## IACR News

Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 24 October 2021

###### Maikel Kerkhof, Lichao Wu, Guilherme Perin, Stjepan Picek
ePrint Report
The deep learning-based side-channel analysis represents one of the most powerful side-channel attack approaches. Thanks to its capability in dealing with raw features and countermeasures, it becomes the de facto standard evaluation method for the evaluation labs/certification schemes. To reach this performance level, recent works significantly improved the deep learning-based attacks from various perspectives, like hyperparameter tuning, design guidelines, or custom neural network architecture elements. Still, limited attention has been given to the core of the learning process - the loss function.

This paper analyzes the limitations of the existing loss functions and then proposes a novel side-channel analysis-optimized loss function: Focal Loss Ratio (FLR), to cope with the identified drawbacks observed in other loss functions. To validate our design, we 1) conduct a thorough experimental study considering various scenarios (datasets, leakage models, neural network architectures) and 2) compare with other loss functions commonly used in the deep learning-based side-channel analysis (both traditional'' one and those designed for side-channel analysis). Our results show that FLR loss outperforms other loss functions in various conditions while not having computation overheads compared to common loss functions like categorical cross-entropy.
###### Keitaro Hashimoto, Shuichi Katsumata, Eamonn Postlethwaite, Thomas Prest, Bas Westerbaan
ePrint Report
Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs.

We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of $N$ members, a commit message costs $O(N)$ to upload and $O(1)$ to download, for a total bandwidth cost of $O(N)$. In contrast, TreeKEM [19, 24, 76] costs $\Omega(\log N)$ in both directions, for a total cost $\Omega(N\log N)$. Our protocol relies on generic primitives, and is therefore readily post-quantum.

We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as $N = 2^{10}$, commit messages can be computed and processed in less than 100 ms.
###### Veronika Kuchta, Joseph K. Liu
ePrint Report
In this paper, we formally prove the non-slanderability property of the first linkable ring signature paper in ACISP 2004 (in which the notion was called linkable spontaneous anonymous group signature (LSAG)). The rigorous security analysis will give confidence to any future construction of Ring Confidential Transaction (RingCT) protocol for blockchain systems which may use this signature scheme as the basis.
###### Tianyu Zheng, Shang Gao, Bin Xiao, Yubo Song
ePrint Report
In this paper, we propose any-out-of-many proofs, a logarithmic zero-knowledge scheme for proving knowledge of arbitrarily many secrets out of a public list. Unlike existing $k$-out-of-$N$ proofs [S\&P'21, CRYPTO'21], our approach also hides the exact amount of secrets $k$, which can be used to achieve a higher anonymity level. Furthermore, we enhance the efficiency of our scheme through a transformation that can adopt the improved inner product argument in Bulletproofs [S\&P'18], only $2 \cdot \lceil log_2(N) \rceil + 13$ elements need to be sent in a non-interactive proof.

We further use our proof scheme to implement both multiple ring signature schemes and RingCT protocols. For multiple ring signatures, we need to add a boundary constraint for the number $k$ to avoid the proof of an empty secret set. Thus, an improved version called bounded any-out-of-many proof is presented, which preserves all nice features of the original protocol such as high anonymity and logarithmic size. As for the RingCT, both the original and bounded proofs can be used safely. The result of the performance evaluation indicates that our RingCT protocol is more efficient and secure than others. We also believe our techniques are applicable in other privacy-preserving occasions.

#### 23 October 2021

###### Visa Research, Palo Alto, CA
Job Posting
Visa Research is a team of world-class research scientists. Our mission is to conduct applied research on the most challenging problems in the payment industry and provides technical thought leadership for the company’s future. Visa Research engages with internal and external partners to identify and research critical ideas and issues that may have an impact to the payment’s ecosystem.  Our research agenda focuses on three key areas: Artificial Intelligence, Security, and Future of Payments.

The Visa Research Advanced Cryptography team is seeking research interns in areas including Post-Quantum Cryptography, Multi-Party Computation and Zero-Knowledge Proofs. As an integral member of the extended Research team, interns will contact world-class research activities with fellow researchers, and work closely with product and technology teams to ensure the successful creation and application of disruptive and innovative security technologies.

To apply and for further details see https://smrtr.io/6zLhF

Closing date for applications:

Contact: Gaven Watson (gawatson@visa.com)

###### Zoom Video Communications
Job Posting

Zoom Security Engineering is hiring a Cryptography Intern for Summer 2022 to join the End-To-End-Encryption (E2EE) team. Come have a tangible impact on the security of a product used by millions of people, and help us design and deploy new cryptographic features across all of Zoom’s products!

