International Association
for Cryptologic Research

Private set union (PSU) is a cryptographic protocol that allows two parties to compute the union of their sets without revealing anything else. Despite some efficient PSU protocols that have been proposed, they mainly focus on the balanced setting, where the sets held by the parties are of similar size. Recently, Tu et al. (CCS 2023) proposed the first unbalanced PSU protocol which achieves sublinear communication complexity in the size of the larger set.

In this paper, we are interested in improving the efficiency of the unbalanced PSU protocol. We find that oblivious key-value store (OKVS) data structure plays an essential role in the most recently proposed PSU constructions and formalize unbalanced PSU as an OKVS decoding process with sublinear communication. Our key insight lies in when OKVS satisfies sparsity property, obtaining the necessary decoding information precisely aligns with the batch private information retrieval (BatchPIR) problem. We give two concrete constructions of unbalanced PSU protocols based on different OKVS encoding strategies. The first is based on oblivious PRF (OPRF) and a newly introduced cryptographic protocol called permuted private equality test, while the second is based on re-randomizable public key encryption. Both our two constructions achieve sublinear communication complexity in the size of the larger set.

We implement our two unbalanced PSU protocols and compare them with the state-of-the-art unbalanced PSU of Tu et al. Experiments show that our protocols achieve a $1.3-5.6\times $ speedup in running time and $2.1-11.8\times$ shrinking in communication cost, depending on set sizes and network environments.

Clarifying the robustness of authenticated encryption (AE) schemes, such as security under nonce misuse or Release of Unverified Plaintext (RUP), is critically important due to the extensive use of AEs in real-world applications. We present a comprehensive analysis of the robustness of well-known standards, namely GCM, CCM, and OCB3. Despite many existing studies, we uncovered several robustness properties for them that were not known in the literature. In particular, we show that both GCM and CCM maintain authenticity under RUP. Moreover, CCM keeps this feature even if a nonce is misused. Together with existing analysis, our work gives a complete picture of the robustness of these standards for the first time. Our results also imply several new robust AE schemes based on GCM and CCM.

Payment Channel Networks (PCNs) have been highlighted as viable solutions to address the scalability issues in current permissionless blockchains. They facilitate off-chain transactions, significantly reducing the load on the blockchain. However, the extensive reuse of multi-hop routes in the same direction poses a risk of channel depletion, resulting in involved channels becoming unidirectional or even closing, thereby compromising the sustainability and scalability of PCNs. Even more concerning, existing rebalancing protocol solutions heavily rely on trust assumptions and scripting languages, resulting in compromised universality and reliability.

In this paper, we present Horcrux, a universal and efficient multi-party virtual channel protocol without relying on extra trust assumptions, scripting languages, or the perpetual online requirement. Horcrux fundamentally addresses the channel depletion problem using a novel approach termed flow neutrality, which minimizes the impact on channel balance allocations during multi-hop payments (MHPs). Additionally, we formalize the security properties of Horcrux by modeling it within the Global Universal Composability framework and provide a formal security proof.

We implement Horcrux on a real Lightning Network dataset, comprising 10,529 nodes and 38,910 channels, and compare it to the state-of-the-art rebalancing schemes such as Shaduf [NDSS'22], Thora [CCS'22], and Revive [CCS'17]. The experimental results demonstrate that (1) the entire process of Horcrux costs less than 1 USD, significantly lower than Shaduf; (2) Horcrux achieves a $12\%$-$30\%$ increase in payment success ratio and reduces user deposits required for channels by $70\%$-$91\%$; (3) the performance of Horcrux improves by $1.2x$-$1.5x$ under long-term operation; and (4) Horcrux maintains a nearly zero channel depletion rate, whereas both Revive and Shaduf result in thousands of depleted channels.

We are using the extended Maiorana-McFarland construction to create new bent functions. When we start with a bent function of dimension s-r, we can produce a new function of dimension s+r while ensuring that its balance is limited to the set of vectors with an even Hamming weight in its domain. We also compare this approach with the case where r=1 and apply it multiple times. Finally, we provide an algorithm as an example, focusing on the case where r=2 and another algorithm using r=1 two times.

A fixed length tweakable enciphering scheme (TES) is the appropriate cryptographic functionality for low level disk encryption. Research on TES over the last two decades have led to a number of proposals many of which have already been implemented using FPGAs. This paper considers the FPGA implementations of two more recent and promising TESs, namely AEZ and FAST. The relevant architectures are described and simulation results on the Xilinx Virtex 5 and Virtex 7 FPGAs are presented. For comparison, two IEEE standard schemes, XCB and EME2 are considered. The results indicate that FAST outperforms the other schemes making it a serious candidate for future incorporation by disk manufacturers and standardisation bodies.

