International Association
for Cryptologic Research

IDentity-based Password Authentication and Key Establishment (ID-PAKE) is an interesting trade-off between the security and efficiency, specially due to the removal of costly Public Key Infrastructure (PKI). However, we observe that previous PAKE schemes such as Beguinet et al. (ACNS 2023), Pan et al. (ASIACRYPT 2023) , Abdallah et al. (CRYPTO 2020) etc. fail to achieve important security properties such as weak/strong Perfect Forward Secrecy (s-PFS), user authentication and resistance to replay attack. In addition, to the best of our knowledge, no previous (P)AKE (either ID- based or PKI-based (P)AKEs) could achieve s-PFS with two-rounds of communication. In this paper, we propose a highly efficient ID-PAKE scheme with s-PFS and KGC-FS using only two rounds of communication, where each party only performs a single pairing operation. We compare our work with previous single pairing-based schemes i.e. Tomida et al. (ESORICS 2019) and Lian et al. (ESORICS 2020) and show that they suffer either s-PFS, KGC-FS attack and replay attack. In order to achieve a privacy-preserving PAKE scheme, we give a fix to Lian et al. (ESORICS 2020) in terms of KGC-FS and user authentication.

We prove the security of our scheme under standard assumptions such as Discrete Logarithms (DL) and q-strong Diffie-Hellman(q-sDH) assumption in ID-eCK model. Finally, we conduct a proof-of-concept implementation of our scheme vs. previous single pairing-based schemes and show that our scheme imposes the least computation cost and stands in the middle of previous scheme regarding communication cost.

This paper presents the first Distributed Oblivious RAM (DORAM) protocol that achieves sub-logarithmic communication overhead without computational assumptions. That is, given $n$ $d$-bit memory locations, we present an information-theoretically secure protocol which requires $o(d \cdot \log(n))$ bits of communication per access (when $d = \Omega(\log^2(n)$).

This comes as a surprise, since the Goldreich-Ostrovsky lower bound shows that the related problem of Oblivious RAMs requires logarithmic overhead in the number of memory locations accessed. It was shown that this bound also applies in the multi-server ORAM setting, and therefore also applies in the DORAM setting. Achieving sub-logarithmic communication therefore requires accessing and using $\Omega(\log(n) \cdot d)$ bits of memory, without engaging in communication for each bit accessed. Techniques such as Fully Homomorphic Encryption and Function Secret Sharing allow secure selection of the relevant memory locations with small communication overhead, but introduce computational assumptions.

In this paper we show that it is possible to avoid a logarithmic communication overhead even without any computational assumptions. Concretely, we present a 3-party honest-majority DORAM that is secure against semi-honest adversaries. The protocol has communication cost $$\Theta\left((\log^2(n) + d) \cdot \frac{\log(n)}{\log(\log(n)}\right)$$ For any $d = \Omega(\log^2(n))$ the overhead is therefore $\Theta(\log(n)/\log(\log(n)))$. Additionally, we show a subtle flaw in a common approach for analyzing the security of Oblivious Hash Tables. We prove our construction secure using an alternative approach.

Since the existing tropical cryptographic protocols are either susceptible to the Kotov-Ushakov attack and its generalization, or to attacks based on tropical matrix periodicity and predictive behaviour, several attempts have been made to propose protocols that resist such attacks. Despite these attempts, many of the proposed protocols remain vulnerable to attacks targeting the underlying hidden problems, one of which we call the tropical two-sided discrete logarithm with shift. An illustrative case is the tropical Stickel protocol, which, when formulated with a single monomial instead of a polynomial, becomes susceptible to attacks based on solutions of the above mentioned tropical version of discrete logarithm. In this paper we will formally introduce the tropical two-sided discrete logarithm with shift, discuss how it is solved, and subsequently demonstrate an attack on a key exchange protocol based on the tropical semiring of pairs. This particular protocol is compromised due to the existence of efficient (albeit heuristic) solution of the tropical two-sided logarithm problem, and this highlights the ongoing challenges in search of a "good" key exchange protocol in tropical cryptography.

