## In this issue

1. [2023/1723] Deterministic Byzantine Agreement with Adaptive ...
2. [2023/1735] Exploiting the Symmetry of $\mathbb{Z}^n$: ...
3. [2023/1736] Aloha-HE: A Low-Area Hardware Accelerator for ...
4. [2023/1737] Concrete Security for Succinct Arguments from ...
5. [2023/1738] Byzantine Agreement Decomposed: Honest Majority ...
6. [2023/1739] Broadcast-Optimal Four-Round MPC in the Plain Model
7. [2023/1740] Evaluation of Arithmetic Sum-of-Products ...
8. [2023/1741] Pseudorandom Isometries
9. [2023/1742] Round-Optimal Black-Box Multiparty Computation from ...
10. [2023/1743] Explicit Lower Bounds for Communication Complexity ...
11. [2023/1744] Don't Eject the Impostor: Fast Three-Party ...
12. [2023/1745] New Public-Key Cryptosystem Blueprints Using Matrix ...
13. [2023/1746] A masking method based on orthonormal spaces, ...
14. [2023/1747] An Algorithmic Approach to $(2,2)$-isogenies in the ...
15. [2023/1748] Forging tropical signatures
16. [2023/1749] Dora: Processor Expressiveness is (Nearly) Free in ...
17. [2023/1750] A Statistical Verification Method of Random ...
18. [2023/1752] Secure Encryption and Key Exchange using Arbiter PUF
19. [2023/1753] Formal verification of the post-quantum security ...
20. [2023/1754] That’s not my signature! Fail-stop signatures for a ...
21. [2023/1755] HashRand: Efficient Asynchronous Random Beacon ...
22. [2023/1756] How to Use Quantum Indistinguishability Obfuscation
23. [2023/1757] Adaptively Secure Consensus with Linear Complexity ...
24. [2023/1758] Pulsar: Secure Steganography through Diffusion Models
25. [2023/1759] Non-Interactive Zero-Knowledge Functional Proofs
26. [2023/1760] Biscuit: New MPCitH Signature Scheme from ...
27. [2023/1761] Guardianship in Group Key Exchange for Limited ...
28. [2023/1762] ZKSMT: A VM for Proving SMT Theorems in Zero Knowledge
29. [2023/1763] Secure Transformer Inference
30. [2023/1764] Distributed Differential Privacy via Shuffling vs ...
31. [2023/1765] The Non-Uniform Perebor Conjecture for Time-Bounded ...
32. [2023/1766] Introducing Clapoti(s): Evaluating the isogeny ...
33. [2023/1767] The Impact of Hash Primitives and Communication ...
34. [2023/1768] Homomorphic Polynomial Public Key Cryptography for ...
35. [2023/1769] A Comprehensive Survey on Non-Invasive Fault ...
36. [2023/1770] On the Feasibility of E2E Verifiable Online Voting ...
37. [2023/1771] A note on ``HAKECC: highly efficient authentication ...
38. [2023/1772] Robust Combiners and Universal Constructions for ...
39. [2023/1773] Scalable and Adaptively Secure Any-Trust ...
40. [2023/1774] Decentralized Private Steam Aggregation from Lattices
41. [2023/1775] Beyond Security: Achieving Fairness in Mailmen- ...
42. [2023/1776] Watermarks in the Sand: Impossibility of Strong ...
43. [2023/1777] SoK: Collusion-resistant Multi-party Private Set ...
44. [2023/1778] Immunizing Backdoored PRGs
45. [2023/1779] Privacy-Preserving Cross-Facility Early Warning for ...
46. [2023/1780] Pairing-Free Blind Signatures from CDH Assumptions
47. [2023/1781] A Lattice Attack on CRYSTALS-Kyber with Correlation ...
48. [2023/1782] A Solution to a Conjecture on the Maps $\chi_n^{(k)}$
49. [2023/1783] An efficient quantum parallel repetition theorem ...
50. [2023/1784] Succinct Arguments over Towers of Binary Fields
51. [2023/1785] There Is Always a Way Out! Destruction-Resistant ...
52. [2023/1786] CASE: A New Frontier in Public-Key Authenticated ...
53. [2023/1787] Updatable Privacy-Preserving Blueprints

