## In this issue
1. [2023/1822] Rectangular Attack on VOX
2. [2023/1823] PQC-NN: Post-Quantum Cryptography Neural Network
3. [2023/1824] Learning with Errors over Group Rings Constructed ...
4. [2023/1825] Unclonable Cryptography in the Plain Model
5. [2023/1826] Load-Balanced Server-Aided MPC in Heterogeneous ...
6. [2023/1827] Key Exchange in the Post-Snowden Era: UC Secure ...
7. [2023/1828] Sender-Anamorphic Encryption Reformulated: ...
8. [2023/1829] End-to-End Encrypted Zoom Meetings: Proving ...
9. [2023/1830] Vector Commitments with Efficient Updates
10. [2023/1831] A CP-based Automatic Tool for Instantiating ...
11. [2023/1832] A Note On the Universality of Black-box MKtP Solvers
12. [2023/1833] Cryptanalysis of QARMAv2
13. [2023/1834] BBB PRP Security of the Lai-Massey Mode
14. [2023/1835] ID-CAKE: Identity-based Cluster Authentication and ...
15. [2023/1836] An Incremental PoSW for General Weight Distributions
16. [2023/1837] More forging (and patching) of tropical signatures
17. [2023/1838] Quantifying risks in cryptographic selection processes
18. [2023/1839] Ring-LWE Hardness Based on Ideals of Hidden Orders ...
19. [2023/1840] Unconditionally secure quantum commitments with ...
20. [2023/1841] Unclonable Cryptography with Unbounded Collusions
21. [2023/1842] Leverage Staking with Liquid Staking Derivatives ...
22. [2023/1843] Zero-day vulnerability prevention with recursive ...
23. [2023/1844] Unconditionally Secure Commitments with Quantum ...
24. [2023/1845] Efficient Issuer-Hiding Authentication, Application ...
25. [2023/1846] New Security Proofs and Complexity Records for ...
26. [2023/1847] Cycle Structure and Observability of Two Types of ...
27. [2023/1848] Breach Extraction Attacks: Exposing and Addressing ...
28. [2023/1849] Lattice-based Programmable Hash Functions and ...
29. [2023/1850] Accurate Score Prediction for Dual-Sieve Attacks
30. [2023/1851] Quantum Security of the UMTS-AKA Protocol and its ...
31. [2023/1852] Reduction from sparse LPN to LPN, Dual Attack 3.0
32. [2023/1853] Report on evaluation of KpqC candidates
33. [2023/1854] A note on quantum approximate optimization algorithm
34. [2023/1855] Demystifying DeFi MEV Activities in Flashbots Bundle
35. [2023/1856] Optimizing AES Threshold Implementation under the ...
## 2023/1822
* Title: Rectangular Attack on VOX
* Authors: Gilles Macario-Rat, Jacques Patarin, Benoit Cogliati, Jean-Charles Faugère, Pierre-Alain Fouque, Louis Gouin, Robin Larrieu, Brice Minaud
* [Permalink](https://eprint.iacr.org/2023/1822)
* [Download](https://eprint.iacr.org/2023/1822.pdf)
### Abstract
VOX has been submitted to the NIST Round 1 Additional Signature of the Post-Quantum Signature Competition in June 2023. VOX is a strengthened variant of UOV which uses the Quotient-Ring (QR) setting to reduce the public-key size.
At the end of August 2023, Furue and Ikematsu posted a message on the NIST mailing list indicating that the parameters of VOX can be attacked efficiently using the rectangular attack in the QR setting.
In this note, we explain the attack in the specific case of VOX, we detail the complexity, and show that as Furue and Ikematsu indicated, the attack can be completely avoided by adding one more constraint on the parameter selection. Finally, we show that
this constraint does not increase the sizes of the public keys or signature.
