently duplicate physical blocks, and generally make it hard for host-level software to make reliable assumptions about how file data is kept on the device. State-of-the-art frameworks for secure deletion also have no crash consistency, meaning that an ill-timed power outage or software fault will desynchonize keys and the associated encrypted file data, corrupting the file system.

In this paper, we present Holepunch, a new software-level approach for implementing secure deletion. Holepunch treats the storage device as a black box, providing secure deletion via cryptographic erasure. Holepunch uses per-file keys to transparently encrypt outgoing file writes and decrypt incoming file reads, ensuring that all physical data in the storage device is always encrypted. Holepunch uses puncturable pseudorandom functions (PPRFs) to quickly access file keys; upon the deletion of file $f$, Holepunch updates the PPRF so that, even if the PPRF is recovered, the PPRF cannot be used to generate $f$'s key. By using PPRFs instead of the key trees leveraged by prior work, Holepunch reduces both the memory pressure caused by key management and the number of disk IOs needed to access files. Holepunch stores its master key in secure TPM storage, and uses a novel journaling scheme to provide crash consistency between TPM state and on-disk state.

Modern secure messaging protocols typically aim to provide deniability. Achieving this requires that convincing cryptographic transcripts can be forged without the involvement of genuine users. In this work, we observe that parties may wish to revoke deniability and avow a conversation after it has taken place. We propose a new protocol called Not-on-the-Record-Yet (NOTRY) which enables users to prove a prior conversation transcript is genuine. As a key building block we propose avowable designated verifier proofs which may be of independent interest. Our implementation incurs roughly 8× communication and computation overhead over the standard Signal protocol during regular operation. We find it is nonetheless deployable in a realistic setting as key exchanges (the source of the overhead) still complete in just over 1ms on a modern computer. The avowal protocol induces only constant computation and communication performance for the communicating parties and scales linearly in the number of messages avowed for the verifier—in the tens of milliseconds per avowal.

Hard lattice problems are predominant in constructing post-quantum cryptosystems. However, we need to continue developing post-quantum cryptosystems based on other quantum hard problems to prevent a complete collapse of post-quantum cryptography due to a sudden breakthrough in solving hard lattice problems. Solving large multivariate quadratic systems is one such quantum hard problem.

Unbalanced Oil-Vinegar is a signature scheme based on the hardness of solving multivariate equations. In this work, we present a post-quantum digital signature algorithm VDOO (Vinegar-Diagonal-Oil-Oil) based on solving multivariate equations. We introduce a new layer called the diagonal layer over the oil-vinegar-based signature scheme Rainbow. This layer helps to improve the security of our scheme without increasing the parameters considerably. Due to this modification, the complexity of the main computational bottleneck of multivariate quadratic systems i.e. the Gaussian elimination reduces significantly. Thus making our scheme one of the fastest multivariate quadratic signature schemes. Further, we show that our carefully chosen parameters can resist all existing state-of-the-art attacks. The signature sizes of our scheme for the National Institute of Standards and Technology's security level of I, III, and V are 96, 226, and 316 bytes, respectively. This is the smallest signature size among all known post-quantum signature schemes of similar security.

Event date: 10 April to 12 April 2024
Submission deadline: 26 January 2024

Event date: 11 March to 15 March 2024

The Opportunity: The successful candidate will contribute to the formal security specification and design of cryptographic protocols in the Open Finance area. In Open Finance we envision multiple entities, each holding private data, that want to perform joint computation over this data to offer to customers the best possible financial products. The main goal of the project is to investigate what are the security requirements for Open Finance, and then provide a formal security specification (e.g., in the Universal Composable framework) of such a system. The successful candidate will then work on designing a protocol that matches this security definition, and in the final stage of the project, will implement part of the system, focusing on a specific use case. The candidate will be supported by members of the Business School to successfully complete the first phase of the project related to understanding the basic security requirements of an Open Finance system. The majority of the project will be related to the formal design of the system that will be supported by members of the School of Informatics. The project is funded by Input-Output Global. Candidates must have a Ph.D. (or nearing completion) in cryptography or related fields. Evidence of strong research experience as demonstrated through publications at top-tier conferences or high-impact journals is essential. We are looking for a highly motivated candidate with strong initiative and commitment to excellence, and an ability to conduct world-class research. For more info, we refer to the application page.

Application deadline 16/01/2024 23:59 GMT

Closing date for applications:

Contact: Michele Ciampi michele.ciampi@ed.ac.uk

More information: https://elxw.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1001/job/9280

We are looking for a highly motivated post-doctoral researcher in post-quantum cryptography with particular emphasis on multivariate-based cryptography.
As a recent response to the recent NIST call for new post-quantum secure signature schemes, 11 multivariate-based signature schemes were submitted. The goal of the post-doc is to focus on cryptanalysis of these submissions and more specifically on methods from algebraic geometry that can aid in breaking said systems.
Specific Skills Required: The candidate should hold a PhD degree in mathematics and/or computer science, preferably with experience in algebraic geometry and with multivariate cryptography in particular.
The position is for 1 year (with a possible extension of an extra year depending on performance) and can start on any date after 01/01/2024. You can apply for this job until 31/01/2024.

Closing date for applications:

Contact: frederik.vercauteren[at]esat.kuleuven.be

More information: https://www.esat.kuleuven.be/cosic/vacancies/

Indiana University Bloomington (IUB) invites applications for multiple, open rank tenured/tenure-track faculty positions in the field of cybersecurity in the Luddy School of Informatics, Computing, and Engineering; the Kelley School of Business; and the O’Neill School of Public and Environmental Affairs These 10‐month appointments would ideally start August 1, 2024, although the start date is negotiable. These positions are located on the campus of Indiana University, Bloomington. This is an opportunity for a leader interested in shaping the future of cybersecurity in key areas of strength at Indiana University. Of course junior faculty applicants are not expected to be PIs but to have a research agenda with clear potential and plans to pursue external funding.

