International Association
for Cryptologic Research

Event date: 20 August 2023
Submission deadline: 15 June 2023

We are looking for a bright and motivated PhD student to work in the topics of information security and cryptography.

The student is expected to work on topics that include security and privacy issues in authentication. More precisely, the student will be working on investigating efficient and privacy-preserving authentication that provides: i) provable security guarantees, and ii) rigorous privacy guarantees.

Key Responsibilities:

• Perform exciting and challenging research in the domain of information security and cryptography.
• Support and assist in teaching computer security and cryptography courses.

Profile:

• The PhD student is expected to have a MSc degree or equivalent, and strong background in cryptography, network security and mathematics.
• Experience in one or more domains such as cryptography, design of protocols, secure multi-party computation and differential privacy is beneficial.
• Excellent programming skills.
• Excellent written and verbal communication skills in English

The Chair of Cyber Security, https://cybersecurity.unisg.ch/, is a part of the Institute of Computer Science (ICS) at the University of St.Gallen. The chair was established in autumn semester 2020 and is led by Prof. Dr. Katerina Mitrokotsa. Our research interests are centered around information security and applied cryptography, with the larger goal of safeguarding communications and providing strong privacy guarantees. We are currently active in multiple areas including the design of provably secure cryptographic protocols and cryptographic primitives that can be employed for reliable authentication, outsourcing computations in cloud-assisted settings, network security problems as well as secure and privacy-preserving machine learning. As a doctoral student you will be a part of the Doctoral School of Computer Science (DCS), https://dcs.unisg.ch.

The starting date for the position is flexible and come with a very competitive salary. The selection process runs until the suitable candidate has been found.

Closing date for applications:

Contact:
Eriane Breu, eriane.breu@unisg.ch (Administrative matters)
Prof. Katerina Mitrokotsa, katerina.mitrokotsa@unisg.ch (Research related questions)

There is an open call for a Postdoc position in the Cyber Security and Applied Cryptograhy research group at the Institute of Computer Science, University of St.Gallen, led by Prof. Katerina Mitrokotsa.

Our research interests are centered around information security and applied cryptography, with the larger goal of safeguarding communications and providing strong privacy guarantees. We are active in several areas, a subset of which include:

• Verifiable computation
• Secure, private and distributed aggregation
• Secure multi-party computation
• Privacy-preserving biometric authentication
• Anonymous credentials
• Distributed and privacy-preserving authentication

Candidates should have a strong background in applied cryptography and provable security, are able to work independently and also collaborate in a team. Applicants must hold a Ph.D., with contributions in the relevant research topics and have publications in good venues.

The starting date for the position is flexible and come with a very competitive salary. The selection process runs until the suitable candidate has been found. The University of St.Gallen conducts excellent research with international implications. The city of St.Gallen is located one hour from Zurich and offers a high quality of life.

Closing date for applications:

Contact:
Eriane Breu, eriane.breu@unisg.ch (Administrative matters)
Prof. Katerina Mitrokotsa, katerina.mitrokotsa@unisg.ch (Research related questions)

The University of Klagenfurt in southern Austria is looking for a Professor of Cybersecurity:

https://jobs.aau.at/en/job/professor-of-cybersecurity/

Application deadline is 18 June 2023.

Closing date for applications:

Contact: Wolfgang Faber

More information: https://jobs.aau.at/en/job/professor-of-cybersecurity/

The Fraunhofer-Gesellschaft (www.fraunhofer.com) currently operates 76 institutes and research institutions throughout Germany and is the world’s leading applied research organization. We at Fraunhofer FIT are an excellent partner for the human-centric design of our digital future. Some 350 scientists are working within interdisciplinary teams on innovative solutions for current challenges in the domains of Digital Energy, Health and Sustainability as well as Human-centered Engineering & Design, Data Science & AI, Business & Information Systems Engineering, Microsimulation, and Cooperation Systems like Blockchain.

Are you interested in research & practical projects around the topic Data Privacy and Data Spaces? Then take the chance and become part of our department Data Science and Artificial Intelligence in Aachen/Sankt Augustin in Germany!

Our research group, Data Protection and Sovereignty, is dedicated to developing cutting-edge solutions that ensure the security and privacy of sensitive data in real-world data-driven use-cases across various application domains. These include, but are not limited to, cybersecurity, data spaces, energy, supply chain, finance, and health. Data sovereignty, the ability of individuals or entities to have complete control over their data, requires advanced technologies beyond anonymization, such as homomorphic encryption (HE), secure multi-party computation (MPC), and differential privacy. As a part of this team, you will conduct research and develop secure solutions for real-world use-cases (e.g., data spaces, machine learning applications, secure data exchange, distributed systems) to enable data privacy and data sovereignty with partners from industry and research, in national and international projects.

