International Association
for Cryptologic Research

Simula UiB is a research centre in Cryptography and Information Theory located in Bergen, Norway. We are currently looking for an outstanding candidate for a 4-year PhD researcher position in the area of symmetric-key cryptography. The successful candidate will work under the supervision of Prof Carlos Cid, towards a PhD degree from the University of Bergen. The research topic will be one of the following:

• Design and analysis of dedicated symmetric-key ciphers for privacy-preserving mechanisms (e.g. MPC, FHE, ZKP schemes); or,
• Quantum cryptanalysis of symmetric-key primitives.

We are looking for a candidate who has recently completed, or is about to complete, a master’s degree in cryptography, mathematics, or a closely related field. The master’s degree must have been awarded, with good results, before their start in the PhD position – in particular the candidate must satisfy the enrolment requirements for the PhD programme at the University of Bergen. The candidate must be highly motivated and be able to demonstrate their potential for conducting original research in cryptography. Simula UiB currently has 13 Early Career Researchers working on a range of research problems in cryptography and information theory and can offer a vibrant, stimulating and inclusive working environment to the successful candidate.

Interested and qualified candidates should apply at https://www.simula.no/about/job/phd-student-symmetric-key-cryptography
Deadline for application is 31 October 2022; however applications will be screened continuously, and we may conclude recruitment as soon as we find the right candidate. The starting date is negotiable.

Closing date for applications:

Contact: For additional enquiries about this position, please contact Carlos Cid (carlos@simula.no)

More information: https://www.simula.no/about/job/phd-student-symmetric-key-cryptography

We are looking for a motivated research engineer to join the cybersecurity and applied cryptography group at the university of St. Gallen.
More specifically, the job includes:

• Development and implementation of concepts and research results, both individually and in collaboration with researchers and PhD students;
• Run of experiments and simulation of realistic conditions to test the performance of developed algorithms and protocols;
• Development, maintenance and organization of software;
• Support to BSc, MSc and PhD students, postdocs and researchers who use the lab;
• Responsibility for day routines in the lab, for example purchases, installations, bookings, inventory;

Your profile:

We are looking for a strongly motivated and self-driven person who is able to work and learn new things independently.

Good command of English is required.

You should have a good academic track record and well developed analytical and problem solving skills.

Excellent programming skills and familiarity with cryptographic libraries.

Previous experience in implementation projects with C++, Matlab, Python is desired.

Deadline: 31 August 2022 Apply online: https://jobs.unisg.ch/offene-stellen/cryptography-engineer-m-w-d/ccfd1b3a-e89c-4918-81e7-478348b0c48d

Closing date for applications:

Contact: Katerina Mitrokotsa

More information: https://jobs.unisg.ch/offene-stellen/cryptography-engineer-m-w-d/ccfd1b3a-e89c-4918-81e7-478348b0c48d

We are looking for a bright and motivated PhD student for a 3-year fully funded PhD position starting 1 November 2022 (negotiable). The project is financed by the Independent Research Fund Denmark, and it is a collaboration between DTU, the University of Cambridge, the University of Colorado, Colorado Springs, and Telenor Denmark. It is an excellent opportunity to be involved in advanced research on cyber-security, with important practical applications.

The project’s emphasis will be on digital ghost ships (DGS). A DGS is defined as any online resource (e.g. an IoT device) that has been connected to the Internet and has been subsequently abandoned (in terms of management, updates, or security patches). Hence, DGS may include systems with default usernames and passwords as well as systems that lack important security updates. We aim at proposing novel ways for identifying such DGS, which is the first step into making them secure or taking them down. To do this, the project will not only research novel network detection techniques but also examine how human psychology plays a role in creating DGS.

Closing date for applications:

Contact: Emmanouil Vasilomanolakis

More information: https://www.compute.dtu.dk/english/sitecore/indhold/dtu/dtuenglish-old/forside/about/job-and-career/vacant%20positions/job?id=5ffc257d-616c-4f97-b39d-d16d483459c3

The Ph.D. will focus on discovering new security threats introduced by cloud FPGAs and developing new secure architectures to safeguard cloud infrastructures and their users. A secure deployment strategy of cloud FPGAs will be developed; it should cover all known security threats and new security threats discovered during the project. The overall research project will be conducted on both local experimental setups and online real-world FPGA-integrated cloud environments.

