International Association for Cryptologic Research

# IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

2 December 2016
ePrint Report Related-Key Impossible-Differential Attack on Reduced-Round SKINNY Ralph Ankele, Subhadeep Banik, Avik Chakraborti, Eik List, Florian Mendel , Siang Meng Sim, Gaoli Wang
At CRYPTO'16, Beierle et al. presented SKINNY, a family of lightweight tweakable block ciphers intended to compete with SIMON. SKINNY can be implemented efficiently in both soft- and hardware, possesses a Substitution-Permutation-Network structure, and supports block sizes of 64 and 128 bits as well as key and tweak sizes of 64, 128, 192, and 256 bits. This paper outlines a related-key impossible-differential attack on 21 and 22 rounds of SKINNY-64/128.
The Learning with Errors (LWE) is one of the most promising primitive for post-quantum cryptography due to its strong security reduction from the worst-case of NP-hard problems and its lightweight operations. The Public Key Encryption (PKE) scheme based on LWE has a simple and fast decryption, but its encryption is rather slow due to large parameter sizes for Leftover Hash Lemma or expensive Gaussian samplings.

In this paper, we propose a novel PKE without relying on either of them. For encryption, we first combine several LWE instances as in the previous LWE-based PKEs. However, the following step to re-randomize this combination before adding a message is different: remove several least significant bits of ciphertexts rather than inserting errors. We prove that our scheme is IND-CPA secure under the hardness of LWE and can be converted into an IND-CCA scheme in the quantum random oracle model.

Our approach accelerates encryption speed to a large extent and also reduces the size of ciphertexts. The proposed scheme is very competitive for all applications requiring both of fast encryption and decryption. In our single-core implementation in Macbook Pro, encryption and decryption of a 128-bit message for quantum 128-bit security take 7 and 6 microseconds that are 3.4 and 4.2 times faster than those of NTRU PKE, respectively. To achieve these results, we further take some advantage of sparse small secrets, under which the security of our scheme is also proved.
ePrint Report Estonian Voting Verication Mechanism Revisited Koksal Mus, Mehmet Sabir Kiraz, Murat Cenk, Isa Sertkaya
After the Estonian Parliamentary Elections held in 2011, an additional veri cation mechanism was integrated into the i-voting system in order to resist corrupted voting devices, including the so called Student's Attack where a student practically showed that the voting system is indeed not veri able by developing several versions of malware capable of blocking or even changing the vote. This mechanism gives voters the opportunity to verify whether the vote they cast is stored in the central system correctly. However, the veri cation phase ends by displaying the cast vote in plain form on the veri cation device. In other words, the device on which the veri cation is done learns the voter's choice. In this work, our aim is to investigate this veri cation phase in detail and to point out that leaking the voter's choice to the veri cation application may harm the voter privacy. Additionally, when applied in a wide range, this would even compromise the fairness and the overall secrecy of the elections. In this respect, we propose an alternative veri cation mechanism for the Estonian i-voting system to overcome this vulnerability. Not only is the proposed mechanism secure and resistant against corrupted veri cation devices, so does it successfully verify whether the vote is correctly stored in the system. We also highlight that our proposed mechanism brings only symmetric encryptions and hash functions on the veri cation device, thereby mitigating these weaknesses in an ecient way with a negligible cost. More concretely, it brings only m additional symmetric key decryptions to the veri cation device, where m denoting the number of candidates. Finally, we prove the security of the proposed veri cation mechanism and compare the cost complexity of the proposed method with that of the current mechanism.
Event date: 2 April 2017
Job Posting Ph.D. student Universitat Pompeu Fabra, Barcelona, Spain
Applications are invited for a PhD position in the field of cryptography at the Department of Information and Communication Technologies at Universitat Pompeu Fabra in Barcelona, Spain, to be co-supervised by Dr. Vanesa Daza and Dr. Carla Ràfols. Research in cryptographic protocols for blockchain technologies, with a special focus on Zero-Knowledge Proofs. The starting date will be around September 2017.

The successful candidate will be funded by the INPhINIT  “la Caixa” Marie Curie PhD Fellowships Programme. Only outstanding candidates which satisfy international mobility criteria will be considered (i.e. the applicant should not have resided or carried out their main

activity in Spain for more than 12 months in the 3 years immediately prior to the recruitment date).

The contract will be for 3 years with a gross salary of €34,800, plus other advantages.

The candidate should hold or be about to receive a master\'s degree by September 2017 in computer science, mathematics or a related area. Specialization in cryptography (demonstrated by a relevant MSc) will be positively evaluated.

