## IACR News

Here you can see all recent updates to the IACR webpage.

#### 01 February 2023

###### Aarhus, Denmark, 9 June 2023
Event Calendar
Event date: 9 June 2023
###### Virtual event, Anywhere on Earth, 28 February - 2 March 2023
Event Calendar
Event date: 28 February to 2 March 2023
###### KASTEL — Institute of Information Security and Dependability, KIT, Karlsruhe, Germany
Job Posting
We are looking for multiple PhD students and PostDocs working on cryptographic primitives and protocols enabling privacy, accountability, and transparency in real-world application scenarios.

A solid background in provable security is required (for PhD students: successfully attended courses or a master’s thesis on the subject). Experiences with secure multi-party computation or UC-based security are a plus. For PostDocs, a track record in research on privacy-preserving protocols is expected, including publications at reputable conferences such as Crypto, Eurocrypt, ACM CCS, PETS, etc.

You will be a member of the KASTEL Security Research Labs (https://zentrum.kastel.kit.edu). Your research will be dealing with privacy-preserving cryptographic building blocks and protocols for important application scenarios and result in both theoretical security concepts (protocol designs, security models and proofs, etc.) and their efficient implementation. You will have the opportunity to regularly visit other reputable research institutions for IT security and cryptography such as the University of Luxembourg.

As the positions should be filled as soon as possible, your application will be evaluated promptly. If you are interested, please send an email including your CV and a list of publications (for PostDocs) to andy.rupp@partner.kit.edu.

Closing date for applications:

Contact: Andy Rupp (andy.rupp@partner.kit.edu, PI at KASTEL)

###### University of Bergen, Department of Informatics
Job Posting

There is a vacancy for up to 2 positions as PhD Research Fellow in Informatics – Cryptology at the Department of Informatics, University of Bergen, Norway. Both positions are funded by the university and are for a fixed-term period of 4 years.

The positions are in one of the following research topics:
• Statistical and algebraic cryptanalysis of modern block and stream ciphers
• Cryptanalysis of lattice-based post-quantum cryptography protocols
• Construction of cryptographically optimal functions and related objects
Other closely related topics may be considered.

The working environment for these positions will be the Selmer Center in Secure Communication. The Selmer Center is one of the top ICT research groups, with main research areas in sequence design, coding theory, cryptology, Boolean functions, information security, and quantum information theory.

The candidate should have the following qualifications:

• A master's degree or equivalent education in mathematics, computer science, or a related area
• Experience with general-purpose programming languages
• Knowledge of discrete mathematics, linear algebra and probability theory
• Knowledge of cryptographic schemes and protocols
• Proficiency in both written and oral English

We can offer:

• a good and professionally stimulating working environment
• salary as PhD research fellow (code 1017) in the state salary scale
• enrolment in the Norwegian Public Service Pension Fund
• good welfare benefits

Closing date for applications:

Contact: Nikolay Kaleyski, Department of Informatics, University of Bergen, Norway (firstname.surname@uib.no)

###### Manjeet Kaur, Tarun Yadav, Manoj Kumar, Dhananjoy Dey
ePrint Report
The lightweight block ciphers ULC and LICID were introduced by Sliman et al. (2021) and Omrani et al. (2019), respectively. Both ciphers are based on the substitution permutation network structure. ULC is designed using the ULM method to increase efficiency, memory usage, and security. On the other hand, LICID is specifically designed for image data. In the ULC paper, the authors have given a full-round differential characteristic with a probability of $2^{-80}$. In the LICID paper, the authors have presented an 8-round differential characteristic with a probability of $2^{-112.66}$. In this paper, we present differential characteristics for 15-round ULC and 14-round LICID with probabilities $2^{-45}$ and $2^{-40}$, respectively, found using the MILP model.
###### Diego Castejon-Molina, Dimitrios Vasilopoulos, Pedro Moreno-Sanchez
ePrint Report
The interest shown by central banks in deploying Central Bank Digital Currency (CBDC) has spurred a blooming number of conceptually different proposals from central banks and academia. Yet, they share the common, transversal goal of providing citizens with an additional digital monetary instrument. Citizens, equipped with CBDC wallets, should have access to CBDC fund and defund operations that allow the distribution of CBDC from the central bank to citizens with the intermediation of commercial banks. Despite their key role in CBDC deployment, acknowledged e.g. by the European Central Bank, the fund and defund operations have not been formally studied yet. In this state of affairs, this work strives to cryptographically define the problem of fund and defund of CBDC wallets as well as the security and privacy notions of interest. We consider a setting with three parties (citizen, commercial bank and central bank) and three ledgers: the CBDC ledger, the retail ledger (where citizens have their accounts with their commercial banks) and the wholesale ledger (where commercial banks have their accounts with the central bank). We follow a modular approach, initially defining the functionality of two types of ledgers: Basic Ledger (BL), which supports basic transactions, and Conditional Payment Ledger (CP), which additionally supports conditional transactions. We then use BL and CP to define the CBDC-Cash Environment (CCE) primitive, which captures the core functionality of the fund and defund operations. We require that CCE satisfies balance security: either the fund/defund operation is successful, or no honest party loses their funds. CCE also satisfies that fund/defund cannot be used to breach the privacy of the CBDC ledger. Finally, we provide two efficient and secure constructions for CCE to cover both CP and BL types of CBDC ledger. Our performance evaluation shows that our constructions impose small computation and communication overhead on the underlying ledgers.

