We observe that the reliability of the arbiter-PUF gets worse over time, whereas the reliability of the loop-PUF remains constant. We attribute this phenomenon to the asymmetric aging of the arbiter: one half is active (hence ages fast) while the other is not (hence ages slowly). Besides, we notice that the aging of the delay chain in the arbiter-PUF and in the loop-PUF has no impact on their reliability, since these PUFs operate differentially.

Our analysis identifies two families of intractability assumptions, the $q$-Generalized Diffie-Hellman Exponent assumptions and the $q$-Simple Fractional assumptions that imply all other target assumptions. These two assumptions therefore serve as Uber assumptions that can underpin all the target assumptions where the adversary has to compute specific group elements. We also study the internal hierarchy among members of these two assumption families. We provide heuristic evidence that both families are necessary to cover the full class of target assumptions, and we show that the lowest level in the $q$-GDHE hierarchy (the $1$-GDHE assumption) is equivalent to the computational Diffie-Hellman assumption.

We generalize our results to the bilinear group setting. For the base groups our results translate nicely and a similar structure of non-interactive computational assumptions emerges. We also identify Uber assumptions in the target group, but this requires replacing the $q$-GDHE assumption with a more complicated assumption, which we call the Bilinear Gap Assumption.

Our analysis can assist both cryptanalysts and cryptographers. For cryptanalysts, we propose that the $q$-GDHE and the $q$-SDH assumptions are the most natural and important targets for cryptanalysis in prime-order groups. For cryptographers, we believe our classification can aid the choice of assumptions underpinning cryptographic schemes and be used as a guide to minimize the overall attack surface that different assumptions expose.

The post-holder will be required to work as part of a multidisciplinary research team and will be responsible for tasks that include designing and implementing software to collect data from various sources on the web, such as Google searches and browser activity, developing privacy-preserving protocols for data aggregation, designing experiments to analyze the data and compare the results to existing surveillance information, designing real-time visualization tools to display the information, designing and implementing databases to store information, and documenting and publishing the results.

This position is funded until 30 September 2018 in the first instance.

**Closing date for applications:** 6 May 2017

**Contact:** Emiliano De Cristofaro

https://emilianodc.com

**More information:** https://tinyurl.com/isense-privacy-position

The Cyber Security (CSec) research group and the Centre for Parallel Computing (CPC) at the University of Westminster are looking for one Research Associate in Cloud Security to carry out research within the EU funded H2020 COLA (Cloud Orchestration at the Level of Application) project. COLA will define and provide a reference implementation of a generic and pluggable framework that supports the optimal and secure deployment and run-time orchestration of cloud applications. The successful candidate will carry out tasks in relation to the design and development of novel secure and privacy-preserving cloud orchestration solutions, specifically targeting and supporting application developers. In addition to that, the successful candidate will be also expected to contribute in writing project deliverables and research papers related to the project.

We expect candidates to have a strong research background in network security and/or applied cryptography. Proven research in areas such as trusted computing, cloud security, safety verification, security verification, data privacy, cyber-physical and internet of things security and cloud or mobile security will be considered as a plus.

The primary objective of the Cyber Security Research Group at the University of Westminster is to bring together expertise in education, research and practice in the field of information security and privacy. The group members conduct research in areas spanning from the theoretical foundations of cryptography to the design and implementation of leading edge efficient and secure communication protocols. To this end, we welcome applications from candidates whose research areas complement the existing research of the group.

**Job reference number:** 50046999

**Salary:** £33,387 to £38,489 per annum

**Contract:** Fixed Term until June 2019

**Closing date:** 16th May 2017

**Interviews are likely to be held on:** 31st of May 2017

**Closing date for applications:** 16 May 2017

**Contact:** For an informal discussion contact Dr Antonis Michalas (a.michalas (at) westminster.ac.uk) or Dr Tamas Kiss (T.Kiss (at) westminster.ac.uk).

**More information:** http://tinyurl.com/hdawr6e

The Faculty of Informatics at the Vienna University of Technology is looking for outstanding young researchers from abroad to set up and manage an independent research group as part of the Vienna Science and Technology Fund’s (WWTF) Vienna Research Groups for Young Investigators (VRSYI) Call 2017 - Mathematics and… .

