International Association
for Cryptologic Research

Fair data trading online is a challenging task when there is mistrust between data providers and data collectors. The trust issue leads to an unsolvable situation where the data collector is unwilling to pay until she receives the data while the data provider will not send the data unless she receives the payment. The traditional solutions toward fair data trading rely on the trust-third party. After the emergence of the blockchain, many researchers use a smart contract on blockchain as a trust-less third party to address the mistrust deadlock. However, involving a smart contract in the protocol inevitably exposes some information to the public if the smart contract is on public blockchain cryptocurrency systems. We observe that the existing fair data trading protocols do not take privacy into account, which, for instance, is critical when trading the sensitive data or the players simply do not want to leak any information about the tradings on the public blockchain. In this paper, we construct a fair trading protocol based on a smart contract that provides better privacy to the participants. We introduce new security notions for privacy-preserving blockchain-based fair data trading protocol and prove our protocol is secure under our new notions. Furthermore, we give a prototype implementation on Ethereum smart contract.

Event date: 25 July to 28 July 2022

Simula UiB (http://simula-uib.com) in Bergen, Norway, has a 4-year PhD position available in the field of cryptography. PhD students at Simula UiB enjoy an inclusive working environment with competitive salaries.

Job description

The PhD student we are looking for is eager to dive deeper into selected research topics in cryptography. The supervisor for this position is Chief Research Scientist Håvard Raddum, and the possible research areas of interest are: cryptanalysis of crypto primitives, fully homomorphic encryption with applications, or lattice-based cryptography. This list is not exhaustive, other topics will also be considered. The job consists of doing research on a daily basis, moving the research front on one or a few selected areas. Writing research papers and presenting them is an important part of the position. All research will be done with the aim of the student obtaining a PhD degree. The candidate will receive the PhD degree from the University of Bergen. 25% of the 4-year period is compulsory work related to the PhD student’s research area. Examples of compulsory work are teaching courses, outreach, applied research experiments, etc.

Closing date for applications:

Contact: Håvard Raddum - email: haavardr@simula.no. For administrative enquiries, contact bergen@simula.no.

More information: https://www.simula.no/about/job/call-phd-student-cryptography

Supersingular isogeny Diffie-Hellman (SIDH) is attractive for small public key size, but it is still unsatisfactory due to its efficiency, compared to other post-quantum proposals. In this paper, we focus on the performance of SIDH when the starting curve is $E_6:y^2=x^3+6x^2+x$, which is fixed in Round-3 SIKE implementation. We present several tricks to accelerate key generation of SIDH by precomputing few elements in the base field. We also point out that the main ideas of Costello et al. and Faz-Hern\'andez et al. to improve the ladder performance of SIDH, of which the starting curve is $E_0:y^2=x^3+x$, could be still utilized for the current SIDH protocol.

A recent work of Benhamouda and Lin (TCC~'20) identified a dream version of secure multiparty computation (MPC), termed **Multiparty reusable Non-Interactive Secure Computation** (MrNISC), that combines at the same time several fundamental aspects of secure computation with standard simulation security into one primitive: round-optimality, succinctness, concurrency, and adaptivity. In more detail, MrNISC is essentially a two-round MPC protocol where the first round of messages serves as a reusable commitment to the private inputs of participating parties. Using these commitments, any subset of parties can later compute any function of their choice on their respective inputs by broadcasting one message each. Anyone who sees these parties' commitments and evaluation messages (even an outside observer) can learn the function output and nothing else. Importantly, the input commitments can be computed without knowing anything about other participating parties (neither their identities nor their number) and they are reusable across any number of computations.

By now, there are several known MrNISC protocols from either (bilinear) group-based assumptions or from LWE. They all satisfy semi-malicious security (in the plain model) and require trusted setup assumptions in order to get malicious security. We are interested in maliciously secure MrNISC protocols **in the plain model, without trusted setup**. Since the standard notion of polynomial simulation is un-achievable in less than four rounds, we focus on MrNISC with **super-polynomial**-time simulation (SPS).

