Applied Cryptography and Network Security: 20th International Conference, ACNS 2022, Rome, Italy, June 20–23, 2022, Proceedings

Preface
Organization
Contents
Encryption
Keyed-Fully Homomorphic Encryption Without Indistinguishability Obfuscation
	1 Introduction
		1.1 Background
		1.2 Contribution
		1.3 Technical Overview
	2 Preliminaries
		2.1 Non-Interactive Zero-Knowledge Argument
		2.2 Dual-System Simulation-Sound NIZK
		2.3 (Keyed-)Fully Homomorphic Encryption
	3 Generic Construction of Keyed-FHE
	4 Strong DSS-NIZK from Smooth PHPS and Unbounded Simulation-Sound NIZK
	5 Feasibility of Our Construction
	References
A Performance Evaluation of Pairing-Based Broadcast Encryption Systems
	1 Introduction
	2 An ElGamal Baseline and Other Related Works
	3 Broadcast Encryption Implementations and Analysis
		3.1 Boneh-Gentry-Waters Scheme Using Asymmetric Pairings
		3.2 Gentry-Waters: A Semi-static Variant of the BGW System
		3.3 Waters Dual System Broadcast Encryption System
		3.4 Comparison of General Broadcast Encryption Systems
	4 Applications of Broadcast Encryption
	References
An Optimized GHV-Type HE Scheme: Simpler, Faster, and More Versatile
	1 Introduction
	2 Preliminaries
		2.1 Cryptographic Problem
		2.2 Trapdoor Sampling Algorithms
		2.3 The Gentry-Halevi-Vaikuntanathan Encryption Scheme
		2.4 Other Preliminaries
	3 Efficiency Analyses of GHV
		3.1 On the Density of Trapdoor Matrix Pair (T, T-1)
		3.2 Theoretical Efficiency of GHV
	4 Our Optimized GHV-Type Encryption Scheme
		4.1 Using a Sparse Matrix to Replace T-1
		4.2 Generic Construction of oGHV
		4.3 Homomorphic Operations and Concrete Parameters
		4.4 Computational Optimizations
		4.5 Property Analysis
	5 Conclusions
	References
Attacks
Analyzing the Provable Security Bounds of GIFT-COFB and Photon-Beetle
	1 Introduction
	2 Preliminaries
		2.1 Notations
		2.2 Cryptographic Components
		2.3 Authenticated Encryption
	3 Analysis of GIFT-COFB
		3.1 Our Attack
		3.2 Brief Analysis on Security Proof
	4 Analysis of Photon-Beetle
		4.1 Claimed Security Bound and Our Attack
		4.2 Analysis of the Bound in ch4ToSC:ChaJhaNan20
		4.3 Related-Key Attack
	5 Conclusions
	A  Specifications of GIFT-COFB and Photon-Beetle
	References
Beware of Your Vibrating Devices! Vibrational Relay Attacks on Zero-Effort Deauthentication
	1 Introduction
	2 Background: ZEBRA Review
	3 Overview and Threat Model
	4 Design and Implementation
		4.1 Implementation of ZEBRA
		4.2 Implementation of Relay Attack
		4.3 Design of VibRaze's Attack Scenarios
	5 Data Collection
	6 Analysis and Results
		6.1 Performance of ZEBRA
		6.2 Performance of VibRaze Against ZEBRA
	7 Potential Mitigations
	8 Related Work
	9 Conclusion and Future Work
	References
ZLeaks: Passive Inference Attacks on Zigbee Based Smart Homes
	1 Introduction
	2 Background and Motivation
		2.1 Zigbee Overview
		2.2 System and Threat Model
	3 Passive Inference Attacks on Zigbee
		3.1 Attack Overview
		3.2 Passive Network Mapping
		3.3 Device and Event Identification Using Inferred APL Command
		3.4 Device Identification Using Periodic Reporting Patterns
	4 Experimental Setup and Results
