## IACR News

Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 27 November 2020

###### Warsaw, Poland, 23 March - 26 March 2021
Event Calendar
Event date: 23 March to 26 March 2021
Submission deadline: 15 January 2021
Notification: 1 February 2021
###### Perth, Australia, 7 July - 9 July 2021
Event Calendar
Event date: 7 July to 9 July 2021
Submission deadline: 15 February 2021
Notification: 6 April 2021
Announcement
The registration for Asiacrypt 2020 (virtual) is now open: https://asiacrypt.iacr.org/2020/

The IACR board has decided that virtual Asiacrypt 2020 will be free, but attendees are required to pay the IACR membership fee for 2021 if they have not already paid it (typically by attending an IACR conference in 2020).

The conference program is available here: https://asiacrypt.iacr.org/2020/program.php

#### 26 November 2020

###### University of St. Gallen, Switzerland
Job Posting
We are looking for a bright and motivated PhD student to work in the topics of information security and cryptography. The student is expected to work on topics that include security and privacy issues for resource-constrained devices (e.g., sensors) that rely on external untrusted servers in order to perform computations. More precisely, the student shall be working on investigating efficient authentication and verifiable delegation of computation mechanisms that provide: i) provable security guarantees, and ii) rigorous privacy guarantees. The position is funded with a competitive salary.
Research area: Research areas include but are not limited to:
• Verifiable computation
• Secure Multi Party Computation
• Privacy-preserving authentication
• Cryptographic primitives
• A MsC degree in Computer Science, Applied Mathematics or a relevant field;
• Strong mathematical and algorithmic CS background;
• Excellent programming skills;
• Excellent written and verbal communication skills in English
Deadline for applications: 15 December 2020
Starting date: Beginning of 2021 or by mutual agreement

Closing date for applications:

Contact: Katerina Mitrokotsa

###### IMDEA Software Institute, Madrid, Spain
Job Posting

Applications are invited for two fully-funded PhD student position at the IMDEA Software Institute (Madrid, Spain).

The selected candidate will work with Marco Guarnieri (https://mguarnieri.github.io) on the design, verification, and implementation of countermeasures against CPU micro-architectural attacks.

Who should apply?

Ideal candidates have earned (or are in their last year of) a Master's degree in Computer Science, Computer Engineering, or Mathematics, with interest in at least one of the following areas:

• Computer security
• Computer architectures
• Program analysis and verification
• Formal methods
• Logics

Solid programming skills will be highly valued. The position requires good teamwork and communication skills, including excellent spoken and written English.

Working at IMDEA Software

The IMDEA Software Institute is ranked among the best European research institutes in the areas of Programming Languages and Computer Security. Located in the Montegancedo Science and Technology Park, it perfectly combines the sunny and vibrant city of Madrid with cutting edge research and inspiring working environment.

The institute provides an internationally competitive stipend, access to an excellent public health care system, unemployment benefits, retirement benefits, and support for research related travel. The working language at the institute is English. Knowledge of Spanish is not required.

Dates

The duration of the position is intended to be for the duration of the doctoral studies. The ideal starting period is from early January 2021

Deadline for applications is December 20th, 2020. Review of applications will begin immediately, and continue until the positions are filled.

How to apply?

Applicants interested in the position should submit their application at https://careers.software.imdea.org/ using reference code 2020-11-phd-uarchsec.

Questions

For any questions about these positions, please contact Marco Guarnieri directly (marco dot guarnieri at imdea dot org).

Closing date for applications:

Contact: Marco Guarnieri (marco dot guarnieri at imdea dot org)

###### IMDEA Software Institute, Madrid, Spain
Job Posting

Applications are invited for one postdoctoral position at the IMDEA Software Institute (Madrid, Spain).

The selected candidate will work with Marco Guarnieri (https://mguarnieri.github.io) on the design, verification, and implementation of countermeasures against CPU micro-architectural attacks.

Who should apply?

Ideal candidates have earned (or are close to earning) a PhD in Computer Science or a related area with a promising publication record and experience in at least one of the following areas:

• Computer security
• Computer architectures
• Program analysis and verification
• Formal methods
• Logics

Solid programming skills will be highly valued. The position requires good teamwork and communication skills, including excellent spoken and written English.

Working at IMDEA Software

The IMDEA Software Institute is ranked among the best European research institutes in the areas of Programming Languages and Computer Security. Located in the Montegancedo Science and Technology Park, it perfectly combines the sunny and vibrant city of Madrid with cutting edge research and inspiring working environment.

