International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

09 August 2018

Promise Protocols
Job Posting
Who are we?

Promise Protocols is one of the fastest growing FinTech companies in Silicon Valley. Promise delivers cash analytics and cash access to thousands of small businesses that operate with volatile cash balances. We are a platform company whose aim is to automate the hardest parts of small business financial management. We are sometimes the last company many small business merchants come to when no one else will help their businesses stay alive.

Why work at Promise?

We are a high-energy, innovation-focused team of engineers and technologists who want to make running a small business less painful for owners all over the world. Promise’s environment is highly collaborative, and the ideal candidate will have an eye for detail and be a team player who enjoys working with others to find cutting-edge solutions to tricky problems. Come join us!

What are we looking for in a Senior Software Engineer?

Promise Protocols is looking for a passionate and experienced developer with cryptography experience to help develop, build and deploy a distributed, fault-tolerant P2P payments and exchange platform.

This role is ideal for cryptography scientists or software engineers with deep experience and familiarity with evolving and established cryptographic protocols and their implementation.

What will you be responsible for doing?

1. Develop, build and deploy crypto protocols in distributed p2p systems

2. Work with core internal team and external open source community

3. Collaborate with teammates to produce protocol specifications

4. Collaborate and support other teams in developing crypto economic consensus protocol

5. Develop and maintain interfaces for platform API

6. Identify and recommend technologies to solve technical challenges

Closing date for applications:

Contact: Please send a request to jobs (at) promiseprotocols.com

More information: https://aquila-1.workable.com/jobs/772792


08 August 2018

Eurocrypt
The 38th annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019, will be held in Darmstadt, Germany on May 19-23, 2019. It is one of the three flagship conferences of the International Association for Cryptologic Research (IACR) and is devoted to all aspects of cryptology.

The IACR is soliciting for affiliated events to be held in conjunction with Eurocrypt 2019 on Saturday, May 18, and/or Sunday, May 19. Each such event is expected to provide a forum for discussing a specific topic of the broad cryptographic world (theory, practice, implementation, standardizations, industry, etc.). The format of the event (e.g., workshop, tutorial, panel, etc.) is up to the organizers.

Information about proposing an affiliated event can be found at https://eurocrypt.iacr.org/2019/callforaffiliatedevents.html. Proposals are due September 2.

07 August 2018

Beijing, China, 14 April - 17 April 2019
PKC
Event date: 14 April to 17 April 2019
Submission deadline: 12 October 2018
Notification: 21 December 2018
Nele Mentens, Edoardo Charbon, Francesco Regazzoni
ePrint Report
This work proposes the first fine-grained configurable cell array specifically tailored for cryptographic implementations. The proposed architecture can be added to future FPGAs as an application-specific configurable building block, or to an ASIC as an embedded FPGA (eFPGA). The goal is to map cryptographic ciphers on combinatorial cells that are more efficient than general purpose lookup tables in terms of silicon area, configuration memory and combinatorial delay. As a first step in this research direction, we focus on block ciphers and we derive the most suitable cell structure for mapping state-of-the-art algorithms. We develop the related automated design flow, exploiting the synthesis capabilities of Synopsys Design Compiler and the routing capabilities of Xilinx ISE. Our solution is the first cryptography-oriented fine-grained architecture that can be configured using common hardware description languages. We evaluate the performance of our solution by mapping a number of well-known block ciphers onto our new cells. The obtained results show that our proposed architecture drastically outperforms commercial FPGAs in terms of silicon area and configuration memory resources, while obtaining a similar throughput.

05 August 2018

Cyber Security Researchers of Waikato (CROW), University of Waikato, New Zealand
Job Posting
The Cyber Security Researchers of Waikato (CROW) - the first cyber security lab in NZ - created the NZ Cyber Security Challenge, and leads the Ministry of Business, Innovation and Employment funded STRATUS project (NZD12.2 mil). CROW collaborates with 58 other local and international organisations, including STRATUS end-user partners Interpol and NZ Police.

We are seeking to appoint a full time fixed term Research Fellow to contribute to our research objectives associated with cybercrime, computer security and cloud computing. This position has responsibilities to achieve research objectives associated with the STRATUS industry partners.

