## IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 21 February 2020

###### Hasso-Plattner-Institute, University of Potsdam, Germany

Job PostingThe Cybersecurity - Identity Management group at the Hasso-Plattner-Institute (HPI), University of Potsdam is seeking to fill several PhD and PostDoc positions in the area of cryptography and privacy.

**Your future tasks**

- Development of provably secure cryptographic protocols for real-world problems. Topics of interest include (but are not limited to):
- Distributed identity management
- Privacy-enhancing technologies
- Foundations and solutions for real-world cryptography

- Publish and present results at top-tier international conferences
- Participate in teaching activities

**Your skills**

- Master's degree (or PhD for postdoctoral position) in Computer Science, Mathematics, or a related area by the time of appointment
- Profound knowledge in the areas of cryptography and IT security (for postdoctoral candidates proven in the form of publications in these areas)
- Excellent English language skills

**What we offer**

- Collaborative work environment in a newly established research group
- Outstanding setting to conduct top academic research with strong connections to industry
- Working at the HPI campus in Potsdam-Babelsberg (S-Bahn station Griebnitzsee) near to Berlin

We look forward to your application including two references, motivation letter and copies of relevant diplomas and certificates. Please submit your application documents (only as PDF) via email.

**Closing date for applications:**

**Contact:** Anja Lehman, email: anja.lehmann (at) hpi.de

**More information:** https://hpi.de/lehmann/

###### Telecom SudParis, RST Department CNRS UMR 5157, SAMOVAR/R3S and IRT SytemX

Job Posting**Closing date for applications:**

**Contact:** joaquin.garcia_alfaro@telecom-sudparis.eu and
Kalpana.SINGH@irt-systemx.fr

###### University of Clermont-Auvergne, France

Job Posting- Location: LIMOS, Clermont-Ferrand, France
- Salary: 2000€
- Duration: 1 year
- Keywords: Cryptanalysis symmetric, constraint programming, SAT solving, ILP.
- Starting date: As soon as possible, when we have a good candidate; at least before October 2020.

- A PhD in Computer Science, Applied Mathematics, Cryptography or related field.
- Competitive research record in symmetric cryptography or in constraint programming.
- Commitment, team working and a critical mind.
- Good written and verbal communication skills in English are essential.

This post-doc is founded by the ANR project Decrypt started in January 2019.

Transforming a theoretical cryptanalysis into a SAT problem or into a set of linear constraints could be a hard and time-consuming task. Our aim is to use constraint programming (CP) to simplify the way the symmetric key attacks are modeled and thus to overpass existing cryptanalytic results. Preliminary studies are really encouraging.

GoalThe main goal is to identify schemes and attacks for which it is possible to use off-the-shelf CP, SAT or ILP approaches. To achieve this goal, the work will be divided into the following tasks.

- Study symmetric encryption schemes and identify for several schemes the different components that are used in the scheme design.
- Design CP, SAT, and ILP models for cryptanalytic problems on selected schemes. We will mainly focus on the following attacks: cube attacks, conditional cube attacks with division property, (related-key) differential and linear cryptanalysis, word-based division property / integral distinguisher.
- Experimentally evaluate CP, SAT, and ILP solvers on the models designed in previous tasks, and compare these solvers with existing dedicated cryptanalysis approaches. Design of a tool to automate this task is one of the goals of the project.

**Closing date for applications:**

**Contact:** Pascal Lafourcade pascal.Lafourcade@uca.fr

**More information:** https://decrypt.limos.fr/post/postdoc-offer-limos/

###### Université Jean Monnet, Saint-Etienne, France

Job Posting**Closing date for applications:**

**Contact:** Vincent Grosso

###### PQSecure Technologies, Boca Raton, FL, USA

Job Posting**Closing date for applications:**

**Contact:** Dr. Reza Azarderakhsh razarder[a/t]pqsecurity.com

###### Junichi Tomida, Nuttapong Attrapadung

ePrint Report###### Changmin Lee, Alexandre Wallet

ePrint Report###### Itai Dinur

ePrint ReportIn this paper, we prove that any algorithm for CSP satisfies $T^2 \cdot S = \tilde{\Omega}(C^2 \cdot N)$, hence the best known time-space tradeoff is optimal (up to poly-logarithmic factors in $N$). On the other hand, we give strong evidence that proving similar unconditional time-space tradeoff lower bounds on CSP applications (such as breaking double and triple encryption) may be very difficult, and would imply a breakthrough in complexity theory. Hence, we propose a new restricted model of computation and prove that under this model, the best known time-space tradeoff attack on double encryption is optimal.

###### Shweta Agrawal, Shota Yamada

ePrint ReportOur main technical contribution is a ciphertext policy attribute based encryption (CP-ABE) scheme which achieves special efficiency properties – its ciphertext size, secret key size, and public key size are all independent of the size of the circuits supported by the scheme. We show that this special CP-ABE scheme implies BE with optimal parameters; but it may also be of independent interest. Our constructions rely on a novel interplay of bilinear maps and LWE, and are proven secure in the generic group model.