## 2023/1723

* Title: Deterministic Byzantine Agreement with Adaptive $O(n\cdot f)$ Communication
* Authors: Fatima Elsheimy, Giorgos Tsimos, Charalampos Papamanthou
* [Permalink](https://eprint.iacr.org/2023/1723)
* [Download](https://eprint.iacr.org/2023/1723.pdf)

### Abstract

We present a deterministic synchronous protocol for binary Byzantine Agreement against a corrupt minority with adaptive $O(n\cdot f)$ communication complexity, where $f$ is the exact number of corruptions. Our protocol improves the previous best-known
deterministic Byzantine Agreement protocol developed by Momose and Ren (DISC 2021), whose communication complexity is quadratic, independent of the exact number of corruptions.
Our approach combines two distinct primitives that we introduce and implement with $O(n\cdot f)$ communication, Reliable Voting, and Weak Byzantine Agreement. In Reliable Voting, all honest parties agree on the same value only if all honest parties start
with that value, but there is no agreement guarantee in the general case. In Weak Byzantine Agreement, we achieve agreement, but validity requires that the inputs to the protocol satisfy certain properties. Our Weak Byzantine Agreement protocol is an
adaptation of the recent Cohen et al. protocol (OPODIS 2022), in which we identify and address various issues.



## 2023/1735

* Title: Exploiting the Symmetry of $\mathbb{Z}^n$: Randomization and the Automorphism Problem
* Authors: Kaijie Jiang, Anyu Wang, Hengyi Luo, Guoxiao Liu, Yang Yu, Xiaoyun Wang
* [Permalink](https://eprint.iacr.org/2023/1735)
* [Download](https://eprint.iacr.org/2023/1735.pdf)

### Abstract

$\mathbb{Z}^n$ is one of the simplest types of lattices, but the computational problems on its rotations, such as $\mathbb{Z}$SVP and $\mathbb{Z}$LIP, have been of great interest in cryptography. Recent advances have been made in building cryptographic
primitives based on these problems, as well as in developing new algorithms for solving them. However, the theoretical complexity of $\mathbb{Z}$SVP and $\mathbb{Z}$LIP are still not well understood.

In this work, we study the problems on rotations of $\mathbb{Z}^n$ by exploiting the symmetry property. We introduce a randomization framework that can be roughly viewed as `applying random automorphisms’ to the output of an oracle, without accessing
the automorphism group. Using this framework, we obtain new reduction results for rotations of $\mathbb{Z}^n$. First, we present a reduction from $\mathbb{Z}$LIP to $\mathbb{Z}$SCVP. Here $\mathbb{Z}$SCVP is the problem of finding the shortest
characteristic vectors, which is a special case of CVP where the target vector is a deep hole of the lattice. Moreover, we prove a reduction from $\mathbb{Z}$SVP to $\gamma$-$\mathbb{Z}$SVP for any constant $\gamma = O(1)$ in the same dimension, which
implies that $\mathbb{Z}$SVP is as hard as its approximate version for any constant approximation factor. Second, we investigate the problem of finding a nontrivial automorphism for a given lattice, which is called LAP. Specifically, we use the
randomization framework to show that $\mathbb{Z}$LAP is as hard as $\mathbb{Z}$LIP. We note that our result can be viewed as a $\mathbb{Z}^n$-analogue of Lenstra and Silverberg's result in [JoC2017], but with a different assumption: they assume the $G$-
lattice structure, while we assume the access to an oracle that outputs a nontrivial automorphism.



## 2023/1736

* Title: Aloha-HE: A Low-Area Hardware Accelerator for Client-Side Operations in Homomorphic Encryption
* Authors: Florian Krieger, Florian Hirner, Ahmet Can Mert, Sujoy Sinha Roy
* [Permalink](https://eprint.iacr.org/2023/1736)
* [Download](https://eprint.iacr.org/2023/1736.pdf)

### Abstract

Homomorphic encryption (HE) has gained broad attention in recent years as it allows computations on encrypted data enabling secure cloud computing. Deploying HE presents a notable challenge since it introduces a performance overhead by orders of
magnitude. Hence, most works target accelerating server-side operations on hardware platforms, while little attention has been given to client-side operations. In this paper, we present a novel design methodology to implement and accelerate the client-
side HE operations on area-constrained hardware. We show how to design an optimized floating-point unit tailored for the encoding of complex values. In addition, we introduce a novel hardware-friendly algorithm for modulo-reduction of floating-point
numbers and propose various concepts for achieving efficient resource sharing between modular ring and floating-point arithmetic. Finally, we use this methodology to implement an end-to-end hardware accelerator, Aloha-HE, for the client-side operations
of the CKKS scheme. In contrast to existing work, Aloha-HE supports both encoding and encryption and their counterparts within a unified architecture. Aloha-HE achieves a speedup of up to 59x compared to prior hardware solutions.



