International Association
for Cryptologic Research

Traceable range proof (TRP) plays a major role in the construction of regulatable privacy-preserving blockchains, as it empowers regulators with traceability of the hidden amount in each transaction. In this paper, we give new constructions of TRPs with improved efficiency and more regulatory functions. In particular, we introduce sTBoRP: a simplified traceable Borromean range proof directly from Borromean ring signature without additional validity proofs for tracing keys, sTBoRP can be applied for multiple regulation between different regulators, and can be further modified to be secure against malicious regulators. Moreover, we introduce jTBuRP: a modified traceable Bulletproofs range proof to support joint regulation against collusion attack of malicious regulators, by improving the generation algorithm of tracing keys. We also give the security proofs for both schemes and give the comparisons of efficiency and security.

Let $f:\{-1,1\}^n\rightarrow \{-1,1\}$ be with total degree $d$, and $\widehat{f}(i)$ be the linear Fourier coefficients of $f$. The relationship between the sum of linear coefficients and the total degree is a foundational problem in theoretical computer science. In 2012, O'Donnell Conjectured that \[ \sum_{i=1}^n \widehat{f}(i)\le d\cdot {d-1 \choose \lfloor\frac{d-1}{2}\rfloor}2^{1-d}. \] In this paper, we prove that the conjecture is equivalent to a conjecture on the cryptographic Boolean function. We then prove that the conjecture is true for $d=1,n-1$. Moreover, we count the number of $f$'s such that the upper bound is achieved.

Event date: 24 May to 26 May 2020

Constructing an elliptic curve of prime order has a significant role in elliptic curve cryptography. For security purposes, we need an elliptic curve of almost prime order. In this paper, we propose an efficient technique to generate an elliptic curve of nearly prime order. In practice, this algorithm produces an elliptic curve of order 2 times a prime number. Therefore, these elliptic curves are appropriate for practical uses. Presently, the most known working algorithms for generating elliptic curves of prime order are based on complex multiplication. The advantages of the proposed technique are: it does not require a deep mathe- matical theory, it is easy to implement in any programming language and produces an elliptic curve with a remarkably simple expression.

We provide an inclusive environment and are committed to a recruitment process free from discrimination. We believe that supporting a variety of career trajectories is vital for world class computer science to flourish. The post holder will create and disseminate knowledge through initiating and conducting original research, through publication and by seeking external funding, and through developing and delivering undergraduate and postgraduate programmes in computer security, and computer science. They may also seek non-academic impact, recognising the importance of Computer Science to society. They will also contribute to the School’s operation through management, leadership and enterprise activities, and other School events. The successful candidate will normally hold a higher degree (usually PhD) in computer science, engineering, mathematics or a closely related field, or equivalent qualifications or experience. They will have significant research experience and it would be beneficial if they can demonstrate an ability to balance long-term fundamental research with short-term applied projects. A growing international research record in computer science (or related inter-disciplinary areas), evident from publications in leading international conferences and journals, is required. Candidates must have the ability to design, deliver, assess and revise teaching programmes and be experienced in developing appropriate approaches to learning and teaching. They will also have the ability to contribute to School/Departmental management processes. To download the full job description and details of this position and submit an electronic application online please click on the Apply Online button below or visit https://www.birmingham.ac.uk/staff/jobs/index.aspx

Closing date for applications:

Contact: Kate Campbell, k.campbell.1@bham.ac.uk

More information: http://www.download.bham.ac.uk/vacancies/jd/95549.pdf

An opportunity has arisen for a 3-year postdoctoral researcher to be appointed as soon as possible. The candidate will be concerned with design and analysis of different cryptographic primitives and protocols. Examples may include lightweight identification and authentication protocols, key management protocols providing long-term security, incremental cryptographic primitives, and quantum-secure protocols based on different post-quantum primitives. Technique of formal analysis, including reductionist security and suitable symbolic analysis methods, may be used.

The candidate will work on a project entitled "Lightweight Cryptography for Future Smart Networks" funded by the Norwegian Research Council. The project will develop new primitives and protocols for lightweight cryptography fitting the needs of the two critical and strongly related future network architectures, IoT and 5G.

Postdoctoral candidates are normally remunerated from NOK 515 200 before tax per year. Completion of a doctoral degree in cryptology or network security is required.