A PhD in cyber security, cybercrime, computer science or a related field is essential as is having demonstrated research ability in cyber security and cybercrime. A requirement of this position is the ability to commercialise research prototypes into products/services and the demonstrated ability to publish in high quality academic journals, work collaboratively with others and undertake some teaching if required.

Preference will be given to candidates who have work experience with cybercrime, security, intelligence, or law enforcement agencies, including work experience in cybercrime, security, digital forensics, machine learning, applied cryptography, etc.

Salary will be in the range of NZ$74,034 to $89,163 per year, depending on qualifications, skills and experience.

This position is fixed-term until October 2020, and will remain open until filled.

Enquiries of an academic nature should be directed to Associate Professor Ryan Ko – Director, NZ Institute for Security and Crime Science, email: ryan.ko AT waikato.ac.nz

Closing date for applications: 4 January 2019

Contact: Associate Professor Ryan Ko, ryan.ko AT waikato.ac.nz

More information: https://www.waikato.ac.nz/vacancies/current-vacancies


03 August 2018

Markku-Juhani O. Saarinen, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen, Zhenfei Zhang
ePrint Report
Round5 is a Public Key Encryption and Key Encapsulation Mechanism (KEM) based on General Learning with Rounding (GLWR), a lattice problem. We argue that the ring variant of GLWR is better suited for embedded targets than the more common RLWE (Ring Learning With Errors) due to significantly shorter keys and messages. Round5 incorporates GLWR with error correction, building on design features from NIST Post-Quantum Standardization candidates Round2 and Hila5. The proposal avoids Number Theoretic Transforms (NTT), allowing more flexibility in parameter selection and making it simpler to implement. We discuss implementation techniques of Round5 ring variants and compare them to other NIST PQC candidates on the lightweight Cortex M4 platform. We show that Round5 offers not only the shortest key and ciphertext sizes among lattice-based candidates, but also currently has leading performance and implementation size characteristics.
Henning Kopp, Frank Kargl, Christoph Bösch, Andreas Peter
ePrint Report
Blockchain technology like Bitcoin is a rapidly growing field of research which has found a wide array of applications. However, the power consumption of the mining process in the Bitcoin blockchain alone is estimated to be at least as high as the electricity consumption of Ireland, which constitutes a serious liability to the widespread adoption of blockchain technology. We propose a novel instantiation of a proof of human-work, which is a cryptographic proof that an amount of human work has been exercised, and show its use in the mining process of a blockchain. Next to our instantiation there is only one other instantiation known, which relies on indistinguishability obfuscation, a cryptographic primitive whose existence is only conjectured. In contrast, our construction is based on the cryptographic principle of multiparty computation (which we use in a black box manner) and thus is the first known feasible proof of human-work scheme. Our blockchain mining algorithm, called uMine, can be regarded as an alternative energy-efficient approach to mining.
Alin Tomescu, Vivek Bhupatiraju, Dimitrios Papadopoulos, Charalampos Papamanthou, Nikos Triandopoulos, Srinivas Devadas
ePrint Report
Transparency logs allow users to audit a potentially malicious service, paving the way towards a more accountable Internet. For example, Certificate Transparency (CT) enables domain owners to audit Certificate Authorities (CAs) and detect impersonation attacks. Yet to achieve their full potential, transparency logs must be efficiently auditable. Specifically, everyone should be able to verify both (non)membership of log entries and that the log remains append-only. Unfortunately, current transparency logs either provide small-sized (non)membership proofs or small-sized append-only proofs, but never both. In fact, one of the proofs always requires bandwidth linear in the size of the log, making it expensive for everyone to audit the log and resulting in a few “opaque” trusted auditors. In this paper, we address this gap with a new primitive called an append-only authenticated dictionary (AAD). Our construction is the first to achieve (poly)logarithmic size for both proof types. Moreover, our experimental evaluation is very encouraging: for reasonable application scenarios, our AAD reduces the total communication bandwidth in transparency schemes by more than 200x, compared to previous approaches.
Paul Crowley, Eric Biggers
ePrint Report
We present HPolyC, a construction which builds on Poly1305, XChaCha12, and a single block cipher invocation per message to offer length-preserving encryption with a fast constant-time implementation where crypto instructions are absent. On an ARM Cortex-A7 processor, HPolyC decrypts 4096-byte messages at 14.5 cycles per byte, over four times faster than AES-256-XTS. Assuming secure primitives, we prove an advantage bound of $\approx 2^{-111}q^2(l + 156)$, where $q$ is the number of queries and $l$ is the sum of message and tweak length in bits.

