International Association
for Cryptologic Research

I am searching for outstanding Ph.D. candidates to start in the early months of 2023. The positions will be part of the Coding and Cryptography group at TU/e.

Possible topics fall into the field of provable security with a focus on the construction of efficient cryptographic building blocks and protocols, including

• (post-quantum) secure key exchange and messaging protocols and
  
• (post-quantum) secure digital signatures and public key encryption in realistic security models
  
• impossibility results/lower bounds for provably secure constructions.

The fully-funded positions offer exciting research in a highly international research environment. Candidates from outside of the Netherlands can be eligible for an additional tax reduction scheme.

Requirements:

• a Master's degree (or equivalent) with excellent grades in computer science, mathematics, or IT security.
  
• strong mathematical and/or algorithmic/theoretical CS background.
  
• good knowledge of cryptography and provable security.
  
• good written and verbal communication skills in English (Dutch is not required).

TU/e embraces diversity and inclusion. Therefore, people from all backgrounds are invited to apply, without regard to sex, gender, race, ethnicity, nationality, age, socioeconomic status, identity, visible or invisible disability, religion, or sexual orientation.

To apply, prepare a single PDF file that includes a CV with a course list and grades. The application deadline is December 15th, 2022.

Applications and questions can be directed to s.schage@tue.nl.

Closing date for applications:

Contact: Sven Schäge

More information: https://www.tue.nl/en/research/research-groups/mathematics/discrete-mathematics/coding-theory-and-cryptology/

The Department of Computer Science at the University of York has several PhD studentships available for exceptional Home (UK & Ireland) and Overseas students through the Doctoral Centre for Safe, Ethical and Secure Computing (SEtS).

The Cyber Security and Privacy Research Group at the Department calls for students who are interested in pursuing a PhD in the following topics:

• Security of New and Emerging Networks: including security of Internet of Things (IoT) devices and networks, security and safety in robotics and autonomous systems, security and safety of unmanned aerial vehicles (UAV), and security of underwater networks and communications,
• Usable Security and Privacy: Web measurement to analyse and combat web tracking, developing privacy-enhancing technologies. usable security and privacy, and human factors in cyber security and privacy,
• Applied Cryptography: Design and analysis of provably-secure cryptographic schemes and protocols, especially those that preserve or enhance privacy, and including but not limited to automated formal analysis and mechanisation of proofs of security protocols,
• Malware Analysis and Detection: including different types of malware, such as ransomware and spyware, malware targeting mobile platforms (e.g. Android) or industrial control systems and critical infrastructure,
• Machine Learning for IoT Security: Machine learning techniques for IoT behavioural fingerprinting and attack detection for network security, and
• Privacy-Preserving Machine Learning: Edge based machine learning systems such as federated learning, and how to quantify, control, and manage privacy in such systems.

The available projects are supervised by a combination of faculty members including Dr. Roberto Metere, Dr. Siamak F. Shahandashti, Dr. Vasileios Vasilakis, Dr. Yuchen Zhao, and Dr. Poonam Yadav.

For more information please visit https://docs.google.com/document/d/1VtrNtFG1zy54o0BzymHj56gY--YEw2ch3EG18gnb3Lc

Closing date for applications:

Contact: sets-csp-group@york.ac.uk

More information: https://docs.google.com/document/d/1VtrNtFG1zy54o0BzymHj56gY--YEw2ch3EG18gnb3Lc

The Department of Computer Science is a research-intensive department made up of over 70 academics delivering on-campus programmes to more than 800 students and online courses to over 1500 students. Our vision is to be internationally leading on education and research into engineering safe, ethical and secure computational systems.

The Department of Computer Science is recruiting up to six lecturers to support the development and delivery of our degree programmes at both undergraduate and postgraduate level. This would include the ability to teach across our general range of subjects as well as more specialist modules in their own research area. We are particularly seeking candidates who enhance our existing research groups. Candidates must be able to supervise projects in one or more of the following key areas: Cyber Security, Artificial Intelligence and Data Analysis. We would consider candidates with non-traditional academic backgrounds where they have significant experience of working with, or in, a safety-critical industry.

Closing date for applications:

Contact: For informal enquiries: please contact Prof. Iain Bate at iain.bate@york.ac.uk.