Further enquiries about the project and conditions should be sent to cryptophdapplications (at) upf.edu. Applicants are required to fill the application form in the link below.

Closing date for applications: 31 January 2017

Contact: Dr. Vanesa Daza and Dr. Carla Ràfols

Department of Information and Communication Technologies

Pompeu Fabra University

cryptophdapplications (at) upf.edu

1 December 2016
Event Calendar IWSEC 2017: The 12th International Workshop on Security Hiroshima, Japan, 30 August - 1 September 2017
Event date: 30 August to 1 September 2017
30 November 2016
We study the security of authenticated encryption based on a stream cipher and a universal hash function. We consider ChaCha20-Poly1305 and generic constructions proposed by Sarkar, where the generic constructions include 14 AEAD (authenticated encryption with associated data) schemes and 3 DAEAD (deterministic AEAD) schemes. In this paper, we analyze the integrity of these schemes both in the standard INT-CTXT notion and in the RUP (releasing unverified plaintext) setting called INT-RUP notion. We present INT-CTXT attacks against 3 out of the 14 AEAD schemes and 1 out of the 3 DAEAD schemes. We then show INT-RUP attacks against 1 out of the 14 AEAD schemes and the 2 remaining DAEAD schemes. We next show that ChaCha20-Poly1305 is provably secure in the INT-RUP notion. Finally, we show that 4 out of the remaining 10 AEAD schemes are provably secure in the INT-RUP notion.
ePrint Report Dude, is my code constant time? Oscar Reparaz, Josep Balasch, Ingrid Verbauwhede
This paper introduces dudect: a tool to assess whether a piece of code runs in constant time or not on a given platform. We base our approach on leakage detection techniques, resulting in a very compact, easy to use and easy to maintain tool. Our methodology fits in around 300 lines of C and runs on the target platform. The approach is substantially different from previous solutions. Contrary to others, our solution requires no modeling of hardware behavior. Our solution can be used in black-box testing, yet benefits from implementation details if available. We show the effectiveness of our approach by detecting several variable-time cryptographic implementations. We place a prototype implementation of dudect in the public domain.
Perfect encryption of quantum states using the Quantum One-Time Pad (QOTP) requires 2 classical key bits per qubit. Almost-perfect encryption, with information-theoretic security, requires only slightly more than 1. We improve the lower bound: we show that key length $n+2\log\frac1\varepsilon$ suffices to encrypt $n$ qubits in such a way that the cipherstate's $L_1$-distance from uniformity is upperbounded by~$\varepsilon$.

We show how to QOTP-encrypt classical plaintext in a nontrivial way: if a plaintext bit is encoded on the Bloch sphere as $\pm(1,1,1)/\sqrt3$ then applying the Pauli encryption operators results in eight possible cipherstates which are equally spread out on the Bloch sphere. This encoding, especially when combined with the half-keylength option of QOTP, has advantages over 4-state and 6-state encoding in applications such as Quantum Key Recycling and Unclonable Encryption. We propose a key recycling scheme based on the 8-state encoding.

