International Association
for Cryptologic Research

This paper presents a collection of lessons learned from analyzing the real-world security of various Byzantine Fault Tolerant (BFT) consensus protocol implementations. Drawing upon our experience as a team of security experts who have both developed and audited BFT systems, including BA★, HotStuff variants, Paxos variants, and DAG-based algorithms like Narwhal and Bullshark, we identify and analyze a variety of security vulnerabilities discovered in the translation of theoretical protocols into real-world code. Our analysis covers a range of issues, including subtle logic errors, concurrency bugs, cryptographic vulnerabilities, and mismatches between the theoretical model and the implementation. We provide detailed case studies illustrating these vulnerabilities, discuss their potential impact, and propose mitigation strategies. This work aims to provide valuable insights for both designers and implementers of BFT consensus protocols, ultimately contributing to the development of more secure and reliable distributed systems.

Users of decentralized finance (DeFi) applications face significant risks from adversarial actions that manipulate the order of transactions to extract value from users. Such actions---an adversarial form of what is called maximal-extractable value (MEV)---impact both individual outcomes and the stability of the DeFi ecosystem. MEV exploitation, moreover, is being institutionalized through an architectural paradigm known Proposer-Builder Separation (PBS).

This work introduces a system called PROF (PRotected Order Flow) that is designed to limit harmful forms of MEV in existing PBS systems. PROF aims at this goal using two ideas. First, PROF imposes an ordering on a set ("bundle") of privately input transactions and enforces that ordering all the way through to block production-preventing transaction-order manipulation. Second, PROF creates bundles whose inclusion is profitable to block producers, thereby ensuring that bundles see timely inclusion in blocks.

PROF is backward-compatible, meaning that it works with existing and future PBS designs. PROF is also compatible with any desired algorithm for ordering transactions within a PROF bundle (e.g., first-come, first-serve, fee-based, etc.). It executes efficiently, i.e., with low latency, and requires no additional trust assumptions among PBS entities. We quantitatively and qualitatively analyze PROF’s incentive structure, and its utility to users compared with existing solutions. We also report on inclusion likelihood of PROF transactions, and concrete latency numbers through our end-to-end implementation.

In this paper, we describe a low-latency block cipher (ARADI) and authenticated encryption mode (LLAMA) intended to support memory encryption applications.

Private Set Intersection (PSI) enables a sender and a receiver to jointly compute the intersection of their sets without disclosing other information about items not in the intersection. However, in many cases of joint data analysis, it is not just the items outside the intersection that are sensitive but the items within it. To protect such sensitive information, prior work presents a Differentially Private version of PSI (DPSI) based on a circuit-PSI using Fully Homomorphic Encryption. However, their concrete protocol is somewhat inefficient compared with the state-of-the-art (SOTA) circuit-PSI.

In this paper, we revisit the DPSI definition and formalize its ideal functionality. We identify the key desiderata required by PSI-related tools to construct DPSI and propose two frameworks to construct efficient DPSI protocols. The first one generalizes the idea of existing DPSI, showing that any circuit-PSI can be used to construct DPSI. We obtain a more efficient DPSI protocol by plugging the SOTA circuit-PSI protocol in the framework. The second one helps to obtain a more efficient DPSI protocol based on the multi-query Reverse Private Membership Test (mqRPMT) that was previously used to construct Private Set Operation (PSO). However, mqRPMT additionally leaks the intersection size to the sender. We bound such leakage using differential privacy by padding random dummy items in input sets. We implement numerous constructions based on our frameworks. Experiments show that our protocols significantly outperform the existing DPSI construction, 2.5-22.6$\times$ more communication efficient and up to 110.5-151.8$\times$ faster. Our work also shows a new use case for mqRPMT besides obtaining PSO.