The institute provides an internationally competitive stipend, access to an excellent public health care system, unemployment benefits, retirement benefits, and support for research related travel. The working language at the institute is English. Knowledge of Spanish is not required.

Dates

The duration of the position is intended to be for 24 months. The ideal starting period is from early January 2021.

Deadline for applications is December 20th, 2020. Review of applications will begin immediately, and continue until the positions are filled.

How to apply?

Applicants interested in the position should submit their application at https://careers.software.imdea.org/ using reference code 2020-11-postdoc-uarchsec.

Questions

For any questions about these positions, please contact Marco Guarnieri directly (marco dot guarnieri at imdea dot org).

Closing date for applications:

Contact: Marco Guarnieri (marco dot guarnieri at imdea dot org)

###### CWI, Amsterdam
Job Posting
The CWI Cryptology group is looking for a young postdoc researcher interested in both codes and lattices in the context of cryptography. The goal is to make major progress in both research areas, by comparing them, by transferring techniques back and forth, or even by developing a unifying theory. All angles relevant to cryptography are considered, from construction to cryptanalysis, and from theory to practice.
The successful candidate will be working with Dr. Léo Ducas, within his ERC Starting Grant project ARTICULATE.

More details at : https://www.cwi.nl/jobs/vacancies/866541

Closing date for applications:

Contact: Léo Ducas : ducas AT cwi DOT nl

#### 24 November 2020

###### Thomas Haines, Rajeev Gore, Jack Stodart
ePrint Report
ElectionGuard is an open source set of software components and specifications from Microsoft designed to allow the modification of a number of different e-voting protocols and products to produce public evidence (transcripts) which anyone can verify. The software uses ElGamal, homomorphic tallying and sigma protocols to enable public scrutiny without adversely affecting privacy. Some components have been formally verified (machine-checked) to be free of certain software bugs but there was no formal verification of their cryptographic security. Here, we present a machine-checked proof of the verifiability guarantees of the transcripts produced and verified according to the ElectionGuard specification. We have also extracted an executable version of the verifier specification, which we proved to be secure, and used it to verify election transcripts produced by ElectionGuard. Our results show that our implementation is of similar efficiency to existing implementations.
###### Andreas Richardson, Jiahua Xu
ePrint Report
Blockchain has the potential to accelerate the worldwide deployment of an emissions trading system (ETS) and improve the efficiency of existing systems. In this paper, we present a model for a permissioned blockchain implementation based on the successful European Union (EU) ETS and discuss its potential advantages over existing technology. The proposed ETS model is both backward compatible and future-proof, characterised by interconnectedness, transparency, tamper-resistance and continuous liquidity. Further, we identify key challenges to implementation of blockchain in ETS, as well as areas of future work required to enable a fully decentralised blockchain-based ETS.
###### Kwangsu Lee
ePrint Report
Revocable identity-based encryption (RIBE) is an extension of identity-based encryption (IBE) and it supports efficient revocation of private keys. In the past, many efficient RIBE schemes have been proposed, but research on efficiently delegating the generation of update keys to a cloud server is somewhat insufficient. In this paper, we newly introduce the concept of delegated RIBE (DRIBE) that can delegate the generation of update keys to the cloud server and define the security models of DRIBE. Next, we propose a DRIBE scheme by generically combining a hierarchical IBE (HIBE) scheme, an identity-based broadcast encryption (IBBE) scheme, and a collision-resistant hash function. In addition, we propose a DRIBE-INC scheme that generates an occasional base update key and a periodic incremental update key to reduce the size of the update key in our DRIBE scheme.
###### A. M. Mironov
ePrint Report
A cryptographic protocol (CP) is a distributed algorithm designed to provide a secure communication in an insecure environment. CPs are used, for example, in electronic payments, electronic voting procedures, database access systems, etc. Errors in the CPs can lead to great financial and social damage, therefore it is necessary to use mathematical methods to justify the correctness and safety of the CPs. In this paper, a new mathematical model of a CP is introduced, which allows one to describe both the CPs and their properties. It is shown how, on the basis of this model, it is possible to solve the problems of verification of CPs.
###### Leonie Reichert, Samuel Brack, Björn Scheuermann
ePrint Report
Super-spreader events where one person infects many others have been a driving force of the Covid-19 pandemic. Such events often happen indoors, such as in restaurants, at choir practice or in gyms. Many systems for automated contact tracing (ACT) have been proposed, which will warn a user when they have been in proximity to an infected person. These generally fail to detect potential super-spreader events as only users who have come in close contact with the infected person, but not others who also visited the same location, are warned. Other approaches allow users to check into locations or venues, but these require user interaction.