Modular addition is often the most complex component of typical Addition-Rotation-XOR (ARX) ciphers, and the division property is the most effective tool for detecting integral distinguishers. Thus, having a precise division property model for modular addition is crucial in the search for integral distinguishers in ARX ciphers.

Current division property models for modular addition either (a) express the operation as a Boolean circuit and apply standard propagation rules for basic operations (COPY, XOR, AND), or (b) treat it as a sequence of smaller functions with carry bits, modeling each function individually. Both approaches were originally proposed for the two-subset bit-based division property (2BDP), which is theoretically imprecise and may overlook some balanced bits.

Recently, more precise versions of the division property, such as parity sets, three-subset bit-based division property without unknown subsets (3BDPwoU) or monomial prediction (MP), and algebraic transition matrices have been proposed. However, little attention has been given to modular addition within these precise models.

The propagation rule for the precise division property of a vectorial Boolean function $\boldsymbol{f}$ requires that $\boldsymbol{u}$ can propagate to $\boldsymbol{v}$ if and only if the monomial $\pi_{\boldsymbol{u}}({\boldsymbol{x}})$ appears in $\pi_{\boldsymbol{v}}( \boldsymbol{f} )$. Braeken and Semaev (FSE 2005) studied the algebraic structure of modular addition and showed that for $\boldsymbol{x} \boxplus \boldsymbol{y} = \boldsymbol{z}$, the monomial $\pi_{\boldsymbol{u}}(\boldsymbol{x})\pi_{\boldsymbol{v}}(\boldsymbol{v})$ appears in $\pi_{\boldsymbol{w}}(\boldsymbol{w})$ if and only if $\boldsymbol{u} + \boldsymbol{v} = \boldsymbol{w}$. Their theorem directly leads to a precise division property model for modular addition. Surprisingly, this model has not been applied in division property searches, to the best of our knowledge.

In this paper, we apply Braeken and Semaev's theorem to search for integral distinguishers in ARX ciphers, leading to several new results. First, we improve the state-of-the-art integral distinguishers for all variants of the Speck family, significantly enhancing search efficiency for Speck-32/48/64/96 and detecting new integral distinguishers for Speck-48/64/96/128. Second, we determine the exact degrees of output bits for $7$-round Speck-$32$ and all/16/2 output bits for $2/3/4$-round Alzette for the first time. Third, we revisit the choice of rotation parameters in Speck instances, providing a criterion that enhances resistance against integral distinguishers. Additionally, we offer a simpler proof for Braeken and Semaev's theorem using monomial prediction, demonstrating the potential of division property methods in the study of Boolean functions.

We hope that the proposed methods will be valuable in the future design of ARX ciphers.

In 2023, Mfungo et al. presented an image encryption scheme that relies on a series of diffusion techniques and uses a chaotic map to generate three secret keys. Note that two out of three keys are dynamically generated based on the size of the original image, while the remaining key is static. The authors claim that their proposal offers $149$ bits of security. Unfortunately, we found a chosen plaintext attack that requires $2$ oracle queries and has a worse case complexity of $\mathcal O(2^{32})$. If the attacker has access to $1$ encryption oracle query and $1$ decryption oracle query, we can lower the complexity to $\mathcal O(2^{18.58})$. Encrypting an image with Mfungo et al.'s scheme has a worst case complexity of $\mathcal O(2^{33})$. Therefore, both our attacks are faster than encrypting an image. Our attacks are feasible because the dynamic keys remain unchanged for different plaintext images of the same size, and the static key remains the same for all images.

Identity-based threshold signature (IDTS) enables the generation of valid signatures without revealing cryptographic keys in the signing process. While current protocols have achieved much progress in their efficiency, many schemes easily suffer from denial-of-service attacks in which misbehaving parties could keep from generating signatures without being caught. The identifiable abort property is designed to withstand such an attack in some recent IDTS protocols. However, all these schemes require many rounds of interaction for the resulting signature or utilize cryptographic techniques, which have a high complexity. In this study, we put forward a novel IDTS protocol that can achieve identifiable abort and resist arbitrary collusion attacks. Precisely, this ensures that corrupted parties are responsible in case of failure and cannot jointly obtain the input of honest parties. Moreover, we present the ideal IDTS functionality and provide the provable security of the proposed protocol with the global random oracle model. Our scheme has non-interactive signing, compatibility with the offline/online settings, and practical efficiency for the online phase. Finally, we give theoretical analyses and experimental results of our solution, showing that the signing time is less than two milliseconds and that the scheme is suitable for resource-constrained settings.

