International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

29 July 2024

Jelle Vos, Mauro Conti, Zekeriya Erkin
ePrint Report ePrint Report
A common misconception is that the computational abilities of circuits composed of additions and multiplications are restricted to simple formulas only. Such arithmetic circuits over finite fields are actually capable of computing any function, including equality checks, comparisons, and other highly non-linear operations. While all those functions are computable, the challenge lies in computing them efficiently. We refer to this search problem as arithmetization. Arithmetization is a key problem in secure computation, as techniques like homomorphic encryption and secret sharing compute arithmetic circuits rather than the high-level programs that programmers are used to. The objective in arithmetization has typically been to minimize the number of multiplications (multiplicative size), as multiplications in most secure computation techniques are significantly more expensive to compute than additions. However, the multiplicative depth of a circuit arguably plays an even more important role in deciding the computational cost: For homomorphic encryption, it strongly affects the choice of cryptographic parameters and the number of bootstrapping operations required, which are orders of magnitude more expensive to compute than multiplications. In fact, if we can limit the multiplicative depth of a circuit such that we do not need to perform any bootstrapping, we can omit the large bootstrapping keys required to perform them all together. We argue that arithmetization should be treated as a multi-objective minimization problem, in which a trade-off can be made between a circuit's multiplicative size and depth. We present efficient depth-aware arithmetization methods for many primitive operations such as exponentiation, univariate functions, equality checks, comparisons, and ANDs and ORs, which take into account that squaring can be cheaper than arbitrary multiplications, and we study how to compose them.
Expand
Theophilus Agama
ePrint Report ePrint Report
Exploiting the notion of carries, we obtain improved upper bounds for the length of the shortest addition chains $\iota(2^n-1)$ producing $2^n-1$. Most notably, we show that if $2^n-1$ has carries of degree at most $$\kappa(2^n-1)=\frac{1}{2}(\iota(n)-\lfloor \frac{\log n}{\log 2}\rfloor+\sum \limits_{j=1}^{\lfloor \frac{\log n}{\log 2}\rfloor}\{\frac{n}{2^j}\})$$ then the inequality $$\iota(2^n-1)\leq n+1+\sum \limits_{j=1}^{\lfloor \frac{\log n}{\log 2}\rfloor}\bigg(\{\frac{n}{2^j}\}-\xi(n,j)\bigg)+\iota(n)$$ holds for all $n\in \mathbb{N}$ with $n\geq 4$, where $\iota(\cdot)$ denotes the length of the shortest addition chain producing $\cdot$, $\{\cdot\}$ denotes the fractional part of $\cdot$ and where $\xi(n,1):=\{\frac{n}{2}\}$ with $\xi(n,2)=\{\frac{1}{2}\lfloor \frac{n}{2}\rfloor\}$ and so on.
Expand

28 July 2024

Sapporo, Japan, 17 December - 19 December 2024
Event Calendar Event Calendar
Event date: 17 December to 19 December 2024
Submission deadline: 16 August 2024
Notification: 11 October 2024
Expand

27 July 2024

Dfns
Job Posting Job Posting
Help us build the leading wallet infrastructure for the multi-trillion-dollar digital asset industry. Work closely with our top leadership, including the CTO, CPO, and Head of Security, and collaborate with a talented team of Cryptographers, Security Engineers and Protocol Engineers. We’re looking for a Lead Cryptographer with expertise in developing secure, efficient cryptographic protocols focused namely on multi-party computation, threshold cryptography, and post-quantum cryptography. You will collaborate with library developers and solutions architects to enhance our cryptographic solutions, aligning them with the company’s needs and objectives.

Expand
CIMA.science
Job Posting Job Posting
As a system developer, you will contribute to the creation of a complex decentralized system involving smart contract technology, offchain communication protocols, and identity management. CIMA.Science is a startup company whose mission is the innovative application of decentralized consensus protocols through both horizontal and vertical integration across a wide range of technologies. A key initiative is the creation of an autonomous transaction platform that allows individuals to securely conduct transactions with others across jurisdictional boundaries, establishing trust and legal certainty without the need for intermediaries. Additionally, individuals can opt for a decentralized identity, facilitating their proper integration into the commerce stream. Our goal is to bring the blockchain technology to people in an inclusive manner, with little environment impact, and with high security and resilience objectives. The plan is to build up a R&D team. We will release open source software and nurture expertise. We follow and contribute to cutting edge research. We work on the Unlimitrust Campus in Prilly with tight connections with academic partners.

