## IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 14 September 2021

###### Soumya Chattopadhyay, Ashwin Jha, Mridul Nandi

ePrint Report###### Mario Larangeira

ePrint Report###### Wil Liam Teng, Iftekhar Salam, Wei-Chuen Yau, Josef Pieprzyk, Raphaël C.-W. Phan

ePrint ReportThis work evaluates the security of the cipher. The tool used for the evaluation is the cube attack. We present five cube attacks DA1 - DA5. The first two attacks (DA1 and DA2) are launched against the initialisation phase of the cipher. The best result achieved for the attacks is a distinguisher for a 18-bit cube, where the cipher variant consists of the full initialisation phase together with 437 rounds of the encryption phase. The attacks DA3 - DA5 present a collection of distinguishers up to 437 encryption rounds, whose 32-bit cubes are chosen from the plaintext, nonce, or associated data bits. The results are confirmed experimentally. A conclusion from the work is that TinyJAMBU has a better security margin against cube attacks than claimed by the designers.

###### Ivan Damgård, Daniel Escudero, Divya Ravi

ePrint ReportThese results say that for each given set of parameters $(t_a, t_p, t_f)$ respecting the inequality, there exists a protocol secure against this particular choice of corruption thresholds. In this work we consider a dynamic adversary. Here, the goal is a single protocol that is secure, no matter which set of corruption thresholds $(t_a, t_p, t_f)$ from a certain class is chosen by the adversary. A dynamic adversary can choose a corruption strategy after seeing the protocol and so is much stronger than a standard adversary.

Dynamically secure protocols have been considered before for computational security. Also the information theoretic case has been studied, but only considering non-threshold general adversaries, leading to inefficient protocols.

We consider threshold dynamic adversaries and information theoretic security. For statistical security we show that efficient dynamic secure function evaluation (SFE) is possible if and only if $2t_a + 2t_p + t_f < n$, but any dynamically secure protocol must use $\Omega(n)$ rounds, even if only fairness is required. Further, general reactive MPC is possible if we assume in addition that $2t_a+2t_f \leq n$, but fair reactive MPC only requires $2t_a + 2t_p + t_f < n$.

For perfect security we show that both dynamic SFE and verifiable secret sharing (VSS) are impossible if we only assume $3t_a + 2t_p + t_f < n$ and remain impossible even if we also assume $t_f=0$. On the other hand, perfect dynamic SFE with guaranteed output delivery (G.O.D.) is possible when either $t_p = 0$ or $t_a = 0$ i.e. if instead we assume $3t_a+t_f < n$ or $2t_p +t_f < n$. Further, perfect dynamic VSS with G.O.D. is possible under the additional conditions $3t_a + 3/2t_f \leq n$ or $2t_p + 2t_f \leq n$. These conditions are also sufficient for dynamic perfect reactive MPC.

###### Yu Dai, Zijian Zhou, Fangguo Zhang, Chang-An Zhao

ePrint Report###### Marc Joye

ePrint Report###### Abderrahmane Nitaj, Muhammad Rezal Kamel Ariffin, Nurul Nur Hanisah Adenan, Nur Azman Abu

ePrint Report###### Mike Rosulek, Ni Trieu

ePrint ReportFor small sets (500 items or fewer), our protocol requires the least time and communication of any known PSI protocol, even ones that are only semi-honest secure and ones that are not based on Diffie-Hellman. It is one of the few significant improvements to the 20-year old classical Diffie-Hellman PSI protocol of Huberman, Franklin, and Hogg (ACM Elec. Commerce 1999).

Our protocol is actually a generic transformation that constructs PSI from a class of key agreement protocols. This transformation is inspired by a technique of Cho, Dachman-Soled, and Jarecki (CT-RSA 2016), which we streamline and optimize in several important ways to achieve our superior efficiency.

###### Joël Alwen, Benedikt Auerbach, Mirza Ahad Baig, Miguel Cueto, Karen Klein, Guillermo Pascual-Perez, Krzysztof Pietrzak, Michael Walter

ePrint ReportA key tree is a (typically balanced) binary tree, where each node is identified with a key: leaf nodes hold users' secret keys while the root is the shared group key. For a group of size $N$, each user just holds $\log(N)$ keys (the keys on the path from its leaf to the root) and its entire key material can be rotated by broadcasting $2\log(N)$ ciphertexts (encrypting each fresh key on the path under the keys of its parents).

In this work we consider the natural setting where we have many groups with partially overlapping sets of users, and ask if we can find solutions where the cost of rotating a key is better than in the trivial one where we have a separate key tree for each group.

We show that in an asymptotic setting (where the number $m$ of groups is fixed while the number $N$ of users grows) there exist more general key graphs whose cost converges to the cost of a single group, thus saving a factor linear in the number of groups over the trivial solution.

As our asymptotic ``solution" converges very slowly and performs poorly on concrete examples, we propose an algorithm that uses a natural heuristic to compute a key graph for any given group structure. Our algorithm combines two greedy algorithms, and is thus very efficient: it first converts the group structure into a ``lattice graph", which is then turned into a key graph by repeatedly applying the algorithm for constructing a Huffman code.