## 2023/1823
* Title: PQC-NN: Post-Quantum Cryptography Neural Network
* Authors: Abel C. H. Chen
* [Permalink](https://eprint.iacr.org/2023/1823)
* [Download](https://eprint.iacr.org/2023/1823.pdf)
### Abstract
In recent years, quantum computers and Shor’s quantum algorithm have been able to effectively solve NP (Non-deterministic Polynomial-time) problems such as prime factorization and discrete logarithm problems, posing a threat to current mainstream
asymmetric cryptography, including RSA and Elliptic Curve Cryptography (ECC). As a result, the National Institute of Standards and Technology (NIST) in the United States called for Post-Quantum Cryptography (PQC) methods that include lattice-based
cryptography methods, code-based cryptography methods, multivariate cryptography methods, and hash-based cryptography methods for resisting quantum computing attacks. Therefore, this study proposes a PQC neural network (PQC-NN) that maps a code-based PQC
method to a neural network structure and enhances the security of ciphertexts with non-linear activation functions, random perturbation of ciphertexts, and uniform distribution of ciphertexts. The main innovations of this study include: (1) constructing
a neural network structure that complies with code-based PQC, where the weight sets between the input layer and the ciphertext layer can be used as a public key for encryption, and the weight sets between the ciphertext layer and the output layer can be
used as a private key for decryption; (2) adding random perturbations to the ciphertext layer, which can be removed during the decryption phase to restore the original plaintext; (3) constraining the output values of the ciphertext layer to follow a
uniform distribution with a significant similarity by adding the cumulative distribution function (CDF) values of the chi-square distribution to the loss function, ensuring that the neural network produces sufficiently uniform distribution for the output
values of the ciphertext layer. In practical experiments, this study uses cellular network signals as a case study to demonstrate that encryption and decryption can be performed by the proposed PQC neural network with the uniform distribution of
ciphertexts. In the future, the proposed PQC neural network could be applied to various applications.
## 2023/1824
* Title: Learning with Errors over Group Rings Constructed by Semi-direct Product
* Authors: Jiaqi Liu, Fang-Wei Fu
* [Permalink](https://eprint.iacr.org/2023/1824)
* [Download](https://eprint.iacr.org/2023/1824.pdf)
### Abstract
The Learning with Errors (LWE) problem has been widely utilized as a foundation for numerous cryptographic tools over the years. In this study, we focus on an algebraic variant of the LWE problem called Group ring LWE (GR-LWE). We select group rings (or
their direct summands) that underlie specific families of finite groups constructed by taking the semi-direct product of two cyclic groups. Unlike the Ring-LWE problem described by Lyubashevsky et al. (2010), the multiplication operation in the group
rings considered here is non-commutative. As an extension of Ring-LWE, it maintains computational hardness and can be potentially applied in many cryptographic scenarios. In this paper, we present two polynomial-time quantum reductions. Firstly, we
provide a quantum reduction from the worst-case shortest independent vectors problem (SIVP) in ideal lattices with polynomial approximate factor to the search version of GR-LWE. This reduction requires that the underlying group ring possesses certain
mild properties; Secondly, we present another quantum reduction for two types of group rings, where the worst-case SIVP problem is directly reduced to the (average-case) decision GR-LWE problem. The pseudorandomness of GR-LWE samples guaranteed by this
reduction can be consequently leveraged to construct semantically secure public-key cryptosystems.
## 2023/1825
* Title: Unclonable Cryptography in the Plain Model
* Authors: Céline Chevalier, Paul Hermouet, Quoc-Huy Vu
* [Permalink](https://eprint.iacr.org/2023/1825)
* [Download](https://eprint.iacr.org/2023/1825.pdf)
### Abstract
By leveraging the no-cloning principle of quantum mechanics, unclonable cryptography enables us to achieve novel cryptographic protocols that are otherwise impossible classically. Two most notable examples of unclonable cryptography are quantum copy-protection and unclonable encryption. Despite receiving a lot of attention in recent years, two important open questions still remain: copy-protection for point functions in the plain model, which is usually considered as feasibility demonstration, and
unclonable encryption with unclonable indistinguishability security in the plain model.
In this work, by relying on previous works of Coladangelo, Liu, Liu, and Zhandry (Crypto’21) and Culf and Vidick (Quantum’22), we establish a new monogamy-of-entanglement property for subspace coset states, which allows us to obtain the following new
results:
* We show that copy-protection of point functions exists in the plain model, with different challenge distributions (including arguably the most natural ones).
* We show, for the first time, that unclonable encryption with unclonable indistinguishability security exists in the plain model.