Recently, Geraud-Stewart and Naccache proposed two trapdoors based on matrix products. In this paper, we answer the call for cryptanalysis. We explore how using the trace and determinant of a matrix can be used to attack their constructions. We fully break their first construction in a polynomial-time attack. We show an information leak in the second construction using characteristic polynomials, and provide an attack using traces that decreases the bit security by about half.

We are looking for motivated, bright, and hard-working student that wish to pursue a PhD in Cryptography. The candidate will work on cryptographic research topics such as:

• zero-knowledge proofs & SNARKs
• polynomial/vector commitments & lookup arguments
• searchable encryption
• encrypted database query evaluation
• TEE-assisted cryptography

Other areas are possible, the specific research topic will be determined based on the common interests of the candidate and the supervisor.

Applicant's profile

• MSc or BSc degree in Computer Science or related field.
• Excellent programming skills.
• Very good understanding of CS fundamentals: algorithm analysis, data structures, etc.
• Good understanding of cryptographic primitives: hashing, encryption, commitments, etc.
• Strong enthusiasm for research.

Ideal candidates have prior knowledge in implementing cryptographic primitives or a relevant project. Solid background in theoretical computer science (complexity analysis, reduction proofs, etc.), or experience in programming for trusted-hardware environments (Intel SGX, ARM TrustZone, etc.) is also a big plus.

Work environment

HKUST offers guaranteed funding for the PhD duration with competitive stipends. Our CSE department consistently ranks very high in global Computer Science and Engineering rankings. Our graduates typically produce research output of the highest quality and consistently staff world-class institutions. The lab offers a creative work environment that is ideal for excellent research.

Interested applicants, please send your CV and a short research statement to Prof. Dimitrios Papadopoulos.

Closing date for applications:

Contact: dipapado (at) cse.ust.hk

This PhD studentship offers an exciting opportunity to delve into the rapidly evolving fields of Cybersecurity and Artificial Intelligence (AI). As AI technologies become increasingly integrated into enterprise systems, the need to secure these systems against sophisticated cyber threats has never been more critical. This research project at the University of Sheffield is focused on addressing these challenges by developing advanced methods to protect AI systems from cyber attacks, ensuring their reliability, integrity, and resilience in real-world environments. As a PhD candidate, you will join the Security of Advanced Systems Research Group, working on cutting-edge research that bridges the gap between AI innovation and cybersecurity. Your work will involve identifying and analyzing vulnerabilities in AI systems, creating robust models capable of withstanding adversarial attacks, and implementing state-of-the-art security measures to safeguard AI infrastructures. Additionally, you will have the opportunity to collaborate with industry leaders, contributing to the development of new cybersecurity standards for AI. This studentship is ideal for individuals passionate about AI and cybersecurity who are eager to contribute to the protection of critical technologies. The position is open to candidates worldwide, offering a unique chance to make a significant impact in a high-demand field. Research Themes Include: Analyzing vulnerabilities in AI systems Developing robust AI models resistant to adversarial attacks Implementing advanced security measures within AI infrastructures Collaborating with industry leaders to set new cybersecurity standards for AI Position Details: Starting Date: Flexible, with preferred start dates in September 2024 or January 2025. Location: Department of Computer Science, University of Sheffield, UK. Duration: 3 years Additional Note: International candidates are encouraged to apply. Please note that supplementary funding may be required to cover the tuition fee differential.

Closing date for applications:

Contact: To apply, please send your CV, a letter of motivation, and academic transcripts to aryan.pasikhani@sheffield.ac.uk. Be sure to include [PhD-CyberAI] in the subject line of your email.

The Institute of Science and Technology Austria (ISTA) invites for faculty applications in all areas of computer science including security, cryptography and privacy, candidates working in systems and more applied topics are especially encouraged to apply.

Interdisciplinary applications bridging between areas are particularly encouraged to apply.

Assistant professors start with independent group leader positions for six years, progressing to tenured positions after a positive evaluation by international peers.

Tenured positions welcome distinguished scientists with proven leadership in research.

At ISTA, we promote a diverse and inclusive working environment and are committed to the principle of equal employment opportunities for all applicants, free of discrimination. We strongly encourage individuals from underrepresented groups to apply.

ISTA is an interdisciplinary research institution that combines basic science research with graduate education in theoretical and experimental research in Mathematical and Physical Sciences, Life Sciences, and Information and System Sciences.

Why ISTA

• Impactful research in a vibrant, international, and interdisciplinary research environment.