		4.1 Automating Passive Inference Attacks with ZLeaks Tool
		4.2 Experimental Setup
		4.3 Evaluation Metrics
		4.4 Device and Event Identification Using Inferred APL Command
		4.5 Device Identification Using Periodic Reporting Patterns
	5 Discussion and Related Work
		5.1 Security Implications of Leaked Data
		5.2 Potential Countermeasures
		5.3 Related Work
	6 Conclusion
	References
Passive Query-Recovery Attack Against Secure Conjunctive Keyword Search Schemes
	1 Introduction
	2 Related Work
	3 Preliminaries
		3.1 Searchable Symmetric Encryption
		3.2 Considered Conjunctive Keyword Search Model
		3.3 Attacker Model
		3.4 Attacker Knowledge
	4 CKWS-Adapted Refined Score Attack
		4.1 Score Attacks
		4.2 Generic Extension
		4.3 Transform Key Steps of Refined Score Attack
		4.4 Revised Algorithm
		4.5 Complexity
	5 Experiments
		5.1 Setup
		5.2 Results
	6 Discussion
	7 Conclusion
	References
Gummy Browsers: Targeted Browser Spoofing Against State-of-the-Art Fingerprinting Techniques
	1 Introduction
	2 Background and Related Work
		2.1 Browser Fingerprinting
		2.2 Representative Fingerprinting Techniques
		2.3 Applications of Browser Fingerprinting
	3 Attack Model and Spoofing Methods
		3.1 Attack Model
		3.2 Spoofing Methods
	4 Attack Implementation
		4.1 Acquiring User Browser Fingerprint
		4.2 Visual Attack
		4.3 Algorithm Attack: Attacking Prominent Fingerprinting Based Techniques
	5 Dataset and Evaluation Methodology
		5.1 FP-Stalker Dataset
		5.2 Evaluation Methodology
	6 Results
		6.1 Visual Attack Results
		6.2 Algorithm Attack Results
	7 Implications of Our Attack
	8 Discussion
	9 Conclusion
	References
Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge
	1 Introduction
	2 Background
		2.1 Closed Control Loops
		2.2 Process Knowledge Data Sources
	3 Identifying Near-Optimal Single-Shot Attacks
		3.1 System Model
		3.2 Attacker Model
		3.3 Research Questions and Challenges
		3.4 Identifying Near-Optimal Single-Shot Attacks in CCL Graphs
		3.5 Motivating Example
	4 Implementation
	5 Experimental Evaluation
		5.1 Tennessee Eastman Plant
		5.2 Experimental Attacks
	6 Discussion
	7 Related Work
	8 Conclusion
	References
RSA Key Recovery from Digit Equivalence Information
	1 Introduction
	2 Background
		2.1 RSA
		2.2 Fixed-Window Exponentiation
		2.3 Attacks on Fixed-Window Exponentiation
		2.4 The Heninger-Shacham Algorithm
		2.5 Markov Chains
	3 Attacker Model
	4 Our Approach
		4.1 Algorithm Overview
		4.2 Complexity Analysis of the Aligned Case
		4.3 Independent Markov Chains
		4.4 Unaligned Case
	5 Results and Comparisons
		5.1 Theoretical Results
		5.2 Experimental Results
	6 Conclusions
	References
Practical Seed-Recovery of Fast Cryptographic Pseudo-Random Number Generators
	1 Introduction
	2 Description of Arrow
	3 Attacks on Arrow
		3.1 Simple Guess-and-Determine Attack on Arrow-II
		3.2 Longer Guess-and-Determine Attack on Arrow-I
		3.3 An Attack Against Arrow-III, the Software Version of Arrow
	4 Description of Trifork
	5 Attack on Trifork
		5.1 Recovering Z-r3
		5.2 Recovering Y-r2
	References
Autoguess: A Tool for Finding Guess-and-Determine Attacks and Key Bridges
