International Association
for Cryptologic Research

The Centre for Doctoral Training (CDT) at Royal Holloway, University of London seeks to recruit PhD students to work in the area of cryptography. Examples for potential topics include:

• Foundations of Witness Encryption and Smart Encryption (supervised by Saqib Kakvi)
• Secure Coded Caching (supervised by Siaw-Lynn Ng)
• Applications of Time and Delay in Cryptographic Protocols (supervised by Elizabeth Quaglia)
• Privacy-Preserving Applications based on Secure Multi-Party Computation (supervised by Christian Weinert)

You can find more details for these and other project proposals on FindAPhD.com [1].

The crypto team at Royal Holloway, as part of the Information Security Group (ISG), has a strong track record in cryptographic research, including algorithm design and analysis, post-quantum cryptography, homomorphic encryption, and applications of secure computation.

Applicants are expected to have a background in mathematics, computer science, or a related discipline. Prospective applicants are welcome to contact CDT administrator Claire Hudson (CyberSecurityCDT@rhul.ac.uk) or any member of staff they might be interested to work with. For more information about the crypto team, please visit our website [2].

The CDT can offer approximately ten studentships per year, three of which can be awarded to international students (including EU and EEA). Please ensure you are familiar with the eligibility criteria set by UKRI and their terms and conditions. In order to apply, please visit the CDT website [3] and follow the application instructions. The studentship includes a (tax-free) maintenance of £23,668.00 for each academic year.

[1] https://www.findaphd.com/phds/information-security-group/?c0MPwk50
[2] https://cryptography.isg.rhul.ac.uk
[3] https://www.royalholloway.ac.uk/cdt

Closing date for applications:

Contact: CyberSecurityCDT@rhul.ac.uk

Applications are invited for one Postdoctoral Research Fellow position at Eötvös Loránd University, Budapest. The candidate is expected to carry out research in the topic of post-quantum cryptography (lattice-based, multivariate, code-based or isogeny -based cyrptography). The research will be conducted as part of the Quantum Information National Laboratory, which is a collaboration between several universities and research institutes in Budapest. The applicant is supposed to hold a Phd in Computer Science or Mathematics (the degree should be obtained by the starting date). The position is for two years and expected starting date is April 2023, however the starting date is negotiable (but not later than September 2023). If you want to apply for this position please send the following documents to Péter Kutas (kuppabt@inf.elte.hu):

• CV
• Motivation Letter
• Two recommendation letters (these should be sent by the recommending person directly to the above e-mail address)

Please send your applications by 31st January 2023.

Closing date for applications:

Contact: Péter Kutas (kuppabt@inf.elte.hu)

The School of Engineering at the Universidad Católica de Chile, one of the leading engineering academic institutions in Latin America and ranked among the top four emerging leaders for engineering education worldwide, invites outstanding candidates for a full-time faculty position in the area of cybersecurity. Duties: High-quality teaching (at undergraduate and graduate levels), and conducting independent research. Additional duties include knowledge transfer, outreach, and university administrative tasks. The new position should conduct teaching, research, and technological innovation activities in cybersecurity and cryptography, including but not limited to privacy, data protection, computer network security, information technology security, software and application security, blockchain, computer forensics, smart contracts, data integrity, among others. The selected candidate is expected to develop a strong externally funded research program, support doctoral programs, and teach three courses per year, at least two of these courses should belong to the bachelor of science in computer science program, and another course according to their expertise. Requirements: Applicants must hold a Ph.D., preferably in Computer Science, and/or have demonstrable expertise in the fields. Due to the nature of our School, the applicant will have the opportunity and should be willing to work collaboratively with other Departments in the School of Engineering. Previous postdoctoral or international academic experience should be stated in the application. Candidates do not need to be fluent in Spanish at the time of application, but should be prepared to learn the language well enough to teach in this language in the short term (two years maximum). English is a requirement.