Applicants should send an expression of interest to Colin Boyd together with a recent CV.

Closing date for applications:

Contact: Prof Colin Boyd

The Cryptanalysis Taskforce at Nanyang Technological University in Singapore led by Prof. Jian Guo is seeking for candidates to fill 3 postdoctoral research fellow positions on symmetric-key cryptography, including but not limited to the following sub-areas:

• tool aided cryptanalysis, such as MILP, CP, STP, and SAT
• machine learning aided cryptanalysis and designs
• privacy-preserving friendly symmetric-key designs
• quantum cryptanalysis
• cryptanalysis against SHA-3 and AES

Established in 2014, the Cryptanalysis Taskforce is a group dedicated for research in symmetric-key cryptography. Since then, the team has been active in both publications in and services for IACR. It has done quite some cryptanalysis work on targets such as SHA-3, and is expanding its interests to the areas mentioned above, with strong funding support from the university and government agencies in Singapore. We offer competitive salary package with extremely low tax, as well as excellent environment dedicating for research in Singapore. The contract will be initially for 2 years, and has the possibility to be extended. Candidates are expected to have proven record of publications in IACR conferences. Interested candidates are to send their CV and 2 reference letters to Jian Guo. Review of applicants will start immediately until the positions are filled. More information about the Cryptanalysis Taskforce research group can be found via http://team.crypto.sg

Closing date for applications:

Contact: Asst Prof. Jian Guo, guojian@ntu.edu.sg

More information: http://team.crypto.sg

Juan de la Cierva Grants 2019 for Young Doctors – Call for Expression of Interest The Research group on Cryptology and Information Security (GiCSI) of the Spanish National Research Council is seeking highly motivated professionals in conducting research in the area of blockchain-based protocols, security protocols, cryptographic privacy-enhancing technologies, data curation protocols and fake news detection. There are two types of Juan de la Cierva grants: Juan de la Cierva Training Grants (Juan de la Cierva-Formación) are aimed at candidates that have been awarded their PhD between 01/01/2018 and 31/12/2019. These grants are aimed to complete their postdoctoral research training in Spanish R&D centers other than those in which they carried out their predoctoral training. Juan de la Cierva Incorporation Grants (Juan de la Cierva-Incorporación) are aimed at those who were awarded their PhD between 01/01/2015 and 31/12/2017. These grants are intended to strengthen the grantee’s acquired skills during a first stage of postdoctoral training. Interested candidates are encouraged to contact us as soon as possible. Deadline: 18/12/2019-15/01/2020 Contact: David Arroyo, david.arroyo (at) cscic.es

Closing date for applications:

Contact: David Arroyo Guardeño, email: david.arroyo (at) csic.es

More information: http://www.ciencia.gob.es/portal/site/MICINN/menuitem.791459a43fdf738d70fd325001432ea0/?vgnextoid=909662ecfa1de610VgnVCM

We introduce new authenticated key exchange protocols which on one hand do not resort to standard public key setups with corresponding assumptions of computationally hard problems, but on the other hand are more efficient than distributing symmetric keys among the participants. To this end, we rely on a trusted central authority distributing key material which size is independent of the total number of users, and which allows the users to obtain shared secret keys. We analyze the security of our construction taking into account various attack models. Importantly, only symmetric primitives are needed in the protocol making it an alternative to quantum-safe key exchange protocols which rely on hardness assumptions.

The videos of talks at CHES 2019 are now on the IACR YouTube channel

Recently, Srinath and Chandrasekaran have proposed an undeniable blind signature scheme (UBSS) from supersingular isogeny to provide signer’s control in a quantum-resistant blind signature. However, certain weaknesses of undeniable signature have already been observed and have been overcome by formalizing the designated verifier signature (DVS). In this paper, we explore the possibility of generic construction of a DVS from hard homogeneous spaces. Further, following this motivation, we realize a quantum-resistant designated verifier blind signature (DVBS) scheme based on supersingular isogenies from the proposed generic construction. In contrast to the UBSS, our construction do not require interactive communication between the signer and the verifier, yet engages the signer in the verification. The compact signature adds more security properties in a quantum-resistant blind signature to be useful in specific applications including electronic tendering, online auctions etc.

