## IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 19 May 2022

###### CryptoLux Group, University of Luxembourg

Job PostingThe University of Luxembourg invites applications for a Ph.D. position in the general area of symmetric cryptography. The successful candidate will join the CryptoLux group of Prof. Alex Biryukov, which is affiliated to both the Department of Computer Science (DCS) and the Interdisciplinary Center for Security, Reliability and Trust (SnT).

**Research Topics**

- Cryptanalysis and design of cryptographic primitives, lightweight ciphers, hash functions
- Financial cryptography (security of distributed ledgers, smart contracts)
- Privacy-enhancing technologies (Tor-like networks, privacy for cryptocurrencies, blockchains)
- White-box cryptography

**Candidate Profile**

- M.Sc. degree in computer science or applied mathematics with outstanding grades (GPA >= 85%)
- Strong mathematical and/or algorithmic CS background
- Some background in cryptography or information security
- Good programming skills (C/C++, Python, math tools, etc.)
- Fluent written and verbal communication skills in English

The University of Luxembourg offers a Ph.D. study program with an initial contract of 36 months, with a further possible 1-year extension if required. The successful candidate will work in one of the most international universities in the world and will have a chance to participate in a well-known security research center. The position will be available from July 2022.

Applications, written in English, should be sent by email to alex.biryukov@uni.lu. The application material should include a curriculum vitae (with photo, educational background, work experience), a brief research statement and topics of particular interest to the candidate (max. 1 page), a transcript of all modules and results from university-level courses taken (with overall GPAs) and contact information for 2-3 references.

Application deadline: **1 June 2022**. Early submission is encouraged; applications will be processed upon arrival.

**Closing date for applications:**

**Contact:** Prof. Alex Biryukov (email: alex.biryukov@uni.lu)

###### University of Bergen

Job Posting**Closing date for applications:**

**Contact:** Prof. Lilya Budaghyan, Head of the Selmer center at the Department of Informatics (firstname.surname@uib.no).

**More information:** https://www.jobbnorge.no/en/available-jobs/job/226570/phd-research-fellow-in-informatics-cryptology-up-to-3-positions

###### University of Rouen Normandie, France

Job PostingWe offer a 3-year fully funded Ph.D. position starting fall 2022 at University of Rouen Normandie within the LITIS lab (https://www.litislab.fr/en/) with a focus on the design and cryptanalysis of code-based and multivariate cryptographic primitives. The goal is to focus more precisely on algebraic cryptanalysis which consists in building a system of multivariate equations such that the solution set contains (part of) the secret of a cryptographic primitive. Furthermore, the algebraic modeling of several problems, such as the MinRank problem or the Rank Decoding problem, have recently witnessed important progress in their analysis. The Ph.D. candidate will pursue the analysis of various algebraic modeling on code-based or multivariate schemes (e.g. Classic McEliece, GeMSS, Rainbow, DURANDAL, MQDSS, etc).

The candidate is expected to have a strong background in mathematics, computer algebra, in particular in polynomial system solving (e.g. Gröbner basis algorithms), and cryptography. She/he must have a Master degree or equivalent related to these areas.

Funding for attending international conferences, summer schools, and visiting other research centers will also be provided.

To apply, send the following documents to Magali Bardet (magali.bardet@univ-rouen.fr) and Ayoub Otmani (ayoub.otmani@univ-rouen.fr):

- Motivation letter
- CV
- Transcripts of marks
- Up to 3 reference letters

Applications will be considered until the position is filled but a first screening of candidates will take place by May 25, 2022. Interested applicants are therefore encouraged to send their documents before that date.

**Keywords.** Post-quantum cryptography, code-based cryptography, multivariate cryptography, MinRank problem, algebraic cryptanalysis, Gröbner basis.

**Closing date for applications:**

**Contact:**

- Magali Bardet (magali.bardet@univ-rouen.fr)
- Ayoub Otmani (ayoub.otmani@univ-rouen.fr)

**More information:** https://www.litislab.fr/en/

#### 17 May 2022

###### Léonard Lys, Maria Potop-Butucaru

ePrint Report###### Clément Fanjas, Clément Gaine, Driss Aboulkassimi, Simon Pontié, Olivier Potin

ePrint Report###### Lucianna Kiffer, Rajmohan Rajaraman, abhi shelat

ePrint ReportTo establish consistency, the prior analysis of Pass, Seeman and shelat required a careful counting of certain combinatorial events that was difficult to apply to variations of Nakamoto. The work of Garay, Kiayas, and Leonardas provides another method of analyzing the blockchain under both a synchronous and partially synchronous setting.

