## IACR News

Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 22 July 2021

ePrint Report
We introduce SPEEDY, a family of ultra low-latency block ciphers. We mix engineering expertise into each step of the cipher’s design process in order to create a secure encryption primitive with an extremely low latency in CMOS hardware. The centerpiece of our constructions is a high-speed 6-bit substitution box whose coordinate functions are realized as two-level NAND trees. In contrast to other low-latency block ciphers such as PRINCE, PRINCEv2, MANTIS and QARMA, we neither constrain ourselves by demanding decryption at low overhead, nor by requiring a super low area or energy. This freedom together with our gate- and transistor-level considerations allows us to create an ultra low-latency cipher which outperforms all known solutions in single-cycle encryption speed. Our main result, SPEEDY-6-192, is a6-round 192-bit block and 192-bit key cipher which can be executed faster in hardware than any other known encryption primitive (including Gimli in Even-Mansour scheme and the Orthros pseudorandom function) and offers 128-bit security. One round more, i.e., SPEEDY-7-192, provides full 192-bit security. SPEEDY primarily targets hardware security solutions embedded in high-end CPUs, where area and energy restrictions are secondary while high performance is the number one priority.
###### Lichao Wu, Guilherme Perin, Stjepan Picek
ePrint Report
In the last decade, machine learning-based side-channel attacks became a standard option when investigating profiling side-channel attacks. At the same time, the previous state-of-the-art technique, template attack, started losing its importance and was more considered a baseline to compare against. As such, most of the results reported that machine learning (and especially deep learning) could significantly outperform the template attack. This does not mean the template attack does not have certain advantages even when compared to deep learning. The most significant one is that it does not have any hyperparameters to tune, making it easier to use.

We take another look at the template attack, and we devise a feature engineering phase allowing template attacks to compete or even outperform state-of-the-art deep learning-based side-channel attacks. More precisely, we show how a deep learning technique called the triplet model can be used to find highly efficient embeddings of input data, which can then be fed into the template attack resulting in powerful attacks.
###### Jonas Ruchti, Michael Gruber, Michael Pehl
ePrint Report
Physical Unclonable Functions (PUFs) have been increasingly used as an alternative to non-volatile memory for the storage of cryptographic secrets. Research on side channel and fault attacks with the goal of extracting these secrets has begun to gain interest but no fault injection attack targeting the necessary error correction within a PUF device has been shown so far. This work demonstrates one such attack on a hardware fuzzy commitment scheme implementation and thus shows a new potential attack threat existing in current PUF key storage systems. After presenting evidence for the overall viability of the profiled attack by performing it on an FPGA implementation, countermeasures are analysed: we discuss the efficacy of hashing helper data with the PUF-derived key to prevent the attack as well as codeword masking, a countermeasure effective against a side channel attack. The analysis shows the limits of these approaches. In particular, it demonstrates the criticality of timing in codeword masking by confirming the attack's effectiveness on ostensibly protected hardware.
###### Arpita Patra, Akshayaram Srinivasan
ePrint Report
We give constructions of three-round secure multiparty computation (MPC) protocols for general functions that make black-box use of a two-round oblivious transfer. For the case of semi-honest adversaries, we make use of a two-round, semi-honest secure oblivious transfer in the plain model. This resolves the round-complexity of black-box (semi-honest) MPC protocols from minimal assumptions and answers an open question of Applebaum et al. (ITCS 2020). For the case of malicious adversaries, we make use of a two-round maliciously-secure oblivious transfer in the common random/reference string model that satisfies a (mild) variant of adaptive security for the receiver.
###### Mike Hamburg, Julius Hermelink, Robert Primas, Simona Samardjiska, Thomas Schamberger, Silvan Streit, Emanuele Strieder, Christine van Vredendaal
ePrint Report
Single-trace attacks are a considerable threat to implementations of classic public-key schemes, and their implications on newer lattice-based schemes are still not well understood. Two recent works have presented successful single-trace attacks targeting the Number Theoretic Transform (NTT), which is at the heart of many lattice-based schemes. However, these attacks either require a quite powerful side-channel adversary or are restricted to specific scenarios such as the encryption of ephemeral secrets. It is still an open question if such attacks can be performed by simpler adversaries while targeting more common public-key scenarios.

