## IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 30 May 2020

###### Hvar, Croatia, 17 September - 19 September 2020

Event CalendarSubmission deadline: 10 June 2020

###### Santa Barbara, USA, -

Event CalendarSubmission deadline: 1 June 2021

Notification: 1 July 2021

###### Cryptanalysis Taskforce @ Nanyang Technological University, Singapore

Job Posting(Yes ! We are still hiring despite COVID-19)

The Cryptanalysis Taskforce at Nanyang Technological University in Singapore led by Prof. Jian Guo is seeking for candidates to fill 3 postdoctoral research fellow positions on symmetric-key cryptography, including but not limited to the following sub-areas:- privacy-preserving friendly symmetric-key designs
- tool aided cryptanalysis, such as MILP, CP, STP, and SAT
- machine learning aided cryptanalysis and designs
- quantum cryptanalysis
- cryptanalysis against SHA-3 and AES

**Closing date for applications:**

**Contact:** Asst Prof. Jian Guo, guojian@ntu.edu.sg

###### Carnegie Mellon University

Job Posting**Closing date for applications:**

**Contact:** Vipul Goyal (vipul at cmu.edu)

**More information:** http://www.cs.cmu.edu/~goyal/

###### CryptoLux Group, University of Luxembourg

Job PostingThe CryptoLux group of the University of Luxembourg has a vacancy for a post-doctoral researcher in the area of symmetric cryptography. The successful candidate will contribute to a research project entitled "Analysis and Protection of Lightweight Cryptographic Algorithms (APLICA)", which is funded by the Luxembourgish Fonds National de la Recherche and the German Research Foundation. Starting in Fall 2020, APLICA will run over a period of 3 years as a joint research project between the CryptoLux group and the Workgroup for Symmetric Cryptography of Ruhr-University Bochum. The mission of the APLICA project is to develop new cryptanalytic techniques for lightweight authenticated encryption algorithms and hash functions, and to design and implement new countermeasures against side-channel attacks that are suitable for constrained devices.

Candidates must have a Ph.D. degree in symmetric cryptography or a closely related field. Preference will be given to candidates with a strong publication record that includes at least one paper at an IACR-sponsored conference/workshop or one of the top-4 security conferences. Experience in software development for embedded systems or mounting side-channel attacks is a plus. Candidates with an interest to conduct research in one of the following areas are particularly encouraged to apply:

- Cryptanalysis of authenticated encryption algorithms or hash functions
- Leakage resilience or leakage reduction by design (e.g. modes of operation)
- Security evaluation of leakage-resilient primitives or constructions

The position is available from Sept. 2020 on basis of a fixed-term contract for 3 years, which includes a probation period of 6 months. The University of Luxembourg offers excellent working conditions and a highly competitive salary. Interested candidates are invited to send their application by email to Alex Biryukov before June 15, 2020. The application material should contain a cover letter explaining the candidate's research interests, a detailed CV (including photo), a list of publications, scans of diploma certificates, and the names and contact details of 3 referenc

**Closing date for applications:**

**Contact:** Prof. Alex Biryukov (alex.biryukov@uni.lu)

**More information:** https://www.fnr.lu/projects/analysis-and-protection-of-lightweight-cryptographic-algorithms/

#### 28 May 2020

###### Jason H. M. Ying, Shuwei Cao, Geong Sen Poh, Jia Xu, Hoon Wei Lim

ePrint Report###### Yao Jiang

ePrint ReportThis paper solves two open problems in updatable encryption, that of uni-directional vs. bi-directional updates, and post-quantum security.

The main result in this paper is to analyze the security notions based on uni- and bi-directional updates. Surprisingly, we prove that uni- and bi-directional variants of each security notion are equivalent.

The second result in this paper is to provide a new and highly efficient updatable encryption scheme based on the Decisional Learning with Error assumption. This gives us post-quantum security. Our scheme is bi-directional, but because of our main result, this is sufficient.

#### 27 May 2020

###### University of Stuttgart, Germany

Job Posting**Closing date for applications:**

**Contact:** Ilia Polian

**More information:** https://spp-nanosecurity.uni-stuttgart.de/projects/

#### 26 May 2020

###### Junbin Fang, Dominique Unruh, Jian Weng, Jun Yan, Dehua Zhou

ePrint ReportAs the first step towards studying the possible application of quantum bit commitment in quantum cryptography, in this work we consider replacing the classical bit commitment used in some well-known constructions with a perfectly/statistically-binding quantum bit commitment. We show that (quantum) security can still be fulfilled in particular with respect to zero-knowledge, oblivious transfer, and proofs-of-knowledge. In spite of this, we stress that the corresponding security analyses are by no means a trivial adaptation of their classical counterparts. New techniques are needed to handle possible superposition attacks by the cheating sender of the quantum bit commitments.

Since non-interactive quantum bit commitment schemes can be constructed from general quantum-secure one-way functions, we hope to use quantum bit commitment (rather than the classical one that is still quantum-secure) in cryptographic construction to reduce the round complexity and weaken the complexity assumption simultaneously.