A secure multiparty computation (MPC) allows several parties to compute a function over their inputs while keeping their inputs private. In its basic setting, the protocol involves only parties that hold inputs. In distributed MPC, there are also external servers who perform a distributed protocol that executes the needed computation, without learning information on the inputs and outputs. Here we propose distributed protocols for several fundamental MPC functionalities. We begin with a Distributed Scalar Product (DSP) protocol for computing scalar products of private vectors. We build upon DSP in designing various protocols for Oblivious Transfer (OT): k-out-of-N OT, Priced OT, and Generalized OT. We also use DSP for Oblivious Polynomial Evaluation (OPE) and Oblivious Multivariate Polynomial Evaluation (OMPE). All those problems involve a sender and a receiver, both of whom hold private vectors; the goal is to let the receiver learn the scalar product of those two vectors. However, in each of these problems the receiver must submit a vector of a specified form. Hence, a crucial ingredient in our protocols is a sub-protocol for validating that the receiver’s vector complies with the relevant restrictions, without learning anything else on that vector. Therefore, while previous studies presented distributed protocols for 1-out-of-N OT and OPE, our protocols are the first ones that are secure against malicious receivers. Our distributed protocols for the other OT variants and for OMPE are the first ones that handle such problems. In addition, while previous art assumed semi-honest servers, we present protocols that are secure even when some of the servers are malicious. Our protocols offer information-theoretic security and they are very efficient.

In post-quantum cryptography, permutations are frequently employed to construct cryptographic primitives. Careful design and implementation of sampling random unbiased permutations is essential for efficiency and protection against side-channel attacks. Nevertheless, there is a lack of systematic research on this topic. Our work seeks to fill this gap by studying the most prominent permutation sampling algorithms and assessing their advantages and limitations. We combine theoretical and experimental comparisons and provide a C library with the implementations of the algorithms discussed. Furthermore, we introduce a new sampling algorithm tailored for cryptographic applications.

Universal thresholdizer (UT) was proposed by Boneh et al. in CRYPTO'18 as a general framework for thresholdizing non-threshold cryptographic primitives where a set of $N$ servers, each gets a share such that any set of $k$ servers, each produces a partial result, which can be combined to generate the final result. In many applications of threshold cryptography such as the protection of private keys in a digital wallet, the combining operation of partial results must be protected. In this paper, we extend the UT framework to include password authentication for such protection. We formalize the notion of password protected universal thresholdizer (PPUT) that requires the knowledge of a password to execute the protocol, propose a general construction of PPUT, and prove its security. Our construction uses threshold password authenticated key exchange (TPAKE) with simulation-based security as one of the main building blocks. We define simulation-based security of TPAKE in stand-alone model and give a construction using threshold fully-homomorphic encryption. As an application of PPUT, we propose a new primitive called password protected threshold signature. All the proposed constructions are secure in the standard model, and can be instantiated from lattices.

We explore the possibility of obtaining general-purpose obfuscation for all circuits by way of making only simple, local, functionality preserving random perturbations in the circuit structure. Towards this goal, we use the additional structure provided by reversible circuits, but no additional algebraic structure.

We start by formulating a new (and relatively weak) obfuscation task regarding the ability to obfuscate random circuits of bounded length. We call such obfuscators random input & output (RIO) obfuscators. We then show how to construct indistinguishability obfuscators for all (unbounded length) circuits given only an RIO obfuscator --- under a new assumption regarding the pseudorandomness of sufficiently long random reversible circuits with known functionality, which in turn builds on a conjecture made by Gowers (Comb. Prob. Comp. '96) regarding the pseudorandomness of bounded-size random reversible circuits. Furthermore, the constructed obfuscators satisfy a new measure of security - called random output indistinguishability (ROI) obfuscation - which is significantly stronger than IO and may be of independent interest.