In this paper, we answer this question positively. First, we present a method for crafting ring/module-LWE ciphertexts that result in sparse polynomials at the input of inverse NTT computations, independent of the used private key. We then demonstrate how this sparseness can be incorporated into a side-channel attack, thereby significantly improving noise resistance of the attack compared to previous works. The effectiveness of our attack is shown on the use-case of CCA2 secure Kyber $k$-module-LWE, where $k\in\{2,3,4\}$. Our $k$-trace attack on the long-term secret can handle noise up to a $\sigma \leq 1.2$ in the noisy Hamming weight leakage model, also for masked implementations. A $2k$-trace variant for Kyber1024 even allows noise $\sigma \leq 2.2$ also in the masked case, with more traces allowing us to recover keys up to $\sigma \leq 2.7$. Single-trace attack variants have a noise tolerance depending on the Kyber parameter set, ranging from $\sigma \leq 0.5$ to $\sigma \leq 0.7$. As a comparison, similar previous attacks in the masked setting were only successful with $\sigma \leq 0.5$.
###### Mathilde Chenu, Benjamin Smith
ePrint Report
We investigate the isogeny graphs of supersingular elliptic curves over $\mathbb{F}_{p^2}$ equipped with a $d$-isogeny to their Galois conjugate. These curves are interesting because they are, in a sense, a generalization of curves defined over $\mathbb{F}_p$, and there is an action of the ideal class group of $\mathbb{Q}(\sqrt{-dp})$ on the isogeny graphs. We investigate constructive and destructive aspects of these graphs in isogeny-based cryptography, including generalizations of the CSIDH cryptosystem and the Delfs--Galbraith algorithm.
###### Jose Maria Bermudo Mera, Angshuman Karmakar, Suparna Kundu, Ingrid Verbauwhede
ePrint Report
In this paper, we introduce Scabbard, a suite of post-quantum key-encapsulation mechanisms. Our suite contains three different schemes Florete, Espada, and Sable based on the hardness of module- or ring-learning with rounding problem. In this work, we first show how the latest advancements on lattice-based cryptography can be utilized to create new better schemes and even improve the state-of-the-art on post-quantum cryptography. We put particular focus on designing schemes that can optimally exploit the parallelism offered by certain hardware platforms and are also suitable for resource constrained devices. We show that this can be achieved without compromising the security of the schemes or penalizing their performance on other platforms. To substantiate our claims, we provide optimized implementations of our three new schemes on a wide range of platforms including general-purpose Intel processors using both portable C and vectorized instructions, embedded platforms such as Cortex-M4 microcontrollers, and hardware platforms such as FPGAs. We show that on each platform, our schemes can outperform the state-of-the-art in speed, memory footprint, or area requirements.
###### Keita Emura, Ryoma Ito, Sachiko Kanamori, Ryo Nojima, Yohei Watanabe
ePrint Report
Searchable symmetric encryption (SSE) has attracted significant attention because it can prevent data leakage from external devices, e.g., clouds. SSE appears to be effective to construct such a secure system; however, it is not trivial to construct such a system from SSE in practice because other parts must be designed, e.g., user login management, defining the keyword space, and sharing secret keys among multiples users who usually do not have public key certificates. In this paper, we describe the implementation of two systems from the state-free dynamic SSE (DSSE) (Watanabe et al., ePrint 2021), i.e., a secure storage system (for a single user) and a chat system (for multiple users). In addition to the DSSE protocol, we employ a secure multipath key exchange (SXKEX) protocol (Costea et al., CCS 2018), which is secure against some classes of unsynchronized active attackers. It allows the chat system users without certificates to share a secret key of the DSSE protocol in a secure manner. To realize end-to-end encryption, the shared key must be kept secret; thus, we must consider how to preserve the secret on, for example, a user's local device. However, this requires additional security assumptions, e.g., tamper resistance, and it seems difficult to assume that all users have such devices. Thus, we propose a secure key agreement protocol by combing the SXKEX and login information (password) that does not require an additional tamper-resistant device. Combining the proposed key agreement protocol and the underlying state-free DSSE protocol allow users who know the password to use the systems on multiple devices.
###### Lichao Wu, Guilherme Perin, Stjepan Picek
ePrint Report
Deep learning-based side-channel analysis already became a de-facto standard when investigating the most powerful profiling side-channel analysis. The results from the last few years show that deep learning techniques can efficiently break targets that are even protected with countermeasures. While there are constant improvements in making the deep learning-based attacks more powerful, little is done on evaluating such attacks' performance. Indeed, what is done today is not different from what was done more than a decade ago.