Functional Encryption (FE) is a powerful notion of encryption which enables computations and partial message recovery of encrypted data. In FE, each decryption key is associated with a function $f$ such that decryption recovers the function evaluation $f(m)$ from an encryption of $m$. Informally, security states that a user with access to function keys $\mathsf{sk}_{f_1}, \mathsf{sk}_{f_2}, \ldots$ (and so on) can only learn $f_1(m), f_2(m), \ldots$ (and so on) but nothing more about the message. The system is said to be $q$-bounded collusion resistant if the security holds as long as an adversary gets access to at most $q = q(\lambda)$ decryption keys. In the last decade, numerous works have proposed many FE constructions from a wide array of algebraic and general cryptographic assumptions, and proved their security in the bounded collusion model.

However, until very recently, all these works studied bounded collusion resistance in a "static model", where the collusion bound $q$ was a global system parameter. While the static collusion model led to great research progress in the community, it has many major drawbacks. Very recently, Agrawal et al. (Crypto 2021) and Garg et al. (Eurocrypt 2022) independently introduced the "dynamic model" for bounded collusion resistance, where the collusion bound $q$ was a fluid parameter that was not globally set but only chosen by each encryptor. The dynamic collusion model enabled harnessing the many virtues of the static collusion model, while avoiding its various drawbacks.

In this work, we give a simple and generic approach to upgrade any scheme from the static collusion model to the dynamic collusion model. Our result captures all existing results in the dynamic model in the form of a single unified framework, and also gives new results as simple corollaries with a lot more potential in the future. An interesting artifact of our result is that it gives a generic way to match existing lower bounds in functional encryption.

The Applied Security and Information Assurance (APSIA) research group invites applications from highly-motivated candidates holding a PhD with a strong track record to contribute to the research specialities, see topics below. The APSIA team of SnT is a dynamic research group, some 15 strong, conducting research on the design and analysis of crypto primitives and protocols, security-critical systems, information assurance, and privacy. Specialities of the group include quantum and post-quantum (quantum resistant) cryptography, secure voting systems. For further information you may check: www.uni.lu/snt-en/research-groups/apsia/

Closing date for applications:

Contact: Peter Y A Ryan

More information: http://emea3.mrted.ly/3q4lu

Do you want to be part of QuSoft, the world-leading centre for quantum software in Amsterdam? The University of Amsterdam (UvA) and the Centrum Wiskunde & Informatica (CWI) each have an opening for a tenure-track or tenured position in the area of quantum computing. We are seeking applications from both early-career researchers (as early as final year of PhD) and highly experienced researchers (comparable to associate or full professor level). Depending on the level of seniority, a tenure-track or a tenured position will be offered to you.

Both positions will be part of QuSoft, the Dutch research centre for quantum software, launched in 2015 to combine the quantum computing research of CWI and of the University of Amsterdam. QuSoft’s mission is to use the extraordinary properties of quantum mechanics, such as superposition, interference and entanglement, to develop new algorithms, communication protocols, and applications for small and medium-sized prototypes as well as larger quantum computers. QuSoft values diversity and inclusion, and improving the gender representation within QuSoft is an urgent concern. To this end, we will, among equally qualified candidates, prioritise applications from women researchers (including identifying as).

The positions are in the area of quantum computing, particularly in one or more of the following subareas:

• quantum algorithms,
• quantum complexity theory,
• quantum error-correction and fault-tolerance,
• quantum cryptography,
• quantum simulation of molecules and materials,
• quantum information theory.

  Closing date for applications:

  Contact: Stacey Jeffery

  More information: https://vacatures.uva.nl/UvA/job/QuSoft/800609602/

The Quantum Information (QI) and PolSys teams at LIP6, Sorbonne University, are looking for a postdoctoral researcher to work on research topics at the intersection of modern, post-quantum, and quantum cryptography. The potential topics include, but are not limited to, secure quantum multi-party computation, Hybrid Authenticated Authenticated Key Exchange, ....

The post-doc will conduct research at the intersection of theoretical cryptography and practical experiments on a quantum optical testbed to demonstrate a practical quantum advantage in terms of security and/or efficiency for advanced quantum cryptographic protocols.

The post-doc will be jointly supervised by Alex B. Grilo (CNRS, Sorbonne University), Eleni Diamanti (CNRS, Sorbonne University), and Ludovic Perret (EPITA & Sorbonne University). The ideal candidate will hold a PhD in quantum cryptography or cryptography with a strong motivation to work at the intersection of these two domains. Programming skills are a plus.