Closing date for applications:

Contact: Marcelo Arenas, marenas@ing.puc.cl

More information: https://www.ing.uc.cl/trabaja-con-nosotros/areas-to-apply-2/

A postdoctoral position is available in the APSIA research group (led by Prof. Peter Y. A. Ryan) in the Department of computer Science at the University of Luxembourg. The successful candidate is expected to do research in line with ‘’quantum safe proofs’’ (QSP) project funded by Luxembourg National Research Fund. The successful candidate will conduct the QSP project in collaboration with Prof. Peter Y. A. Ryan, Prof. Anne Broadbent (University of Ottawa, Canada) and Dr. Ehsan Ebrahimi (PI, University of Luxemburg).

The duration of the position is two years. The yearly gross salary for every Postdoctoral researcher at the UL is around EUR 77167 (full time) . The starting date would be as early as 02.01.2023 (Feb 2023).

The successful candidate will conduct the following tasks:

• Research on post-quantum security of proof systems and its impact to applications like cryptocurrencies and electronic voting systems.
• Research on Quantum Proof Systems: for instance, complexity classes QMA, QIP, etc.
• Participate in teaching tasks and Ph.D. and M.Sc. students supervisions
• Collaboration with writing progress reports

we expect:

• A Ph.D. degree in Computer Science, Mathematics or Physics with the focus on Cryptography and its intersection with Quantum Computation & Information.
• Experience working on quantum-secure proof systems or quantum proof systems is a plus
• Competitive research record in cryptography or quantum computation & information
• Strong mathematical CS background
• Fluent written and verbal communication skills in English are required

Applications should include a short letter of motivation, a CV, a publication list with short summery for each publication, and names of at least 2 reference letter writers . Early application is highly encouraged, as the applications will be processed upon reception.

Closing date for applications:

Contact: Ehsan Ebrahimi, ehsan.ebrahimi@uni.lu

Looking for candidates with a strong background in theory interested in the foundations of cryptography, information-theoretic cryptography, or related areas of complexity theory and algorithms. Multiple positions available, hosted by Prashant Nalini Vasudevan. See website for more details: https://www.comp.nus.edu.sg/~prashant/ads.html

Closing date for applications:

Contact: prashant@comp.nus.edu.sg

More information: https://www.comp.nus.edu.sg/~prashant/ads.html

We’re looking for two PhD students in one the following research directions (but not limited to): e-voting, applied cryptography, postquantum cryptography, provable security, privacy-preserving technologies, and formal verification. The PhD will be under the supervision of Dr. Catalin Dragan. International candidates are welcomed to apply. Final Year BSc students can apply.

Position 1: Department of Computer Science Studentship. The application deadline is 6th January 2023, with a start date of October 2023. Applications are made via CS application page https://www.surrey.ac.uk/postgraduate/computer-science-phd.

Position 2: University of Surrey’s Breaking Barriers Studentship award. The application deadline is 16 December 2022, with a start date of October 2023. More information is available on https://www.surrey.ac.uk/fees-and-funding/studentships/breaking-barriers-studentship-award-2023.

The applications typically requiring CV, cover letter, transcripts, and references. However, we strongly encourage candidates to contact Catalin for an informal chat before applying (there is no need to submit any documents for this). The PhD studentships comes with a stipend of £17.5K – £19K per annum plus tuition fees covered for the duration of 3.5 years

Closing date for applications:

Contact: Dr. Cătălin Drăgan (c.dragan@surrey.ac.uk)

More information: https://www.surrey.ac.uk/postgraduate/computer-science-phd

We are looking for a talented postdoctoral researcher in the field of trustworthy edge computing, with focus on secure Internet infrastructure for future solutions based on Artificial Intelligence (AI), to join our team and help us fulfil the project's goals, producing quality research. The position is placed at the Sensible Things that Communicate (STC) research center, who is a leading Scandinavian research center in Industrial IoT, and are doing research on fields ranging from wireless connectivity, network security and cryptography, distributed systems, ML/AI, embedded systems, visualization and measurement systems. We seek an outstanding talent with a Ph.D. in Computer Science, Computer and Electrical Engineering, or similar. The ideal candidate have a solid background in edge computing, security, network protocols and programming. Previous experiences in ML/AI, embedded systems, and IoT prototyping is an advantage. The work will involve network and security aspects, including algorithm development, simulations and testing, modelling and prototyping, publishing high-quality research papers in high-ranked journals and to contribute to the preparation and drafting of research bids and proposals.

