## IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 25 July 2021

###### Dan Boneh, Hart Montgomery, Ananth Raghunathan

ePrint Report###### Gachon University, Korea

Job Posting**Closing date for applications:**

**Contact:** Contact Professor Seong Oun Hwang at sohwang (at) gachon.ac.kr

#### 23 July 2021

###### Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, Shang-Yi Yang

ePrint Report###### Karim Lounis

ePrint Report###### Alan Szepieniec

ePrint ReportAfter discussing the design considerations induced by the use of Legendre symbol gates, we present a concrete design that follows this strategy, along with an elaborate security analysis thereof. This cipher is called Grendel.

###### Elena Fuchs, Kristin Lauter, Matthew Litman, Austin Tran

ePrint Report###### Anubhab Baksi, Kyungbae Jang, Gyeongju Song, Hwajeong Seo, Zejun Xiang

ePrint Report###### Sudharshan Swaminathan, Lukasz Chmielewski, Guilherme Perin, Stjepan Picek

ePrint ReportThis work provides a generalization for inner round side-channel attacks on AES and experimentally validates it with non-profiled and profiled attacks. This work \textit{formulates the computation of the hypothesis values of any byte in the intermediate rounds}. The more inner the AES round is, the higher is the attack complexity in terms of the number of bits to be guessed for the hypothesis. We discuss the main limitations for obtaining predictions in inner rounds and, in particular, we compare the performance of Correlation Power Analysis (CPA) against deep learning-based profiled side-channel attacks (DL-SCA). We demonstrate that because trained deep learning models require fewer traces in the attack phase, they also have fewer complexity limitations to attack inner AES rounds than non-profiled attacks such as CPA. This paper is the first to propose deep learning-based profiled attacks on inner rounds of AES under several time and memory constraints to the best of our knowledge.

###### University of Birmingham

Job Posting**Closing date for applications:**

**Contact:** Mark Ryan

**More information:** https://bham.taleo.net/careersection/external/jobdetail.ftl?job=2100019X

###### Cambridge Quantum, London, UK

Job PostingCambridge Quantum (CQ) is a quantum computing software and algorithms company aiming to allow our customers to get the most out of quantum computers both now and in the future. Our cybersecurity division is developing quantum-related technologies including the world’s only quantum random number generator (QRNG) that uses quantum computers to produce verifiably high-quality entropy.

In this role will work in our quantum cryptography team and bring your expertise in computer science and/or classical cryptography to find solutions to the different problems faced both by classical cryptography in a post-quantum world but also the ones faced by quantum cryptography.

**Role overview**

- Research and design new cryptography applications with a quantum advantage, together with their security proofs.
- Find innovative solutions to the problems faced by classical cryptography in a quantum world and to the challenges faced in quantum cryptography.

**Key Requirements**

- PhD in Computer Science, Mathematics, Physics or related field (or equivalent experience).
- Expertise in one or more of the following: post-quantum cryptography (E.g. lattice-based crypto), multi-party computation, zero-knowledge proofs, formal verification tools, information-theoretic security, cryptanalysis.
- Track record of publications in relevant fields.

**Desirable**

- Job experience in research either as a postdoc or with a company.
- Familiarity with quantum-based cryptography.
- An interest in the discussions and issues surrounding the transition to post-quantum cryptography.
- Good programming skills (E.g. Python, C/C++ and/or other).
- Ability to mentor and coach colleagues.

**Closing date for applications:**

**Contact:** Ela Lee (ela dot lee at cambridgequantum dot com)

**More information:** https://jobs.eu.lever.co/cambridgequantum/762ede2f-22ce-4c4a-88f6-fa07f602d8f4?lever-origin=applied&lever-source%5B%5D=iacr.org%2Fjobs%2F