## 2023/1737

* Title: Concrete Security for Succinct Arguments from Vector Commitments
* Authors: Alessandro Chiesa, Marcel Dall'Agnol, Ziyi Guan, Nicholas Spooner
* [Permalink](https://eprint.iacr.org/2023/1737)
* [Download](https://eprint.iacr.org/2023/1737.pdf)

### Abstract

We study the concrete security of a fundamental family of succinct interactive arguments, stemming from the works of Kilian (1992) and Ben-Sasson, Chiesa, and Spooner ("BCS", 2016). These constructions achieve succinctness by combining probabilistic
proofs and vector commitments.

Our first result concerns the succinct interactive argument of Kilian, realized with any probabilistically-checkable proof (PCP) and any vector commitment. We establish the tightest known bounds on the security of this protocol. Prior analyses incur
large overheads unsuitable for concrete security, or assume special (and restrictive) properties of the underlying PCP.

Our second result concerns an interactive variant of the BCS succinct non-interactive argument, which here we call IBCS, realized with any public-coin interactive oracle proof (IOP) and any vector commitment. We establish tight bounds on the security of
this protocol. While this variant has been informally discussed in the literature, no prior security analysis, even asymptotic, existed before this work.

Finally, we study the capabilities and limitations of succinct arguments based on vector commitments. We show that a generalization of the IBCS protocol, which we call the Finale protocol, is secure when realized with any public-query IOP (a notion that
we introduce) that satisfies a natural "random continuation sampling" (RCS) property. We also show a partial converse: if the Finale protocol satisfies the RCS property (which in particular implies its security), then so does the underlying public-query
IOP.



## 2023/1738

* Title: Byzantine Agreement Decomposed: Honest Majority Asynchronous Total-Order Broadcast from Reliable Broadcast
* Authors: Simon Holmgaard Kamp, Jesper Buus Nielsen
* [Permalink](https://eprint.iacr.org/2023/1738)
* [Download](https://eprint.iacr.org/2023/1738.pdf)

### Abstract

It is well-known that Asynchronous Total Order Broadcast (ATOB) requires randomisation and that at most $t < n/3$ out of $n$ players are corrupted.
This is opposed to synchronous total-order broadcast (STOB) which can tolerate $t < n/2$ corruptions and can be deterministic.
We show that these requirements can be conceptually separated, by constructing an ATOB protocol which tolerates $t < n/2$ corruptions from blackbox use of Common Coin and Reliable Broadcast. We show the power of this conceptually simple contribution by
reproving, using simpler protocols, existing results on STOB with optimistic responsiveness and asynchronous fallback. We also use the framework to prove the first ATOB with sub-quadratic communication and optimal corruption threshold $t < n/3$, new
ATOBs with covert security and mixed adversary structures, and a new STOB with asymmetric synchrony assumptions.



## 2023/1739

* Title: Broadcast-Optimal Four-Round MPC in the Plain Model
* Authors: Michele Ciampi, Ivan Damgård, Divya Ravi, Luisa Siniscalchi, Yu Xia, Sophia Yakoubov
* [Permalink](https://eprint.iacr.org/2023/1739)
* [Download](https://eprint.iacr.org/2023/1739.pdf)

### Abstract

Motivated by the fact that broadcast is an expensive, but useful, resource for the realization of multi-party computation protocols (MPC), Cohen, Garay, and Zikas (Eurocrypt 2020), and subsequently Damgård, Magri, Ravi, Siniscalchi and Yakoubov (Crypto
2021), and, Damgård, Ravi, Siniscalchi and Yakoubov (Eurocrypt 2023), focused on 𝘴𝘰-𝘤𝘢𝘭𝘭𝘦𝘥 𝘣𝘳𝘰𝘢𝘥𝘤𝘢𝘴𝘵 𝘰𝘱𝘵𝘪𝘮𝘢𝘭 𝘔𝘗𝘊. In particular, the authors focus on two-round MPC
protocols (in the CRS model), and give tight characterizations of which security guarantees are achievable if broadcast is available in the first round, the second round, both rounds, or not at all.

