International Association
for Cryptologic Research

Adaptor signature is a novel cryptographic primitive which ties together the signature and the leakage of a secret value. It has become an important tool for solving the scalability and interoperability problems in the blockchain. Aumayr et al. (Asiacrypt 2021) recently provide the formalization of the adaptor signature and present a provably secure ECDSA-based adaptor signature, which requires zero-knowledge proof in the pre-signing phase to ensure the signer works correctly. However, the number of zero-knowledge proofs is linear with the number of participants.

In this paper, we propose efficient ECDSA-based adaptor signature schemes and give security proofs based on ECDSA. In our schemes, the zero-knowledge proofs in the pre-signing phase can be generated in a batch and offline. Meanwhile, the online pre-signing algorithm is similar to the ECDSA signing algorithm and can enjoy the same efficiency as ECDSA. In particular, considering specific verification scenarios, such as (batched) atomic swaps, our schemes can reduce the number of zero-knowledge proofs in the pre-signing phase to one, independent of the number of participants. Last, we conduct an experimental evaluation, demonstrating that the performance of our ECDSA-based adaptor signature reduces online pre-signing time by about 60% compared with the state-of-the-art ECDSA-based adaptor signature.

Garbled Circuit (GC) techniques usually work with Boolean circuits. Despite intense interest, efficient arithmetic generalizations of GC were only known from heavy assumptions, such as LWE.

We construct arithmetic garbled circuits from circular correlation robust hashes, the assumption underlying the celebrated Free XOR garbling technique. Let $\lambda$ denote a computational security parameter, and consider the integers $\mathbb{Z}_m$ for any $m \geq 2$. Let $\ell = \lceil \log_2 m \rceil$ be the bit length of $\mathbb{Z}_m$ values. We garble arithmetic circuits over $\mathbb{Z}_m$ where the garbling of each gate has size $O(\ell \cdot \lambda)$ bits. Constrast this with Boolean-circuit-based arithmetic, requiring $O(\ell^2\cdot \lambda)$ bits via the schoolbook multiplication algorithm, or $O(\ell^{1.585}\cdot \lambda)$ bits via Karatsuba's algorithm.

Our arithmetic gates are compatible with Boolean operations and with Garbled RAM, allowing to garble complex programs of arithmetic values.

Event date: 14 March to 15 March 2024
Submission deadline: 18 February 2024
Notification: 26 February 2024

Event date: 14 August to 16 August 2024
Submission deadline: 10 March 2024
Notification: 31 May 2024

Our modern society relies upon numerous electronic devices that use encryption to communicate and operate securely. However, even strong cryptography can break when the device hardware is attacked. Thus, the University of Amsterdam is looking for a strong MSc graduate that is interested in Side-Channel Analysis, Hardware Security and Cryptographic Implementations.

What are you going to do?

Conduct high-quality research in the field of Side-Channel Analysis and Cryptographic Engineering, resulting in academic publications in peer-reviewed international conferences

Contribute to the open-source teaching material in our Bachelor and Master courses (in English)

Meet regularly with your academic supervisor and the international team to discuss and analyse the technical details of your ongoing research

Perform research-oriented internships in the industry

Your experience and profile:

Completed or soon-to-be-completed MSc in Computer Security, Computer Science, Mathematics, Computer Engineering, Electrical Engineering or related discipline

Strong interest in learning hardware security, applied cryptography and side-channel analysis, through regular tutoring by the academic supervisor

Background in Machine Learning, Signal Processing and/or background in Cryptography, Computer Security

Fluency in oral and written English, good presentation skills

Apply using the link:

https://vacatures.uva.nl/UvA/job/PhD-in-Side-Channel-Analysis/786914702/

Closing date for applications:

Contact: Kostas Papagiannopoulos, k.papagiannopoulos@uva.nl, kostaspap88@gmail.com

More information: https://vacatures.uva.nl/UvA/job/PhD-in-Side-Channel-Analysis/786914702/

The Young Investigator Group “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has open PhD/Postdoc positions in the following areas:

• Privacy-enhancing technologies in cyber-physical systems.
• AI-based network attack detection and simulation
• AI-enabled penetration testing

The available positions are funded as 100% TV-L E13 tariff in Germany and limited until 31.07.2026, with possibility for extension. Candidates must hold a Master’s degree (PhD degree for Postdocs) or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. Applications will be reviewed until the positions are filled.