To better understand how far our proposal is from an optimal solution, we prove lower bounds on the update cost of continuous group-key agreement and multicast encryption in a symbolic model admitting (asymmetric) encryption, pseudorandom generators, and secret sharing as building blocks.

###### Sacha Servan-Schreiber, Simon Langowski, Srinivas Devadas

ePrint ReportExisting protocols for private nearest neighbor search re- quire heavy cryptographic tools, resulting in poor practical performance or large client overheads. In this paper, we present the first lightweight protocol for private nearest neighbor search. Our protocol is instantiated using two non-colluding servers, each holding a replica of the database. The protocol supports an arbitrary number of clients simultaneously querying the database via these servers. Each query is only a single round of communication for the client and does not require any communication between servers.

If at least one of the servers is non-colluding, we ensure that (1) no information is revealed on the client’s query, (2) the total communication between the client and the servers is sublinear in the database size, and (3) each query answer only leaks a small and precisely quantified amount of information about the database to the client, even when the client is acting maliciously.

We implement our protocol and report its performance on real-world data. Our construction requires between 10 and 30 seconds of query latency over large databases of 10M feature vectors. Client overhead remained under 10μs of processing time per query and typically less than 4 MB of communication, depending on parameters.

###### Jyotirmoy Pramanik, Avishek Adhikari

ePrint Report###### Jonathan Takeshita, Colin McKechney, Justin Pajak, Antonis Papadimitriou, Ryan Karl, Taeho Jung

ePrint Report###### Elena Andreeva, Amit Singh Bhati, Bart Preneel, Damian Vizar

ePrint ReportOur main contribution is the generic CTR encryption mode GCTR that makes parallel calls to an MFC to encrypt a message $M$. We analyze the set of all 36 ``simple and natural'' GCTR variants under the nivE security notion by Peyrin and Seurin from CRYPTO'16. Our proof method makes use of an intermediate abstraction called tweakable CTR (TCTR) that captures the core security properties of GCTR common to all variants, making their analyses easier. Our results show that many of the schemes achieve from well beyond birthday bound (BBB) to full $n$-bit security under nonce respecting adversaries and some even BBB and close to full $n$-bit security in the face of realistic nonce misuse conditions.

We finally present an efficiency comparison of GCTR using $\mathsf{ForkSkinny}$ (an MFC with $s=2$) with the traditional CTR and the more recent CTRT modes, both are instantiated with the $\mathsf{SKINNY}$ TBC. Our estimations show that any GCTR variant with $\mathsf{ForkSkinny}$ can achieve an efficiency advantage of over $20\%$ for moderately long messages, illustrating that the use of an efficient MFC with $s\geq 2$ brings a clear speed-up.

###### Arpita Patra, Thomas Schneider, Ajith Suresh, Hossein Yalame

ePrint ReportIn this work, we propose SynCirc, an efficient hardware synthesis framework designed for MPC applications. Our framework is based on Verilog and the open-source tool Yosys-ABC. It provides custom libraries and new constraints that accommodate multi-input AND gates. With this, we improve over TinyGMW by up to 3x in multiplicative depth with a corresponding improvement in online round complexity. Moreover, we provide efficient realizations of several new building blocks including comparison, multiplexers, and equality check. For these building blocks, we achieve improvements in multiplicative depth/online rounds between 22.3% and 66.7%. With these improvements, our framework makes multi-round MPC better-suited for high-latency networks such as the Internet. With respect to the look-up table based approach of Dessouky et al (NDSS’17), our framework improves the online communication by 1.3x - 18x.

###### Simon Masson, Antonio Sanso, Zhenfei Zhang

ePrint Report#### 13 September 2021

###### SUTD, Singapore

Job Posting**Closing date for applications:**

**Contact:** Prof. Jianying Zhou

#### 11 September 2021

###### Fujitsu Research of America

Job PostingProfile Description:

Working hours and start dates are flexible. Internship duration will be 3 to 6 months, it can be either full time or part time. The position is open to candidates based on

**USA, Canada, UK, EU**or

**Japan.**

**Closing date for applications:**

**Contact:** Avradip Mandal (amandalATfujitsuDOTcom)

###### Monash University

Job Posting

## Requirements:

* Ph.D. in Computer Science or Mathematics

* Strong academic background in one of the following areas:

- Blockchain

- Cryptography

- Dependability

- Fault tolerance

- Reliable broadcast

- distributed and parallel computing

- Concurrency

## Starting date: ASAP

## Salary: Approx. $92,792 --$120,093 per year (Australian dollars) plus 17% Superannuation

## Location: Monash University, Clayton, Australia.

## Eligibility: We can only consider Australian or New Zealand citizens, Australian permanent residents, or those in Australia with working rights. Chinese / Malaysian citizens can also be considered to work in Monash Suzhou campus in China / Monash Malaysia campus in Selangor.

## Applications (first-come, first-served):
Please send a copy of

1. your detailed CV

2. research statement, and

3. a copy of 2 selected publications/preprints/thesis.

**Closing date for applications:**

**Contact:** Joseph Liu

**More information:** https://www.monash.edu/blockchain