International Association for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage.

20 September 2021

Ofri Nevo, Ni Trieu, Avishay Yanai
ePrint Report
We address the problem of multiparty private set intersection against a malicious adversary. First, we show that when one can assume no collusion amongst corrupted parties then there exists an extremely efficient protocol given only symmetric-key primitives. Second, we present a protocol secure against an adversary corrupting any strict subset of the parties. Our protocol is based on the recently introduced primitives: oblivious programmable PRF (OPPRF) and oblivious key-value store (OKVS).

Our protocols follow the client-server model where each party is either a client or a server. However, in contrast to previous works where the client has to engage in an expensive interactive cryptographic protocol, our clients need only send a single key to each server and a single message to a pivot party (where message size is in the order of the set size). Our experiments show that the client's load improves by up to $10 \times$ (compared to both semi-honest and malicious settings) and that factor increases with the number of parties.

We implemented our protocol and conducted an extensive experiment over both LAN and WAN and up to 32 parties with up to $2^{20}$ items each. We provide a comparison of the performance of our protocol and the state-of-the-art for both the semi-honest setting (by Chandran et al.) and the malicious setting (by Ben Efraim et al. and Garimella et al.).
Denis Diemert, Kai Gellert, Tibor Jager, Lin Lyu
ePrint Report
The standard security notion for digital signatures is "single-challenge" (SC) EUF-CMA security, where the adversary outputs a single message-signature pair and "wins" if it is a forgery. Auerbach et al. (CRYPTO 2017) introduced memory-tightness of reductions and argued that the right security goal in this setting is actually a stronger "multi-challenge" (MC) definition, where an adversary may output many message-signature pairs and "wins" if at least one is a forgery. Currently, no construction from simple standard assumptions is known to achieve full tightness with respect to time, success probability, and memory simultaneously. Previous works showed that memory-tight signatures cannot be achieved via certain natural classes of reductions (Auerbach et al., CRYPTO 2017; Wang et al., EUROCRYPT 2018). These impossibility results may give the impression that the construction of memory-tight signatures is difficult or even impossible.

We show that this impression is false, by giving the first constructions of signature schemes with full tightness in all dimensions in the MC setting. To circumvent the known impossibility results, we first introduce the notion of canonical reductions in the SC setting. We prove a general theorem establishing that every signature scheme with a canonical reduction is already memory-tightly secure in the MC setting, provided that it is strongly unforgeable, the adversary receives only one signature per message, and assuming the existence of a tightly-secure pseudorandom function. We then achieve memory-tight many-signatures-per-message security in the MC setting by a simple additional generic transformation. This yields the first memory-tightly, strongly EUF-CMA-secure signature schemes in the MC setting. Finally, we show that standard security proofs often already can be viewed as canonical reductions. Concretely, we show this for signatures from lossy identification schemes (Abdalla et al., EUROCRYPT 2012), two variants of RSA Full-Domain Hash (Bellare and Rogaway, EUROCRYPT 1996), and two variants of BLS signatures (Boneh et al., ASIACRYPT 2001).
Julia Hesse, Dennis Hofheinz, Lisa Kohl, Roman Langrehr
ePrint Report
We investigate the quality of security reductions for non-interactive key exchange (NIKE) schemes. Unlike for many other cryptographic building blocks (like public-key encryption, signatures, or zero-knowledge proofs), all known NIKE security reductions to date are non-tight, i.e., lose a factor of at least the number of users in the system. In that sense, NIKE forms a particularly elusive target for tight security reductions.

The main technical obstacle in achieving tightly secure NIKE schemes are adaptive corruptions. Hence, in this work, we explore security notions and schemes that lie between selective security and fully adaptive security. Concretely:

- We exhibit a tradeoff between key size and reduction loss. We show that a tighter reduction can be bought by larger public and secret NIKE keys. Concretely, we present a simple NIKE scheme with a reduction loss of $O(N^2 \log(\nu)/\nu^2)$, and public and secret keys of $O(\nu)$ group elements, where $N$ denotes the overall number of users in the system, and $\nu$ is a freely adjustable scheme parameter.