Closing date for applications:

Contact: Ivan Pryvalov (ivan.pryvalov@b-tu.de)

We are looking for two motivated PhD students in the area of cryptography. The candidates will work at the Institute of Cybersecurity and Cryptology at the University of Wollongong. The research topic is public-key cryptography, especially about post-quantum cryptography and privacy-preserving cryptography. The positions are fully funded and will start at 1st July 2024 or thereafter. The period of the position is 3 years. The applicants should have a solid background in Computer Science or Mathematics (or relevant fields). Furthermore, it is preferable that the applicants have some research experience in the field of (public-key) cryptography. If interested, please send your CV, transcripts and a short paragraph about your research background and research interest to contact.

Closing date for applications:

Contact: Dr. Zuoxia Yu (given name_first name at uow.edu.au)

The Security and Privacy Research Unit at TU Wien is offering a fully funded PhD position in Formal Methods for Security and Privacy under the supervision of Univ.-Prof. Dr. Matteo Maffei.
Your profile:

• Master degree in computer science or equivalent (degree completion by employment start)
• Excellent English, communication, and teamwork skills
• Background in formal methods (e.g., automated reasoning, type systems, or proof assistants) or cryptography
• Experience in research is a plus

We offer:

• A job in an internationally renowned group, which regularly publishes in top security venues, and consists of an international, diverse, and inclusive team with expertise in formal methods, cryptography, security, privacy, and blockchains
• Diverse research topics in formal methods for security and privacy, with a specific focus on cryptographic protocols and blockchains
• An international English-speaking environment (German not required)
• A competitive salary
• Flexible hours

Applications are to be performed online (https://tools.spycode.at/recruiting/call/5). The application material should include:

• Motivation letter
• Bachelor/Master’s transcripts
• Publication list (if available)
• Curriculum vitae
• Contact information for two referees

We strongly encourage applications from underrepresented groups. Applications are welcome until the position is filled. The applications will be evaluated in a bi-weekly fashion, and applicants will be contacted only in case they are selected for an interview.

Closing date for applications:

Contact: Univ.-Prof. Dr. Matteo Maffei

More information: https://tools.spycode.at/recruiting/call/5

We are looking for a junior professor (tenure track) in privacy technologies. More specifically this research will concentrate on privacy technologies with an integrated view on technical, legal and user aspects. The research program should address privacy enhancing technologies focusing on one or more of the following areas: computing on encrypted data (MPC, FHE, ..), zero-knowledge protocols, identity management, privacy-friendly authentication protocols, network level privacy, distributed ledgers, and context-based services. It is expected that the research touches a broad range of application areas. As a junior researcher you will be appointed as tenure track assistant professor (“tenure track docent”) for a period of 5 years, starting in 2024Q4. After this period and a positive evaluation, you obtain a tenured position as associate professor.

Closing date for applications:

Contact: Bart.Preneel@kuleuven.be, Vincent.Rijmen@kuleuven.be

We are looking for a postdoc with expertise on electronic-voting or related topics. The successful post holder is expected to start 1 May 2024 or as soon as possible thereafter and will run until 31st October 2026. The position will be based in the Department of Computer Science and its highly regarded Surrey Centre for Cyber Security (SCCS), working with Dr. Cătălin Drăgan.

The Surrey Centre for Cyber Security (SCCS) is a widely recognized centre of excellence for cyber security research and teaching. There are approximately 17 permanent academic members and 15 non-academic researchers with expertise on voting, formal modelling and verification, applied cryptography, trust systems, social media, communication and networks, and blockchain and distributed ledger technologies over key sectors such as government, finance, communications, transport and cross-sector technologies.

