## In this issue
1. [2023/275] Revisiting BBS Signatures
2. [2023/880] On Active Attack Detection in Messaging with ...
3. [2023/1529] Shufflecake: Plausible Deniability for Multiple ...
4. [2023/1857] A Simple and Efficient Framework of Proof Systems ...
5. [2023/1858] A Novel Power-Sum PRG with Applications to Lattice- ...
6. [2023/1859] XorSHAP: Privacy-Preserving Explainable AI for ...
7. [2023/1860] EstraNet: An Efficient Shift-Invariant Transformer ...
8. [2023/1861] Automatic Verification of Cryptographic Block ...
9. [2023/1862] Analyzing UTXO-Based Blockchain Privacy Threats
10. [2023/1863] Efficient Secure Multiparty Computation for ...
11. [2023/1864] Cache Side-Channel Attacks Through Electromagnetic ...
12. [2023/1865] Projective Space Stern Decoding and Application to ...
13. [2023/1866] When NTT Meets SIS: Efficient Side-channel Attacks ...
14. [2023/1867] Different Flavours of HILL Pseudoentropy and Yao ...
15. [2023/1868] COMMON: Order Book with Privacy
16. [2023/1869] Accountable Bulletin Boards: Definition and ...
17. [2023/1870] An Improved Method for Evaluating Secret Variables ...
18. [2023/1871] B2T: The Third Logical Value of a Bit
19. [2023/1872] Integral Multiset: A Novel Framework for Integral ...
20. [2023/1873] SoK: Post-Quantum TLS Handshake
21. [2023/1874] Security Analysis of an Image Encryption Based on ...
22. [2023/1875] The Blockwise Rank Syndrome Learning problem and ...
23. [2023/1876] Thwarting Last-Minute Voter Coercion
24. [2023/1877] Security Analysis of an Image Encryption Scheme ...
25. [2023/1878] Predicting performance for post-quantum encrypted- ...
26. [2023/1879] A Multiparty Commutative Hashing Protocol based on ...
27. [2023/1880] Cryptanalysis of Lattice-Based Sequentiality ...
28. [2023/1881] Blockchain Governance via Sharp Anonymous ...
29. [2023/1882] Lattice Based Signatures with Additional ...
30. [2023/1883] The statistical nature of leakage in SSE schemes ...
31. [2023/1884] Multi-Signatures for Ad-hoc and Privacy-Preserving ...
32. [2023/1885] Falcon Takes Off - A Hardware Implementation of the ...
33. [2023/1886] Reef: Fast Succinct Non-Interactive Zero-Knowledge ...
34. [2023/1887] GRandLine: Adaptively Secure DKG and Randomness ...
35. [2023/1888] Reverie: an end-to-end accumulation scheme from ...
36. [2023/1889] Fully Parallel, One-Cycle Random Shuffling for ...
37. [2023/1890] Aegis: A Lightning Fast Privacy-preserving Machine ...
38. [2023/1891] In-depth Correlation Power Analysis Attacks on a ...
39. [2023/1892] Asymptotics of hybrid primal lattice attacks
40. [2023/1893] BOLT: Privacy-Preserving, Accurate and Efficient ...
41. [2023/1894] Hardness of Range Avoidance and Remote Point for ...
42. [2023/1895] The Patching Landscape of Elisabeth-4 and the Mixed ...
43. [2023/1896] Selective Delegation of Attributes in Mercurial ...
44. [2023/1897] PRAC: Round-Efficient 3-Party MPC for Dynamic Data ...
45. [2023/1898] An Empirical Study of Cross-chain Arbitrage in ...
46. [2023/1899] Allowing Blockchain Loans with Low Collateral
47. [2023/1900] Proof of Compliance for Anonymous, Unlinkable Messages
## 2023/275
* Title: Revisiting BBS Signatures
* Authors: Stefano Tessaro, Chenzhi Zhu
* [Permalink](https://eprint.iacr.org/2023/275)
* [Download](https://eprint.iacr.org/2023/275.pdf)
### Abstract
BBS signatures were implicitly proposed by Boneh, Boyen, and Shacham (CRYPTO ’04) as part of their group signature scheme, and explicitly cast as stand-alone signatures by Camenisch and Lysyanskaya (CRYPTO ’04). A provably secure version, called BBS+,
was then devised by Au, Susilo, and Mu (SCN ’06), and is currently the object of a standardization effort which has led to a recent RFC draft. BBS+ signatures are suitable for use within anonymous credential and DAA systems, as their algebraic
structure enables efficient proofs of knowledge of message-signature pairs that support partial disclosure.