• Advanced facilities and comprehensive scientific support.

• Attractive salaries and generous resources.

• Guaranteed annual funding, including support for PhD students and postdocs.

• Graduate school with highly selective admissions.

• Professional development opportunities and employee support services.

• On-campus childcare facilities.

• Inclusive working environment.

• Proximity to Vienna, consistently ranked among the most livable cities worldwide.

The closing date for applications is November 28, 2024.

Closing date for applications:

Contact: For more information on the application process please go to https://www.ista.ac.at/en/jobs/faculty/

More information: https://www.ista.ac.at/en/jobs/faculty/

Event date: 16 December to 17 December 2024
Submission deadline: 15 September 2024
Notification: 30 October 2024

Tsinghua University in China and Nanyang Technological University in Singapore are jointly seeking for candidates to fill several post-doctoral research fellow positions on symmetric-key cryptography with a tentative duration of 2 years. Topics include but are not limited to the following sub-areas:

• tool aided cryptanalysis, such as MILP, CP, STP, and SAT
• machine learning aided cryptanalysis and designs
• privacy-preserving friendly symmetric-key designs
• quantum cryptanalysis
• provable security
• cryptanalysis against SHA-2, SHA-3, and AES
• threshold cryptography

Candidates will have the chance to spend half of the time with Assoc Prof Xiaoyang Dong at Tsinghua University, China, and the other half with Assoc Prof Jian Guo at Nanyang Technological University in Singapore. Candidates with strong record of publications in IACR conferences (Asiacrypt, Crypto, Eurocrypt, FSE) are encouraged to apply. These positions are available immediately until filled.

Closing date for applications:

Contact: Assoc Prof Xiaoyang Dong, xiaoyangdong@tsinghua.edu.cn

The Cryptography Research Group at University College Cork (UCC) is looking for a highly motivated Post-Doctoral or Senior Post-Doctoral Researcher in differential privacy and related privacy preservation techinques. The researchers will be employed on an industry-funded research project sponsored by a major Internet company. The successful candidate will work under the supervision of Dr Paolo Palmieri, Senior Lecturer in Cyber Securit, and Prof. Barry O’Sullivan, Professor of Computer Science, in the School of Computer Science & Information Technology, University College Cork, Ireland.

Candidates should hold a PhD degree in cryptography, cyber security or related areas, with a good track record of publications. Ideally, they will have experience in one or more of the following areas: differential privacy, anonymity, re-identification and/or cryptography-based privacy enhancing technologies. Candidates with a background in other areas of cryptography/privacy/security, but with a strong interest in differential privacy will also be considered. A strong mathematical background is expected, complemented with programming skills. Experience with relevant libraries such as IBM Diffprivlib, Opacus, SecretFlow etc. is an asset.

The position is until December 2025, with a possibility of extension subject to availability of funding. The successful candidates will be appointed at Post-Doctoral or Senior Post-Doctoral level depending on their experience and qualifications. A budget for travel, equipment, publications and other research expenses is available as part of the project.

The Cryptography Research Group is led by Dr Paolo Palmieri and consists of 8 researchers at doctoral and post-doctoral level. The hired researcher will be encouraged to collaborate with other members of the group, and to take a mentoring role with some of the more junior researchers. There will also be ample opportunities to work with the group’s extensive network of international collaborations. The role will be based in Insight - SFI Research Centre for Data Analytics, as part of the SFI Empower Spoke.

Closing date for applications:

Contact: Informal inquiries can be made in confidence to Dr. Paolo Palmieri, at: p.palmieri@cs.ucc.ie

Applications should be submitted through the University portal at https://ore.ucc.ie/ (search for reference number: 078931). E-mail applications cannot be considered.

More information: https://security.ucc.ie/vacancies.html

It is well known that the best small private exponent attack against RSA is that when the private exponent $d < N^{0.292}$, one can factor the RSA modulus $N = pq$. However, the bound $N^{0.292}$ is very difficult to achieve directly since we need to deal with some lattice with very high dimension, which seems infeasible by now. Recently, Li et al. proposed a practical attack that can solve cases when $d$ approaches $N^{0.292}$ within a month for $1024$ bit $N$. In this paper, we propose an improved practical small private exponent attack by enumerating the most significant bits of $p + q$. Together with some skills in implementations, we can also achieve the bound $N^{0.292}$, but with significantly less time compared to previous work.