This work considers the natural question of characterizing broadcast optimal MPC in the plain model where no set-up is assumed. We focus on four-round protocols, since four is known to be the minimal number of rounds required to securely realize any
functionality with black-box simulation. We give a complete characterization of which security guarantees, (namely selective abort, selective identifiable abort, unanimous abort and identifiable abort) are feasible or not, depending on the exact
selection of rounds in which broadcast is available.



## 2023/1740

* Title: Evaluation of Arithmetic Sum-of-Products Expressions in Linear Secret Sharing Schemes with a Non-Interactive Computation Phase
* Authors: Miguel de Vega, Andrei Lapets, Stanislaw Jarecki, Wicher Malten, Mehmet Ugurbil, Wyatt Howe
* [Permalink](https://eprint.iacr.org/2023/1740)
* [Download](https://eprint.iacr.org/2023/1740.pdf)

### Abstract

Among secure multi-party computation protocols, linear secret sharing schemes often do not rely on cryptographic assumptions and are among the most straightforward to explain and to implement correctly in software. However, basic versions of such schemes
either limit participants to evaluating linear operations involving private values or require those participants to communicate synchronously during a computation phase. A straightforward, information-theoretically secure extension to such schemes is
presented that can evaluate arithmetic sum-of-products expressions that contain multiplication operations involving non-zero private values. Notably, this extension does not require that participants communicate during the computation phase. Instead, a
preprocessing phase is required that is independent of the private input values (but is dependent on the number of factors and terms in the sum-of-products expression).



## 2023/1741

* Title: Pseudorandom Isometries
* Authors: Prabhanjan Ananth, Aditya Gulati, Fatih Kaleoglu, Yao-Ting Lin
* [Permalink](https://eprint.iacr.org/2023/1741)
* [Download](https://eprint.iacr.org/2023/1741.pdf)

### Abstract

We introduce a new notion called ${\cal Q}$-secure pseudorandom isometries (PRI). A pseudorandom isometry is an efficient quantum circuit that maps an $n$-qubit state to an $(n+m)$-qubit state in an isometric manner. In terms of security, we require that
the output of a $q$-fold PRI on $\rho$, for $ \rho \in {\cal Q}$, for any polynomial $q$, should be computationally indistinguishable from the output of a $q$-fold Haar isometry on $\rho$.

By fine-tuning ${\cal Q}$, we recover many existing notions of pseudorandomness. We present a construction of PRIs and assuming post-quantum one-way functions, we prove the security of ${\cal Q}$-secure pseudorandom isometries (PRI) for different
interesting settings of ${\cal Q}$.

We also demonstrate many cryptographic applications of PRIs, including, length extension theorems for quantum pseudorandomness notions, message authentication schemes for quantum states, multi-copy secure public and private encryption schemes, and
succinct quantum commitments.



## 2023/1742

* Title: Round-Optimal Black-Box Multiparty Computation from Polynomial-Time Assumptions
* Authors: Michele Ciampi, Rafail Ostrovsky, Luisa Siniscalchi, Hendrik Waldner * [Permalink](https://eprint.iacr.org/2023/1742)
* [Download](https://eprint.iacr.org/2023/1742.pdf)

### Abstract

A central direction of research in secure multiparty computation with dishonest majority
has been to achieve three main goals:

1. reduce the total number of rounds of communication (to four, which is optimal);
2. use only polynomial-time hardness assumptions, and
3. rely solely on cryptographic assumptions in a black-box manner.

This is especially challenging when we do not allow a trusted setup assumption of any kind. While protocols achieving two out of three goals in this setting have been designed in recent literature, achieving all three simultaneously remained an elusive
open question. Specifically, it was answered positively only for a restricted class of functionalities. In this paper, we completely resolve this long-standing open question. Specifically, we present a protocol for all polynomial-time computable
functions that does not require any trusted setup assumptions and achieves all three of the above goals simultaneously.



