International Association
for Cryptologic Research

Approximate fully homomorphic encryption (FHE) schemes such as the CKKS scheme (Asiacrypt '17) are popular in practice due to their efficiency and utility for machine learning applications. Unfortunately, Li and Micciancio (Eurocrypt, '21) showed that, while achieving standard semantic (or $\mathsf{IND}\mbox{-}\mathsf{CPA}$ security), the CKKS scheme is broken under a variant security notion known as $\mathsf{IND}\mbox{-}\mathsf{CPA}^D$. Subsequently, Li, Micciancio, Schultz, and Sorrell (Crypto '22) proved the security of the CKKS scheme with a noise-flooding countermeasure, which adds Gaussian noise of sufficiently high variance before outputting the decrypted value. However, the variance required for provable security is very high, inducing a large loss in message precision.

In this work, we ask whether there is an intermediate noise-flooding level, which may not be provably secure, but allows to maintain the performance of the scheme, while resisting known attacks. We analyze the security with respect to different adversarial models and various types of attacks.

We investigate the effectiveness of lattice reduction attacks, guessing attacks and hybrid attacks with noise-flooding with variance $\rho^2_{\mathsf{circ}}$, the variance of the noise already present in the ciphertext as estimated by an average-case analysis, $100\cdot \rho^2_{\mathsf{circ}}$, and $t\cdot \rho^2_{\mathsf{circ}}$, where $t$ is the number of decryption queries. For noise levels of $\rho^2_{\mathsf{circ}}$ and $100\cdot \rho^2_{\mathsf{circ}}$, we find that a full guessing attack is feasible for all parameter sets and circuit types. We find that a lattice reduction attack is the most effective attack for noise-flooding level $t\cdot \rho^2_{\mathsf{circ}}$, but it only induces at most a several bit reduction in the security level.

Due to the large dimension and modulus in typical FHE parameter sets, previous techniques even for estimating the concrete security of these attacks -- such as those in (Dachman-Soled, Ducas, Gong, Rossi, Crypto '20) -- become computationally infeasible, since they involve high dimensional and high precision matrix multiplication and inversion. We therefore develop new techniques that allow us to perform fast security estimation, even for FHE-size parameter sets.

Hardening microprocessors against side-channel attacks is a critical aspect of ensuring their security. A key step in this process is identifying and mitigating “leaky” hardware modules, which inadvertently leak information during the execution of cryptographic algorithms. In this paper, we explore how different leakage detection methods, the Side-channel Vulnerability Factor (SVF) and the Test Vector Leakage Assessment (TVLA), contribute to hardening of microprocessors. We conduct experiments on two RISC-V cores, SHAKTI and Ibex, using two cryptographic algorithms, SHA-3 and AES. Our findings suggest that SVF and TVLA can provide valuable insights into identifying leaky modules. However, the effectiveness of these methods can vary depending on the specific core and cryptographic algorithm in use. We conclude that the choice of leakage detection method should be based not only on computational cost but also on the specific requirements of the system and the nature of the potential threats. Our research contributes to developing more secure microprocessors that are robust against side-channel attacks.

A Boolean function with good cryptographic properties over a set of vectors with constant Hamming weight is significant for stream ciphers like FLIP [MJSC16]. This paper presents a construction weightwise almost perfectly balanced (WAPB) Boolean functions by perturbing the support vectors of a highly nonlinear function in the construction presented in [DM]. As a result, the nonlinearity and weightwise nonlinearities of the modified functions improve substantially.

Linkable ring signatures are an important cryptographic primitive for anonymized applications, such as e-voting, e-cash and confidential transactions. To eliminate backdoor and overhead in trusted setup, transparent setup in the discrete logarithm or pairing settings has received considerable attention in practice. Recent advances have improved the proof sizes and verification efficiency of linkable ring signatures with transparent setup to achieve logarithmic bounds. Omniring (CCS `19) and RingCT 3.0 (FC `20) proposed linkable ring signatures in the discrete logarithm setting with logarithmic proof sizes with respect to the ring size, whereas DualDory (ESORICS `22) achieves logarithmic verifiability in the pairing setting. We make three novel contributions in this paper to improve the efficiency and soundness of logarithmic linkable ring signatures: (1) We report an attack on DualDory that breaks its linkability. (2) To eliminate such attacks, we present a new linkable ring signature scheme in the pairing setting with logarithmic verifiability. (3) We improve the verification efficiency of linkable ring signatures in the discrete logarithm setting, by a technique of reducing the number of group exponentiations for verification in Omniring by 50%. Furthermore, our technique is applicable to general inner-product relation proofs, which might be of independent interest. Finally, we empirically evaluate our schemes and compare them with the extant linkable ring signatures in concrete implementation.