More information: https://jobs.york.ac.uk/vacancy/lecturers-505454.html

The post-quantum cryptography research group at the Department of Software Systems and Cybersecurity, Faculty of Information Technology, Monash University, Australia, has Ph.D. student scholarship openings for research projects funded by our Algorand Centre of Excellence ACE-SIP Program, including in particular the following areas:

1. Post-quantum cryptographic primitives and their practical applications in blockchain protocols.

2. Post-quantum Zero Knowledge Proof and SNARK protocols and their applications for privacy preserving blockchain transactions and smart contracts.

Students will have the opportunity to work in an excellent research environment and collaborate with experts in cryptography and blockchain systems, and with Algorand industry partners.

Monash University is among the leading universities in Australia and is located in Melbourne, ranked as Australia's most liveable city and among the most liveable cities in the world.

Applicants should have (or expected to complete in the next 12 months) a Masters or Honours equivalent qualification with a research thesis, with excellent grades in mathematics, theoretical computer science, cryptography, or closely related areas. They should have excellent English verbal and written communication skills. Programming experience and skills, especially in Sagemath/python/Magma and/or C/C++, are also highly desirable.

Closing date for applications:

Contact: To apply, email ron.steinfeld@monash.edu by 30 Nov 2022 with the subject “Algorand ACE PQC PhD Application” and attach a single pdf with cover letter stating research interests, CV (including qualifications with GPA grades, reference contact details), and ugrad and pgrad transcripts.

More information: http://ace-sip.org/

Hardware Security Research Labs (HECTOR) at North Carolina State University is seeking two PhD student to carry out the research in funded projects on side-channel security and fault injection attacks on cryptography and AI/ML hardware.

To apply for the position, please send the following to aaysu@ncsu.edu :
1) Your detailed CV.
2) Your relevant publications (or pending papers).

Applicants with MS and industry experience will be favored. The projects cover full tuition fee, benefits (including health insurance), and the typical annual stipend in my group is $30k-35k – exceptions can be made for outstanding applicants.

Closing date for applications:

Contact: Dr. Aydin Aysu (aaysu@ncsu.edu)

The application security and cryptography group at the Lucerne School of Information Technology in Rotkreuz, Switzerland has open positions for PhD students and research associates to work on applied cryptography and quantum information projects.

Doctoral Position in Cryptography & Quantum Information (https://recruitingapp-2678.umantis.com/Vacancies/2467/Description/1)

Senior Research Associate Cryptography and Quantum Information (https://recruitingapp-2678.umantis.com/Vacancies/2466/Description/1)

Senior Research Associate Security Software Engineer (https://recruitingapp-2678.umantis.com/Vacancies/2465/Description/1) Candidates should have a strong background in IT security and cryptography and/or good software engineering skills; knowledge in quantum information is advantageous.

Closing date for applications:

Contact: For questions contact Esther Hänggi; applications via the link in the main text

The cryptography group at University of Wuppertal in Germany is offering positions for Ph.D. students and postdoctoral researchers. Our group is working on various topics on the foundations of real-world cryptography.

We are looking for new team members with a strong background in cryptography, theoretical computer science, or mathematics and a very strong interest in topics such as (post-quantum secure) cryptographic protocols, concrete security of real-world cryptosystems, and the possibility and impossibility of formal security proofs for practical cryptosystems.

We offer positions in an active research group with a strong research orientation. All positions are fully funded and equipped with a competitive salary (100% E13), and will remain open until filled. The starting date can be arranged flexibly, in the period from spring to summer 2023.

The city of Wuppertal is centrally located and offers a wide range of attracttions at affordable living costs. Cities such as Cologne, Düsseldorf, Essen and the Ruhr area can be reached in under 30 minutes by public transportation. Wuppertal was listed as one of the 20 best places to visit by CNN Travel in 2020 (https://edition.cnn.com/travel/article/places-to-visit-2020/index.html).

Please contact Tibor Jager or the team members for further information on the positions, the group, or the environment.

