## IACR News

#### 20 November 2022

###### The School of Engineering at the Pontificia Universidad Católica de Chile
Job Posting
Requirements: Applicants must hold a Ph.D., preferably in Computer Science, and/or have demonstrable expertise in the fields. Due to the nature of our School, the applicant will have the opportunity and should be willing to work collaboratively with other Departments in the School of Engineering. Previous postdoctoral or international academic experience should be stated in the application. Candidates do not need to be fluent in Spanish at the time of application, but should be prepared to learn the language well enough to teach in this language in the short term (two years maximum). English is a requirement. Applicants must demonstrate a strong commitment to all aspects of academic life and the public good of the institution. They must be highly motivated to continuously improve their teaching skills, have a genuine interest in getting involved with our graduate programs (especially the doctoral program), and be able to develop and maintain an active research agenda leading to high-quality publications, securing research grants, generating and participating in interdisciplinary projects, leading scientific and industry-liaison initiatives, strengthening and creating national and international academic networks, etc. The candidate will also be expected to create new undergraduate and graduate courses and teach traditional courses in related areas.

Closing date for applications:

Contact: Marcelo Arenas, marenas@ing.puc.cl

###### IT University of Copenhagen (ITU)
Job Posting
We are hiring a postdoc interested in blockchains, MPC, zero knowledge or a mix of these topics. We are seeking a highly motivated person with a strong background in one of these areas and a solid publication track record in top venues. The successful candidate will be part of our research group and of the larger Center for Information Security and Trust at ITU, and will also have the chance to visit our collaborators in other institutions, as well as theirs. Besides competitive salaries, employment in this position entails access to high quality public health and education systems for the successful candidate and their family.

Closing date for applications:

Contact: Bernardo David (beda at itu dot dk)

#### 18 November 2022

Election
The 2022 election was held to fill three director positions and four officer positions. 645 votes were cast. The results are below, with elected candidates marked in bold:

President:
**Michel Abdalla**: 584
Vice-President:
**Allison Bishop**: 561
Treasurer:
**Brian LaMacchia**: 573
Secretary:
**Benjamin Wesolowski**: 563

Directors:
**Shai Halevi**: 274
Tal Malkin: 233
**Bart Preneel**: 364
Francisco Rodríguez Henríquez: 186
**Peter Schwabe**: 364
Hoeteck Wee: 233

Support for the creation of the IACR Communications in Cryptology:
Yes: 491, No: 128

Election verification data can be found at https://vote.heliosvoting.org/helios/e/IACR2022.

The election committee congratulates all elected members and thanks all candidates for their contributions to the IACR and willingness to serve.

#### 17 November 2022

###### Gilad Asharov, Koki Hamada, Dai Ikarashi, Ryo Kikuchi, Ariel Nof, Benny Pinkas, Katsumi Takahashi, Junichi Tomida
ePrint Report
We present a three-party sorting protocol secure against passive and active adversaries in the honest majority setting. The protocol can be easily combined with other secure protocols which work on shared data, and thus enable different data analysis tasks, such as private set intersection of shared data, deduplication, and the identification of heavy hitters. The new protocol computes a stable sort. It is based on radix sort and is asymptotically better than previous secure sorting protocols. It improves on previous radix sort protocols by not having to shuffle the entire length of the items after each comparison step.