The position is for 12 months, renewable for up to 24 months, with a flexible start date. It is offered in the framework of the QSNP project, a European Quantum Flagship project aiming to develop quantum cryptography technology.

The PolSys team has strong expertise in post-quantum-cryptography whilst the QI team is an interdisciplinary research group covering computer science, theoretical physics and experimental quantum optics. We are based in LIP6, Sorbonne Université, in central Paris, and are founding members of interdisciplinary centers the Quantum Information Centre Sorbonne and the Paris Centre for Quantum Technologies. We strive to promote equality, diversity, inclusion and tolerance.

Applicants should send their CV, and a cover letter and arrange for at least two references to be sent to the contact person given below. The deadline for applications is 30/09/2024.

Closing date for applications:

Contact: Ludovic Perret

We are proud to announce the winners of the 2024 IACR Test-of-Time Award for Crypto.

The IACR Test-of-Time Award honors papers published at the 3 IACR flagship conferences 15 years ago which have had a lasting impact on the field.

The Test-of-Time award for Crypto 2009 is awarded to the following two papers:

Dual-System Encryption, by Brent Waters.
For introducing the dual-system technique, breaking through the partitioning-reductions barrier of pairing-based cryptography and enabling new and improved pairing-based cryptosystems.

Reconstructing RSA Private Keys from Random Key Bits, by Nadia Heninger and Hovav Shacham.
For introducing the go-to tool for side channel attacks on CRT-RSA that played a pivotal role in helping secure the Internet.

For more information, see https://www.iacr.org/testoftime.

Congratulations to all winners!

Event date: 28 April to 1 May 2025

Event date: 17 March to 21 March 2025

At EUROCRYPT'20, Bao et al. have shown that three-round cascading of $\textsf{LRW1}$ construction, which they dubbed as $\textsf{TNT}$, is a strong tweakable pseudorandom permutation that provably achieves $2n/3$-bit security bound. Jha et al. showed a birthday bound distinguishing attack on $\textsf{TNT}$ and invalidated the proven security bound and proved a tight birthday bound security on the $\textsf{TNT}$ construction in EUROCRYPT'24. In a recent work, Datta et al. have shown that four round cascading of the $\textsf{LRW1}$ construction, which they dubbed as $\textsf{CLRW1}^4$ is a strong tweakable pseudorandom permutation that provably achieves $3n/4$-bit security. In this paper, we propose a variant of the $\textsf{TNT}$ construction, called $\textsf{b-TNT1}$, and proved its security up to $2^{3n/4}$ queries. However, unlike $\textsf{CLRW1}^4$, $\textsf{b-TNT1}$ requires three block cipher calls along with a field multiplication. Besides, we also propose another variant of the $\textsf{TNT}$ construction, called $\textsf{b-TNT2}$ and showed a similar security bound. Compared to $\textsf{b-TNT1}$, $\textsf{b-TNT2}$ requires four block cipher calls. Nevertheless, its execution of block cipher calls can be pipelined which makes it efficient over $\textsf{CLRW1}^4$. We have also experimentally verified that both $\textsf{b-TNT1}$ and $\textsf{b-TNT2}$ outperform $\textsf{CLRW1}^4$.

A crucial component of any zero-knowledge system is operations with finite fields. This, in turn, leads to the implementation of the fundamental operation: multiplying two big integers. In the realm of Bitcoin, this problem gets revisited, as Bitcoin utilizes its own stack-based and not Turing-complete scripting system called Bitcoin Script. Inspired by Elliptic Curve scalar multiplication, this paper introduces the $w$-windowed method for multiplying two numbers. We outperform state-of-the-art approaches, including BitVM’s implementation. Finally, we also show how the windowed method can lead to optimizations not only in big integer arithmetic solely but in more general arithmetic problems.

We show that the DAG-based consensus protocol Tusk [DKSS22] does not achieve liveness, at least under certain reasonable assumptions on the implementation that are consistent with its specification. In addition, we give a simple 2-round variation of Tusk with lower latency and strong liveness properties, but with suboptimal resilience. We also show that another 2-round protocol, GradedDAG [DZX+24], which has optimal resilience, also has liveness problems analogous to Tusk.