Requirements: PhD candidates are required to have a master degree in computer science, mathematics, electrical engineering, or comparable areas. Candidates that are expected to finish their M.Sc. thesis in the near future can also apply. Candidates should have a clear interest in fundamental research, should be creative and solid in their research, should have (potential) interest in computer security and computer engineering, and should be able to cooperate with experts from different disciplines. It is essential that you have good academic writing and presentation skills. Candidates are expected to have an excellent command of English.

Information and application: The application deadline is 31 August 2022. All applications should include a motivation letter, a detailed CV, and a list of grades and courses.

Interested candidate can learn more information at https://www.cwi.nl/jobs/vacancies/946698

Closing date for applications:

Contact: Dr. Chenglu Jin, chenglu.jin@cwi.nl

More information: https://www.cwi.nl/jobs/vacancies/946698

Do you want to work with us to make society better secured against digital threats? "I want a job that is challenging, socially useful and creative!" This is something we often hear when we ask why job seekers have chosen us. Many of the world's challenges must be solved with technology and at SINTEF we want that to happen in a sustainable way. And we are lucky, many people know that SINTEF is concerned that our work should have a societal benefit. Right now we have a senior researcher position available in cyber security! Our focus areas are: -risk assessment and incident management -secure software development and testing -built-in privacy and GDPR -critical infrastructure -security in cyber-physical systems and IoT -security in 5G and other communication technologies -We currently have projects in several domains: aviation, petroleum, -maritime industry, health, public services and software development.

Closing date for applications:

Contact: Per Håkon Meland

More information: https://candidate.hr-manager.net/ApplicationInit.aspx?cid=1131&ProjectId=145153&DepartmentId=18961&MediaId=5

Can we hope to provide provable security against model extraction attacks? As a step towards a theoretical study of this question, we unify and abstract a wide range of "observational" model extraction defense mechanisms -- roughly, those that attempt to detect model extraction using a statistical analysis conducted on the distribution over the adversary's queries. To accompany the abstract observational model extraction defense, which we call OMED for short, we define the notion of complete defenses -- the notion that benign clients can freely interact with the model -- and sound defenses -- the notion that adversarial clients are caught and prevented from reverse engineering the model. We then propose a system for obtaining provable security against model extraction by complete and sound OMEDs, using (average-case) hardness assumptions for PAC-learning. Our main result nullifies our proposal for provable security, by establishing a computational incompleteness theorem for the OMED: any efficient OMED for a machine learning model computable by a polynomial size decision tree that satisfies a basic form of completeness cannot satisfy soundness, unless the subexponential Learning Parity with Noise (LPN) assumption does not hold. To prove the incompleteness theorem, we introduce a class of model extraction attacks called natural Covert Learning attacks based on a connection to the Covert Learning model of Canetti and Karchmer (TCC '21), and show that such attacks circumvent any defense within our abstract mechanism in a black-box, nonadaptive way. Finally, we further expose the tension between Covert Learning and OMEDs by proving that Covert Learning algorithms require the nonexistence of provable security via efficient OMEDs. Therefore, we observe a "win-win" result by obtaining a characterization of the existence of provable security via efficient OMEDs by the nonexistence of natural Covert Learning algorithms.

We show that we can break SIDH in polynomial time, even with a random starting curve~$E_0$.

This work presents RPM, a scalable anonymous communication protocol suite using secure multiparty computation (MPC) with the offline-online model. We generate random, unknown permutation matrices in a secret-shared fashion and achieve improved (online) performance and the lightest communication and computation overhead for the clients compared to the state of art robust anonymous communication protocols. Using square-lattice shuffling, we make our protocol scale well as the number of clients increases. We provide three protocol variants, each targeting different input volumes and MPC frameworks/libraries. Besides, due to the modular design, our protocols can be easily generalized to support more MPC functionalities and security properties as they get developed. We also illustrate how to generalize our protocols to support two-way anonymous communication and secure sorting. We have implemented our protocols using the MP-SPDZ library suit and the benchmark illustrates that our protocols achieve unprecedented online phase performance with practical offline phases.