We derive bounds on the distance between pseudorandom-keyed QOTP cipherstates and the fully mixed state. We present numerics up to 9 qubits.
Leakage-resilient cryptography is about security in the presence of leakage from side-channels. In this paper, we present several issues of the RCB block cipher mode. Agrawal et al \cite{AgrawalM2016} proposed recently RCB as a leakage-resilient authenticated encryption (AE) scheme. Our main result is that RCB fails to provide authenticity, even in the absence of leakage.
SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and related-tweake impossible differential characteristics for different versions of SKINNY. We utilize meet-in-the-middle approach to construct 9-round and 10-round zero-correlation linear distinguisher. We also obtain 12-round related-tweakey impossible differential characteristics for both SKINNY-64 and 128 in TK1 model and TK2 model. To the best of our knowledge, the presented zero-correlation characteristics in this paper is the first investigation of the security of SKINNY against this attack.
ePrint Report A Code-Based Group Signature Scheme Quentin Alamélou, Olivier Blazy, Stéphane Cauchie, Philippe Gaborit
This work is the extended version of [1] which proposed the first code-based group sig- nature. The new group signature scheme we present here has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to add new members during the lifetime of the group (dynamic). Plus, it appears that our scheme might be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [2] (KTY model) while handling membership revo- cation. Our security is based on a relaxation of the model of Bellare, Shi and Zhang [3] (BSZ model) verifying the properties of anonymity, traceability and non-frameability. The main idea of our scheme consists in building an offset collision of two syndromes associated to two dif- ferent matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome to which a fixed syndrome is added. These two small weight vectors will constitute the group member’s secret signing key whose knowledge will be proved thanks to a variation of Stern’s authentication protocol. For appli- cations, we consider the case of the code-based CFS signature scheme [4] of Courtois, Finiasz and Sendrier. If one denotes by N the number of group members, CFS leads to signatures and public keys sizes in $N^{1/\sqrt{\log N}}$. Along with this work, we also introduce a new kind of proof of knowledge, Testable weak Zero Knowledge (TwZK), implicitly covered in the short version of this paper [1]. TwZK proofs appear particularly well fitted in the context of group signature schemes: it allows a verifier to test whether a specific witness is used without learning anything more from the proof. Under the Random Oracle Model (ROM), we ensure the security of our scheme by defining the One More Syndrome Decoding problem, a new code-based problem related to the Syndrome Decoding problem [5].
Linear layer is a fundamental primitive for computer science, electronic engineering, and telecommunication. The performance of a linear layer depends on two aspects: diffusion ability and implementation cost, where the latter is usually measured by the number of XORs needed to implement it. For many years, linear layers have been implemented by computing co-ordinates of the output independently. With this method, costs are determined only by the matrices representing linear layers. However, we note that the implementation cost of a given linear layer depends not only on its matrix but also on the ways with which we implement it. So, in this paper, we focus on another implementation method: modifying input vectors to output step by step (MIOSS). This method uses fewer XORs than previous methods do and needs no extra temporary register. Besides, this method makes the implementation cost of a linear layer same as that of its inverse. With the new implementation method, we first clarify the measurement of implementation cost and the optimal implementation procedure of linear layers. Here, optimal'' means using fewest XORs. Then, to find the optimal implementation procedure of a given linear layer, we construct a graph-theoretical model and transfer the problem to the shortest path problem in graph theory. Although there has been several algorithms for the shortest path problem, they do not perform best for the graph that we construct in this paper because of its regularity. Therefore, we adopt a new double-direction'' algorithm that uses less storage and makes the search for a shortest path more efficient in a regular graph. Unfortunately, this algorithm is not practical for large size linear layers because of its high space/time complexity. So, we finally construct another algorithm for finding efficient implementations of linear layers. An important advantage of this last algorithm is its extremely low complexity. We conduct it to the linear layer of AES and get very efficient implementations.
While the smart grid has the potential to have a positive impact on the sustainability and efficiency of the electricity market, it also poses some serious challenges with respect to the privacy of the consumer. One of the traditional use-cases of this privacy sensitive data is the usage for forecast prediction. The well-studied approaches to alleviate the privacy concerns for smart billing do not apply to this more complicated and computationally intensive setting.

In this paper we show how to compute the forecast prediction such that the supplier does not learn any individual consumer usage information. This is achieved by using the Fan-Vercauteren somewhat homomorphic encryption scheme. Typical prediction algorithms are based on artificial neural networks that require the computation of an activation function which is complicated to compute homomorphically. Instead of ignoring this requirement, as was done in previous work, we investigate a different approach and show that Ivakhnenko's group method of data handling is suitable for homomorphic computation.

Our results show this approach is practical: prediction for a small apartment complex of 10 households can be computed homomorphically in less than four seconds using a parallel implementation or in 90 seconds using a sequential implementation. Expressed in terms of the mean average percentage error (MAPE), the prediction accuracy is about 21%.
Estimating entropy of randomness sources is a task of crit- ical importance in the context of true random number generators, as feeding cryptographic applications with insufficient entropy is a serious real-world security risk. The challenge is to maximize accuracy and con- fidence under certain data models and resources constants. In this paper we analyze the performance of a simple collision-counting estimator, under the assumption that source outputs are independent but their distribution can change due to adversarial influences. For n samples and confidence 1 &#8722;  we achieve the following features (a) Efficiency: reads the stream in one-pass and uses constant memory (forward-only mode) (b) Accuracy: estimates the amount of extractable bits with a relative 1 error O(n &#8722; 2 log(1/)), when the source outputs are i.i.d. (c) Robustness: keeps the same error when the source outputs are inde- 1 pendent but the distribution changes up to t = O(n^0.5) times during runtime We demonstrate that the estimator is accurate enough to adjust post- processing components dynamically, estimating entropy on the fly in- stead investigating it off-line. Our work thus continues the line of re- search on “testable random number generators” originated by Bucii and Luzzi at CHES’05.
Event date: 15 January to 17 January 2017
Job Posting Postdoctoral & Faculty Positions in Cybersecurity CISPA-Stanford Center (Saarbruecken, Germany & Stanford, USA)

The CISPA-Stanford Center for Cybersecurity is inviting applications for its

Postdoctoral & Faculty Positions (m/f) in Cybersecurity within a unique Elite Research Career Program.