BBS+ signatures consist of one group element and two scalars. As our first contribution, we prove that a variant of BBS+ producing shorter signatures, consisting only of one group element and one scalar, is also secure. The resulting scheme is
essentially the original BBS proposal, which was lacking a proof of security. Here we show it satisfies, under the q-SDH assumption, the same provable security guarantees as BBS+. We also provide a complementary tight analysis in the algebraic group
model, which heuristically justifies instantiations with potentially shorter signatures.
Furthermore, we devise simplified and shorter zero-knowledge proofs of knowledge of a BBS message-signature pair that support partial disclosure of the message. Over the BLS12-381 curve, our proofs are 896 bits shorter than the prior proposal by
Camenisch, Drijvers, and Lehmann (TRUST ’16), which is also adopted by the RFC draft.
Finally, we show that BBS satisfies one-more unforgeability in the algebraic group model in a scenario, arising in the context of credentials, where the signer can be asked to sign arbitrary group elements, meant to be commitments, without seeing their
openings.
## 2023/880
* Title: On Active Attack Detection in Messaging with Immediate Decryption
* Authors: Khashayar Barooti, Daniel Collins, Simone Colombo, Loïs Huguenin-Dumittan, Serge Vaudenay
* [Permalink](https://eprint.iacr.org/2023/880)
* [Download](https://eprint.iacr.org/2023/880.pdf)
### Abstract
The widely used Signal protocol provides protection against state exposure attacks through forward security (protecting past messages) and post-compromise security (for restoring security). It supports immediate decryption, allowing messages to be
reordered or dropped at the protocol level without affecting correctness. In this work, we consider strong active attack detection for secure messaging with immediate decryption, where parties are able to immediately detect active attacks under certain
conditions. We first consider in-band active attack detection, where participants who have been actively compromised but are still able to send a single message to their partner can detect the compromise. We propose two complementary notions to capture
security, and present a compiler that provides security with respect to both notions. Our notions generalise existing work (RECOVER security) which only supported in-order messaging. We also study the related out-of-band attack detection problem by
considering communication over out-of-band, authenticated channels and propose analogous security notions. We prove that one of our two notions in each setting imposes a linear communication overhead in the number of sent messages and security parameter
using an information-theoretic argument. This implies that each message must information-theoretically contain all previous messages and that our construction, that essentially attaches the entire message history to every new message, is asymptotically
optimal. We then explore ways to bypass this lower bound and highlight the feasibility of practical active attack detection compatible with immediate decryption.
## 2023/1529
* Title: Shufflecake: Plausible Deniability for Multiple Hidden Filesystems on Linux
* Authors: Elia Anzuoni, Tommaso Gagliardoni
* [Permalink](https://eprint.iacr.org/2023/1529)
* [Download](https://eprint.iacr.org/2023/1529.pdf)
### Abstract
We present Shufflecake, a new plausible deniability design to hide the existence of encrypted data on a storage medium, making it very difficult for an adversary to prove the existence of such data. Shufflecake can be considered a "spiritual successor"
of tools such as TrueCrypt and VeraCrypt, but vastly improved: it works natively on Linux, it supports any filesystem of choice, and can manage multiple volumes per device, so as to make deniability of the existence of hidden partitions really plausible.
Compared to ORAM-based solutions, Shufflecake is extremely fast and simpler but does not offer native protection against multi-snapshot adversaries. However, we discuss security extensions that are made possible by its architecture, and we show evidence
why these extensions might be enough to thwart more powerful adversaries.
We implemented Shufflecake as an in-kernel tool for Linux, adding useful features, and we benchmarked its performance showing only a minor slowdown compared to a base encrypted system. We believe Shufflecake represents a useful tool for people whose
freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes.
