International Association
for Cryptologic Research

This work is dedicated to APN and AB functions which are optimal against differential and linear cryptanlysis when used as S-boxes in block ciphers. They also have numerous applications in other branches of mathematics and information theory such as coding theory, sequence design, combinatorics, algebra and projective geometry. In this paper we give an overview of known constructions of APN and AB functions, in particular, those leading to infinite classes of these functions. Among them, the bivariate construction method, the idea first introduced in 2011 by the third author of the present paper, turned out to be one of the most fruitful. It has been known since 2011 that one of the families derived from the bivariate construction contains the infinite families derived by Dillon's hexanomial method. Whether the former family is larger than the ones it contains has stayed an open problem which we solve in this paper. Further we consider the general bivariate construction from 2013 by the third author and study its relation to the recently found infinite families of bivariate APN functions.

Cloud storage is becoming increasingly popular among end users that outsource their personal data to services such as Dropbox or Google Drive. For security, uploaded data should ideally be encrypted under a key that is controlled and only known by the user. Current solutions that support user-centric encryption either require the user to manage strong cryptographic keys, or derive keys from weak passwords. While the former has massive usability issues and requires secure storage by the user, the latter approach is more convenient but offers only little security. The recent concept of password-authenticated secret-sharing (PASS) enables users to securely derive strong keys from weak passwords by leveraging a distributed server setup, and has been considered a promising step towards secure and usable encryption. However, using PASS for encryption is not as suitable as originally thought: it only considers the (re)construction of a \emph{single}, static key -- whereas practical encryption will require the management of \emph{many}, object-specific keys. Using a dedicated PASS instance for every key makes the solution vulnerable against online attacks, inherently leaks access patterns to the servers and poses the risk of permanent data loss when an incorrect password is used at encryption. We therefore propose a new protocol that directly targets the problem of boostrapping encryption from a single password: distributed password-authenticated symmetric key encryption DPASE.

DPASE offers strong security and usability, such as protecting the user's password against online and offline attacks, and ensuring message privacy and ciphertext integrity as long as at least one server is honest. We formally define the desired security properties in the UC framework and propose a provably secure instantiation. The core of our protocol is a new type of OPRF that allows to extend a previous partially-blind-query with a follow-up request and will be used to blindly carry over passwords across evaluations and avoid online attacks. Our (proof-of-concept) implementation of DPASE uses $10$ exponentiations at the user, $4$ exponentiations and $2$ pairings at each server, takes $105.58$ ms to run with $2$ servers and has a server throughput of $40$ encryptions per second.

In this paper, we study the effect of two modifications to multivariate public key encryption schemes: internal perturbation (ip), and Q_+. Focusing on the Dob encryption scheme, a construction utilising these modifications, we accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree five. The predictions remain accurate even when fixing variables. Based on this new theory we design a novel attack on the Dob encryption scheme, which breaks Dob using the parameters suggested by its designers. While our work primarily focuses on the Dob encryption scheme, we also believe that the presented techniques will be of particular interest to the analysis of other big-field schemes.

Decentralized cryptocurrencies still suffer from three interrelated weaknesses: Low transaction rates, high transaction fees, and long confirmation times. Payment Channels promise to be a solution to these issues, and many constructions for real-life cryptocurrencies, such as Bitcoin, are known. Somewhat surprisingly, no such solution is known for Monero, the largest privacy-preserving cryptocurrency, without requiring system-wide changes like a hard-fork of its blockchain.