We implemented our sorting protocol with different optimizations and achieved concretely fast performance. For example, sorting one million items with 32-bit keys and 32-bit values takes less than 2 seconds with semi-honest security and about 3.5 seconds with malicious security. Finding the heavy hitters among hundreds of thousands of 256-bit values takes only a few seconds, compared to close to an hour in previous work.
###### Pratish Datta, Tapas Pal, Katsuyuki Takashima
ePrint Report
This paper presents the first functional encryption (FE) scheme for the attribute-weighted sum (AWS) functionality that supports the uniform model of computation. In such an FE scheme, encryption takes as input a pair of attributes (x,z) where the attribute x is public while the attribute z is private. A secret key corresponds to some weight function f, and decryption recovers the weighted sum f(x)z. This is an important functionality with a wide range of potential real life applications, many of which require the attribute lengths to be flexible rather than being fixed at system setup. In the proposed scheme, the public attributes are considered as binary strings while the private attributes are considered as vectors over some finite field, both having arbitrary polynomial lengths that are not fixed at system setup. The weight functions are modeled as Logspace Turing machines. Prior schemes [Abdalla, Gong, and Wee, CRYPTO 2020 and Datta and Pal, ASIACRYPT 2021] could only support non-uniform Logspace. The proposed scheme is built in asymmetric prime-order bilinear groups and is proven adaptively simulation secure under the well-studied symmetric external Diffie-Hellman (SXDH) assumption against an arbitrary polynomial number of secret key queries both before and after the challenge ciphertext. This is the best possible level of security for FE as noted in the literature. As a special case of the proposed FE scheme, we also obtain the first adaptively simulation secure inner-product FE (IPFE) for vectors of arbitrary length that is not fixed at system setup. 
On the technical side, our contributions lie in extending the techniques of Lin and Luo [EUROCRYPT 2020] devised for payload hiding attribute-based encryption (ABE) for uniform Logspace access policies avoiding the so-called “one-use” restriction in the indistinguishability-based security model as well as the “three-slot reduction” technique for simulation-secure attribute-hiding FE for non-uniform Logspace devised by Datta and Pal [ASIACRYPT 2021] to the context of simulation-secure attribute-hiding FE for uniform Logspace.
###### Melissa Chase, Michele Orrù, Trevor Perrin, Greg Zaverucha
ePrint Report
We provide a $\Sigma$-protocol for proving that two values committed in different groups are equal. We study our protocol in Lyubashevsky's framework "Fiat-Shamir with aborts" (Asiacrypt'09) and offer concrete parameters for instantiating it. We explain how to use it to compose SNARKs with $\Sigma$-protocols, create efficient proofs of solvency on cryptocurrencies, and join attributes across different anonymous credentials.
###### Valeria Nikolaenko, Sam Ragsdale, Joseph Bonneau, Dan Boneh
ePrint Report
We introduce the first decentralized trusted setup protocols for constructing a powers-of-tau structured reference string. Facilitated by a blockchain platform, our protocols can run in a permissionless manner, with anybody able to participate in exchange for paying requisite transaction fees. The result is secure as long as any single party participates honestly. We introduce several protocols optimized for different sized powers-of-tau setups and using an on-chain or off-chain data availability model to store the resulting string. We implement our most efficient protocol on top of Ethereum, demonstrating practical concrete performance numbers.
###### Arghya Bhattacharjee, Avik Chakraborti, Nilanjan Datta, Cuauhtemoc Mancillas-López, Mridul Nandi
ePrint Report
This paper analyses the lightweight, sponge-based NAEAD mode $\textsf{ISAP}$, one of the finalists of the NIST Lightweight Cryptography (LWC) standardisation project, that achieves high-throughput with inherent protection against differential power analysis (DPA). We observe that $\textsf{ISAP}$ requires $256$-bit capacity in the authentication module to satisfy the NIST LWC security criteria. In this paper, we study the analysis carefully and observe that this is primarily due to the collision in the associated data part of the hash function which can be used in the forgery of the mode. However, the same is not applicable to the ciphertext part of the hash function because a collision in the ciphertext part does not always lead to a forgery. In this context, we define a new security notion, named $\textsf{2PI+}$ security, which is a strictly stronger notion than the collision security, and show that the security of a class of encrypt-then-hash based MAC type of authenticated encryptions, that includes $\textsf{ISAP}$, reduces to the $\textsf{2PI+}$ security of the underlying hash function used in the authentication module. Next we investigate and observe that a feed-forward variant of the generic sponge hash achieves better $\textsf{2PI+}$ security as compared to the generic sponge hash. We use this fact to present a close variant of $\textsf{ISAP}$, named $\textsf{ISAP+}$, which is structurally similar to $\textsf{ISAP}$, except that it uses the feed-forward variant of the generic sponge hash in the authentication module. This improves the overall security of the mode, and hence we can set the capacity of the ciphertext part to $192$ bits (to achieve a higher throughput) and yet satisfy the NIST LWC security criteria.
