## IACR News

Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 19 November 2020

###### Sri Aravinda Krishnan Thyagarajan, Giulio Malavolta, Fritz Schmidt, Dominique Schröder
ePrint Report
Decentralized cryptocurrencies still suffer from three interrelated weaknesses: Low transaction rates, high transaction fees, and long confirmation times. Payment Channels promise to be a solution to these issues, and many constructions for real-life cryptocurrencies, such as Bitcoin, are known. Somewhat surprisingly, no such solution is known for Monero, the largest privacy-preserving cryptocurrency, without requiring system-wide changes like a hard-fork of its blockchain.

In this work, we close this gap by presenting \textsc{PayMo}, the first payment channel protocol that is fully compatible with Monero. \textsc{PayMo} does not require any modification of Monero and can be readily used to perform off-chain payments. Notably, transactions in \textsc{PayMo} are identical to standard transactions in Monero, therefore not hampering the coins' fungibility. Using \textsc{PayMo}, we also construct the first fully compatible secure atomic-swap protocol for Monero: One can now securely swap a token of Monero with a token of several major cryptocurrencies such as Bitcoin, Ethereum, Ripple, Cardano, etc. Before our work, it was not known how to implement secure atomic swaps protocols for Monero without forcing a hard fork. Our main technical contribution is a new construction of an efficient verifiable timed linkable ring signature, where signatures can be hidden for a pre-determined amount of time, in a verifiable way. Our scheme is fully compatible with the transaction scheme of Monero and it might be of independent interest. We implemented \textsc{PayMo} and our results show that, even with high network latency and with a single CPU core, two regular users can perform up to 93500 payments over a span of 2 minutes (the block production rate of Monero). This is approximately five orders of magnitude improvement over the current payment rate of Monero.
###### Ralph Ankele, Kai Nahrgang, Branka Stojanovic, Atta Badii
ePrint Report
Nowadays, virtually all products and services offered by financial institutions are backed by technology. While the frontend banking services seem to be simple, the core-banking backend systems and architecture are complex and often based on legacy technologies. Customer-facing applications and services are evolving rapidly, yet they have data dependencies on core banking systems running on ancient technology standards.

While those legacy systems are preferred for their stability, reliability, availability, and security properties, in adapting the frontends and services many security and privacy issues can occur. Clearly, this issues are arising as those systems have been designed decades ago, without considering the enormous amounts of data that they are required to handle and also considering different threat scenarios. Moreover, the trend towards using new technologies such as Distributed Ledger Technologies (DLT) has also emerged in the financial sector. As the nodes in DLT systems are decentralized, additional security threats come to light.

The focus of this work is the security of financial technologies in the FinTech domain. We provide relevant categorization and taxonomies for a better understanding of the main cyber-attack types, and suitable countermeasures. Our findings are supported by using security-by-design principles for some selected critical financial use-cases, and include a detailed discussion of the resulting threats, attack vectors and security recommendations.
Job Posting

To further strengthen and complement the expertise in our group, we are looking for outstanding researchers and teachers in the area of computer security. We have three faculty openings at the Assistant Professor, Associate Professor or Full Professor level (depending on the candidates, different combinations are possible). Possible focus areas for these positions include, but are not limited to, systems security, network security, hardware security, security analysis, usability of security, cryptography, formal methods in security, and privacy-enhancing technologies.

In the Master's programme in Computing Science our group is responsible for the specialisation in cybersecurity, and together with the Data Science group we are setting up a joint specialisation in cybersecurity and artificial intelligence (AI). As we seek to broaden our field of expertise, we especially encourage candidates in computer security disciplines outside the field of cryptography and those with expertise in both computer security and AI to apply. In view of our group's current gender balance, we strongly encourage qualified women to apply.

As we have multiple positions at different seniority levels available, the required qualifications for each of the three levels are different.

You will be appointed in the Digital Security Group at the Institute for Computing and Information Sciences (iCIS) of the Faculty of Science. The faculty is internationally renowned for the quality of its research. The Digital Security Group is one of the leading groups in computer security in the Netherlands and Europe, with, for example, 4 ERC grants in the last decade and strong involvement in European projects.

Closing date for applications:

Contact: Prof.dr.ir. Joan Daemen, joan@cs.ru.nl

###### Intrinsic ID, Eindhoven, The Netherlands
Job Posting
Intrinsic ID is an embedded security company, specializing in authentication technologies that protect Internet of Things devices and payment transactions; ensure safe connectivity; authenticate sensors and semiconductor chips; and protect sensitive military data & systems. Our approach is based on patented techniques in SRAM PUF.