In particular, we are developing and deploying new cryptographic protocols for privacy preserving and auditable data structures (such as transparency trees), e2ee communications and identity assertions.

Candidates should have a love for cryptography and security, an interest in bridging the gap between the academic literature and industry requirements/constraints, and an appreciation for simple and elegant solutions.

Job Responsibilities:

• Survey the academic literature for existing solutions to a problem, recommending the most suitable given Zoom’s constraints
• Develop new solutions to the problems above that are tailored to Zoom’s needs, analyze their security and submit academic papers to crypto/security conferences
• Write architecture and design documents describing the problem, solution and security tradeoffs. These will both be shared internally to guide the implementation, and externally for transparency and community feedback. See https://github.com/zoom/zoom-e2e-whitepaper/ for an example
• Occasionally review implementations for security vulnerabilities and compliance with the specifications above

Job requirements:

• Pursuing a PhD in Computer Science or related field, with a focus on Cryptography
• Experience with threat modelling, formalizing new cryptographic primitives/protocols, and formally proving/analyzing their security
• Ability to clearly and concisely communicate ideas about complex systems, both in written and spoken word
• (Preferred) Some experience writing Go and/or C++, with awareness of secure coding practices
Apply online: https://zoom.wd5.myworkdayjobs.com/en-US/Zoom/job/Remote--NY---New-York-City/XMLNAME-2022-Summer-Cryptography--INTERN-_R6582

Closing date for applications:

Contact: Antonio Marcedone

###### University of St. Gallen, Switzerland
Job Posting
As a research engineer in the Cyber Security chair you will establish and work in a state-of-the-art IoT (Internet of Things) lab with smart devices ranging from Raspberry Pi's, sensors, smart microphones, toy cars, RFID tags, RFID readers, smart phones, biometric sensors and you will work with world-leading researchers to implement, test, and showcase secure and privacy-preserving protocols and algorithms. Many projects are done in collaboration with other academic and industrial partners. More specifically, the job includes:
• Development and implementation of concepts and research results, both individually and in collaboration with researchers and PhD students,
• Run of experiments and simulation of realistic conditions to test the performance of developed algorithms and protocols,
• Development, maintenance and organization of software,
• Support to BSc, MSc and PhD students, postdocs and researchers who use the lab,
• Responsibility for day routines in the lab, for example purchases, installations, bookings, inventory,
• Demonstrations and lab tours for external visitors,
• Producing media content for our group web page and social media platforms.
• The successful applicant is expected to hold or to be about to receive a M.Sc. degree in Computer Science, Electrical Engineering, Applied Mathematics or similar fields, preferably with a focus in Security and Privacy for Computer Science Systems.
• We are looking for a strongly motivated and self-driven person who is able to work and learn new things independently.
• Good command of English is required.
• You should have a good academic track record and well developed analytical and problem solving skills.
• Excellent programming skills and familiarity with cryptographic libraries.
• Previous experience in implementation projects with C++, Matlab/Simulink, Python is desired.
Apply onlinehttps://jobs.unisg.ch/offene-stellen/cryptography-engineer-m-w-d/634aea27-37d2-4f1f-ab25-2d3c0a622fc0

Closing date for applications:

Contact: Katerina Mitrokotsa

###### University of St. Gallen, Switzerland
Job Posting
We are looking for a bright and motivated PhD student to work in the topics of information security and cryptography The student is expected to work on topics that include security and privacy issues for resource-constrained devices (e.g., sensors) that rely on external untrusted servers in order to perform computations. More precisely, the student shall be working on investigating efficient authentication and verifiable delegation of computation mechanisms that provide: i) provable security guarantees, and ii) rigorous privacy guarantees. The overall aim of the PhD position will be to design and evaluate provably secure cryptographic protocols for privacy-preserving authentication and verifiable delegation of computation protocols. The research shall also consider the case where multiple clients outsource jointly computations to untrusted cloud servers. Key Responsibilities: Perform exciting and challenging research in the domain of information security and cryptography. Support and assist in teaching computer security and cryptography courses.