Closing date for applications:

Contact: Professor Mikael Gidlund

More information: https://www.miun.se/en/work-at-the-university/career/jobs/vacancy/postdoc-in-trustworthy-edge-computing/

About Aztec At Aztec we believe privacy isn’t just a fundamental right, but a creative force for web3. Our goal is to unleash the full potential of decentralized technologies by building an open, privacy-first network with no compromises. Privacy enables use cases that otherwise would not be possible and accelerates mainstream adoption. The next wave of web3 applications will require programmable privacy. Aztec’s technology empowers developers with the tools to build private applications and bring their ideas to reality. Our journey started while building an application to bring syndicated loans on chain. We realized that our idea was a nonstarter without privacy. There were no solutions to offer privacy on public blockchains - so we sought out to build it ourselves. Since then, we've made industry-leading advances in cryptography, and deployed a private money platform and a private DeFi platform. To realize our vision of implementing privacy on a public blockchain, we are building a world-class team of cryptographers, engineers, and ecosystem builders. Supporting us on this journey are leading investors including Paradigm, Variant, Consensys, and a_capital.

Closing date for applications:

Contact: travis@aztecprotocol.com

More information: https://boards.eu.greenhouse.io/aztec/jobs/4099676101

Popular Ethereum wallets (e.g., MetaMask) entrust centralized infrastructure providers (e.g., Infura) to run the consensus client logic on their behalf. As a result, these wallets are light-weight and high-performant, but come with security risks. A malicious provider can mislead the wallet, e.g., fake payments and balances, or censor transactions. On the other hand, light clients, which are not in popular use today, allow decentralization, but at inefficient linear bootstrapping complexity. This poses a dilemma between decentralization and performance. In this paper, we design, implement, and evaluate a new proof-of-stake (PoS) superlight client with logarithmic bootstrapping complexity. These proofs of proof-of-stake (PoPoS) take the form of a Merkle tree of PoS epochs. The verifier enrolls the provers in a bisection game, in which the honest prover is destined to win once an adversarial Merkle tree is challenged at sufficient depth. We evaluate our superlight protocol by providing a client implementation that is compatible with mainnet PoS Ethereum: compared to the state-of-the-art light client construction proposed for PoS Ethereum, our client improves time-to-completion by $9\times$, communication by $180\times$, and energy usage by $30\times$ (when bootstrapping after $10$ years of consensus execution). We prove our construction is secure and show how to employ it for other PoS systems such as Cardano (with full adaptivity), Algorand, and Snow White.

A good differential is a start for a successful differential attack. However, a differential might be invalid, i.e., there is no right pair following the differential1, due to some complicated contradictions that are hard to be considered. In this paper, we present a novel and handy method to search and verify a differential characteristic (DC) based on a recently proposed algebraic perspective on the differential(-linear) cryptanalysis (CRYPTO 2021). From this algebraic perspective, exact Boolean expressions of differentials over a cryptographic primitive can be conveniently established, thus verifying a given DC is naturally a Boolean satisfiability problem (SAT problem). With this observation, our approach simulates the round function of the target cipher symbolically and derives a set of Boolean equations in Algebraic Normal Form (ANF). These Boolean equations can be solved by off-the-shelf SAT solvers such as Bosphorus, which accept ANFs as their input. To demonstrate the power of our new tool, we apply it to Gimli, Ascon, and Xoodoo. For Gimli, we improve the efficiency of searching for a valid 8-round colliding DC compared with the previous MILP model (CRYPTO 2020). Our approach takes about one minute to find a valid 8-round DC, while the previous MILP model could not find any such DCs in practical time. Based on this DC, a practical semi-free-start collision attack on the intermediate 8-round Gimli-Hash is thus successfully mounted, i.e., a colliding message pair is found. For Ascon, we check several DCs reported at FSE 2021. Firstly, we verify a 2-round DC used in the collision attack on Ascon-Hash by giving a right pair (such a right pair requires $2^{156}$ attempts to find in a random search). Secondly, a 4-round differential used in the forgery attack on Ascon-128’s iteration phase is proven invalid, as a result, the corresponding forgery attack is invalid, too. For Xoodoo, we verify tens of thousands of 3-round DCs and two 4-round DCs extended from the so-called differential trail cores found by the designers or our search tool. We find all of these DCs are valid, which well demonstrates the sound independence of the differential propagation over Xoodoo’s round functions. Besides, as an independent interest, we develop a SAT-based automatic search toolkit called XoodooSat to search for 2-, 3-, and 4-round differential trail cores of Xoodoo. Our toolkit finds two more 3-round differential trail cores of weight 48 that were missed by the designers which enhance the security analysis of Xoodoo.