Our main result is the first maliciously secure SPS MrNISC in the plain model. The result is obtained by generically compiling any semi-malicious MrNISC and the security of our compiler relies on several well-founded assumptions, including an indistinguishability obfuscator and a time-lock puzzle (all of which need to be sub-exponentially hard). As a special case we also obtain the first 2-round maliciously secure SPS MPC based on well-founded assumptions. This MPC is also concurrently self-composable and its first message is short (i.e., its size is independent of the number of the participating parties) and reusable throughout any number of computations.

A ring signature is a signature scheme that provides the authenticity of a message anonymously. In this paper, we first present a post-quantum sigma protocol for a ring that relies on the supersingular isogeny-based interactive zero-knowledge identification scheme proposed by De Feo, Jao, and Plût in 2014. We prove the correctness, 2-special soundness, and honest-verifier zero-knowledge properties of the proposed protocol. Then, we construct a ring signature from the proposed sigma protocol for a ring by applying the Fiat-Shamir transform. In order to reduce the size of the exchanges, we use the Merkle tree and show that the signature size increases logarithmically in the size of the ring. The complexity analyses of the proposed protocols are also provided.

Use of game theory and mechanism design in cloud security is a well-studied topic. When applicable, it has the advantages of being efficient and simple compared to cryptography alone. Most analyses consider two-party settings, or multi-party settings where coalitions are not allowed. However, many cloud security problems that we face are in the multi-party setting and the involved parties can almost freely collaborate with each other. To formalize the study of disincentivizing coalitions from deviating strategies, a well-known definition named k-resiliency has been proposed by Abraham et al. (ACM PODC '06). Since its proposal, k-resiliency and related definitions are used extensively for mechanism design. However, in this work we observe the shortcoming of k-resiliency. That is, although it is secure, these definitions are too strict to use for many cases and rule out secure mechanisms as insecure. To overcome this, we propose a new definition named l-repellence against the presence of a single coalition to replace k-resiliency. Our definition incorporates transferable utility in game theory as it is realistic in many distributed and multi-party computing settings. We also propose m-stability definition against the presence of multiple coalitions, which is inspired by threshold security in cryptography. We then show the advantages of our novel definitions on three mechanisms, none of which were previously analyzed against coalitions: incentivized cloud computation, forwarding data packages in ad hoc networks, and connectivity in ad hoc networks. Regarding the former, our concepts improve the proposal by Küpçü (IEEE TDSC '17), by ensuring a coalition-proof mechanism.

Evaluating the side-channel resistance of a device in practice is a problematic and arduous process. Current certification schemes require to attack the device under test with an ever-growing number of techniques to validate its security. In addition, the success or failure of these techniques strongly depends on the individual implementing them, due to the fallible and human intrinsic nature of several steps of this path.

To alleviate this problem, we propose a battery of automated attacks as a side-channel analysis robustness assessment of an embedded device. To prove our approach, we conduct realistic experiments on two different devices, creating a new dataset (AES_RA) as a part of our contribution. Furthermore, we propose a novel way of performing these attacks using Principal Component Analysis, which also serves as an alternative way of selecting optimal principal components automatically. In addition, we perform a detailed analysis of automated attacks against masked AES implementations, comparing our method with the state-of-the-art approaches and proposing two novel initialization techniques to overcome its limitations in this scenario. We support our claims with experiments on AES_RA and a public dataset (ASCAD), showing how our, although fully automated, approach can straightforwardly provide state-of-the-art results.

In known constructions of classical zero-knowledge protocols for NP, either of zero-knowledge or soundness holds only against computationally bounded adversaries. Indeed, achieving both statistical zero-knowledge and statistical soundness at the same time with classical verifier is impossible for NP unless the polynomial-time hierarchy collapses, and it is also believed to be impossible even with a quantum verifier. In this work, we introduce a novel compromise, which we call the certified everlasting zero-knowledge proof for QMA. It is a computational zero-knowledge proof for QMA, but the verifier issues a classical certificate that shows that the verifier has deleted its quantum information. If the certificate is valid, even unbounded malicious verifier can no longer learn anything beyond the validity of the statement. We construct a certified everlasting zero-knowledge proof for QMA. For the construction, we introduce a new quantum cryptographic primitive, which we call commitment with statistical binding and certified everlasting hiding, where the hiding property becomes statistical once the receiver has issued a valid certificate that shows that the receiver has deleted the committed information. We construct commitment with statistical binding and certified everlasting hiding from quantum encryption with certified deletion by Broadbent and Islam [TCC 2020] (in a black box way), and then combine it with the quantum sigma-protocol for QMA by Broadbent and Grilo [FOCS 2020] to construct the certified everlasting zero-knowledge proof for QMA. Our constructions are secure in the quantum random oracle model. Commitment with statistical binding and certified everlasting hiding itself is of independent interest, and there will be many other useful applications beyond zero-knowledge.