• The PhD student is expected to have a MSc degree or equivalent, and strong background in cryptography, network security and mathematics.
• Experience in one or more domains such as cryptography, design of protocols, secure multi-party computation and differential privacy is beneficial.
Deadline for applications: 30 October 2021
Apply online: https://jobs.unisg.ch/offene-stellen/phd-position-in-applied-cryptography-and-information-security-m-w-d/09f75f22-649c-48a6-9aa4-659bbd686a84

Closing date for applications:

Contact: Katerina Mitrokotsa

###### CryptoLux Group, University of Luxembourg
Job Posting
University of Luxembourg, Computer Science department and Centre for Security, Reliability and Trust (SnT) invite applications from Ph.D. holders in the general area of Applied Cryptography. SnT is carrying out interdisciplinary research in secure, reliable and trustworthy ICT. CryptoLux/SnT team is currently doing research in cryptography, distributed ledgers and privacy.

The successful candidate will join the CryptoLux research team led by Prof. Alex Biryukov. He or she will contribute to a research project on future directions in cryptography and IT security and is expected to perform the following tasks:

• Shaping research directions and producing results in one or more of the following topics:
• Applied Cryptography (symmetric, lightweight, AE, White-box etc.)
• Financial cryptography, cryptocurrencies, blockchain technologies
• Privacy enhancing technologies (Tor, zero-knowledge, eID, etc)
• Disseminating results through scientific publications
• Providing guidance to Ph.D. and M.Sc. students
Requirements
• a Ph.D. degree in Computer Science, Applied Mathematics, Electrical Engineering, or a related field;
• Competitive research record in applied cryptography or information security (at least one paper in top 10 IT security conferences)
• Strong mathematical and algorithmic CS background
• Fluent written and verbal communication skills in English
The University offers a one year employment contract (extendable based on performance). The University offers highly competitive salaries and is an equal opportunity employer. You will work in an exciting international environment together with more than 300 people working on all aspects of cryptography, IT security from very theoretical to very applied ones.

Starting date 1-Feb-2022 or later upon agreement. Early submission is encouraged; applications will be processed upon receipt.

Closing date for applications:

Contact: Prof. Alex Biryukov

###### Indian Institute of Technology Bhilai, Raipur, Chhattisgarh, India
Job Posting
The project involves developing a secure USB dongle and standardization of Elliptic Curve Cryptography for Smart Card Platforms. Further details will be provided during the online interview for shortlisted candidates.

Number of positions: 2

Qualifications: Bachelor’s Degree in Engineering or Technology or MSc in Computer Science or MCA from a recognized university or equivalent

Desired Qualifications:

• Degree in Computer Science with highly coding proficiency
• A good knowledge of Cryptography, Security, Embedded Systems, Programming.
• Preference will be given to candidates having NET/GATE scores and working experience relevant to the project
How to Apply:
Candidates should only apply using the application form given in the link (https://iitbhilai.ac.in/index.php?pid=adv_oct21_3) and send it to deciphered.recruitment@gmail.com.

Last Date of Application: 31st October 2021

Closing date for applications:

Contact:
Dr. Dhiman Saha
Assistant Professor
Department of EECS IIT Bhilai
Research Group: http://de.ci.phe.red/

###### KETS Quantum Security
Job Posting
We’re looking for a Cryptographic subject matter expert to join our newly established Applications team and be responsible for developing algorithms for the development of core crypto primitives. We are looking to develop our expertise in this area and our aspiration is to develop a world-class internal team over the next couple of years so we are interested in applications from people looking for permanent, fixed term and contract positions. Our head office is located in Bristol but we can consider remote working for the right person. We can also sponsor work visas for those who are not currently UK based but are looking to relocate. Reporting to the Chief Applications Officer, the Senior Cryptographic Engineer’s main responsibilities will be: Work with the applications team to design and evaluate modification of existing communications protocols to provide robust security against the threat of quantum computers. Support the team to develop proof of concept implementations that can be evaluated with KETS’ trusted client base. Contribute to the wider cyber security culture within KETS. Design and evaluate modifications to common layer 2/3 communication protocols (e.g. MACsec, MPLS) to incorporate quantum-safe cryptographic primitives. Collaborating with your team to develop prototype implementations of quantum-safe communications protocols. Produce technical design specifications and documentation. Deliver research papers & patents where appropriate. Engage with the wider community (conferences, industry seminars, standards bodies) where appropriate. Supporting the wider team in implementing best practice for secure software development.

Closing date for applications:

Contact: careers@kets-quantum.com

###### IRMAR (Institute of Research in Maths in Rennes - France)
Job Posting
The mathematical department IRMAR, part of Rennes 1 University in the west of France, is advertising a 2-year post-doctoral position in the area of computational number theory and algebraic geometry for code-based or isogeny-based post-quantum cryptography.