Closing date for applications:

Contact: Alfio Lanuto (OBJECT: System developer)

More information: https://cima.science

Expand
Input-Output Global
Job Posting Job Posting
Summary

As a Cryptographic Engineer in Applied Cryptography, you will play a vital role in developing and implementing cryptographic solutions. You'll work alongside a team of talented individuals, contributing to various projects ranging from prototyping new cryptographic products to optimizing existing ones. You will collaborate closely with software architects, product managers, and other team members to successfully deliver high-quality cryptographic solutions that meet market demands.

You will need to have a strong foundation in engineering principles and a keen interest in cryptography. This role offers an exciting opportunity to work on cutting-edge technologies while continuously learning and growing in applied cryptography.

Duties

As a Cryptographic Engineer, you'll play a pivotal role in implementing Zero-Knowledge (ZK) circuits tailored for integration within the Midnight chain. Your focus will involve leveraging recursive proof technologies, particularly those based on Halo2, to create proofs regarding the Midnight state. These proofs are designed to interface with other ecosystems, such as Cardano, providing a secure and efficient means to interact and exchange information across platforms. Your duties will include:

  • Working with teams across time zones
  • Working independently on software development tasks
  • Being proactive and requiring minimal supervision or mentoring to complete tasks
  • Contribute to the development and delivery of cryptographic products
  • Assist in prototyping new cryptographic solutions
  • Implement cryptographic primitives according to established specifications
  • Collaborate with team members to review cryptographic protocols and proposed primitives
  • Document code and APIs clearly and comprehensively
  • Adhere to software engineering best practices during the development process
  • Closing date for applications:

    Contact: Marios Nicolaides

    More information: https://apply.workable.com/io-global/j/E68F9E4337/

    Expand
    University of Wollongong, Australia
    Job Posting Job Posting
    These positions are supported by the prestigious Australian Research Council Laureate Fellowship on "Secure Cloud Computing from Cryptography: The Rise of Pragmatic Cryptography". You will contribute to research conducted at the Institute of Cybersecurity and Cryptology, focusing on cryptography particularly with the application on developing secure cloud computing. You will also be supervising PhD students. The Institute of Cybersecurity and Cryptology at the University of Wollongong is a premier research institute that conducts research in cybersecurity and cryptology. The institute was awarded the Excellence of Research Assessment with score 5 (well above the world standard) for cryptography research, which is the only score given to a University in Australia. Please apply online (not via email)

    Closing date for applications:

    Contact: Prof. Willy Susilo

    More information: https://www.uow.edu.au/about/jobs/jobs-available/#en/sites/CX_1/requisitions/preview/4659/?

    Expand
    Munich, Germany, 23 June - 26 June 2025
    Event Calendar Event Calendar
    Event date: 23 June to 26 June 2025
    Submission deadline: 9 September 2024
    Notification: 11 November 2024
    Expand
    Bhilai, India, 9 January - 11 February 2025
    Event Calendar Event Calendar
    Event date: 9 January to 11 February 2025
    Submission deadline: 15 August 2024
    Notification: 30 September 2024
    Expand
    Taipei, Taiwan, 8 April - 10 April 2025
    Event Calendar Event Calendar
    Event date: 8 April to 10 April 2025
    Submission deadline: 25 October 2024
    Notification: 6 January 2025
    Expand
    Toronto, Canada, 13 August - 15 August 2025
    Event Calendar Event Calendar
    Event date: 13 August to 15 August 2025
    Expand