## 2023/1826
* Title: Load-Balanced Server-Aided MPC in Heterogeneous Computing
* Authors: Yibiao Lu, Bingsheng Zhang, Kui Ren
* [Permalink](https://eprint.iacr.org/2023/1826)
* [Download](https://eprint.iacr.org/2023/1826.pdf)
### Abstract
Most existing MPC protocols consider the homogeneous setting, where all the MPC players are assumed to have identical communication and computation resources. In practice, the weakest player often becomes the bottleneck of the entire MPC protocol
execution. In this work, we initiate the study of so-called load-balanced MPC in the heterogeneous computing. A load-balanced MPC protocol can adjust the workload of each player accordingly to maximize the overall resource utilization. In particular, we
propose new notions called composite circuit and composite garbling scheme, and construct two efficient server-aided protocols with malicious security and semi-honest security, respectively. Our maliciously secure protocol is over 400$\times$ faster
than the authenticated garbling protocol (CCS'17); our semi-honest protocol is up to 173$\times$ faster than the optimized BMR protocol (CCS'16).
## 2023/1827
* Title: Key Exchange in the Post-Snowden Era: UC Secure Subversion-Resilient PAKE
* Authors: Suvradip Chakraborty, Lorenzo Magliocco, Bernardo Magri, Daniele Venturi
* [Permalink](https://eprint.iacr.org/2023/1827)
* [Download](https://eprint.iacr.org/2023/1827.pdf)
### Abstract
Password-Authenticated Key Exchange (PAKE) allows two parties to establish a common high-entropy secret from a possibly low-entropy pre-shared secret such as a password. In this work, we provide the first PAKE protocol with subversion resilience in the
framework of universal composability (UC), where the latter roughly means that UC security still holds even if one of the two parties is malicious and the honest party's code has been subverted (in an undetectable manner).
We achieve this result by sanitizing the PAKE protocol from oblivious transfer (OT) due to Canetti et al. (PKC'12) via cryptographic reverse firewalls in the UC framework (Chakraborty et al., EUROCRYPT'22). This requires new techniques, which help us
uncover new cryptographic primitives with sanitation-friendly properties along the way (such as OT, dual-mode cryptosystems, and signature schemes).
As an additional contribution, we delve deeper into the backbone of communication required in the subversion-resilient UC framework, extending it to the unauthenticated setting, in line with the work of Barak et al. (CRYPTO'05).
## 2023/1828
* Title: Sender-Anamorphic Encryption Reformulated: Achieving Robust and Generic Constructions
* Authors: Yi Wang, Rongmao Chen, Xinyi Huang, Moti Yung
* [Permalink](https://eprint.iacr.org/2023/1828)
* [Download](https://eprint.iacr.org/2023/1828.pdf)
### Abstract
Motivated by the violation of two fundamental assumptions in secure communication, receiver-privacy and sender-freedom, by a certain entity referred to as "the dictator", Persiano et al. introduced the concept of Anamorphic Encryption (AME) for
public key cryptosystems (EUROCRYPT 2022). Specifically, they presented receiver/sender-AME, directly tailored to scenarios where receiver privacy and sender freedom assumptions are compromised, respectively. In receiver-AME, entities share a double key
to communicate in anamorphic fashion, raising concerns about the online distribution of the double key without detection by the dictator. The sender-AME with no shared secret is a potential candidate for key distribution. However, the only such known
schemes (i.e., LWE and Dual LWE encryptions) suffer from an intrinsic limitation and cannot achieve reliable distribution.
Here, we reformulate the sender-AME, present the notion of $\ell$-sender-AME and formalize the properties of (strong) security and robustness. Robustness refers to guaranteed delivery of duplicate messages to the intended receiver, ensuring that
decrypting normal ciphertexts in an anamorphic way or decrypting anamorphic ciphertexts with an incorrect duplicate secret key results in an explicit abort signal. We first present a simple construction for pseudo-random and robust public key encryption
that shares the similar idea of public-key stegosystem by von Ahn and Hopper (EUROCRYPT 2004). Then, inspired by Chen et al.'s malicious algorithm-substitution attack (ASA) on key encapsulation mechanisms (KEM) (ASIACRYPT 2020), we give a generic
construction for hybrid PKE with special KEM that encompasses well-known schemes, including ElGamal and Cramer-Shoup cryptosystems.