The modular design of CCE allows for the incorporation in our CCE constructions of any CBDC ledger proposal that can be proven a secure instance of CP or BL, enabling thereby a seamless method to provide CBDC fund and defund operations.
###### Eike Kiltz, Jiaxin Pan, Doreen Riepel, Magnus Ringerud
ePrint Report
We introduce CorrGapCDH, the Gap Computational Diffie-Hellman problem in the multi-user setting with Corruptions. In the random oracle model, our assumption tightly implies the security of the authenticated key exchange protocols NAXOS in the eCK model and (a simplified version of) X3DH without ephemeral key reveal. We prove hardness of CorrGapCDH in the generic group model, with optimal bounds matching the one of the discrete logarithm problem.

We also introduce CorrCRGapCDH, a stronger Challenge-Response variant of our assumption. Unlike standard GapCDH, CorrCRGapCDH implies the security of the popular AKE protocol HMQV in the eCK model, tightly and without rewinding. Again, we prove hardness of CorrCRGapCDH in the generic group model, with (almost) optimal bounds.

Our new results allow implementations of NAXOS, X3DH, and HMQV without having to adapt the group sizes to account for the tightness loss of previous reductions. As a side result of independent interest, we also obtain modular and simple security proofs from standard GapCDH with tightness loss, improving previously known bounds.

#### 31 January 2023

###### University of Birmingham, UK
Job Posting

This is an opportunity to join the University of Birmingham’s Centre for Cyber Security and Privacy on the projects "User-controlled hardware security anchors: evaluation and designs" and "SIPP - Secure IoT Processor Platform with Remote Attestation".

The position has scope for a variety of research activities, spanning trusted execution, hardware and embedded security, binary analysis, protocol design/analysis, and formal modelling. We are hence looking for a candidate with a PhD (or equivalent industry experience) in at least one of these areas.

The post-doc will be based at the Birmingham Centre for Cyber Security and Privacy, which was originally founded in 2005 as the Security and Privacy group and has been recognised as a Centre by the university since 2018. The Centre is a core part of the School of Computer Science, which was ranked 3rd in the UK-wide REF2021 for computer science research. Three out of the four REF2021 impact case studies came from the security group; all four were awarded the maximum grade of 4*. The centre currently has 12 permanent academics as well as approximately 20 postdocs/PhD students. We are recognised by the UK NCSC in partnership with EPSRC as an Academic Centre of Excellence in Cyber Security Research. We are part of the Research Institute in Secure Hardware and Embedded Systems funded by NCSC and EPSRC.

Full time starting salary is normally in the range £32,348 to £42,155, with potential progression once in post to £44,737 (Grade 7). The position comes with budget for travel and equipment.

Fixed term contract up to July 2024. We will encourage and support the successful candidate to apply for follow-up funding after the end of the fixed term.

Apply until 19th February 2023 using the following link: https://tinyurl.com/uobpostdoc

Closing date for applications: 19 February 2023

Contact: Informal enquiries can be sent to Mark Ryan (m.d.ryan@bham.ac.uk) and David Oswald (d.f.oswald@bham.ac.uk). Full applications must be submitted via the above link, we cannot accept applications via email.

###### University of St.Gallen, Switzerland
Job Posting
As a research engineer in the Cyber Security chair you will establish and work in a state-of-the-art IoT (Internet of Things) lab with smart devices including Raspberry Pis, sensors, smart microphones, toy cars, RFID tags, RFID readers, smartphones and biometric sensors, and you will work with world-leading researchers to implement, test, and showcase secure and privacy-preserving protocols and algorithms. Many projects are done in collaboration with other academic and industrial partners. More specifically, the job includes:
• Development and implementation of concepts and research results, both individually and in collaboration with researchers and PhD students,
• Running experiments and simulating realistic conditions to test the performance of the developed algorithms and protocols,
• Development, maintenance and organization of software,
• Supporting BSc, MSc and PhD students, postdocs and researchers who use the lab,
• Responsibility for day-to-day lab routines, for example purchases, installations, bookings and inventory,
• Demonstrations and lab tours for external visitors,
• Producing media content for our group web page and social media platforms.
The successful applicant is expected to hold, or to be about to receive, an M.Sc. degree in Computer Science, Electrical Engineering, Applied Mathematics or a similar field, preferably with a focus on security and privacy of computer systems.
• We are looking for a strongly motivated and self-driven person who is able to work and learn new things independently.
• Good command of English is required.
• You should have a good academic track record and well-developed analytical and problem-solving skills.
• Excellent programming skills and familiarity with cryptographic libraries.
• Previous experience in implementation projects with C++, Matlab/Simulink or Python is desirable.