In this work, we close this gap by presenting \textsc{PayMo}, the first payment channel protocol that is fully compatible with Monero. \textsc{PayMo} does not require any modification of Monero and can be readily used to perform off-chain payments. Notably, transactions in \textsc{PayMo} are identical to standard transactions in Monero, therefore not hampering the coins' fungibility. Using \textsc{PayMo}, we also construct the first fully compatible secure atomic-swap protocol for Monero: One can now securely swap a token of Monero with a token of several major cryptocurrencies such as Bitcoin, Ethereum, Ripple, Cardano, etc. Before our work, it was not known how to implement secure atomic swaps protocols for Monero without forcing a hard fork. Our main technical contribution is a new construction of an efficient verifiable timed linkable ring signature, where signatures can be hidden for a pre-determined amount of time, in a verifiable way. Our scheme is fully compatible with the transaction scheme of Monero and it might be of independent interest. We implemented \textsc{PayMo} and our results show that, even with high network latency and with a single CPU core, two regular users can perform up to 93500 payments over a span of 2 minutes (the block production rate of Monero). This is approximately five orders of magnitude improvement over the current payment rate of Monero.

Nowadays, virtually all products and services offered by financial institutions are backed by technology. While the frontend banking services seem to be simple, the core-banking backend systems and architecture are complex and often based on legacy technologies. Customer-facing applications and services are evolving rapidly, yet they have data dependencies on core banking systems running on ancient technology standards.

While those legacy systems are preferred for their stability, reliability, availability, and security properties, in adapting the frontends and services many security and privacy issues can occur. Clearly, this issues are arising as those systems have been designed decades ago, without considering the enormous amounts of data that they are required to handle and also considering different threat scenarios. Moreover, the trend towards using new technologies such as Distributed Ledger Technologies (DLT) has also emerged in the financial sector. As the nodes in DLT systems are decentralized, additional security threats come to light.

The focus of this work is the security of financial technologies in the FinTech domain. We provide relevant categorization and taxonomies for a better understanding of the main cyber-attack types, and suitable countermeasures. Our findings are supported by using security-by-design principles for some selected critical financial use-cases, and include a detailed discussion of the resulting threats, attack vectors and security recommendations.

To further strengthen and complement the expertise in our group, we are looking for outstanding researchers and teachers in the area of computer security. We have three faculty openings at the Assistant Professor, Associate Professor or Full Professor level (depending on the candidates, different combinations are possible). Possible focus areas for these positions include, but are not limited to, systems security, network security, hardware security, security analysis, usability of security, cryptography, formal methods in security, and privacy-enhancing technologies.

In the Master's programme in Computing Science our group is responsible for the specialisation in cybersecurity, and together with the Data Science group we are setting up a joint specialisation in cybersecurity and artificial intelligence (AI). As we seek to broaden our field of expertise, we especially encourage candidates in computer security disciplines outside the field of cryptography and those with expertise in both computer security and AI to apply. In view of our group's current gender balance, we strongly encourage qualified women to apply.

As we have multiple positions at different seniority levels available, the required qualifications for each of the three levels are different.

You will be appointed in the Digital Security Group at the Institute for Computing and Information Sciences (iCIS) of the Faculty of Science. The faculty is internationally renowned for the quality of its research. The Digital Security Group is one of the leading groups in computer security in the Netherlands and Europe, with, for example, 4 ERC grants in the last decade and strong involvement in European projects.

Closing date for applications:

Contact: Prof.dr.ir. Joan Daemen, joan@cs.ru.nl

More information: https://www.ru.nl/english/working-at/vacature/details-vacature/?recid=1132394&pad=%2fenglish&doel=embed&taal=uk

Intrinsic ID is an embedded security company, specializing in authentication technologies that protect Internet of Things devices and payment transactions; ensure safe connectivity; authenticate sensors and semiconductor chips; and protect sensitive military data & systems. Our approach is based on patented techniques in SRAM PUF.

Intrinsic ID currently has four open positions to expand its R&D team in Eindhoven and support the development of Intrinsic ID’s security solutions and products.