## 2023/1857
* Title: A Simple and Efficient Framework of Proof Systems for NP
* Authors: Yuyu Wang, Chuanjie Su, Jiaxin Pan, Yu Chen
* [Permalink](https://eprint.iacr.org/2023/1857)
* [Download](https://eprint.iacr.org/2023/1857.pdf)
### Abstract
In this work, we propose a simple framework of constructing efficient non-interactive zero-knowledge proof (NIZK) systems for all NP. Compared to the state-of-the-art construction by Groth, Ostrovsky, and Sahai (J. ACM, 2012), our resulting NIZK system
reduces the proof size and proving and verification cost without any trade-off, i.e., neither increasing computation cost, CRS size nor resorting to stronger assumptions.
Furthermore, we extend our framework to construct a batch argument (BARG) system for all NP. Our construction remarkably improves the efficiency of BARG by Waters and Wu (Crypto 2022) without any trade-off.
## 2023/1858
* Title: A Novel Power-Sum PRG with Applications to Lattice-Based zkSNARKs
* Authors: Charanjit S Jutla, Eamonn W. Postlethwaite, Arnab Roy
* [Permalink](https://eprint.iacr.org/2023/1858)
* [Download](https://eprint.iacr.org/2023/1858.pdf)
### Abstract
zkSNARK is a cryptographic primitive that allows a prover to prove to a resource-constrained verifier that it has indeed performed a specified non-deterministic computation correctly, while hiding private witnesses. In this work we focus on lattice
based zkSNARK, as this serves two important design goals. Firstly, we get post-quantum zkSNARK schemes with $O(\log (\mbox{Circuit size}))$ sized proofs (without random oracles) and secondly,
the easy verifier circuit allows further bootstrapping by arbitrary (zk)SNARK schemes that offer additional or complementary properties. However, this goal comes with considerable challenges. The only known lattice-based bilinear maps are obtained using
multi-linear maps of Garg, Gentry, and Halevi 2013 (GGH13), which have undergone considerable cryptanalytic attacks, in particular annihilation attacks.
In this work, we propose a (level-2) GGH13-encoding based zkSNARK which we show to be secure in the weak-multilinear map model of Miles-Sahai-Zhandry assuming a novel pseudo-random generator (PRG). We argue that the new PRG assumption is plausible based
on the well-studied Newton's identity on power-sum polynomials, as well as an analysis of the hardness of computing Gröbner bases for these polynomials. The particular PRG is designed for efficient implementation of the zkSNARK.
Technically, we leverage the 2-linear instantiation of the GGH13 graded encoding scheme to provide us with an analogue of bilinear maps and adapt the Groth16 (Groth, Eurocrypt 2016) protocol, although with considerable technical advances in design and
proof. The protocol is non-interactive in the CRS model.
## 2023/1859
* Title: XorSHAP: Privacy-Preserving Explainable AI for Decision Tree Models
* Authors: Dimitar Jetchev, Marius Vuille
* [Permalink](https://eprint.iacr.org/2023/1859)
* [Download](https://eprint.iacr.org/2023/1859.pdf)
### Abstract
Explainable AI (XAI) refers to the development of AI systems and machine learning models in a way that humans can understand, interpret and trust the predictions, decisions and outputs of these models. A common approach to explainability is feature
importance, that is, determining which input features of the model have the most significant impact on the model prediction. Two major techniques for computing feature importance are LIME (Local Interpretable Model-agnostic Explanations) and SHAP (SHapley Additive exPlanations). While very generic, these methods are computationally expensive even in plaintext. Applying them in the privacy-preserving setting when part or all of the input data is private is therefore a major computational challenge.
In this paper, we present $\texttt{XorSHAP}$ - the first practical privacy-preserving algorithm for computing Shapley values for decision tree ensemble models in the semi-honest Secure Multiparty Computation (SMPC) setting with full threshold. Our
algorithm has complexity $O(T \widetilde{M} D 2^D)$, where $T$ is the number of decision trees in the ensemble, $D$ is the depth of the decision trees and $\widetilde{M}$ is the maximum of the number of features $M$ and $2^D$ (the number of leaf nodes
of a tree), and scales to real-world datasets. Our implementation is based on Inpher's $\texttt{Manticore}$ framework and simultaneously computes (in the SMPC setting) the Shapley values for 100 samples for an ensemble of $T = 60$ trees of depth $D = 4$
and $M = 100$ features in just 7.5 minutes, meaning that the Shapley values for a single prediction are computed in just 4.5 seconds for the same decision tree ensemble model.