Multi-signatures are protocols that allow a group of signers to jointly produce a single signature on the same message. In recent years, a number of practical multi-signature schemes have been proposed in the discrete-log setting, such as MuSigT (CRYPTO'21) and DWMS (CRYPTO'21). The main technical challenge in constructing a multi-signature scheme is to achieve a set of several desirable properties, such as (1) security in the plain public-key (PPK) model, (2) concurrent security, (3) low online round complexity, and (4) key aggregation. However, previous lattice-based, post-quantum counterparts to Schnorr multi-signatures fail to satisfy these properties.

In this paper, we introduce MuSigL, a lattice-based multi-signature scheme simultaneously achieving these design goals for the first time. Unlike the recent, round-efficient proposal of Damgård et al. (PKC'21), which had to rely on lattice-based trapdoor commitments, we do not require any additional primitive in the protocol, while being able to prove security from the standard module-SIS and LWE assumptions. The resulting output signature of our scheme therefore looks closer to the usual Fiat--Shamir-with-abort signatures.

Secure multiparty computation can often utilize a trusted source of correlated randomness to achieve better efficiency. A recent line of work, initiated by Boyle et al. (CCS 2018, Crypto 2019), showed how useful forms of correlated randomness can be generated using a cheap, one-time interaction, followed by only "silent" local computation. This is achieved via a pseudorandom correlation generator (PCG), a deterministic function that stretches short correlated seeds into long instances of a target correlation. Previous works constructed concretely efficient PCGs for simple but useful correlations, including random oblivious transfer and vector-OLE, together with efficient protocols to distribute the PCG seed generation. Most of these constructions were based on variants of the Learning Parity with Noise (LPN) assumption. PCGs for other useful correlations had poor asymptotic and concrete efficiency.

In this work, we design a new class of efficient PCGs based on different flavors of the ring-LPN assumption. Our new PCGs can generate OLE correlations, authenticated multiplication triples, matrix product correlations, and other types of useful correlations over large fields. These PCGs are more efficient by orders of magnitude than the previous constructions and can be used to improve the preprocessing phase of many existing MPC protocols.

Impossible differential (ID) cryptanalysis is one of the most important attacks on block ciphers. The Mixed Integer Linear Programming (MILP) model is a popular method to determine whether a specific difference pair is an ID. Unfortunately, due to the huge search space (approximately $2^{2n}$ for a cipher with a block size $n$ bits), we cannot leverage this technique to exhaust all difference pairs, which is a well-known long-standing problem.

In this paper, we propose a systematic method to find all IDs for SPN block ciphers. The idea is to partition the whole difference pair space into lots of small disjoint sets, each of which has a representative difference pair. All difference pairs in one small set are possible if its representative pair is possible, and this can be conveniently checked by the MILP model. In this way, the overall search space is drastically reduced to a practical size by excluding the sets containing no IDs. We then examine the remaining difference pairs to identify all IDs (if some IDs exist). If our method cannot find any ID, the target cipher is proved free of ID distinguishers.

Our method works especially well for SPN ciphers with block size 64. We apply our method to SKINNY-64 and successfully find all 432 and 12 truncated IDs (we find all IDs but all of them can be assembled into certain truncated IDs) for 11 and 12 rounds, respectively. We also prove, for the first time, that 13-round SKINNY-64 is free of ID distinguishers even when considering the differential transitions through the Difference Distribution Table (DDT). Similarly, we find all 12 truncated IDs (all IDs are assembled into 12 truncated IDs) for 13-round CRAFT and prove there is no ID for 14 rounds. For SbPN cipher GIFT-64, we prove that there is no ID for 8 rounds.