This paper considers how to evaluate deep learning-based side-channel analysis and whether the commonly used techniques give the best results. To that end, we consider different summary statistics and the influence of algorithmic randomness on the stability of profiling models. Our results show that besides commonly used metrics like guessing entropy, one should also show the standard deviation results to assess the attack performance properly. Our results show that using the arithmetic mean for guessing entropy does not yield the best results, and instead, a geometric mean should be used.
###### Melissa Azouaoui, Olivier Bronchain, Vincent Grosso, Kostas Papagiannopoulos, François-Xavier Standaert
ePrint Report
We revisit the popular adage that side-channel countermeasures must be combined to be efficient, and study its application to bitslice masking and shuffling. Our contributions are threefold. First, we improve this combination: by shuffling the shares of a masked implementation rather than its tuples, we can amplify the impact of the shuffling exponentially in the number of shares, while this impact was independent of the masking security order in previous works. Second, we evaluate the masking and shuffling combination's performance vs. security tradeoff under sufficient noise conditions: we show that the best approach is to mask first (i.e., fill the registers with as many shares as possible) and shuffle the independent operations that remain. Third, we discuss the challenges for implementing masking and shuffling under low noise conditions: we recall that such algorithmic countermeasures cannot be implemented securely without a minimum level of physical noise. We conclude that with moderate but sufficient noise, the bitslice masking + shuffling combination is relevant, and its interest increases when randomness is expensive and many independent operations are available for shuffling. When these conditions are not met, masking only is the best option. As a side result, we improve the best known attack against shuffling from Asiacrypt 2012, which we use in our concrete evaluations.
###### Sébastien Duval, Pierrick Méaux, Charles Momin, François-Xavier Standaert
ePrint Report
State-of-the-art re-keying schemes can be viewed as a tradeoff between efficient but heuristic solutions based on binary field multiplications, that are only secure if implemented with a sufficient amount of noise, and formal but more expensive solutions based on weak pseudorandom functions, that remain secure if the adversary accesses their output in full. Recent results on “crypto dark matter” (TCC 2018) suggest that low-complexity pseudorandom functions can be obtained by mixing linear functions over different small moduli. In this paper, we conjecture that by mixing some matrix multiplications in a prime field with a physical mapping similar to the leakage functions exploited in side-channel analysis, we can build efficient re-keying schemes based on “crypto-physical dark matter”, that remain secure against an adversary who can access noise-free measurements. We provide first analyzes of the security and implementation properties that such schemes provide. Precisely, we first show that they are more secure than the initial (heuristic) proposal by Medwed et al. (AFRICACRYPT 2010). For example, they can resist attacks put forward by Belaid et al. (ASIACRYPT 2014), satisfy some relevant cryptographic properties and can be connected to a “Learning with Physical Rounding” problem that shares some similarities with standard learning problems. We next show that they are significantly more efficient than the weak pseudorandom function proposed by Dziembowski et al. (CRYPTO 2016), by exhibiting hardware implementation results.
###### Yifeng Song, Danyang Zhu, Jing Tian, Zhongfeng Wang
ePrint Report
Due to the enormous energy consuming involved in the proof of work (POW) process, the resource-efficient blockchain system is urged to be released. The verifiable delay function (VDF), being slow to compute and easy to verify, is believed to be the kernel function of the next-generation blockchain system. In general, the reduction over a class group, involving many complex operations, such as the large-number division and multiplication operations, takes a large portion in the VDF. In this paper, for the first time, we propose a highspeed architecture for the reduction by incorporating algorithmic transformations and architectural optimizations. Firstly, based on the fastest reduction algorithm, we present a modified version to make it more hardware-friendly by introducing a novel transformation method that can efficiently remove the largenumber divisions. Secondly, highly parallelized and pipelined architectures are devised respectively for the large-number multiplication and addition operations to reduce the latency and the critical path. Thirdly, a compact state machine is developed to enable maximum overlapping in time for computations. The experiment results show that when computing 209715 reduction steps with the input width of 2048 bits, the proposed design only takes 137.652ms running on an Altera Stratix-10 FPGA at 100MHz frequency, while the original algorithm needs 3278ms when operating over an i7-6850K CPU at 3.6GHz frequency. Thus we have obtained a drastic speedup of nearly 24x over an advanced CPU.