	1 Introduction
	2 Preliminaries
		2.1 Guess-and-Determine Technique
		2.2 Key-Bridging Technique
		2.3 Connection Relations
		2.4 A Naive Guess-and-Determine Approach
	3 Constraint Programming for GD and Key-Bridging
		3.1 Modelling Knowledge Propagation
		3.2 Encoding Using CP
	4 From Guess Basis to Gröbner Basis
	5 Autoguess
		5.1 Preprocessing Phase
		5.2 Early-Abort Technique
	6 Application to Automatic Search for Key Bridges
		6.1 Application to PRESENT
		6.2 Application to LBlock with Nonlinear Key Schedule
	7 Application to GD Attack on Block Ciphers
		7.1 Automatic GD Attack on AES
	8 Application to GD Attack on Stream Ciphers
		8.1 Automatic GD Attack on ZUC
	9 Key-Recovery-Friendly Distinguishers
		9.1 DS-MITM Attack on SKINNY-{64-192, 64-128, 128-256}
		9.2 Improved DS-MITM Attack on TWINE-80
	10 Conclusion
	References
Cryptographic Protocols
KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip
	1 Introduction
		1.1 Contributions
	2 Preliminaries
	3 Protocol
	4 Security Model
	5 Security Analysis
	6 Discussion
	7 Implementation
	8 Benchmarking
	References
Improving the Privacy of Tor Onion Services
	1 Introduction
		1.1 Related Work
	2 Attacks
		2.1 Tor and Hidden Service Directories
		2.2 Attacks Targeting Clients
		2.3 Attacks Targeting Onion Services
	3 PIR for Descriptor Lookups
	4 Privacy Analysis for PIR Schemes
	5 Benchmarking and Results
		5.1 Hardware-Assisted PIR Benchmarks
		5.2 CPIR Microbenchmarks
		5.3 Tor Integration Results
	6 Conclusion
	References
Privacy-Preserving Authenticated Key Exchange for Constrained Devices
	1 Introduction
		1.1 Related Work
		1.2 Contributions
	2 Description of the SAKE Protocol
		2.1 SAKE
		2.2 SAKE-AM
	3 A Flawed Proposal
		3.1 Issues
		3.2 Countermeasures
	4 Security Model
		4.1 Execution Environment
		4.2 Security Definitions of the Building Blocks
	5 Privacy-Preserving SAKE/SAKE-AM
	6 Security of Privacy-Preserving SAKE/SAKE-AM
	7 Conclusion
	References
Relations Between Privacy, Verifiability, Accountability and Coercion-Resistance in Voting Protocols
	1 Introduction
	2 Related Work
	3 Preliminaries
		3.1 Protocols
		3.2 Notation Related to Voting Protocols
		3.3 Verifiability and Accountability
		3.4 Privacy and Coercion-Resistance
	4 Relations Between Definitions
		4.1 Coercion-Resistance and Privacy
		4.2 Accountability and Verifiability
		4.3 Privacy and Verifiability
		4.4 Verifiability and Coercion-Resistance
		4.5 Privacy and Accountability
	5 Conclusions and Future Work
	References
System Security
An Approach to Generate Realistic HTTP Parameters for Application Layer Deception
	1 Introduction
	2 Method
		2.1 Data Collection and Training
		2.2 Generation of Parameter Names
	3 Evaluation
		3.1 Preparation of the API Specifications
		3.2 Preparation of the Surveys
		3.3 Participants
	4 Results
		4.1 Participants' Profile
		4.2 Participants' Understanding of the APIs
		4.3 Indistinguishability of Deceptive Parameters
		4.4 Impact of the Quantity of Deceptive Parameters
		4.5 Impact of the Conspicuous Deceptive Parameters
		4.6 Deception Awareness Effect
