## IACR News


#### 20 November 2021

###### Saba Eskandarian, Dan Boneh
ePrint Report
This paper studies the role of multiparty shuffling protocols in enabling more efficient metadata-hiding communication. We show that the process of shuffling messages can be expedited by having servers collaboratively shuffle and verify secret-shares of messages instead of using a conventional mixnet approach where servers take turns performing independent verifiable shuffles of user messages. We apply this technique to achieve both practical and asymptotic improvements in anonymous broadcast and messaging systems. We first show how to build a three-server anonymous broadcast scheme, secure against one malicious server, that relies only on symmetric cryptography. Next, we adapt our three-server broadcast scheme to a $k$-server scheme secure against $k-1$ malicious servers, at the cost of a more expensive per-shuffle preprocessing phase. Finally, we show how our scheme can be used to significantly improve the performance of the MCMix anonymous messaging system.

We implement our shuffling protocol in a system called Clarion and find that it outperforms a mixnet made up of a sequence of verifiable (single-server) shuffles by $9.2\times$ for broadcasting small messages and outperforms the MCMix conversation protocol by $11.8\times$.

###### Gang Wang, Mark Nixon
ePrint Report
Blockchain as a potentially disruptive technology can advance many different fields, e.g., cryptocurrencies, supply chains, and the industrial Internet of Things. The next-generation blockchain ecosystem is expected to consist of various homogeneous and heterogeneous distributed ledgers. These ledger systems will inevitably require a certain level of proper cooperation among multiple blockchains to enrich advanced functionalities and enhance interoperable capabilities for future applications. The interoperability among blockchains will revolutionize current blockchain design principles, much like the emergence of the Internet. However, the development of cross-blockchain applications involves much complexity regarding the variety of underlying cross-blockchain communication. In that regard, we propose an efficient, interoperable blockchain architecture, InterTrust, to support interoperability and trustworthiness among arbitrary blockchain systems (including homogeneous and heterogeneous blockchains). It consists of an atomic cross-chain communication protocol, which can be considered an agnostic protocol to integrate existing blockchain systems smoothly. InterTrust is powered by two innovative techniques: a threshold signature scheme and trusted hardware. The threshold signature scheme guarantees consistency and verifiability in the target blockchain systems, and the trusted hardware guarantees trusted services among distinct blockchain systems. Combining these two techniques provides an efficient cross-chain communication protocol to facilitate atomic swaps and interoperable operations between different blockchain systems. Our interoperable architecture is robust enough to support arbitrary blockchain systems. We also present a security analysis of the scenarios of integrating our protocol into Byzantine fault tolerance based blockchain systems.

###### Smile Markovski, Vesna Dimitrova, Zlatka Trajcheska, Marija Petkovska, Mile Kostadinoski, Damjan Buhov
ePrint Report
Designing new cryptosystems and their cryptanalysis is the basic cycle of advancement in the field of cryptography. In this paper we introduce a block cipher based on the quasigroup transformations, which are defined by the matrix presentation of the quasigroup operations. This type of quasigroup presentation is suitable for constructing a block cipher since it doesn't require too much memory space to store all the necessary data, so it can be used even for lightweight cryptographic purposes.

For now, we are considering only the quasigroups of order 4. Constructions with quasigroups of higher order and examination of the strengths and weaknesses of this design will be considered in subsequent papers.

###### Mila Anastasova, Mojtaba Bisheh-Niasar, Reza Azarderakhsh, Mehran Mozaffari Kermani
ePrint Report
In 2016, the National Institute of Standards and Technology (NIST) initiated a standardization process among the post-quantum secure algorithms. Forming part of the alternate group of candidates after Round 2 of the process is the Supersingular Isogeny Key Encapsulation (SIKE) mechanism, which is attractive for its smallest key sizes, offering post-quantum security in scenarios of limited bandwidth and memory resources. Even further reduction of the exchanged information is offered by the compression mechanism, proposed by Azarderakhsh et al., which, however, introduces a significant time overhead and increases the memory requirements of the protocol, making it challenging to integrate it into an embedded system. In this paper, we propose the first compressed SIKE implementation for a resource-constrained device, where we targeted the NIST recommended platform STM32F407VG featuring an ARM Cortex-M4 processor. We integrate the isogeny-based implementation strategies described previously in the literature into the compressed version of SIKE. Additionally, we propose a new assembly design for the finite field operations particular to the compressed SIKE, and observe a speedup of up to 16% and up to 25% compared to the last best-reported assembly implementations for p434, p503, and p610.

###### Gideon Samid
ePrint Report
Pattern loaded ciphers are at risk of being compromised by exploiting deeper patterns discovered first by the attacker. This reality offers a built-in advantage to prime cryptanalysis institutions. On the flip side, risk of hidden math and faster computing undermines confidence in the prevailing cipher products. To avoid this risk one would resort to building security on the premise of lavish quantities of randomness. Gilbert S. Vernam did it in 1917. Using modern technology, the same idea of randomness-based security can be implemented without the inconvenience associated with the old Vernam cipher. These are Trans Vernam Ciphers that project security through a pattern-devoid cipher. Having no pattern to lean on, there is no pattern to crack. The attacker faces (i) a properly randomized shared cryptographic key combined with (ii) unilateral randomness, originated ad-hoc by the transmitter without pre-coordination with the recipient. The unlimited unilateral randomness together with the shared key randomness is set to project as much security as desired up to and including Vernam levels. Assorted Trans Vernam ciphers (TVC) are categorized and reviewed, presenting a cogent message in favor of a cryptographic pathway where transmitted secrets are credibly secured against attackers with faster computers and better mathematicians. A vision emerges: a cryptographic level playing field, consistent with the emerging culture of Web 3.0.

#### 18 November 2021

###### Leuven, Belgium, 12 April - 14 April 2022
Event Calendar
Event date: 12 April to 14 April 2022

###### Stevens Institute of Technology, Hoboken, NJ, USA
Job Posting
The Department of Computer Science in the Charles V. Schaefer, Jr. School of Engineering and Science (SES) at Stevens Institute of Technology (Stevens) invites applications for tenure-track and tenured positions in all areas of computer science at the assistant, associate, and full professor ranks. We encourage applicants with expertise in our existing core areas of research including computer vision, cyber security, and AI/ML, in addition to candidates who can expand our research program significantly in HCI and algorithmic bias/fairness. Stevens offers an intellectually vibrant, diverse, highly interdisciplinary, collaborative, innovative, and entrepreneurial community and is a great place to work.

Applicants should have earned a Ph.D. in computer science or a related discipline. Candidates are expected to demonstrate a commitment to teaching and mentorship at both the undergraduate and graduate levels, including working with students from underrepresented groups. Successful candidates will have the potential to develop an externally funded research program, supervise graduate students in research, and contribute to the highly interdisciplinary, collaborative, diverse, innovative, and entrepreneurial culture at Stevens. Candidates applying at the rank of Associate or Full should have a track record of success in scholarship, funded research, teaching, mentoring, and contributing to diversity, equity, and inclusion.

Closing date for applications:

Contact: Search Committee Chairs, Samantha Kleinberg (samantha.kleinberg@stevens.edu) and Yue Ning (yue.ning@stevens.edu)

###### Apple Inc, Santa Clara Valley, California, USA
Job Posting
Passionate about cryptography? Want to work on impactful projects and amazing features?

Apply to join the team!

You can find details about the position and how to apply in the linked page.

Closing date for applications:

Contact: Yannick Sierra

###### University of Houston - Downtown, Houston, Texas
Job Posting
Assistant or Associate Professor in Computer Science (FAC002130)
Department Name: D0019 Computer Sci & Engr Technology
The Department of Computer Science and Engineering Technology at the University of Houston – Downtown (UHD) invites applications for a tenure-track Assistant or Associate Professor position in Computer Science. We are looking for outstanding candidates with expertise in one or more of the following areas: artificial intelligence, machine learning, or cybersecurity. The appointment will start in August 2022.

Closing date for applications:

Contact: -

###### University of Bergen
Job Posting
The postdoc position is for 3 years (with potential possibility for extension for one more year) within a project "Cryptographic Boolean Functions for Threshold Implementations" that aims to study Boolean functions used as building blocks in cryptographic ciphers and their Threshold Implementations in order to find efficient ways of preventing Side Channel Attacks. This position is to start as soon as possible (approx. February-March 2022). We are seeking excellent candidates in cryptography in the direction of Threshold Implementations and Boolean functions. We are particularly interested in applicants who excel both at mathematics and programming.

Closing date for applications:

Contact: Prof. Lilya Budaghyan

###### KU LEUVEN
Job Posting
The Computer Security and Industrial Cryptography (COSIC) research group belongs to the Electrical Engineering Department at the KU Leuven.
Research group COSIC is looking for a PhD position on Secure Localisation Technologies
The goal of this PhD research is twofold.
• First, the PhD candidate will evaluate the security strength of (future) emerging ranging and localisation technologies that are being deployed by industry. Experiments will be carried out to discover new security vulnerabilities and assess their impact.
• Second, the PhD candidate will study and design novel secure ranging and localisation solutions. The focus of this second line of research is particularly on the realisation of secure distance bounding protocols, which are cryptographic primitives used to mitigate a set of ranging attacks.
Candidates must hold a master’s degree in electronics engineering or computer science, have good grades and have a keen interest in cryptography and system security. Prior expertise in physical layer security or radio propagation is a bonus.

Closing date for applications:

Contact: Please check the application procedure at https://www.esat.kuleuven.be/cosic/vacancies/ and send all requested documents to jobs-cosic@esat.kuleuven.be

###### CISPA Helmholtz Center for Information Security
Job Posting
The research group of Karl Wüst (https://karlwuest.github.io) at the CISPA Helmholtz Center for Information Security is looking for talented people with a background in computer science or closely related fields and an interest in information security and applied cryptography to join the group as PhD students. The main research focus of the group is on security and privacy aspects of digital currency and smart contract systems as well as some aspects of trustworthy computing.

The positions are fully funded and located at the CISPA Helmholtz Center for Information Security in Germany, one of the world’s top research institutions in the area of information security. The start dates for the positions are flexible and applications will be considered until the positions are filled.

For additional details and information on how to apply see https://karlwuest.github.io/positions

Closing date for applications:

Contact: Karl Wüst

###### Zama, Paris, France
Job Posting
Job description. We are looking for a researcher in Homomorphic Encryption to start working with us in 2022. The candidate and his/her/their team will be responsible for:
• discovering new cryptographic techniques to compute on encrypted data
• working with the engineering and product teams to implement his/her/their research into our products
• designing robust tests and benchmarks to validate his/her/their research and its implementation
• reviewing the latest published research, and informing the team on potential new applications
• working with the entire team to define the research and product roadmaps
• publishing papers, filing patents and presenting his/her/their work at academic conferences
Experience. He/she/they should:
• have a PhD in cryptography or equivalent
• have deep knowledge of homomorphic encryption
• have (optionally) knowledge of LWE hardness and security
• have (optionally) knowledge of machine learning
• be passionate about privacy and open source software
• have good written and oral communication skills
Full remote is possible, with a willingness to come to Paris quarterly.

Closing date for applications:

Contact: Ilaria Chillotti (ilaria.chillotti(at)zama.ai)

###### Nanyang Technological University, Singapore
Job Posting
The Cryptanalysis Taskforce at Nanyang Technological University in Singapore, led by Prof. Jian Guo, is seeking candidates to fill several post-doctoral research fellow positions on symmetric-key cryptography. Topics include but are not limited to the following sub-areas:
• tool aided cryptanalysis, such as MILP, CP, STP, and SAT
• machine learning aided cryptanalysis and designs
• privacy-preserving friendly symmetric-key designs
• quantum cryptanalysis
• provable security
• cryptanalysis against SHA-2, SHA-3, and AES
• threshold cryptography
Established in 2014, the Cryptanalysis Taskforce is a group dedicated to research in symmetric-key cryptography; it currently comprises 4 (senior) PostDoc Research Fellows, 3 PhD students, and several long-term visitors. Since its establishment, the team has been active in both publications in and services for IACR. It has done considerable cryptanalysis work on various important targets such as SHA-3 and AES, and is expanding its interests to the areas mentioned above, with strong funding support from the university and government agencies in Singapore. We offer a competitive salary package with extremely low tax (around 5%), as well as an excellent environment dedicated to top-venue publication-oriented research in Singapore. The contract will initially be for one year, with the possibility of extension. Candidates are expected to have a proven record of publications in IACR conferences. Interested candidates should send their CV and 2 reference letters to Jian Guo. Review of applicants will start immediately and continue until the positions are filled. More information about the Cryptanalysis Taskforce research group can be found via https://team.crypto.sg

Closing date for applications:

Contact: Asst Prof Jian Guo, guojian@ntu.edu.sg

###### University of Neuchatel, Switzerland
Job Posting

We are offering a fully funded PhD scholarship for a student to join our group on reinforcement learning and decision making under uncertainty more generally, at the University of Neuchatel, Switzerland. We are particularly interested in candidates with a strong mathematical and research interest in the following fields:

1. Theory of differential privacy.
2. Algorithms for differentially private machine learning.
3. Algorithms for fairness in machine learning.
4. Interactions between machine learning and game theory.
5. Inference of human models of fairness or privacy.

Overall, our group works on reinforcement learning, decision making under uncertainty, fairness and differential privacy. The student will also have the opportunity to visit and work with other group members at the University of Oslo, Norway and Chalmers University of Technology, Sweden.

• Starting date 1 February 2022 or soon afterwards.
• Application deadline 30 November 2021.

Closing date for applications:

Contact: Christos Dimitrakakis

#### 17 November 2021

ePrint Report
Authentication constitutes the foundation and backbone of all security properties. It is the procedure in which communicating parties prove their identities to each other, and generally establish and derive secret keys to enforce other services, such as confidentiality, data integrity, non-repudiation, and availability. PUFs (Physical Unclonable Functions) have been the subject of many subsequent publications on lightweight, low-cost, and secure-by-design authentication protocols. This has turned our attention to investigating the most recent PUF-based authentication protocols for IoT. In [1], we reviewed the security of some PUF-based authentication protocols that were proposed between 2016 and October 2020, and drew important security lessons for future authentication protocol designers to consider. In this paper, we extend our previous work by reviewing the security of fifteen PUF-based authentication protocols that were recently published during the past two years (2020 and 2021). We first provide the necessary background on PUFs and how they are used for authentication. Then, we analyze the security of these authentication protocols to identify and report common security issues and design flaws. We draw lessons and recommendations for future authentication protocol designers.

###### Viet Ba Dang, Kamyar Mohajerani, Kris Gaj
ePrint Report
Performance in hardware has typically played a significant role in differentiating among leading candidates in cryptographic standardization efforts. Winners of two past NIST cryptographic contests (Rijndael in the case of AES and Keccak in the case of SHA-3) were ranked consistently among the two fastest candidates when implemented using FPGAs and ASICs. Hardware implementations of cryptographic operations may quite easily outperform software implementations for at least a subset of major performance metrics, such as latency, number of operations per second, power consumption, and energy usage, as well as in terms of security against physical attacks, including side-channel analysis. Using hardware also permits much higher flexibility in trading one subset of these properties for another. This paper presents high-speed hardware architectures for four lattice-based CCA-secure Key Encapsulation Mechanisms (KEMs), representing three NIST PQC finalists: CRYSTALS-Kyber, NTRU (with two distinct variants, NTRU-HPS and NTRU-HRSS), and Saber. We rank these candidates among each other and compare them with all other Round 3 KEMs based on the data from previously reported work.

###### Kyungbae Jang, Gyeongju Song, Hyunjun Kim, Hyeokdong Kwon, Hyunji Kim, Hwajeong Seo
ePrint Report
Adversaries using quantum computers can employ new attacks on cryptography that are not possible with classical computers. Grover's search algorithm, a well-known quantum algorithm, can reduce the search complexity of $O(2^n)$ to $O(\sqrt{2^n})$ for symmetric key cryptography using an $n$-bit key. To apply the Grover search algorithm, the target encryption process must be implemented as a quantum circuit. In this paper, we present optimized quantum circuits for Korean block ciphers based on ARX architectures. We adopt the optimal quantum adder and design in a parallel way with only a few trade-offs between quantum resources. As a result, we provide a performance improvement of 78% in LEA, 85% in HIGHT, and 70% in CHAM in terms of circuit depth, respectively. Finally, we estimate the cost of the Grover key search for Korean block ciphers and evaluate the post-quantum security based on the criteria presented by NIST.

###### Amos Zheng, Marcos A. Simplicio Jr.
ePrint Report
Hash-based signature schemes are a class of post-quantum algorithms usually built upon one-time signature (OTS) solutions via hash-trees. The benefits of such schemes include small key sizes, efficient processing and the fact that they are simple to implement using a regular hash algorithm. In addition, their security properties are quite well understood, since they rely basically on the pre-image or collision resistance of the underlying hash function. Among the existing OTS schemes, W-OTS+ is one of the most popular. One reason for such popularity is that the OTS public key can be recovered from the signature itself, which facilitates the construction of a multi-time signature scheme using Merkle trees. On the other hand, signature generation and verification in W-OTS+ take roughly the same time, which is not ideal for applications where each signature is expected to be verified several times, as in software stores, PKI certificate validation, and secure boot. It is also inconvenient when the devices that verify signatures have lower computational power than the signers. In such scenarios, it is desirable to design signature schemes enabling faster verification, even if such speed-ups come at the expense of a slower signature generation procedure. With this goal in mind, we hereby present and evaluate a novel OTS scheme, called z-OTS. The main interest of z-OTS is that it preserves all benefits of W-OTS+, but provides faster signature verification at the cost of a (not much) slower signature generation procedure. For example, for signature sizes equivalent to W-OTS+ with Winternitz parameter w=4, our simulations show that verification can be 30.3% faster with z-OTS, while key and signature generation become, respectively, 53.7% and 137.5% slower. Larger w leads to even more significant gains in the verification procedure, besides providing lower overheads when generating keys and signatures.

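The two W-OTS+ properties the abstract builds on (the verifier recovers the public key from the signature, and signing and verifying cost about the same) can be seen in a plain Winternitz hash-chain OTS. The block below is an added illustration written for this page, not code from the paper or the z-OTS scheme: it is a simplified Winternitz OTS without the W-OTS+ bitmasks, with w=4 as in the abstract, and with a hash-call counter to compare the cost of the three operations.

```python
"""Simplified Winternitz OTS (constructed illustration, not W-OTS+ or z-OTS).

Each secret-key element starts a hash chain of length W-1.  Signing walks
chain i forward by the i-th base-W digit of the message digest; verifying
walks the rest of the way and recomputes the public key from the endpoints.
"""
import hashlib

W = 4                                  # Winternitz parameter (base-4 digits, 2 bits each)
LOG_W = W.bit_length() - 1             # bits per digit
N = 32                                 # SHA-256 digest length in bytes
L1 = -(-8 * N // LOG_W)                # digits needed for the message digest (128)


def _digits_needed(max_value):
    """Smallest l such that W**l > max_value (size of the checksum in digits)."""
    l = 1
    while W ** l <= max_value:
        l += 1
    return l


L2 = _digits_needed(L1 * (W - 1))      # checksum digits (5 for these parameters)
L = L1 + L2                            # total number of chains (133)


class Counter:
    """Wraps SHA-256 and counts calls so keygen/sign/verify cost can be compared."""
    def __init__(self):
        self.calls = 0

    def h(self, data):
        self.calls += 1
        return hashlib.sha256(data).digest()


def chain(ctr, x, start, steps):
    """Advance x from chain position `start` by `steps` hash applications."""
    for i in range(start, start + steps):
        x = ctr.h(b"chain" + bytes([i]) + x)  # position is mixed in (toy domain separation)
    return x


def to_digits(msg):
    """Base-W digits of SHA-256(msg) followed by the Winternitz checksum digits."""
    digest = hashlib.sha256(msg).digest()
    digits = [(b >> s) & (W - 1) for b in digest for s in range(8 - LOG_W, -1, -LOG_W)]
    digits = digits[:L1]
    checksum = sum(W - 1 - d for d in digits)  # prevents forging by only advancing chains
    cs = []
    for _ in range(L2):
        cs.append(checksum % W)
        checksum //= W
    return digits + cs


def keygen(seed):
    """Return (sk, pk, hash_calls); pk is the hash of all chain endpoints."""
    ctr = Counter()
    sk = [ctr.h(b"sk" + seed + i.to_bytes(2, "big")) for i in range(L)]
    ends = [chain(ctr, s, 0, W - 1) for s in sk]
    return sk, hashlib.sha256(b"".join(ends)).digest(), ctr.calls


def sign(sk, msg):
    """Return (signature, hash_calls): chain i advanced by digit i."""
    ctr = Counter()
    return [chain(ctr, s, d, 0) if False else chain(ctr, s, 0, d)
            for s, d in zip(sk, to_digits(msg))], ctr.calls


def verify(pk, msg, sig):
    """Return (ok, hash_calls): finish every chain and compare the recovered pk."""
    ctr = Counter()
    ends = [chain(ctr, s, d, W - 1 - d) for s, d in zip(sig, to_digits(msg))]
    return hashlib.sha256(b"".join(ends)).digest() == pk, ctr.calls
```

For any message, sign and verify together cost exactly L*(W-1) hash calls, so on average each costs half of that; the verifier never needs pk in advance, only to compare it at the end.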
###### Sangeeta Chowdhary, Wei Dai, Kim Laine, Olli Saarikivi
ePrint Report
Homomorphic encryption (HE), especially the CKKS scheme, can be extremely challenging to use. The EVA language and compiler (Dathathri et al., PLDI 2020) was an attempt at addressing this challenge. EVA allows a developer to express their encrypted computation in a simple form with a Python-integrated language called PyEVA. It then compiles the program into an executable form by inserting operations such as relinearization and rescaling, applying optimizations, and choosing encryption parameters with the objective of minimizing execution time. Compiled programs can be executed with a parallelizing back-end against a library of HE primitives.

Our work improves upon the EVA toolchain in several ways: changes to the Python front-end make writing PyEVA programs more natural, while a rework of EVA's C++ APIs makes writing new passes easier. We also implement two new optimizations, common subexpression elimination and reduction balancing, which we show allow users to write simpler and more modular PyEVA programs.

We argue that the abstraction EVA provides is insufficient to resolve some common usability challenges. For example, managing vectors of arbitrary size is non-trivial. To resolve these problems, we demonstrate how building a library of commonly used data structures and functions is simple in PyEVA. EVA's automation allows writing very concise code, which gets fused and optimized together with the user program. We create the beginnings of an EVA Extension Library (EXL), which provides vector and matrix classes and a collection of common statistical functions, to demonstrate the power of this approach.