The CISPA-Stanford Center for Cybersecurity was established as a joint program by CISPA - the Center for IT-Security, Privacy and Accountability at Saarland University - and Stanford University in 2016 and is supported by the German Federal Ministry of Education and Research (BMBF).

The Elite Research Career Program intends to offer the very best postdoctoral cybersecurity researchers a unique career path at two of the leading cybersecurity institutes in the world. The program consists of three consecutive phases:

• a preparatory 1-2-year postdoctoral phase (Phase P) at CISPA, followed by

• a 2-year appointment at Stanford University (Phase I) as a visiting assistant professor, followed by

• a 3-year position at CISPA as a junior research group leader (Phase II).

Applicants to the program must have completed an outstanding PhD and demonstrated their potential to become future leaders in their field of research.

Applicants should submit their CV, copies of their school and university reports, a list of publications highlighting their five most relevant ones, names of 3-5 references, a brief description of their previous research, and a research proposal outlining their research vision. Please send them as a single PDF file to: application (at) cispa-stanford.org.

The CISPA-Stanford Center for Cybersecurity is an equal opportunity employer and women are encouraged to apply. Applications of severely disabled candidates with equivalent qualifications will be given priority. We intend to arrange future rounds of application periodically.

Closing date for applications: 30 January 2017

Contact: Prof. Dr. Michael Backes

Saarland University

Center for IT-Security, Privacy and Accountability

Campus E 9 1, 66123 Saarbrücken, Germany

Email: application (at) cispa-stanford.org

Job Posting Lecturer/Senior Lecturer/Reader/Professor in Secure Information Technologies Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, UK
We seek to recruit candidates for the post of Lecturer, or Senior Lecturer, or Reader, or Professor in Secure Information Technologies to commence 2017. We are seeking candidates that can demonstrate an excellent track record of achievements and significant potential for future academic leadership in any of the following areas: hardware and embedded systems security, post-quantum cryptography, multi-factor authentication technologies, cloud and virtualised datacentre security, software defined network security, IoT security and secure industrial control systems - including SCADA, Smart Grid and automotive systems. Candidates should also demonstrate ability to inspire students and facilitate motivational learning within core undergraduate and specialist postgraduate curricula.

The post holder will be a member of the Centre for Secure Information Technologies (CSIT). CSIT is a UK Innovation and Knowledge Centre (IKC) established in 2009 with initial 5 year funding of £30M from EPSRC/Innovate UK, industry, Invest NI and QUB. CSIT has a proven track record of success and in 2015 was awarded a further 5 years of funding from EPSRC/InnovateUK and £9M from Queen’s to build on its achievements to date as part of a package potentially worth over £38M. CSIT focuses on the electronic security of Smart Cities and the Internet of Things. In 2012 it was recognised by GCHQ and EPSRC as an Academic Centre of Excellence in Cyber Security Research and in 2015 CSIT was awarded a Queen’s Anniversary Prize for Higher and Further Education. This is a biennial award scheme within the UK’s national honours system and is UK’s most prestigious form of national recognition open to a UK academic or vocational institution. Over 20 industrial partners, large global companies as well as SMEs, have committed to supporting the centre through the provision of funding and market intelligence. CSIT has also established strong relationships with similar international centres in cyber security.

Closing date for applications: 12 December 2016

Contact: Professor Dimitrios Nikolopoulos, Head of School, email: eeecs-hos (at) qub.ac.uk

29 November 2016
Event Calendar TA'17: Targeted Attacks 2017 Sliema, Malta, 7 April 2017
Event date: 7 April 2017
Event date: 10 April to 27 October 2017
28 November 2016
Job Posting Researcher Temasek Laboratories, NTU, Singapore
The Physical Analysis and Cryptographic Engineering (PACE), Temasek Laboratories (TL) @ Nanyang Technological University, Singapore is seeking one motivated researcher, in the area of hardware security.

Candidates should ideally have already completed, or be close to completing a PhD degree in mathematics, computer science, electrical engineering, or related disciplines, with strong track record in R&D (publications in international journals and conferences). Master degree with relevant research experience can be considered.

