International Association
for Cryptologic Research

A Proof of Exponentiation (PoE) allows a prover to efficiently convince a verifier that $y=x^e$ in some group of unknown order. PoEs are the basis for practical constructions of Verifiable Delay Functions (VDFs), which, in turn, are important for various higher-level protocols in distributed computing. In applications such as distributed consensus, many PoEs are generated regularly, motivating protocols for secure aggregation of batches of statements into a few statements to improve the efficiency for both parties. Rotem (TCC 2021) recently presented two such generic batch PoEs.

In this work, we introduce two batch PoEs that outperform both proposals of Rotem and we evaluate their practicality. First, we show that the two batch PoEs of Rotem can be combined to improve the overall efficiency by at least a factor of two. Second, we revisit the work of Bellare, Garay, and Rabin (EUROCRYPT 1998) on batch verification of digital signatures and show that, under the low order assumption, their bucket test can be securely adapted to the setting of groups of unknown order. The resulting batch PoE quickly outperforms the state of the art in the expected number of group multiplications with the growing number of instances, and it decreases the cost of batching by an order of magnitude already for hundreds of thousands of instances. Importantly, it is the first batch PoE that significantly decreases both the proof size and complexity of verification. Our experimental evaluations show that even a non-optimized implementation achieves such improvements, which would match the demands of real-life systems requiring large-scale PoE processing.

Finally, even though our proof techniques are conceptually similar to Rotem, we give an improved analysis of the application of the low order assumption towards secure batching of PoE instances, resulting in a tight reduction, which is important when setting the security parameter in practice.

We give an alternative derivation of (N,N)-isogenies between fast Kummer surfaces which complements existing works based on the theory of theta functions. We use this framework to produce explicit formulae for the case of N = 3, and show that the resulting algorithms are more efficient than all prior (3,3)-isogeny algorithms.

The notion of collaborative zk-SNARK is introduced by Ozdemir and Boneh (USENIX 2022), which allows multiple parties to jointly create a zk-SNARK proof over distributed secrets (also known as the witness). This approach ensures the privacy of the witness, as no corrupted servers involved in the proof generation can learn anything about the honest servers' witness. Later, Garg et al. continued the study, focusing on how to achieve faster proof generation (USENIX 2023). However, their approach requires a powerful server that is responsible for the most resource-intensive computations and communications during the proof generation. This requirement results in a scalability bottleneck, making their protocols unable to handle large-scale circuits.

In this work, we address this issue by lifting a zk-SNARK called Libra (Crypto 2019) to a collaborative zk-SNARK and achieve a fully distributed proof generation, where all servers take roughly the same portion of the total workload. Further, our protocol can be adapted to be secure against a malicious adversary by incorporating some verification mechanisms. With 128 consumer machines and a 4Gbps network, we successfully generate a proof for a data-parallel circuit containing $2^{23}$ gates in merely 2.5 seconds and take only 0.5 GB memory for each server. This represents a $19\times$ speed-up, compared to a local Libra prover. Our benchmark further indicates an impressive 877$\times$ improvement in running time and a 992$\times$ enhancement in communication compared to the implementation in previous work. Furthermore, our protocol is capable of handling larger circuits, making it scalable in practice.

To enable parallel processing, the Directed Acyclic Graph (DAG) structure is introduced to the design of asynchronous Byzantine Fault Tolerant (BFT) consensus protocols, known as DAG-based BFT. Existing DAG-based BFT protocols operate in successive waves, with each wave containing three or four Reliable Broadcast (RBC) rounds to broadcast data, resulting in high latency due to the three communication steps required in each RBC. For instance, Tusk, a state-of-the-art DAG-based BFT protocol, has a good-case latency of 7 communication steps and an expected worst latency of 21 communication steps.