#### 19 July 2021

###### Zilliqa Research Pte. Ltd., Remote position
Job Posting
Zilliqa Research Pte. Ltd. is the creator of Zilliqa – a scalable blockchain platform to run distributed applications. The company maintains the platform as well as develops tools and services around it.

The research team at Zilliqa consists of senior researchers and research engineers working on distributed systems, programming languages, system security and formal verification. Since starting in late 2017, the team has produced several scientific and engineering work ranging from distributed systems, e.g., the sharding design for scaling blockchains that is now being adopted by several other platforms; to programming languages, e.g., a new principled smart contract language amenable to formal verification called Scilla among others.

We firmly believe in conducting research with practical significance in the blockchain space and particularly research that can go into production systems like Zilliqa, Ethereum or Bitcoin.

Role Overview: As a blockchain researcher, you will be responsible for conducting impactful research that can improve the state of the art blockchain infrastructures and in particular the Zilliqa blockchain. In this role, you will be working very closely with the research team as well as system engineers. We offer a competitive salary, a creative work environment and an opportunity to push a research contribution into a production system.

Scope of Role: We are looking for a researcher with experience in blockchains, distributed systems and applied cryptography. The role will require the researcher to identify key research problems in the blockchain space and the Zilliqa platform in particular and conduct impactful research.

Experience:
• Research experience either as a PhD or as research assistant.
• Must have published at least 2 papers in top-tier conferences.
• Must have a good engineering background.
• Must have conducted research in distributed systems, applied cryptography, system security, and blockchains in general.

Closing date for applications:

Contact: amrit@zilliqa.com

Job Posting
The Cryptography and Privacy Engineering Group (ENCRYPTO) @CS Department @Technical University of Darmstadt offers a fully funded position as Doctoral Researcher (Research Assistant/PhD Student) in Private Machine Learning for Mobile Applications, ideally starting from Oct 1, 2021 for up to 3 years with the possibility of extension.
Job description: You'll work in the research training group/doctoral college Privacy & Trust for Mobile Users funded by the German Research Foundation (DFG). In our sub-project, we build cryptography-based private machine learning services for mobile applications and investigate their legal applicability (data protection) and economic feasibility in interdisciplinary collaborations. You conduct research, implement prototypes, and publish&present the results at top venues. You'll participate in teaching and supervise thesis students & student assistants.
We offer: We demonstrate that privacy is efficiently protectable in real-world applications via cryptographic protocols. Our open and international working environment facilitates excellent research in a sociable team. TU Darmstadt is a top research university for IT security, cryptography and CS in Europe. Darmstadt is a very international, livable and well-connected city in the Rhine-Main area around Frankfurt. Knowledge of German is beneficial, but not required, and TU Darmstadt offers corresponding support.
• Completed Master's degree (or equivalent) at a top university with excellent grades in IT security, computer science, or a similar area.
• Extensive knowledge in applied cryptography/IT security and very good software development skills. Knowledge in cryptographic protocols (ideally MPC) is a plus.
• Experience with/motivation for working with other disciplines, e.g., law or economics.
• Self-motivated, reliable, creative, can work independently, and want to do excellent research.
• Our working language is English: able to discuss/write/present scientific results in English. German is beneficial but not required.
Application deadline: Aug 21, 2021. Later applications are considered.