## 2023/1743

* Title: Explicit Lower Bounds for Communication Complexity of PSM for Concrete Functions
* Authors: Kazumasa Shinagawa, Koji Nuida
* [Permalink](https://eprint.iacr.org/2023/1743)
* [Download](https://eprint.iacr.org/2023/1743.pdf)

### Abstract

Private Simultaneous Messages (PSM) is a minimal model of secure computation, where the input players with shared randomness send messages to the output player simultaneously and only once. In this field, finding upper and lower bounds on communication
complexity of PSM protocols is important, and in particular, identifying the optimal one where the upper and lower bounds coincide is the ultimate goal. However, up until now, functions for which the optimal communication complexity has been determined
are few: An example of such a function is the two-input AND function where $(2\log_2 3)$-bit communication is optimal. In this paper, we provide new upper and lower bounds for several concrete functions. For lower bounds, we introduce a novel approach
using combinatorial objects called abstract simplicial complexes to represent PSM protocols. Our method is suitable for obtaining non-asymptotic explicit lower bounds for concrete functions. By deriving lower bounds and constructing concrete protocols,
we show that the optimal communication complexity for the equality and majority functions with three input bits are $3\log_2 3$ bits and $6$ bits, respectively. We also derive new lower bounds for the $n$-input AND function, three-valued comparison
function, and multiplication over finite rings.



## 2023/1744

* Title: Don't Eject the Impostor: Fast Three-Party Computation With a Known Cheater (Full Version)
* Authors: Andreas Brüggemann, Oliver Schick, Thomas Schneider, Ajith Suresh, Hossein Yalame
* [Permalink](https://eprint.iacr.org/2023/1744)
* [Download](https://eprint.iacr.org/2023/1744.pdf)

### Abstract

Secure multi-party computation (MPC) enables (joint) computations on sensitive data while maintaining privacy. In real-world scenarios, asymmetric trust assumptions are often most realistic, where one somewhat trustworthy entity interacts with smaller
clients. We generalize previous two-party computation (2PC) protocols like MUSE (USENIX Security'21) and SIMC (USENIX Security'22) to the three-party setting (3PC) with one malicious party, avoiding the performance limitations of dishonest-majority
inherent to 2PC.

We introduce two protocols, Auxiliator and Socium, in a machine learning (ML) friendly design with a fast online phase and novel verification techniques in the setup phase. These protocols bridge the gap between prior 3PC approaches that considered
either fully semi-honest or malicious settings. Auxiliator enhances the semi-honest two-party setting with a malicious helper, significantly improving communication by at least two orders of magnitude. Socium extends the client-malicious setting with one
malicious client and a semi-honest server, achieving substantial communication improvement by at least one order of magnitude compared to SIMC.

Besides an implementation of our new protocols, we provide the first open-source implementation of the semi-honest 3PC protocol ASTRA (CCSW'19) and a variant of the malicious 3PC protocol SWIFT (USENIX Security'21).



## 2023/1745

* Title: New Public-Key Cryptosystem Blueprints Using Matrix Products in $\mathbb F_p$
* Authors: Remi Geraud-Stewart, David Naccache
* [Permalink](https://eprint.iacr.org/2023/1745)
* [Download](https://eprint.iacr.org/2023/1745.pdf)

### Abstract

Given a set of matrices $\mathbf{A} := \{A_0, \dotsc, A_{k-1}\}$, and a matrix $M$ guaranteed to be the product of some ordered subset of $\mathbf{L}\subset\mathbf{A}$, can $\mathbf{L}$ be efficiently recovered? We begin by observing that the answer is
positive under some assumptions on $\mathbf{A}$.

Noting that appropriate transformations seem to make $\mathbf{L}$'s recovery difficult we provide the blueprint of two new public-key cryptosystems based upon this problem.

We term those constructions "blueprints because, given their novelty, we are still uncertain of their exact security. Yet, we daringly conjecture that even if attacks are found on the proposed constructions, these attacks could be thwarted by adjustments
in the key generation, key size or the encryption mechanism, thereby resulting on the long run in fully-fledged public-key cryptosystems that do not seem to belong to any of the mainstream public-key encryption paradigms known to date.