To reduce latency, we propose GradedDAG, a new DAG-based BFT consensus protocol based on our adapted RBC called Graded RBC (GRBC) and the Consistent Broadcast (CBC), with each wave consisting of only one GRBC round and one CBC round. Through GRBC, a replica can deliver data with a grade of 1 or 2, and a non-faulty replica delivering the data with grade 2 can ensure that more than 2/3 of replicas have delivered the same data. Meanwhile, through CBC, data delivered by different non-faulty replicas must be identical. In each wave, a block in the GRBC round will be elected as the leader. If a leader block has been delivered with grade 2, it and all its ancestor blocks can be committed. GradedDAG offers a good-case latency of 4 communication steps and an expected worst latency of 7.5 communication steps, significantly lower than the state-of-theart. Experimental results demonstrate GradedDAG’s feasibility and efficiency.

We implement a secure platform for statistical analysis over multiple organizations and multiple datasets. We provide a suite of protocols for different variants of JOIN and GROUP-BY operations. JOIN allows combining data from multiple datasets based on a common column. GROUP-BY allows aggregating rows that have the same values in a column or a set of columns, and then apply some aggregation summary on the rows (such as sum, count, median, etc.). Both operations are fundamental tools for relational databases. One example use case of our platform is in data marketing in which an analyst would join purchase histories and membership information, and then obtain statistics, such as "Which products were bought by people earning this much per annum?"

Both JOIN and GROUP-BY involve many variants, and we design protocols for several common procedures. In particular, we propose a novel group-by-median protocol that has not been known so far. Our protocols rely on sorting protocols, and work in the honest majority setting and against malicious adversaries. To the best of our knowledge, this is the first implementation of JOIN and GROUP-BY protocols secure against a malicious adversary.

Adaptor signature is a novel cryptographic primitive which ties together the signature and the leakage of a secret value. It has become an important tool for solving the scalability and interoperability problems in the blockchain. Aumayr et al. (Asiacrypt 2021) recently provide the formalization of the adaptor signature and present a provably secure ECDSA-based adaptor signature, which requires zero-knowledge proof in the pre-signing phase to ensure the signer works correctly. However, the number of zero-knowledge proofs is linear with the number of participants.

In this paper, we propose efficient ECDSA-based adaptor signature schemes and give security proofs based on ECDSA. In our schemes, the zero-knowledge proofs in the pre-signing phase can be generated in a batch and offline. Meanwhile, the online pre-signing algorithm is similar to the ECDSA signing algorithm and can enjoy the same efficiency as ECDSA. In particular, considering specific verification scenarios, such as (batched) atomic swaps, our schemes can reduce the number of zero-knowledge proofs in the pre-signing phase to one, independent of the number of participants. Last, we conduct an experimental evaluation, demonstrating that the performance of our ECDSA-based adaptor signature reduces online pre-signing time by about 60% compared with the state-of-the-art ECDSA-based adaptor signature.

Garbled Circuit (GC) techniques usually work with Boolean circuits. Despite intense interest, efficient arithmetic generalizations of GC were only known from heavy assumptions, such as LWE.

We construct arithmetic garbled circuits from circular correlation robust hashes, the assumption underlying the celebrated Free XOR garbling technique. Let $\lambda$ denote a computational security parameter, and consider the integers $\mathbb{Z}_m$ for any $m \geq 2$. Let $\ell = \lceil \log_2 m \rceil$ be the bit length of $\mathbb{Z}_m$ values. We garble arithmetic circuits over $\mathbb{Z}_m$ where the garbling of each gate has size $O(\ell \cdot \lambda)$ bits. Constrast this with Boolean-circuit-based arithmetic, requiring $O(\ell^2\cdot \lambda)$ bits via the schoolbook multiplication algorithm, or $O(\ell^{1.585}\cdot \lambda)$ bits via Karatsuba's algorithm.

Our arithmetic gates are compatible with Boolean operations and with Garbled RAM, allowing to garble complex programs of arithmetic values.

Event date: 14 March to 15 March 2024
Submission deadline: 18 February 2024
Notification: 26 February 2024

Event date: 14 August to 16 August 2024
Submission deadline: 10 March 2024
Notification: 31 May 2024

Our modern society relies upon numerous electronic devices that use encryption to communicate and operate securely. However, even strong cryptography can break when the device hardware is attacked. Thus, the University of Amsterdam is looking for a strong MSc graduate that is interested in Side-Channel Analysis, Hardware Security and Cryptographic Implementations.