You will be joining a dynamic group performing research on embedded security, specific to physical attacks. This position is available from February 2017. The initial contract will be one year. There are strong possibilities for extensions upon successful performance. TL offers competitive salary package plus other benefits.

Review of applications will start immediately until position is filled.

Interested candidates should send their detailed CVs, cover letter and references

Closing date for applications: 30 April 2017

Contact: Shivam Bhasin, Co-Principle Investigator: sbhasin (at) ntu.edu.sg

Job Posting Post-Doc University of Warsaw
We are offering two postdoc positions in the area of cryptography in the Cryptography and Data Security Group at the Department of Mathematics, Informatics and Mechanics at University of Warsaw. The position is supported by a grant \"Cryptographic Defence Against Malicious Hardware Manufacturers\".

The goal of this project is to design methods for preventing attacks by malicious hardware manufacturers. Such attacks are possible because manufacturing of integrated circuits is frequently outsourced to external companies. Due to the complexity of these devices it is practically impossible to inspect them in order to check that they were manufactured correctly. Hence, a malicious manufacturer can alter the device\'s design, by introducing the so-called \"hardware Trojan horses\". Such devices can later cause significant damage to their users by malfunctioning, or leaking users\' secrets to the adversary. This is very worrying, especially given a tremendous dependence of modern society on the electronic devices. Another threat associated with the third-party manufacturing is the intellectual property theft and piracy, as the manufacturer gets full access to the device\'s specification. In this project we address these problems by applying state-of-the-art cryptographic techniques.

Profile:

All candidates with a PhD degree and a publication record in cryptography or data security are encouraged to apply and will be carefully considered.

We offer excellent networking and training opportunities, including participation in international workshops and conferences.

The salary will depend on qualifications and will be in the range of approximately PLN 7000 - 8,500 (net/month).

Successful candidates can start from January 2017. Funding is available for 3 years.

There is no official deadline for this call. We will start looking at the applications from Dec 15, 2016.

Closing date for applications: 15 December 2016

Contact: Stefan Dziembowski

stefan.dziembowski (at) crypto.edu.pl

Job Posting Four tenure-track positions at the rank of Assistant Professor Computer Science, Stevens Institute of Technology
The Department of Computer Science at Stevens Institute of Technology invites applications for four tenure-track positions at the rank of Assistant Professor to begin in Fall 2017.

We are particularly interested in applicants whose research focuses on system aspects in areas of Computer Science that include but are not limited to:

Machine learning and AI,

Formal software verification,

Security for systems including operating systems, networking and data management,

Pervasive computing and HCI.

We are also interested in applicants whose research complements existing strengths in the department, to support collaborative research efforts in topics such as data science, mobile health, computer vision, programming languages and cybersecurity. However, exceptional candidates and in all areas of Computer Science will be considered.