Our scheme achieves full adaptive security even against multiple "test queries" (i.e., adversarial challenges), but requires keys of size $O(N)$ to achieve (almost) tight security under the matrix Diffie-Hellman assumption. Still, already this simple scheme circumvents existing lower bounds.

- We show that this tradeoff is inherent. We contrast the security of our simple scheme with a lower bound for all NIKE schemes in which shared keys can be expressed as an "inner product in the exponent". This result covers the original Diffie-Hellman NIKE scheme, as well as a large class of its variants, and in particular our simple scheme. Our lower bound gives a tradeoff between the "dimension" of any such scheme (which directly corresponds to key sizes in existing schemes) and the reduction quality. For $\nu = O(N)$, this shows that our simple scheme and reduction are optimal (up to a logarithmic factor).

- We exhibit a tradeoff between security and key size for tight reductions. We show that it is possible to circumvent the inherent tradeoff above by relaxing the desired security notion. Concretely, we consider the natural notion of semi-adaptive security, where the adversary has to commit to a single test query after seeing all public keys. As a feasibility result, we bring forward the first scheme that enjoys compact public keys and tight semi-adaptive security under the conjunction of the matrix Diffie-Hellman and learning with errors assumptions.

We believe that our results shed a new light on the role of adaptivity in NIKE security, and also illustrate the special role of NIKE when it comes to tight security reductions.
Michel Abdalla, Manuel Barbosa, Jonathan Katz, Julian Loss, Jiayu Xu
ePrint Report
The algebraic-group model (AGM), which lies between the generic group model and the standard model of computation, provides a means by which to analyze the security of cryptosystems against so-called algebraic adversaries. We formalize the AGM within the framework of universal composability, providing formal definitions for this setting and proving an appropriate composition theorem. This extends the applicability of the AGM to more-complex protocols, and lays the foundations for analyzing algebraic adversaries in a composable fashion. Our results also clarify the meaning of composing proofs in the AGM with other proofs and they highlight a natural form of independence between idealized groups that seems inherent to the AGM and has not been made formal before; these insights also apply to the composition of game-based proofs in the AGM. We show the utility of our model by proving several important protocols universally composable for algebraic adversaries, specifically: (1) the Chou-Orlandi protocol for oblivious transfer, and (2) the SPAKE2 and CPace protocols for password-based authenticated key exchange.

17 September 2021

Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, UK
Job Posting
Applications are invited for both entry level and senior academic posts to join our community and help us lead and develop our research and teaching in the areas of Hardware and Embedded Systems Security; Applied Cryptography; Security of AI; Network Forensics; or ICS Security within our Centre for Secure Information Technologies (www.csit.qub.ac.uk).

CSIT is an Innovation and Knowledge centre in cyber security funded by EPSRC and Innovate UK since 2009. It is host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE: www.ukrise.org). It is also a partner in the UK Research Institute in Trustworthy Interconnected Cyber Physical Systems (RITICS: ritics.org) and is recognised by NCSC as an Academic Centre of Excellence (ACE) in Cyber Security Research. You will also have opportunities to work with vibrant engineering and commercial teams to translate your research into impact and help you build industry linkages.