The constructions of $\ell$-sender-AME motivate us to explore the relations between AME, ASA on PKE, and public-key stegosystem. The results show that a strongly secure $\ell$-sender-AME is such a strong primitive that implies reformulated receiver-AME,
public-key stegosystem, and generalized ASA on PKE. By expanding the scope of sender-anamorphic encryption and establishing its robustness, as well as exploring the connections among existing notions, we advance secure communication protocols under
challenging conditions.
## 2023/1829
* Title: End-to-End Encrypted Zoom Meetings: Proving Security and Strengthening Liveness
* Authors: Yevgeniy Dodis, Daniel Jost, Balachandar Kesavan, Antonio Marcedone
* [Permalink](https://eprint.iacr.org/2023/1829)
* [Download](https://eprint.iacr.org/2023/1829.pdf)
### Abstract
In May 2020, Zoom Video Communications, Inc. (Zoom) announced a multi-step plan to comprehensively support end-to-end encrypted (E2EE) group video calls and subsequently rolled out basic E2EE support to customers in October 2020. In this work we provide
the first formal security analysis of Zoom's E2EE protocol, and also lay foundation to the general problem of E2EE group video communication.
We observe that the vast security literature analyzing asynchronous messaging does not translate well to synchronous video calls. Namely, while strong forms of forward secrecy and post-compromise security are less important for (typically short-lived)
video calls, various liveness properties become crucial. For example, mandating that participants quickly learn of updates to the meeting roster and key, media streams being displayed are recent, and banned participants promptly lose any access to the
meeting. Our main results are as follows:
1. Propose a new notion of leader-based continuous group key agreement with liveness, which accurately captures the E2EE properties specific to the synchronous communication scenario.
2. Prove security of the core of Zoom's E2EE meetings protocol in the above well-defined model.
3. Propose ways to strengthen Zoom's liveness properties by simple modifications to the original protocol, which subsequently influenced updates implemented in production.
## 2023/1830
* Title: Vector Commitments with Efficient Updates
* Authors: Ertem Nusret Tas, Dan Boneh
* [Permalink](https://eprint.iacr.org/2023/1830)
* [Download](https://eprint.iacr.org/2023/1830.pdf)
### Abstract
Dynamic vector commitments that enable local updates of opening proofs have applications ranging from verifiable databases with membership changes to stateless clients on blockchains. In these applications, each user maintains a relevant subset of the
committed messages and the corresponding opening proofs with the goal of ensuring a succinct global state. When the messages are updated, users are given some global update information and update their opening proofs to match the new vector commitment.
We investigate the relation between the size of the update information and the runtime complexity needed to update an individual opening proof. Existing vector commitment schemes require that either the information size or the runtime scale linearly in
the number $k$ of updated state elements. We construct a vector commitment scheme that asymptotically achieves both length and runtime that is sublinear in $k$, namely $k^\nu$ and $k^{1-\nu}$ for any $\nu \in (0,1)$. We prove an information-theoretic
lower bound on the relation between the update information size and runtime complexity that shows the asymptotic optimality of our scheme. For $\nu = 1/2$, our constructions outperform Verkle commitments by about a factor of $2$ in terms of both the
update information size and runtime, but make use of larger public parameters.
## 2023/1831
* Title: A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics - Extended Version
* Authors: François Delobel, Patrick Derbez, Arthur Gontier, Loïc Rouquette, Christine Solnon
* [Permalink](https://eprint.iacr.org/2023/1831)
* [Download](https://eprint.iacr.org/2023/1831.pdf)
### Abstract
An important criterion to assert the security of a cryptographic primitive is its resistance against differential cryptanalysis. For word-oriented primitives, a common technique to determine the number of rounds required to ensure the immunity against
differential distinguishers is to consider truncated differential characteristics and to count the number of active S-boxes. Doing so allows one to provide an upper bound on the probability of the best differential characteristic with a reduced
computational cost. However, in order to design very efficient primitives, it might be needed to evaluate the probability more accurately. This is usually done in a second step, during which one tries to instantiate truncated differential characteristics
with actual values and computes its corresponding probability. This step is usually done either with ad-hoc algorithms or with CP, SAT or MILP models that are solved by generic solvers. In this paper, we present a generic tool for automatically
generating these models to handle all word-oriented ciphers. Furthermore the running times to solve these models are very competitive
with all the previous dedicated approaches.