Apply here: https://jobs.fraunhofer.de/job/Sankt-Augustin-Junior-Research-Group-LeaderPostdoc-%28mfd%29-in-the-area-of-Data-Privacy-and-Data-Sovereignty-53757/936608601/

Closing date for applications:

Contact: Dr. Avikarsha Mandal

More information: https://jobs.fraunhofer.de/job/Sankt-Augustin-Junior-Research-Group-LeaderPostdoc-%28mfd%29-in-the-area-of-Data-Privacy-and-Data-Sovereignty-53757/936608601/

We are looking for a bright, ambitious, and motivated PhD student to join the cryptography group in the Cybersecurity Engineering Section at DTU Compute in the Copenhagen region of Denmark. The 3-year PhD position will preferably start on 1 January 2024.
The goal of the PhD project is to improve the state of threshold post-quantum cryptography. You will join the growing cryptography team at DTU and be able to work with researchers in- and outside of the Copenhagen region and Denmark.

Closing date for applications:

Contact: Carsten Baum

More information: https://efzu.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_1/job/1763/?utm_medium=jobshare

OpenZeppelin is the premier crypto cybersecurity technology and services company, trusted by the most used DeFi and NFT projects in the world.

The security services team at OpenZeppelin is responsible for the planning, execution, and delivery of Security Audits for the world’s leading web3 organizations and protocols.

What you'll be doing:
1. Review smart contracts for the top decentralized applications before they get launched and present findings and vulnerabilities that the protocol can have to the client.
2. Team up with one or two auditors and review code line by line and try to hack it.
3. Working on proposals to make code easier to understand and use in the future by sharing good practices
4. Conduct open-ended research around cutting edge blockchain technologies
5. Paid time to conduct research and contribute to OpenZeppelin’s projects and knowledge

Benefits
1. Unlimited holidays
2. Fully remote: your way of working
3. Paid parental leave & benefits for primary or second caregiver
4. Team events: onboarding tour & company retreats in different locations around the world
5. Work from home office equipment stipend of up to $500 USD
6. Monthly allowance for wellness activities
7. Coworking: access to a coworking space of your choice
8. Learning: technical training; spoken language lessons in any language of your choice (using Italki)

Closing date for applications:

Contact: David Bessin

More information: https://www.openzeppelin.com/jobs/opening?gh_jid=4254142003

Founded in 2015, OpenZeppelin is the premier crypto cybersecurity technology and services company, trusted by the most used DeFi and NFT projects in the world. Our mission is to protect the open economy, safeguarding tens of billions of dollars in funds for leading crypto organizations including Aave, Coinbase, Compound, Ethereum Foundation, TheGraph and many others. The security services team at OpenZeppelin is responsible for the planning, execution, and delivery of Security Audits for the world’s leading web3 organizations and protocols. We are looking to bolster this team by adding specialized cryptographer roles to lead technical audits of ZK projects and perform independent research. The ZK cryptography researcher is responsible for auditing cryptographic implementations of ZK protocols, alongside our experienced team of security researchers that are analyzing the on-chain components of these protocols. This role will also be in charge of leading cryptography research on the team. Check out the link for a full job description.

Closing date for applications:

Contact: David Bessin

More information: https://www.openzeppelin.com/jobs/opening?gh_jid=5612131003

Wouter Lueks (https://wouterlueks.nl) has fully-funded PhD and post-doc positions available in the area of privacy-enhancing technologies at CISPA Helmholtz Center for Information Security. His research group is interested in designing of end-to-end privacy-friendly systems that solve real-world problems. His research covers three broad areas to achieve this goal: (1) applied cryptography; (2) systems building for anonymity; and (3) the evaluation of privacy-friendly systems.

Applicants for a PhD position should hold a bachelor or master’s degree in Computer Science, Mathematics, or related field, and have an interest in privacy, security and/or cryptography. Post-doc applications should hold a PhD in a related field, and have an proven publication record with publications in top venues (e.g., USENIX, S&P, NDSS, or CCS) or specific privacy venues (e.g., PETS).

For more information, including instructions for how to apply, see: https://wouterlueks.nl/positions/. If you have any questions, please don’t hesitate to reach out by email. Applications will be considered on a rolling basis.