We propose two designs how broadcast-based ACT systems can be enhanced to utilize location-specific information without the need for GPS traces or scanning of QR codes. This makes it possible to alert attendees of a potential super-spreader event while still remaining private. Our first design relies on cooperating lighthouses which cover a large area and send out pseudonyms. These are recorded by visitors and published by the health authority (HA) in case of an infection. The second design has lighthouses actively communicating with HAs after retrospectively detecting an infected visitor to warn everyone whose stay overlapped.
###### Emanuele Bellini, Philippe Gaborit, Alexandros Hasikos, Victor Mateu
ePrint Report
The advent of quantum computers is a threat to most currently deployed cryptographic primitives. Among these, zero-knowledge proofs play an important role, due to their numerous applications. The primitives and protocols presented in this work base their security on the difficulty of solving the Rank Syndrome Decoding (RSD) problem. This problem is believed to be hard even in the quantum model. We first present a perfectly binding commitment scheme. Using this scheme, we are able to build an interactive zero-knowledge proof to prove: the knowledge of a valid opening of a committed value, and that the valid openings of three committed values satisfy a given linear relation, and, more generally, any bitwise relation. With the above protocols it becomes possible to prove the relation of two committed values for an arbitrary circuit, with quasi-linear communication complexity and a soundness error of 2/3. To our knowledge, this is the first quantum resistant zero-knowledge protocol for arbitrary circuits based on the RSD problem. An important contribution of this work is the selection of a set of parameters, and an a full implementation, both for our proposal in the rank metric and for the original LPN based one by Jain et. al in the Hamming metric, from which we took the inspiration. Beside demonstrating the practicality of both constructions, we provide evidence of the convenience of rank metric, by reporting performance benchmarks and a detailed comparison.
###### James Bartusek, Andrea Coladangelo, Dakshita Khurana, Fermi Ma
ePrint Report
We investigate the round complexity of maliciously-secure two-party quantum computation (2PQC) with setup, and obtain the following results:

&#8729; A three-message protocol (two-message if only one party receives output) in the common random string (CRS) model assuming classical two-message oblivious transfer (OT) with post-quantum malicious security. This round complexity is optimal for the sequential communication setting. Under the additional assumption of reusable malicious designated-verifier non-interactive zero-knowledge (MDV-NIZK) arguments for NP, our techniques give an MDV-NIZK for QMA. Each of the assumptions mentioned above is known from the quantum hardness of learning with errors (QLWE).

&#8729; A protocol with two simultaneous rounds of communication, in a quantum preprocessing model, assuming sub-exponential QLWE. In fact, we construct a three-round protocol in the CRS model with only two rounds of online communication, which implies the above result. Along the way, we develop a new delayed simulation technique that we call “simulation via teleportation,” which may be useful in other settings.

In addition, we perform a preliminary investigation into barriers and possible approaches for two-round 2PQC in the CRS model, including an impossibility result for a natural class of simulators, and a proof-of-concept construction from a strong form of quantum virtual black-box (VBB) obfuscation.