Closing date for applications: 31 March 2017

26 November 2016
ePrint Report Impossible Differential Cryptanalysis of SKINNY Mohamed Tolba, Ahmed Abdelkhalek, Amr M. Youssef
SKINNY is a new lightweight tweakable block cipher family proposed by Beierle $et$ $al$. in CRYPTO 2016. SKINNY-$n$-$t$ is a block cipher with $n$-bit state and $t$-bit tweakey (key and tweak). It is designed to compete with the recent NSA SIMON block cipher. In this paper, we present impossible differential attacks against all the 6 variants of SKINNY, namely, SKINNY-$n$-$n$, SKINNY-$n$-2$n$ and SKINNY-$n$-3$n$ ($n=64$ or $n=128$) in the single-tweakey model. More precisely, we present impossible differential attacks against 18, 20 and 22 rounds of SKINNY-$n$-$n$, SKINNY-$n$-2$n$ and SKINNY-$n$-3$n$ ($n=64$ or $n=128$), respectively. These attacks are based on the same 11-round impossible differential distinguisher. To the best of our knowledge, these are the best attacks against these 6 variants of the cipher in the single-tweakey model.
25 November 2016
ePrint Report Full Disk Encryption: Bridging Theory and Practice Louiza Khati, Nicky Mouha, Damien Vergnaud
We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.
In this paper, we consider a special type of secret sharing scheme known as Visual Cryptographic Scheme (VCS) in which the secret reconstruction is done visually without any mathematical computation unlike other secret sharing schemes. We put forward an efficient direct construction of a visual cryptographic scheme for compartmented access structure which generalizes the access structure for threshold as well as for threshold with certain essential participants. Up to the best of our knowledge, the scheme is the first proposed scheme for compartmented access structure in the literature of visual cryptography. Finding the closed form of relative contrast of a scheme is, in general, a combinatorially hard problem. We come up with a closed form of both pixel expansion as well as relative contrast. Numerical evidence shows that our scheme performs better in terms of both relative contrast as well as pixel expansion than the cumulative array based construction obtained as a particular case of general access structure.
A good linear diffusion layer is a prerequisite in the design of block ciphers. Usually it is obtained by combining matrices with optimal diffusion property over the Sbox alphabet. These matrices are constructed either directly using some algebraic properties or by enumerating a search space, testing the optimal diffusion property for every element. For implementation purposes, two types of structures are considered: Structures where all the rows derive from the first row and recursive structures built from powers of companion matrices. In this paper, we propose a direct construction for new recursive-like MDS matrices. We show they are quasi-involutory in the sense that the matrix-vector product with the matrix or with its inverse can be implemented by clocking a same LFSR-like architecture.
First-order secure Threshold Implementations (TI) of symmetric cryptosystems provide provable security at a moderate overhead; yet attacks using higher-order statistical moments are still feasible. Cryptographic instances compliant to Higher-Order Threshold Implementation (HO-TI) can prevent such attacks, however, usually at unacceptable implementation costs. As an alternative concept we investigate in this work the idea of dynamic hardware modification, i.e., random changes and transformations of cryptographic implementations in order to render higher-order attacks on first-order TI impractical. In a first step, we present a generic methodology which can be applied to (almost) every cryptographic implementation. In order to investigate the effectiveness of our proposed strategy, we use an instantiation of our methodology that adapts ideas from White-Box Cryptography and applies this construction to a first-order secure TI. Further, we show that dynamically updating cryptographic implementations during operation provides the ability to avoid higher-order leakages to be practically exploitable.
ePrint Report Efficient Post-Quantum Zero-Knowledge and Signatures Steven Goldfeder, Melissa Chase, Greg Zaverucha
In this paper, we present a new post-quantum digital signature algorithm that derives its security entirely from assumptions about symmetric-key primitives, which are very well studied and believed to be quantum-secure (with increased parameter sizes). We present our new scheme with a complete post-quantum security analysis, and benchmark results from a prototype implementation.

Our construction is an efficient instantiation of the following design: the public key is $y=f(x)$ for preimage-resistant function $f$, and $x$ is the private key. A signature is a non-interactive zero-knowledge proof of $x$, that incorporates a message to be signed. Our security analysis uses recent results of Unruh (EUROCRYPT'12,'15,'16) that show how to securely convert an interactive sigma protocol to a non-interactive one in the quantum random oracle model (QROM). The Unruh construction is generic, and does not immediately yield compact proofs. However, when we specialize the construction to our application, we can reduce the size overhead of the QROM-secure construction to 1.6x, when compared to the Fiat-Shamir transform, which does not have a rigorous post-quantum security analysis. Our implementation results compare both instantiations, with multiple choices of $f$ for comparison. Our signature scheme proposal uses the block cipher LowMC for $f$, as it gives the shortest signatures. In addition to reducing the size of signatures with Unruh's construction, we also improve the size of proofs in the underlying sigma protocol (of Giacomelli et al., USENIX'16) by a factor of two. This is of independent interest as it yields more compact proofs for arbitrary choices of $f$ in the classical case as well. Further, this reduction in size comes at no additional computational cost.
ePrint Report Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder, Tobias Schneider, Thomas Pöppelmann, Tim Güneysu
In this work we provide the first practical instantiation of ring-LWE-based public-key encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) and equipped with countermeasures against side-channel attacks (masking and hiding). We propose a novel provably first-order secure masking scheme that outperforms previous work and we combine this masking approach with blinding and shuffing techniques to further thwart higher-order attacks. Our work shows that extremely fast and secured implementations of postquantum public-key encryption are possible on constrained devices and we give evidence that ring-LWE-based schemes are highly suitable for implementations on smart cards due to the large amount of linear operations. Even with conservative parameter choices (n = 1024; q = 12289) for ring-LWE encryption we obtain 243 bits of quantum security based on a recently established model. Our implementation requires 1,222,054 cycles for encryption and 2,372,242 cycles for decryption with masking and hiding countermeasures on a Cortex-M4F. Furthermore, the first-order security of our masked implementation is practically verified using the non-specific t-test evaluation methodology.