For SPN ciphers with larger block sizes, we show that our idea is also useful to strengthen the current search methods. For example, if we consider the Sbox to be ideal and only consider the branch number information of the diffusion matrix, we can find all 6,750 truncated IDs for 6-round Rijndael-192 in 1 second and prove that there is no truncated ID for 7 rounds. Previously, we need to solve approximately $2^{48}$ MILP models to achieve the same goal. For GIFT-128, we exhausted all difference patterns that have an active superbox in the plaintext and ciphertext and proved there is no ID of such patterns for 8 rounds.

Although we have searched for a larger or even full space for IDs, no longer ID distinguishers have been found. This implies the reasonableness of the intuition that a small number (usually one or two) of active bits/words at the beginning and end of an ID will be the longest.

We give characterizations of IND\$-CPA security for a large, natural class of encryption schemes. Specifically, we consider encryption algorithms that invoke a block cipher and otherwise perform linear operations (e.g., XOR and multiplication by fixed field elements) on intermediate values. This class of algorithms corresponds to the Linicrypt model of Carmer & Rosulek (Crypto 2016). Our characterization for this class of encryption schemes is sound but not complete.

We then focus on a smaller subclass of block cipher modes, which iterate over the blocks of the plaintext, repeatedly applying the same Linicrypt program. For these Linicrypt block cipher modes, we are able to give a sound and complete characterization of IND\$-CPA security. Our characterization is linear-algebraic in nature and is easy to check for a candidate mode. Interestingly, we prove that a Linicrypt block cipher mode is secure if and only if it is secure against adversaries who choose all-zeroes plaintexts.

We obtain a black-box construction of non-interactive CCA commitments against non-uniform adversaries. This makes black-box use of an appropriate base commitment scheme for small tag spaces, variants of sub-exponential hinting PRG (Koppula and Waters, Crypto 2019) and variants of keyless sub-exponentially collision-resistant hash function with security against non-uniform adversaries (Bitansky, Kalai and Paneth, STOC 2018 and Bitansky and Lin, TCC 2018).

All prior works on non-interactive non-malleable or CCA commitments without setup first construct a "base" scheme for a relatively small identity/tag space, and then build a tag amplification compiler to obtain commitments for an exponential-sized space of identities. Prior black-box constructions either add multiple rounds of interaction (Goyal, Lee, Ostrovsky and Visconti, FOCS 2012) or only achieve security against uniform adversaries (Garg, Khurana, Lu and Waters, Eurocrypt 2021).

Our key technical contribution is a novel tag amplification compiler for CCA commitments that replaces the non-interactive proof of consistency required in prior work. Our construction satisfies the strongest known definition of non-malleability, i.e., CCA2 (chosen commitment attack) security. In addition to only making black-box use of the base scheme, our construction replaces sub-exponential NIWIs with sub-exponential hinting PRGs, which can be obtained based on assumptions such as (sub-exponential) CDH or LWE.

The Rank Decoding problem (RD) is at the core of rank-based cryptography. Cryptosystems such as ROLLO and RQC, which made it to the second round of the NIST Post-Quantum Standardization Process, as well as the Durandal signature scheme, rely on it or its variants. This problem can also be seen as a structured version of MinRank, which is ubiquitous in multivariate cryptography. Recently, [1,2] proposed attacks based on two new algebraic modelings, namely the MaxMinors modeling which is specific to RD and the Support-Minors modeling which applies to MinRank in general. Both improved significantly the complexity of algebraic attacks on these two problems. In the case of RD and contrarily to what was believed up to now, these new attacks were shown to be able to outperform combinatorial attacks and this even for very small field sizes.

However, we prove here that the analysis performed in [2] for one of these attacks which consists in mixing the MaxMinors modeling with the Support-Minors modeling to solve RD is too optimistic and leads to underestimate the overall complexity. This is done by exhibiting linear dependencies between these equations and by considering an Fqm version of these modelings which turns out to be instrumental for getting a better understanding of both systems. Moreover, by working over Fqm rather than over Fq, we are able to drastically reduce the number of variables in the system and we (i) still keep enough algebraic equations to be able to solve the system, (ii) are able to analyze rigorously the complexity of our approach. This new approach may improve the older MaxMinors approach on RD from [1,2] for certain parameters. We also introduce a new hybrid approach on the Support-Minors system whose impact is much more general since it applies to any MinRank problem. This technique improves significantly the complexity of the Support-Minors approach for small to moderate field sizes.