###### Liliya Akhmetzyanova, Evgeny Alekseev, Alexandra Babueva, Andrey Bozhko, Stanislav Smyshlyaev
ePrint Report
We introduce a modification of the Russian standardized AEAD MGM mode — an MGM2 mode, for which a nonce is not encrypted anymore before using it as an initial counter value. For the new mode we provide security bounds regarding security notions in the nonce-misuse setting (MRAE-integrity and CPA-resilience). The obtained bounds are even better than the bounds obtained for the original MGM mode regarding standard security notions.
###### Sigurd Eskeland, Ahmed Fraz Baig
ePrint Report
Continuous authentication has been proposed as a complementary security mechanism to password-based authentication for computer devices that are handled directly by humans, such as smart phones. Continuous authentication has some privacy issues as certain user features and actions are revealed to the authentication server, which is not assumed to be trusted. Wei et al. proposed in 2021 a privacy-preserving protocol for behavioral authentication that utilizes homomorphic encryption. The encryption prevents the server from obtaining sampled user features. In this paper, we show that the Wei et al. scheme is insecure regarding both an honest-but-curious server and an active eavesdropper. We present two attacks. The first attack enables the authentication server to obtain the secret user key, plaintext behavior template and plaintext authentication behavior data from encrypted data. The second attack enables an active eavesdropper to restore the plaintext authentication behavior data from the transmitted encrypted data.
###### Katherine E. Stange
ePrint Report
We demonstrate that a modification of the classical index calculus algorithm can be used to factor integers. More generally, we reduce the factoring problem to finding an overdetermined system of multiplicative relations in any factor base modulo $n$, where $n$ is the integer whose factorization is sought. The algorithm has subexponential runtime $\exp(O(\sqrt{\log n \log \log n}))$ (or $\exp(O( (\log n)^{1/3} (\log \log n)^{2/3} ))$ with the addition of a number field sieve), but requires a rational linear algebra phase, which is more intensive than the linear algebra phase of the classical index calculus algorithm. The algorithm is certainly slower than the best known factoring algorithms, but is perhaps somewhat notable for its simplicity and its similarity to the index calculus.
###### Fengrong Zhang, Enes Pasalic, Amar Bapić, Baocang Wang
ePrint Report
Two main secondary constructions of bent functions are the direct and indirect sum methods. We show that the direct sum, under more relaxed conditions compared to those in \cite{PolujanandPott2020}, can generate bent functions provably outside the completed Maiorana-McFarland class ($\mathcal{MM}^\#$). We also show that the indirect sum method, though imposing certain conditions on the initial bent functions, can be employed in the design of bent functions outside $\mathcal{MM}^\#$. Furthermore, applying this method to suitably chosen bent functions we construct several generic classes of homogeneous cubic bent functions (considered as a difficult problem) that might possess additional properties (namely without affine derivatives and/or outside $\mathcal{MM}^\#$). Our results significantly improve upon the best known instances of this type of bent functions given by Polujan and Pott \cite{PolujanandPott2020}, and additionally we solve an open problem in \cite[Open Problem 5.1]{PolujanandPott2020}. More precisely, we show that one class of our homogeneous cubic bent functions is non-decomposable (inseparable) so that $h$ under a non-singular transform $B$ cannot be represented as $h(xB)=f(y)\oplus g(z)$. Finally, we provide a generic class of vectorial bent functions strongly outside $\mathcal{MM}^\#$ of relatively large output dimensions, which is generally considered as a difficult task.
###### Christoph U. Günther, Sourav Das, Lefteris Kokoris-Kogias
ePrint Report
With the emergence of decentralized systems, spearheaded by blockchains, threshold cryptography has seen unprecedented adoption. Just recently, the trustless distribution of threshold keys over an unreliable network has started to become practical. The next logical step is ensuring the security of these keys against persistent adversaries attacking the system over long periods of time.