Applications are sought from researchers from abroad who have recently completed their PhD (2 – 8 years ago) with an excellent research track record. Selected candidates will, together with an experienced researcher of the Faculty of Informatics as a proponent, prepare a proposal to be submitted to the WWTF VRSYI Call 2017 - Mathematics and… . Should this proposal be successful, the proposed project will be funded to the amount of 1.6 million euro by the WWTF for a period of 6 – 8 years. The Vienna University of Technology will further offer the successful candidate a tenure-track position (assistant professor), which will be later transformed into a tenured position (associate professor) subject to a positive overall assessment, with subsequent possibility of promotion to full professor.

Applications from researchers working on mathematical methods for Security and Privacy, such as

- Cryptography

- Formal Methods for Security and Privacy

- Language-based Security

- Security and Privacy in Machine Learning

are welcome. These should be sent in digital format (a single pdf file) to Univ. Prof. Matteo Maffei (*matteo.maffei (at) tuwien.ac.at*). The deadline for applications is May 2, 2017. The application should consist of

- CV (including a list of publications)

- a brief outline of the intended research project

Further information on the call is available at:

https://www.wwtf.at/programmes/vienna_research_groups/index.php?lang=EN#VRG17

**Closing date for applications:** 2 May 2017

**Contact:** Univ. Prof. Matteo Maffei

**Organisation**

CEA Tech is the CEA’s technology research unit. In 2013, CEA Tech opened regional branch offices, including one in the South of France close to the Cadarache center. Based in Provence, the Secure Systems and Architectures (SAS) research team is located at Gardanne within the campus of the CMP (Center of Microelectronic of Provence), near a cluster of academic and industrial partners. Its research interest is mostly in the design and test of secure integrated circuits.

**Job**

The post-doctoral position (12 months) is financed by the PROSECCO project (ANR) that aims at developing tools that will automatically insert protections against side-channel and fault attacks in the compilation flow and formally prove the functional equivalence and the robustness of the protected software. The consortium is composed of the LIP6 (Univ. Paris 6) and the CEA.

The post-doc work will focus on the security analysis of the code generated with the Prosecco flow according to different use cases (verify PIN, AES, bootloader) and different threats (SCA, FA). This analysis will be conducted with state-of-the-art side-channel and fault injection benches. Some intermediate security evaluations will also be conducted with "low cost" equipment setups. This work will involve close interaction with the other teams. The selected candidate will bring to other tasks of the project a central expertise in physical attacks and countermeasures.

**Applicant Profile**

PhD in microelectronics, computer science or a related field with a focus on hardware security and physical attacks (SCA and/or FA).

Knowledge and experience in some or all of the following fields will be an asset during the position: hardware security, physical attacks and countermeasures, cryptography, microprocessors, software and compilation.

Good programming practice. Written and spoken English.

A brief description of the PhD thesis, a publication list and some recommendations should be included in your application.

Job location: Gardanne (France)

Start date: 01/09/2017 (to be discussed)

**Closing date for applications:** 1 September 2017

**Contact:**

Pierre-Alain Moellic

*pierre-alain.moellic (at) cea.fr*

I am looking for PhD interns on cyber-physical system security (IoT, autonomous vehicles, power grids, etc.), especially on topics such as 1) lightweight and low-latency crypto algorithms for CPS devices, 2) resilient authentication of devices and data in CPS, 3) advanced SCADA firewalls to filter more sophisticated attack packets in CPS, 4) big-data-based threat analytics for detection of both known and unknown threats, and 5) attack mitigation to increase the resilience of CPS. The attachment will be at least 3 months. An allowance will be provided for local expenses.

Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.

**Closing date for applications:** 30 May 2017

**Contact:** Prof. Jianying Zhou

Email: *jianying_zhou (at) sutd.edu.sg*

**More information:** http://jianying.space/

We evaluate our attacks on the Monero blockchain and show that in 87% of cases, the real output being redeemed can be easily identified with certainty. Moreover, we have compelling evidence that two of our attacks also extend to Monero RingCTs, the second-generation Monero transactions that even hide the transaction value. Furthermore, we observe that for over 98% of the inputs that we have been able to trace, the real output being redeemed in it is the one that has been on the blockchain for the shortest period of time. This result shows that the mitigation measures currently employed in Monero fall short of preventing temporal analysis.

Motivated by our findings, we also propose a new mitigation strategy against temporal analysis. Our mitigation strategy leverages the real spending habits of Monero users.

- Two-round witness indistinguishable (WI) arguments for NP from different assumptions than previously known.

- Two-round arguments and three-round proofs of knowledge for NP that achieve strong WI, witness hiding (WH) and distributional weak zero knowledge (WZK) properties in a setting where the instance is only determined by the prover in the last round of the interaction. The soundness of these protocols is guaranteed against adaptive provers.