## 2023/1832
* Title: A Note On the Universality of Black-box MKtP Solvers
* Authors: Noam Mazor, Rafael Pass
* [Permalink](https://eprint.iacr.org/2023/1832)
* [Download](https://eprint.iacr.org/2023/1832.pdf)
### Abstract
The relationships between various meta-complexity problems are not well understood in the worst-case regime, including whether the search version is harder than the decision version, whether the hardness scales with the "threshold", and how the hardness
of different meta complexity problems relate to one another, and to the task of function inversion.
In this note, we present resolutions to some of these questions with respect to the \emph{black-box} analog of these problems. In more detail, let $MK^t_MP[s]$ denote the language consisting of strings $x$ with $K_{M}^t(x) < s(|x|)$, where $K_M^t(x)$
denotes the $t$-bounded Kolmogorov complexity of $x$ with $M$ as the underlying (Universal) Turing machine, and let $search-MK^t_MP[s]$ denote the search version of the same problem.
We show that if for every Universal Turing machine $U$ there exists a $2^{\alpha n}poly(n)$-size $U$-oracle aided circuit deciding $MK^t_UP [n-O(1)]$, then for every function $s$, and every not necessarily universal Turing machine $M$, there exists
a $2^{\alpha s(n)}poly(n)$ size $M$-oracle aided circuit solving $search-MK^t_MP[s(n)]$; this in turn yields circuits of roughly the same size for both the Minimum Circuit Size Problem (MCSP), and the function inversion problem, as they can be thought of
as instantiating $MK^t_MP$ with particular choices of (a non universal) TMs $M$ (the circuit emulator for the case of MCSP, and the function evaluation in the case of function inversion).
As a corollary of independent interest, we get that the complexity of black-box function inversion is (roughly) the same as the complexity of black-box deciding $MK^t_UP[n-O(1)]$ for any universal TM $U$; that is, also in the worst-case regime, black-box
function inversion is "equivalent" to black-box deciding $MK^t_UP$.
## 2023/1833
* Title: Cryptanalysis of QARMAv2
* Authors: Hosein Hadipour, Yosuke Todo
* [Permalink](https://eprint.iacr.org/2023/1833)
* [Download](https://eprint.iacr.org/2023/1833.pdf)
### Abstract
QARMAv2 is a general-purpose and hardware-oriented family of lightweight tweakable block ciphers (TBCs) introduced in ToSC 2023. QARMAv2, as a redesign of QARMA with a longer tweak and tighter security margins, is also designed to be suitable for
cryptographic memory protection and control flow integrity. The designers of QARMAv2 provided a relatively comprehensive security analysis in the design specification, e.g., some bounds for the number of attacked rounds in differential and boomerang
analysis, together with some concrete impossible differential, zero-correlation, and integral distinguishers. As one of the first third-party cryptanalyses of QARMAv2, Hadipour et al. significantly improved the integral distinguishers of QARMAv2 and
provided the longest concrete distinguishers of QARMAv2 up to now. However, they provided no key recovery attack based on their distinguishers.
This paper delves into the cryptanalysis of QARMAv2 to enhance our understanding of its security. Given that the integral distinguishers of QARMAv2 are the longest concrete distinguishers for this cipher so far, we focus on integral attack. To this end,
we first further improve the automatic tool introduced by Hadipour et al., for finding integral distinguishers of TBCs following the TWEAKEY framework. This new tool exploits the MixColumns property of QARMAv2 to find integral distinguishers more
suitable for key recovery attacks. Then, we combine several techniques for integral key recovery attacks, e.g., Meet-in-the-middle and partial-sum techniques to build a fine-grained integral key recovery attack on QARMAv2. Notably, we demonstrate how to
leverage the low data complexity of the integral distinguishers of QARMAv2 to reduce the memory complexity of the meet-in-the-middle technique. As a result, we managed to propose the first concrete key recovery attacks on reduced-round versions of
QARMAv2 by attacking 13 rounds of QARMAv2-64-128 with a single tweak block, 14 rounds of QARMAv2-64-128 with two independent tweak blocks, and 16 rounds of QARMAv2-128-256 with two independent tweak blocks. Our attacks do not compromise the claimed
security of QARMAv2, but they shed more light on the cryptanalysis of this cipher.