References:

[1] An Algebraic Attack on Rank Metric Code-Based Cryptosystems, Bardet, Briaud, Bros, Gaborit, Neiger, Ruatta, Tillich, EUROCRYPT 2020.

[2] Improvements of Algebraic Attacks for solving the Rank Decoding and MinRank problems, Bardet, Bros, Cabarcas, Gaborit, Perlner, Smith-Tone, Tillich, Verbel, ASIACRYPT 2020.

We study the problem of biometric-based authentication with template confidentiality. Typical schemes addressing this problem, such as Fuzzy Vaults (FV) and Fuzzy Extractors (FE), allow a server, aka Authenticator, to store “random looking” Helper Data (HD) instead of biometric templates in clear. HD hides information about the corresponding biometric while still enabling secure biometric-based authentication. Even though these schemes reduce the risk of storing biometric data, their correspondent authentication procedures typically require sending the HD (stored by the Authenticator) to a client who claims a given identity. The premise here is that only the identity owner - i.e., the person whose biometric was sampled to originally generate the HD - is able to provide the same biometric to reconstruct the proper cryptographic key from HD. As a side effect, the ability to freely retrieve HD, by simply claiming a given identity, allows invested adversaries to perform offline statistical attacks (a biometric analog for dictionary attacks on hashed passwords) or re-usability attacks (if the FE scheme is not reusable) on the HD to eventually recover the user’s biometric.

In this work we develop Oblivious Extractors: a new construction that allows an Authenticator to authenticate a user without requiring neither the user to send a biometric to the Authenticator, nor the server to send the HD to the client. Oblivious Extractors provide concrete security advantages for biometric-based authentication systems. From the perspective of secure storage, an oblivious extractor is as secure as its non-oblivious fuzzy extractor counterpart. In addition, it enhances security against aforementioned statistical and re-usability attacks. To demonstrate the construction’s practicality, we implement and evaluate a biometric-based authentication prototype using Oblivious Extractors.

The FIDO2 protocol is a globally used standard for passwordless authentication, building on an alliance between major players in the online authentication space. While already widely deployed, the standard is still under active development. Since version 2.1 of its CTAP sub-protocol, FIDO2 can potentially be instantiated with post-quantum secure primitives. We provide the first formal security analysis of FIDO2 with the CTAP 2.1 and WebAuthn 2 sub-protocols. Our security models build on work by Barbosa et al. for their analysis of FIDO2 with CTAP 2.0 and WebAuthn 1, which we extend in several ways. First, we provide a more fine-grained security model that allows us to prove more relevant protocol properties, such as guarantees about token binding agreement, the None attestation mode, and user verification. Second, we can prove post-quantum security for FIDO2 under certain conditions and minor protocol extensions. Finally, we show that for some threat models, the downgrade resilience of FIDO2 can be improved, and show how to achieve this with a simple modification.

Verifiable Data Streaming (VDS) enables a resource-limited client to continuously outsource data to an untrusted server in a sequential manner while supporting public integrity verification and efficient update. However, most existing VDS schemes require the client to generate all proofs in advance and store them at the server, which leads to a heavy computational burden on the client. In addition, all the previous VDS schemes can perform batch query (i.e., retrieving multiple data entries at once), but are subject to linear communication cost $l$, where $l$ is the number of queried data. In this paper, we first introduce a new cryptographic primitive named Double-trapdoor Chameleon Vector Commitment (DCVC), and then present an unbounded VDS scheme $\mathsf{VDS_1}$ with optimal communication cost in the random oracle model from aggregatable cross-commitment variant of DCVC. Furthermore, we propose, to our best knowledge, the first unbounded VDS scheme $\mathsf{VDS}_2$ with optimal communication and storage overhead in the standard model by integrating Double-trapdoor Chameleon Hash Function (DCH) and Key-Value Commitment (KVC). Both of our schemes enjoy constant-size public key. Finally, we demonstrate the efficiency of our two VDS schemes with a comprehensive performance evaluation.