02 August 2018

University of Twente, Enschede, the Netherlands
Job Posting
The computer science department at the University of Twente is expanding its capacity and is looking for candidates at levels ranging from junior to more senior, for both combined research and education positions (assistant / associate professor), and education positions (lecturer).

Cybersecurity (broadly conceived) is by all means among the topics of interest!

The full announcement of these positions can be found here:
https://www.utwente.nl/en/organization/careers/vacancy/!/421417/6-assistantassociate-professors-and-lecturers-in-computer-science

Closing date for applications: 31 August 2018

More information: https://www.utwente.nl/en/organization/careers/vacancy/

University of Tartu, Estonia
Job Posting
The cryptography group at the Institute of Computer Science of the University of Tartu seeks 1-2 postdoctoral researchers in cryptography. The positions will be supporting an EU H2020 project on privacy-enhancing cryptography for distributed ledgers (PRIViLEDGE). The candidate(s) should have a strong track record in cryptography, and in particular in the design of efficient privacy-preserving protocols (e.g., zero-knowledge proofs) and/or blockchain.

We expect candidates to be able to develop and devote significant time to their own research agenda around the theme of the project. Successful candidates will help to design and evaluate privacy-enhancing cryptographic techniques for blockchains (e.g., SNARKs) and perform other research duties to help with the project, collaborate with partners and ensure the smooth administration of the project including the timely delivery of research output.

The EU H2020 project PRIViLEDGE requires travel to and collaboration with colleagues throughout the European Union. Full travel and equipment budget is available to support the activities of the project.

For any inquiries or to apply for the positions, submit a full research curriculum-vitae (cv), names of two references, and a research statement to Prof Helger Lipmaa (firstname.lastname (at) ut.ee) clearly indicating the position sought. This is crucial since we have several open positions.

The project started on January 1, 2018, and will last for three years. If interested, the candidates may later seek further employment (the group has other projects, some of which have a later ending date), but this is not necessarily guaranteed. The position will stay open until we find a suitable candidate; please apply early.

Closing date for applications: 1 September 2018

Contact: Helger Lipmaa

More information: https://crypto.cs.ut.ee/index.php/Projects/PRIViLEDGE

Bogotá, Colombia, 5 June - 7 June 2019
Event Calendar
Event date: 5 June to 7 June 2019
Submission deadline: 22 January 2019
Notification: 22 March 2019

01 August 2018

Evgenios M. Kornaropoulos, Charalampos Papamanthou, Roberto Tamassia
ePrint Report
Recent works by Kellaris et al. (CCS’16) and Lacharite et al. (SP’18) demonstrated attacks of data recovery for encrypted databases that support rich queries such as range queries. In this paper, we develop the first data recovery attacks on encrypted databases supporting one-dimensional k-nearest neighbor (k-NN) queries, which are widely used in spatial data management. Our attacks exploit a generic k-NN query leakage profile: the attacker observes the identifiers of matched records. We consider both unordered responses, where the leakage is a set, and ordered responses, where the leakage is a k-tuple ordered by distance from the query point.

As a first step, we perform a theoretical feasibility study on exact reconstruction, i.e., recovery of the exact plaintext values of the encrypted database. For ordered responses, we show that exact reconstruction is feasible if the attacker has additional access to some auxiliary information that is normally not available in practice. For unordered responses, we prove that exact reconstruction is impossible due to the infinite number of valid reconstructions. As a next step, we propose practical and more realistic approximate reconstruction attacks so as to recover an approximation of the plaintext values. For ordered responses, we show that after observing enough query responses, the attacker can approximate the client’s encrypted database with considerable accuracy. For unordered responses we characterize the set of valid reconstructions as a convex polytope in a k-dimensional space and present a rigorous attack that reconstructs the plaintext database with bounded approximation error.