Closing date for applications:

###### Brandenburg University of Technology (BTU) Cottbus-Senftenberg
Job Posting
Dear students,
Several PhD positions (TV-L 13, full time) in the area of self-learning. Anomaly detection for critical infrastructure, secure cyber-physical Systems, Artificial Intelligence/Machine Learning for Encrypted Network Traffic Analysis (Traffic Analysis) at the Brandenburg University of Technology (BTU Cottbus) are to be filled as soon as possible.
English-speaking applicants with basic German language skills are also welcome.
Active research in the area of intrusion detection systems (IDS) for critical infrastructures, secure cyber-physical systems, and artificial intelligence / machine learning for traffic analysis.
Implementation and evaluation of new algorithms and methods.
Cooperation and knowledge transfer with industrial partners.
Publication of scientific results.
Assistance with teaching.

The employment takes place with the goal of doctoral graduation (obtaining a PhD degree).

Requirements:
Recognized above-average master's degree in computer science or a related discipline
Very good English skills
Programming skills
Interest in IT security/privacy/networking.

Applications containing the following documents:
A detailed Curriculum Vitae.
Transcript of records from your Master studies.
An electronic version of your Master thesis, if possible should be sent in a single PDF file as soon as possible, but not later than 30.07.2021 at itsec-jobs.informatik@lists.b-tu.de.

Closing date for applications:

Contact: Prof. A. Panchenko

#### 15 July 2021

###### Yokohama, Japan, 7 March - 11 March 2022
PKC
Event date: 7 March to 11 March 2022
###### University of Stuttgart, Institute of Information Security
Job Posting
The Institute of Information Security at University of Stuttgart offers a

fully-funded Postdoc position in formal verification.

The successful candidate is expected to work on tool-supported formal verification of security-critical systems and security protocols.

The position is available immediately with an internationally competitive salary (German public salary scale TV-L E13, or TV-L E14, depending on the candidate's qualification, ranging from about 4.600 Euro to 6.200 Euro monthly gross salary). The appointment period follows the German Wissenschaftszeitvertragsgesetz (WissZeitVg), ranging from one year to up to six years.

The Institute of Information Security offers a creative international environment for top-level international research in Germany's high-tech region.

The successful candidate should have a Ph.D. (or should be very close to completion thereof) in Computer Science, Mathematics, Information Security, or a related field. We value strong analytical skills and

• solid knowledge of logic, proofs and/or formal verification techniques (Theorem Proving, Type Checking, etc.),
• solid programming experience.
Knowledge in security is not required, but a plus. Knowledge of German is not required.

August 1st, 2021.

Late applications will be considered until the position is filled. See the official job announcement for details on how to apply.

https://www.sec.uni-stuttgart.de/institute/job-openings/

Closing date for applications:

Contact: Prof. Ralf Küsters
Institute of Information Security
University of Stuttgart
Germany
ralf.kuesters@sec.uni-stuttgart.de

###### QPQ
Job Posting
Did you recently gain a Master/PhD in the area of Applied Cryptology?

Do you want to design, code and co-invent the next generation of Distributed Systems protocols?

At QPQ, we are building the Internet of Economics, a new approach to a compliant and regulated financial systems infrastructure.

Join a team of mathematicians, computer scientists, engineers and self-taught individuals.