We are seeking candidates with research experience (commensurate with career stage) in one or more of the following areas:
(1) Hardware & Embedded Systems Security: hardware cryptographic architectures, physical unclonable functions, side-channel analysis, security of microprocessor architectures, and/or hardware Trojan detection
(2) Applied Cryptography: hardware and software implementation of advanced cryptographic algorithms (e.g., post-quantum, homomorphic encryption), security protocol design, privacy-preserving cryptographic protocol design and implementation
(3) Security of AI: Adversarial learning and/or testing, mitigations against poisoning, evasion, and backdoor attacks.
(4) Network forensics and/or software defined networks: Network intrusion detection, vulnerabilities in SDNFV networks, analytics-based monitoring, and forensics capabilities
(5) Industrial control system security: Resilience in ICS, cyber-physical situation awareness in IT-OT systems, Programmable Logic Controller security

Closing date for applications:

Contact: Professor Máire O'Neill

More information: https://hrwebapp.qub.ac.uk/tlive_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=198185FSGi&WVID=6273090Lgx&LANG=USA

Simula UiB - Bergen, Norway
Job Posting
Simula UiB is currently looking for a new director to lead the company. The recruitment process is being handled by Bønes Virik. For more information and applying, see https://bonesvirik.recman.no/job.php?job_id=229981

Simula UiB AS is a research center with strong professional competence in cryptography and information theory. Through research and education of master’s and PhD candidates in the field, we ensure valuable expertise in technological protection of business and public institutions in Norway. Established in 2016, Simula UiB is owned by Simula Research Laboratory AS and the University of Bergen (UiB). We work closely with other companies in the Simula Group, Universities, and other research centers. We are currently nine permanent employees and 17 PhD fellows and Postdocs. Read more about us at www.simula-uib.com.

Closing date for applications:

Contact: Anne S. Posner, Managing Partner of Bønes Virik
email: anne@bonesvirik.no
phone: +47 90691846

More information: https://bonesvirik.recman.no/job.php?job_id=229981

University of Wollongong, Australia
Job Posting
The School of Computing and Information Technology (SCIT) is looking to recruit two enthusiastic staff members to support teaching and research within SCIT, particularly in the cybersecurity domain, which includes flexible delivery, online degrees and micro-credentials. SCIT aims to maintain its position as a world-class Research School and this position is expected to contribute towards that aim. The candidates are expected to have a significant research profile and metrics, relative to opportunity, such as a high h-index and citation count, and experience in attracting research funding.

Closing date for applications:

Contact: Prof. Willy Susilo

More information: https://uniroles.com.au/display-job/23863/Lecturer,-Cyber-Security.html?searchId=1631859551.4407&page=1

University of Alabama at Birmingham
Job Posting

The Department of Computer Science (CS) at the University of Alabama at Birmingham (UAB) is seeking candidates for a tenured faculty position who will assume the role of the Director of the Center for Cyber Security. Highly qualified candidates at both Associate Professor and Professor rank will be considered.

Further information on the position and how to apply can be found at:
https://uab.peopleadmin.com/postings/9605

Closing date for applications:

Contact: Yuliang Zheng, Professor & Chair (yzheng at uab.edu)

IIT Kanpur, India
Job Posting
Responsibilities include analyzing various crypto algorithms and protocols to detect vulnerabilities. It is preferable to have an undergraduate degree in mathematics/statistics/computer science with a good understanding of cryptography. Salary starting at Rs 12 lakhs pa based on experience.

Closing date for applications:

Contact: Manindra Agrawal

University of South Florida, The Department of Computer Science and Engineering, Tampa, FL, USA.
Job Posting
We have multiple (fully funded) PhD positions in the areas of applied cryptography beginning in Fall 2022 (August 2022) or Spring 2022 (January 2022) at the University of South Florida (USF). USF is a Rank-1 Research University (rank 31 of CS departments at US public universities according to Academic Analytics' Scholarly Research Index) and offers a competitive salary with an excellent working environment, all within close proximity of high-tech industry and the beautiful beaches of sunny Florida. The Tampa/Orlando area is a key part of the Florida High Technology Corridor and harbors major tech and research companies. The qualified candidate will have opportunities for research internships and joint projects with leading industrial companies. Topics include:

Trustworthy Machine Learning (TML)
  • Privacy-Preserving Machine Learning
  • Secure multi-party computation for TML
Trustworthy Blockchains
  • New cryptographic schemes for consensus and distributed transactions in Blockchains
  • Practical quantum-safe cryptographic deployments for Blockchains
Secure Internet of Things and Systems (IoT) and Next Generation Wireless Networks
  • Lightweight cryptography for IoT
  • Efficient cryptography for vehicular and unmanned aerial systems
  • Efficient digital signatures
Privacy-Enhancing Technologies
  • Searchable encryption, Oblivious RAM, and multi-party computation
Requirements:
  • A BS degree in ECE/CS with a high-GPA
  • Very good programming skills (e.g., C, C++), familiarity with Linux
  • MS degree in ECE/CS/Math is a big plus. Publications in security and privacy are highly desirable
Please send (by e-mail) to below contact information:
University of Hamburg, Germany
Job Posting
Research Associate for the project „Laboratory of energy transition in Northern Germany: Resilient operation management and ICT security of decentralised control concepts”
University of Hamburg is a University of Excellence and one of the most research-focused universities in Germany. The research group “Security in Distributed Systems” is working on the intersection of security and privacy research, with a focus on distributed systems, data protection, anonymity, and cryptography.
Your Profile
We are looking for a new member of our team that will be working as a full-time PhD student in research and teaching. Your tasks will include:
  • Development, implementation, analysis, and evaluation of complex and secure IT-systems
  • Academic services in a third-party funded project
  • Working with bleeding-edge technology and research literature from security, cryptography, and privacy
  • Publication of research results in national/international venues
  • Support for teaching
Required Qualifications
Completed MSc degree (or equivalent) in IT-Security, computer science or a strongly related field. You are highly motivated, curious, reliable, and creative. You must be interested in system security, applied cryptography and/or privacy research. You must have experience in security in open and distributed communication systems and fundamental knowledge in cryptography and IT-Security. Experience with machine learning and advanced software engineering skills, especially with a focus on application security and cryptography, are a bonus. Programming skills in higher-level languages like C/C++ and Python are required. Fluent English, spoken and written, and good communication skills are mandatory. Knowledge of German is helpful; we expect non-native German speakers to be willing to learn German.
We offer great and flexible working conditions in a highly motivated team of researchers with many opportunities for collaboration. The university supports its employees with many interesting opportunities for personal development.

Closing date for applications:

Contact: Prof. Hannes Federrath
hannes.federrath@uni-hamburg.de
https://www.inf.uni-hamburg.de/inst/ab/snp/team/federrath.html

Research & Development Group, Horizen Labs; Milano, Italy
Job Posting

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are looking for a cryptographer, or applied cryptographer, to join our growing crypto team based in Milan, Italy. Currently, the team is developing a protocol suite for SNARK-based proof-composition, but its duties reach beyond that, developing privacy-enhancing solutions for our sidechain ecosystem.

Responsibilities
  • Design privacy-enhancing technology built on SNARK-based protocols
  • Perform collaborative research and assist technical colleagues in their development work
  • Participate in standards-setting
Requirements
  • Ph.D. in mathematics, computer science, or cryptography
  • Solid foundations in zero-knowledge and cryptographic protocols
  • Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols or PETs
  • Strong problem-solving skills
  • The ability to work in a team setting as well as autonomously
  • Foundations in blockchain technology and experience in reading Rust are a plus
We offer
  • A competitive salary plus pre-series A stock options
  • Flexible working hours, including the possibility of remote working
  • The opportunity to work with talented minds on challenging topics in this field, including the most recent advancements in zero-knowledge
  • A nice and informal team setting to conduct research and development of high-quality open source solutions

If you are interested in this position, you might want to take a look at our recent publications (IACR eprints 2021/930, 2021/399, 2020/123) and our latest podcast on zeroknowledge.fm (Episode 178). For further questions, please contact the email below.