Closing date for applications:

Contact: David Lubicz (DGA) or Jade Nardi (IRMAR)

###### Dakshita Khurana
ePrint Report
We introduce non-interactive distributionally indistinguishable arguments (NIDI) to address a significant weakness of NIWI proofs: namely, the lack of meaningful secrecy when proving statements about $\mathsf{NP}$ languages with unique witnesses.

NIDI arguments allow a prover P to send a single message to verifier V, given which V obtains a sample d from a (secret) distribution D, together with a proof of membership of d in an NP language L. The soundness guarantee is that if the sample d obtained by the verifier V is not in L, then V outputs $\bot$. The privacy guarantee is that secrets about the distribution remain hidden: for every pair of distributions $D_0$ and $D_1$ of instance-witness pairs in L such that instances sampled according to $D_0$ or $D_1$ are (sufficiently) hard-to-distinguish, a NIDI that outputs instances according to $D_0$ with proofs of membership in L is indistinguishable from one that outputs instances according to $D_1$ with proofs of membership in L.

- We build NIDI arguments for sufficiently hard-to-distinguish distributions assuming sub-exponential indistinguishability obfuscation and sub-exponential one-way functions.

- We demonstrate preliminary applications of NIDI and of our techniques to obtaining the first (relaxed) non-interactive constructions in the plain model, from well-founded assumptions, of:

1. Commit-and-prove that provably hides the committed message

2. CCA-secure commitments against non-uniform adversaries.

The commit phase of our commitment schemes consists of a single message from the committer to the receiver, followed by a randomized output by the receiver (that need not necessarily be returned to the committer).
###### Amey Bhangale, Chen-Da Liu-Zhang, Julian Loss, Kartik Nayak
ePrint Report
We investigate the communication complexity of Byzantine agreement protocols for long messages against an adaptive adversary. In this setting, prior results either achieved a communication complexity of $O(nl\cdot\poly(\kappa))$ or $O(nl + n^2 \cdot \poly(\kappa))$ for $l$-bit long messages. We improve the state of the art by presenting protocols with communication complexity $O(nl + n \cdot \poly(\kappa))$ in both the synchronous and asynchronous communication models. The synchronous protocol tolerates $t \le (1-\epsilon) \frac{n}{2}$ corruptions and assumes a VRF setup, while the asynchronous protocol tolerates $t \le (1-\epsilon) \frac{n}{3}$ corruptions under further cryptographic assumptions. Our protocols are very simple and combine subcommittee election with the recent approach of Nayak et al. (DISC 20). Surprisingly, the analysis of our protocols is \emph{all but simple} and involves an interesting new application of Mc Diarmid's inequality to obtain {\em optimal} corruption thresholds.
###### Marc Joye
ePrint Report
First posed as a challenge in 1978 by Rivest et al., fully homomorphic encryption—the ability to evaluate any function over encrypted data— was only solved in 2009 in a breakthrough result by Gentry. After a decade of intense research, practical solutions have emerged and are being pushed for standardization.

This guide is intended to practitioners. It explains the inner-workings of TFHE, a torus-based fully homomorphic encryption scheme. More exactly, it describes its implementation on a discretized version of the torus. It also explains in detail the technique of the programmable bootstrapping.
###### Zeta Avarikioti, Krzysztof Pietrzak, Iosif Salem, Stefan Schmid, Samarth Tiwari, Michelle Yeo
ePrint Report
Payment channels effectively move the transaction load off-chain thereby successfully addressing the inherent scalability problem most cryptocurrencies face. A major drawback of payment channels is the need to top up'' funds on-chain when a channel is depleted. Rebalancing was proposed to alleviate this issue, where parties with depleting channels move their funds along a cycle to replenish their channels off-chain. Protocols for rebalancing so far either introduce local solutions or compromise privacy.