## 2023/1746

* Title: A masking method based on orthonormal spaces, protecting several bytes against both SCA and FIA with a reduced cost
* Authors: Claude Carlet, Abderrahman Daif, Sylvain Guilley, Cédric Tavernier * [Permalink](https://eprint.iacr.org/2023/1746)
* [Download](https://eprint.iacr.org/2023/1746.pdf)

### Abstract

In the attacker models of Side-Channel Attacks (SCA) and Fault Injection Attacks (FIA), the opponent has access to a noisy version of the internal behavior of the hardware. Since the end of the nineties, many works have shown that this type of attacks
constitutes a serious threat to cryptosystems implemented in embedded devices. In the state-of-the-art, there exist several countermeasures to protect symmetric encryption (especially AES-128). Most of them protect only against one of these two attacks (
either SCA or FIA). The main known counter-measure against SCA is masking; it makes the complexity of SCA growing exponentially with its order d. The most general version of masking is based on error correcting codes. It has the advantage of offering in
principle a protection against both types of attacks (SCA and FIA), but all the functions implemented in the algorithm need to be masked accordingly, and this is not a simple task in general. We propose a particular version of such construction that has
several advantages: it has a very low computation complexity, it offers a concrete protection against both SCA and FIA, and finally it allows flexibility: being not specifically dedicated to AES, it can be applied to any block cipher with any S-boxes. In
the state-of-art, masking schemes all come with pros and cons concerning the different types of complexity (time, memory, amount of randomness). Our masking scheme concretely achieves the complexity of the best known scheme, for each complexity type



## 2023/1747

* Title: An Algorithmic Approach to $(2,2)$-isogenies in the Theta Model and Applications to Isogeny-based Cryptography
* Authors: Pierrick Dartois, Luciano Maino, Giacomo Pope, Damien Robert
* [Permalink](https://eprint.iacr.org/2023/1747)
* [Download](https://eprint.iacr.org/2023/1747.pdf)

### Abstract

In this paper, we describe an algorithm to compute chains of $(2,2)$-isogenies between products of elliptic curves in the theta model. The description of the algorithm is split into various subroutines to allow for a precise field operation counting.

We present a constant time implementation of our algorithm in Rust and an alternative implementation in SageMath. Our work in SageMath runs ten times faster than a comparable implementation of an isogeny chain using the Richelot correspondence. The
Rust implementation runs up to forty times faster than the equivalent isogeny in SageMath and has been designed to be portable for future research in higher-dimensional isogeny-based cryptography.



## 2023/1748

* Title: Forging tropical signatures
* Authors: Lorenz Panny
* [Permalink](https://eprint.iacr.org/2023/1748)
* [Download](https://eprint.iacr.org/2023/1748.pdf)

### Abstract

A recent preprint [ePrint 2023/1475] suggests the use of polynomials over a tropical algebra to construct a digital signature scheme "based on" the problem of factoring such polynomials, which is known to be NP‑hard.
This short note presents two very efficient forgery attacks on the scheme, bypassing the need to factorize tropical polynomials and thus demonstrating that security in fact rests on a different, empirically easier problem.



## 2023/1749

* Title: Dora: Processor Expressiveness is (Nearly) Free in Zero-Knowledge for RAM Programs
* Authors: Aarushi Goel, Mathias Hall-Andersen, Gabriel Kaptchuk
* [Permalink](https://eprint.iacr.org/2023/1749)
* [Download](https://eprint.iacr.org/2023/1749.pdf)

### Abstract

Existing protocols for proving the correct execution of a RAM program in zero-knowledge are plagued by a processor expressiveness trade-off : supporting fewer instructions results in smaller processor circuits (which improves performance), but may
result in more program execution steps because non-supported instruction must be emulated over multiple processor steps (which diminishes performance).

We present Dora, a concretely efficient zero-knowledge protocol for RAM programs that sidesteps this tension by making it (nearly) free to add additional instructions to the processor. The computational and communication complexity of proving each step
of a computation in Dora, is constant in the number of supported instructions. Dora is also highly generic and only assumes the existence of linearly homomorphic commitments. We implement Dora and demonstrate that on commodity hardware it can prove the
correct execution of a processor with thousands of instruction, each of which has thousands of gates, in just a few milliseconds per step.



## 2023/1750

* Title: A Statistical Verification Method of Random Permutations for Hiding Countermeasure Against Side-Channel Attacks
* Authors: Jong-Yeon Park, Jang-Won Ju, Wonil Lee, Bo-Gyeong Kang, Yasuyuki Kachi, Kouichi Sakurai
* [Permalink](https://eprint.iacr.org/2023/1750)
* [Download](https://eprint.iacr.org/2023/1750.pdf)