Positions:

• Hardware Design Engineer
• Hardware Verification Engineer
• Embedded Security Engineer
• Sr. Embedded Software Engineer / Architect

What we offer at Intrinsic ID:

• Competitive salary and benefits
• Career development opportunities in a fast-growing company
• Diverse and challenging problem-solving opportunities in a dynamic workplace
• An excellent working atmosphere
• The opportunity to be a part of a team with unparalleled experience in hardware and software security

Applications can be done directly on our website: https://www.intrinsic-id.com/company/careers

Closing date for applications:

Contact: Geert-Jan Schrijen, CTO (Geert.Jan.Schrijen@intrinsic-id.com)

More information: https://www.intrinsic-id.com/company/careers/

Monash University is ranked 55 in the QS 2021 world rankings and 64 in the Times HE 2021 world rankings. Monash University, Malaysia campus is recruiting 20 postdoc fellows in key areas including security/crypto+AI/ML: https://sites.google.com/monash.edu/postdoc/home High quality candidates who have a PhD, or are completing their PhD, are encouraged to apply. The candidate will join a team of security/AI researchers in collaboration with colleagues from the Australia campus. Current research directions including generative adversarial networks, adversarial machine learning, deepfakes, AI/ML for security. We also welcome crypto/security researchers looking to focus on crypto/security for/with AI/ML. Contact Professor Raphaël Phan for more details.

Closing date for applications:

Contact: Professor Raphaël Phan

More information: https://sites.google.com/monash.edu/postdoc/home

Event date: 23 July to 26 July 2021
Submission deadline: 1 February 2021
Notification: 15 April 2021

The registration for RWC 2021 (virtual) is now open at https://rwc.iacr.org/2021/registration.php
Attendance is free but attendees are required to pay the IACR membership fee for 2022 if they have not already paid it (USD 50 for regular attendees and USD 25 for student attendee).

The conference program is coming soon - talks will be roughly 4pm UTC - 7.30pm UTC on January 11-14.

A Postdoc position is available on the areas Cryptography and/or Blockchain. Candidates with interests in one or both areas are encouraged to apply.

The starting date can be anytime in Spring or Summer of 2021.

For more information and to apply please contact Prof. Foteini Baldimtsi at foteini@gmu.edu

Closing date for applications:

Contact: Foteini Baldimtsi

The 2020 election was held to fill three of nine IACR Director positions. 719 votes have been cast. The results are below, with elected candidates marked in bold:

Directors:
Masayuki Abe: 384
Britta Hale: 222
Tancrède Lepoint: 352
Emmanuel Thomé : 212
Moti Yung : 345

Congratulations to all elected members and thank to you all candidates for your contributions to the IACR and willingness to serve.

Election verification data can be found at https://vote.heliosvoting.org/helios/e/IACR2020Election.

Nextcloud provides a server side encryption feature that is implemented by the Default Encryption Module. This paper presents cryptographic vulnerabilities that existed within the Default Encryption Module as well as other shortcomings that still need to be addressed. The vulnerabilities allowed an attacker to break the provided confidentiality and integrity protection guarantees. There is a high risk that ownCloud also contains some of the issues presented in this paper as it still has cryptographic code in common with Nextcloud.

In this paper, we present a detailed study of the cost of the quantum key search attack using Grover. We consider the popular Feedback Shift Register (FSR) based ciphers Grain-128-AEAD, TinyJAMBU, LIZARD, and Grain-v1 considering the NIST's MAXDEPTH depth restriction. We design reversible quantum circuits for these ciphers and also provide the QISKIT implementations for estimating gate counts. Our results show that cryptanalysis is possible with gate count less than $2^{170}$. In this direction, we also study the scenario where initial keystreams may be discarded before using it for encryption so that the Grovers attack on key search becomes costly in terms of circuit repetition. Finally, we connect Grover with BSW sampling for stream ciphers with low sampling resistance. We implement this attack on LIZARD (secret key size of 120 bits, state 121 bits, and security equivalent to 80 bits) and successfully recover the internal states with $2^{40.5}$ queries to the cryptographic oracle and $ 2^{40} $ amount of data. Our results provide a clear view of the exact status of quantum cryptanalysis against FSR based symmetric ciphers.