Additionally, it is parallelization-friendly, thus, enabling future work on massive hardware acceleration with GPUs.
## 2023/1860
* Title: EstraNet: An Efficient Shift-Invariant Transformer Network for Side-Channel Analysis
* Authors: Suvadeep Hajra, Siddhartha Chowdhury, Debdeep Mukhopadhyay
* [Permalink](https://eprint.iacr.org/2023/1860)
* [Download](https://eprint.iacr.org/2023/1860.pdf)
### Abstract
Deep Learning (DL) based Side-Channel Analysis (SCA) has been extremely popular recently. DL-based SCA can easily break implementations protected by masking countermeasures. DL-based SCA has also been highly successful against implementations protected
by various trace desynchronization-based countermeasures like random delay, clock jitter, and shuffling. Over the years, many DL models have been explored to perform SCA. Recently, Transformer Network (TN) based model has also been introduced for SCA.
Though the previously introduced TN-based model is successful against implementations jointly protected by masking and random delay countermeasures, it is not scalable to long traces (having a length greater than a few thousand) due to its quadratic time
and memory complexity. This work proposes a novel shift-invariant TN-based model with linear time and memory complexity. The contributions of the work are two-fold. First, we introduce a novel TN-based model called EstraNet for SCA. EstraNet has linear
time and memory complexity in trace length, significantly improving over the previously proposed TN-based model’s quadratic time and memory cost. EstraNet is also shift-invariant, making it highly effective against countermeasures like random delay and
clock jitter. Secondly, we evaluated EstraNet on three SCA datasets of masked implementations with random delay and clock jitter effects. Our experimental results show that EstraNet significantly outperforms several benchmark models, demonstrating up to
an order of magnitude reduction in the number of attack traces required to reach guessing entropy 1.
## 2023/1861
* Title: Automatic Verification of Cryptographic Block Function Implementations with Logical Equivalence Checking
* Authors: Li-Chang Lai, Jiaxiang Liu, Xiaomu Shi, Ming-Hsien Tsai, Bow-Yaw Wang, Bo-Yin Yang
* [Permalink](https://eprint.iacr.org/2023/1861)
* [Download](https://eprint.iacr.org/2023/1861.pdf)
### Abstract
Given a fixed-size block, cryptographic block functions generate outputs by a sequence of bitwise operations. Block functions are widely used in the design of hash functions and stream ciphers. Their correct implementations hence are crucial to computer security. We propose a method that leverages logic equivalence checking to verify assembly implementations of cryptographic block functions. Logic equivalence checking is a well-established technique from hardware verification. Using our proposed method, we verify two dozen assembly implementations of ChaCha20, SHA-256, and SHA-3 block functions from OpenSSL and XKCP automatically. We also compare the performance of our technique with the conventional SMT-based technique in experiments.
## 2023/1862
* Title: Analyzing UTXO-Based Blockchain Privacy Threats
* Authors: Simin Ghesmati, Walid Fdhila, Edgar Weippl
* [Permalink](https://eprint.iacr.org/2023/1862)
* [Download](https://eprint.iacr.org/2023/1862.pdf)
### Abstract
While blockchain technologies leverage compelling characteristics in terms of decentralization, immutability, and transparency, user privacy in public blockchains remains a fundamental challenge that requires particular attention. This is mainly due to
the history of all transactions being accessible and available to anyone, thus making it possible for an attacker to infer data about users that is supposed to remain private.
In this paper, we provide a threat model of possible privacy attacks on users utilizing the Bitcoin blockchain. To this end, we followed the LINDDUN GO methodology to identify threats and suggest possible mitigation.