In this work, we present an opt-in rebalancing protocol that is both private and globally optimal, meaning our protocol maximizes the total amount of rebalanced funds. We study rebalancing from the framework of linear programming. To obtain full privacy guarantees, we leverage multi-party computation in solving the linear program, which is executed by selected participants to maintain efficiency. Finally, we efficiently decompose the rebalancing solution into incentive-compatible cycles which conserve user balances when executed atomically.
###### Anubhab Baksi, Vishnu Asutosh Dasu, Banashri Karmakar, Anupam Chattopadhyay, Takanori Isobe
ePrint Report
The linear layer, which is basically a binary non-singular matrix, is an integral part of cipher construction in a lot of private key ciphers. As a result, optimising the linear layer for device implementation has been an important research direction for about two decades. The Boyar-Peralta's algorithm (SEA'10) is one such common algorithm, which offers significant improvement compared to the straightforward implementation. This algorithm only returns implementation with XOR2 gates, and is deterministic. Over the last couple of years, some improvements over this algorithm has been proposed, so as to make support for XOR3 gates as well as make it randomised. In this work, we take an already existing improvement (Tan and Peyrin, TCHES'20) that allows randomised execution and extend it to support three input XOR gates. This complements the other work done in this direction (Banik et al., IWSEC'19) that also supports XOR3 gates with randomised execution. Further, noting from another work (Maximov, Eprint'19), we include one additional tie-breaker condition in the original Boyar-Peralta's algorithm. Our work thus collates and extends the state-of-the-art, at the same time offers a simpler interface. We show several results that improve from the lastly best-known results.
###### Jiaxin Guan, Mark Zhandry
ePrint Report
Let $p$ be a polynomial, and let $p^{(i)}(x)$ be the result of iterating the polynomial $i$ times, starting at an input $x$. The case where $p(x)$ is the homogeneous polynomial $x^2$ has been extensively studied in cryptography. Due to its associated group structure, iterating this polynomial gives rise to a number of interesting cryptographic applications such as time-lock puzzles and verifiable delay functions. On the other hand, the associated group structure leads to quantum attacks on the applications.

In this work, we consider whether inhomogeneous polynomials, such as $2x^2+3x+1$, can have useful cryptographic applications. We focus on the case of polynomials mod $2^n$, due to some useful mathematical properties. The natural group structure no longer exists, so the quantum attacks but also applications no longer immediately apply. We nevertheless show classical polynomial-time attacks on analogs of hard problems from the homogeneous setting. We conclude by proposing new computational assumptions relating to these inhomogeneous polynomials, with cryptographic applications.
###### Nishanth Chandran, Pouyan Forghani, Juan Garay, Rafail Ostrovsky, Rutvik Patel, Vassilis Zikas
ePrint Report
Most existing work on secure multi-party computation (MPC) ignores a key idiosyncrasy of modern communication networks, that there are a limited number of communication paths between any two nodes, many of whom might even be corrupted. The work by Garay and Ostrovsky [EUROCRYPT'08] on almost-everywhere MPC (AE-MPC), introduced “best-possible security” properties for MPC over such incomplete networks, where necessarily some of the honest parties may be excluded from the computation—we call such parties “doomed.”

In this work we provide a universally composable definition of almost-everywhere security, which allows us to automatically and accurately capture the guarantees of AE-MPC (as well as AE-communication, the analogous “best-possible security” version of secure communication) in the Universal Composability (UC) framework of Canetti. Our result offers the first simulation-based treatment of this important but under-investigated problem, along with the first simulation-based proof of AE-MPC.
###### Craig Gentry, Shai Halevi, Vadim Lyubashevsky
ePrint Report
Non-interactive publicly verifiable secret sharing (PVSS) schemes allow parties to re-share a secret in a decentralized setting in the presence of malicious parties. A recently proposed application of PVSS schemes is to enable permissionless proof-of-stake blockchains to `keep a secret" via a sequence of committees that share that secret. Such committees can use the secret to produce signatures on the blockchain's behalf, or to disclose hidden data conditioned on consensus that some event has occurred. Such a setting may involve thousands of parties, so the PVSS scheme that it uses must be very efficient, both in computation and communication. Yet, previous PVSS schemes have large proofs and/or require many exponentiations over large groups.

We present a non-interactive PVSS scheme in which the underlying encryption scheme is based on the learning with errors (LWE) problem. While lattice-based encryption schemes are very fast, they have issues with bandwidth (long ciphertexts and public keys). We deal with the bandwidth issue in two ways. First, we adapt the Peikert-Vaikuntanathan-Waters (PVW) encryption scheme to the multi-receiver setting so that the bulk of the parties' keys is a common random string, and so that we get good amortized communication: $\Omega(1)$ plaintext/ciphertext rate (rate $\approx 1/60$ for 100 parties, $\approx 1/8$ for 1000 parties, approaching 1/2 as the number of parties grows). Second, we use bulletproofs over a DL-group of order about 256 bits to get compact proofs of correct encryption of shares. Switching from the lattice setting to the DL setting is relatively painless, as we equate the LWE modulus with the order of the group, and apply dimension reduction to vectors before the switch to minimize the number of exponentiations in the bulletproof. An implementation of our PVSS for 1000 parties showed that it's quite practical, and should remain so with up to a two order of magnitude increase in the group size.