###### Ben Kreuter, Sarvar Patel, Ben Terner

ePrint Report###### Viet Tung Hoang, Yaobin Shen

ePrint Report###### Ivan Damgård, Sophia Yakoubov

ePrint ReportIn this paper, we set out to determine whether we can get ATE with short ciphertexts from standard primitives. We therefore work in a model where we limit reliance on computational assumptions. We do this by demanding information theoretic security given black-box access to limited cryptographic tools such as non-interactive key exchange and pseudorandom generators.

We show that, with access only to idealized two-party key exchange, any secure ATE scheme must produce ciphertexts of size at least (n-t-1)l (where l is the length of the message). If access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes k(n-t)/2 + l (where k is the length of the input to the PRG).

If idealized q-party key exchange for q > 2 is availabe, then we can achieve a constant-size ciphertext, at the cost of invoking the key exchange an exponential number of times. We also prove that, if the size of the ciphertext is optimal (that is, equal to the size of the message), the exponential overhead is unavoidable. Finally, we give some alternative constructions demonstrating that the overhead can be reduced at the cost of slightly larger ciphertext size.

###### Rachit Garg, George Lu, Brent Waters

ePrint ReportDamg{\aa}rd, Ganesh, and Orlandi (CRYPTO' 19) proposed a novel notion that we will call proof of replication with client setup. Here, a client first operates with secret coins to generate the replicas for a file. Such systems do not inherently have to require fine-grained timing assumptions. At the core of their solution to building proofs of replication with client setup is an abstraction called replica encodings. Briefly, these comprise a private coin scheme where a client algorithm given a file $m$ can produce an encoding $\sigma$. The encodings have the property that, given any encoding $\sigma$, one can decode and retrieve the original file $m$. Secondly, if a server has significantly less than $n \cdot |m|$ bit of storage, it cannot reproduce $n$ encodings. The authors give a construction of encodings from ideal permutations and trapdoor functions.

In this work, we make three central contributions: 1) Our first contribution is that we discover and demonstrate that the security argument put forth by DGO19 is fundamentally flawed. Briefly, the security argument makes assumptions on the attacker's storage behavior that does not capture general attacker strategies. We demonstrate this issue by constructing a trapdoor permutation which is secure assuming indistinguishability obfuscation, serves as a counterexample to their claim (for the parameterization stated). 2) In our second contribution we show that the DGO19 construction is actually secure in the ideal permutation model from any trapdoor permutation when parameterized correctly. In particular, when the number of rounds in the construction is equal to $\lambda \cdot n \cdot b$ where $\lambda$ is the security parameter, $n$ is the number of replicas and $b$ is the number of blocks. To do so we build up a proof approach from the ground up that accounts for general attacker storage behavior where we create an analysis technique that we call ``sequence-then-switch''. 3) Finally, we show a new construction that is provably secure in the random oracle (or random function) model. Thus requiring less structure on the ideal function.

#### 25 May 2020

###### Sanjam Garg, Romain Gay, Mohammad Hajiabadi

ePrint Report###### Diego F. Aranha, Felipe Rodrigues Novaes, Akira Takahashi, Mehdi Tibouchi, Yuval Yarom

ePrint ReportIn this paper, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than $1$ bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability $<1$. Exploiting such a mild leakage would be intractable using techniques present in the literature so far. However, we present a number of theoretical improvements of the Fourier analysis approach to solving the HNP (an approach originally due to Bleichenbacher), and this lets us practically break LadderLeak-vulnerable ECDSA implementations instantiated over the sect163r1 and NIST P-192 elliptic curves. In so doing, we achieve several significant computational records in practical attacks against the HNP.

###### Amit Deo, Benoit Libert, Khoa Nguyen, Olivier Sanders

ePrint Report###### Tomoki Moriya, Hiroshi Onuki, Tsuyoshi Takagi

ePrint ReportNext, we propose a Naor-Reingold type pseudo random function based on SiGamal. If the P-CSSDDH assumption and the CSSDDH$^*$ assumption, which guarantees the security of CSIDH that uses a prime $p$ in the setting of SiGamal, hold, then our proposed function is a pseudo random function. Moreover, we estimate computational costs of group actions to compute our proposed PRF are about $\sqrt{\frac{8T}{3\pi}}$ times than that of the group action in CSIDH, where $T$ is the Hamming weight of input of the PRF.

Finally, we experimented group actions in SiGamal and C-SiGamal. In our experimentation, the computational costs of group actions in SiGamal-512 with a $256$-bit plaintext message space are about $2.62$ times that of a group action in CSIDH-512.

###### Jeroen Pijnenburg, Bertram Poettering

ePrint Report###### Rami Elkhatib, Reza Azarderakhsh, Mehran Mozaffari-Kermani

ePrint Report###### Navid Alamati, Hart Montgomery, Sikhar Patranabis

ePrint ReportA number of recent works have shown how to build iO from multilinear maps endowed with plausible assumptions; one example would be the work of Lin and Tessaro (Crypto’17) which shows how to construct iO from subexponentially secure SXDH-hard multilinear maps and some (subexponentially secure) plausible assumptions. Coupled with any one of these constructions, our results here can be seen as formally proving the equivalence of iO and multilinear maps/graded encodings (modulo subexponential reductions and other plausible assumptions) for the first time.