The Shell sort algorithm is one of the most practically effective sorting algorithms. However, it is difficult to execute this algorithm with its intended running time complexity on data encrypted using fully homomorphic encryption (FHE), because the insertion sort in Shell sort has to be performed by considering the worst-case input data. In this paper, in order for the sorting algorithm to be used on FHE data, we modify the Shell sort with an additional parameter $\alpha$ and a gap sequence of powers of two. The modified Shell sort is found to have the trade-off between the running time complexity of $O(n^{3/2}\sqrt{\alpha+\log\log n})$ and the sorting failure probability of $2^{-\alpha}$. Its running time complexity is close to the intended running time complexity of $O(n^{3/2})$ and the sorting failure probability can be made very low with slightly increased running time. Further, the optimal window length of the modified Shell sort is also derived via convex optimization. The proposed analysis of the modified Shell sort is numerically confirmed by using randomly generated arrays. Further, the performance of the modified Shell sort is numerically compared with the case of Ciura's optimal gap sequence and the case of the optimal window length obtained through the convex optimization.

In 2020 Xin et al.proposed a new identity-based quantum signature based on Bell states scheme. By using a one-time padding (OTP) for both-side transfer operations like, "XOR", Hadamard H, and Y, they confirmed the security of the proposed scheme. However, after analyses, we found that the scheme cannot resist both the existing forgery attack and meaningful message attack. Therefore, we modified their scheme to include the required security, unforgeability, which is very important in quantum signature scheme.

At CRYPTO '12, Landecker et al. introduced the cascaded LRW2 (or CLRW2) construction, and proved that it is a secure tweakable block cipher up to roughly $ 2^{2n/3} $ queries. Recently, Mennink presented a distinguishing attack on CLRW2 in $ 2n^{1/2}2^{3n/4} $ queries. In the same paper, he discussed some non-trivial bottlenecks in proving tight security bound, i.e. security up to $ 2^{3n/4} $ queries. Subsequently, he proved security up to $ 2^{3n/4} $ queries for a variant of CLRW2 using $ 4 $-wise independent AXU assumption and the restriction that each tweak value occurs at most $ 2^{n/4} $ times. Moreover, his proof relies on a version of mirror theory which is yet to be publicly verified. In this paper, we resolve the bottlenecks in Mennink's approach and prove that the original CLRW2 is indeed a secure tweakable block cipher up to roughly $ 2^{3n/4} $ queries. To do so, we develop two new tools: first, we give a probabilistic result that provides improved bound on the joint probability of some special collision events; second, we present a variant of Patarin's mirror theory in tweakable permutation settings with a self-contained and concrete proof. Both these results are of generic nature, and can be of independent interests. To demonstrate the applicability of these tools, we also prove tight security up to roughly $ 2^{3n/4} $ queries for a variant of DbHtS, called DbHtS-p, that uses two independent universal hash functions.

Verifiable outsourcing systems offload a large computation to a remote server, but require that the remote server provide a succinct proof, called a SNARK, that proves that the server carried out the computation correctly. Real-world applications of this approach can be found in several blockchain systems that employ verifiable outsourcing to process a large number of transactions off-chain. This reduces the on-chain work to simply verifying a succinct proof that transaction processing was done correctly. In practice, verifiable outsourcing of state updates is done by updating the leaves of a Merkle tree, recomputing the resulting Merkle root, and proving using a SNARK that the state update was done correctly.

In this work, we use a combination of existing and novel techniques to implement an RSA accumulator inside of a SNARK, and use it as a replacement for a Merkle tree. We specifically optimize the accumulator for compatibility with SNARKs. Our experiments show that the resulting system can dramatically reduce costs compared to existing approaches that use Merkle trees for committing to the current state. These results apply broadly to any system that needs to offload batches of state updates to an untrusted server.

Solving the equation $P_a(X):=X^{q+1}+X+a=0$ over finite field $\GF{Q}$, where $Q=p^n, q=p^k$ and $p$ is a prime, arises in many different contexts including finite geometry, the inverse Galois problem \cite{ACZ2000}, the construction of difference sets with Singer parameters \cite{DD2004}, determining cross-correlation between $m$-sequences \cite{DOBBERTIN2006,HELLESETH2008} and to construct error-correcting codes \cite{Bracken2009}, as well as to speed up the index calculus method for computing discrete logarithms on finite fields \cite{GGGZ2013,GGGZ2013+} and on algebraic curves \cite{M2014}.