Closing date for applications:

Contact: recruiting@horizenlabs.io

More information: https://horizenlabs.io/

Mohammed VI Polytechnic University (UM6P), Benguerir, Morocco
Job Posting

Postdoctoral position in Blockchain and IoT Security
The School of Computer Science at Mohammed VI Polytechnic University (UM6P), Benguerir, Morocco is currently looking for motivated and talented Postdoctoral researchers in the area of Blockchain and IoT Security. The successful candidates will primarily be working on the following topics (among others):
  • Blockchain and Cryptocurrencies
  • Applications of Blockchain
  • IoT Security
Key duties: The Postdoctoral researcher will be expected to:
  • Publish in high impact journals in the field.
  • Participate in the supervision of PhD students and research internships.
Criteria of the candidate:
  • Ph.D. in the field of Cryptography, Computer security, or any related field.
  • Strong publication record in high-impact conferences/journals.
  • Very good programming skills (e.g., C, C++), familiarity with Linux
  • Proficiency in English and ability to work in a team
  • Outstanding analytical and problem-solving skills
Employment terms:
The successful candidate will be employed by Mohammed VI Polytechnic University (UM6P) based at Benguerir (50 km north of Marrakech), Morocco. The net salary per month is 2000 USD. The initial appointment as a Postdoctoral researcher will be for one year renewable depending on satisfactory performance.
Applications and selection procedure:
Applications must be sent using a single electronic zipped folder with the mention of the job title in the mail subject. The folder must contain:
  • A 1-page cover letter with main research interests.
  • A detailed CV.
  • A 1-page brief research statement.
  • Contact information of 2 references (Applicants are assumed to have obtained their references’ consent to be contacted for this matter).
The application should be filed online via: https://career2.successfactors.eu/sfcareer/jobreqcareer?jobId=1339&company=ump

Closing date for applications:

Contact: Assoc. Prof. Mustapha Hedabou (mustapha.hedabou@um6p.ma)

More information: https://www.um6p-cs.ma/en/home/

NYU Shanghai, Engineering and Computer Science Faculty, Shanghai, China
Job Posting
NYU Shanghai is currently inviting applications for Tenured or Tenure-Track positions in Computer Science. The search is not restricted to any rank and outstanding candidates at all levels are encouraged to apply. We seek candidates who have completed a Ph.D. in Computer Science, or a closely related discipline. We seek candidates in all sub-fields of Computer Science, with particular interest in Human-Computer Interaction (HCI), Operating and Distributed Systems, Blockchain, Quantum Computing, and Deep Learning. Applicants will submit a cover letter, curriculum vitae, statement of research, and a statement of teaching interests. Additionally, applicants will be prompted to enter the names and email addresses of at least three referees. Each referee will be contacted to upload a reference letter through Interfolio. Review of applications will begin on January 1, 2022 and will continue until the . To apply, please follow this link apply.interfolio.com/93616. If you have any questions, please email the NYU Shanghai NY Office of Faculty Recruitment shanghai.faculty.recruitment@nyu.edu. Terms of employment at NYU Shanghai are comparable to NYU New York and other U.S. institutions with respect to research start-up funds and compensation, and they include housing subsidies and educational subsidies for children. Faculty may in certain cases have the opportunity to spend time at NYU New York and other sites of the NYU Global Network, engaging in both research and teaching. NYU Shanghai is an equal opportunity employer committed to equity, diversity, and social inclusion. We strongly encourage applications from under-represented individuals in the profession, across color, creed, race, ethnic and national origin, physical ability, and gender and sexual identity. NYU Shanghai affirms the value of differing perspectives on the world as we strive to build the strongest possible university with the widest reach.

Closing date for applications:

Contact: NYU Shanghai Office of Faculty Recruitment

More information: https://apply.interfolio.com/93616

Colin O'Flynn
ePrint Report
Electromagnetic Fault Injection (EMFI) is a well known method of introducing faults for security analysis of digital devices. Such faults can be seen as analogous to the faults which are known to naturally occur in digital devices, a known problem with designing safety-critical systems.