	5 Limitations and Discussion
	6 Related Work
	7 Conclusion
	References
IPSpex: Enabling Efficient Fuzzing via Specification Extraction on ICS Protocol
	1 Introduction
	2 Background
		2.1 ICS Protocols
		2.2 ICS Protocol Reverse Engineering
		2.3 ICS Protocol Fuzzing
	3 Problem Statement
	4 Methodology
		4.1 Overview
		4.2 Field Semantic Extractor
		4.3 Context-Aware Execution Monitor
		4.4 Protocol Specification Analyzer
	5 Evaluation
		5.1 Experimental Setup
		5.2 Overview
		5.3 Modbus/TCP
		5.4 S7Comm
		5.5 FINS
	6 Application
		6.1 Target
		6.2 Procedure
		6.3 Result
	7 Discussion
	8 Conclusion
	References
Probing for Passwords – Privacy Implications of SSIDs in Probe Requests
	1 Introduction
	2 Background
		2.1 Network Discovery in 802.11
		2.2 Privacy Implications
		2.3 Differences Between Android and iOS Versions
	3 Related Work
	4 Experimental Setup
		4.1 Potential Ethical and Privacy Concerns
	5 Data Analysis
		5.1 SSID Contents
		5.2 Geolocation Discoverability and Uniqueness
	6 Mitigations for Increased Privacy
		6.1 Hashing SSIDs in Probe Requests
		6.2 Mitigations Through User Interface Design
	7 Discussion
	8 Conclusion
	A  Appendix
		A.1  Ethical collection of probe requests
	References
Cryptographic Primitives
A Cryptographic View of Deep-Attestation, or How to Do Provably-Secure Layer-Linking
	1 Introduction
	2 Towards Authorized Linked Attestation
		2.1 Basic Attestation
		2.2 Authenticated Attestation
		2.3 Linked Attestation
		2.4 Authorized Linked Attestation
	3 Implementation
	4 Conclusions and Future Work
	References
Don't Tamper with Dual System Encryption
	1 Introduction
	2 Our -Oracle Bilinear Diffie-Hellman Assumption
		2.1 Composite Order Bilinear Groups and Existing Assumptions
		2.2 -Oracle Decisional Bilinear Diffie-Hellman Assumption
		2.3 Turning it into a Non-interactive Assumption
		2.4 Generic Security from the Uber-Assumption Family
		2.5 Beyond Group Operations
	3 Security Model for (Hierarchical) ID-Based Encryption
	4 Security Against Related-Key Attack from Dual System Encryption
		4.1 Our RKA-Secure IBE Scheme
		4.2 Our RKA-Secure Hierarchical IBE Scheme
	5 Extensions
	6 Conclusion and Future Works
	A  Generic Security of Specific Cases of Our Assumption
	B  Security Proofs
		B.1 Proof of Theorem 2
		B.2 Proof of Theorem 3
	References
Progressive and Efficient Verification for Digital Signatures
	1 Introduction
		1.1 Our Contribution
		1.2 Related Work
	2 Efficient Verification for Digital Signatures
		2.1 Syntax for Efficient Verification
		2.2 Security Model for Efficient Verification
	3 Progressive Verification for Digital Signatures
		3.1 Signatures with Progressive Verification
		3.2 Syntax for Progressive Verification
		3.3 Security Model for Progressive Verification
	4 Constructions
		4.1 A Compiler for Efficient M v  -Style Verifications
		4.2 A Compiler for Progressive M v  -Style Verification
		4.3 Combining Progressive and Efficient Verification
	References
Revocable Hierarchical Attribute-Based Signatures from Lattices
	1 Introduction
	2 Preliminaries
	3 VLR-HABS Model: Entities and Definitions