In this paper we introduce the differential-meet-in-the-middle framework, a new cryptanalysis technique against symmetric primitives. The idea of this new cryptanalysis method consists in combining into one attack techniques from both meet-in-the-middle and differential cryptanalysis. The introduced technique can be seen as a way of extending meet-in-the-middle attacks and their variants but also as a new way to perform the key recovery part in differential attacks. We provide a simple tool to search, given a differential, for efficient applications of this new attack and apply our approach, in combination with some additional techniques, to SKINNY-128-384. Our attack on SKINNY-128-384 permits to break 25 out of the 56 rounds of this variant and improves by two rounds the previous best known attacks in the single key model.

Adopting Post-Quantum Cryptography (PQC) in network protocols is a challenging subject. Larger PQC public keys and signatures can significantly slow the Transport Layer Security (TLS) protocol. In this context, KEMTLS is a promising approach that replaces the handshake signatures by using PQC Key Encapsulation Mechanisms (KEMs), which have, in general, smaller sizes. However, for broad PQC adoption, hybrid cryptography has its advantages over PQC-only approaches, mainly about the confidence in the security of existing cryptographic schemes. This work brings hybrid cryptography to the KEMTLS and KEMTLS-PDK protocols. We analyze different network conditions and show that the penalty when using Hybrid KEMTLS over PQC-only KEMTLS is minor under certain security levels. We also compare Hybrid KEMTLS with a hybrid version of PQTLS. Overall, the benefits of using hybrid protocols outweigh the slowdown penalties in higher security parameters, which encourages its use in practice.

The study of symmetric structures based on quasigroups is relatively new and certain gaps can be found in the literature. In this paper, we want to fill one of these gaps. More precisely, in this work we study substitution permutation networks based on quasigroups that make use of permutation layers that are non-linear relative to the quasigroup operation. We prove that for quasigroups isotopic with a group $\mathbb{G}$, the complexity of mounting a differential attack against this type of substitution permutation network is the same as attacking another symmetric structure based on $\mathbb{G}$. The resulting structure is interesting and new, and we hope that it will form the basis for future secure block ciphers.

Indistinguishability Obfuscation $(i\mathcal{O})$ is a highly versatile primitive implying a myriad advanced cryptographic applications. Up until recently, the state of feasibility of $i\mathcal{O}$ was unclear, which changed with works (Jain-Lin-Sahai STOC 2021, Jain-Lin-Sahai Eurocrypt 2022) showing that $i\mathcal{O}$ can be finally based upon well-studied hardness assumptions. Unfortunately, one of these assumptions is broken in quantum polynomial time. Luckily, the line work of Brakerski et al. Eurocrypt 2020, Gay-Pass STOC 2021, Wichs-Wee Eurocrypt 2021, Brakerski et al. ePrint 2021, Devadas et al. TCC 2021 simultaneously created new pathways to construct $i\mathcal{O}$ with plausible post-quantum security from new assumptions, namely a new form of circular security of LWE in the presence of leakages. At the same time, effective cryptanalysis of this line of work has also begun to emerge (Hopkins et al. Crypto 2021).

It is important to identify the simplest possible conjectures that yield post-quantum $i\mathcal{O}$ and can be understood through known cryptanalytic tools. In that spirit, and in light of the cryptanalysis of Hopkins et al., recently Devadas et al. gave an elegant construction of $i\mathcal{O}$ from a fully-specified and simple-to-state assumption along with a thorough initial cryptanalysis.