Event date: 11 November to 15 June 2021
Submission deadline: 15 June 2021
Notification: 30 June 2021

Event date: 2 December to 3 December 2020

Event date: 26 July to 28 July 2021
Submission deadline: 15 February 2021
Notification: 12 April 2021

Typical approaches for minimizing the round complexity of multi-party computation (MPC) do so at the cost of increased communication complexity (CC) or reliance on setup assumptions. A notable exception is the recent work of Ananth et al. [TCC 2019], which used Functional Encryption (FE) combiners to obtain a round optimal (two-round) semi-honest MPC in the plain model with CC proportional to the depth and input-output length of the circuit being computed---we refer to such protocols as circuit scalable. This leaves open the question of obtaining communication efficient malicious security in the plain model which we answer in this work:

1) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-scalable maliciously secure MPC in the plain model, assuming a (succinct) FE combiner. By using our compiler with a round-optimal MPC, we derive the first round-optimal and circuit-scalable maliciously secure MPC in the plain model.

2) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-independent---i.e., with CC that depends only on the input-output length of the circuit---maliciously secure MPC in the plain model, assuming Multi-Key Fully-Homomorphic Encryption (MFHE). Again, by using this second compiler with a round-optimal MPC, we derive the first round-optimal and circuit-independent maliciously secure MPC in the plain model. This is the best to-date CC for a round-optimal malicious MPC protocol, which is even communication-optimal when the output size of the function being evaluated is smaller than its input size (e.g., for boolean functions).

Our compilers assume the existence of four-round maliciously secure oblivious transfer which can be obtained from standard cryptographic assumptions.

We describe a novel type of weak cryptographic private key that can exist in any discrete logarithm based public-key cryptosystem set in a group of prime order $p$ where $p-1$ has small divisors. Unlike the weak private keys based on numerical size (such as smaller private keys, or private keys lying in an interval) that will always exist in any DLP cryptosystems, our type of weak private keys occurs purely due to parameter choice of $p$, and hence, can be removed with appropriate value of $p$. Using the theory of implicit group representations, we present algorithms that can determine whether a key is weak, and if so, recover the private key from the corresponding public key. We analyze several elliptic curves proposed in the literature and in various standards, giving counts of the number of keys that can be broken with relatively small amounts of computation. Our results show that many of these curves, including some from standards, have a considerable number of such weak private keys. We also use our methods to show that none of the 14 outstanding Certicom Challenge problem instances are weak in our sense, up to a certain weakness bound.

In TCC 2017 Goyal and Goyal proposed the first -- and currently only-- construction of a publicly verifiable zero-knowledge  (pvZK) proof system that leverages a blockchain as a setup assumption. Such construction can be instantiated only through proof-of-stake blockchains and  presents a few more limitations and assumptions:   (1)  the adversary can only perform static corruption of the stakeholders,   (2) keys of the stakeholders must also allow for encryption, and  (3) honest stakeholders must never leak their secret keys  (even when no stake is left with respect to those keys).

In this work, we first show that, even if all the above limitations/assumptions hold,  a malicious verifier could still violate the zero-knowledge property by leveraging smart contracts. We show an  ``attack of the clones''  that allows a malicious verifier to clone some of the stakeholder capabilities via a smart contract that is designed after the proof is received from the prover. This leaves open the question of constructing publicly verifiable zero-knowledge proofs from blockchains. Moreover, it raises the issue of using blockchains as setup assumptions since they evolve over time and could even become unreliable in the future.   Then, we provide a publicly verifiable zero-knowledge proof system,  based on any blockchain (i.e., not only proof-of-stake) that, very roughly, satisfies the following unpredictability property.  Sufficiently many future honest blocks added to the blockchain contain a high min-entropy string in a specific location (e.g., a new wallet for cashing the mining reward). Our proof system is secure against a verifier/prover that can corrupt blockchain players adaptively. In particular,  it remains zero knowledge even if the blockchain eventually collapses and all blockchain players are controlled by the zero-knowledge adversary.