## 2023/1834
* Title: BBB PRP Security of the Lai-Massey Mode
* Authors: Ritam Bhaumik, Mohammad Amin Raeisi
* [Permalink](https://eprint.iacr.org/2023/1834)
* [Download](https://eprint.iacr.org/2023/1834.pdf)
### Abstract
In spite of being a popular technique for designing block ciphers, Lai-Massey networks have received considerably less attention from a security analysis point-of-view than Feistel networks and Substitution-Permutation networks. In this paper we study
the beyond-birthday-bound (BBB) security of Lai-Massey networks with independent random round functions against chosen-plaintext adversaries. Concretely, we show that five rounds are necessary and sufficient to achieve BBB security.
## 2023/1835
* Title: ID-CAKE: Identity-based Cluster Authentication and Key Exchange Scheme for Message Broadcasting and Batch Verification in VANETs
* Authors: Apurva K Vangujar, Alia Umrani, Paolo Palmieri
* [Permalink](https://eprint.iacr.org/2023/1835)
* [Download](https://eprint.iacr.org/2023/1835.pdf)
### Abstract
Vehicle Ad Hoc Networks (VANETs) play a pivotal role in intelligent transportation systems, offering dynamic communication between vehicles, Road Side Units (RSUs), and the internet. Given the open-access nature of VANETs and the associated threats, such
as impersonation and privacy violations, ensuring the security of these communications is of utmost importance.
This paper presents the Identity-based Cluster Authentication and Key Exchange (ID-CAKE) scheme, a new approach to address security challenges in VANETs. The ID-CAKE scheme integrates the Cluster Consensus Identity-based Identification (CCIBI) with Zero-Knowledge (ZK) proofs and the Identity-based Multireceiver Key Exchange Mechanism (ID-mKEM) signature scheme. This integration provides robust authorization via CCIBI, while ID-mKEM signatures ensure message integrity, and guarantee both non-repudiation
and unforgeability through mKEM for message broadcasting. The scheme employs a novel three-party ZK proof for batch verification using mKEM, which significantly reduces computational burdens. Our scheme also ensures anonymity and unlinkability by
introducing pseudo-identities to all users in the cluster. The rigorous security proofs provided confirm the resilience of the ID-CAKE scheme against potential attacks, adhering to the different scenarios, against the hardness of the elliptic curve
computational Diffie-Hellman under the random oracle model. The ID-CAKE scheme establishes a robust security framework for VANETs, and its introduction highlights potential pathways for future exploration in the realm of VANET security.
## 2023/1836
* Title: An Incremental PoSW for General Weight Distributions
* Authors: Hamza Abusalah, Valerio Cini
* [Permalink](https://eprint.iacr.org/2023/1836)
* [Download](https://eprint.iacr.org/2023/1836.pdf)
### Abstract
A proof of sequential work (PoSW) scheme allows the prover to convince a verifier that it computed a certain number of computational steps sequentially.
Very recently, graph-labeling PoSW schemes found applications in light-client blockchain protocols, most notably bootstrapping. A bootstrapping protocol allows a light client, with minimal information about the blockchain, to hold a commitment to its
stable prefix. An incremental PoSW (iPoSW) scheme allows the prover to non-trivially increment proofs: given $\chi,\pi_1$ and integers $N_1,N_2$ such that $\pi_1$ is a valid proof for $N_1$, it generates a valid proof $\pi$ for $N_1+N_2$.
In this work, we construct an iPoSW scheme based on the skiplist-based PoSW scheme of Abusalah et al. and prove its security in the random oracle model by employing the powerful on-the-fly sampling technique of Döttling et al. Moreover, unlike the iPoSW
scheme of Döttling et al., ours is the first iPoSW scheme which is suitable for constructing incremental non-interactive arguments of chain knowledge (SNACK) schemes, which are at the heart of space and time efficient blockchain light-client protocols.