Our work gives a polynomial-time distinguisher on their "final assumption" for their scheme. Our algorithm is extremely simple to describe: Solve a carefully designed linear system arising out of the assumption. The argument of correctness of our algorithm, however, is nontrivial.

We also analyze the "T-sum" version of the same assumption described by Devadas et. al. and under a reasonable conjecture rule out the assumption for any value of $T$ that implies $i\mathcal{O}$.

Existing threshold signature schemes come in two flavors: (i) fully private, where the signature reveals nothing about the set of signers that generated the signature, and (ii) accountable, where the signature completely identifies the set of signers. In this paper we propose a new type of threshold signature, called TAPS, that is a hybrid of privacy and accountability. A TAPS signature is fully private from the public's point of view. However, an entity that has a secret tracing key can trace a signature to the threshold of signers that generated it. A TAPS makes it possible for an organization to keep its inner workings private, while ensuring that signers are accountable for their actions. We construct a number of TAPS schemes. First, we present a generic construction that builds a TAPS from any accountable threshold signature. This generic construction is not efficient, and we next focus on efficient schemes based on standard assumptions. We build two efficient TAPS schemes (in the random oracle model) based on the Schnorr signature scheme. We conclude with a number of open problems relating to efficient TAPS.

Fully Homomorphic Encryption is a technique that allows computation on encrypted data. It has the potential to drastically change privacy considerations in the cloud, but high computational and memory overheads are preventing its broad adoption. TFHE is a promising Torus-based FHE scheme that heavily relies on bootstrapping, the noise-removal tool that must be invoked after every encrypted gate computation.

We present FPT, a Fixed-Point FPGA accelerator for TFHE bootstrapping. FPT is the first hardware accelerator to heavily exploit the inherent noise present in FHE calculations. Instead of double or single-precision floating-point arithmetic, it implements TFHE bootstrapping entirely with approximate fixed-point arithmetic. Using an in-depth analysis of noise propagation in bootstrapping FFT computations, FPT is able to use noise-trimmed fixed-point representations that are up to 50% smaller than prior implementations using floating-point or integer FFTs.

FPT's microarchitecture is built as a streaming processor inspired by traditional streaming DSPs: it instantiates high-throughput computational stages that are directly cascaded, with simplified control logic and routing networks. We explore different throughput-balanced compositions of streaming kernels with a user-configurable streaming width in order to construct a full bootstrapping pipeline. FPT's streaming approach allows 100% utilization of arithmetic units and requires only small bootstrapping key caches, enabling an entirely compute-bound bootstrapping throughput of 1 BS / 35$\mu$s. This is in stark contrast to the established classical CPU approach to FHE bootstrapping acceleration, which tends to be heavily memory and bandwidth-constrained.

FPT is fully implemented and evaluated as a bootstrapping FPGA kernel for an Alveo U280 datacenter accelerator card. FPT achieves almost three orders of magnitude higher bootstrapping throughput than existing CPU-based implementations, and 2.5$\times$ higher throughput compared to recent ASIC emulation experiments.

Recently, fast advances in decentralized blockchains have led to the rapid development of decentralized payment systems and finance. In decentralized anonymous payment systems such as Monero, Zerocash and Zether, payment amounts and traders' addresses are confidential to other users. Therefore, cryptocurrency may be used for illegal activities such as money laundering, bribery and blackmails. To solve this problem, some decentralized anonymous payment schemes supporting regulation have been proposed. Unfortunately, most solutions have no restriction on the regulator's power, which may lead to abuse of power and disclosure of privacy. In this paper, we propose a decentralized anonymous payment scheme supporting collaborative regulation. Different from existing solutions, our scheme prevents abuse of power by dividing the regulatory power into two regulatory authorities. These two regulatory authorities, namely Filter and Supervisor, can cooperate to recover payment amounts and traders' addresses from suspicious transactions. However, neither Filter nor Supervisor alone can decode transactions to obtain transaction privacy. Our scheme enjoys three major advantages over others: 1) We design a generic transaction structure using zk-SNARK, 2) divide regulatory power using the regulation label, 3) and achieve aggregability of transaction amounts using the amount label. The experimental result shows that the time cost of generating a transaction is about 11 s and the transaction fee is about 12,183k gas, which is acceptable.