		3.1 Security Properties of VLR-HABS
	4 VLR-HABS Scheme
		4.1 New VLR Mechanism
		4.2 Zero-Knowledge Protocol
		4.3 Specification of VLR-HABS
	5 Security, Efficiency and Extensions
		5.1 Efficiency and Parameters
		5.2 Revoking Attributes
	6 Conclusion
	References
Covert Authentication from Lattices
	1 Introduction
	2 Cryptographic Definitions and Models
		2.1 Covertness and Covert Mutual Authentication
		2.2 Covert Commitment Schemes
		2.3 Approximate Smooth Projective Hashing
		2.4 Key Reconciliation Schemes
		2.5 Group Authentication Protocols
	3 Covert Mutual Authentication: Generic Constructions
		3.1 Our Generic Construction of Covert MA
	4 Some Background on Lattices
	5 Approximate Smooth Projective Hashing from M-LWE
		5.1 Supporting Lemmas
		5.2 Covert Commitments from M-LWE
		5.3 -ASPH Scheme
	References
Spreading the Privacy Blanket:
	1 Introduction
		1.1 Related Work
	2 Definitions
	3 Distributing the Privacy Blanket
		3.1 Notation and Preliminaries
		3.2 Step 1: Using Local Differential Privacy of R, D
		3.3 Step 2: Using Differential Obliviousness of
	4 A Differentially Oblivious Shuffle Protocol
		4.1 A Shuffling Protocol
		4.2 Analysis of Obliviousness (=0)
		4.3 Analysis of Obliviousness (> 0)
		4.4 Performance Analysis
	5 Malicious Security
		5.1 Performance Analysis
	References
Bootstrapping for Approximate Homomorphic Encryption with Negligible Failure-Probability by Using Sparse-Secret Encapsulation
	1 Introduction
		1.1 The CKKS Scheme
		1.2 Bootstrapping
		1.3 Our Contributions
	2 Background
		2.1 Notation
		2.2 Approximate Homomorphic Encryption (CKKS)
		2.3 Bootstrapping
	3 Proposed Technique
		3.1 Original ModRaise and Bootstrapping Failure Probability
		3.2 ModRaise with Sparse-Secret Encapsulation
		3.3 Impact on the Evaluation-Key Generation
	4 Security Analysis
		4.1 Security of the Modified ModRaise
		4.2 Minimizing the Use of Sparse Secrets and Achieving Higher Security
	5 Empirical Noise Analysis
		5.1 Proposition 1
		5.2 Proposition 2
		5.3 Conclusion
	6 Evaluation
		6.1 Better Precision, Reduced Failure Probability and Smaller Interpolant
		6.2 Higher Bootstrapping Throughput
		6.3 Dense Key Bootstrapping
	7 Conclusion
	References
(Commit-and-Prove) Predictable Arguments with Privacy
	1 Introduction
		1.1 Our Contribution
		1.2 Related Work
	2 Preliminaries
		2.1 Pairings
		2.2 Algebraic Languages
		2.3 Smooth Projective Hash Function
		2.4 Predictable Arguments
		2.5 Oblivious Transfer
		2.6 Garbled Circuits
	3 More Efficient ZK-PA
		3.1 TSPHF-Based ZK-PAs in the CRS Model
		3.2 Construction of ZK-PA from TSPHFs
	4 Witness-Indistinguishable Predictable Arguments
		4.1 Our Construction
	5 Commit-and-Prove Predictable Arguments
		5.1 ZK-CPPA Based on Garbled Circuits and Oblivious Transfer
	6 Applications: Witness Encryption with Decryptor Privacy
		6.1 Application: Dark Pools
	7 Conclusion and Open Problems
	References
MPC
Communication-Efficient Proactive MPC for Dynamic Groups with Dishonest Majorities
	1 Introduction
		1.1 Contributions
		1.2 Technical Overview
		1.3 Paper Outline
	2 Preliminaries
		2.1 Adversary Model
		2.2 Commitment Scheme