A junior professor position entitled « Mathematics: cryptography, algebra, geometry » is open for competition at the university of Rennes. The recruited person will join the « Géométrie et Algèbre Effectives » team at IRMAR. This position is aimed at doctorate holders, including experienced post-docs and colleagues already in post (lecturers, associate professor, ...). It is a 4 years tenure track leading to a full professor position. Applications will be open from April 16 to May 17 More details, including teaching and research profiles, will be available on https://www.galaxie.enseignementsup-recherche.gouv.fr/ensup/cand_CPJ.htm in the coming days. Do not hesitate to contact us if you have any questions.

Closing date for applications:

Contact: Sylvain Duquesne

The research group for Cryptographic Protocols located at the University of Luxembourg and the KASTEL Security Research Labs (Germany) is looking for a PhD student working on cryptographic primitives and protocols enabling privacy, accountability, and transparency. A background in provable security (e.g., successfully attended courses or a master’s thesis on the subject) is expected.

The candidate will be based at the University of Luxembourg but also profit from regular visits at and joint research projects with the KASTEL Security Research Labs.

The candidate’s research will be dealing with privacy-preserving cryptographic building blocks and protocols for important application scenarios and result in both theoretical contributions (protocol designs, security models and proofs, etc.) and their efficient implementation. Privacy-preserving payments and data analytics, misuse-resistant lawful interception, and anonymous communication are research topics of particular interest to us.

If you are interested in joining our group, please send an email including your CV, transcripts, and two references to andy.rupp@uni.lu. As the position should be filled as soon as possible, your application will be considered promptly.

Closing date for applications:

Contact: Andy Rupp (andy.rupp@uni.lu)

More information: https://www.uni.lu/fstm-en/research-groups/cryptographic-protocols-crypo/

Event date: 5 August to 9 August 2024

Event date: 22 October to 26 October 2024
Submission deadline: 5 May 2024
Notification: 12 July 2024

Event date: 20 June to 21 June 2024
Submission deadline: 1 May 2024
Notification: 17 May 2024

The Department of Electrical and Information Technology at LTH is recruiting an Assistant Professor in Computer Security.

The position is funded within the framework of a special initiative on cybersecurity from the Wallenberg AI, Autonomous Systems and Software Program. This means that, in addition to funding for the Assistant Lecturer position, full funding is provided for doctoral positions associated with the new position. The new Assistant Lecturer is expected to actively participate in the supervision of these doctoral students and, once docent competence is achieved, take on the main supervisory role. Additionally, funding is provided for two postdoctoral positions for two years each within the employment. The new Assistant Lecturer is expected to be responsible for developing profiles and recruiting for these two positions.
The subject of the position encompasses methods and principles for protecting data in safety-critical applications, as well as protection against overload attacks and the maintenance of personal privacy. There are significant challenges in researching how machine learning can be used to attack traditional computer systems, but also to create new principles for protecting systems, making them more robust, and, not least, automating security architectures and protection systems.
Work duties include:
- Research within the subject area,
- Teaching in the first, second and third cycles of studies,
- Supervision of degree projects and doctoral students,
- Actively seeking external research funding,
- Collaboration with industry and wider society.
- Recruitment of researchers and building up a research group,
- Administration related to the work duties listed above.

Closing date for applications:

Contact: Christian Gehrmann, christian.gehrmann@eit.lth.se

More information: https://lu.varbi.com/en/what:job/jobID:688687/

Quantstamp is looking for an applied cryptographer. Quantstamp often deals with a wide range of cryptographic problems, including reviewing implementations and tackling new theoretical problems using cryptography. For example, Quantstamp regularly receives requests to review code bases which either invoke or implement (custom) cryptography, as part of an audit.

Required

Mastery of at least one zk-SNARK/zk-STARK proof system, or a strong enough technical background to understand one (and this should have some direct connection to cryptography)

Ability to code and develop software. You should have experience with at least one major language, like Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and a familiarity with algorithms and data structures.