- Three-round two-party computation satisfying input-indistinguishable security as well as a weaker notion of simulation security against malicious adversaries.

- Three-round extractable commitments with guaranteed correctness of extraction from polynomial hardness assumptions.

Our three-round protocols can be based on DDH, QR or $N$-th residuosity, and our two-round protocols require quasi-polynomial hardness of the same assumptions. In particular, prior to this work, two-round WI arguments for NP were only known based on assumptions such as the existence of trapdoor permutations, hardness assumptions on bilinear maps, or the existence of program obfuscation; we give the first construction based on (quasi-polynomial) DDH.

Our simulation technique bypasses known lower bounds on black-box simulation [Goldreich-Krawczyk'96] by using the distinguisher's output in a meaningful way. We believe that this technique is likely to find more applications in the future.

In this work, we formalize the notion of maliciously secure multi-client ORAM, we prove that the server-side computational complexity of any secure realization has to be $\Omega(n)$, and we present a cryptographic instantiation of this primitive based on private information retrieval techniques, which achieves an $O(\sqrt{N})$ communication complexity. We further devise an efficient access control mechanism, built upon a novel and generally applicable realization of plaintext equivalence proofs for ciphertext vectors. Finally, we demonstrate how our lower bound can be bypassed by leveraging a trusted proxy, obtaining logarithmic communication and server-side computational complexity. We implemented our scheme and conducted an experimental evaluation, demonstrating the feasibility of our approach.

One interesting aspect of the defined object is its connection to the standard Euclidean algorithm for finding the gcd of two numbers. The connection is useful in our proof of the amortized cost, which is based on results concerning the average behavior of the quotient sequence of the Euclidean algorithm.

In the security analysis, we study the difficulty of the inverse problem of recovering the seed pair from the keystream of the proposed method(s). Based on this study, we deduce a lower bound on the sizes of the secret parameters that provide adequate security. The study of the inverse problem establishes a computational equivalence between a special case of it (defined as Problem A) and the problem of factoring integers.

We present an authenticated encryption scheme as another application of the defined object. The present work leaves some open issues which we are addressing in our ongoing work.

Submission deadline: 1 September 2017

Notification: 24 November 2017

Submission deadline: 9 June 2017

Notification: 6 July 2017

In this paper, we present the first computationally function private constructions for public-key predicate encryption. Our framework for computational function privacy requires that a secret-key corresponding to a predicate sampled from a distribution with min-entropy super-logarithmic in the security parameter $\lambda$ is *computationally indistinguishable* from another secret-key corresponding to a uniformly and independently sampled predicate. Within this framework, we develop a novel approach, denoted as *encrypt-augment-recover*, that takes an existing predicate encryption scheme and transforms it into a computationally function private one while retaining its original data privacy guarantees. Our approach leads to public-key constructions for identity-based encryption and inner-product encryption that are fully data private and computationally function private under a family of weaker variants of the DLIN assumption. Our constructions, in fact, satisfy an *enhanced* notion of function privacy, requiring that an adversary learns nothing more than the minimum necessary from a secret-key, even given corresponding ciphertexts with attributes that allow successful decryption.

In this paper we present Solidus, a protocol for confidential transactions on public blockchains, such as those required for asset transfers with on-chain settlement. Solidus operates in a framework based on real-world financial institutions: a modest number of banks each maintain a large number of user accounts. Within this framework, Solidus hides both transaction values and the transaction graph (i.e., the identities of transacting entities) while maintaining the public verifiability that makes blockchains so appealing. To achieve strong confidentiality of this kind, we introduce the concept of a Publicly-Verifiable Oblivious RAM Machine (PVORM). We present a set of formal security definitions for both PVORM and Solidus and show that our constructions are secure. Finally, we implement Solidus and present a set of benchmarks indicating that the system is efficient in practice.

Post-quantum cryptography is cryptography under the assumption that the attacker has a large quantum computer; post-quantum cryptosystems strive to remain secure even in this scenario. This relatively young research area has seen some successes in identifying mathematical operations for which quantum algorithms offer little speedup, and then building cryptographic systems around those. The central challenge in post-quantum cryptography is to meet demands for cryptographic usability and flexibility without sacrificing trust.