The contribution of this paper is the development of a simple Markov-chain based method for analyzing consistency properties of blockchain protocols. The method includes a formal way of stating strong concentration bounds as well as easy ways to concretely compute the bounds. We use our new method to answer a number of basic questions about consistency of blockchains:

• Our new analysis provides a tighter guarantee on the consistency property of Nakamoto’s protocol, including for parameter regimes which previous work could not consider; • We analyze a family of delaying attacks and extend them to other protocols; • We analyze how long a participant should wait before considering a high-value transaction “confirmed”; • We analyze the consistency of CliqueChain, a variation of the Chainweb system; • We provide the first rigorous consistency analysis of GHOST under the partially synchronous setting and also analyze a folklore "balancing"-attack.

In each case, we use our framework to experimentally analyze the consensus bounds for various network delay parameters and adversarial computing percentages.

We hope our techniques enable authors of future blockchain proposals to provide a more rigorous analysis of their schemes.

###### Loïc Masure, Olivier Rioul, François-Xavier Standaert

ePrint Report###### Lionel Beltrando, Maria Potop-Butucaru, Jose Alfaro

ePrint Report###### Laltu Sardar, Sushmita Ruj

ePrint ReportWe design a forward private DSE scheme that supports conjunctive keyword search. At the heart of the construction is our proposed data structure called the dynamic interval accumulation tree (DIA tree). It is an accumulator-based authentication tree that efficiently returns both membership and non-membership proofs. Using the DIA tree, we can convert any single keyword forward private DSE scheme to a verifiable forward private DSE scheme that can support conjunctive queries as well. Our proposed scheme has the same storage as the base DSE scheme and low computational overhead on the client-side. We have shown the efficiency of our design by comparing it with existing conjunctive DSE schemes. The comparison also shows that our scheme is suitable for practical use.

###### Sisi Duan, Haibin Zhang

ePrint ReportWe demonstrate the challenges of extending static BFT to dynamic BFT. Then we design and implement Dyno, a highly efficient dynamic BFT protocol under the partial synchrony model. We show that Dyno can seamlessly handle membership changes without incurring performance degradation.

###### Liam Eagen

ePrint Report###### Theo von Arx, Kenneth G. Paterson

ePrint Report###### Maria Ferrara, Antonio Tortora

ePrint Report###### Yupu Hu, Shanshan Zhang, Baocang Wang, Siyue Dong

ePrint ReportIn this paper we only consider the simple case of \((n,t)\) threshold secret sharing. We find following 5 facts about CKO+21 scheme, which are the basic reasons we negate the security proof of CKO+21 scheme. (1) In the expression of share of CKO+21 scheme, some bottom Shamir share is simply included, rather than encapsulated. (2) The leakage of the share is not a random leakage, but rather related to the inquiry of the attacker, that is, a chosen leakage. (3) The permitted leakage length of each share is proportional to the share length. (4) The bottom Shamir scheme has such special feature: when the length of the share $l^{*}$ is kept unchanged, it can make the number of shares $n$, the threshold value $t$, and the difference value $n-t+1$ any large, as long as $t

\setlength{\parindent}{2em}In this paper we point that, CKO+21 scheme didn’t successfully prove its security. As long as the bottom Shamir secret sharing scheme satisfies both “leakage recoverability” and “contaminated leakage irrecoverability”, the security proof of CKO+21 scheme is wrong. It needs to be pointed out that “leakage recoverability” and “contaminated leakage irrecoverability” cannot be naturally negated by “privacy” of Shamir scheme, and up to now there is not a proof that Shamir scheme doesn’t satisfy “leakage recoverability” or “contaminated leakage irrecoverability”.

The detailed contribution of this paper is as follow. CKO+21 scheme designed several leakage models: \(\mathsf{Leak}{\mathsf{B}_0}\),\(\mathsf{Leak}{\mathsf{A}_1}\),\(\mathsf{Leak}{\mathsf{B}_1}\),\(\mathsf{Leak}{\mathsf{A}_2}\),\(\mathsf{Leak}{\mathsf{B}_2}\),$\cdots$,\(\mathsf{Leak}{\mathsf{A}_h}\),\(\mathsf{Leak}{\mathsf{B}_h}\),\(\mathsf{Leak}{\mathsf{C}}\), where \(\mathsf{Leak}{\mathsf{B}_0}\) is the practical leakage model, \(\mathsf{Leak}{\mathsf{C}}\) is a leakage model independent of the secret message. CKO+21 scheme claimed that an attacker cannot distinguish two adjacent leakage models, so the scheme is “leakage resilient”. We point that, if the bottom Shamir scheme satisfies both “leakage recoverability” and “contaminated leakage irrecoverability”, the attacker can distinguish \(\mathsf{Leak}{\mathsf{B}_0}\) and \(\mathsf{Leak}{\mathsf{A}_1}\) with non-negligible probability.