Qualifications:

• We are looking for applicants that demonstrate strong research and analytical skills, have strong communication skills and enthusiasm for developing their own research ideas.
• Applicants should have expertise in one of the following areas: e-voting, or formal verification of cryptographic protocols, or provable security.
• A PhD in Computer Science, Mathematics, or other closely related area (or be on course of getting one very soon at the time of application).

To apply use https://jobs.surrey.ac.uk/Vacancy.aspx?id=13834

For informal enquiries and further information please contact Dr. Cătălin Drăgan.

Closing date for applications:

Contact: Dr. Cătălin Drăgan c.dragan@surrey.ac.uk

More information: https://jobs.surrey.ac.uk/Vacancy.aspx?id=13834

Description
As Cryptographic Engineering Lead you are responsible for defining the roadmap for cryptographic innovation consistent with the requirements of different projects that are developed in the company and delivering of the cryptographic primitives implementation.
Duties

Define a short, mid and long term roadmap for implementation of cryptographic primitives.

Synchronize with the Technical Manager, and CTO to validate the roadmap, requirements and strategy for the cryptographic engineering team.

Interact and coordinate with research, engineering and product management teams.

Define and structure the team that is required to satisfy this roadmap.

Manage a team of cryptographers, organize the development methodologies and enforce the best practices defined by the engineering division.

Provide secure implementations of the cryptographic primitives that are required by IO projects.

Read and review cryptographic research papers and contribute when possible to implement them as prototypes.

Design, specify, implement, improve cryptographic primitives in production-grade software.

Review, integrate, improve common cryptographic primitives, and translate them to other programming languages
Key Competencies

Senior expertise in developing cryptographic primitives in C/C++ and Rust

Senior expertise in standard cryptography domains Ability to learn new domains like zero knowledge proofs and MPC and project innovation roadmaps

Understanding and experience of implementing cryptographic primitives delivered by researchers

Experience with formal verification and security audits of cryptographic libraries

Expertise in security best practices

Experience with quick check or other property-based testing Ability to manage multiple projects simultaneously
Education / Experience

A Master or PhD degree such as computer science, software engineering, mathematics or a related technical discipline. A solid experience in managing small teams of cryptographic engineers.

Closing date for applications:

Contact: marios.nicolaides@iohk.io

More information: https://apply.workable.com/io-global/j/A7EE304D9F/

We are looking for candidates to work in a digital trust project. The candidates are expected to meet the following requirements.

* A PhD degree in computer science or related fields

* Good background in cybersecurity and digital forensics.

* Experience in biometric-based authentication for smartphone users.

* Practical experience in machine learning and AI.

* Strong analytical skill.

* Publication records in *top* cybersecurity conferences/journals.

* Good programming skill in C/C++ and Python/Java.

* Excellent communication and writing skills in English.

* Great team player.

Only short-listed candidates will be contacted for interview. Successful candidates will be offered internationally competitive remuneration. Interested candidates please send your CV to Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg].

Closing date for applications:

Contact: Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg].

More information: http://jianying.space/

After NIST’s selection of Dilithium as the primary future standard for quantum-secure digital signatures, increased efforts to understand its implementation security properties are required to enable widespread adoption on embedded devices. Concretely, there are still many open questions regarding the susceptibility of Dilithium to fault attacks. This is especially the case for Dilithium’s randomized (or hedged) signing mode, which, likely due to devastating implementation attacks on the deterministic mode, was selected as the default by NIST. This work takes steps towards closing this gap by presenting two new key-recovery fault attacks on randomized/hedged Dilithium. Both attacks are based on the idea of correcting faulty signatures after signing. A successful correction yields the value of a secret intermediate that carries information on the key. After gathering many faulty signatures and corresponding correction values, it is possible to solve for the signing key via either simple linear algebra or lattice-reduction techniques. Our first attack extends a previously published attack based on an instruction-skipping fault to the randomized setting. Our second attack injects faults in the matrix A, which is part of the public key. As such, it is not sensitive to side-channel leakage and has, potentially for this reason, not seen prior analysis regarding faults. We show that for Dilithium2, the attacks allow key recovery with as little as 1024 and 512 faulty signatures, respectively, with each signature generated by injecting a single targeted fault. We also demonstrate how our attacks can be adapted to circumvent several popular fault countermeasures with a moderate increase in the computational runtime and the number of required faulty signatures. These results are verified using both simulated faults and clock glitches on an ARM-based microcontroller. The presented attacks demonstrate that also randomized Dilithium can be subject to diverse fault attacks, that certain countermeasures might be easily bypassed, and that potential fault targets reach beyond side-channel sensitive operations. Still, many further operations are likely also susceptible, implying the need for increased analysis efforts in the future.