Closing date for applications:

Contact:
Prof. Katerina Mitrokotsa, katerina.mitrokotsa@unisg.ch (Research related questions)

###### Visa Research, Palo Alto, CA
Job Posting

The Digital Currency Research team at Visa Research is looking for outstanding research interns as part of our growing team in Palo Alto, California.

Our team is building the next generation of financial systems that rely on digital currencies, including decentralized cryptocurrencies like Bitcoin and Ethereum and semi-decentralized digital currencies like stablecoins, central bank digital currencies (CBDCs), and tokenized commercial bank deposits. Compared to traditional financial systems, these networks have significantly stronger resilience against cyberattacks, achieved by minimizing trust in various system components.

Past intern projects have included:

• Blockchain scalability, e.g., sharding (RapidChain) and light clients (FlyClient)
• Layer 2 scalability solutions, e.g., hub-based payment channels (UPC) and offline payments (OPS)
• Blockchain privacy, e.g., private smart contract transactions (Zether)
• Privacy-preserving auditability of large payment graphs (SPA)
• Privacy-preserving fraud detection using federated learning and multi-party computation

Basic Qualification

• Pursuing a Ph.D. in Computer Science or Computer Engineering, graduating December 2023 or later

Preferred Qualifications

• Research experience in one or more research areas related to blockchain, cryptography, and/or systems security
• Strong track record in research publications and impact in the research community
• Strong ability to collaborate
• Good team player and excellent interpersonal skills
• Good analytical and problem-solving skills

Closing date for applications:

Contact:

• Mahdi Zamani mzamani@visa.com
• Panos Chatzigiannis pchatzig@visa.com

###### Meta, Menlo Park, CA, USA
Job Posting
We are looking for Research Scientist Interns to join the Statistics & Privacy team to advance cutting-edge applied research, focusing on Privacy Enhancing Technologies. Research Scientist Interns partner with our full-time Research Scientists to drive forward the research, prototypes and methodologies.

Challenges and intern projects include incorporating approaches such as multi-party computation, homomorphic encryption, trusted execution environments, differential privacy, and federated learning to develop privacy-focused solutions while maintaining performance at massive scale, including cryptographic protocols, algorithms & tooling for machine learning or analytics. Research projects may include developing new or improving existing privacy-preserving solutions for areas such as: private record linkage, privacy-preserving ML and analytics.

For more details and to apply: https://www.metacareers.com/jobs/881989909611952/

Closing date for applications:

Contact: Gaven Watson

#### 30 January 2023

###### Tarun Chitra, Matheus V. X. Ferreira, Kshitij Kulkarni
ePrint Report
Akbarpour and Li (2020) formalized credibility as an auction desideratum where the auctioneer cannot benefit by implementing undetectable deviations from the promised auction and showed that, in the plain model, the ascending price auction with reserves is the only credible, strategyproof, revenue-optimal auction. Ferreira and Weinberg (2020) proposed the Deferred Revelation Auction (DRA) as a communication efficient auction that avoids the uniqueness results from (2020) assuming the existence of cryptographic commitments and as long as bidder valuations are MHR. They also showed DRA is not credible in settings where bidder valuations are $\alpha$-strongly regular unless $\alpha$ > 1. In this paper, we ask if blockchains allow us to design a larger class of credible auctions. We answer this question positively, by showing that DRA is credible even for $\alpha$-strongly regular distributions for all $\alpha$ > 0 if implemented over a secure and censorship-resistant blockchain. We argue ledgers provide two properties that limit deviations from a self-interested auctioneer. First, the existence of smart contracts allows one to extend the concept of credibility to settings where the auctioneer does not have a reputation — one of the main limitations for the definition of credibility from Akbarpour and Li (2020). Second, blockchains allow us to implement mechanisms over a public broadcast channel, removing the adaptive undetectable deviations driving the negative results of Ferreira and Weinberg (2020).
###### Luciano Freitas, Andrei Tonkikh, Adda-Akram Bendoukha, Sara Tucci-Piergiovanni, Renaud Sirdey, Oana Stan, Petr Kuznetsov
ePrint Report
In a single secret leader election protocol (SSLE), one of the system participants is chosen and, unless it decides to reveal itself, no other participant can identify it. SSLE has a great potential in protecting blockchain consensus protocols against denial of service (DoS) attacks. However, all existing solutions either make strong synchrony assumptions or have expiring registration, meaning that they require elected processes to re-register themselves before they can be re-elected. This, in turn, prohibits the use of these SSLE protocols to elect leaders in partially-synchronous consensus protocols, as there may be long periods of network instability when no new blocks are decided and, thus, no new registrations (or re-registrations) are possible. In this paper, we propose Homomorphic Sortition -- the first asynchronous SSLE protocol with non-expiring registration, making it the first solution compatible with partially-synchronous leader-based consensus protocols.

