| | |
|---|---|
| Date | 23 June |
| Venue | King's College London |
| Registration | Here |
| Programme | https://uk-crypto-day.github.io/2023/06/23/ |

We have some nice speakers/talks lined up:
The sumcheck protocol plays a central role in many constructions of efficient zero-knowledge arguments. In this talk, I will describe the sumcheck protocol, explain why it is so useful, and discuss recent work on a machine-checkable security proof.
Bio. Jonathan Bootle is a researcher in the Foundational Cryptography Group at IBM Research – Zurich. His research focuses on constructing efficient zero-knowledge proofs, especially those based on lattice assumptions or error-correcting codes.
Imagine a setting where whenever a party in a protocol sends a message, its IP address becomes known, and it gets immediately killed by the adversary in a DoS attack. This implies that in any given protocol a party can only send a single message at a random point in time. Can we do secure multiparty computation in this setting? In this talk we introduce the YOSO MPC model that is based around the notion of roles, which are randomly assigned stateless parties that can send a single message for the entire duration of the protocol. We will show how we can leverage the infrastructure of public blockchains to securely YOSO-compute any function with private inputs.
Bio. Bernardo Magri is a Senior Lecturer at the CS department at the University of Manchester. His research interests are in the theoretical and practical aspects of cryptography and distributed ledgers.
My talk will focus on two recent works. The first concerns preventing the exploitation of stolen email data. Email is used widely for personal, industry, and government communication; as such, it is a valuable target for attack. Such attacks are compounded by email’s strong attributability: today, any attacker who gains access to your email can easily prove to others that the stolen messages are authentic. We define and construct non-attributable email using a new cryptographic signature primitive.
The second paper concerns a new model of post-election audits, loosely inspired by multi-prover interactive proofs. Post-election audits perform statistical hypothesis testing to confirm election outcomes. However, existing approaches are costly and laborious for close elections—often the most important cases to audit. We instead propose automated consistency checks, augmented by manual checks of only a small number of ballots. Our protocols scan each ballot twice, shuffling the ballots between scans: a “two-scan” approach inspired by two-prover proof systems.
Bio. Sunoo Park is a Postdoctoral Fellow at Columbia University and Visiting Fellow at Columbia Law School. Her research interests range across cryptography, security, and technology law. She received her Ph.D. in computer science at MIT, her J.D. at Harvard Law School, and her B.A. in computer science at the University of Cambridge.
In multi-party computation (MPC), multiple entities, each having some inputs, want to jointly compute a function of these inputs with the guarantee that nothing aside from the output of the function will be leaked. In this talk, we are going to investigate how many messages the parties of an MPC need to exchange to securely realise any functionality with simulation-based security in the case where there is no setup and the majority of the parties can be corrupted. We will then consider a relaxation of the standard simulation-based paradigm, and discuss whether this leads to more efficient MPC protocols which still realise non-trivial functionalities with meaningful security.
Bio. Michele Ciampi is a Chancellor’s Fellow at the School of Informatics at the University of Edinburgh. His work focuses on theoretical aspects of cryptography, including multi-party computation protocols, zero-knowledge proofs, and blockchain.
Machine-checked cryptographic proofs, as supported by tools such as EasyCrypt, CryptHOL or SSProve, aim at increasing trust in cryptographic algorithms by producing machine-checkable evidence that their security follows from relatively (sometimes) standard hardness assumptions. With only a few exceptions, their application has unfortunately been limited to small, typically non-interactive, constructions. A significant exception is a Eurocrypt 2015 paper applying EasyCrypt to a family of Authenticated Key Exchange protocols, whose massive proof has unfortunately been lost to time (and some obnoxious IT practices). This talk will report on an ongoing (or perhaps, hopefully, not) attempt at understanding better the interplay between EasyCrypt, interactive protocols, and a few competing pen-and-paper definition and proof methodologies. By doing so, I hope to provoke discussions around the goal and value of security proof and their machine-checked variants, and about what “traditional” cryptographers might expect or want from proof tools.
Bio. François Dupressoir is a Senior Lecturer at the University of Bristol, where he heads the Cryptography Research Group. His research revolves around bringing formal methods and formal reasoning techniques to cryptographic security of algorithms, protocols and their implementations.
Given a random function with domain and codomain , with , a collision of is a pair of distinct inputs with the same image. Collision finding is a ubiquitous problem in cryptanalysis, and it has been well-studied using both classical and quantum algorithms. Indeed, the quantum query complexity of the problem is well known to be , and matching algorithms are known for any value of . The situation becomes different when one is looking for multiple collision pairs. Here, for collisions, a query lower bound of was shown by Liu and Zhandry (EUROCRYPT 2019). A matching algorithm is known, but only for relatively small values of , when many collisions exist.
In this paper, we improve the algorithms for this problem and, in particular, extend the range of admissible parameters where the lower bound is met. Our new method relies on a chained quantum walk algorithm, which might be of independent interest. It allows one to extract multiple solutions of an MNRS-style quantum walk, without having to recompute it entirely: after finding and outputting a solution, the current state is reused as the initial state of another walk. As an application, we improve the quantum sieving algorithms for the Shortest Vector Problem (SVP), with a complexity of instead of the previous .
Bio. Yixin Shen is a research fellow at Royal Holloway, University of London. Her work focuses on quantum algorithms and their application in lattice-based cryptanalysis. She completed her PhD at Université Paris Cité in 2021. After that, she worked as a postdoctoral researcher at Royal Holloway. In 2022, she obtained a five-year EPSRC Quantum Technology Career Development Fellowship.
Formerly known as London-ish Crypto Day, but that produced a name clash with Liz' London Crypto Day.
In the interest of advertising our programme, here are two example ideas I’d be interested in.
The name “lattice estimator” at present is more aspirational than factual. In particular, we cover algorithms for solving LWE but not algorithms for solving SIS or (overstretched) NTRU. Well, we implicitly cover SIS because solving SIS implies solving LWE (and we cost that: the “dual attack”), but we don’t have a nice interface to ask “how hard would this SIS instance be?”. Adding this would be a nice contribution to the community, given how widely that estimator is used.
Our first work on building OPRFs from lattices costs about 2MB of bandwidth if you ignore the zero-knowledge proofs and something like 128GB (yes, GB) if you count them. Since then, proving lattice statements has become a lot cheaper, so a natural project is to reconsider our construction: use newer/smaller proofs, tune the parameters, prove it in a nicer game-based model or in UC. To give you a taste of what is possible: This work building a non-interactive key-exchange (NIKE) has to solve essentially the same problem (noise drowning + ZK proofs) and achieves smaller parameters.
If you are interested, or have some other ideas, ping me and apply for a PQC resident position.
Standardisation efforts for post-quantum public-key encryption and signatures are close to completion. At the same time, the most recent decade has seen the deployment, at scale, of more advanced cryptographic algorithms for which no efficient post-quantum candidates exist. These algorithms permit, e.g., strong guarantees even after some parties have been compromised, privacy-preserving contact lookups, credentials and e-cash. This project will tackle the challenge of “lifting” such constructions to the post-quantum era by pursuing three guiding questions:
- What is the cost of solving lattice problems with and without hints on a quantum computer? Answers to this question will provide confidence in the entire stack of lattice-based cryptography from “basic” to “advanced”. Studying the presence of hints tackles side-channel attacks and advanced constructions.
- What are the lattice assumptions that establish feature- and (near) performance-parity with pre-quantum cryptography? Standard lattice assumptions do not seem to establish feature parity with pairing-based or even some Diffie-Hellman-based pre-quantum constructions; how can we achieve efficient and secure advanced practical post-quantum solutions?
- How efficient is a careful composition of lattice-based cryptography with other assumptions? If we want to deploy our post-quantum solutions in practice, we will need to design hybrid schemes that are secure if either their pre- or their post-quantum part is secure, and to deploy many advanced lattice-based primitives in practice we need to carefully compose them with zero-knowledge proofs to rule out some attacks.
Lattice-based cryptography has established itself as a key technology to realise both efficient basic primitives like post-quantum encryption and advanced solutions such as computation with encrypted data and programs. It is thus well positioned to tackle the middle ground of advanced yet practical primitives for phase 2 of the post-quantum transition.
Concretely, this grant award means that I’ll be recruiting for several postdoc and PhD student (international fees, i.e. not restricted to people from the UK) positions in post-quantum and lattice-based cryptography. I have a bit of flexibility in when to put those on the market, so if you think these positions would fit you well, feel free to get in touch with me to informally discuss it.
In somewhat related news, we’re hiring for a lecturer (≈ assistant professor) position at King’s College London. We’re also hiring for PhD or postdoc residency (≈ intern) positions at SandboxAQ.
(*) Well, there is the tiny issue of Brexit: “As described in Annex 3 of the ERC Work Programme 2022, successful applicants established in a country in the process of associating to Horizon Europe will not be treated as established in an associated country if the association agreement does not apply by the time of the signature of the grant agreement.” See also UKRI’s guidance on the UK’s guarantee scheme.
Note that the plan here is not to build an exclusively lattice-based cryptography, mathematical cryptography, post-quantum cryptography or cryptanalysis lab; our ambition is to build a lab with expertise across cryptography. I think this creates a fun and interesting research environment. So consider applying if you consider FSE, CHES, PKC, TCC or RWC your home venue, or any other area of cryptography.
Normally, in this genre of blog posts I’d now go on talking about how amazing the department and everybody in it is but I’ve yet to start at KCL myself. However, everything I’ve seen so far makes me really quite optimistic, the department is strong and the people are nice.
The application deadline is somewhat far into the future (1 March 2023). So, if you like, there’s plenty of time to reach out to discuss or even to come visit us to check us out.
We’d appreciate any help in spreading the word. Happy to answer any questions I can answer or to direct you to someone who can.
Lecturer in Cryptography

- Job ID: 054515
- Salary: £48,737 to £57,353 per annum, including London Weighting Allowance
- Posted: 22-Sep-2022
- Closing date: 01-Mar-2023
- Business unit: Natural, Mathematical & Engineering Sci
- Department: Informatics
- Contact details: Professor Luc Moreau, hod-inf@kcl.ac.uk

Job description
As part of its strategic development, the Department of Informatics is seeking applications from candidates for the position of Lecturer in Computer Science (Cryptography), starting in September 2023, or as soon as possible thereafter.
The successful applicant for this post will undertake research and teaching in an area of Cryptography and more broadly Cybersecurity. They will be assigned to teach on the Department’s MSc in Cybersecurity (face to face and/or online), or other postgraduate or undergraduate degree programmes offered by the Department of Informatics, and will be expected to supervise both undergraduate and postgraduate projects. While we cannot guarantee teaching in cryptography, we hope to expand our cryptography teaching portfolio in the near future.
Accordingly, the successful applicant will need knowledge and awareness of current research and practical challenges in Cryptography. All areas of cryptography are of interest to the Department, including but not limited to theory (TCC), applied (RWC), public-key (PKC), symmetric-key (FSE) and embedded systems and hardware (CHES). Outstanding candidates engaged in research and teaching which complements that of the existing members of the Department will be considered favourably.
The successful candidate will be appointed to the Cybersecurity (CYS) group and will have the opportunity to contribute to the Security Hub and to the King’s EPSRC-NCSC Academic Centre of Excellence in Cybersecurity Research (ACE-CSR) – https://www.kcl.ac.uk/cybersecurity-centre. The successful candidate will have the opportunity to collaborate with colleagues in the new cryptography lab launching in January 2023 and other labs in the CYS group. Research collaboration across research groups, with departmental hubs and with other Departments in the Faculty and across the College is strongly encouraged.
The mission of CYS is to conduct world-class research to address research and practical challenges in Cybersecurity such as the ones listed above through six main interconnected pillars: (i) Trustworthy AI; (ii) Formal and automated (program) analysis for verification and testing of security protocols and systems; (iii) Human-Centred Security and Privacy; (iv) Provenance and Trust; (v) Systems Security; and (vi) Cryptography.
To realise our mission, we look at security & privacy challenges with a broad perspective and regularly sit in the program committees of and publish in top-tier and well-known venues in Cryptography (EUROCRYPT, CRYPTO, ASIACRYPT, IACR Area Workshops), Security & Privacy (e.g., IEEE S&P, USENIX Security, ACM CCS, NDSS, IEEE CSF, USENIX SOUPS, IEEE TDSC, IEEE TIFS, ACM TOPS), Artificial Intelligence (e.g., IJCAI, AAMAS, IEEE TKDE), Measurement (e.g., WWW, IMC), Software Engineering (e.g., IEEE TSE), and Human-Computer Interaction (e.g., CHI, CSCW, TOCHI).
Top-quality research establishes CYS members as leaders in their fields, but it is its transformative aspect that provides the opportunity to serve society while supporting King’s as an outstanding institution in science and technology. As such, CYS has strong links with industry and civil society organisations, which engage with us in collaborative research projects.
Applicants must have a PhD, an excellent publication record, and the ability to attract research funding. It is essential that applicants have the enthusiasm and commitment required to contribute to the further development of the research standing of the Department of Informatics, and to make a full contribution to teaching and administrative activities.
Diversity is positively encouraged with a number of family-friendly policies, including the operation of a core hours policy, the right to apply for flexible working and support for staff returning from periods of extended absence, for example maternity leave. The Department of Informatics is committed to ensuring an inclusive interview process and will reimburse up to £250 towards any additional care costs (for a dependent child or adult) incurred as a result of attending an interview for this position.
For further information about the Department of Informatics at King’s, please see https://nms.kcl.ac.uk/luc.moreau/informatics/overview.pdf.
This post will be offered on an indefinite contract. This is a full-time post (100% full time equivalent).
Key responsibilities
The successful candidate is expected to:
- engage in advanced research, maintain an outstanding track record of published research at a level of international excellence and lead activities promoting research impact.
- make a significant contribution to the teaching, examining and project supervision of undergraduate and MSc students in the Department of Informatics
- supervise research students in the Department of Informatics and act as personal tutor to students as agreed with the Head of Department, assist with difficulties, e.g. learning support/problems and be responsible for the pastoral care of students.
- undertake any other reasonable duties that may be requested by the Head of Department.
The above list of responsibilities may not be exhaustive, and the post holder will be required to undertake such tasks and responsibilities as may reasonably be expected within the scope and grading of the post.
Skills, knowledge, and experience
Essential criteria
- PhD in computer science, cryptography or related field
- Strong research record in computer science and/or cryptography as evidenced by publications in high quality journals and/or conferences; Research experience and good reputation in computer science, cryptography or relevant research field; Potential to acquire research project funding; Ability to supervise research students
- Ability to teach undergraduate and postgraduate modules in computer science and cybersecurity
- Ability to make a significant contribution to administrative work
Desirable criteria
- Teaching and examining experience
- Experience in attracting external research funds
- Administrative experience
Further information
The selection process will include a presentation and a panel interview. The candidates will also have the opportunity to meet members of the department. Interviews are scheduled to be held in early April 2023. Presentations scheduling will be confirmed once shortlisting has taken place. Meetings, presentations and interviews are subject to pandemic constraints and may be held online.
A succinct non-interactive argument of knowledge (SNARK) allows a prover to produce a short proof that certifies the veracity of a certain NP-statement. In the last decade, a large body of work has studied candidate constructions that are secure against quantum attackers. Unfortunately, no known candidate matches the efficiency and desirable features of (pre-quantum) constructions based on bilinear pairings.
In this work, we make progress on this question. We propose the first lattice-based SNARK that simultaneously satisfies many desirable properties: It (i) is tentatively post-quantum secure, (ii) is publicly-verifiable, (iii) has a logarithmic-time verifier and (iv) has a purely algebraic structure making it amenable to efficient recursive composition. Our construction stems from a general technical toolkit that we develop to translate pairing-based schemes to lattice-based ones. At the heart of our SNARK is a new lattice-based vector commitment (VC) scheme supporting openings to constant-degree multivariate polynomial maps, which is a candidate solution for the open problem of constructing VC schemes with openings to beyond linear functions. However, the security of our constructions is based on a new family of lattice-based computational assumptions which naturally generalises the standard Short Integer Solution (SIS) assumption.
In this post, I want to give you a sense of our new family of assumptions, the k-M-ISIS family of assumptions, and its variants. Meanwhile, Russell has written a post focusing on building the SNARK and Aravind has written about the nice things that we can do with our lattice-based SNARKs.
Let’s start with an example:
Let , let and let be short s.t. for and . Given find a short s.t. .
That is, this problem asks you to solve the ring inhomogeneous short integer solution problem (R-ISIS), but with the twist that you get a bunch of preimages of images that are algebraically related to the target. In the above example those algebraic relations can be expressed as follows: we are given preimages for evaluated at , and we want to find one for evaluated at .
On the one hand, there are pairs that are trivially as hard as R-(I)SIS itself: for example and . Evaluating each element of at simply outputs , i.e. we are given short preimages of random images, which are easily sampled by an adversary (pick a short and compute ). On the other hand, e.g. and is trivially insecure. So we need to define which pairs we admit and which we do not:
Let be a Laurent monomial, i.e. for some exponent vector . Let be a set of Laurent monomials with . Let be a target Laurent monomial. We call a family k-M-ISIS-admissible if
- all have constant degree, i.e. ;
- all are distinct, i.e. is not a multiset; and
- .
We call a family k-M-ISIS-admissible if is k-M-ISIS-admissible, has constant degree, and .
To explain the conditions:
Armed with this definition, we can define the k-M-ISIS problem (I am giving a slightly simplified version here).
Let . Let be a set of -variate Laurent monomial. Let be a target Laurent monomial. Let be k-M-ISIS-admissible. Let , . Given with short and
it is hard to find a short and small s.t.
When , i.e. when is just a vector, we call the problem k-R-ISIS.
We also define a “knowledge” variant of our assumption, which essentially states that for any element the adversary can produce together with a short preimage, it must have produced that element as some small linear combination of the preimages we have given it. Thus, roughly:
If an adversary outputs any s.t.
then there is an extractor that – with access to the adversary’s randomness – outputs short s.t.
The knowledge assumption only makes sense for . To see this, consider an adversary which does the following: First, it samples random short and checks whether is in the submodule of generated by . If not, aborts. If it does not abort, it finds such that and outputs . When , we observe that generates , which means never aborts. Clearly, when does not abort, it has no “knowledge” of how can be expressed as a linear combination of . Yet, when , the adversary aborts with overwhelming probability, since is close to uniform over but the submodule generated by is only a negligible fraction of .
However, in order to be able to pun about “crises of knowledge”, we also define a ring version of the knowledge assumption. In the ring setting, we consider proper ideals rather than submodules.
To see why this might be a useful definition, start with some pairing-based scheme.
For example, consider constructions where the elements are publicly available to all parties. An authority, knowing the secret exponents , is responsible for giving out secret elements to Alice. Alice can then compute and present that to Bob. Bob can then check the correctness of by checking
This is a fairly common pairing-based pattern. Now, note that in this check one side of the pairing (i.e. ) is public, while the other side (i.e. ) is computed from secrets delegated by the authority to Alice. This gives us, at least syntactically (!), an angle to translate such constructions.
We map
and
Note that since does not necessarily hide in the lattice setting (e.g. when consists of many linear functions), the authority might as well publicly hand out the vectors directly. We then map
Now, given , Alice can similarly compute , although the coefficients are now required to be short. The pairing-product check is then translated to checking
To see it in action, let’s build a vector commitment scheme with a functional opening, i.e. we can open to for a committed vector . To keep things simple I will consider , linear functions (we support any constant degree in our paper) and the simplified (non-knowledge) version of our scheme.
Let .
If k-R-ISIS is hard then this construction is weakly binding, meaning the adversary cannot open to two different values for the same . We can also achieve binding (no inconsistent openings) for if we allow to be exponentially large. To achieve binding for , we need the knowledge assumption. The intuition here is that solving the non-linear system of equations produced by inconsistent openings may be exponentially hard.
As already mentioned above, there are instances of k-M-ISIS that are trivially as hard as M-ISIS. We formalise these reasons in the paper. Slightly more interestingly, we also show that if k-M-ISIS is easy when then k-R-SIS is easy. The latter is a generalisation of the k-SIS problem (EPRINT:BonFre10, EPRINT:LPSS14) which is as hard as SIS. However, it is worth stressing that , i.e. handing out fewer preimages than the dimension of , is not very interesting. Our applications certainly need .
On the other hand, we did not find any attacks better than just solving M-(I)SIS directly. In the paper, we also consider the approaches of finding a small integer linear combination or finding a linear combination s.t. is small.
A challenger selects a matrix and sends it to the adversary. The adversary can perform two types of queries:
- Syndrome queries The adversary can request a challenge vector which the challenger selects at random, i.e. , adds to some set and returns to the adversary.
- Preimage queries. The adversary submits any vector . The challenger will return a short vector such that . Denote for the number of preimage queries.
In the end the adversary is asked to output pairs satisfying:
- ,
- and
- .
The hardness of the problem depends on the parameters, critically and . To see this consider the following two attacks, given in the above mentioned paper.
Combinatorial Attack. The adversary requests preimages for all , where is the -th unit vector. Then, adding up such preimages allows one to construct a preimage of any image. Since the norm of the preimages returned by the challenger is , this allows one to solve the One-more-ISIS problem when . Of course, smaller and larger sets of preimages are possible, increasing and decreasing the output norm respectively.
Lattice Attack. The adversary requests preimages of zero and uses them to produce a short basis for the kernel of , i.e. . This constitutes a trapdoor for and thus permits returning short preimages for any target. The key point here is that this trapdoor is of degraded quality relative to the trapdoor used by the challenger. The key computational challenge then is to fix up or improve this degraded trapdoor in order to be able to sample sufficiently short vectors.
I’d say that last computational problem is of more general interest. That is, given some polynomial number of short vectors in a lattice, how hard is it to produce a slightly shorter basis for this lattice? Okay, technically, there might be a way of sampling short preimages without finding such a high-quality basis, but finding such a high-quality basis would certainly solve the problem.
Finally, it’s worth noting that this problem is not only relevant for building blind signatures. It would also arise in some side-channel attacks on GPV-style signature schemes such as Falcon. That is, in these signature schemes, signing the same twice would produce a preimage of zero, i.e. implies . Sampling many such preimages of zero would constitute a trapdoor as discussed above. Falcon defends against this by signing for some fresh random . Now, in a setting where only poor randomness is available (think attacks on Schnorr-like signatures with poor randomness) this might collapse down to again. Studying lattice attacks on One-more-ISIS would help us to understand how devastating this would be.
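To make the game and the combinatorial attack above concrete, here is a small toy model written for this page (it is not code from the One-more-ISIS paper or from this blog). Everything about the challenger is an assumption made for the toy: it uses a Micciancio–Peikert style gadget trapdoor, A = [A_bar | G − A_bar·R] with short R, and answers preimage queries deterministically as (R·u, u) for u the bit decomposition of the target, which gives short preimages but would leak R in practice (exactly the kind of repeated-preimage leakage discussed next). The three winning conditions of the game are taken to be: the targets are distinct elements of the syndrome set, A·x = t mod q, and ||x||_∞ ≤ β. The adversary implements the combinatorial attack with a base-b digit decomposition, so the number of preimage queries ℓ = n·⌈log_b q⌉ and the output norm can be traded against each other by varying b.

```python
import random

# Toy One-more-ISIS game: a challenger with a deterministic gadget trapdoor (assumption, see
# lead-in) and the combinatorial attack.  Parameters n=4, q=257 are toy sizes.


def bit_decompose(value, k):
    """Little-endian bits of 0 <= value < 2^k."""
    return [(value >> j) & 1 for j in range(k)]


class OneMoreISISChallenger:
    def __init__(self, n, q, rng):
        self.n, self.q, self.rng = n, q, rng
        self.k = (q - 1).bit_length()            # gadget length: 2^k > q - 1
        self.w = n                                # width of the uniform block A_bar
        self.m = self.w + n * self.k              # number of columns of A
        # A = [A_bar | G - A_bar R] mod q with A_bar uniform and R short (entries in {-1,0,1}).
        self.A_bar = [[rng.randrange(q) for _ in range(self.w)] for _ in range(n)]
        self.R = [[rng.choice((-1, 0, 1)) for _ in range(n * self.k)] for _ in range(self.w)]
        G = [[0] * (n * self.k) for _ in range(n)]          # G = I_n (x) (1, 2, ..., 2^{k-1})
        for i in range(n):
            for j in range(self.k):
                G[i][i * self.k + j] = 1 << j
        AR = [[sum(self.A_bar[i][r] * self.R[r][c] for r in range(self.w))
               for c in range(n * self.k)] for i in range(n)]
        self.A = [self.A_bar[i] + [(G[i][c] - AR[i][c]) % q for c in range(n * self.k)]
                  for i in range(n)]
        self.syndromes = set()
        self.preimage_queries = 0

    def syndrome_query(self):
        """Syndrome query: a uniform target t, remembered in the syndrome set."""
        t = tuple(self.rng.randrange(self.q) for _ in range(self.n))
        self.syndromes.add(t)
        return t

    def preimage_query(self, t):
        """Preimage query: x = (R u, u) with u = bits(t); A x = A_bar R u + (G - A_bar R) u = G u = t."""
        self.preimage_queries += 1
        u = [b for ti in t for b in bit_decompose(ti % self.q, self.k)]
        Ru = [sum(self.R[r][c] * u[c] for c in range(len(u))) for r in range(self.w)]
        return Ru + u                             # ||x||_inf <= n*k, independent of t

    def apply(self, x):
        return tuple(sum(self.A[i][c] * x[c] for c in range(self.m)) % self.q
                     for i in range(self.n))

    def wins(self, pairs, beta):
        """More valid (t, x) pairs than preimage queries; t distinct, from the syndrome set, A x = t, short x."""
        ts = [t for t, _ in pairs]
        if len(set(ts)) != len(ts) or len(pairs) <= self.preimage_queries:
            return False
        return all(t in self.syndromes and self.apply(x) == t and max(map(abs, x)) <= beta
                   for t, x in pairs)


def combinatorial_attack(ch, base, extra=1):
    """Request preimages of base^j * e_i (n*L queries, L = ceil(log_base q)); a preimage of any
    syndrome t is then sum_{i,j} d_{ij} x_{ij} with d_{ij} the base-`base` digits of t_i.
    Returns the forged pairs and the trivial bound (base-1) * n * L * max ||x_{ij}||_inf."""
    n, q = ch.n, ch.q
    L = 1
    while base ** L < q:
        L += 1
    table, widest = {}, 0
    for i in range(n):
        for j in range(L):
            t = tuple(base ** j if c == i else 0 for c in range(n))
            table[i, j] = ch.preimage_query(t)
            widest = max(widest, max(map(abs, table[i, j])))
    ell = ch.preimage_queries
    pairs, seen = [], set()
    while len(pairs) < ell + extra:               # ell + 1 pairs already win the game
        t = ch.syndrome_query()
        if t in seen:
            continue
        seen.add(t)
        x = [0] * ch.m
        for i in range(n):
            v = t[i]
            for j in range(L):
                v, d = divmod(v, base)
                for c in range(ch.m):
                    x[c] += d * table[i, j][c]
        pairs.append((t, x))
    return pairs, (base - 1) * n * L * widest


def demo(base, seed=2023, n=4, q=257):
    """Run the attack against a fresh toy challenger and report what the game sees."""
    ch = OneMoreISISChallenger(n, q, random.Random(seed))
    pairs, bound = combinatorial_attack(ch, base)
    norm = max(max(map(abs, x)) for _, x in pairs)
    return {"queries": ch.preimage_queries, "pairs": len(pairs), "norm": norm,
            "bound": bound, "win": ch.wins(pairs, norm)}


if __name__ == "__main__":
    for base in (2, 16, 257):
        r = demo(base)
        print(f"base {base:3d}: {r['queries']:2d} preimage queries, {r['pairs']} forged pairs, "
              f"||x||_inf = {r['norm']} (bound {r['bound']}), win: {r['win']}")
```

Running the script shows the trade-off from the post: base 2 costs 36 preimage queries for n = 4, q = 257 but keeps the forged preimages within a few hundred in infinity norm, while base 257 needs only 4 queries and produces preimages whose entries are of order q. Either way the adversary wins whenever β is at least the norm it achieves, which is why the hardness of One-more-ISIS depends so critically on the allowed norm and the number of preimage queries.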
Debugging “corner cases” can often do wonders to improve the robustness of a given piece of software. For example, back in the days when I worked a lot on M4RI, as much as I dreaded fixing bugs that only showed up on Solaris boxes, those bugs always revealed some shady assumptions in my code that were bound to produce problems elsewhere down the line.
Indeed, I think this bug puts the finger on the heuristics we rely upon and where they can go wrong. The parameter sets that Ben has in mind are quite unusual in that we have to pick quite a large dimension (or, equivalently, a large number of LWE samples) to make the target uniquely short. That is, I suspect fixing this bug would take a bit more than increasing the precision of some numerical computation here or there, or fixing/adding some if statement to account for a corner case. This makes bugs like these a high-ish priority.
On the other hand, truth be told, between this, the estimator being “mostly developed on the side” and all the other stuff I have to do, I doubt I’ll sink significant time into fixing this bug anytime soon.
But, and this is the point of this post, perhaps someone would like to take this bug as an invitation to help improve the Lattice Estimator? While the estimator is quite widely relied upon to, well, estimate the difficulty of solving LWE and related problems, its bus factor is uncomfortably low. I’d say attempting to fix this bug would take whoever attempts it on a whirlwind tour through the code base; a good way to learn it and to improve it.
Interested? Get in touch.
Here is how we had to express, e.g., NIST Round 1 Kyber-512 for the “Estimate all the {LWE, NTRU} schemes!” project:

```python
n = 512
sd = 1.5811388300841898          # standard deviation of the Round 1 noise, entered by hand
q = 7681
alpha = sqrt(2*pi)*sd/RR(q)      # the old interface wanted a Gaussian width parameter
m = n
secret_distribution = "normal"   # i.e. pretend the secret is Gaussian too
primal_usvp(n, alpha, q, secret_distribution=secret_distribution, m=m)
```

In contrast, here’s how we express NIST Round 3 Kyber-512 now:

```python
from estimator import *

Kyber512 = LWE.Parameters(
    n=2 * 256,
    q=3329,
    Xs=ND.CenteredBinomial(3),
    Xe=ND.CenteredBinomial(3),
    m=2 * 256,
    tag="Kyber 512",
)
```
That is, the user should not have to pretend their input distributions are some sort of Gaussians, the estimator should be able to handle standard distributions used in cryptography. Hopefully this makes using the estimator less error-prone.
It is well-established by now that making the Geometric Series Assumption for “primal attacks” on the Learning with Errors problem can be somewhat off. It is more precise to use a simulator to predict the shape after lattice reduction but the old estimator did not support this. Now we do:
```python
>>> lwe.primal_usvp(Kyber512, red_shape_model="GSA")
rop: ≈2^141.2, red: ≈2^141.2, δ: 1.004111, β: 382, d: 973, tag: usvp
>>> lwe.primal_usvp(Kyber512, red_shape_model="CN11")
rop: ≈2^144.0, red: ≈2^144.0, δ: 1.004038, β: 392, d: 976, tag: usvp
```
The design is (hopefully) modular enough that you can plug in your favourite simulator.
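For readers who have not seen the Geometric Series Assumption written down, here is a small example (added for this page; it is not estimator code, and it only reproduces the heuristics, not the cost model) that computes the root-Hermite factor δ the estimator associates with a block size β and the GSA-predicted Gram–Schmidt profile after BKZ-β on a lattice of given dimension and volume. The δ(β) formula is the standard asymptotic one; the two (β, δ) pairs in the estimator output above are recovered to six decimals. The example also includes the standard-deviation computation for a centered binomial distribution, which is the number one previously had to work out by hand (sd = sqrt(5/2) for Round 1 Kyber-512 with CBD(5)). The volume q^m for a dimension-(m+n+1) embedding lattice with m q-vectors is an assumption about the embedding, made to produce a realistic profile.

```python
from math import e, log, pi, sqrt

# Added example: root-Hermite factor, the GSA profile and the old "pretend it is Gaussian"
# parameterisation.  Heuristics only; the estimator's cost model is not reproduced here.


def cbd_stddev(eta):
    """Standard deviation of the centered binomial distribution CBD(eta): the difference of
    two sums of eta uniform bits has variance eta/2.  Round 1 Kyber used eta = 5."""
    return sqrt(eta / 2)


def delta_from_beta(beta):
    """Root-Hermite factor reached by BKZ with block size beta, via the usual estimate
    delta = (beta/(2 pi e) * (pi beta)^(1/beta))^(1/(2(beta-1))); meaningful for beta >= ~40."""
    return (beta / (2 * pi * e) * (pi * beta) ** (1 / beta)) ** (1 / (2 * (beta - 1)))


def gsa_profile(beta, d, log_vol):
    """Geometric Series Assumption: after BKZ-beta on a d-dimensional lattice of volume
    exp(log_vol), the Gram-Schmidt norms form a geometric series, log ||b_i*|| decreasing
    by 2 log(delta) per index, whose product is the volume.  Returns [log ||b_i*||]."""
    ld = log(delta_from_beta(beta))
    return [(d - 1 - 2 * i) * ld + log_vol / d for i in range(d)]


def qary_log_vol(m, q):
    """Assumption: the embedding lattice of dimension m + n + 1 has m q-vectors and volume q^m
    (secret and error of equal width, so no rescaling of the secret part)."""
    return m * log(q)


def profile_is_consistent(profile, log_vol, tol=1e-6):
    """Sanity check of the GSA shape: volume preserved and constant slope."""
    slopes = [b - a for a, b in zip(profile, profile[1:])]
    return (abs(sum(profile) - log_vol) < tol
            and all(abs(s - slopes[0]) < tol for s in slopes)
            and slopes[0] < 0)


# Shape reported above for Kyber-512 under GSA: beta = 382, d = 973, i.e. m = 973 - 512 - 1.
KYBER512_N, KYBER512_Q, KYBER512_BETA, KYBER512_D = 512, 3329, 382, 973
KYBER512_LOG_VOL = qary_log_vol(KYBER512_D - KYBER512_N - 1, KYBER512_Q)


def kyber512_gsa_summary():
    """(delta, log ||b_0*||, log ||b_{d-1}*||) for the Kyber-512 shape under GSA."""
    prof = gsa_profile(KYBER512_BETA, KYBER512_D, KYBER512_LOG_VOL)
    return delta_from_beta(KYBER512_BETA), prof[0], prof[-1]


if __name__ == "__main__":
    print("Round 1 Kyber-512 sd =", cbd_stddev(5))
    for beta in (382, 392):
        print(f"beta = {beta}: delta = {delta_from_beta(beta):.6f}")
    delta, first, last = kyber512_gsa_summary()
    print(f"GSA profile for Kyber-512: log||b_0*|| = {first:.3f}, log||b_{{d-1}}*|| = {last:.3f}")
```

A simulator such as CN11 replaces gsa_profile with a prediction that is not a straight line, in particular in the last ≈β coordinates where the GSA is known to be off; that is what the red_shape_model argument selects.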
The algorithms we costed were getting outdated. For example, we had these (really slow) estimates for the “decoding attack”, which was essentially equivalent to computing a BKZ-β reduced basis followed by calling an SVP oracle in some dimension η. This is now implemented as primal_bdd:

```python
>>> lwe.primal_bdd(Kyber512, red_shape_model="CN11")
rop: ≈2^140.5, red: ≈2^139.3, svp: ≈2^139.6, β: 375, η: 409, d: 969, tag: bdd
```
Similarly, our estimates for dual and hybrid attacks hadn’t kept up with the state of the art. Michael and Ben (both now at Zama) contributed code to fix that and have blogged about it here.
lwe.dual_hybrid(Kyber512)
rop: ≈2^157.7, mem: ≈2^153.6, m: 512, red: ≈2^157.4, δ: 1.003726, β: 440, d: 1008, ↻: ≈2^116.5, ζ: 16, tag: dual_hybrid
lwe.primal_hybrid(Kyber512)
rop: ≈2^276.4, red: ≈2^276.4, svp: ≈2^155.3, β: 381, η: 2, ζ: 0, |S|: 1, d: 1007, prob: ≈2^-133.2, ↻: ≈2^135.4, tag: hybrid
We’re still not complete (e.g. BKW with sieving is missing), but the more modular design (e.g. the one big Python file to rule them all is no more) should make it easier to update the code.
For most users, the usage should be fairly simple, e.g.
params = LWE.Parameters(n=700, q=next_prime(2^13), Xs=ND.UniformMod(3), Xe=ND.CenteredBinomial(8), m=1400, tag="KewLWE")
_ = LWE.estimate.rough(params)
usvp :: rop: ≈2^153.9, red: ≈2^153.9, δ: 1.003279, β: 527, d: 1295, tag: usvp
dual_hybrid :: rop: ≈2^178.9, mem: ≈2^175.1, m: 691, red: ≈2^178.7, δ: 1.002943, β: 612, d: 1360, ↻: 1, ζ: 31, tag: dual_hybrid
_ = LWE.estimate(params)
bkw :: rop: ≈2^210.4, m: ≈2^198.0, mem: ≈2^199.0, b: 15, t1: 0, t2: 16, ℓ: 14, #cod: 603, #top: 0, #test: 98, tag: coded-bkw
usvp :: rop: ≈2^182.3, red: ≈2^182.3, δ: 1.003279, β: 527, d: 1295, tag: usvp
bdd :: rop: ≈2^178.7, red: ≈2^178.1, svp: ≈2^177.2, β: 512, η: 543, d: 1289, tag: bdd
dual :: rop: ≈2^207.8, mem: ≈2^167.1, m: 695, red: ≈2^207.6, δ: 1.002926, β: 617, d: 1394, ↻: ≈2^165.5, tag: dual
dual_hybrid :: rop: ≈2^201.3, mem: ≈2^197.4, m: 676, red: ≈2^201.1, δ: 1.003008, β: 594, d: 1341, ↻: ≈2^141.9, ζ: 35, tag: dual_hybrid
If you are an attack algorithm designer, we would appreciate if you would contribute estimates for your algorithm to the estimator. If we already have support for it implemented, we would appreciate if you could compare our results against what you expect. If you are a scheme designer, we would appreciate if you could check if our results match what you expect. If you find suspicious behaviour or bugs, please open an issue on GitHub.
You can read the documentation here and play with the new estimator in your browser here (beware that Binder has a pretty low time-out, though).
As you may know, several of us in the ISG work in the area of post-quantum cryptography, an area adjacent to quantum computing. To give some examples, Simon and co-authors showed that there are regimes where subexponential quantum attacks on SIDH exist; Eamonn, co-authors and I gave resource estimates for running quantum sieving attacks on lattice-based schemes; Carlos and co-authors gave polynomial-time quantum attacks (i.e. with superposition queries) against the CPA security of contracting Feistel structures; Chris discussed the impact of quantum computing on 5G; Fernando and co-authors gave resource estimates (and Q# code!) for breaking AES on a quantum computer; Eamonn and co-authors improved “low-memory” sieving in a quantum setting. We have a lively research community of PhD students, postdocs and staff. Speaking of PhD students, due to our CDT in Cyber Security of the Everyday, we are currently recruiting 10 students per year across the field of information security, including the “quantum threat”. Moreover, as mentioned in the ad, the College considers quantum a key priority. Some of our physicists work in various areas of quantum, and some of our mathematicians work on quantum dynamics.
Feel free to reach out to me if you want to discuss what it is like working at Royal Holloway. For specifics about this post, reach out to Magnus (HoD of CS). Also feel encouraged to disseminate this ad through your networks.
Location: Egham
Salary: £44,283 to £52,430 per annum – including London Allowance
Post Type: Full Time
Closing Date: 23.59 hours GMT on Sunday 13 February 2022
Reference: 1221-502
The Department of Computer Science at Royal Holloway is looking to appoint multiple academic members of staff to support its research and teaching.
We carry out outstanding research and deliver excellent teaching at both undergraduate and postgraduate level: we ranked 11th in the Research Excellence Framework (REF 2014) for the quality of our research output, and in teaching we are typically in the top 10 in the UK for graduate prospects (e.g., Guardian 2022).
Over the past seven years, we have undertaken an ambitious plan of expansion: eighteen new academic members of staff were appointed, new undergraduate and integrated-masters programmes were created, and multiple new postgraduate-taught programmes were launched. We have strong research groups in the broad areas of Intelligent Systems, Machine Learning, Algorithms and Complexity, and Programming Languages and Systems, as well as good connections with the Information Security Group. We are also involved in multiple inter/multidisciplinary activities, from electrical engineering to psychology and social sciences. Our research strength generates significant interest and collaborative opportunity from universities and third stream partners.
Recently, Royal Holloway launched a research catalyst “Advanced Quantum Science and Technologies,” with multiple connections to Computer Science, Physics, Mathematics, and the Information Security Group, and the Computer Science department is seeking to strengthen its research activities via increased engagement in the catalyst.
We are therefore recruiting academic members of staff with research expertise in Quantum Computing, to complement and extend the department’s research profile. We welcome applicants with expertise in any area of quantum computing, including but not limited to quantum algorithms, quantum information theory, quantum simulation, and potential application areas such as quantum linear algebra and quantum machine learning. We also welcome exceptional candidates from all disciplines in Computer Science, who can contribute to the new catalysts.
The successful candidate will help us seek and seize opportunities for research funding and industrial engagement. They will hold a PhD or equivalent, and will have a proven research record with a solid background in the underlying theory. Experience in attracting funding, engaging with industry, or contributing to outreach activities would also be valuable.
The appointee will be expected to contribute across the full range of departmental activities, including undergraduate and postgraduate teaching and the supervision of mainstream projects over a wide range of topics. In particular, duties and responsibilities of this post include: conducting individual or collaborative research projects; producing high-quality outputs for publication in high-profile journals or conference proceedings; applying for research funding; delivering high-quality teaching to all levels of students; supervising research postgraduate students.
This is a full-time and permanent (tenured) post, available from April 2022 or as soon as possible thereafter. The post is based in Egham, Surrey, within commuting distance from London, Europe’s most dynamic technology hub.
In return we offer a highly competitive rewards and benefits package including:
- Generous annual leave entitlement
- Training and Development opportunities
- Pension Scheme with generous employer contribution
- Various schemes including Cycle to Work, Season Ticket Loans and help with the cost of Eyesight testing.
- Free parking
For further details of the Department see royalholloway.ac.uk/computerscience or contact the Head of Department at Magnus.Wahlstrom@rhul.ac.uk. For further details on the Royal Holloway research catalysts see intranet.royalholloway.ac.uk/staff/research/research-2021/research-catalysts.aspx
To view further details of this post and to apply please visit https://jobs.royalholloway.ac.uk. For queries on the application process the Human Resources Department can be contacted by email at: recruitment@rhul.ac.uk
- Please quote the reference: 1221-502
- Closing Date: Midnight, 13th February 2022
- Interview Date: W/C 7th March 2022
We invite you to the 32nd HP/HPE Colloquium on Information Security, which will be held on Thursday 16th and Friday 17th December 2021, from 15:00 to 18:00 (UTC) on both days.
This year, it will be a virtual event with exciting talks, poster sessions and online discussion and networking.
Sponsorship from HP and HPE has enabled us to invite four distinguished speakers:
Thursday 16th December:
Friday 17th December:
Please find details about our speakers and their talks below.
REGISTER NOW: Registration is free but mandatory — tickets will be allocated on a first come, first served basis. For now, attendance is by invitation only, but we will make some spaces available to the public at a later date.
Joining instructions for Zoom and Zulip will be sent a week ahead of the event.
We are looking forward to another enjoyable end-of-year event and we hope you will join us on both days.
Martin Albrecht, Rikke Bjerg Jensen
Speakers
Alec Muffet: “Ends” all the way down: how we misunderstand security, privacy, identity, and anonymity
Diffie says that encryption is possibly the only conceivable way to communicate a secret over distance through an untrusted medium. Less well understood is that end-to-end encryption is similarly perhaps the only way to maintain an entity relationship over both distance and time through an untrusted medium. We will demonstrate that this facility is critical for innovation because all concepts of identity are founded upon entity relationships, rather than upon traditional, blunt abstractions of attributes, credentials and claims. We will explore this model of information security, discussing how it impacts the future of technology and the public debate around end-to-end encryption.
Bio: Alec is a full-time parent who has worked in host and network security for more than 30 years, with 25 of those in industry, holding senior engineering, architecture, and consulting roles at Sun Microsystems, Facebook, and Deliveroo. Alec is noted particularly for his work in password hashing, systems security, and end-to-end encrypted communications.
Nithya Sambasivan: The chilling effect of privacy and safety on non-Western women
The Internet isn’t gender equitable. In over two-thirds of countries worldwide, there are more male than female users online. In this talk, I will share findings on how safety & privacy threats limit women’s access and free expression online, drawn from our gender equity research in seven countries, spanning nearly 2 years. I will present novel and chilling abuse threats enabled by pervasive social media platforms, resulting in cyberstalking, impersonation and personal data leakages, and how our participants experienced and coped with the threats. I will also share how inadequate privacy on devices led participants to create privacy-preserving practices while sharing phones, such as locks, deleting traces, and avoiding specific digital activities. I will then discuss design implications towards a safer, more private Internet.
Bio: Nithya Sambasivan is a Research Scientist at PAIR, Google Research and leads the human-computer interaction (HCI) group at the India lab. Her current research focuses on designing responsible AI systems by focusing on the humans of the AI/ML pipeline, specifically in the non-West. Her research is seminal to Google’s products and strategy for emerging markets, while also winning numerous best paper awards and nominations at top-tier computing conferences. Nithya has a PhD in Information and Computer Sciences from UC Irvine.
Clémentine Maurice: Evolution of micro-architectural attacks
Hardware is often considered an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing, paving the way for covert or side-channel attacks. In this presentation, we will cover the evolution of micro-architectural attacks. We will first have a look at a historical recap of past attacks and how the field evolved in the last years. We will then focus on recent trends, and will conclude with the different challenges and open questions that the field is facing.
Bio: Clémentine Maurice is a full-time CNRS researcher in the Spirals team at CRIStAL (Lille, France). Prior to that, she obtained her PhD from Telecom ParisTech in October 2015, and then worked as a postdoctoral researcher at Graz University of Technology, Austria. Her research interests span software-based side-channel and fault attacks on commodity computers and servers, leveraging micro-architectural components. She also enjoys reverse-engineering processor parts. Beyond academic conferences, she presented her research at venues like the Chaos Communication Congress and BlackHat Europe.
Lorenzo Cavallaro: Dos and don’ts of machine learning in computer security
With the growing processing power of computing systems and the increased availability of massive datasets, machine learning algorithms have led to major breakthroughs in many different areas. This development has influenced computer security, inspiring many learning-based security systems, such as for malware detection, vulnerability discovery, and binary code analysis. Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance and render learning-based systems potentially unsuitable for security tasks and practical deployment. In this talk, we look at common pitfalls in the design, implementation, and evaluation of learning-based security systems which we have identified across 30 papers from top-tier security conferences within the past decade. We further examine how individual pitfalls can lead to unrealistic and misleading results through a set of case studies and, as a remedy, derive actionable recommendations for avoiding them.
Bio: Lorenzo grew up on pizza, spaghetti, and Phrack, first. Underground and academic research interests followed shortly thereafter. He is currently a Full Professor of Computer Science at UCL, where he leads the Systems Security Research Lab in the Information Security Research Group. Lorenzo’s research vision focuses on understanding and improving the effectiveness of machine learning methods for systems security in the presence of adversaries. In particular, he investigates the intertwined relationships of program analysis and machine learning and the implications they have towards realizing Trustworthy ML for Systems Security. Lorenzo has definitely never stopped wondering and having fun throughout.