#### 22 July 2021

###### Kyoungbae Jang, Gyeong Ju Song, Hyunji Kim, Hyeokdong Kwon, Wai-Kong Lee, Zhi Hu, Hwajeong Seo

ePrint Report###### Nicholas Franzese, Jonathan Katz, Steve Lu, Rafail Ostrovsky, Xiao Wang, Chenkai Weng

ePrint Report###### Donghang Lu, Albert Yu, Aniket Kate, Hemanta Maji

ePrint ReportWe implement our protocols over the HoneyBadgerMPC library and apply them to two prominent secure computation tasks: privacy-preserving evaluation of decision trees and privacy-preserving evaluation of Markov processes. For the decision tree evaluation problem, we demonstrate the feasibility of evaluating high-depth decision tree models in a general n-party setting. For the Markov process application, we demonstrate that Polymath can compute large powers of transition matrices with better online time and less communication.

###### Yuval Ishai, Hang Su, David J. Wu

ePrint ReportOur construction follows the general blueprint of Bitansky et al. (TCC 2013) and Boneh et al. (Eurocrypt 2017) of combining a linear probabilistically checkable proof (linear PCP) together with a linear-only vector encryption scheme. We develop a concretely-efficient lattice-based instantiation of this compiler by considering quadratic extension fields of moderate characteristic and using linear-only vector encryption over rank-2 module lattices.

###### Sayantan Mukherjee, Avishek Majumder

ePrint ReportAll the state-of-the-arts works were unable to fully identify the requirements of a BED scheme. We first identify and propose a new security requirement that has not been considered before. After formally defining a BED scheme, we show simple pairing-based attacks on all previous constructions rendering all of them useless. We then give the first secure BED construction in the composite-order pairing groups. This construction achieves constant-size ciphertext and secret keys but achieves selectively secure message hiding only. We then give our second construction from Li and Gong's (PKC'18) anonymous broadcast encryption. This construction achieves adaptively secure message hiding but has ciphertext size dependent on the size of the privileged set. Following that, we propose our third and final construction that achieves constant size ciphertext in the standard model and achieves adaptive message hiding security.

###### Mugurel Barcau, Cristian Lupascu, Vicentiu Pasol, George C. Turcas

ePrint Report###### Yi-Fan Tseng, Chun-I Fan, Zi-Cheng Liu

ePrint Report###### Michał Andrzejczak, Kris Gaj

ePrint Report###### Alexander May, Julian Nowakowski, Santanu Sarkar

ePrint ReportUsing a Coppersmith-type attack, Takayasu, Lu and Peng (TLP) recently showed that one obtains the factorization of $N$ in polynomial time, provided that $d_p, d_q \leq N^{0.122}$. Building on the TLP attack, we show the first Partial Key Exposure attack on short secret exponent CRT-RSA. Namely, let $N^{0.122} \leq d_p, d_q \leq N^{0.5}$. Then we show that a constant known fraction of the least significant bits (LSBs) of both $d_p, d_q$ suffices to factor $N$ in polynomial time.

Naturally, the larger $d_p,d_q$, the more LSBs are required. E.g. if $d_p, d_q$ are of size $N^{0.13}$, then we have to know roughly a $\frac 1 5$-fraction of their LSBs, whereas for $d_p, d_q$ of size $N^{0.2}$ we require already knowledge of a $\frac 2 3$-LSB fraction. Eventually, if $d_p, d_q$ are of full size $N^{0.5}$, we have to know all of their bits. Notice that as a side-product of our result we obtain a heuristic deterministic polynomial time factorization algorithm on input $(N,e,d_p,d_q)$.

###### Lior Rotem, Gil Segev

ePrint ReportWe establish tighter security guarantees for identification and signature schemes which result from $\Sigma$-protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr's schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is ``$d$-moment hard'': The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the $d$-th moment of the algorithm's running time.

In the concrete context of the discrete logarithm problem, already Shoup's original proof shows that the discrete logarithm problem is $2$-moment hard in the generic-group model, and thus our assumption can be viewed as a highly-plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the $2$-moment hardness of the discrete logarithm problem, any $t$-time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most $(t^2/p)^{2/3}$ and $(q_{\mathcal{H}} \cdot t^2/p)^{2/3}$, respectively.