Closing date for applications:

Contact: Tibor Jager

More information: https://itsc.uni-wuppertal.de/en/

We construct the most efficient (in the argument size and the verifier's computation) known falsifiable set (non-)membership NIZK $\Pi^*$, where the membership (resp., non-membership) argument consists of only $9$ (resp., $15$) group elements. It also has a universal CRS. $\Pi^*$ is based on the novel concept of determinantal accumulators. Determinantal primitives have a similar relation to recent pairing-based (non-succinct) NIZKs of Couteau and Hartmann (Crypto 2020) and Couteau et al. (CLPØ, Asiacrypt 2021) that structure-preserving primitives have to the NIZKs of Groth and Sahai. $\Pi^*$ is considerably more efficient than known falsifiable based set (non-)membership NIZKs. We also extend CLPØ by proposing efficient (non-succinct) set non-membership arguments for a large class of languages.

At CRYPTO 1994, Cramer, Damg{\aa}rd and Schoenmakers proposed a general method to construct proofs of knowledge (PoKs), especially for $k$-out-of-$n$ partial knowledge, of which relations can be expressed in disjunctive normal form (DNF). Since then, proofs of $k$-out-of-$n$ partial knowledge have attracted much attention and some efficient constructions have been proposed. However, many practical scenarios require efficient PoK protocols for partial knowledge in other forms.

In this paper, we mainly focus on PoK protocols for $k$-conjunctive normal form ($k$-CNF) relations, which have $n$ statements and can be expressed as follows: (i) $k$ statements constitute a clause via ``OR'' operations, and (ii) the relation consists of multiple clauses via ``AND'' operations. We propose an alternative Sigma protocol (called DAG-$\Sigma$ protocol) for $k$-CNF relations (in the discrete logarithm setting), by converting these relations to directed acyclic graphs (DAGs). Our DAG-$\Sigma$ protocol achieves less communication cost and smaller computational overhead compared with Cramer et al.'s general method.

Threshold ring signatures are digital signatures that allow $t$ parties to sign a message while hiding their identity in a larger set of $n$ users called ''ring''. Recently, Aranha et al. [PKC 2022] introduced the notion of \emph{extendable} threshold ring signatures (ETRS). ETRS allow one to update, in a non-interactive manner, a threshold ring signature on a certain message so that the updated signature has a greater threshold, and/or an augmented set of potential signers. An application of this primitive is anonymous count me in. A first signer creates a ring signature with a sufficiently large ring announcing a proposition in the signed message. After such cause becomes \emph{public}, other parties can anonymously decide to support that proposal by producing an updated signature. Crucially, such applications rely on partial signatures being posted on a \emph{publicly accessible} bulletin board since users may not know/trust each other.

In this paper, we first point out that even if anonymous count me in was suggested as an application of ETRS, the anonymity notion proposed in the previous work is insufficient in many application scenarios. Indeed, the existing notion guarantees anonymity only against adversaries who just see the last signature, and are not allowed to access the ''full evolution" of an ETRS. This is in stark contrast with applications where partial signatures are posted in a public bulletin board. We therefore propose stronger anonymity definitions and construct a new ETRS that satisfies such definitions. Interestingly, while satisfying stronger anonymity properties, our ETRS asymptotically improves on the two ETRS presented in prior work [PKC 2022] in terms of both time complexity and signature size. Our ETRS relies on extendable non-interactive witness-indistinguishable proof of knowledge (ENIWI PoK), a novel technical tool that we formalize and construct, and that may be of independent interest. We build our constructions from pairing groups under the SXDH assumption.

TinyJAMBU is one of the finalists in the NIST lightweight standardization competition. This paper presents full round practical zero-sum distinguishers on the keyed permutation used in TinyJAMBU. We propose a full round zero-sum distinguisher on the 128- and 192-bit key variants and a reduced round zero-sum distinguisher for the 256-bit key variant in the known-key settings. Our best known-key distinguisher works with $2^{16}$ data/time complexity on the full 128-bit version and with $2^{23}$ data/time complexity on the full 192-bit version. For the 256-bit ver- sion, we can distinguish 1152 rounds (out of 1280 rounds) in the known- key settings. In addition, we present the best zero-sum distinguishers in the secret-key settings: with complexity $2^{23}$ we can distinguish 544 rounds in the forward direction or 576 rounds in the backward direction. For finding the zero-sum distinguisher, we bound the algebraic degree of the TinyJAMBU permutation using the monomial prediction technique proposed by Hu et al. at ASIACRYPT 2020. We model the monomial prediction rule on TinyJAMBU in MILP and find upper bounds on the degree by computing the parity of the number of solutions.