What are you going to do?

Conduct high-quality research in the field of Side-Channel Analysis and Cryptographic Engineering, resulting in academic publications in peer-reviewed international conferences

Contribute to the open-source teaching material in our Bachelor and Master courses (in English)

Meet regularly with your academic supervisor and the international team to discuss and analyse the technical details of your ongoing research

Perform research-oriented internships in the industry

Your experience and profile:

Completed or soon-to-be-completed MSc in Computer Security, Computer Science, Mathematics, Computer Engineering, Electrical Engineering or related discipline

Strong interest in learning hardware security, applied cryptography and side-channel analysis, through regular tutoring by the academic supervisor

Background in Machine Learning, Signal Processing and/or background in Cryptography, Computer Security

Fluency in oral and written English, good presentation skills

Apply using the link:

https://vacatures.uva.nl/UvA/job/PhD-in-Side-Channel-Analysis/786914702/

Closing date for applications:

Contact: Kostas Papagiannopoulos, k.papagiannopoulos@uva.nl, kostaspap88@gmail.com

More information: https://vacatures.uva.nl/UvA/job/PhD-in-Side-Channel-Analysis/786914702/

The Young Investigator Group “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has open PhD/Postdoc positions in the following areas:

• Privacy-enhancing technologies in cyber-physical systems.
• AI-based network attack detection and simulation
• AI-enabled penetration testing

The available positions are funded as 100% TV-L E13 tariff in Germany and limited until 31.07.2026, with possibility for extension. Candidates must hold a Master’s degree (PhD degree for Postdocs) or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. Applications will be reviewed until the positions are filled.

Closing date for applications:

Contact: Ivan Pryvalov (ivan.pryvalov@b-tu.de)

We are looking for two motivated PhD students in the area of cryptography. The candidates will work at the Institute of Cybersecurity and Cryptology at the University of Wollongong. The research topic is public-key cryptography, especially about post-quantum cryptography and privacy-preserving cryptography. The positions are fully funded and will start at 1st July 2024 or thereafter. The period of the position is 3 years. The applicants should have a solid background in Computer Science or Mathematics (or relevant fields). Furthermore, it is preferable that the applicants have some research experience in the field of (public-key) cryptography. If interested, please send your CV, transcripts and a short paragraph about your research background and research interest to contact.

Closing date for applications:

Contact: Dr. Zuoxia Yu (given name_first name at uow.edu.au)

The Security and Privacy Research Unit at TU Wien is offering a fully funded PhD position in Formal Methods for Security and Privacy under the supervision of Univ.-Prof. Dr. Matteo Maffei.
Your profile:

• Master degree in computer science or equivalent (degree completion by employment start)
• Excellent English, communication, and teamwork skills
• Background in formal methods (e.g., automated reasoning, type systems, or proof assistants) or cryptography
• Experience in research is a plus

We offer:

• A job in an internationally renowned group, which regularly publishes in top security venues, and consists of an international, diverse, and inclusive team with expertise in formal methods, cryptography, security, privacy, and blockchains
• Diverse research topics in formal methods for security and privacy, with a specific focus on cryptographic protocols and blockchains
• An international English-speaking environment (German not required)
• A competitive salary
• Flexible hours

Applications are to be performed online (https://tools.spycode.at/recruiting/call/5). The application material should include:

• Motivation letter
• Bachelor/Master’s transcripts
• Publication list (if available)
• Curriculum vitae
• Contact information for two referees

We strongly encourage applications from underrepresented groups. Applications are welcome until the position is filled. The applications will be evaluated in a bi-weekly fashion, and applicants will be contacted only in case they are selected for an interview.