## 2023/1863
* Title: Efficient Secure Multiparty Computation for Multidimensional Arithmetics and Its Application in Privacy-Preserving Biometric Identification
* Authors: Dongyu Wu, Bei Liang, Zijie Lu, Jintai Ding
* [Permalink](https://eprint.iacr.org/2023/1863)
* [Download](https://eprint.iacr.org/2023/1863.pdf)
### Abstract
Over the years of development of secure multi-party computation (MPC), many sophisticated functionalities have been made practical, and multi-dimensional operations occur more and more frequently in MPC protocols, especially in protocols involving datasets
of vector elements, such as privacy-preserving biometric identification and privacy-preserving machine learning. In this paper, we introduce a new kind of correlation, called tensor triples, which is designed to make multi-dimensional MPC protocols more
efficient. We will discuss the generation process, the usage, as well as the applications of tensor triples and show that it can accelerate privacy-preserving biometric identification protocols, such as FingerCode, Eigenfaces and FaceNet, by more than
1000 times.
## 2023/1864
* Title: Cache Side-Channel Attacks Through Electromagnetic Emanations of DRAM Accesses
* Authors: Julien Maillard, Thomas Hiscock, Maxime Lecomte, Christophe Clavier
* [Permalink](https://eprint.iacr.org/2023/1864)
* [Download](https://eprint.iacr.org/2023/1864.pdf)
### Abstract
Remote side-channel attacks on processors exploit hardware and micro-architectural effects observable from software measurements. So far, the analysis of micro-architectural leakages over physical side-channels (power consumption, electromagnetic field)
received little treatment. In this paper, we argue that those attacks are a serious threat, especially against systems such as smartphones and Internet-of-Things (IoT) devices which are physically exposed to the end-user. Namely, we show that the
observation of Dynamic Random Access Memory (DRAM) accesses with an electromagnetic (EM) probe constitutes a reliable alternative to time
measurements in cache side-channel attacks. We describe the EVICT+EM attack, which allows recovering a full AES key on a T-Tables implementation with a similar number of encryptions to state-of-the-art EVICT+RELOAD attacks on the studied ARM platforms.
This new attack paradigm removes the need for shared memory and exploits EM radiations instead of high-precision timers. Then, we introduce PRIME+EM, whose goal is to reverse-engineer cache usage patterns. This attack allows recovering the layout of
lookup tables within the cache. Finally, we present COLLISION+EM, a collision-based attack on a System-on-chip (SoC) that does not require malicious code execution, and show its practical efficiency in recovering key material on an ARM TrustZone
application. Those results show that physical observation of the micro-architecture can lead to improved attacks.
## 2023/1865
* Title: Projective Space Stern Decoding and Application to SDitH
* Authors: Kevin Carrier, Valérian Hatey, Jean-Pierre Tillich
* [Permalink](https://eprint.iacr.org/2023/1865)
* [Download](https://eprint.iacr.org/2023/1865.pdf)
### Abstract
We show that standard decoding algorithms for generic linear codes over a finite field can be sped up by a factor which is essentially the size of the finite field
by reducing the problem to a low-weight codeword problem and working in the relevant projective space. We apply this technique to SDitH and show that the parameters of both the original
submission and the updated version fall short of meeting the security requirements set by NIST.