Various systematic modifications of vectorial Boolean functions have been used for finding new previously unknown classes of S-boxes with good or even optimal differential uniformity and nonlinearity. Recently, a new method was proposed for modification a component of a bijective vectorial Boolean function by using a linear function. It was shown that the modified function remains bijective under the assumption that the inverse of the function admits a linear structure. A previously known construction of such a modification based on bijective Gold functions in odd dimension is a special case of this type of modification. In this paper, we show that the existence of a linear structure is necessary. Further, we consider replacement of a component of a bijective vectorial Boolean function in the general case. We prove that a permutation on $\mathbb{F}_2^n$ remains bijective if and only if the replacement is done by composing the permutation with an unbalanced Feistel transformation where the round function is any Boolean function on $\mathbb{F}_2^{n-1}$.

We present Baloo, the first protocol for lookup tables where the prover work is linear on the amount of lookups and independent of the size of the table. Baloo is built over the lookup arguments of Caulk and Caulk+, and the framework for linear relations of Rafols and Zapico. Our protocol supports commit-and-prove expansions: the prover selects the subtable containing the elements used in the lookup, that is unknown to the verifier, commits to it and later prove relation with the committed element. This feature makes Baloo especially suitable for prover input-ouput relations on hash functions, and in particular to instantiate the Ethereum Virtual Machine (EVM).

The existing works on privacy-preserving recommender systems based on homomorphic encryption do not filter top-k most relevant items on the server side. As a result, sending the encrypted rating vector for all items to the user retrieving the top-k items is necessary. This incurs significant computation and communication costs on the user side.

In this work, we employ private sorting at the server to reduce the user-side overheads. In private sorting, the values and corresponding positions of elements must remain private. We use an existing private sorting protocol by Foteini and Olga and tailor it to the privacy-preserving top-k recommendation applications. We enhance it to use secure bit decomposition in the private comparison routine of the protocol. This leads to a notable reduction in cost overheads of users as well as the servers, especially at the keyserver where the computation cost is reduced to half. The dataserver does not have to perform costly encryption and decryption operations. It performs computationally less expensive modular exponentiation operations. Since the private comparison operation contributes significantly to the overall cost overhead, making it efficient enhances the sorting protocol’s performance. Our security analysis concludes that the proposed scheme is as secure as the original protocol.

Fully Homomorphic Encryption (FHE) promises to secure our data on the untrusted cloud, while allowing arbitrary computations. Present research shows that while there are pos- sibilities of side channel exploitations on the client side targeting the encryption or key-generation processes, the encrypted data on the cloud is secure against practical attacks. The current paper shows that it is possible for adversaries to inject perturbations in the ciphertexts stored in the cloud to result in decryption errors. Most importantly, we highlight that when the client reports of such aberrations to the cloud service provider the complete secret key can be extracted in few attempts. Technically, this implies a break of the IND-CVA (Indistinguishability against Ciphertext Verification Attacks) security of the FHE schemes. The underlying core methodology of the attack is to exploit the dependence of the error in the ciphertexts to the timing of homomorphic computations. These correlations can lead to timing templates which when used in conjunction with the error- induced decryption errors as reported by the client can lead to an accurate estimation of the ciphertext errors. As the security of the underlying Learning with Errors (LWE) collapse with the leakage of the errors, the adversary is capable of ascertaining the secret keys. We demonstrate this attack on two well-known FHE libraries, namely FHEW and TFHE, where we need 7, 23 and 28 queries to the client for each error recovery respectively. We mounted full key recovery attack on TFHE (without and with bootstrapping) and FHEW with key sizes 630 and 500 bits with 1260, 703 and 1003 correct errors and 31948, 21273 and 9073 client queries respectively.

Voter registration is an essential part of almost any election process, and its security is a critical component of election security. Yet, despite notable compromises of voter registration systems, relatively little academic work has been devoted to securing voter registration systems, compared to research on other aspects of election security. In this paper, we present a systematic treatment of voter registration system security. We propose the first rigorous definitional framework for voter registration systems, describing the entities and core functionalities inherent in most voter registration systems, the jurisdictional policies that constrain specific implementations, and key security properties. Our definitions are configurable based on jurisdiction-specific parameters and policies. We provide a template for the structured presentation of detailed jurisdictional policy information, via a series of tables, and illustrate its application with detailed case studies of the voter registration systems of three U.S. states and Panama. Throughout our research, with the aim of realism and practical applicability, we consulted current and former U.S. election officials, civil society, and non-profits in the elections space. We conclude with a list of critical questions regarding voter registration security.