We present the first transparent and plausibly post-quantum SNARK relying on the Ring Short Integer Solution problem (Ring-SIS), a well-known assumption from lattice-based cryptography. At its core, our proof system relies on a new linear-commitment scheme named Vortex which is inspired from the work of Orion and Brakedown. Vortex uses a hash function based on Ring-SIS derived from “SWIFFT" (Lyubashevsky et al., FSE08). We take advantage of the linear structure of this particular hash function to craft an efficient self-recursion technique. Although Vortex proofs have $O(\sqrt{n})$ size in the witness size, we show how our self-recursion technique can be used to build a SNARK scheme based on Vortex. The resulting SNARK works over any field with reasonably large 2-adicity (also known as FFT-friendly fields). Moreover, we introduce Wizard-IOP, an extension of the concept of polynomial-IOP. Working with Wizard-IOP rather than separate polynomial-IOPs provides us with a strong tool for handling a wide class of queries, needed for proving the correct executions of the complex state machines (e.g., zk-EVM as our use-case) efficiently and conveniently.

The security of several cryptosystems rests on the trust assumption that a certain fraction of the parties are honest. This trust assumption has enabled a diverse of cryptographic applications such as secure multiparty computation, threshold encryption, and threshold signatures. However, current and emerging practical use cases suggest that this paradigm of one-person-one-vote is outdated.

In this work, we consider {\em weighted} cryptosystems where every party is assigned a certain weight and the trust assumption is that a certain fraction of the total weight is honest. This setting can be translated to the standard setting (where each party has a unit weight) via virtualization. However, this method is quite expensive, incurring a multiplicative overhead in the weight.

We present new weighted cryptosystems with significantly better efficiency. Specifically, our proposed schemes incur only an {\em additive} overhead in weights.

\begin{itemize} \item We first present a weighted ramp secret-sharing scheme where the size of the secret share is as short as $O(w)$ (where $w$ corresponds to the weight). In comparison, Shamir's secret sharing with virtualization requires secret shares of size $w\cdot\lambda$, where $\lambda=\log |\mathbb{F}|$ is the security parameter. \item Next, we use our weighted secret-sharing scheme to construct weighted versions of (semi-honest) secure multiparty computation (MPC), threshold encryption, and threshold signatures. All these schemes inherit the efficiency of our secret sharing scheme and incur only an additive overhead in the weights. \end{itemize}

Our weighted secret-sharing scheme is based on the Chinese remainder theorem. Interestingly, this secret-sharing scheme is {\em non-linear} and only achieves statistical privacy. These distinct features introduce several technical hurdles in applications to MPC and threshold cryptosystems. We resolve these challenges by developing several new ideas.

In this work we extend the known pseudorandomness of Ring-LWE (RLWE) to be based on ideal lattices of non Dedekind domains. In earlier works of Lyubashevsky et al (EUROCRYPT 2010) and Peikert et al (STOC 2017), the hardness of RLWE was based on ideal lattices of ring of integers of number fields, which are known to be Dedekind domains. While these works extended Regev's (STOC 2005) quantum polynomial-time reduction for LWE, thus allowing more efficient and more structured cryptosystems, the additional algebraic structure of ideals of Dedekind domains leaves open the possibility that such ideal lattices are not as hard as general lattices.

We now show that for any number field $\mathbb{Q}[X]/(f(X))$, for all prime integers $p$ such that the factorization of $f(X)$ modulo $p$ passes the Dedekind index theorem criterion, which is almost all $p$, we can base $p$-power RLWE in the polynomial ring $\mathbb{Z}[X]/(f(X))$ itself and its hardness on hardness of ideal lattices of this ring. This ring can potentially be a strict sub-ring of the ring of integers of the field, and hence not be a Dedekind domain. We also give natural examples, and prove that certain ideals require at least three generators, as opposed to two sufficient for Dedekind domains. Such rings also do not satisfy many other algebraic properties of Dedekind domains such as ideal invertibility. Our proof technique is novel as it builds an algebraic theory for general such rings that also include cyclotomic rings.