We study sleepy consensus in the known participation model, where replicas are aware of the minimum number of awake honest replicas. Compared to prior works that almost all assume the unknown participation model, we provide a fine-grained treatment of sleepy consensus in the known participation model and show some interesting results. First, we present a synchronous atomic broadcast protocol with $5\Delta+2\delta$ expected latency and $2\Delta+2\delta$ best-case latency, where $\Delta$ is the bound on network delay and $\delta$ is the actual network delay. In contrast, the best-known result in the unknown participation model (MMR, CCS 2023) achieves $14\Delta$ latency, more than twice the latency of our protocol. Second, in the partially synchronous network (the value of $\Delta$ is unknown), we show that without changing the conventional $n \geq 3f+1$ assumption, one can only obtain a secure sleepy consensus by making the stable storage assumption (where replicas need to store intermediate consensus parameters in stable storage). Finally, still in the partially synchronous network but not assuming stable storage, we prove the bounds on $n \geq 3f+2s+1$ without the global awake time (GAT) assumption (all honest replicas become awake after GAT) and $n \geq 3f+s+1$ with the GAT assumption, where $s$ is the maximum number of honest replicas that may become asleep simultaneously. Using these bounds, we transform HotStuff (PODC 2019) into a sleepy consensus protocol via a timeoutQC mechanism and a low-cost recovery protocol.

Secure transformer inference has emerged as a prominent research topic following the proliferation of ChatGPT. Existing solutions are typically interactive, involving substantial communication load and numerous interaction rounds between the client and the server.

In this paper, we propose NEXUS the first non-interactive protocol for secure transformer inference, where the client is only required to submit an encrypted input and await the encrypted result from the server. Central to NEXUS are two innovative techniques: SIMD ciphertext compression/decompression, and SIMD slots folding. Consequently, our approach achieves a speedup of 2.8$\times$ and a remarkable bandwidth reduction of 368.6$\times$, compared to the state-of-the-art solution presented in S&P '24.

The implementation security of post-quantum cryptography (PQC) algorithms has emerged as a critical concern with the PQC standardization process reaching its end. In a side-channel-assisted chosen-ciphertext attack, the attacker builds linear inequalities on secret key components and uses the belief propagation (BP) algorithm to solve. The number of inequalities leverages the query complexity of the attack, so the fewer the better. In this paper, we use the PQC standard algorithm Kyber512 as a study case to construct bilateral inequalities on key variables with substantially narrower intervals using a side-channel-assisted oracle. The number of such inequalities required to recover the key with probability 1 utilizing the BP algorithm is reduced relative to previous unilateral inequalities. Furthermore, we introduce strategies aimed at further refining the interval of inequalities. Diving into the BP algorithm, we discover a measure metric named JSD-metric that can gauge the tightness of an inequality. We then develop a heuristic strategy and a machine learning-based strategy to utilize the JSD-metrics to contract boundaries of inequalities even with fewer inequalities given, thus improving the information carried by the system of linear inequalities. This contraction strategy is at the algorithmic level and has the potential to be employed in all attacks endeavoring to establish a system of inequalities concerning key variables.