Intrinsic ID currently has four open positions to expand its R&D team in Eindhoven and support the development of Intrinsic ID’s security solutions and products.

Positions:
• Hardware Design Engineer
• Hardware Verification Engineer
• Embedded Security Engineer
• Sr. Embedded Software Engineer / Architect
What we offer at Intrinsic ID:
• Competitive salary and benefits
• Career development opportunities in a fast-growing company
• Diverse and challenging problem-solving opportunities in a dynamic workplace
• An excellent working atmosphere
• The opportunity to be a part of a team with unparalleled experience in hardware and software security
Applications can be done directly on our website: https://www.intrinsic-id.com/company/careers

Closing date for applications:

Contact: Geert-Jan Schrijen, CTO (Geert.Jan.Schrijen@intrinsic-id.com)

###### Monash University, Malaysia campus
Job Posting
Monash University is ranked 55 in the QS 2021 world rankings and 64 in the Times HE 2021 world rankings. Monash University, Malaysia campus is recruiting 20 postdoc fellows in key areas including security/crypto+AI/ML: https://sites.google.com/monash.edu/postdoc/home High quality candidates who have a PhD, or are completing their PhD, are encouraged to apply. The candidate will join a team of security/AI researchers in collaboration with colleagues from the Australia campus. Current research directions including generative adversarial networks, adversarial machine learning, deepfakes, AI/ML for security. We also welcome crypto/security researchers looking to focus on crypto/security for/with AI/ML. Contact Professor Raphaël Phan for more details.

Closing date for applications:

Contact: Professor Raphaël Phan

#### 18 November 2020

###### Unione di Comuni della Romagna Forlivese, Italy, 23 July - 26 July 2021
Event Calendar
Event date: 23 July to 26 July 2021

#### 17 November 2020

Real World Crypto
The registration for RWC 2021 (virtual) is now open at https://rwc.iacr.org/2021/registration.php
Attendance is free but attendees are required to pay the IACR membership fee for 2022 if they have not already paid it (USD 50 for regular attendees and USD 25 for student attendee).

The conference program is coming soon - talks will be roughly 4pm UTC - 7.30pm UTC on January 11-14.

###### George Mason University, USA
Job Posting
A Postdoc position is available on the areas Cryptography and/or Blockchain. Candidates with interests in one or both areas are encouraged to apply.

The starting date can be anytime in Spring or Summer of 2021.

Closing date for applications:

Contact: Foteini Baldimtsi

#### 15 November 2020

Election
The 2020 election was held to fill three of nine IACR Director positions. 719 votes have been cast. The results are below, with elected candidates marked in bold:

Directors:
Masayuki Abe: 384
Britta Hale: 222
Tancrède Lepoint: 352
Emmanuel Thomé : 212
Moti Yung : 345

Congratulations to all elected members and thank to you all candidates for your contributions to the IACR and willingness to serve.

Election verification data can be found at https://vote.heliosvoting.org/helios/e/IACR2020Election.
###### Kevin "Kenny" Niehage
ePrint Report
Nextcloud provides a server side encryption feature that is implemented by the Default Encryption Module. This paper presents cryptographic vulnerabilities that existed within the Default Encryption Module as well as other shortcomings that still need to be addressed. The vulnerabilities allowed an attacker to break the provided confidentiality and integrity protection guarantees. There is a high risk that ownCloud also contains some of the issues presented in this paper as it still has cryptographic code in common with Nextcloud.
###### Ravi Anand, Subhamoy Maitra, Arpita Maitra, Chandra Sekhar Mukherjee, Sourav Mukhopadhyay
ePrint Report
In this paper, we present a detailed study of the cost of the quantum key search attack using Grover. We consider the popular Feedback Shift Register (FSR) based ciphers Grain-128-AEAD, TinyJAMBU, LIZARD, and Grain-v1 considering the NIST's MAXDEPTH depth restriction. We design reversible quantum circuits for these ciphers and also provide the QISKIT implementations for estimating gate counts. Our results show that cryptanalysis is possible with gate count less than $2^{170}$. In this direction, we also study the scenario where initial keystreams may be discarded before using it for encryption so that the Grovers attack on key search becomes costly in terms of circuit repetition. Finally, we connect Grover with BSW sampling for stream ciphers with low sampling resistance. We implement this attack on LIZARD (secret key size of 120 bits, state 121 bits, and security equivalent to 80 bits) and successfully recover the internal states with $2^{40.5}$ queries to the cryptographic oracle and $2^{40}$ amount of data. Our results provide a clear view of the exact status of quantum cryptanalysis against FSR based symmetric ciphers.
###### 11 November - 15 June 2021
Event Calendar
Event date: 11 November to 15 June 2021
###### Cambridge, USA, 2 December - 3 December 2020
Event Calendar
Event date: 2 December to 3 December 2020
###### Rhodes, Greece, 26 July - 28 July 2021
Event Calendar
Event date: 26 July to 28 July 2021
###### Michele Ciampi, Rafail Ostrovsky, Hendrik Waldner, Vassilis Zikas
ePrint Report
Typical approaches for minimizing the round complexity of multi-party computation (MPC) do so at the cost of increased communication complexity (CC) or reliance on setup assumptions. A notable exception is the recent work of Ananth et al. [TCC 2019], which used Functional Encryption (FE) combiners to obtain a round optimal (two-round) semi-honest MPC in the plain model with CC proportional to the depth and input-output length of the circuit being computed---we refer to such protocols as circuit scalable. This leaves open the question of obtaining communication efficient malicious security in the plain model which we answer in this work:

1) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-scalable maliciously secure MPC in the plain model, assuming a (succinct) FE combiner. By using our compiler with a round-optimal MPC, we derive the first round-optimal and circuit-scalable maliciously secure MPC in the plain model.

2) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into a circuit-independent---i.e., with CC that depends only on the input-output length of the circuit---maliciously secure MPC in the plain model, assuming Multi-Key Fully-Homomorphic Encryption (MFHE). Again, by using this second compiler with a round-optimal MPC, we derive the first round-optimal and circuit-independent maliciously secure MPC in the plain model. This is the best to-date CC for a round-optimal malicious MPC protocol, which is even communication-optimal when the output size of the function being evaluated is smaller than its input size (e.g., for boolean functions).

Our compilers assume the existence of four-round maliciously secure oblivious transfer which can be obtained from standard cryptographic assumptions.
###### Michael John Jacobson Jr., Prabhat Kushwaha
ePrint Report
We describe a novel type of weak cryptographic private key that can exist in any discrete logarithm based public-key cryptosystem set in a group of prime order $p$ where $p-1$ has small divisors. Unlike the weak private keys based on numerical size (such as smaller private keys, or private keys lying in an interval) that will always exist in any DLP cryptosystems, our type of weak private keys occurs purely due to parameter choice of $p$, and hence, can be removed with appropriate value of $p$. Using the theory of implicit group representations, we present algorithms that can determine whether a key is weak, and if so, recover the private key from the corresponding public key. We analyze several elliptic curves proposed in the literature and in various standards, giving counts of the number of keys that can be broken with relatively small amounts of computation. Our results show that many of these curves, including some from standards, have a considerable number of such weak private keys. We also use our methods to show that none of the 14 outstanding Certicom Challenge problem instances are weak in our sense, up to a certain weakness bound.
###### Alessandra Scafuro, Luisa Siniscalchi, Ivan Visconti
ePrint Report
In TCC 2017 Goyal and Goyal proposed the first -- and currently only-- construction of a publicly verifiable zero-knowledge  (pvZK) proof system that leverages a blockchain as a setup assumption. Such construction can be instantiated only through proof-of-stake blockchains and  presents a few more limitations and assumptions:   (1)  the adversary can only perform static corruption of the stakeholders,   (2) keys of the stakeholders must also allow for encryption, and  (3) honest stakeholders must never leak their secret keys  (even when no stake is left with respect to those keys).