Closing date for applications:

Contact: Wouter Lueks (lueks .at. cispa .dot. de)

More information: https://wouterlueks.nl/positions/

The School of Computing and Information Technology (SCIT) is looking to recruit an enthusiastic staff member to support teaching and research within SCIT, particularly in the cybersecurity domain, which includes flexible delivery, online degrees and micro-credentials. SCIT aims to maintain its position as a world class Research School and this position is expected to contribute towards that aim. There are key challenges the Lecturer will be required to meet, including but not limited to: Conduct original research of lasting significance and disseminate it Apply and be awarded external research grants Develop teaching material To help maintain an enthusiastic and productive collegial environment as you teach and inspire students Please apply online only. No email application is accepted.

Closing date for applications:

Contact: Prof. Willy Susilo

More information: https://www.uow.edu.au/about/jobs/jobs-available/?fbclid=IwAR1UDzq77c_MqIg_kcxsiFkkp25WoGWErpkK7EIVegHIlOAKqgC8dXvphlQ#en/sites/CX_1/requisitions/preview/3486/?lastSelectedFacet=POSTING_DATES&selectedPostingDatesFacet=30

The MPC in the Head (MPCitH) paradigm has recently led to significant improvements for signatures in the code-based setting. In this paper we consider some modifications to a recent twist of MPCitH, called Hypercube-MPCitH, that in the code-based setting provides the currently best known signature sizes. By compressing the Hypercube-MPCitH five round code-based identification into three rounds we obtain two main benefits. On the one hand, it allows us to further develop recent techniques to provide a tight security proof in the quantum-accessible random oracle model (QROM), avoiding the catastrophic reduction losses incurred using generic QROM-results for Fiat-Shamir. On the other hand, we can reduce the already low-cost online part of the signature to just a hash and some serialization. In addition, we propose the introduction of proof-of-work techniques to allow for a reduction in signature size. On the technical side, we develop generalizations of several QROM proof techniques and introduce a variant of the recently proposed extractable QROM.

In this short note we give another direct proof for the variant of the FO transform used by Kyber in the QROM. At PKC'23 Maram & Xagawa gave the first direct proof which does not require the indirection via FO with explicit rejection, thereby avoiding either a non-tight bound, or the necessity to analyze the failure probability in a new setting. However, on the downside their proof produces a bound that incurs an additive collision bound term. We explore a different approach for a direct proof, which results in a simpler argument closer to prior proofs, but a slightly worse bound.

Batch proofs are proof systems that convince a verifier that $x_1,\dots, x_t \in L$, for some $NP$ language $L$, with communication that is much shorter than sending the $t$ witnesses. In the case of statistical soundness (where the cheating prover is unbounded but honest prover is efficient), interactive batch proofs are known for $UP$, the class of unique witness $NP$ languages. In the case of computational soundness (aka arguments, where both honest and dishonest provers are efficient), non-interactive solutions are now known for all of $NP$, assuming standard cryptographic assumptions. We study the necessary conditions for the existence of batch proofs in these two settings. Our main results are as follows.

1. Statistical Soundness: the existence of a statistically-sound batch proof for $L$ implies that $L$ has a statistically witness indistinguishable ($SWI$) proof, with inverse polynomial $SWI$ error, and a non-uniform honest prover. The implication is unconditional for public-coin protocols and relies on one-way functions in the private-coin case.

This poses a barrier for achieving batch proofs beyond $UP$ (where witness indistinguishability is trivial). In particular, assuming that $NP$ does not have $SWI$ proofs, batch proofs for all of $NP$ do not exist. This motivates further study of the complexity class $SWI$, which, in contrast to the related class $SZK$, has been largely left unexplored.

2. Computational Soundness: the existence of batch arguments ($BARG$s) for $NP$, together with one-way functions, implies the existence of statistical zero-knowledge ($SZK$) arguments for $NP$ with roughly the same number of rounds, an inverse polynomial zero-knowledge error, and non-uniform honest prover.

Thus, constant-round interactive $BARG$s from one-way functions would yield constant-round $SZK$ arguments from one-way functions. This would be surprising as $SZK$ arguments are currently only known assuming constant-round statistically-hiding commitments (which in turn are unlikely to follow from one-way functions).

3. Non-interactive: the existence of non-interactive $BARG$s for $NP$ and one-way functions, implies non-interactive statistical zero-knowledge arguments ($NISZKA$) for $NP$, with negligible soundness error, inverse polynomial zero-knowledge error, and non-uniform honest prover. Assuming also lossy public-key encryption, the statistical zero-knowledge error can be made negligible. We further show that $BARG$s satisfying a notion of honest somewhere extractability imply lossy public key encryption.

All of our results stem from a common framework showing how to transform a batch protocol for a language $L$ into an $SWI$ protocol for $L$.