Numerous standards have been developed for safety-critical systems, including the development of standards for increasing the rate of naturally occurring faults using particle sources. In this work, we demonstrate that desktop EMFI tooling can be used to accomplish similar testing, but with more control, effectively speeding up the evaluation process. We demonstrate that using EMFI tooling for safety evaluation allows us to recreate a highly publicized safety issue present in an automotive ECU -- one that could not easily be recreated previously with other techniques.
Akira Ito, Rei Ueno, Naofumi Homma
ePrint Report
In this paper, we present solutions to some open problems for constructing efficient deep learning-based side-channel attacks (DL-SCAs) through a theoretical analysis. There are two major open problems in DL-SCAs: (i) the effect of the difference in secret key values used for the profiling and attack phases is unclear, and (ii) the optimality of the negative log-likelihood (NLL) loss function used in the conventional learning method is unknown. These two problems have hindered the accurate performance evaluation and optimization of DL-SCAs. To address problem (i), we clarified the strict conditions under which the use of different correct keys in the profiling and attack phases affects the performance of DL-SCA. For problem (ii), we then analyzed the relationship between the NLL loss and direct performance metrics of DL-SCAs (i.e., success rate (SR) and guessing entropy (GE)) and proved that the minimum NLL loss is sufficient but not necessary to achieve the optimal distinguisher of DL-SCA. This explains why DL-SCA succeeds even when the NLL loss is large and motivated us to design a new loss function. Based on this analysis, we also propose a new loss function called the probability concentration inequality (PCI) loss function. We derive the PCI loss as an upper bound of the GE and a lower bound of the SR using a probability concentration inequality. Minimizing the PCI loss during training can directly optimize the GE and SR of the subsequent attack phase. In this paper, we describe the characteristics of the PCI loss and the NLL loss and introduce a new learning method that takes full advantage of these characteristics. We also analytically investigate the difference between the PCI loss and the ranking loss reported in a previous work for a similar purpose and explain the advantage of the PCI loss over the ranking loss. Finally, we validate the analysis and demonstrate the effectiveness of the proposed DL-SCA using the PCI loss through experimental attacks on public datasets.
Eunsang Lee, Joon-Woo Lee, Young-Sik Kim, Jong-Seon No
ePrint Report
Since the sign function can be used to implement the comparison operation, max function, and rectified linear unit (ReLU) function, several studies have been conducted to efficiently evaluate the sign function in the Cheon-Kim-Kim-Song (CKKS) scheme, one of the most promising fully homomorphic encryption schemes. Recently, Lee et al. (IEEE Trans. Depend. Sec. Comp.) proposed a practically optimal approximation method of sign function on the CKKS scheme using a composition of minimax approximate polynomials. However, homomorphic comparison, max function, and ReLU function algorithms that use this approximation method have not yet been successfully implemented on the residue number system variant CKKS (RNS-CKKS) scheme, and the sets of degrees of the component polynomials used by the algorithms are not optimized for the RNS-CKKS scheme. In this paper, we propose the optimized homomorphic comparison, max function, and ReLU function algorithms on the RNS-CKKS scheme using a composition of minimax approximate polynomials for the first time. We propose a fast algorithm for inverse minimax approximation error, a subroutine required to find the optimal set of degrees of component polynomials. This proposed algorithm makes it possible to find the optimal set of degrees of component polynomials with higher degrees than the previous study. In addition, we propose a method to find the degrees of component polynomials optimized for the RNS-CKKS scheme using the proposed algorithm for inverse minimax approximation error. We successfully implement the homomorphic comparison, max function, and ReLU function algorithms on the RNS-CKKS scheme with a low comparison failure rate ($< 2^{-15}$) and provide the various parameter sets according to the precision parameter $\alpha$. We reduce the depth consumption of the homomorphic comparison, max function, and ReLU function algorithms by one depth for several $\alpha$. 
In addition, the numerical analysis demonstrates that the proposed homomorphic comparison, max function, and ReLU function algorithms reduce running time by 6%, 7%, and 6% on average compared with the previous best-performing algorithms, respectively.
Susumu Kiyoshima
ePrint Report
We study the problem of obtaining 2-round interactive arguments for NP with weak zero-knowledge (weak ZK) [Dwork et al., 2003] or with strong witness indistinguishability (strong WI) [Goldreich, 2001] under polynomially hard falsifiable assumptions. We consider both the delayed-input setting [Jain et al., 2017] and the standard non-delayed-input setting, where in the delayed-input setting, (i) prover privacy is only required to hold against delayed-input verifiers (which learn statements in the last round of the protocol) and (ii) soundness is required to hold even against adaptive provers (which choose statements in the last round of the protocol).