We then investigate the possibility of constructing RIO obfuscators using local, functionality preserving perturbations. Our approach is rooted in statistical mechanics and can be thought of as locally ``thermalizing'' a circuit while preserving its functionality. We provide candidate constructions along with a pathway for analyzing the security of such strategies.

Given the power of program obfuscation, viability of the proposed approach would provide an alternative route to realizing almost all cryptographic tasks under hardness assumptions that are very different from standard ones. Furthermore, our specific candidate obfuscators are relatively efficient: the obfuscated version of an n-wire, m-gate (reversible) circuit with security parameter k has n wires and poly(n,k)m gates. We hope that our initial exploration will motivate further study of this alternative path to cryptography.

We study a fundamental problem in Multi-Party Computation, which we call the Multiple Millionaires’ Problem (MMP). Given a set of private integer inputs, the problem is to identify the subset of inputs that equal the maximum (or minimum) of that set, without revealing any further information on the inputs beyond what is implied by the desired output. Such a problem is a natural extension of the Millionaires’ Problem, which is the very first Multi-Party Computation problem that was presented in Andrew Yao’s seminal work [31]. A closely related problem is MaxP, in which the value of the maximum is sought. We propose several approaches towards the solution of those fundamental problems as well as concrete solutions, and compare their performance. As applications of privacy-preserving computation are more and more commonly implemented in industrial systems, MMP and MaxP become important building blocks in privacy-preserving statistics, machine learning, auctions and other domains. One of the prominent advantages of our novel protocols is their simplicity. As they solve fundamental problems that are essential building blocks in various application scenarios, we believe that our systematic study of solutions to those problems, and the comparison between them, will serve well future researchers and practitioners of secure distributed computing.

Distributed models for differential privacy (DP), such as the local and shuffle models, allow for differential privacy without having to trust a single central dataholder. They do however typically require adding more noise than the central model. One commonly iterated remark is that achieving DP with similar accuracy as in the central model is directly achievable by \textit{emulating the trusted party}, using general multiparty computation (MPC), which computes a canonical DP mechanism such as the Laplace or Gaussian mechanism. There have been a few works proposing concrete protocols for doing this but as of yet, all of them either require honest majorities, only allow passive corruptions, only allow computing aggregate functions, lack formal claims of what type of DP is achieved or are not computable in polynomial time by a finite computer. In this work, we propose the first efficiently computable protocol for emulating a dataholder running the geometric mechanism, and which retains its security and DP properties in the presence of dishonest majorities and active corruptions. To this end, we first analyse why current definitions of computational DP are unsuitable for this setting and introduce a new version of computational DP, SIM$^*$-CDP. We then demonstrate the merit of this new definition by proving that our protocol satisfies it. Further, we use the protocol to compute two-party inner products with computational DP and with similar levels of accuracy as in the central model, being the first to do so. Finally, we provide an open-sourced implementation of our protocol and benchmark its practical performance.

We present a general method to simplify soundness proofs under certain conditions. Given an adversary $\mathcal{A}$ able to break a scheme $S$ with non-negligible probability $t$, we define the concept of $\textit{trace}$ of a $\textit{winning configuration}$, which is already implicitly used in soundness proofs. If a scheme can be constructed that (1) takes a random configuration $e$, being the inputs and execution environment of $\mathcal{A}$, (2) "guesses" a trace, (3) modifies $e$ based on its guess so that the modified configuration $e'$ is statistically indistinguishable from the original one, (4) is then able to execute $\mathcal{A}$ correctly under the condition that $e'$ is a winning configuration and that $B$'s guess of the trace was correct, and finally (5) that during its execution $\mathcal{A}$ is unable extract any information about $B$'s guess, then the probability of $B$ winning can be expressed as a simple function of $t$ and the bit-length of the trace, namely $\frac{t}{2^m}$. Soundness then results if $2^m$ is polynomial in the security parameter.

To illustrate the concept, a concrete application of this method to a simple binary voting scheme is then described in detail.