Isogeny-based cryptography is famous for its short key size. As one of the most compact digital signatures, SQISign (Short Quaternion and Isogeny Signature) is attractive among post-quantum cryptography, but it is ineffcient compared to other post-quantum competitors because of complicated procedures in ideal to isogeny translation, which is the effciency bottleneck of the signing phase. In this paper, we recall the current implementation of SQISign and mainly discuss how to improve the execution of ideal to isogeny translation in SQISign. To be precise, we modify the SigningKLPT algorithm to accelerate the performance of generating the ideal $I_\sigma$. In addition, we explore how to save one of the two elliptic curve discrete logarithms and compute the remainder with the help of the reduced Tate pairing correctly and effciently. We speed up other procedures in ideal to isogeny translation with various techniques as well. It should be noted that our improvements also benefit the performances of key generation and verification in SQISign. In particular, in the instantiation with p3923 the improvements lead to a speedup of 8.82%, 8.50% and 18.94% for key generation, signature and verification, respectively

We implement the Schnorr proof system in assembler via the Jasmin toolchain, and prove the security (proof-of-knowledge property) and the absence of leakage through timing side-channels of that implementation in EasyCrypt.

In order to do so, we show how leakage-freeness of Jasmin programs can be proven for probabilistic programs (that are not constant-time). We implement and verify algorithms for fast constant-time modular multiplication and exponentiation (using Barrett reduction and Montgomery ladder). We implement and verify the rejection sampling algorithm. And finally, we put it all together and show the security of the overall implementation (end-to-end verification) of the Schnorr protocol, by connecting our implementation to prior security analyses in EasyCrypt (Firsov, Unruh, CSF 2023).

Designing efficient distributed protocols for various agreement tasks such as Byzantine Agreement, Broadcast, and Committee Election is a fundamental problem. We are interested in $scalable$ protocols for these tasks, where each (honest) party communicates a number of bits which is sublinear in $n$, the number of parties. The first major step towards this goal is due to King et al. (SODA 2006) who showed a protocol where each party sends only $\tilde O(1)$ bits throughout $\tilde O(1)$ rounds, but guarantees only that $1-o(1)$ fraction of honest parties end up agreeing on a consistent output, assuming constant $<1/3$ fraction of static corruptions. Few years later, King et al. (ICDCN 2011) managed to get a full agreement protocol in the same model but where each party sends $\tilde O(\sqrt{n})$ bits throughout $\tilde O(1)$ rounds. Getting a full agreement protocol with $o(\sqrt{n})$ communication per party has been a major challenge ever since.

In light of this barrier, we propose a new framework for designing efficient agreement protocols. Specifically, we design $\tilde O(1)$-round protocols for all of the above tasks (assuming constant $<1/3$ fraction of static corruptions) with optimistic and pessimistic guarantees:

$\bullet$ $Optimistic$ $complexity$: In an honest execution, (honest) parties send only $\tilde O(1)$ bits.

$\bullet$ xxx$Pessimistic$ $complexity$: In any other case, (honest) parties send $\tilde O(\sqrt{n})$ bits.

Thus, all an adversary can gain from deviating from the honest execution is that honest parties will need to work harder (i.e., transmit more bits) to reach agreement and terminate. Besides the above agreement tasks, we also use our new framework to get a scalable secure multiparty computation (MPC) protocol with optimistic and pessimistic complexities.

Technically, we identify a relaxation of Byzantine Agreement (of independent interest) that allows us to fall-back to a pessimistic execution in a coordinated way by all parties. We implement this relaxation with $\tilde O(1)$ communication bits per party and within $\tilde O(1)$ rounds.

We propose a lightweight block cipher named BAKSHEESH, which follows up on the popular cipher GIFT-128 (CHES'17). BAKSHEESH runs for 35 rounds, which is 12.50 percent smaller compared to GIFT-128 (runs for 40 rounds) while maintaining the same security claims against the classical attacks.

The crux of BAKSHEESH is to use a 4-bit SBox that has a non-trivial Linear Structure (LS). An SBox with one or more non-trivial LS has not been used in a cipher construction until DEFAULT (Asiacrypt'21). DEFAULT is pitched to have inherent protection against the Differential Fault Attack (DFA), thanks to its SBox having 3 non-trivial LS. BAKSHEESH, however, uses an SBox with only 1 non-trivial LS; and is a traditional cipher just like GIFT-128.

The SBox requires a low number of AND gates, making BAKSHEESH suitable for side-channel countermeasures (when compared to GIFT-128) and other niche applications. Indeed, our study on the cost of the threshold implementation shows that BAKSHEESH offers a few-fold advantage over other lightweight ciphers. The design is not much deviated from its predecessor (GIFT-128), thereby allowing for easy implementation (such as fix-slicing in software). However, BAKSHEESH opts for the full-round key XOR, compared to the half-round key XOR in GIFT.