Subsequently, in \cite{Bluher2004,HK2008,HK2010,BTT2014,Bluher2016,KM2019,CMPZ2019,MS2019}, the $\GF{Q}$-zeros of $P_a(X)$ have been studied: in \cite{Bluher2004} it was shown that the possible values of the number of the zeros that $P_a(X)$ has in $\GF{Q}$ is $0$, $1$, $2$ or $p^{\gcd(n, k)}+1$. Some criteria for the number of the $\GF{Q}$-zeros of $P_a(x)$ were found in \cite{HK2008,HK2010,BTT2014,KM2019,MS2019}. However, while the ultimate goal is to identify all the $\GF{Q}$-zeros, even in the case $p=2$, it was solved only under the condition $\gcd(n, k)=1$ \cite{KM2019}.

We discuss this equation without any restriction on $p$ and $\gcd(n,k)$. New criteria for the number of the $\GF{Q}$-zeros of $P_a(x)$ are proved. For the cases of one or two $\GF{Q}$-zeros, we provide explicit expressions for these rational zeros in terms of $a$. For the case of $p^{\gcd(n, k)}+1$ rational zeros, we provide a parametrization of such $a$'s and express the $p^{\gcd(n, k)}+1$ rational zeros by using that parametrization.

We show that many symmetric cryptography primitives would not be less safe with significantly fewer rounds. To support this claim, we review the cryptanalysis progress in the last 20 years, examine the reasons behind the current number of rounds, and analyze the risk of doing fewer rounds. Advocating a rational and scientific approach to round numbers selection, we propose revised number of rounds for AES, BLAKE2, ChaCha, and SHA-3, which offer more consistent security margins across primitives and make them much faster, without increasing the security risk.

Almost perfect nonlinear (APN) and almost bent (AB) functions are integral components of modern block ciphers and play a fundamental role in symmetric cryptography. In this paper, we describe a procedure for searching for quadratic APN functions with coefficients in GF(2) over the finite fields GF(2^n) and apply this procedure to classify all such functions over GF(2^n) with n up to 9. We discover two new APN functions (which are also AB) over GF(2^9) that are CCZ-inequivalent to any known APN function over this field. We also verify that there are no quadratic APN functions with coefficients in GF(2) over GF(2^n) with n between 6 and 8 other than the currently known ones.

In 2017, Ward Beullens et al. submitted Lifted Unbalanced Oil and Vinegar (LUOV), a signature scheme based on the famous multivariate public key cryptosystem (MPKC) called Unbalanced Oil and Vinegar (UOV), to NIST for the competition for post-quantum public key scheme standardization. The defining feature of LUOV is that, though the public key $\mathcal{P}$ works in the extension field of degree $r$ of $\mathbb{F}_2$, the coefficients of $\mathcal{P}$ come from $\mathbb{F}_2$. This is done to significantly reduce the size of $\mathcal{P}$. The LUOV scheme is now in the second round of the NIST PQC standardization process. In this paper we introduce a new attack on LUOV. It exploits the "lifted" structure of LUOV to reduce direct attacks on it to those over a subfield.

While end-to-end encryption protocols with strong security are known and widely used in practice, designing a protocol that scales efficiently to large groups and enjoys similar security guarantees remains an open problem. The only known approaches to date are ART (Cohn-Gordon et al., CCS18) and TreeKEM (IETF, The Messaging Layer Security Protocol, draft). ART enjoys a security proof, albeit with a superexponential bound, and is not dynamic enough for practical purposes. TreeKEM has not been proven secure at this point and can suffer some efficiency issues due to dynamic group operations (i.e. adding and removing users). As a first contribution we present a variant of TreeKEM, that we call Tainted TreeKEM, which can be more efficient than TreeKEM depending on the distribution of add and remove operations. Our second contribution is a security proof for Tainted TreeKEM (and also TreeKEM) with a meaningful security bound against active and adaptive adversaries, showing that the protocol supports post compromise security and forward security. Concretely, we achieve an only slightly superpolynomial security loss of q^{\log\log(n)}, where n is the group size and q the total number of (update/remove/invite) operations.