Ability to read and interpret academic papers

Ability to communicate ideas

Partial availability (2-6h) during EST work hours

Familiarity with existing ZK Rollup designs and multiple ZK proof systems

Knowledge of software development in Solidity, including testing and various development frameworks like Hardhat

Familiarity with blockchain ecosystems, particularly Ethereum

Familiarity with Circom for writing zero knowledge circuits

Closing date for applications:

Contact: candidate-upload-to-job-N7wnRj36Krf2zX@inbox.ashbyhq.com

More information: https://quantstamp.com/careers

We demonstrate that under believable cryptographic hardness assumptions, Gap versions of standard meta-complexity problems, such as the Minimum Circuit Size problem (MCSP) and the Minimum Time-Bounded Kolmogorov Complexity problem (MKTP) are not NP-complete w.r.t. Levin (i.e., witness-preserving many-to-one) reductions.

In more detail: - Assuming the existence of indistinguishability obfuscation, and subexponentially-secure one-way functions, an appropriate Gap version of MCSP is not NP-complete under randomized Levin-reductions. - Assuming the existence of subexponentially-secure indistinguishability obfuscation, subexponentially-secure one-way functions and injective PRGs, an appropriate Gap version of MKTP is not NP-complete under randomized Levin-reductions.

Evolving secret-sharing schemes, defined by Komargodski, Naor, and Yogev [TCC 2016B, IEEE Trans. on Info. Theory 2018], are secret-sharing schemes in which there is no a-priory bound on the number of parties. In such schemes, parties arrive one by one; when a party arrives, the dealer gives it a share and cannot update this share in later stages. The requirement is that some predefined sets (called authorized sets) should be able to reconstruct the secret, while other sets should learn no information on the secret. The collection of authorized sets that can reconstruct the secret is called an evolving access structure. The challenge of the dealer is to be able to give short shares to the the current parties without knowing how many parties will arrive in the future. The requirement that the dealer cannot update shares is designed to prevent expensive updates. Komargodski et al. constructed an evolving secret-sharing scheme for every monotone evolving access structure; the share size of the $t^{\text{th}}$ party in this scheme is $2^{t-1}$. Recently, Mazor [ITC 2023] proved that evolving secret-sharing schemes require exponentially-long shares for some evolving access structure, namely shares of size $2^{t-o(t)}$.In light of these results, our goal is to construct evolving secret-sharing schemes with non-trivial share size for wide classes of evolving access structures; e.g., schemes with share size $2^{ct}$ for $c<1$ or even polynomial size. We provide several results achieving this goal: -We define layered infinite branching programs representing evolving access structures, show how to transform them into generalized infinite decision trees, and show how to construct evolving secret-sharing schemes for generalized infinite decision trees. Combining these steps, we get a secret-sharing scheme realizing the evolving access structure. As an application of this framework, we construct an evolving secret-sharing scheme with non-trivial share size for access structures that can be represented by layered infinite branching programs with width at layer $t$ of at most $2^{0.15t}$. If the width is polynomial, then we get an evolving secret-sharing scheme with quasi-polynomial share size. -We construct efficient evolving secret-sharing schemes for dynamic-threshold access structures with high dynamic-threshold and for infinite $2$ slice and $3$-slice access structures. The share size of the $t^{\text{th}}$ party in these schemes is $2^{\tilde{O}((\log t)^{1/\sqrt{2}+\epsilon})}$ for any constant $\epsilon>0$, which is comparable to the best-known share size of $2^{\tilde{O}((\log t)^{1/2}))}$ for finite $2$-slice and 3-slice access structures. -We prove lower bounds on the share size of evolving secret-sharing schemes for infinite $k$-hypergraph access structures and for infinite directed st-connectivity access structures. As a by-product of the lower bounds, we provide the first non-trivial lower bound for finite directed st-connectivity access structures for general secret-sharing schemes.

We introduce a blockchain Fair Data Exchange (FDE) protocol, enabling a storage server to transfer a data file to a client atomically: the client receives the file if and only if the server receives an agreed-upon payment. We put forth a new definition for a cryptographic scheme that we name verifiable encryption under committed key (VECK), and we propose two instantiations for this scheme. Our protocol relies on a blockchain to enforce the atomicity of the exchange and uses VECK to ensure that the client receives the correct data (matching an agreed-upon commitment) before releasing the payment for the decrypting key. Our protocol is trust-minimized and requires only constant-sized on-chain communication, concretely $3$ signatures, $1$ verification key, and $1$ secret key, with most of the data stored and communicated off-chain. It also supports exchanging only a subset of the data, can amortize the server's work across multiple clients, and offers a general framework to design alternative FDE protocols using different commitment schemes. A prominent application of our protocol is the Danksharding data availability scheme on Ethereum, which commits to data via KZG polynomial commitments. We also provide an open-source implementation for our protocol with both instantiations for VECK, demonstrating our protocol's efficiency and practicality on Ethereum.