With the potential arrival of quantum computers, it is essential to build cryptosystems resistant to attackers with the computing power of a quantum computer. With Shor's algorithm, cryptosystems based on discrete logarithms and factorization become obsolete. Reason why NIST has launching two competitions in 2016 and 2023 to standardize post-quantum cryptosystems (such as KEM and signature ) based on problems supposed to resist attacks using quantum computers. EagleSign was prosed to NIT competition in Jun 2023 as an additional signature. An improvement called EagleSign-V2 was proposed in December 2023 but Tibouchi and Pells prove that these two variants don't hold the zero knowledge property. In this document we present the family of lattices based post-quantum signatures called EagleSignV3. They are secure and efficient successors of both EagleSign-V1 (NIST, June 2023) and EagleSign-V2 (NIST forum, December 2023). The public key of EagleSignV3 is based on a mix of MLE (Module Learning with Error) and MNTRU (module variant of the famous NTRU problem). The instantiations EagleSignV3 are new variants of the EagleSign signatures family posted to NIST competition in June 2023 as additional signatures. EagleSignV3 uses the rejection of Lyubashevsky-2012 to achieve the zero-knowledge property. The main difference between EagleSign and Dilithium is the public key. We have two instantiations based either on ring or on module. The sizes of the ring based variant of EagleSignV3 are close to those of Dilithium but the sizes of its module based instantiation is bigger than those of Dilithium. NB: The implementation of EagleSign-V1 is available on NIST website and those of EagleSign-V2 can be found on Github at https://github.com/EagleSignteam/EagleSign_v2 and in NIST forum as a comment on improvements on EagleSign in December 2023. The implementation of EagleSign-V3 can be deduced from those of EagleSignV2.

In this work, we continue the analysis of the binding properties of implicitly-rejecting key-encapsulation mechanisms (KEMs) obtained via the Fujisaki-Okamoto (FO) transform. These binding properties, in earlier literature known under the term robustness, thwart attacks that can arise when using KEMs in larger protocols. Recently, Cremers et al. (ePrint'24) introduced a framework for binding notions, encompassing previously existing but also new ones. While implicitly-rejecting KEMs have been analyzed with respect to multiple of these notions, there are still several gaps. We complete the picture by providing positive and negative results for the remaining notions. Further, we show how to apply our results to the code-based KEMs BIKE and HQC, which are among the round-4 candidates in NISTs PQC standardization process. Through this, we close a second gap as our results finish the analysis of the binding notions for the NIST round-4 KEMs.

The virtualization of network functions is a promising technology, which can enable mobile network operators to provide more flexibility and better resilience for their infrastructure and services. Yet, virtualization comes with challenges, as 5G operators will require a means of verifying the state of the virtualized network components (e.g. Virtualized Network Functions (VNFs) or managing hypervisors) in order to fulfill security and privacy commitments. One such means is the use of attestation protocols. In this paper, we focus on Collective Remote Attestation (cRA), which is used to attest the state of a group of devices. Although cRA has been extensively studied in the context of IoT, it has not been used yet in virtualized mobile networks, a different use-case, with constraints of its own.

In this paper, we propose the first protocol to efficiently and securely attest a group of Virtualized Network Functions which make up a VNF Forwarding Graph. Our protocol comes with strong and provable guarantees of: unforgeability of attestation, the linkability of attestations for related components, and the privacy of sensitive configuration details for the infrastructure provider. In particular, we are the first to formally define and analyze such properties for VNF-FG attestation. Finally, through our Proof-of-Concept implementation, we show that our construction is not only strongly secure, but also efficient.

Homomorphic Encryption (HE) is a cutting-edge cryptographic technique that enables computations on encrypted data to be mirrored on the original data. This has quickly attracted substantial interest from the research community due to its extensive practical applications, such as in cloud computing and privacy-preserving machine learning.

In addition to confidentiality, the importance of authenticity has emerged to ensure data integrity during transmission and evaluation. To address authenticity, various primitives have been developed including Homomorphic Authenticator (HA). Corresponding security notions have also been introduced by extending the existing notions to their homomorphic versions.