## 2023/1866
* Title: When NTT Meets SIS: Efficient Side-channel Attacks on Dilithium and Kyber
* Authors: Zehua Qiao, Yuejun Liu, Yongbin Zhou, Mingyao Shao, Shuo Sun
* [Permalink](https://eprint.iacr.org/2023/1866)
* [Download](https://eprint.iacr.org/2023/1866.pdf)
### Abstract
In 2022, NIST selected Kyber and Dilithium as post-quantum cryptographic standard algorithms. The Number Theoretic Transformation (NTT) algorithm, which facilitates polynomial multiplication, has become a primary target for side-channel attacks. Among
these, Correlation Power Analysis (CPA) attacks against NTT have received much attention, which aims to recover all the coefficients of the private key in NTT domain. The necessity to recover all these coefficients not only limits efficiency but also
directly impacts the feasibility of such attacks. Thus, a crucial question emerges: can the remaining coefficients be recovered using only a subset of known ones? In this work, we respond affirmatively by introducing overdetermined system-based and
SIS-assisted key recovery methods for both Dilithium and Kyber, tailored for scenarios with incomplete NTT domain private keys. The SIS-assisted method, by embedding the NTT transform matrix into the SIS search problem, offers a complete key recovery with the
minimum known coefficients in NTT domain. For Kyber512 and Dilithium2, only 64 and 32 coefficients are enough to recover a subset of the private key with 256 coefficients, respectively. Furthermore, we propose a parameter-adjustable CPA scheme to
expedite the recovery of a single coefficient in NTT domain. Combining this CPA scheme with the SIS-assisted approach, we executed practical attacks on both unprotected and masked implementations of Kyber and Dilithium on an ARM Cortex-M4. The results
demonstrate that we can recover a subset of 256 private key coefficients for Dilithium2 using 2,000 power traces in 0.5 minutes, while Kyber512 requires 0.4 minutes and 500 power traces. These attacks achieve a 400$\times$ speedup compared to the
best-known attacks against Dilithium. Moreover, we successfully break the first-order mask implementations and explore the potential applicability to higher-order implementations.
## 2023/1867
* Title: Different Flavours of HILL Pseudoentropy and Yao Incompressibility Entropy
* Authors: Pihla Karanko
* [Permalink](https://eprint.iacr.org/2023/1867)
* [Download](https://eprint.iacr.org/2023/1867.pdf)
### Abstract
There are two popular ways to measure computational entropy in cryptography: (HILL) pseudoentropy and (Yao) incompressibility entropy. Both of these computational entropy notions are based on a natural intuition.
- A random variable $X$ has $k$ bits of pseudoentropy if there exists a random variable $Y$ that has $k$ bits 'real' entropy and $Y$ is computationally indistinguishable from $X$.
- A random variable $X$ has $k$ bits of incompressibility entropy if $X$ cannot be efficiently compressed to less than $k$ bits.
It is also intuitive that if a random variable has high pseudoentropy, then it should also have high incompressibility entropy, because a high-entropy distribution cannot be compressed.
However, the above intuitions are not precise. Does 'real entropy' refer to Shannon entropy or min-entropy? What kind of correctness do we require from the compressor algorithm? Different papers use slightly different variations of both pseudoentropy and
incompressibility entropy.
In this note we study these subtle differences and see how they affect the parameters in the implication that pseudoentropy implies incompressibility.
## 2023/1868
* Title: COMMON: Order Book with Privacy
* Authors: Albert Garreta, Adam Gągol, Aikaterini-Panagiota Stouka, Damian Straszak, Michal Zajac
* [Permalink](https://eprint.iacr.org/2023/1868)
* [Download](https://eprint.iacr.org/2023/1868.pdf)
### Abstract
Decentralized Finance (DeFi) has witnessed remarkable growth and innovation, with Decentralized Exchanges (DEXes) playing a pivotal role in shaping this ecosystem. As numerous DEX designs emerge, challenges such as price inefficiency and lack of user
privacy continue to prevail. This paper introduces a novel DEX design, termed COMMON, that addresses these two predominant challenges. COMMON operates as an order book, natively integrated with a shielded token pool, thus providing anonymity to its users.
Through the integration of zk-SNARKs, order batching, and Multiparty Computation (MPC), COMMON also allows the values in orders to be concealed.
This feature, paired with users never leaving the shielded pool when utilizing COMMON, provides a high level of privacy.
To enhance price efficiency, we introduce a two-stage order matching process: initially, orders are internally matched, followed by an open, permissionless Dutch Auction to present the assets to Market Makers. This design effectively enables aggregating
multiple sources of liquidity as well as helps reduce the adverse effects of Maximal Extractable Value (MEV), by redirecting most of the MEV profits back to the users.