    25 July 2024

    JAIPUR, India, 16 December - 20 December 2024
    Event Calendar Event Calendar
    Event date: 16 December to 20 December 2024
    Expand
    Xinyi Ji, Jiankuo Dong, Junhao Huang, Zhijian Yuan, Wangchen Dai, Fu Xiao, Jingqiang Lin
    ePrint Report ePrint Report
    The field of post-quantum cryptography (PQC) is continuously evolving. Many researchers are exploring efficient PQC implementation on various platforms, including x86, ARM, FPGA, GPU, etc. In this paper, we present an Efficient CryptOgraphy CRYSTALS (ECO-CRYSTALS) implementation on standard 64-bit RISC-V Instruction Set Architecture (ISA). The target schemes are two winners of the National Institute of Standards and Technology (NIST) PQC competition: CRYSTALS-Kyber and CRYSTALS-Dilithium, where the two most time-consuming operations are Keccak and polynomial multiplication. Notably, this paper is the first to deploy Kyber and Dilithium on the 64-bit RISC-V ISA. Firstly, we propose a better scheduling strategy for Keccak, which is specifically tailored for the 64-bit dual-issue RISC-V architecture. Our 24-round Keccak permutation (Keccak-$p$[1600,24]) achieves a 59.18% speed-up compared to the reference implementation. Secondly, we apply two modular arithmetic (Montgomery arithmetic and Plantard arithmetic) in the polynomial multiplication of Kyber and Dilithium to get a better lazy reduction. Then, we propose a flexible dual-instruction-issue scheme of Number Theoretic Transform (NTT). As for the matrix-vector multiplication, we introduce a row-to-column processing methodology to minimize the expensive memory access operations. Compared to the reference implementation, we obtain a speedup of 53.85%$\thicksim$85.57% for NTT, matrix-vector multiplication, and INTT in our ECO-CRYSTALS. Finally, our ECO-CRYSTALS implementation for key generation, encapsulation, and decapsulation in Kyber achieves 399k, 448k, and 479k cycles respectively, achieving speedups of 60.82%, 63.93%, and 65.56% compared to the NIST reference implementation. Similarly, our ECO-CRYSTALS implementation for key generation, sign, and verify in Dilithium reaches 1,364k, 3,191k, and 1,369k cycles, showcasing speedups of 54.84%, 64.98%, and 57.20%, respectively.
    Expand
    Qianqian Yang, Ling Song, Nana Zhang, Danping Shi, Libo Wang, Jiahao Zhao, Lei Hu, Jian Weng
    ePrint Report ePrint Report
    The rectangle attack has shown to be a very powerful form of cryptanalysis against block ciphers. Given a rectangle distinguisher, one expects to mount key recovery attacks as efficiently as possible. In the literature, there have been four algorithms for rectangle key recovery attacks. However, their performance varies from case to case. Besides, numerous are the applications where the attacks lack optimality. In this paper, we delve into the rectangle key recovery and propose a unified and generic key recovery algorithm, which supports any possible attacking parameters. Not only does it encompass the four existing rectangle key recovery algorithms, but it also reveals five new types of attacks that were previously overlooked. Further, we put forward a counterpart for boomerang key recovery attacks, which supports any possible attacking parameters as well. Along with these new key recovery algorithms, we propose a framework to automatically determine the best parameters for the attack. To demonstrate the efficiency of the new key recovery algorithms, we apply them to \serpent, \aes-192, \craft, \skinny, and \deoxysbc-256 based on existing distinguishers, yielding a series of improved attacks.
    Expand
    Peihan Miao, Xinyi Shi, Chao Wu, Ruofan Xu
    ePrint Report ePrint Report
    Privacy-preserving machine learning (PPML) enables multiple distrusting parties to jointly train ML models on their private data without revealing any information beyond the final trained models. In this work, we study the client-aided two-server setting where two non-colluding servers jointly train an ML model on the data held by a large number of clients. By involving the clients in the training process, we develop efficient protocols for training algorithms including linear regression, logistic regression, and neural networks. In particular, we introduce novel approaches to securely computing inner product, sign check, activation functions (e.g., ReLU, logistic function), and division on secret shared values, leveraging lightweight computation on the client side. We present constructions that are secure against semi-honest clients and further enhance them to achieve security against malicious clients. We believe these new client-aided techniques may be of independent interest.