Closing date for applications:

Contact: Univ.-Prof. Dr. Matteo Maffei

More information: https://tools.spycode.at/recruiting/call/5

We are looking for a junior professor (tenure track) in privacy technologies. More specifically this research will concentrate on privacy technologies with an integrated view on technical, legal and user aspects. The research program should address privacy enhancing technologies focusing on one or more of the following areas: computing on encrypted data (MPC, FHE, ..), zero-knowledge protocols, identity management, privacy-friendly authentication protocols, network level privacy, distributed ledgers, and context-based services. It is expected that the research touches a broad range of application areas. As a junior researcher you will be appointed as tenure track assistant professor (“tenure track docent”) for a period of 5 years, starting in 2024Q4. After this period and a positive evaluation, you obtain a tenured position as associate professor.

Closing date for applications:

Contact: Bart.Preneel@kuleuven.be, Vincent.Rijmen@kuleuven.be

We are looking for a postdoc with expertise on electronic-voting or related topics. The successful post holder is expected to start 1 May 2024 or as soon as possible thereafter and will run until 31st October 2026. The position will be based in the Department of Computer Science and its highly regarded Surrey Centre for Cyber Security (SCCS), working with Dr. Cătălin Drăgan.

The Surrey Centre for Cyber Security (SCCS) is a widely recognized centre of excellence for cyber security research and teaching. There are approximately 17 permanent academic members and 15 non-academic researchers with expertise on voting, formal modelling and verification, applied cryptography, trust systems, social media, communication and networks, and blockchain and distributed ledger technologies over key sectors such as government, finance, communications, transport and cross-sector technologies.

Qualifications:

• We are looking for applicants that demonstrate strong research and analytical skills, have strong communication skills and enthusiasm for developing their own research ideas.
• Applicants should have expertise in one of the following areas: e-voting, or formal verification of cryptographic protocols, or provable security.
• A PhD in Computer Science, Mathematics, or other closely related area (or be on course of getting one very soon at the time of application).

To apply use https://jobs.surrey.ac.uk/Vacancy.aspx?id=13834

For informal enquiries and further information please contact Dr. Cătălin Drăgan.

Closing date for applications:

Contact: Dr. Cătălin Drăgan c.dragan@surrey.ac.uk

More information: https://jobs.surrey.ac.uk/Vacancy.aspx?id=13834

Description
As Cryptographic Engineering Lead you are responsible for defining the roadmap for cryptographic innovation consistent with the requirements of different projects that are developed in the company and delivering of the cryptographic primitives implementation.
Duties

Define a short, mid and long term roadmap for implementation of cryptographic primitives.

Synchronize with the Technical Manager, and CTO to validate the roadmap, requirements and strategy for the cryptographic engineering team.

Interact and coordinate with research, engineering and product management teams.

Define and structure the team that is required to satisfy this roadmap.

Manage a team of cryptographers, organize the development methodologies and enforce the best practices defined by the engineering division.

Provide secure implementations of the cryptographic primitives that are required by IO projects.

Read and review cryptographic research papers and contribute when possible to implement them as prototypes.

Design, specify, implement, improve cryptographic primitives in production-grade software.

Review, integrate, improve common cryptographic primitives, and translate them to other programming languages
Key Competencies

Senior expertise in developing cryptographic primitives in C/C++ and Rust

Senior expertise in standard cryptography domains Ability to learn new domains like zero knowledge proofs and MPC and project innovation roadmaps

Understanding and experience of implementing cryptographic primitives delivered by researchers

Experience with formal verification and security audits of cryptographic libraries

Expertise in security best practices

Experience with quick check or other property-based testing Ability to manage multiple projects simultaneously
Education / Experience

A Master or PhD degree such as computer science, software engineering, mathematics or a related technical discipline. A solid experience in managing small teams of cryptographic engineers.

Closing date for applications:

Contact: marios.nicolaides@iohk.io

More information: https://apply.workable.com/io-global/j/A7EE304D9F/

We are looking for candidates to work in a digital trust project. The candidates are expected to meet the following requirements.

* A PhD degree in computer science or related fields

* Good background in cybersecurity and digital forensics.

* Experience in biometric-based authentication for smartphone users.

* Practical experience in machine learning and AI.

* Strong analytical skill.

* Publication records in *top* cybersecurity conferences/journals.