The conventional Byzantine fault tolerance (BFT) paradigm requires replicated state machines to execute deterministic operations only. In practice, numerous applications and scenarios, especially in the era of blockchains, contain various sources of non-determinism. Despite decades of research on BFT, we still lack an efficient and easy-to-deploy solution for BFT with non-determinism—BFT-ND, especially in the asynchronous setting. We revisit the problem of BFT-ND and provide a formal and asynchronous treatment of BFT-ND. In particular, we design and implement Block-ND that insightfully separates the task of agreeing on the order of transactions from the task of agreement on the state: Block-ND allows reusing existing BFT implementations; on top of BFT, we reduce the agreement on the state to multivalued Byzantine agreement (MBA), a somewhat neglected primitive by practical systems. Block-ND is completely asynchronous as long as the underlying BFT is asynchronous. We provide a new MBA construction significantly faster than existing MBA constructions. We instantiate Block-ND in both the partially synchronous setting (with PBFT, OSDI 1999) and the purely asynchronous setting (with PACE, CCS 2022). Via a 91-instance WAN deployment on Amazon EC2, we show that Block-ND has only marginal performance degradation compared to conventional BFT.

Symmetric cryptography primitives are constructed by iterative applications of linear and nonlinear layers. Constructing efficient circuits for these layers, even for the linear one, is challenging. In 1997, Paar proposed a heuristic to minimize the number of XORs (modulo 2 addition) necessary to implement linear layers. In this study, we slightly modify Paar’s heuristics to find implementations for nonlinear Boolean functions, in particular to homogeneous Boolean functions. Additionally, we show how this heuristic can be used to construct circuits for generic Boolean functions with small number of AND gates, by exploiting affine equivalence relations.

Although having been popular for a long time, Byzantine Fault Tolerance (BFT) consensus under the partially-synchronous network is denounced to be inefficient or even infeasible in recent years, which calls for a more robust asynchronous consensus. On the other hand, almost all the existing asynchronous consensus are too complicated to understand and even suffer from the termination problem. Motivated by the above problems, we propose SimpleFT in this paper, which is a simple asynchronous consensus and is mainly inspired by the simplicity of the Bitcoin protocol. With a re-understanding of the Bitcoin protocol, we disassemble the life cycle of a block into three phases, namely proposal, dissemination, and confirmation. Corresponding to these phases, we devise or introduce the sortition algorithm, reliable broadcast algorithm, and quorum certificate mechanism in SimpleFT, respectively. To make full use of the network resources and improve the system throughput, we further introduce the layered architecture to SimpleFT, which enables multiple blocks to be confirmed at the same height. Comprehensive analysis is made to validate the correctness of SimpleFT and various experiments are conducted to demonstrate its efficient performance.

The transition to post-quantum cryptography has been an enormous challenge and effort for cryptographers over the last decade, with impressive results such as the future NIST standards. However, the latter has so far only considered central cryptographic mechanisms (signatures or KEM) and not more advanced ones, e.g., targeting privacy-preserving applications. Of particular interest is the family of solutions called blind signatures, group signatures and anonymous credentials, for which standards already exist, and which are deployed in billions of devices. Such a family does not have, at this stage, an efficient post-quantum counterpart although very recent works improved this state of affairs by offering two different alternatives: either one gets a system with rather large elements but a security proved under standard assumptions or one gets a more efficient system at the cost of ad-hoc interactive assumptions or weaker security models. Moreover, all these works have only considered size complexity without implementing the quite complex building blocks their systems are composed of. In other words, the practicality of such systems is still very hard to assess, which is a problem if one envisions a post-quantum transition for the corresponding systems/standards.

In this work, we propose a construction of so-called signature with efficient protocols (SEP), which is the core of such privacy-preserving solutions. By revisiting the approach by Jeudy et al. (Crypto 2023) we manage to get the best of the two alternatives mentioned above, namely short sizes with no compromise on security. To demonstrate this, we plug our SEP in an anonymous credential system, achieving credentials of less than 80 KB. In parallel, we fully implemented our system, and in particular the complex zero-knowledge framework of Lyubashevsky et al. (Crypto'22), which has, to our knowledge, not be done so far. Our work thus not only improves the state-of-the-art on privacy-preserving solutions, but also significantly improves the understanding of efficiency and implications for deployment in real-world systems.