In this work, we tackle this problem and give two practical constructions for Asynchronous Proactive Secret Sharing. Our first construction uses recent advances in asynchronous protocols and achieves a communication complexity of $O(n^3)$ where $n$ is the total number of nodes in the network. The second protocol builds upon the first and uses sortition to drive down the communication complexity to $O(c n^2)$. Here, $c$ is a tunable parameter that controls the expected size of the sharing committee chosen using the existing random coin.

Additionally, we identify security flaws in prior work and ensure that our protocols are secure by giving rigorous proofs. Moreover, we introduce a related notion which we term Asynchronous Refreshable Secret Sharing — a functionality that also re-randomizes the secret itself. Finally, we demonstrate the practicability of our constructions by implementing them in Rust and running large-scale, geo-distributed benchmarks.
###### Kwan Yin Chan, Tsz Hon Yuen
ePrint Report
User attributes can be authenticated by an attribute-based anonymous credential while keeping the anonymity of the user. Most attribute-based anonymous credential schemes are designed specifically for either multi-use or single-use. In this paper, we propose a unified attribute-based anonymous credential system, in which users always obtain the same format of credential from the issuer. The user can choose to use it for an efficient multi-use or single-use show proof. It is a more user-centric approach than the existing schemes. Technically, we propose an interactive approach to the credential issuance protocol using a two-party computation with an additive homomorphic encryption. At the same time, it keeps the security property of impersonation resilience, anonymity, and unlinkability. Apart from the interactive protocol, we further design the show proofs for efficient single-use credentials which maintain the user anonymity.
###### Radical Semiconductor
Job Posting
Radical Semiconductor is reinventing the credit card chip. With more powerful cryptography, custom apps, and ultra-high security, Radical silicon will power cryptocurrency hardware wallets, new financial technologies, and the entire banking ecosystem.

We are looking for highly-skilled, motivated, interdisciplinary, and diverse team members to help us build our very first custom OS, compiler stack, and cryptographic suite to run on our novel hardware. As an engineer in the earliest stages of Radical, your voice will be heard, and your decisions will impact the hardware that will one day end up in everyone’s wallet.

As an applied cryptographer, you will work directly with Radical’s VP of Information Security and CTO to develop a custom instruction set for implementing cryptographic algorithms, construct a compiler and simulator toolchain targeting this instruction set, and implement and optimize cryptographic algorithms using this toolchain. You will work closely with both the hardware and software design teams to create designs that offer high cryptographic agility with a small power and area footprint.

For full details, see our job posting under the "Jobs" tab at the link below.

Closing date for applications:

Contact: For applying, visit the link above. For any questions or hiring recommendations, reach out to katie@radicalsemiconductor.com.

###### Rutgers University, DIMACS Center, Piscataway, NJ, USA
Job Posting
DIMACS, the Center for Discrete Mathematics and Theoretical Computer Science, based at Rutgers University in New Brunswick, New Jersey, USA, seeks a Deputy Director of the Center who would also serve as an Associate or Full Professor in a Rutgers department. Founded in 1989, DIMACS is a thriving consortium of seven universities and six companies. Its mission is to conduct research, catalyze research, and develop educational programs in the computational and mathematical sciences, including artificial intelligence, computing theory (algorithms, combinatorics, complexity), data science, discrete mathematics (geometry, graph theory), machine learning, modeling, optimization, and privacy. Activities often address applications in biology, cyber & physical security, economics, engineering, epidemiology, and sustainability, as well as topics in computer science and math education. The Deputy Director will co-lead the scientific, educational, financial, and administrative aspects of the Center; help guide its vision; further its interdisciplinary traditions; write grants and raise funds; and interact with initiatives across Rutgers and other partners, including DIMACS’s DHS center of excellence. DIMACS has excelled at catalyzing new research and adapting to its partners’ interests; the Deputy Director will contribute leadership in determining such new directions. The Deputy Director will serve a five-year (renewable) term at DIMACS and engage in research, teaching, and service in their home department. The candidate must have a Ph.D. and a strong record of research, academic service, and teaching ability suitable for a tenured faculty appointment in a field such as computer science, mathematics, operations research, or statistics. The ideal candidate’s research will connect to DIMACS’s roots in theoretical computer science and discrete mathematics, while branching to other areas, such as data science, AI, and machine learning. 
The candidate should have wide interests and demonstrated leadership abilities. A successful record of grant funding is preferred.

Closing date for applications:

Contact: Christine Spassione

#### 16 November 2022

###### Tampere University, Unit of Computing Sciences, Tampere, Finland
Job Posting
We are now seeking an Assistant Professor, Associate Professor or Professor in the field of Information Security. The position is located in the Faculty of Information Technology and Communication Sciences at Tampere University, more specifically in the unit of Computing Sciences. The Network and Information Security group in the unit of Computing Sciences is an active and vibrant research group consisting of 2 professors, 3 lecturers, 4 senior researchers, and around 20 researchers and research assistants made up of postgraduate and graduate students. The core research competencies of the group are hardware-assisted security, privacy, applied cryptography, IoT security, network security, and security usability.