		2.3 Shares and Sharings
		2.4 Polynomials and Degrees of Freedom
	3 Proactive Secret Sharing
	4 Communication-Efficient Proactive MPC (PMPC) for Dynamic Groups with Dishonest Majorities
	5 Subprotocols for PMPC
		5.1 Bivariate to Univariate Sharing
		5.2 Blinding Bivariate Mask Generation
		5.3 Bivariate Product
		5.4 Random Evaluation for Commitment Verification
		5.5 The Multiplication Protocol
	References
PSI-Stats: Private Set Intersection Protocols Supporting Secure Statistical Functions
	1 Introduction
		1.1 Our Contributions
	2 Preliminaries
	3 Private Set Intersection-Mean
		3.1 On the Chosen Sizes of r, r1, r2
		3.2 Flexibility of Protocol
		3.3 Security Analysis
		3.4 Geometric Mean
		3.5 Extensions to Variance and Standard Deviation
	4 Intersection-Sum with Approximate Composition
		4.1 Applicability of Sum Composition
		4.2 On the Selection of c
		4.3 Comparisons Between Type 1 and Type 2
	5 Implementation and Performance
		5.1 Comparisons with Circuit-Based PSI Protocols
	6 Related Work
		6.1 Existing PSI Protocols
	7 Conclusion
	References
Efficient Oblivious Evaluation Protocol and Conditional Disclosure of Secrets for DFA
	1 Introduction
		1.1 Our Contributions
		1.2 Our Approaches
		1.3 Related Works
		1.4 Organization
	2 Preliminaries
		2.1 Finite Automata
		2.2 Conditional Disclosure of Secrets
		2.3 Multi-client Verifiable Computation
	3 Oblivious CDS for DFA
	4 Oblivious DFA Evaluation via CDS
		4.1 Complexity Analysis
	5 CDS for DFA
		5.1 Transform an Input String to a MSP
		5.2 Transform a DFA to a MSP
		5.3 CDS for MSP
		5.4 CDS for DFA
	6 Concluding Remarks
	References
Efficient and Tight Oblivious Transfer from PKE with Tight Multi-user Security
	1 Introduction
		1.1 Our Contribution
		1.2 Technical Overview
	2 Preliminaries
	3 Public Key Encryption in the Multi User Setting
	4 Oblivious Transfer from PKE
	References
Efficient Two-Party Exponentiation from Quotient Transfer
	1 Introduction
		1.1 Background
		1.2 Our Contribution
		1.3 Existing Exponentiation Protocols Without Bit-Decomposition
		1.4 Technical Overview
	2 Preliminaries
		2.1 Notations
		2.2 Additive Secret Sharing
		2.3 A Model of Secure Two-Party Computation
		2.4 Quotient Transfer Functionality
		2.5 Modulus Conversion Functionality
		2.6 Exponentiation Functionality
	3 Our Exponentiation Protocol
		3.1 A New Framework for Exponentiation Protocol
		3.2 A Modulus Conversion Protocol Using Quotient Transfer Functionality
		3.3 A Constrained Quotient Transfer Protocol Without Bit-Decomposition
		3.4 A Concrete Protocol in Our Framework
	4 Conclusion
	References
Efficient Compiler to Covert Security with Public Verifiability for Honest Majority MPC
	1 Introduction
		1.1 Contributions
		1.2 Technical Overview
	2 Preliminaries
		2.1 Multi-party Computation
		2.2 Publicly Verifiable Secret Sharing
	3 Building Blocks
	4 PVC Compiler
		4.1 Execution Opening
		4.2 Seed Reconstruction
		4.3 Blame Algorithm
		4.4 Judge Algorithm
		4.5 Security
	5 Computation and Communication Complexity
		5.1 Comparison with Prior Work
	References
How Byzantine is a Send Corruption?