**Closing date for applications:** 26 April 2017

**Contact:** Dr. T. Meenpal

Assistant Professor,

Electronics & Telecommunication Engineering

Department

NIT Raipur, Chhattisgarh 492010

Email: *tmeenpal.etc (at) nitrr.ac.in*

**More information:** http://www.nitrr.ac.in/downloads/recruitment/recruitment2017/project_fellow/JRF_EnTC_advertisement_ETC_10042017.pdf

USF is an R1 university and among the leading institutions in Florida. We are looking for motivated, talented, and hardworking applicants who have a background in, and are interested in working on, different aspects of Cryptographic Engineering with emphasis on:

- Cryptographic hardware systems

- Side-channel attacks, particularly fault and power analysis attacks

The required expertise includes:

- Masters (or Bachelors with outstanding background) in Computer Engineering or Electrical Engineering

- Solid background in digital design, VLSI, computer arithmetic, and ASIC/FPGA implementations

- Solid HDL expertise

- Outstanding English (if English tests are taken) to be eligible for department funding

- Motivation to work beyond the expectations from an average Ph.D. student and publish in top tier venues

Please closely observe the admission requirement details here before emailing:

http://www.usf.edu/engineering/cse/graduate/phd-program.aspx

Please send me your updated CV (including list of publications, language test marks, and references), transcripts for B.Sc. (and M.Sc.), and a statement of interest at *usfcrypto2017 (at) gmail.com* as soon as possible.

NOTE: At this time, I consider only applicants who have already taken the TOEFL/IELTS and GRE exams with excellent marks. The successful candidate will be asked to apply formally to the USF CSE department very soon, so all the material must already be prepared.

**Closing date for applications:** 20 April 2017

For further information and for application for the position see the webpage:

https://www.jobbnorge.no/en/available-jobs/job/137029/phd-position-in-boolean-functions

**Closing date for applications:** 15 May 2017

**Contact:** Dr. Lilya Budaghyan *lilya.budaghyan (at) uib.no*

We are starting a project in which we will develop methods for the verification of proofs in quantum cryptography. Similar to what the EasyCrypt tool does in classical cryptography. The scope of the project covers everything from the logical foundations, through the development of tools, to the verification of real quantum protocols.

The **ideal candidate would have experience in**:

- Semantics
- Theorem proving
- Verification of classical cryptography
- Quantum cryptography
- Quantum computation / communication

Of course, expertise in all those areas is very rare, so candidates who are strong in some of those areas and are interested in the others are encouraged to apply!

Please contact **Dominique Unruh** if you have more questions about the project, the required background, Estonia, the position itself, or the application process.

The **salary range is 30000-36000 Euro** per year (depending on experience), which is highly competitive in Estonia due to the low cost of living and low income tax rate (20%); pension contributions and health insurance are covered by the employer.

The position is for three years, **September 1, 2017 till August 31, 2020**. The starting date and duration can be negotiated (in both directions).

For application instructions, see the link below.

**Closing date for applications:** 1 June 2017

**Contact:** **Dominique Unruh**

Professor of Information Security

Department of Computer Science

University of Tartu

*unruh (at) ut.ee*

**More information:** http://crypto.cs.ut.ee/Main/PostdocInVerificationOfQuantumCryptography

In particular, if $G\colon\{0,1\}^n \rightarrow \{0,1\}^m$ and $m$ is as above, then $G$ cannot be a pseudorandom generator. Our algorithm is based on semidefinite programming and in particular the sum of squares (SOS) hierarchy.

As a corollary, we refute some conjectures recently made in the cryptographic literature. This includes refuting the assumptions underlying Lin and Tessaro's recently proposed candidate construction for indistinguishability obfuscation from bilinear maps, by showing that any block-wise 2-local PRG with block size $b$ cannot go beyond $m \approx 2^{2b}\cdot n$. We give an even stronger bound of $m \approx 2^b n$ on the output length of random block-wise 2-local PRGs. We also show that a generalized notion of generators runs into similar barriers.

We complement our algorithm by presenting a class of candidate generators with block-wise locality $3$ and constant block size, that resists both Gaussian elimination and SOS algorithms whenever $m = n^{1.5-\varepsilon}$. This class is extremely easy to describe: Let $\mathbb{G}$ be any simple non-abelian group, and interpret the blocks of $x$ as elements in $\mathbb{G}$; then each output of the generator is of the form $x_i \ast x_j \ast x_k$, where $i,j,k$ are random and "$\ast$" is the group operation.