What do we give you?
• A stimulating, Socratic intellectual environment.
• As Socratic implies, we want you to have a voice. We do not recruit brilliant people to put them in boxes, we recruit brilliant people so they can push the horizons even further.
• Hybrid office approach – we have been a distributed workforce from the start. This role is centred around our European axis, so we expect you to live within +/- 2 hours of CET. We get together a complete team every quarter, so you must be willing to travel and embrace being part of a diverse team drawn from many walks of life and cultures.
• Competitive salary, travel expense budget and many future opportunities to participate in the company’s growth.
• The mother of all intellectual challenges!
Responsibilities:
• Perform research and engineering on cryptographic protocols applied in a DeFi context.
• Working with a multi-faceted team of practitioners on a set of blockchain-based privacy protocols interacting in a DeFi environment and providing compliance with financial regulations.
• Focus on modern zero knowledge protocols that guarantee privacy and compliance.
Requirements:
• Master or Ph.D. in cryptography or a closely related field.
• Be able to prototype protocols/schemes/algorithms in at least one relevant programming language.
• General understanding of full-stack system architecture.
• Have a thorough approach and be committed to high quality output.
• Have prior research/code already published in the space.
• A proactive, self-driven approach and problem-solving mindset.
• Closing date for applications:

Contact: Emanuele Ragnoli at opportunities at qpq.io

###### QPQ
Job Posting
Do you have a Master/PhD, research or coding experience in the area of Applied Cryptology?
Do you want to design, code and co-invent the next generation of Distributed Systems protocols?
At QPQ, we are building the Internet of Economics, a new approach to a compliant and regulated financial systems infrastructure. Join a team of mathematicians, computer scientists, engineers and self-taught individuals.

What do we give you?
• A stimulating, Socratic intellectual environment. As Socratic implies, we want you to have a voice. We do not recruit brilliant people to put them in boxes, we recruit brilliant people so they can push the horizons even further.
• Hybrid office approach – we have been a distributed workforce from the start. This role is centred around our European axis, so we expect you to live within +/- 2 hours of CET. We get together a complete team every quarter, so you must be willing to travel and embrace being part of a diverse team drawn from many walks of life and cultures.
• Competitive salary, travel expense budget and many future opportunities to participate in the company’s growth.
• The mother of all intellectual challenges!
Responsibilities:
• Perform research and engineering on cryptographic protocols in a DS context.
• Working with a multi-faceted team of practitioners on a set of DLT-based privacy protocols interacting in a DeFi environment and providing compliance with financial regulations.
• Focus on modern zero knowledge protocols that guarantee privacy and compliance.
Requirements:
• 3+ years of experience in software development.
• Be able to prototype protocols/schemes/algorithms in at least one relevant programming language.
• General understanding of full-stack system architecture.
• Have a thorough approach and be committed to high quality output Have prior research/code already published in the space.
• Excellent communication and collaboration skills.
• A proactive, self-driven approach and problem.
• Closing date for applications:

Contact: Emanuele Ragnoli at opportunities at qpq.io

#### 13 July 2021

###### Yohei Watanabe, Takeshi Nakai, Kazuma Ohara, Takuya Nojima, Yexuan Liu, Mitsugu Iwamoto, Kazuo Ohta
ePrint Report
Searchable symmetric encryption (SSE) enables clients to search encrypted data. Curtmola et al. (ACM CCS 2006) formalized a model and security notions of SSE and proposed two concrete constructions called SSE-1 and SSE-2. After the seminal work by Curtmola et al., SSE becomes an active area of encrypted search.

In this paper, we focus on two unnoticed problems in the seminal paper by Curtmola et al. First, we show that SSE-2 does not appropriately implement Curtmola et al.'s construction idea for dummy addition. We refine SSE-2's (and its variants') dummy-adding procedure to keep the number of dummies sufficiently many but as small as possible. We then show how to extend it to the dynamic setting while keeping the dummy-adding procedure work well and implement our scheme to show its practical efficiency. Second, we point out that the SSE-1 can cause a search error when a searched keyword is not contained in any document file stored at a server and show how to fix it.