	1 Introduction
		1.1 Send and Receive Corruptions: Honest-but-Faulty
		1.2 The Pathology of Send Corruptions
		1.3 Contributions
		1.4 Comparison with Related Work and Obvious Solutions
		1.5 Paper Outline
	2 Model and Definitions
		2.1 Digital Signatures and Coin Flipping
		2.2 Defining Broadcast and Consensus
	3 On the Difficulty of Optimal Corruption Tolerance for Send-Corrupt Parties
		3.1 Modifying Dolev-Strong Broadcast
		3.2 Recent Techniques for Adaptive, Strongly Rushing Adveraries
	4 Constant-Round Synchronous Consensus for n> trcv+2tsnd+2tbyz
		4.1 All-to-All FixReceive
		4.2 Weak Broadcast
		4.3 Weak Consensus
		4.4 Graded Consensus
		4.5 Expected Constant-Round Consensus
	References
Blockchain
Babel Fees via Limited Liabilities
	1 Introduction
	2 Limited Liabilities in a Multi-asset Ledger
		2.1 Native Custom Assets
		2.2 Limited Liabilities
		2.3 Babel Fees
		2.4 Other Uses Liabilities and Liabilities on Account-Based Ledgers
	3 Formal Ledger Rules for Limited Liabilities
		3.1 Validity
		3.2 Stage 1: Conditional Validity
		3.3 Stage 2: Batch Validity
	4 Implementing Babel Fees
		4.1 Babel Offers
		4.2 Exchange Rates
		4.3 Coverage
		4.4 Liveness
	5 Transaction Selection for Block Issuers
		5.1 The Value of Babel Offers
		5.2 Dynamic Programming
		5.3 Optimal Algorithm of the Transaction Selection Problem
		5.4 Polynomial Approximation
	6 Related Work
	References
FAST: Fair Auctions via Secret Transactions
	1 Introduction
		1.1 Our Contributions
		1.2 Our Techniques
		1.3 Related Work
	2 Preliminaries
		2.1 Security Model and Setup Assumptions
		2.2 Building Blocks
	3 Secret Deposits in Public Smart Contracts
	4 First-Price Auctions
	5 Rational Strategies
	6 Complexity Analysis and Comparison to Other Protocols
	References
Astrape: Anonymous Payment Channels with Boring Cryptography
	1 Introduction
		1.1 Payment Channel Networks
		1.2 Anonymity in PCNs
		1.3 Why Boring Cryptography?
		1.4 Our Contributions
	2 Background and Related Work
		2.1 First-Generation PCNs with HTLC
		2.2 Hub-Based Anonymous Payment Channels
		2.3 Relationship-Anonymous Payment Channels
	3 Our Approach
		3.1 Generalized Multi-hop Locks
		3.2 Security and Execution Model
		3.3 Security and Privacy Goals
	4 Construction
		4.1 Core Idea: Balance Security + Honest-Sender Anonymity
		4.2 XorCake: Anonymous but Insecure Against Malicious Senders
		4.3 HashOnion: Secure but Eventually Non-anonymous
		4.4 Securing XorCake+HashOnion
		4.5 Complete Construction
	5 Blockchain Implementation
	6 Comparison with Existing Work
		6.1 Design Comparison
		6.2 Implementation and Benchmark Setup
		6.3 Resource Usage
		6.4 Statistical Simulation
	7 Conclusion
	References
Block-Cyphers
A White-Box Speck Implementation Using Self-equivalence Encodings
	1 Introduction
		1.1 Contributions
	2 Preliminaries
		2.1 Self-equivalences
		2.2 Speck
	3 Self-equivalences and Speck
		3.1 Self-equivalences of SL
	4 Security Analysis
		4.1 Security Analysis of Linear Self-equivalences
		4.2 Security Analysis of Affine Self-equivalences
	5 Implementation
		5.1 Code Generation Strategies
		5.2 Comparison
	6 Conclusion
	References
Improved Differential-Linear Attack with Application to Round-Reduced Speck32/64
	1 Introduction
	2 Preliminaries
		2.1 Description of Speck
		2.2 The Differential Properties of ARX Ciphers
	3 The Differential-Linear Attack
		3.1 Langford and Hellman's Differential-Linear Cryptanalysis Revisited
		3.2 Differential-Linear Cryptanalysis with Experimental Middle Part
		3.3 Improvement upon the Differential Part for ARX Ciphers
		3.4 Improvement upon the Differential-Linear Distinguisher
	4 Differential-Linear Attack on Round-Reduced Speck32/64
		4.1 The Overview of Our Attack
		4.2 Searching for Appropriate Trails
		4.3 Flipping Special Bits in Differential Characteristics
		4.4 Extending the Distinguishes to Key Recovery
	5 Conclusion
	References
Deep Neural Networks Aiding Cryptanalysis: A Case Study of the Speck Distinguisher