Concretely, we show the following black-box (BB) impossibility results by relying on standard cryptographic primitives.

1. It is impossible to obtain 2-round delayed-input weak ZK arguments under polynomially hard falsifiable assumptions if BB reductions are used to prove soundness. This result holds even when non-black-box techniques are used to prove weak ZK.

2. It is impossible to obtain 2-round non-delayed-input strong WI arguments and 2-round publicly verifiable delayed-input strong WI arguments under polynomially hard falsifiable assumptions if a natural type of BB reductions, called "oblivious" BB reductions, are used to prove strong WI.

3. It is impossible to obtain 2-round delayed-input strong WI arguments under polynomially hard falsifiable assumptions if BB reductions are used to prove both soundness and strong WI (the BB reductions for strong WI are required to be oblivious as above). Compared with the above result, this result no longer requires public verifiability in the delayed-input setting.
Tsz Hon Yuen, Muhammed F. Esgin, Joseph K. Liu, Man Ho Au, Zhimin Ding
ePrint Report
We introduce a novel generic ring signature construction, called DualRing, which can be built from several canonical identification schemes (such as Schnorr identification). DualRing differs from the classical ring signatures by its formation of two rings: a ring of commitments and a ring of challenges. It has a structural difference from the common ring signature approaches based on accumulators or zero-knowledge proofs of the signer index. Comparatively, DualRing has a number of unique advantages.

Considering the DL-based setting by using Schnorr identification scheme, our DualRing structure allows the signature size to be compressed into logarithmic size via an argument of knowledge system such as Bulletproofs. We further improve on the Bulletproofs argument system to eliminate about half of the computation while maintaining the same proof size. We call this Sum Argument and it can be of independent interest. This DL-based construction, named DualRing-EC, using Schnorr identification with Sum Argument has the shortest ring signature size in the literature without using trusted setup.

Considering the lattice-based setting, we instantiate DualRing by a canonical identification based on M-LWE and M-SIS. In practice, we achieve the shortest lattice-based ring signature, named DualRing-LB, when the ring size is between 4 and 2000. DualRing-LB is also 5x faster in signing and verification than the fastest lattice-based scheme by Esgin et al. (CRYPTO'19).
Hyunjun Kim, Kyungbae Jang, Gyeongju Song, Minjoo Sim, Siwoo Eum, Hyunji Kim, Hyeokdong Kwon, Wai-Kong Lee, Hwajeong Seo
ePrint Report
The SPEEDY block cipher suite announced at CHES 2021 shows excellent hardware performance. However, SPEEDY was not designed to be efficient in software implementations; its 6-bit S-box and bit-permutation operations generally do not run efficiently in software. We implemented the SPEEDY block cipher using the bit-slicing implementation technique. With bit slicing, SPEEDY runs very efficiently in software and can be deployed on microcontrollers. By precomputing the round keys, the performance on an ARM Cortex-M3 for SPEEDY-5-192, SPEEDY-6-192, and SPEEDY-7-192 is 65.7, 75.25, and 85.16 clock cycles per byte (cpb), respectively. This is better than the constant-time AES-128 implementation and the constant-time GIFT implementation on the same platform. From this, we conclude that SPEEDY can perform well in embedded environments.