Besides, if the bottom Shamir scheme doesn’t satisfy “leakage recoverability”. Shamir scheme itself has some ability to resist leakage, and the bulky structure of CKO+21 scheme is not necessary.

###### Tomer Ashur, Mohammad Mahzoun, Dilara Toprakhisar

ePrint ReportIn this paper we present Chaghri, an FHE-friendly block cipher enabling efficient transciphering in BGV-like schemes. A complete Chaghri circuit can be implemented using only 16 multiplications, 32 Frobenius automorphisms and 32 rotations, all arranged in a depth-32 circuit. Our HElib implemention achieves a throughput of 0.26 seconds-per-bit which is 65% faster than AES in the same setting.

###### Ryota Hira, Tomoaki Kitahara, Daiki Miyahara, Yuko Hara-Azumi, Yang Li, Kazuo Sakiyama

ePrint Report###### Mark Blunk, Paul Bunn, Samuel Dittmer, Steve Lu, Rafail Ostrovsky

ePrint ReportOur protocol improves on previous work of [FNO22], which gave a $O(n)$ communication and $O(n)$ round complexity protocol, and other ``naive'' approaches, such as the shuffle-sort paradigm, which has $O(n \log n)$ communication and $O(\log n)$ round complexity. It is also more efficient for most practical applications than either a garbled circuit or fully-homomorphic encryption (FHE) approach, which each require $O(n \log n)$ communication or computation and have $O(1)$ round complexity.

There are several applications that stand to benefit from our result, including secure sort (in cases where two or more parties have access to their own list of data, secure sort reduces to secure merge since the parties can first sort their own data locally), which in-turn has implications for more efficient private set intersection (PSI) protocols; as well as secure mutable database storage and search, whereby secure merge can be used to insert new rows into an existing database.

In building our secure merge protocol, we develop several subprotocols that may be of independent interest. For example, we develop a protocol for secure asymmetric merge (where one list is much larger than the other), which matches theoretic lower-bounds for all three metrics (assuming the ratio of list sizes is small enough).

###### Simin Ghesmati, Andreas Kern, Aljosha Judmayer, Nicholas Stifter and

ePrint Report###### Daniel Kales, Greg Zaverucha

ePrint ReportAs a case study we consider efficient constructions of post-quantum signatures, where a signature is a proof of knowledge of a one-way function preimage, and two commonly used one-way functions are defined over small fields (AES and LowMC). We find that carefully applying these lifting strategies gives shorter signatures than the state-of-the-art: our AES-based signatures are 1.3x shorter than Banquet (PKC 2021) and our LowMC-based signatures are almost 2x shorter than the NIST-candidate algorithm Picnic3. We implement our schemes and provide benchmarks. Finally, we also give other optimizations: some generally applicable to this class of proofs, and some specific to the circuits we focused on.

###### Eduardo Soria-Vazquez

ePrint ReportWe achieve our results through a generalization of GKR-style interactive proofs (Goldwasser, Kalai and Rothblum, Journal of the ACM, 2015). When $A$ is a subset of the center of $R$, generalizations of the sum-check protocol and other building blocks are not too problematic. The case when the elements of $A$ only commute with each other, on the other hand, introduces a series of challenges. In order to overcome those, we need to introduce a new definition of polynomial ring over a non-commutative ring, the notion of left (and right) multi-linear extensions, modify the layer consistency equation and adapt the sum-check protocol.

Despite these changes, our results are compatible with recent developments such as linear time provers. Moreover, for certain rings our construction achieves provers that run in sublinear time in the circuit size. We obtain such result both for known cases, such as matrix and polynomial rings, as well as new ones, such as for some rings resulting from Clifford algebras. Besides efficiency improvements in computation and/or round complexity for several instantiations, the core conclusion of our results is that state of the art doubly efficient interactive proofs do not require much algebraic structure. This enables exact rather than approximate computation over infinite rings as well as agile proof systems, where the black-box choice of the underlying ring can be easily switched through the software life cycle.