Masking is the main countermeasure against side-channel attacks on embedded devices. For cryptographic algorithms that combine Boolean and arithmetic masking, one must therefore convert between the two types of masking, without leaking additional information to the attacker. In this paper we describe a new high-order conversion algorithm between Boolean and arithmetic masking, based on table recomputation, and provably secure in the ISW probing model. We show that our technique is particularly efficient for masking structured LWE encryption schemes such as Kyber and Saber. In particular, for Kyber IND-CPA decryption, we obtain an order of magnitude improvement compared to existing techniques.

TCC'21 will take place will take place in Raleigh, United States on November 8-11 2021.

Registration for TCC 2021 is now open for both in person and remote attendees! Register early! The earliest we know the number of in-person attendees, the best the in-person experience will be. See: https://tcc.iacr.org/2021/registration.php

Stipends are available for students.

A special "in person" workshop will take place alongside TCC. Deadline to submit a talk is Oct. 13th. More details on the workshop can be found here: https://tcc.iacr.org/2021/inperson.php

We at Arcana(arcana.network) are looking for someone well versed with applied math and cryptography to help design our protocol and allied systems. Specifically, we are looking for knowledge in a significant subset of the following: (1) Verifiable Delay Function(VDF) implementation. (2)Distributed key generation(DKG) and management(DKMS). (3)Encryption schemes. (4)Game theoretical (dis)incentivisation on a decentralized network. (5)Distributed Random Number generation. (6)End to End Encryption schemes . (7)Zero Knowledge proofs. (8)Verifiable computation. Academics and part time consultants also welcome to apply.

Closing date for applications:

Contact: admin@arcana.network

More information: https://arcana.network

The Institute of Information Security and Dependability at KIT is looking for a Post-Doc with expertise in privacy-preserving cryptographic protocols with a focus on secure multi-party computation , ideally, having hands-on experiences with MPC-compilers. A track record in this field is expected, including publications at reputable conferences such as Crypto, Eurocrypt, ACM CCS, PETS, etc.

You will be a member of the KASTEL Security Research Labs (https://zentrum.kastel.kit.edu) and the Topic "Engineering Secure Systems" of the Helmholtz Association. Your research is dealing with cryptographic protocols for privacy-preserving computations, e.g., applied to mobility systems. It will result in both theoretical security concepts (protocol designs, security proofs, etc.) and their practical implementation (e.g., a demonstrator) for some application domain. The contract will initially be limited to 1 year, but can be extended.

If you are interested, please formally apply using the link given below. Besides your CV including a list of your publications, please also include the names of three references.

Closing date for applications:

Contact: Andy Rupp (andy.rupp@rub.de)

More information: https://www.pse.kit.edu/karriere/joboffer.php?id=96409&language=en

The high cost of IC design has made chip protection one of the first priorities of the semiconductor industry. In addition, with the growing number of untrusted foundries, the possibility of inside foundry attack is escalating. However, by taking advantage of polymorphic gates, the layouts of the circuits with different functionalities look exactly identical, making it impossible even for an inside foundry attacker to distinguish the defined functionality of an IC by looking at its layout. Moreover, since memristor is compatible with CMOS structure, it is possible to efficiently design hybrid memristor- CMOS circuits. In this paper, we propose a hardware obfuscation method based on polymorphic hybrid memristor-CMOS technology. Overhead of the polymorphic designs and the time complexity of possible attacks are discussed.