Thus, when taking everything into account, we show how a cipher construction can benefit from the unique vantage point of using 1 LS SBox, by combining the state-of-the-art progress in classical cryptanalysis and protection against device-dependent attacks. We, therefore, create a new paradigm of lightweight ciphers, by adequate deliberation on the design choice, and solidify it with appropriate security analysis and ample implementation/benchmark.

In this work, we set out to create a subversion resilient authenticated key exchange protocol. The first step was to design a meaningful security model for this primitive, and our goal was to avoid using building blocks like reverse firewalls and public watchdogs. We wanted to exclude these kinds of tools because we desired that our protocols to be self contained in the sense that we could prove security without relying on some outside, tamper-proof party. To define the model, we began by extending models for regular authenticated key exchange, as we wanted our model to retain all the properties from regular AKE. While trying to design protocols that would be secure in this model, we discovered that security depended on more than just the protocol, but also on engineering questions like how keys are stored and accessed in memory. Moreover, even if we assume that we can find solutions to these engineering challenges, other problems arise when trying to develop a secure protocol, partly because it's hard to define what secure means in this setting.It is in particular not clear how a subverted algorithm should affect the freshness predicate inherited from trivial attacks in regular AKE. The attack variety is large, and it is not intuitive how one should treat or classify the different attacks. In the end, we were unable to find a satisfying solution for our model, and hence we could not prove any meaningful security of the protocols we studied. This work is a summary of our attempt, and the challenges we faced before concluding it.

Symmetric-key primitives designed over the prime field $\mathbb{F}_p$ with odd characteristics, rather than the traditional $\mathbb{F}_2^{n}$, are becoming the most popular choice for MPC/FHE/ZK-protocols for better efficiencies. However, the security of $\mathbb{F}_p$ is less understood as there are highly nontrivial gaps when extending the cryptanalysis tools and experiences built on $\mathbb{F}_2^{n}$ in the past few decades to $\mathbb{F}_p$.

At CRYPTO 2015, Sun et al. established the links among impossible differential, zero-correlation linear, and integral cryptanalysis over $\mathbb{F}_2^{n}$ from the perspective of distinguishers. In this paper, following the definition of linear correlations over $\mathbb{F}_p$ by Baignéres, Stern and Vaudenay at SAC 2007, we successfully establish comprehensive links over $\mathbb{F}_p$, by reproducing the proofs and offering alternatives when necessary. Interesting and important differences between $\mathbb{F}_p$ and $\mathbb{F}_2^n$ are observed.

- Zero-correlation linear hulls can not lead to integral distinguishers for some cases over $\mathbb{F}_p$, while this is always possible over $\mathbb{F}_2^n$ proven by Sun et al..

- When the newly established links are applied to GMiMC, its impossible differential, zero-correlation linear hull and integral distinguishers can be increased by up to 3 rounds for most of the cases, and even to an arbitrary number of rounds for some special and limited cases, which only appeared in $\mathbb{F}_p$. It should be noted that all these distinguishers do not invalidate GMiMC's security claims.

The development of the theories over $\mathbb{F}_p$ behind these links, and properties identified (be it similar or different) will bring clearer and easier understanding of security of primitives in this emerging $\mathbb{F}_p$ field, which we believe will provide useful guides for future cryptanalysis and design.

In attribute-based signatures (ABS) for range of inner product (ARIP), recently proposed by Ishizaka and Fukushima at ICISC 2022, a secret-key labeled with an $n$-dimensional vector $\mathbf{x}\in\mathbb{Z}_p^n$ for a prime $p$ can used to sign a message under an $n$-dimensional vector $\mathbf{y}\in\mathbb{Z}_p^n$ and a range $[L,R]=\{L, L+1, \cdots, R-1, R\}$ with $L,R\in\mathbb{Z}_p$ iff their inner product is within the range, i.e., $\langle \mathbf{x}, \mathbf{y} \rangle \in [L,R]\pmod p$. We consider its key-range version, named key-range ARIP (KARIP), where the range $[L,R]$ is associated with a secret-key but not with a signature. We propose three generic KARIP constructions based on linearly homomorphic signatures and non-interactive witness-indistinguishable proof, which lead to concrete KARIP instantiations secure under standard assumptions with different features in terms of efficiency. We also show that KARIP has various applications, e.g., key-range ABS for range evaluation of polynomials/weighted averages/Hamming distance/Euclidean distance, key-range time-specific signatures, and key-range ABS for hyperellipsoid predicates.