As multidimensional spatial data can be efficiently processed by mapping it to one dimension via Hilbert curves, we demonstrate our approximate reconstruction attacks on privacy-sensitive geolocation data. Our experiments on real-world datasets show that our attacks reconstruct the plaintext values with relative error ranging from 2.9% to 0.003%.
Koji Nuida
ePrint Report
Randomness is an essential but expensive resource for cryptography, and secure (and efficient) implementations of randomness using pseudorandom generators (PRGs) are of much concern in this area. On the other hand, implementations of randomness without losing the correctness of the underlying cryptosystem should be important but seem to be less of a concern in the literature. The results in this paper show that the problem of the correct implementation of randomness in cryptosystems is in general non-trivial even when using secure PRGs. Namely, we construct two examples with the following properties:

- There exist a secure and correct public key encryption (PKE) scheme (with negligible decryption error probability) and a secure PRG such that implementing the key generation algorithm using the PRG makes the scheme incorrect. The reason for this phenomenon is that the standard formulation of correctness of PKE schemes does not in general imply that erroneous keys (which yield non-negligible decryption error probability for some plaintext) are efficiently detectable.

- There exist a secure and correct PKE scheme and a PRG secure against uniform distinguishers such that implementing the encryption algorithm using the PRG makes the scheme incorrect. The reason for this phenomenon is that, when a PKE scheme is incorrect, a plaintext that yields non-negligible decryption error probability is in general not efficiently samplable by a uniform algorithm; hence security of the PRG against non-uniform distinguishers is required. We also discuss a possibility to avoid the reliance on PRGs secure against non-uniform distinguishers.
Heiko Lohrke, Shahin Tajik, Thilo Krachenfels, Christian Boit, Jean-Pierre Seifert
ePrint Report
Thermal laser stimulation (TLS) is a failure analysis technique which can be deployed by an adversary to localize and read out stored secrets in the SRAM of a chip. To date, a few proof-of-concept experiments based on TLS or similar approaches have been reported in the literature, which do not reflect a real attack scenario. Therefore, it is still questionable whether this attack technique is applicable to modern ICs equipped with side-channel countermeasures. The primary aim of this work is to assess the feasibility of launching a TLS attack against a device with robust security features. To this end, we select a modern FPGA, and more specifically, its key memory, the so-called battery-backed SRAM (BBRAM), as a target. We demonstrate that an attacker is able to extract the stored 256-bit AES key used for the decryption of the FPGA’s bitstream by conducting just a single non-invasive measurement. Moreover, it becomes evident that conventional countermeasures are incapable of preventing our attack since the FPGA is turned off during key recovery. Based on our time measurements, the required effort to develop the attack is shown to be less than 7 hours. To avert this powerful attack, we propose a low-cost and CMOS-compatible countermeasure circuit which is capable of protecting the BBRAM from TLS attempts even when the FPGA is powered off. Using a proof-of-concept prototype of our countermeasure, we demonstrate its effectiveness against TLS key extraction attempts.
Benoît Libert, San Ling, Khoa Nguyen, Huaxiong Wang
ePrint Report
We provide lattice-based protocols allowing one to prove relations among committed integers. While the most general zero-knowledge proof techniques can handle arithmetic circuits in the lattice setting, adapting them to prove statements over the integers is non-trivial, at least if we want to handle exponentially large integers while working with a polynomial-size modulus $q$. For a polynomial $L$, we provide zero-knowledge arguments allowing a prover to convince a verifier that committed $L$-bit bitstrings $x$, $y$ and $z$ are the binary representations of integers $X$, $Y$ and $Z$ satisfying $Z=X+Y$ over $\mathbb{Z}$. The complexity of our arguments is only linear in $L$. Using them, we construct arguments allowing one to prove inequalities $X<Z$ among committed integers, as well as arguments showing that a committed $X$ belongs to a public interval $[\alpha,\beta]$, where $\alpha$ and $\beta$ can be arbitrarily large. Our range arguments have logarithmic cost (i.e., linear in $L$) in the maximal range magnitude. Using these tools, we obtain zero-knowledge arguments showing that a committed element $X$ does not belong to a public set $S$ using $\widetilde{\mathcal{O}}(n \cdot \log |S|)$ bits of communication, where $n$ is the security parameter. We finally give a protocol allowing one to argue that committed $L$-bit integers $X$, $Y$ and $Z$ satisfy the multiplicative relation $Z=XY$ over the integers, with communication cost subquadratic in $L$. To this end, we use our protocol for integer addition to prove the correct recursive execution of Karatsuba's multiplication algorithm. The security of our protocols relies on standard lattice assumptions with polynomial modulus and polynomial approximation factor.
Mohamed Ahmed Abdelraheem, Tobias Andersson, Christian Gehrmann, Cornelius Glackin
ePrint Report
Searchable symmetric encryption (SSE) schemes are commonly proposed to enable search in protected unstructured documents such as email archives or any set of sensitive text files. However, some SSE schemes have recently been proposed in order to protect relational databases. Most of the previous attacks on SSE schemes have only targeted their common use case, protecting unstructured data. In this work, we propose a new inference attack on relational databases protected via SSE schemes. Our inference attack enables a passive adversary with only basic knowledge about the meta-data information of the target relational database to recover the attribute names of some observed queries. This violates query privacy since the attribute name of a query is secret.
Jean-Charles Faugère, Eliane Koussa, Gilles Macario-Rat, Jacques Patarin, Ludovic Perret
ePrint Report
In this document, we introduce PKP-DSS: a Digital Signature Scheme based on the so-called Permuted Kernel Problem (PKP). PKP is an NP-complete algebraic problem that consists of finding a kernel vector with particular entries for a publicly known matrix. It is simple and needs only basic linear algebra. Hence, this problem was used to develop the first Identification Scheme (IDS) which has an efficient implementation on low-cost smart cards. We construct PKP-DSS from a Zero-Knowledge Identification Scheme (ZK-IDS) based on PKP. We derive the signature scheme PKP-DSS by using the traditional Fiat-Shamir (FS) transform. Thus, PKP-DSS has a security that can be provably reduced, in the (classical) random oracle model, to essentially the hardness of random instances of PKP. Following the state-of-the-art attacks on PKP, we propose several sets of parameters for different security levels. Each parameter set yields signatures shorter than the other signatures derived from Zero-Knowledge identification schemes. In particular, PKP-DSS-128 gives a signature size of about $29$ KBytes for $128$ bits of classical security, while the best known signature schemes built from a ZK-IDS (such as MQDSS, Picnic, ...) give bigger signatures ($> 32$ KB).
Anne Canteaut, Léo Perrin
ePrint Report
Two vectorial Boolean functions are “CCZ-equivalent” if there exists an affine permutation mapping the graph of one to the other. It preserves many of the cryptographic properties of a function, such as its differential and Walsh spectra, which is why it could be used by Dillon et al. to find the first APN permutation on an even number of variables. However, the meaning of this form of equivalence remains unclear. In fact, to the best of our knowledge, it is not known how to partition a CCZ-equivalence class into its Extended-Affine (EA) equivalence classes, EA-equivalence being a simple particular case of CCZ-equivalence.