In this paper, we present the first PKE with KDM-security based on constant-noise LPN, where the number of users is predefined. The technical tool is two types of _multi-fold LPN on squared-log entropy_, one having _independent secrets_ and the other _independent sample subspaces_. We establish the hardness of the multi-fold LPN variants on constant-noise LPN. Two squared-logarithmic entropy sources for multi-fold LPN are carefully chosen, so that our PKE is able to achieve correctness and KDM-security simultaneously.

In this work, we develop algebraic techniques for obtaining zero knowledge variants of proof protocols in a way that leverages and preserves their algebraic structure. Our constructions achieve unconditional (perfect) zero knowledge in the Interactive Probabilistically Checkable Proof (IPCP) model of Kalai and Raz [KR08] (the prover first sends a PCP oracle, then the prover and verifier engage in an Interactive Proof in which the verifier may query the PCP).

Our main result is a zero knowledge variant of the sumcheck protocol [LFKN92] in the IPCP model. The sumcheck protocol is a key building block in many IPs, including the protocol for polynomial-space computation due to Shamir [Sha92], and the protocol for parallel computation due to Goldwasser, Kalai, and Rothblum [GKR15]. A core component of our result is an algebraic commitment scheme, whose hiding property is guaranteed by algebraic query complexity lower bounds [AW09,JKRS09]. This commitment scheme can then be used to considerably strengthen our previous work [BCFGRS16] that gives a sumcheck protocol with much weaker zero knowledge guarantees, itself using algebraic techniques based on algorithms for polynomial identity testing [RS05,BW04].

We demonstrate the applicability of our techniques by deriving zero knowledge variants of well-known protocols based on algebraic techniques. First, we construct zero knowledge IPCPs for NEXP starting with the Multi-prover Interactive Proofs of Babai, Fortnow, and Lund [BFL91]. This result is a direct application of our zero knowledge sumcheck and our algebraic commitment scheme, augmented with the use of "randomized" low-degree extensions.

We also construct protocols in a more restricted model where the prover and verifier engage in a standard Interactive Proof with oracle access to a uniformly random low-degree polynomial (soundness holds with respect to any oracle). In this setting we achieve zero knowledge variants of the protocols of Shamir and of Goldwasser, Kalai, and Rothblum.

The bounded retrieval model (BRM) (cf. [Alwen et al., CRYPTO '09] and [Alwen et al., EUROCRYPT '10]) has been studied extensively in the setting of leakage resilience for cryptographic primitives. This threat model assumes that an attacker can learn information about the secret key, subject only to the constraint that the overall amount of leaked information is upper bounded by some value. The goal is then to construct cryptosystems whose secret key length grows with the amount of leakage, but whose runtime (assuming random access to the secret key) is independent of the leakage amount.

In this work, we combine the above two notions and construct locally decodable and updatable non-malleable codes in the split-state model that are secure against bounded retrieval adversaries. Specifically, given leakage parameter $\ell$, we show how to construct an efficient, 3-split-state, locally decodable and updatable code (with CRS) that is secure against one-time leakage of any polynomial time, 3-split-state leakage function whose output length is at most $\ell$, and one-time tampering via any polynomial-time 3-split-state tampering function. The locality we achieve is polylogarithmic in the security parameter.

We even go one step further and prove that sponges are collapsing (Unruh, EUROCRYPT'16). Thereby, we can also derive the applicability of sponge functions for collapse-binding commitments.

In addition to the security arguments, we also present a quantum collision attack against sponges. The complexity of our attack asymptotically matches the proven lower bound up to a square root.

Our attack uses tools from the literature on two-source extractors (Chor and Goldreich, SICOMP 1988) and efficient refutation of 2-CSPs over large alphabets (Allen, O'Donnell and Witmer, FOCS 2015). Finally, we propose new ways to instantiate the Lin-Tessaro construction that do not immediately fall to our attacks. While we cannot say with any confidence that these modifications are secure, they certainly deserve further cryptanalysis.

Submission deadline: 21 July 2017

Notification: 12 September 2017

The IQA group is part of several active networks of researchers in quantum information, which provides a dynamic context for scientific exchange, collaboration and opportunities for financial support: the Paris Centre for Quantum Computing (http://www.pcqc.fr/), the “Domaine d’Intérêt Majeur” project called SIRTEQ (regional cluster) and the IQUPS project (quantum information at Université Paris-Saclay).

The IQA group is also involved in master courses in Paris-Saclay, in Quantum communications and quantum cryptography, as well as a specialized master program on quantum information and post-quantum cryptography.