In particular, our scheme works for general weight distributions, which we characterize as incrementally sampleable distributions. Our general treatment recovers the distribution underlying the scheme of Döttling et al. as well as the distribution
underlying SNACK-enabled bootstrapping application as special cases. In realizing our general construction, we develop a new on-the-fly sampling technique.
## 2023/1837
* Title: More forging (and patching) of tropical signatures
* Authors: Daniel R. L. Brown, Chris Monico
* [Permalink](https://eprint.iacr.org/2023/1837)
* [Download](https://eprint.iacr.org/2023/1837.pdf)
### Abstract
Panny [3] described how to forge the “tropical signatures” proposed by Chen, Grigoriev and Shpilrain [1]. (These signatures are loosely related to the NP-complete problem of factoring tropical polynomials).
We describe more methods to forge these tropical signatures. We also describe some patches that thwart all but one of these forgery methods (which we summarize as re-hashing an honest signature).
## 2023/1838
* Title: Quantifying risks in cryptographic selection processes
* Authors: Daniel J. Bernstein
* [Permalink](https://eprint.iacr.org/2023/1838)
* [Download](https://eprint.iacr.org/2023/1838.pdf)
### Abstract
There appears to be a widespread belief that some processes of selecting cryptosystems are less risky than other processes. As a case study of quantifying the difference in risks, this paper compares the currently-known-failure rates of three large
groups of cryptosystems: (1) the round-1 submissions to the NIST Post-Quantum Cryptography Standardization Project, (2) the round-1 submissions not broken by the end of round 1, and (3) the round-1 submissions selected by NIST for round 2 of the same
project. These groups of cryptosystems turn out to have currently-known-failure rates that are strikingly high, and that include statistically significant differences across the groups, not matching the pattern of differences that one might expect.
Readers are cautioned that the actual failure rates could be much higher than the currently-known-failure rates.
## 2023/1839
* Title: Ring-LWE Hardness Based on Ideals of Hidden Orders of Number Fields
* Authors: Charanjit S Jutla, Chengyu Lin
* [Permalink](https://eprint.iacr.org/2023/1839)
* [Download](https://eprint.iacr.org/2023/1839.pdf)
### Abstract
We extend the known pseudorandomness of Ring-LWE to be based on lattices that do not correspond to any ideal of any order in the underlying number field. In earlier works of Lyubashevsky et al (EUROCRYPT 2010) and Peikert et al (STOC 2017), the hardness
of RLWE was based on ideal lattices of ring of integers of number fields, which are known to be Dedekind domains. While these works extended Regev's (STOC 2005) quantum polynomial-time reduction for LWE, thus allowing more efficient and more structured
cryptosystems, the additional algebraic structure of ideals of Dedekind domains leaves open the possibility that such ideal lattices are not as hard as general lattices.
In this work we show that hardness of $q$-Ring-LWE can be based on worst-case hardness of ideal lattices in arbitrary orders $O$, as long as the order $O$ satisfies the property that $\frac{1}{m}\cdot O$ contains the ring of integers, for some $m$ co-prime to $q$. Further, the hard lattice problems need not be given the order $O$ itself as input. The reduction requires that the noise be a factor $m$ more than the original Ring-LWE reduction. We also show that for the power-of-two cyclotomic number
fields, there exist orders with $m=4$ such that non-trivial ideals of the order, which are not contained in the conductor, are non-invertible.
Another reduction shows that hardness of $q$-Ring-LWE can be based on worst-case hardness of lattices that correspond to sum of ideal-lattices in arbitrary and different orders in the number field, as long as the (set of) orders $\{O_i\}$ satisfy the
property that $\frac{1}{m}\cdot O_i$ contains the ring of integers, for some $m$ co-prime to $q$. We also show that for the power-of-two cyclotomic number fields, there exist orders $O_1, O_2$ with $m=8$ such that there are ideals $I_1, I_2$ of $O_1, O_2$
resp. with $I_1+ I_2$ not an ideal of any order in the number field.
## 2023/1840
* Title: Unconditionally secure quantum commitments with preprocessing
* Authors: Luowen Qian
* [Permalink](https://eprint.iacr.org/2023/1840)
* [Download](https://eprint.iacr.org/2023/1840.pdf)
### Abstract
[continued in next message]