Efficient polynomial multiplication routines are critical to the performance of lattice-based post-quantum cryptography (PQC). As PQC standards only recently started to emerge, CPUs still lack specialized instructions to accelerate such routines. Meanwhile, deep learning has grown immeasurably in importance. Its workloads call for teraflops-level of processing power for linear algebra operations, mainly matrix multiplication. Computer architects have responded by introducing ISA extensions, coprocessors and special-purpose cores to accelerate such operations. In particular, Apple ships an undocumented matrix-multiplication coprocessor, AMX, in hundreds of millions of mobile phones, tablets and personal computers. Our work repurposes AMX to implement polynomial multiplication and applies it to the NTRU cryptosystem, setting new speed records on the Apple M1 and M3 systems-on-chip (SoCs).

Let n stands for the length of digital signatures with quadratic multivariate public rule in n variables. We construct postquantum secure procedure to sign O(n^t), t ≥1 digital documents with the signature of size n in time O(n^{3+t}). It allows to sign O(n^t), t <1 in time O(n^4). The procedure is defined in terms of Algebraic Cryptography. Its security rests on the semigroup based protocol of Noncommutative Cryptography referring to complexity of the decomposition of the collision element into composition into given generators. The protocol uses the semigroup of Eulerian transformations of variety (K*)^n where K* is a nontrivial multiplicative group of the finite commutative ring K. Its execution complexity is O(n^3). Additionally we use this protocol to define asymmetric cryptosystem with the space of plaintexts and ciphertexts (K*)^n which allows users to encrypt and decrypt O(n^t) documents of size n in time O(n^{3+[t]}) where [x] stands for the flow function from x. Finally we suggest protocol based cryptosystem working with plaintext space (K*)^n and the space of ciphertext K^n which allows decryption of O(n^t), t>1 documents of size n in time O(n^{t+3}), t>1. The multivariate encryption map has linear degree O(n) and density O(n^4). We discuss the idea of public key with Eulerian transformations which allows to sign O(n^t), t≥0 documents in time O(n^{t+2}). The idea of delivery and usage of several Eulerian and quadratic transformations is also discussed.

Homomorphic encryption enables public computation over encrypted data. In the past few decades, homomorphic encryption has become a staple of both the theory and practice of cryptography. Nevertheless, while there is a general loose understanding of what it means for a scheme to be homomorphic, to date there is no single unifying minimal definition that captures all schemes. In this work, we propose a new definition, which we refer to as combinatorially homomorphic encryption, which attempts to give a broad base that captures the intuitive meaning of homomorphic encryption and draws a clear line between trivial and nontrivial homomorphism.

Our notion relates the ability to accomplish some task when given a ciphertext, to accomplishing the same task without the ciphertext, in the context of communication complexity. Thus, we say that a scheme is combinatorially homomorphic if there exists a communication complexity problem $f(x,y)$ (where $x$ is Alice's input and $y$ is Bob's input) which requires communication $c$, but can be solved with communication less than $c$ when Alice is given in addition also an encryption $E_k(y)$ of Bob's input (using Bob's key $k$).

We show that this definition indeed captures pre-existing notions of homomorphic encryption and (suitable variants are) sufficiently strong to derive prior known implications of homomorphic encryption in a conceptually appealing way. These include constructions of (lossy) public-key encryption from homomorphic private-key encryption, as well as collision-resistant hash functions and private information retrieval schemes.