###### Yindong Chen, Limin Lin, Chuliang Wei

ePrint Report###### Meher Krishna Duggirala . , . Ravi Duggirala . , . Krishna Subba Rao Pulugurtha

ePrint Report###### Lior Rotem, Gil Segev, Ido Shahaf

ePrint ReportIn this work we prove that there are no constructions of generic-group delay functions in cyclic groups of known orders: We show that for any delay function that does not exploit any particular property of the representation of the underlying group, there exists an attacker that completely breaks the function's sequentiality when given the group's order. As any time-lock puzzle and verifiable delay function give rise to a delay function, our result holds for these two notions we well, and explains the lack of success in resolving the above-mentioned long-standing challenge. Moreover, our result holds even if the underlying group is equipped with a $d$-linear map, for any constant $d \geq 2$ (and even for super-constant values of $d$ under certain conditions).

###### Mihir Bellare, Igors Stepanovs

ePrint Report###### Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, Takashi Yamakawa

ePrint ReportOur main result is a construction of a pairing-based NIZK for all of NP whose proof size is additive in $|C|$, that is, the proof size only grows by $|C| +\poly(\lambda)$, based on the decisional linear (DLIN) assumption. Since the DLIN assumption is the same assumption underlying GOS-NIZK, our NIZK is a strict improvement on their proof size.

As by-products of our main result, we also obtain the following two results: (1) We construct a perfectly zero-knowledge NIZK (NIPZK) for NP relations computable in NC1 with proof size $|w| \cdot \poly(\lambda)$ where $|w|$ is the witness length based on the DLIN assumption. This is the first pairing-based NIPZK for a non-trivial class of NP languages whose proof size is independent of $|C|$ based on a standard assumption. (2)~We construct a universally composable (UC) NIZK for NP relations computable in NC1 in the erasure-free adaptive setting whose proof size is $|w| \cdot \poly(\lambda)$ from the DLIN assumption. This is an improvement over the recent result of Katsumata, Nishimaki, Yamada, and Yamakawa (CRYPTO'19), which gave a similar result based on a non-static $q$-type assumption.

The main building block for all of our NIZKs is a constrained signature scheme with decomposable online-offline efficiency. This is a property which we newly introduce in this paper and construct from the DLIN assumption. We believe this construction is of an independent interest.

###### Dan Boneh, Saba Eskandarian, Sam Kim, Maurice Shih

ePrint ReportThis work's contributions are threefold. First, we introduce new definitions for updatable encryption (in the ciphertext-dependent setting) that capture desirable security properties not covered in prior work. Next, we construct two new updatable encryption schemes. The first construction relies only on symmetric cryptographic primitives but only supports a bounded number of key rotations. The second supports a (nearly) unbounded number of updates and relies on almost key-homomorphic PRFs. We construct an efficient almost key-homomorphic PRF from the Ring Learning with Errors (RLWE) assumption to concretely instantiate our second construction. Finally, we implement both constructions and compare their performance to prior work. Our RLWE-based construction outperforms an existing updatable encryption scheme based on the hardness of DDH in elliptic-curve groups by over 200x in speed. Our construction based only on symmetric primitives has the highest encryption throughput, approaching the performance of AES, and the highest decryption throughput on ciphertexts that were re-encrypted fewer than fifty times, at which point the RLWE construction dominates.

###### Fabrice Benhamouda, Huijia Lin

ePrint ReportWe initiate the study of mrNISC on several fronts. First, we formalize the security of mrNISC protocols in both a UC definition and a game-based definition. Second, we construct mrNISC protocols in the plain model with semi-honest and semi-malicious security based on bilinear groups. Third, we demonstrate the power of mrNISC by showing two applications: non-interactive MPC (NIMPC) with reusable setup and a distributed version of program obfuscation. In addition, at the core of our construction of mrNISC is a witness encryption scheme for a special language that verifies Non-Interactive Zero-Knowledge (NIZK) proofs of the validity of computations over committed values, which we believe is of independent interest.

###### Florian Tramèr, Dan Boneh, Kenneth G. Paterson

ePrint Report###### Michele Ciampi, Luisa Siniscalchi, Hendrik Waldner

ePrint ReportOur compiler extends the works of Brakerski et al. [Eurocrypt 2016] and of Komargodski et al. [Eurocrypt 2017] in which a generic compiler is proposed to obtain multi-input functional encryption (MIFE) from single-input functional encryption. Our construction achieves the stronger notion of MCFE but for the less generic class of separable functions. Prior to our work, a long line of results has been proposed in the setting of MCFE for the inner-product functionality, which is a special case of a separable function.

We also propose a modified version of the notion of decentralized MCFE introduced by Chotard et al. [Asiacrypt 2018] that we call outsourceable mulit-client functional encryption (OMCFE). Intuitively, the notion of OMCFE makes it possible to distribute the load of the decryption procedure among at most n different entities, which will return decryption shares that can be combined (e.g., additively) thus obtaining the output of the computation. This notion is especially useful in the case of a very resource consuming decryption procedure, while the combine algorithm is non-time consuming. We also show how to extend the presented MCFE protocol to obtain an OMCFE scheme for the same functionality class.