Closing date for applications:

Contact: faculty1@indiana.edu

More information: https://indiana.peopleadmin.com/postings/21666

We are looking for two bright and motivated PhD students for two 3-year fully funded PhD positions starting 1 June 2024 (negotiable). The project is financed by the Independent Research Fund Denmark, and it is a collaboration between DTU, the University of Cambridge (UK), the Royal Holloway University of London (UK), and Stony Brook University (USA). It is an excellent opportunity to be involved in advanced research on cyber-security and cyber-deception, with important practical applications.

The two positions are part of the project Loki: Situational aware collaborative bio-inspired cyber-deception. This project, inspired by Norse mythology, with Loki being a shape-shifter god and a master of trickery, aims at redefining and evolving the emerging field of cyber-deception. Here, we attempt to deceive attackers by creating fake vulnerable systems that are aware of their surroundings and are constantly shifting. The project takes inspiration from nature (e.g., from the mimicry phenomenon) to synthesize sophisticated deception.

Closing date for applications:

Contact: Emmanouil Vasilomanolakis

More information: https://efzu.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/2909/?utm_medium=jobshare

We are looking for motivated, bright, and hard-working students who wish to pursue a PhD in Cryptography. The main areas of focus are zero-knowledge proofs, oblivious primitives on Trusted Execution Environments (Intel SGX, ARM TrustZone, etc.), and encrypted database query evaluation; other areas of cryptography are also possible. Ideal candidates have prior knowledge of implementing cryptographic primitives and a solid background in theoretical computer science (complexity analysis, reduction proofs, etc.). Experience in programming for TEEs is also a big plus. Interested candidates send an e-mail with your latest CV and a short paragraph on your topics of interest.

Closing date for applications:

Contact: Prof. Dimitrios Papadopoulos (dipapado at cse.ust.hk)

We are looking for a Postdoctoral Researcher who wants to join the cryptography group in the CSE Section at DTU. The successful candidate will work on the QUID-PRO project in the field of Threshold Post-Quantum Cryptography. The position will start on May 1st 2024 or later and be for two years. The candidate should hold a PhD degree in Computer Science or a related field and have a strong record related to any of the following research topics: threshold cryptography, cryptographic protocols, post-quantum cryptography.

Responsibilities and qualifications

The successful candidate will work alongside the 4 permanent researchers and currently 6 PhD students in the Cryptography Group at DTU. The main task is to explore novel efficient threshold protocols which potentially remain secure against quantum attackers or other long-term attacks. Student (bachelor/master) or PhD co-supervision can be done if desired by the candidate but is not mandatory. There is no teaching requirement, although the candidate may conduct individual lectures if desired.
The ideal candidate has:

• PhD (or equivalent) in computer science or a related field, with a specialization on cryptographic protocols, threshold cryptography or post-quantum cryptography.
• Profound knowledge and experience in either cryptographic protocols such as multiparty computation and threshold protocols, or post-quantum cryptography such as lattice-based cryptography, isogeny-based cryptography or other post-quantum techniques.
• Strong track record with publications at competitive academic conferences or journals
• Very good written and oral English skills
• Software engineering experience is not necessary, but a plus.

Salary and terms of employment

The appointment will be based on the collective agreement with the Danish Confederation of Professional Associations. The allowance will be agreed upon with the relevant union. The position will start on 1 May 2024 or later and be for two years.

Closing date for applications:

Contact: Carsten Baum

More information: https://efzu.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/2888/?utm_medium=jobshare

We are looking for a bright, ambitious, and motivated PhD student to join the cryptography group in the Cybersecurity Engineering Section at DTU Compute in the Copenhagen region of Denmark. The 3-year PhD position will preferably start on June 1st 2024 or thereafter. The goal of the PhD project is to improve the state of threshold post-quantum cryptography. You will join the growing cryptography team at DTU and be able to work with researchers in- and outside of the Copenhagen region and Denmark.

Responsibilities and qualifications

Your main task will be to design new threshold cryptographic algorithms with post-quantum security.
You will investigate distributed alternatives to existing post-quantum algorithms such as Dilithium, Falcon and Picnic, and the long-term security of threshold cryptography, in particular with respect to proactive and post-quantum security. To succeed in this research effort, you will gain familiarity with:

• post-quantum cryptographic primitives such as signatures or OPRFs
• threshold cryptographic techniques such as secret sharing and multiparty computation
• cryptographic foundations of post-quantum cryptography such as lattices, MPC-in-the-head, FHE and similar tools

In addition to the research project, you will conduct a limited amount of small-class teaching during your PhD period.
As formal qualification, you must have a two-year master's degree (120 ECTS points) or a similar degree with an academic level equivalent to a two-year master's degree.
Furthermore, to ensure a smooth start into the project, it is preferable that you have previous experience with either threshold or post-quantum cryptography.

Salary and appointment terms

The appointment will be based on the collective agreement with the Danish Confederation of Professional Associations. The allowance will be agreed upon with the relevant union. The period of employment is 3 years.
The position is a full-time position and the starting date is 1 June 2024 or according to mutual agreement.

Closing date for applications:

Contact: Carsten Baum

More information: https://efzu.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/da/sites/CX_1/job/2872/