Event date: 9 September to 13 September 2024

Event date: 5 April 2024
Submission deadline: 2 February 2024
Notification: 5 March 2024

Event date: 30 July to 2 August 2024
Submission deadline: 28 February 2024
Notification: 3 May 2024

Event date: 1 July 2024
Submission deadline: 1 July 2024

POSITION OVERVIEW Position title: Assistant Professor, Security and Privacy Salary range: The salary range for this position is $115,000 - $125,000 academic year (nine-month basis) for Assistant Professors. Starting salary is commensurate with qualifications and experience. The posted UC salary scales set the minimum pay determined by rank and/or step at appointment. “Off-scale salaries” and other components of pay, i.e., a salary that is higher than the published system-wide salary at the designated rank and step, are offered when necessary to meet competitive conditions. See salary scales titled (Faculty--Ladder Ranks-- Business/Economics/Engineering) Percent time: Full-time, 100% Anticipated start: July 1, 2024, with the academic year beginning in September 2024. Degree requirements must be met by June 30, 2025 for employment beyond that date.

Closing date for applications:

Contact: Ioannis Demertzis or Alvaro Cardenas

More information: https://recruit.ucsc.edu/JPF01635

AIT is Austria's s largest research and technology organisation for applied research, located in Vienna.
The cryptography team is conducting research in the domain of public key cryptography, including secure communication, privacy-enhancing technologies, and long-term and post-quantum security. Our research covers the full spectrum from idea creation to the development of prototypes and demonstrators.

The team is seeking to grow, and is therefore looking for a PhD-student in the fields of privacy and security in distributed systems.

Through our AIT-PhD programme with 150 internationals students, conducted in collaboration with renowned universities, applicants will have the opportunity to conduct their PhD thesis in collaboration with our experts and our national and international project partners from industry or other research institutions.

Requirements:

• Applicants are required to hold a MSc degree (or equivalent) in computer science, mathematics, or a related field
• Basic knowledge of cryptography (at least one course specializing on cryptography) is expected
• Special interest in applied research and the solution of practical problems, in particular in the areas of cryptography and information security
• High level of commitment and ability to work in a team
• Good knowledge of a programming language (e.g., C/C++, Rust, Java, Python) and software development is a plus
• Very good written and oral English skills; knowledge of German is not a requirement

AIT values diversity and is committed to equality.

The minimum gross annual salary on a full-time basis (38,5 h / week) according to the collective agreement is EUR 53.578,--. The actual salary will be determined individually, based on your qualifications and experience. In addition, we offer company benefits, flexible working conditions, individual training and career opportunities.

All applications (including cover letter and full CV) need to be submitted using the following link: https://jobs.ait.ac.at/Job/224352

Closing date for applications:

Contact: Stephan Krenn (stephan.krenn[at]ait.ac.at)

More information: https://jobs.ait.ac.at/Job/224352

The School of Cyber Science and Engineering (formerly known as the School of Information Security Engineering) of Shanghai Jiao Tong University was founded in October 2000. It was the first school-level training base for high-level information security professionals in China and was jointly established by the Ministry of Education of China, the Ministry of Science and Technology of China, and the Shanghai Municipal People’s Government. The undergraduate and postgraduate students of the school mainly come from the top 100 key high schools and 985/double first-class universities in China. The school is ranked among the best cyberspace security nationwide every year. The school has a solid foundation and strength in the field of academic research and technological innovation on cyberspace security. The school is committed to building a world-class academic research center, cultivating the talents of the country and society. The school is in great demand of a number of world renowned professors, outstanding young researchers, full-time research fellows and post-doctors. The school now has a few positions available at the rank of tenure-track Assistant/Associate Professors, tenured Full Professors as well as Research Assistants/Associates and Post-Doctors in theory and practice of cyberspace security.

Applicants should have (a) a doctoral degree in Computer Science, Electronic Engineering, Communication, Mathematics or Statistics; (b) an established track record in research and scholarship; (c) expertise in the cryptographic and security research areas; and (d) a demonstrated commitment to excellence in teaching.

The school will provide highly competitive remuneration packages and assist applicants to apply for various national, provincial and ministerial level talent programs such as “Outstanding Youth Talents Program”, Shanghai “Talents Program”,etc. We will also assist on employment of spouses, schooling for children and medical care.

Closing date for applications:

Contact:
Chaoping Xing, emial: xingcp@sjtu.edu.cn; Ni Liang, email: liangni@sjtu.edu.cn