In this work, we first show that, even if all the above limitations/assumptions hold,  a malicious verifier could still violate the zero-knowledge property by leveraging smart contracts. We show an  attack of the clones''  that allows a malicious verifier to clone some of the stakeholder capabilities via a smart contract that is designed after the proof is received from the prover. This leaves open the question of constructing publicly verifiable zero-knowledge proofs from blockchains. Moreover, it raises the issue of using blockchains as setup assumptions since they evolve over time and could even become unreliable in the future.   Then, we provide a publicly verifiable zero-knowledge proof system,  based on any blockchain (i.e., not only proof-of-stake) that, very roughly, satisfies the following unpredictability property.  Sufficiently many future honest blocks added to the blockchain contain a high min-entropy string in a specific location (e.g., a new wallet for cashing the mining reward). Our proof system is secure against a verifier/prover that can corrupt blockchain players adaptively. In particular,  it remains zero knowledge even if the blockchain eventually collapses and all blockchain players are controlled by the zero-knowledge adversary.
###### Ran Canetti, Oxana Poburinnaya
ePrint Report
Incoercible multi-party computation (Canetti-Gennaro ’96) allows parties to engage in secure computation with the additional guarantee that the public transcript of the computation cannot be used by a coercive outsider to verify representations made by the parties regarding their inputs, outputs, and local random choices. That is, it is guaranteed that the only deductions regarding the truthfulness of such representations, made by an outsider who has witnessed the communication among the parties, are the ones that can be drawn just from the represented inputs and outputs alone. To date, all incoercible secure computation protocols withstand coercion of only a fraction of the parties, or else assume that all parties use an execution environment that makes some crucial parts of their local states physically inaccessible even to themselves.

We consider, for the first time, the setting where all parties are coerced, and the coercer expects to see the entire history of the computation. We allow both protocol participants and external attackers to access a common reference string which is generated once and for all by an uncorruptable trusted party. In this setting we construct:

- A general multi-party function evaluation protocol, for any number of parties, that withstands coercion of all parties, as long as all parties use the prescribed faking algorithm'' upon coercion. This holds even if the inputs and outputs represented by coerced parties are globally inconsistent with the evaluated function.

- A general two-party function evaluation protocol that withstands even the %mixed'' case where some of the coerced parties do follow the prescribed faking algorithm. (For instance, these parties might collude with the coercer and disclose their true local states.) This protocol is limited to functions where the input of at least one of the parties is taken from a small (poly-size) domain. It uses fully deniable encryption with public deniability for one of the parties; when instantiated using the fully deniable encryption of Canetti, Park, and Poburinnaya (Crypto'20), it takes 3 rounds of communication.

Both protocols operate in the common reference string model, and use fully bideniable encryption (Canetti Park and Poburinnaya, Crypto'20) and sub-sexponential indistiguishability obfuscation. Finally, we show that protocols with certain communication pattern cannot be incoercible, even in a weaker setting where only some parties are coerced.
###### Liran Katzir, Clara Shikhelman, Eylon Yogev
ePrint Report
We consider interactive proofs for social graphs, where the verifier has only oracle access to the graph and can query for the $i^{th}$ neighbor of a vertex $v$, given $i$ and $v$. In this model, we construct a doubly-efficient public-coin two-message interactive protocol for estimating the size of the graph to within a multiplicative factor $\epsilon>0$. The verifier performs $\tilde{O}(1/\epsilon^2 \cdot \tau_{mix} \cdot \Delta)$ queries to the graph, where $\tau_{mix}$ is the mixing time of the graph and $\Delta$ is the average degree of the graph. The prover runs in quasi-linear time in the number of nodes in the graph.

Furthermore, we develop a framework for computing the quantiles of essentially any (reasonable) function $f$ of vertices/edges of the graph. Using this framework, we can estimate many health measures of social graphs such as the clustering coefficients and the average degree, where the verifier performs only a small number of queries to the graph.

Using the Fiat-Shamir paradigm, we are able to transform the above protocols to a non-interactive argument in the random oracle model. The result is that social media companies (e.g., Facebook, Twitter, etc.) can publish, once and for all, a short proof for the size or health of their social network. This proof can be publicly verified by any single user using a small number of queries to the graph.
In this work, we construct the first symmetric key ciphertext policy attribute based encryption scheme (CP-ABE) for all polynomial sized circuits from the learning with errors (LWE) assumption. In more detail, the ciphertext for a message $m$ is labelled with an access control policy $f$, secret keys are labelled with public attributes $x$ from the domain of $f$ and decryption succeeds to yield the hidden message $m$ if and only if $f(x)=1$. The size of our public and secret key do not depend on the size of the circuits supported by the scheme -- this enables our construction to support circuits of unbounded size (but bounded depth). Our construction is secure against collusions of unbounded size. We note that current best CP-ABE schemes [BSW07,Wat11,LOSTW10,OT10,LW12,RW13,Att14,Wee14,AHY15,CGW15,AC17,KW19] rely on pairings and only support circuits in the class NC1 (albeit in the public key setting).