The IQA group is part of the Network & Computer Science department (INFRES Dpt.) and the Laboratoire Traitement et Communication de l’Information (LTCI).

The recruited associate professor will contribute to the research and teaching activities, as detailed in the official announcement (in French): http://www.telecom-paristech.fr/nc/telecom-paristech/offres-emploi-stages-theses/fiche-offre-demploi.html?offre_emploi=181

The successful candidate will take part in the research projects led in the team, and will also initiate new research projects, in particular on quantum information and post-quantum cryptography. Research results will be published in leading journals and conferences. Activities in scientific bodies, organization of special sessions and workshops, as well as involvement in committees of scientific conferences will also be encouraged, as they contribute to the group's visibility.

Teaching can be done at bachelor level, in computer science and maths, and also at master level in more specialized courses, such as information theory, algebra, quantum physics, quantum information, cryptography.

**Closing date for applications:** 5 May 2017

**Contact:** Isabelle Zaquine

Département Informatique et Réseaux

Télécom ParisTech, LTCI

Université Paris-Saclay

46 rue Barrault, Paris 13e, Bureau C234-5

+33 1 45 81 78 39

*isabelle.zaquine (at) telecom-paristech.fr*

**More information:** http://www.telecom-paristech.fr/telecom-paristech/offres-emploi-stages-theses.html

Use elliptic curve cryptography, digital signatures, and commitments in an established codebase to help the world securely interact in a way that preserves privacy.

Write code in Python and possibly a systems language or two (C, Rust, Go) that invokes C-callable crypto libraries to exchange anonymous credentials (see http://www.research.ibm.com/labs/zurich/idemix/ and https://www.microsoft.com/en-us/research/project/u-prove/) and build zero-knowledge proofs. Integrate with technologies like zkSNARKs and Ethereum.

Build byzantine fault tolerant protocols for distributed consensus.

Work on specific federal government contracts.*

Requirements

Master’s degree or PhD in cryptography or a closely related field, or active enrollment in such a program.

At least 5 years of experience with software engineering

Familiarity with applied cryptography, cryptanalysis, and similar topics; the stronger the math background, the better. Familiarity with networking and cryptocurrencies. Good competence as a coder (python preferred, but strengths in other languages may be considered). Comfort on Linux (though we also work on Mac and Windows).

Flexibility to work with remote colleagues in different time zones.

Strongly preferred: Ability to work in our Utah office (Lehi/American Fork). Some remote work possible.

This is a regular full-time position.

*Federal Government project requires US Citizenship.

**Closing date for applications:** 4 July 2017

**Contact:** Steve Tolman

*careers (at) evernym.com*

Meshcash is designed to be race-free: there is no "race" to generate the next block, hence honestly-generated blocks are always rewarded. This property, which we define formally as a game-theoretic notion, turns out to be useful in analyzing rational miners' behavior: we prove (using a generalization of the blockchain mining games of Kiayias et al.) that race-free blockchain protocols are incentive-compatible and satisfy linearity of rewards (i.e., a party receives rewards proportional to its computational power).

Because Meshcash can tolerate a high block rate regardless of network propagation delays (which will only affect latency), it allows us to lower both the variance and the expected time between blocks for honest miners; together with linearity of rewards, this makes pooled mining far less attractive. Moreover, race-free protocols scale more easily (in terms of transaction rate). This is because the race-free property implies that the network propagation delays are not a factor in terms of rewards, which removes the main impediment to accommodating a larger volume of transactions.

We formally prove that all of our guarantees hold in the asynchronous communication model of Pass, Seeman and shelat, and against a constant fraction of byzantine (malicious) miners, not just rational ones.

The most computationally efficient PSI protocols have been constructed using tools such as hash functions and oblivious transfer, but a potential limitation with these approaches is the communication complexity, which scales linearly with the size of the larger set. This is of particular concern when performing PSI between a constrained device (cellphone) holding a small set, and a large service provider (e.g. WhatsApp), such as in the Private Contact Discovery application.

Our protocol has communication complexity linear in the size of the smaller set, and logarithmic in the larger set. More precisely, if the set sizes are $N_x$ for the sender and $N_y$ for the receiver, we achieve a communication overhead of $O(N_y \log N_x)$. Our benchmarks show that it takes 36 seconds of online computation, 71 seconds of non-interactive (receiver-independent) pre-processing, and only 12.5MB of round-trip communication to intersect five thousand 32-bit strings with 16 million 32-bit strings. Compared to prior works, this is roughly a 38 times reduction in communication, with minimal increase in computation.