    We implement our protocols and compare them with the two-server PPML protocols presented in SecureML (Mohassel and Zhang, S&P'17) across various settings and ABY2.0 (Patra et al., Usenix Security'21) theoretically. We demonstrate that with the assistance of untrusted clients in the training process, we can significantly improve both the communication and computational efficiency by orders of magnitude. Our protocols compare favorably in all the training algorithms on both LAN and WAN networks.
    Expand
    Jianming Lin, Chang-An Zhao, Yuhao Zheng
    ePrint Report ePrint Report
    For many pairing-based cryptographic protocols such as Direct Anonymous Attestation (DAA) schemes, the arithmetic on the first pairing subgroup $\mathbb{G}_1$ is more fundamental. Such operations heavily depend on the sizes of prime fields. At the 192-bit security level, Gasnier and Guillevic presented a curve named GG22D7-457 with CM-discriminant $D = 7$ and embedding degree $k = 22$. Compared to other well-known pairing-friendly curves at the same security level, the curve GG22D7-457 has smaller prime field size and $\rho$-value, which benefits from the fast operations on $\mathbb{G}_1$. However, the pairing computation on GG22D7-457 is not efficient. In this paper, we investigate to derive a higher performance for the pairing computation on GG22D7-457. We first propose novel formulas of the super-optimal pairing on this curve by utilizing a $2$-isogeny as GLV-endomorphism. Besides, this tool can be generalized to more generic families of pairing-friendly curves with $n$-isogenies as endomorphisms. In our paper, we provide the explicit formulas for the super-optimal pairings exploiting $2, 3$-isogenies. Finally, we make a concrete computational cost analysis and implement the pairing computations on curve GG22D7-457 using our approaches. In terms of Miller function evaluation, employing the techniques in this paper obtain a saving of $24.44\% $ in $\mathbb{F}_p$-multiplications compared to the optimal ate pairing. As for the running time, the experimental results illustrate that the Miller loop on GG22D7-457 by utilizing our methods is $26.0\%$ faster than the state-of-the-art. Additionally, the performance of the super-optimal pairing on GG22D7-457 is competitive compared to the well-known pairing-friendly curves at the 192-bit security level. These results show that GG22D7-457 becomes an attractive candidate for the pairing-based protocols. Furthermore, our techniques have the potential to enhance the applications of super-optimal pairings on more pairing-friendly curves.
    Expand
    Rafael Carrera Rodriguez, Emanuele Valea, Florent Bruguier, Pascal Benoit
    ePrint Report ePrint Report
    The rapid evolution of post-quantum cryptography, spurred by standardization efforts such as those led by NIST, has highlighted the prominence of lattice-based cryptography, notably exemplified by CRYSTALS-Kyber. However, concerns persist regarding the security of cryptographic implementations, particularly in the face of Side-Channel Attacks (SCA). The usage of operations like the Number Theoretic Transform (NTT) in CRYSTALS-Kyber introduces vulnerabilities to SCA, especially single-trace ones, such as soft-analytical side-channel attacks. To address this threat, Ravi et al. proposed local masking as a countermeasure by randomizing the NTT’s twiddle factors, but its implementation and security implications require further investigation. This paper presents a hardware implementation of the NTT with local masking, evaluating its performance, area utilization, and security impacts. Additionally, it analyzes the vulnerabilities inherent in local masking and assesses its practical security effectiveness through non-specific t-tests, showing that there are configurations of local masking that are more prone to leakage than others.
    Expand
    Hugues RANDRIAMBOLOLONA
    ePrint Report ePrint Report
    We present a new distinguisher for alternant and Goppa codes, whose complexity is subexponential in the error-correcting capability, hence better than that of generic decoding algorithms. Moreover it does not suffer from the strong regime limitations of the previous distinguishers or structure recovery algorithms: in particular, it applies to the codes used in the Classic McEliece candidate for postquantum cryptography standardization. The invariants that allow us to distinguish are graded Betti numbers of the homogeneous coordinate ring of a shortening of the dual code.

    Since its introduction in 1978, this is the first time an analysis of the McEliece cryptosystem breaks the exponential barrier.
    Expand
    Amin Abdulrahman, Felix Oberhansl, Hoang Nguyen Hien Pham, Jade Philipoom, Peter Schwabe, Tobias Stelzer, Andreas Zankl
    ePrint Report ePrint Report
    This paper presents extensions to the OpenTitan hardware root of trust that aim at enabling high-performance lattice-based cryptography. We start by carefully optimizing ML-KEM and ML-DSA - the two primary algorithms selected by NIST for standardization - in software targeting the OTBN accelerator. Based on profiling results of these implementations, we propose tightly integrated extensions to OTBN, specifically an interface from OTBN to OpenTitan's Keccak accelerator (KMAC core) and extensions to the OTBN ISA to support operations on 256-bit vectors. We implement these extensions in hardware and show that we achieve a speedup by a factor between 6 and 9 for different operations and parameter sets of ML-KEM and ML-DSA compared to our baseline implementation on unmodified OTBN. This speedup is achieved with an increase in cell count of less than 12% in OTBN, which corresponds to an increase of less than 2% for the full Earlgrey OpenTitan core.
    Expand
    Zhengjun Cao, Lihua Liu
    ePrint Report ePrint Report
    We show that the authentication protocol [IEEE Internet Things J., 2023, 10(1), 867-876] is not correctly specified, because the server cannot complete its computations. To revise, the embedded device needs to compute an extra point multiplication over the underlying elliptic curve. We also find the protocol cannot provide anonymity, not as claimed. It can only provide pseudonymity.
    Expand
    ◄ Previous Next ►