## 2023/1869
* Title: Accountable Bulletin Boards: Definition and Provably Secure Implementation
* Authors: Mike Graf, Ralf Küsters, Daniel Rausch, Simon Egger, Marvin Bechtold, Marcel Flinspach
* [Permalink](https://eprint.iacr.org/2023/1869)
* [Download](https://eprint.iacr.org/2023/1869.pdf)
### Abstract
Bulletin boards (BB) are important cryptographic building blocks that, at their core, provide a broadcast channel with
memory. BBs are widely used within many security protocols, including secure multi-party computation protocols, e-voting systems, and electronic auctions. Even though the security of protocols crucially depends on the underlying BB, as also highlighted
by recent works, the literature on constructing secure BBs is sparse. The so-far only provably secure BBs require trusted components and sometimes also networks without message loss, which makes them unsuitable for applications with particularly high
security needs where these assumptions might not always be met.
In this work, we fill this gap by leveraging the concepts of accountability and universal composability (UC). More
specifically, we propose the first ideal functionality for accountable BBs that formalizes the security requirements
of such BBs in UC. We then propose Fabric$^\ast_\text{BB}$ as a slight extension designed on top of Fabric$^\ast$, which is a variant of the prominent Hyperledger Fabric distributed ledger protocol, and show that Fabric$^\ast_\text{BB}$ UC-realizes our
ideal BB functionality. This result makes Fabric$^\ast_\text{BB}$ the first provably accountable BB, an often desired, but so far not formally proven property for BBs, and also the first BB that has been proven to be secure based only on standard
cryptographic assumptions and without requiring trusted BB components or network assumptions. Through an implementation and performance evaluation we show that Fabric$^\ast_\text{BB}$ is practical for many applications of BBs.
## 2023/1870
* Title: An Improved Method for Evaluating Secret Variables and Its Application to WAGE
* Authors: Weizhe Wang, Haoyang Wang, Deng Tang
* [Permalink](https://eprint.iacr.org/2023/1870)
* [Download](https://eprint.iacr.org/2023/1870.pdf)
### Abstract
The cube attack is a powerful cryptanalysis technique against symmetric ciphers, especially stream ciphers. The adversary aims to recover secret key bits by solving equations that involve the key. To simplify the equations, a set of plaintexts called a
cube is summed up together. Traditional cube attacks use only linear or quadratic superpolies, and the size of cube is limited to an experimental range, typically around 40. However, cube attack based on division property, proposed by Todo et al. at
CRYPTO 2017, overcomes these limitations and enables theoretical cube attacks on many lightweight stream ciphers. For a given cube $I$, they evaluate the set $J$ of secret key bits involved in the superpoly and require $2^{|I|+|J|}$ encryptions to
recover the superpoly. However, the secret variables evaluation method proposed by Todo et al. sometimes becomes unresponsive and fails to solve within a reasonable time. In this paper, we propose an improvement to Todo's method by breaking down
difficult-to-solve problems into several smaller sub-problems. Our method retains the efficiency of Todo's method while effectively avoiding unresponsive situations. We apply our method to the WAGE cipher, an NLFSR-based authenticated encryption
algorithm and one of the second round candidates in the NIST LWC competition. Specifically, we successfully mount cube attacks on 29-round WAGE, as well as on 24-round WAGE with a sponge constraint. To the best of our knowledge, this is the first cube
attack against the WAGE cipher, which provides a more accurate characterization of the WAGE's resistance against algebraic attacks.
## 2023/1871
* Title: B2T: The Third Logical Value of a Bit
* Authors: Dipesh, Vishesh Mishra, Urbi Chatterjee
* [Permalink](https://eprint.iacr.org/2023/1871)
* [Download](https://eprint.iacr.org/2023/1871.pdf)
### Abstract
Modern computing systems predominantly operate on the binary number system that accepts only '0' or '1' as logical values, leading to computational homogeneity. But this helps in creating leakage patterns that can be exploited by adversaries to
carry out hardware and software-level attacks. Recent research has shown that ternary systems, operating on three logical values ('0', '1', and 'z'), can surpass binary systems in terms of performance and security. In this paper, we first propose
a novel approach that assigns logical values based on the direction of current flow within a conducting element, rather than relying on the voltage scale. Furthermore, we also present the mathematical models for each ternary gate.
## 2023/1872
* Title: Integral Multiset: A Novel Framework for Integral Attacks over Finite Fields
* Authors: Weizhe Wang, Deng Tang
* [Permalink](https://eprint.iacr.org/2023/1872)
* [Download](https://eprint.iacr.org/2023/1872.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)