Consider the problem of securely identifying τ -heavy hitters, where given a set of client inputs, the goal is to identify those inputs which are held by at least τ clients in a privacy-preserving manner. Towards this, we design a novel system Vogue, whose key highlight in comparison to prior works, is that it ensures complete privacy and does not leak any information other than the heavy hitters. In doing so, Vogue aims to achieve as efficient a solution as possible. To showcase these efficiency improvements, we benchmark our solution and observe that it requires around 14 minutes to compute the heavy hitters for τ = 900 on 256-bit inputs when considering 400K clients. This is in contrast to the state of the art solution that requires over an hour for the same. In addition to the static input setting described above, Vogue also accounts for streaming inputs and provides a protocol that outperforms the state-of-the-art therein. The efficiency improvements witnessed while computing heavy hitters in both, the static and streaming input settings, are attributed to our new secure stable compaction protocol, whose round complexity is independent of the size of the input array to be compacted

A computational PIR scheme allows a client to privately query a database hosted on a single server without downloading the entire database. We introduce the notion of verifiable PIR (vPIR) where the server can convince the client that the database satisfies certain properties without additional rounds and while keeping the communication sub-linear. For example, the server can prove that the number of rows in the database that satisfy a predicate $P$ is exactly $n$.

We define security by modeling vPIR as an ideal functionality and following the real-ideal paradigm. Starting from a standard PIR scheme, we construct a vPIR scheme for any database property that can be verified by a machine that reads the database once and maintains a bounded size state between rows. We also construct vPIR with public verification based on LWE or on DLIN. The main technical hurdle is to demonstrate a simulator that extracts a long input from an adversary that sends a single short message.

Our vPIR constructions are based on the notion of batch argument for NP. As contribution of independent interest, we show that batch arguments are equivalent to quasi-arguments---a relaxation of SNARKs which is known to imply succinct argument for various sub-classes of NP.

In this paper, we show how to use the Matrix Code Equivalence (MCE) problem as a new basis to construct signature schemes. This extends previous work on using isomorphism problems for signature schemes, a trend that has recently emerged in post-quantum cryptography. Our new formulation leverages a more general problem and allows for smaller data sizes, achieving competitive performance and great flexibility. Using MCE, we construct a zero-knowledge protocol which we turn into a signature scheme named Matrix Equivalence Digital Signature (MEDS). We provide an initial choice of parameters for MEDS, tailored to NIST's Category 1 security level, yielding public keys as small as 2.7 kB and signatures ranging from 18.8 kB to just around 10 kB, along with a reference implementation in C.

This paper shows how to achieve quantum speed-up for multidimensional (zero correlation) linear and integral distinguishers. To understand post-quantum security of symmetric-key cryptosystems, it is important to study how much quantum speed-up we can obtain for classical cryptanalytic techniques such as differential, linear, and integral cryptanalysis. A previous work by Kaplan et al. already showed a quantum quadratic speed-up for one-dimensional linear distinguishers, but it is unclear how to extend their technique to multidimensional linear distinguishers. To remedy this, we investigate how to speed-up multidimensional linear distinguishers in the quantum setting. Firstly, we observe that there is a close relationship between the subroutine of Simon's algorithm and linear correlations via Fourier transform, and a slightly modified version of Simon's subroutine can be used to speed-up multidimensional linear distinguishers. The modified Simon's subroutine also leads to speed-ups for multidimensional zero correlation and some integral distinguishers. Surprisingly, our technique achieves more-than-quadratic speed-ups for some special types of integral distinguishers. This is because the modified Simon's subroutine can exploit the existence of multiple multidimensional zero correlation linear approximations. Our attacks are the first examples achieving such speed-up on classical cryptanalytic techniques without relying on any algebraic structures such as hidden periods or shifts. The speed-ups for multidimensional (zero correlation) linear distinguishers are at-most-quadratic, and all of our attacks require quantum superposition queries.