* Good programming skill in C/C++ and Python/Java.

* Excellent communication and writing skills in English.

* Great team player.

Only short-listed candidates will be contacted for interview. Successful candidates will be offered internationally competitive remuneration. Interested candidates please send your CV to Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg].

Closing date for applications:

Contact: Prof. Jianying Zhou [jianying_zhou@sutd.edu.sg].

More information: http://jianying.space/

After NIST’s selection of Dilithium as the primary future standard for quantum-secure digital signatures, increased efforts to understand its implementation security properties are required to enable widespread adoption on embedded devices. Concretely, there are still many open questions regarding the susceptibility of Dilithium to fault attacks. This is especially the case for Dilithium’s randomized (or hedged) signing mode, which, likely due to devastating implementation attacks on the deterministic mode, was selected as the default by NIST. This work takes steps towards closing this gap by presenting two new key-recovery fault attacks on randomized/hedged Dilithium. Both attacks are based on the idea of correcting faulty signatures after signing. A successful correction yields the value of a secret intermediate that carries information on the key. After gathering many faulty signatures and corresponding correction values, it is possible to solve for the signing key via either simple linear algebra or lattice-reduction techniques. Our first attack extends a previously published attack based on an instruction-skipping fault to the randomized setting. Our second attack injects faults in the matrix A, which is part of the public key. As such, it is not sensitive to side-channel leakage and has, potentially for this reason, not seen prior analysis regarding faults. We show that for Dilithium2, the attacks allow key recovery with as little as 1024 and 512 faulty signatures, respectively, with each signature generated by injecting a single targeted fault. We also demonstrate how our attacks can be adapted to circumvent several popular fault countermeasures with a moderate increase in the computational runtime and the number of required faulty signatures. These results are verified using both simulated faults and clock glitches on an ARM-based microcontroller. The presented attacks demonstrate that also randomized Dilithium can be subject to diverse fault attacks, that certain countermeasures might be easily bypassed, and that potential fault targets reach beyond side-channel sensitive operations. Still, many further operations are likely also susceptible, implying the need for increased analysis efforts in the future.

We study sleepy consensus in the known participation model, where replicas are aware of the minimum number of awake honest replicas. Compared to prior works that almost all assume the unknown participation model, we provide a fine-grained treatment of sleepy consensus in the known participation model and show some interesting results. First, we present a synchronous atomic broadcast protocol with $5\Delta+2\delta$ expected latency and $2\Delta+2\delta$ best-case latency, where $\Delta$ is the bound on network delay and $\delta$ is the actual network delay. In contrast, the best-known result in the unknown participation model (MMR, CCS 2023) achieves $14\Delta$ latency, more than twice the latency of our protocol. Second, in the partially synchronous network (the value of $\Delta$ is unknown), we show that without changing the conventional $n \geq 3f+1$ assumption, one can only obtain a secure sleepy consensus by making the stable storage assumption (where replicas need to store intermediate consensus parameters in stable storage). Finally, still in the partially synchronous network but not assuming stable storage, we prove the bounds on $n \geq 3f+2s+1$ without the global awake time (GAT) assumption (all honest replicas become awake after GAT) and $n \geq 3f+s+1$ with the GAT assumption, where $s$ is the maximum number of honest replicas that may become asleep simultaneously. Using these bounds, we transform HotStuff (PODC 2019) into a sleepy consensus protocol via a timeoutQC mechanism and a low-cost recovery protocol.

Secure transformer inference has emerged as a prominent research topic following the proliferation of ChatGPT. Existing solutions are typically interactive, involving substantial communication load and numerous interaction rounds between the client and the server.

In this paper, we propose NEXUS the first non-interactive protocol for secure transformer inference, where the client is only required to submit an encrypted input and await the encrypted result from the server. Central to NEXUS are two innovative techniques: SIMD ciphertext compression/decompression, and SIMD slots folding. Consequently, our approach achieves a speedup of 2.8$\times$ and a remarkable bandwidth reduction of 368.6$\times$, compared to the state-of-the-art solution presented in S&P '24.