In this paper, we characterize CCZ-equivalence as a property of the zeroes in the Walsh spectrum of a function $F : \mathbb{F}_2^{n} \to \mathbb{F}_2^{m}$ or, equivalently, of the zeroes in its Difference Distribution Table. We use this framework to show how to efficiently upper bound the number of distinct EA-equivalence classes in a given CCZ-equivalence class. More importantly, we prove that it is possible to go from a specific member of any EA-equivalence class to a specific member of another EA-equivalence class in the same CCZ-equivalence class using an operation called “twisting”; so that CCZ-equivalence can be reduced to the association of EA-equivalence and twisting. Twisting a function is a simple process and its possibility is equivalent to the existence of a particular decomposition of the function considered. Using this knowledge, we revisit several results from the literature on CCZ-equivalence and show how they can be interpreted in light of our new framework.

Our results rely on a new concept, the “thickness” of a space (or linear permutation), which can be of independent interest.
Dan Boneh, Benedikt Bünz, Ben Fisch
ePrint Report
A verifiable delay function (VDF) is an important tool used for adding delay in decentralized applications. This short note briefly surveys and compares two recent beautiful Verifiable Delay Functions (VDFs), one due to Pietrzak and the other due to Wesolowski. We also provide a new computational proof of security for one of them, and compare the complexity assumptions needed for both schemes.