Despite these advancements, formalizing the security of HE and HA remains challenging due to the novelty of these primitives and complexity of application scenarios involving message evaluation. It is inclusive which definitions in this zoo of notions are insufficient or overly complex. Moreover, HE and HA are designed to be combined to construct a secure communication channel that ensures both confidentiality and authenticity. However, the security of such compositions is not always clear when game-based notions are used to formalize security.

To bridge this gap, we conduct a constructive analysis through the lens of com- posable security. This method enables us to examine the security properties of each primitive in isolation and to more effectively evaluate their security when integrated into a larger system. We introduce the concepts of a confidential channel and an au- thenticated channel to specify the security requirements for HE and HA, respectively. We make a comparison with existing game-based notions to determine whether they adequately capture the intended security objectives.

We then analyze whether the composition of HE and HA constructs a Homomorphic Authenticated Encryption (HAE) that provides both confidentiality and authenticity in presence of message evaluation. Specifically, we examine a serial composition of HE and HA, corresponding to Encrypt-then-MAC (EtM) composition for constructing classical AE.

The impossible boomerang (IB) attack was first introduced by Lu in his doctoral thesis and subsequently published at DCC in 2011. The IB attack is a variant of the impossible differential (ID) attack by incorporating the idea of the boomerang attack. In this paper, we revisit the IB attack, and introduce the incompatibility of two characteristics in boomerang to the construction of an IB distinguisher. With our methodology, all the constructions of IB distinguisher are represented in a unified manner. Moreover, we show that the related-(twea)key IB distinguishers possess more freedom than the ones of ID so that it can cover more rounds. We also propose a new tool based on Mixed-Integer Quadratically-Constrained Programming (MIQCP) to search for IB attacks. To illustrate the power of the IB attack, we mount attacks against three tweakable block ciphers: Deoxys-BC, Joltik-BC and SKINNY. For Deoxys-BC, we propose a related-tweakey IB attack on 14-round Deoxys-BC-384, which improves the best previous related-tweakey ID attack by 2 rounds, and we improve the data complexity of the best previous related-tweakey ID attack on 10-round Deoxys-BC-256. For Joltik-BC, we propose the best attacks against 10-round Joltik-BC-128 and 14-round Joltik-BC-192 with related-tweakey IB attack. For SKINNY-n-3n, we propose a 27-round related-tweakey IB attack, which improves both the time and the memory complexities of the best previous ID attack. We also propose the first related-tweakey IB attack on 28 round SKINNY-n-3n, which improves the previous best ID attack by one round.

Summary

As a Cryptographic Engineer in Applied Cryptography, you will play a vital role in developing and implementing cryptographic solutions. You'll work alongside a team of talented individuals, contributing to various projects ranging from prototyping new cryptographic products to optimizing existing ones. You will collaborate closely with software architects, product managers, and other team members to successfully deliver high-quality cryptographic solutions that meet market demands.

You will need to have a strong foundation in engineering principles and a keen interest in cryptography. This role offers an exciting opportunity to work on cutting-edge technologies while continuously learning and growing in applied cryptography.

Duties

As a Cryptographic Engineer, you'll play a pivotal role in implementing Zero-Knowledge (ZK) circuits tailored for integration within the Midnight chain. Your focus will involve leveraging recursive proof technologies, particularly those based on Halo2, to create proofs regarding the Midnight state. These proofs are designed to interface with other ecosystems, such as Cardano, providing a secure and efficient means to interact and exchange information across platforms. Your duties will include:

Working with teams across time zones

Working independently on software development tasks

Being proactive and requiring minimal supervision or mentoring to complete tasks

Contribute to the development and delivery of cryptographic products

Assist in prototyping new cryptographic solutions

Implement cryptographic primitives according to established specifications

Collaborate with team members to review cryptographic protocols and proposed primitives

Document code and APIs clearly and comprehensively

Adhere to software engineering best practices during the development process

Closing date for applications:

Contact: Marios Nicolaides

More information: https://apply.workable.com/io-global/j/E68F9E4337/