	1 Introduction
	2 The Speck Family of Block Ciphers
		2.1 Notations and Conventions
		2.2 Speck Block Cipher
		2.3 The Setup
	3 Related Works on Neural Speck Distinguishers
	4 The Network Under Lens
		4.1 The Initial Network
		4.2 The Lottery Ticket Hypothesis
		4.3 The Smaller Network
		4.4 How Much Smaller Can We Go?
	5 Visualizing the Important Features
		5.1 Feature Engineering Using an Autoencoder
		5.2 Feature Visualization with LIME
	6 Conclusions and Future Work
	References
Post-quantum Cryptography
Carry-Less to BIKE Faster
	1 Introduction
		1.1 Related Work
		1.2 Contribution
	2 BIKE
	3 Evaluation Platforms
		3.1 The ARM Cortex-M4
		3.2 The VexRiscv
	4 Bit-Polynomial Multiplication
		4.1 Single-Word Polynomial Multiplication
		4.2 Multiplication for Intermediate-Sized Polynomials
		4.3 Multiplication for Large Polynomials
	5 Bit-Polynomial Multiplication in the Radix-16 Representation
	6 Evaluation
		6.1 Comparisons of Multipliers
		6.2 Performance of BIKE KEM
		6.3 Comparison with Other NIST Post-quantum Candidates
	7 Conclusion
	References
Faster Kyber and Dilithium on the Cortex-M4
	1 Introduction
	2 Preliminaries
		2.1 Notation
		2.2 Polynomial Multiplications Using the NTT
		2.3 Fermat Number Transform
		2.4 Kyber
		2.5 Dilithium
		2.6 Barrett Reduction
		2.7 Arm Cortex-M4
	3 Improvements to Kyber Implementations
		3.1 NTT
		3.2 Inverse NTT
		3.3 Faster Barrett Reduction
		3.4 Matrix-Vector Product
	4 Improvements to Dilithium Implementations
		4.1 NTT and Inverse NTT
		4.2 Small NTTs for Dilithium
	5 Results
		5.1 Benchmarking Setup
		5.2 Performance of NTT-Related Functions
		5.3 Performance of Schemes
	References
Quantum-Resistant Software Update Security on Low-Power Networked Embedded Devices
	1 Introduction
		1.1 Low-Power IoT and Post-quantum Cryptography
		1.2 Contributions and Outline
	2 Related Work
	3 Case Study: Low-Power Software Updates with SUIT
		3.1 SUIT Workflow
		3.2 Security Features of SUIT
		3.3 Hash Functions with SUIT
		3.4 Digital Signatures with SUIT
	4 Post-quantum Digital Signatures
		4.1 Post-quantum Signature Paradigms
		4.2 Selection of Candidates
	5 Benchmarks
		5.1 Hardware Testbed Setup
		5.2 Software Setup
		5.3 Pre- and Post-quantum Signature Benchmarks
	6 The Impact of Post-quantum in SUIT/COSE
		6.1 The Cost of Post-quantum Security
		6.2 The Cost of Post-quantum SUIT/COSE
		6.3 Post-quantum Signatures for IoT
		6.4 Real-World Usability of Post-quantum Signatures
	7 Conclusion
	References
Post-quantum ID-Based Ring Signatures from Symmetric-Key Primitives
	1 Introduction
		1.1 Contributions
		1.2 Overview of Techniques
		1.3 Outline of the Paper
	2 Definition of ID-Based Ring Signature (IDRS)
	3 Generic Construction for ID-Based Ring Signature from Symmetric-Key Primitives
		3.1 Generic IDRS Algorithms
		3.2 Security Analysis
	4 IDRS: Applicable Constructions
		4.1 Sub-circuit C1
		4.2 Sub-circuit C2
		4.3 Applicable Post-quantum IDRSs from Symmetric-Key Primitives
	5 Evaluation
		5.1 PicRS Signature's Size
		5.2 XRS Signature's Size
		5.3 PicRS vs XRS
	A  Definitions
	References
Author Index