We invite applicants with expertise in one or more of the following areas:

• Hardware Security: Candidates in this area are expected to have a proven track record of excellence in security-focused electrical engineering, signal processing, System-on-Chip design, computer architecture (e.g., RISC-V), hardware-software codesign, and/or digital design research and development. Topics of interest include hardware aspects of system security, side-channel analysis, and/or trusted execution environments.
• Software Security: Candidates in this area are expected to have a proven track record of excellence in security, privacy, anonymity, and/or crypto-focused software engineering, software assurance, static and dynamic analysis, formal verification, and/or trusted computing research and development. Topics of interest include software architectures, software testing, software aspects of side-channel analysis, trusted application development, and/or application areas such as privacy, anonymity, and/or cryptography.
• Applied Cryptography: Candidates in this area are expected to have a proven track record of excellence in both practical and theoretical aspects of cryptography research and development. Topics of interest include provable security, differential privacy, functional encryption, privacy-preserving analytics, and/or protocols.

Closing date for applications:

###### TU Wien
Job Posting
Applications are being invited for outstanding early-career scientists (up to eight years after PhD), interested in building their independent research group in the field of Information and Communication Technology at TU Wien. The proposed research area should contribute to the scientific advancement of the ICT field and demonstrate relevance to industry with a strong potential for mid-term technological and societal impact.

The selection follows a two-stage process: In stage one applicants apply for a tenure-track professorship at TU Wien (deadline 15 December 2022). In stage two, applicants apply for a WWTF grant together with a proponent of the applicant’s choice from TU Wien (deadline 15 March 2023).

The 14th Vienna Research Groups for Young Investigators call 2023 (https://wwtf.at/funding/programmes/vrg/#VRG23) is issued for up to three group leader positions as part of the WWTF’s Information and Communication Technology programme. WWTF especially encourages female candidates and takes unconventional research careers into consideration.

The WWTF grant amounts up to EUR 1.6 million for a total of 6-8 years. Successful candidates will be offered an Assistant-Professor position with tenure track at TU Wien.

The new research group will be part of the Security and Privacy research unit (https://secpriv.wien).

The topics of interest include, but are not limited to:

• intersection between machine learning and security & privacy
• usable security
• formal methods for security
• system and network security
• applied cryptography

Apply here: https://jobs.tuwien.ac.at/Job/196427

Closing date for applications:

Contact: Matteo Maffei (first.last@tuwien.ac.at)

###### University of Toronto, Department of Computer Science, Toronto, Canada
Job Posting
The Department of Computer Science at the University of Toronto invites applications for multiple positions with appointment commencing on July 1, 2023, or shortly thereafter. Individuals are encouraged to apply to any and all relevant positions. We are conducting a targeted search in computer security and cryptography, and also have several positions open to all areas of computer science, both at the assistant and at the associate levels. The deadline for applications is January 9, 2023.

Closing date for applications:

Contact: Eitan Grinspun (recruit@cs.toronto.edu)

###### Oregon State University
Job Posting
We are looking for bright and motivated students who are interested in a graduate degree in cryptography. Several fully funded positions are available.

The cryptography research group at Oregon State University is led by Professors Mike Rosulek & Jiayu Xu. We have research interests in secure multi-party computation, password-based authentication, key agreement, and privacy-enhancing technologies.

Oregon State University is an R1 (high research activity) university, and its cryptography research group is highly rated on csrankings.org. Past graduates of the group have gone on to successful research positions in industry and academia. OSU is located in Corvallis, Oregon, a small college town (population 60k) located near Portland, the Pacific Ocean, and the Cascade Mountain range.

Students should have a BS degree in computer science or closely related technical discipline. A background in theoretical computer science and/or mathematics is preferred but not required.

Deadline for PhD applicants is December 1. Deadline for MS applicants is January 1. Interested students should select the CS degree program, and indicate an interest in the Cybersecurity research group.

For information on how to apply, see https://eecs.oregonstate.edu/academics/graduate/cs. For other questions, email rosulekm@eecs.oregonstate.edu or xujiay@oregonstate.edu.

Closing date for applications:

Contact: Mike Rosulek & Jiayu Xu