The School of Computer Science at the University of Birmingham seeks to recruit outstanding computer scientists for the role of Assistant Professor / Associate Professor, with a particular interest in the areas of Systems Security and/or Hardware Security.

The Birmingham Centre for Cyber Security and Privacy conducts internationally competitive research in all aspects of cyber security and privacy. The Centre is recognised by EPSRC/NCSC as an Academic Centre of Excellence in Cyber Security Research, and its MSc in Cyber Security is NSCS-accredited.

We encourage applications that either complement our existing strengths or open-up new areas with strong potential for collaboration. Candidates are welcome from both early career and established stages with an emphasis on a growing international reputation. We provide an inclusive environment and are committed to a recruitment process free from discrimination. We believe that supporting a variety of career trajectories is vital for world class computer science to flourish.

For further information and to apply (closing date 16 August 2022), use the following URL: https://bham.taleo.net/careersection/external/jobdetail.ftl?job=220001IU&tz=GMT%2B01%3A00&tzname=Europe%2FLondon

Closing date for applications:

Contact: For informal enquiries, contact David Oswald (d.f.oswald@bham.ac.uk) or Mark Ryan (m.d.ryan@bham.ac.uk)

More information: https://bham.taleo.net/careersection/external/jobdetail.ftl?job=220001IU&tz=GMT%2B01%3A00&tzname=Europe%2FLondon

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are looking for a cryptographer, or applied cryptographer, to join our growing crypto team based in Milan, Italy. Currently, the team is developing a protocol suite for SNARK-based proof-composition, but its duties reach beyond that, developing privacy-enhancing solutions for our sidechain ecosystem.

Responsabilities

• Design privacy-enhancing technology built on SNARK-based protocols
• Perform collaborative research and assist technical colleagues in their development work
• Participate in standards-setting

Requirements

• Ph.D. in mathematics, computer science, or cryptography
• Solid foundations in zero-knowledge and cryptographic protocols
• Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols or PETs
• Strong problem-solving skills
• The ability to work in a team setting as well as autonomously
• Foundations in blockchain technology and experience in reading Rust are a plus

We offer

• A competitive salary plus pre-series A stock options
• Flexible working hours, including the possibility of remote working
• The opportunity to work with talented minds on challenging topics in this field, including the most recent advancements in zero-knowledge
• A nice and informal team setting to conduct research and development of high-quality open source solutions

If you are interested in this position, you might want to take a look at our recent publications (IACR eprints 2021/930, 2021/399, 2020/123) and our latest podcast on zeroknowledge.fm (Episode 178). For further questions, please contact the email below.

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

More information: https://horizenlabs.io/careers/job/?gh_jid=4116067004

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

We are looking for an engineer who will contribute in building the cryptographic infrastructure of our Web 3.0-enabled blockchain ecosystem. You will be involved in the design and implementation of our zero-knowledge Layer 2 scaling solution based on STARK-proven virtual machines. Our international team works in a stimulating and innovative environment, where people’s technical expertise and experience contribute to the development of cutting-edge blockchain technology.

Requirements

• Experience in implementing zero-knowledge proving systems or related cryptographic primitives;
• Comfortable in implementing low-level operations such as finite field arithmetics, hash functions, etc.;
• Enthusiastic about algorithmic improvements and code optimization.

Furthermore, any experience with

• Plonk, STARKs, AIR circuits,
• EVM, zk-VMs,
• C/C++/Rust programming language

though not mandatory, it is welcomed. We offer

• Competitive salary, yearly bonus, and stock options
• Flexible working hours, fully remote if preferred
• The opportunity to work with talented minds on innovative, high-quality open source solutions.

If you want to get more knowledge about our technology, read our Whitepapers at the website: https://www.horizen.io/research/

Closing date for applications:

Contact: Raffaella Lixi raffaella@horizenlabs.io

More information: https://horizenlabs.io/careers/job/?gh_jid=4534454004