Prior to our work, maliciously-secure 2PQC required round complexity linear in the size of the quantum circuit.
###### Songze Li, David Tse
ePrint Report
Most state machine replication protocols are either based on the 40-years-old Byzantine Fault Tolerance (BFT) theory or the more recent Nakamoto’s longest chain design. Longest chain protocols, designed originally in the Proof-of-Work (PoW) setting, are available under dynamic participation, but has probabilistic confirmation with long latency dependent on the security parameter. BFT protocols, designed for the permissioned setting, has fast deterministic confirmation, but assume a fixed number of nodes always online. We present a new construction which combines a longest chain protocol and a BFT protocol to get the best of both worlds. Using this construction, we design TaiJi, the first dynamically available PoW protocol which has almost deterministic confirmation with latency independent of the security parameter. In contrast to previous hybrid approaches which use a single longest chain to sample participants to run a BFT protocol, our native PoW construction uses many independent longest chains to sample propose actions and vote actions for the BFT protocol. This design enables TaiJi to inherit the full dynamic availability of Bitcoin, as well as its full unpredictability, making it secure against fully-adaptive adversaries with up to 50% of online hash power.
###### Jiayu Zhang
ePrint Report
In the universal blind quantum computation problem, a client wants to make use of a single quantum server to evaluate $C|0\rangle$ where $C$ is an arbitrary quantum circuit while keeping $C$ secret. The client's goal is to use as few resources as possible. This problem, first raised by Broadbent, Fitzsimons and Kashefi [FOCS09, arXiv:0807.4154], has become fundamental to the study of quantum cryptography, not only because of its own importance, but also because it provides a testbed for new techniques that can be later applied to related problems (for example, quantum computation verification). Known protocols on this problem are mainly either information-theoretically (IT) secure or based on trapdoor assumptions (public key encryptions). In this paper we study how the availability of symmetric-key primitives, modeled by a random oracle, changes the complexity of universal blind quantum computation. We give a new universal blind quantum computation protocol. Similar to previous works on IT-secure protocols (for example, BFK [FOCS09, arXiv:0807.4154]), our protocol can be divided into two phases. In the first phase the client prepares some quantum gadgets with relatively simple quantum gates and sends them to the server, and in the second phase the client is entirely classical -- it does not even need quantum storage. Crucially, the protocol's first phase is succinct, that is, its complexity is independent of the circuit size. Given the security parameter $\kappa$, its complexity is only a fixed polynomial of $\kappa$, and can be used to evaluate any circuit (or several circuits) of size up to a subexponential of $\kappa$. In contrast, known schemes either require the client to perform quantum computations that scale with the size of the circuit [FOCS09, arXiv:0807.4154], or require trapdoor assumptions [Mahadev, FOCS18, arXiv:1708.02130].
###### Jun Shen, Fuchun Guo, Xiaofeng Chen, Willy Susilo
ePrint Report
Cloud auditing with ownership transfer is a provable data possession scheme meeting verifiability and transferability simultaneously. In particular, not only cloud data can be transferred to other cloud clients, but also tags for integrity verification can be transferred to new data owners. More concretely, it requires that tags belonging to the old owner can be transformed into that of the new owner by replacing the secret key for tag generation while verifiability still remains. We found that existing solutions are less efficient due to the huge communication overhead linear with the number of tags. In this paper, we propose a secure auditing protocol with efficient ownership transfer for cloud data. Specifically, we sharply reduce the communication overhead produced by ownership transfer to be independent of the number of tags, making it with a constant size. Meanwhile, the computational cost during this process on both transfer parties is constant as well.
###### Alessandro Budroni, Qian Guo, Thomas Johansson, Erik Mårtensson, Paul Stankovski Wagner
ePrint Report
The Learning with Errors (LWE) problem is one of the main mathematical foundations of post-quantum cryptography. One of the main groups of algorithms for solving LWE is the Blum-Kalai-Wasserman (BKW) algorithm. This paper presents new improvements for BKW-style algorithms for solving LWE instances. We target minimum concrete complexity and we introduce a new reduction step where we partially reduce the last position in an iteration and finish the reduction in the next iteration, allowing non-integer step sizes. We also introduce a new procedure in the secret recovery by mapping the problem to binary problems and applying the Fast Walsh Hadamard Transform. The complexity of the resulting algorithm compares favourably to all other previous approaches, including lattice sieving. We additionally show the steps of implementing the approach for large LWE problem instances. The core idea here is to overcome RAM limitations by using large file-based memory.
###### Naoya Okanami, Ryuya Nakamura, Takashi Nishide
ePrint Report
Sharding is an approach to designing a highly scalable blockchain. A sharded blockchain achieves parallelism by dividing consensus nodes (validators) into groups called shards and making them process different transactions in each shard. In this paper, we economically analyze users’ behavior on sharded blockchains and identify a phenomenon that users’ accounts and smart contracts eventually get concentrated in a few shards, making shard loads unfair. This phenomenon leads to bad user experiences, such as delays in transaction inclusions and increased transaction fees. To solve the above problem, we propose a load balancing framework in sharded blockchains in which accounts and contracts are frequently reassigned into shards to reduce the difference of loads between shards. We formulate the contract reassignment as an optimization problem and present the algorithm to solve it. Further, we apply the framework to an existing sharding design (Ethereum 2.0) and modify the protocol to do load balancing. Finally, we simulate the protocol and observe smaller transaction delays and fees.
###### Mohammad Amin Rakeei, Farokhlagha Moazami
ePrint Report
Recently, Kumar and Chand proposed an anonymous authentication protocol for wireless body area network. They claimed that their scheme meets major security requirements and is able to resist known attacks. However, in this paper we demonstrate that their scheme is prone to traceability attack. Followed by this attack, an attacker can launch a man-in-the-middle attack and share a session key with the victim node, and hence the scheme does not achieve secure authentication. Also, we show that this protocol does not provide perfect forward secrecy which considered as a key security property in the design of any secure key agreement protocol.