Coppersmith's method, combined with the Jochemsz-May strategy, is widely used to find the small roots of multivariate polynomials for cryptanalysis. At Asiacrypt'23, Meers and Nowakowski improved the Jochemsz-May strategy from a single polynomial equation to a system of polynomial equations and proposed a new method, called Automated Coppersmith. Note that it is typically a tedious and non-trivial task to determine asymptotic upper bounds for Coppersmith’s method and manual analysis has to be performed anew when a new set of polynomials is considered. By making certain heuristic assumption, Meers and Nowakowski showed that the bound can be obtained using Lagrange interpolation with the computer, but it is still time-consuming. Moreover, we find that sometimes the interpolation method may get stuck in local convergence, which will result in an incorrect bound when a natural termination strategy is employed in the method.

In this paper, we revisit the Jochemsz-May strategy as well as the work of Meers and Nowakowski and point out that the bound can be obtained by calculating the leading coefficient of some Hilbert function, which is exactly the volume of the corresponding Newton polytope. To this end, we introduce the concept of Sumsets theory and propose a series of related results and algorithms. Compared with the Automated Coppersmith, we overcome the issue of getting stuck in local convergence and directly eliminate the time-consuming calculation for $f^m$ in Automated Coppersmith when $m$ is large, which brings a 1000x$\sim$1200x improvement in running time for some polynomials in our experiment.

Additionally, our new method offers a new perspective on understanding Automated Coppersmith, thus providing proof of Meers and Nowakowski's Heuristic 2 for the system of a single polynomial.

Let $(N,e)$ be a public key of the RSA cryptosystem, and $d$ be the corresponding private key. In practice, we usually choose a small $e$ for quick encryption. In this paper, we improve partial private key exposure attacks against RSA with MSBs of $d$ and small $e$. The key idea is that under such a setting we can usually obtain more information about the prime factors of $N$ and then, by solving a univariate modular polynomial equation using Coppersmith's method, $N$ can be factored in polynomial time. Compared to previous results, we reduce the number of the leaked bits in $d$ that are needed to mount the attack by $\log_2 (e)$ bits. For $e=65537$, previous work required an additional enumeration of 17 bits to achieve our new bound, resulting in a $2^{10}$ (or 1,024x) increase in time consumption. Furthermore, our experiments show that for a $1024$-bit modulus $N$, our attack can achieve the theoretical bound on a simple personal computer, which verifies the new method.

Recently, the NSA has proposed a block cipher called ARADI and a mode of operation called LLAMA for memory encryption applications. In this note, we comment on this proposal, on its suitability for the intended application, and describe an attack on LLAMA that breaks confidentiality of ciphertext and allows a straightforward forgery attack breaking integrity of ciphertext (INT-CTXT) using a related-IV attack. Both attacks have negligible complexity.

The notion of (Receiver-) Anamorphic Encryption was put forth recently to show that a dictator (i.e., an overreaching government), which demands to get the receiver’s private key and even dictates messages to the sender, cannot prevent the receiver from getting an additional covert anamorphic message from a sender. The model required an initial private collaboration to share some secret. There may be settings though where an initial collaboration may be impossible or performance-wise prohibitive, or cases when we need an immediate message to be sent without private key generation (e.g., by any casual sender in need). This situation, to date, somewhat limits the applicability of anamorphic encryption.

To overcome this, in this work, we put forth the new notion of “public-key anamorphic encryption,” where, without any initialization, any sender that has not coordinated in any shape or form with the receiver, can nevertheless, under the dictator control of the receiver’s private key, send the receiver an additional anamorphic secret message hidden from the dictator. We define the new notion with its unique new properties, and then prove that, quite interestingly, the known CCA-secure Koppula-Waters (KW) system is, in fact, public-key anamorphic.

We then describe how a public-key anamorphic scheme can support a new hybrid anamorphic encapsulation mode (KDEM) where the public-key anamorphic part serves a bootstrapping mechanism to activate regular anamorphic messages in the same ciphertext, thus together increasing the anamorphic channel capacity.

Looking at the state of research thus far, we observe that the initial system (Eurocrypt’22) that was shown to have regular anamorphic properties is the CCA-secure Naor-Yung (and other related schemes). Here we identify that the KW CCA-secure scheme also provides a new type of anamorphism. Thus, this situation is hinting that there may be a connection between some types of CCA-secure schemes and some type of anamorphic schemes (in spite of the fact that the goals of the two primitives are fundamentally different); this question is foundational in nature. Given this, we identify a sufficient condition for a “CCA-secure scheme which is black-box reduced from a CPA secure scheme” to directly give rise to an “anamorphic encryption scheme!” Furthermore, we identify one extra property of the reduction, that yields a public-key anamorphic scheme as defined here.