Group signatures allow group members to sign on behalf of the group anonymously. They are therefore well suited to storing data in a way that preserves the users’ privacy, while guaranteeing its authenticity. Garms and Lehmann (PKC’19) introduced a new type of group signatures that balance privacy with utility by allowing to selectively link subsets of the group signatures via an oblivious entity, the converter. The conversion takes a batch of group signatures and blindly transforms signatures originating from the same user into a consistent representation. Their scheme essentially targets a setting where the entity receiving fully unlinkable signatures and the converted ones is the same: only pseudonyms but not full signatures are converted, and the input to the converter is assumed to be well-formed. Thus, the converted outputs are merely linkable pseudonyms but no longer signatures. In this work we extend and strengthen such convertibly linkable group signatures. Conversion can now be triggered by malicious entities too, and the converted outputs can be publicly verified. This preserves the authentication of data during the conversion process. We define the security of this scheme and give a provably secure instantiation. Our scheme makes use of controlled-malleable NIZKs, which allow proofs to be mauled in a controlled manner. This allows signatures to be blinded, while still ensuring they can be verified during conversions.

This paper describes a practical side-channel power analysis on CRYSTALS-Kyber key-encapsulation mechanism. In particular, we analyse the polynomial multiplication in the decapsulation phase to recover the secret key in a semi-static setting. The power analysis attack was performed against the KYBER512 implementation from pqm4 running on STM32F3 M4-cortex CPU.

We consider the related-tweak impossible differential cryptanalysis of \texttt{TweAES}. It is one of the underlying primitives of Authenticated Encryption with Associated Data (AEAD) scheme \texttt{ESTATE} which was accepted as one of second-round candidates in the NIST Lightweight Cryptography Standardization project. Firstly, we reveal several properties of \texttt{TweAES}, which show what kinds of distinguishers are more effective in recovering keys. With the help of automatic solver Simple Theorem Prover (STP), we achieve many 5.5-round related-tweak impossible differentials with fixed input differences and output differences that just have one active byte. Then, we implement 8-round key recovery attacks against \texttt{TweAES} based on one of these 5.5-round distinguishes. Moreover, another 5.5-round distinguisher that has four active bytes at the end is utilized to mount a 7-round key recovery attack against \texttt{TweAES}, which needs much lower attack complexities than the 6-round related-tweak impossible differential attack of \texttt{TweAES} in the design document. Our 8-round key recovery attack is the best one against \texttt{TweAES} in terms of the number of rounds and complexities so far.

The final exponentiation affects the efficiency of pairing computations especially on pairing-friendly curves with high embedding degree. We propose an efficient method for computing the hard part of the final exponentiation on the KSS18 curve at 192-bit security level. Implementations indicate that the computation of the final exponentiation can be 8.74% faster than the previously fastest result.

This paper presents the design and evaluation of Wendy, the first Byzantine consensus protocol that achieves optimal latency (two phases), linear authenticator complexity, and optimistic responsiveness. Wendy's core technical contribution is a novel aggregate signature scheme that allows leaders to prove, with constant pairing cost, that an operation did not commit. This No-commit proof addresses prior liveness concerns in protocols with linear authenticator complexity (including view change), allowing Wendy to commit operations in two-phases only.

A variety of post-quantum cryptographic schemes are currently undergoing standardization in the National Institute of Standards and Technology's post-quantum cryptography standardization process. It is well known from classical cryptography that actual implementations of cryptographic schemes can be attacked by exploiting side-channels, e.g. timing behavior, power consumption or emanation in the electromagnetic field. Although several of the reference implementations currently in the third and final standardization round are - to some extent - implemented in a timing-constant fashion, resistance against other side-channels is not taken into account yet. Implementing sufficient countermeasures, however, is challenging.

We therefore exemplarily examine CRYSTALS-Kyber, which is a lattice-based key encapsulation mechanism currently considered as a candidate for standardization. By analyzing the power consumption side-channel during message encoding we develop four more and compare six different implementations with an increasing degree of countermeasures.

We show that introducing randomization countermeasures is crucial as all examined implementations aiming at reducing the leakage by minimizing the Hamming distance of the processed intermediate values only are vulnerable against single-trace attacks when implemented on an ARM Cortex-M4.