Fully homomorphic encryption (FHE) has attracted much attention recently. Chinese remainder representation (CRR) or RNS representation is one of the core technologies of FHE. CRR basis conversion is a key step of KeySwitching procedure. Bajard et al. proposed a fast basis conversion method for CRR basis conversion, but the elimination of error had to be ignored. Halevi et al. suggested a method using floating-point arithmetic to avoid errors, but floating-point arithmetic has its own issues such as low efficiency and complex chip design. In this work, we establish a more concise and efficient CRR basis conversion method by observing that each of the ciphertext modulus selected by the CRR CKKS scheme is very close to an integer that is a power of 2. Our conversion algorithm eliminates errors and involves only integer arithmetic and bit operations. The proof of correctness of our algorithm is given. Extensive experiments are conducted and comparisons between the method of Halevi et al. and ours are obtained, which show that our method has the same accuracy and a slightly better effeciency. Our method is also applicable to the CRR variant of BGV and BFV schemes, and can be used to simplify chip design.

We present a framework for building efficient folding-based SNARKs. First we develop a new "uniformizing" compiler for NP statements that converts any poly-time computation to a sequence of identical simple steps. The resulting uniform computation is especially well-suited to be processed by a folding-based IVC scheme. Second, we develop two optimizations to folding-based IVC. The first reduces the recursive overhead of the IVC by restructuring the relation to which folding is applied. The second employs a "commit-and-fold" strategy to further simplify the relation. Together, these optimizations result in a folding-based SNARK that has a number of attractive features. First, the scheme uses a constant-size transparent common reference string (CRS). Second, the prover has (i) low memory footprint, (ii) makes only two passes over the data, (iii) is highly parallelizable, and (iv) is concretely efficient. Microbenchmarks indicate proving time is comparable to leading monolithic SNARKs, and is significantly faster than other streaming SNARKs. On a laptop, for $2^{24}$ ($2^{32}$) gates, the Mangrove prover is estimated to take $2$ minutes ($8$ hours) with peak memory usage approximately $390$ MB ($800$ MB).

Event date: 26 August to 30 August 2024

Event date: 6 July to 11 July 2025
Submission deadline: 13 September 2024
Notification: 23 October 2024

In the linear garbling model introduced by Zahur, Rosulek, and Evans (Eurocrypt 2015), garbling an AND gate requires at least \(2\kappa\) bits of ciphertext, where $\kappa$ is the security parameter. Though subsequent works, including those by Rosulek and Roy (Crypto 2021) and Acharya et al. (ACNS 2023), have advanced beyond these linear constraints, a more comprehensive design framework is yet to be developed.

Our work offers a novel, unified, and arguably simple perspective on garbled circuits. We introduce a hierarchy of models that captures all existing practical garbling schemes. By determining the lower bounds for these models, we elucidate the capabilities and limits of each. Notably, our findings suggest that simply integrating a nonlinear processing function or probabilistic considerations does not break the \(2\kappa\) lower bound by Zahur, Rosulek, and Evans. However, by incorporating column correlations, the bound can be reduced to \((1+1/w)\kappa\), where \(w\ge 1\). Additionally, we demonstrate that a straightforward extension of Rosulek and Roy's technique (Crypto 2021) does not yield improved results. We also present a methodology for crafting new models and for exploring further extensions of both the new and the existing models.

Our new models set the course for future designs. We introduce three innovative garbling schemes based on a common principle called ``majority voting.'' The third construction performs on par with the state-of-the-art.

Sponge hashing is a novel class of cryptographic hash algorithms which underlies the current international hash function standard SHA-3. In a nutshell, a sponge function takes as input a bit-stream of any length and processes it via a simple iterative procedure: it repeatedly feeds each block of the input into a so-called block function, and then produces a short digest which consists of a subset of the final output bits. While much is known about the post-quantum security of the sponge construction in the case when the block function is modeled as a random function or permutation, the case of invertible permutations, which more accurately models the construction underlying SHA-3, has so far remained a fundamental open problem.

In this work, we make new progress towards overcoming this barrier and show several results. First, we prove the ``double-sided zero-search'' conjecture proposed by Unruh (eprint' 2021) and show that finding zero-pairs in a random $2n$-bit permutation requires at least $\Omega(2^{n/2})$ many queries---and this is tight due to Grover's algorithm. At the core of our proof lies a novel ``symmetrization argument'' which uses insights from the theory of Young subgroups. Second, we consider more general variants of the double-sided search problem and show similar query lower bounds for them. As an application, we prove the quantum one-wayness of the single-round sponge with invertible permutations in the quantum random oracle model.