Homomorphic Sortition relies on Threshold Fully Homomorphic Encryption (ThFHE) and is tailored to proof-of-stake (PoS) blockchains, with several important optimizations with respect to prior proposals. In particular, unlike most existing SSLE protocols, it works with arbitrary stake distributions and does not require a user with multiple coins to be registered multiple times. Our protocol is highly parallelizable and can be run completely off-chain after setup.

Some blockchains require a sequence of rounds to have non-repeating leaders. We define a generalization of SSLE, called Secret Leader Permutation (SLP) in which the application can choose how many non-repeating leaders should be output in a sequence of rounds and we show how Homomorphic Sortition also solves this problem.
###### Gabrielle De Micheli, Duhyeong Kim, Daniele Micciancio, Adam Suhl
ePrint Report
Amortized bootstrapping offers a way to simultaneously refresh many ciphertexts of a fully homomorphic encryption scheme, at a total cost comparable to that of refreshing a single ciphertext. An amortization method for FHEW-style cryptosystems was first proposed by (Micciancio and Sorrell, ICALP 2018), who showed that the amortized cost of bootstrapping n FHEW-style ciphertexts can be reduced from $O(n)$ basic cryptographic operations to just $O(n^{\epsilon})$, for any constant $\epsilon>0$. However, despite the promising asymptotic saving, the algorithm was rather impractical due to a large constant (exponential in $1/\epsilon$) hidden in the asymptotic notation. In this work, we propose an alternative amortized bootstrapping method with much smaller overhead, still achieving $O(n^\epsilon)$ asymptotic amortized cost, but with a hidden constant that is only linear in $1/\epsilon$, and with reduced noise growth. This is achieved following the general strategy of (Micciancio and Sorrell), but replacing their use of the Nussbaumer transform with a much more practical Number Theoretic Transform, with multiplication by twiddle factors implemented using ring automorphisms. A key technical ingredient to do this is a new "scheme switching" technique proposed in this paper which may be of independent interest.
###### Vahid Amin-Ghafari, Mohammad Ali Orumiehchiha, Saeed Rostami
ePrint Report
A few small-state stream ciphers (SSCs) were proposed for constrained environments. All of the SSCs before the LILLE stream cipher suffered from distinguishing attacks and fast correlation attacks. The designers of LILLE claimed that it is based on the well-studied two-key Even-Mansour scheme and so is resistant to various types of attacks. This paper proposes a distinguishing attack on LILLE, the first attack since 2018. The data and time complexities to attack LILLE-40 are 2^(50.7) and 2^(41.2), respectively. We practically verified our attack on a halved version of LILLE-40. A countermeasure is suggested to strengthen LILLE against the proposed attack. We hope our attack opens the door to more cryptanalyses of LILLE.
###### Ripon Patgiri, Laiphrakpam Dolendro Singh
ePrint Report
In this paper, we propose a variable-sized, one-way, and randomized secure hash algorithm, VORSHA for short. We present six variants of VORSHA, which are able to generate a randomized secure hash value. VORSHA is the first secure hash algorithm to randomize the secure hash value fully. The key embodiment of our proposed algorithm is to generate a pool of pseudo-random bits using the primary hash functions and select a few bits from the pool of bits to form the final randomized secure hash value. Each hash value of the primary hash function produces a single bit (either 0 or 1) for the pool of pseudo-random bits. Thus, VORSHA randomizes the generated bit string to produce the secure hash value, and we term it a randomized secure hash value. Moreover, the randomized secure hash value is tested using the NIST-SP 800-22 statistical test suite, and the generated randomized secure hash value of VORSHA has passed all 15 statistical tests of NIST-SP 800-22. It proves that VORSHA is able to generate a highly unpredictable yet consistent secure hash value. Moreover, VORSHA features a memory-hardness property to restrict a high degree of parallelism, which means a tiny memory footprint for legal users but massive memory requirements for adversaries. Furthermore, we demonstrate how to prevent the Rainbow Table as a Service (RTaaS) attack using VORSHA. The source code is available at https://github.com/patgiri/VORSHA.
###### Bologna, Italia, 25 May - 26 May 2023
Event Calendar
Event date: 25 May to 26 May 2023