### Abstract

As NIST is putting the final touches on the standardization of PQC (Post Quantum Cryptography) public key algorithms, it is a racing certainty that peskier cryptographic attacks undeterred by those new PQC algorithms will surface. Such a trend in turn
will prompt more follow-up studies of attacks and countermeasures. As things stand, from the attackers’ perspective, one viable form of attack that can be implemented thereupon is the so-called “side-channel attack”. Two best-known countermeasures
heralded to be durable against side-channel attacks are: “masking” and “hiding”. In that dichotomous picture, of particular note are successful single-trace attacks on some of the NIST’s PQC then-candidates, which worked to the detriment of the
former: “masking”. In this paper, we cast an eye over the latter: “hiding”. Hiding proves to be durable against both side-channel attacks and another equally robust type of attacks called “fault injection attacks”, and hence is deemed an
auspicious countermeasure to be implemented. Mathematically, the hiding method is fundamentally based on random permutations. There has been a cornucopia of studies on generating random permutations. However, those are not tied to implementation of the
hiding method. In this paper, we propose a reliable and efficient verification of permutation implementation, through employing Fisher–Yates’ shuffling method. We introduce the concept of an 𝑛-th order permutation and explain how it can be used to
verify that our implementation is more efficient than its previous-gen counterparts for hiding countermeasures.



## 2023/1752

* Title: Secure Encryption and Key Exchange using Arbiter PUF
* Authors: Raja Adhithan Radhakrishnan
* [Permalink](https://eprint.iacr.org/2023/1752)
* [Download](https://eprint.iacr.org/2023/1752.pdf)

### Abstract

This paper introduces a novel approach to enhancing cryp-
tographic security. It proposes the use of one-time message sharing com-
bined with Physically Unclonable Functions (PUF) to securely exchange
keys and generate an S-subbyte-box for encryption. This innovative tech-
nique aims to elevate the security standards of cryptographic applica-
tions.



## 2023/1753

* Title: Formal verification of the post-quantum security properties of IKEv2 PPK (RFC 8784) using the Tamarin Prover
* Authors: Sophie Stevens
* [Permalink](https://eprint.iacr.org/2023/1753)
* [Download](https://eprint.iacr.org/2023/1753.pdf)

### Abstract

The Internet Key Exchange version 2 (IKEv2) (RFC 7296) is a component of IPsec used to authenticate two parties (the initiator and responder) to each other and to establish a set of security parameters for the communications. The security parameters
include secret keys to encrypt and authenticate data as well as the negotiation of a set of cryptographic algorithms. The core documentation uses exclusively Diffie-Hellman exchanges to agree the security information. However, this is not a quantum-
secure option due to the ability of Shor's algorithm to break the security assumption underlying the Diffie-Hellman. A post-quantum solution is to include a preshared key in the exchange, as proposed by the extension RFC 8784; assuming that this
preshared key has sufficient entropy, the keys created in the IKEv2 exchange will be resistant to a quantum computer. In this paper, we investigate the security claims of RFC 8784 using formal verification methods. We find that keys created using the
preshared key are secret from an adversary. However, certain authentication properties of the protocol that are weakened under the assumption that Diffie-Hellman is insecure are not recovered using the preshared key.



## 2023/1754

* Title: That’s not my signature! Fail-stop signatures for a post-quantum world
* Authors: Cecilia Boschini, Hila Dahari, Moni Naor, Eyal Ronen
* [Permalink](https://eprint.iacr.org/2023/1754)
* [Download](https://eprint.iacr.org/2023/1754.pdf)

### Abstract

The Snowden's revelations kick-started a community-wide effort to develop cryptographic tools against mass surveillance.
In this work, we propose to add another primitive to that toolbox: Fail-Stop Signatures (FSS) [EC'89].
FSS are digital signatures enhanced with a forgery-detection mechanism that can protect a PPT signer from more powerful attackers.
Despite the fascinating concept, research in this area stalled after the '90s. However, the ongoing transition to post-quantum cryptography, with its hiccups due to the novelty of underlying assumptions, has become the perfect use case for FSS.
This paper aims to reboot research on FSS with practical use in mind: Our framework for FSS includes ``fine-grained'' security definitions (that assume a powerful, but bounded adversary e.g: can break $128$-bit of security, but not $256$-bit).
As an application, we show new FSS constructions for the post-quantum setting. We show that FSS are equivalent to standard, provably secure digital signatures that do not require rewinding or programming random oracles, and that this implies lattice-based FSS.
Our main construction is an FSS version of SPHINCS, which required building FSS versions of all its building blocks: WOTS, XMSS, and FORS.

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)