## In this issue
1. [2023/1901] Middle-Products of Skew Polynomials and Learning ...
2. [2023/1902] A Transaction-Level Model for Blockchain Privacy
3. [2023/1903] Quarantined-TreeKEM: a Continuous Group Key ...
4. [2023/1904] Generalized Kotov-Ushakov Attack on Tropical ...
5. [2023/1905] Oops, I did it again revisited: another look at ...
6. [2023/1906] Exploring SIDH-based Signature Parameters
7. [2023/1907] Integral Cryptanalysis Using Algebraic Transition ...
8. [2023/1908] PARScoin: A Privacy-preserving, Auditable, and ...
9. [2023/1909] Ratel: MPC-extensions for Smart Contracts
10. [2023/1910] Failed crypto: Matrices over non-standard arithmetic
11. [2023/1911] Non-Interactive Classical Verification of Quantum ...
12. [2023/1912] Dishonest Majority Multiparty Computation over ...
13. [2023/1913] Breaking RSA Authentication on Zynq-7000 SoC and ...
14. [2023/1914] Efficient Low-Latency Masking of Ascon without ...
15. [2023/1915] Efficient Post-Quantum Secure Deterministic ...
16. [2023/1916] DispersedSimplex: simple and efficient atomic broadcast
17. [2023/1917] Regularized PolyKervNets: Optimizing Expressiveness ...
18. [2023/1918] FANNG-MPC: Framework for Artificial Neural Networks ...
19. [2023/1919] When and How to Aggregate Message Authentication ...
20. [2023/1920] Camel: E2E Verifiable Instant Runoff Voting without ...
21. [2023/1921] Automated Issuance of Post-Quantum Certificates: a ...
22. [2023/1922] One for All, All for Ascon: Ensemble-based Deep ...
23. [2023/1923] Differential Fault Attack on Ascon Cipher
24. [2023/1924] Analyzing the complexity of reference post-quantum ...
## 2023/1901
* Title: Middle-Products of Skew Polynomials and Learning with Errors
* Authors: Cong Ling, Andrew Mendelsohn
* [Permalink](
https://eprint.iacr.org/2023/1901)
* [Download](
https://eprint.iacr.org/2023/1901.pdf)
### Abstract
We extend the middle product to skew polynomials, which we use to define a skew middle-product Learning with Errors (LWE) variant. We also define a skew polynomial LWE problem, which we connect to Cyclic LWE (CLWE), a variant of LWE in cyclic division
algebras. We then reduce a family of skew polynomial LWE problems to skew middle-product LWE, for a family which includes the structures found in CLWE. Finally, we give an encryption scheme and demonstrate its IND-CPA security, assuming the hardness of
skew middle-product LWE.
## 2023/1902
* Title: A Transaction-Level Model for Blockchain Privacy
* Authors: François-Xavier Wicht, Zhipeng Wang, Duc V. Le, Christian Cachin
* [Permalink](
https://eprint.iacr.org/2023/1902)
* [Download](
https://eprint.iacr.org/2023/1902.pdf)
### Abstract
Considerable work explores blockchain privacy notions. Yet, it usually employs entirely different models and notations, complicating potential comparisons. In this work, we use the Transaction Directed Acyclic Graph (TDAG) and extend it to capture
blockchain privacy notions (PDAG). We give consistent definitions for untraceability and unlinkability. Moreover, we specify conditions on a blockchain system to achieve each aforementioned privacy notion. Thus, we can compare the two most prominent
privacy-preserving blockchains -- Monero and Zcash, in terms of privacy guarantees. Finally, we unify linking heuristics from the literature with our graph notation and review a good portion of research on blockchain privacy.
## 2023/1903
* Title: Quarantined-TreeKEM: a Continuous Group Key Agreement for MLS, Secure in Presence of Inactive Users
* Authors: Céline Chevalier, Guirec Lebrun, Ange Martinelli
* [Permalink](
https://eprint.iacr.org/2023/1903)
* [Download](
https://eprint.iacr.org/2023/1903.pdf)
### Abstract
The recently standardized secure group messaging protocol “Messaging Layer Security” (MLS) is designed to ensure asynchronous communications within large groups, with an almost-optimal communication cost and the same security level as point-to-point
secure messaging protocols such as “Signal”. In particular, the core sub-protocol of MLS, a Continuous Group Key Agreement (CGKA) called TreeKEM, must generate a common group key that respects the fundamental security properties of “post-compromise
security” and “forward secrecy” which mitigate the effects of user corruption over time.
Most research on CGKAs has focused on how to improve these two security properties. However, post-compromise security and forward secrecy require the active participation of respectively all compromised users and all users within the group. Inactive
users – who remain offline for long periods – no longer update their encryption keys and therefore represent a vulnerability for the entire group. This issue has already been identified in the MLS standard, but no solution, other than expelling
these inactive users after some disconnection time, has been found.
We propose here a CGKA protocol based on TreeKEM and fully compatible with the MLS standard, that implements a “quarantine” mechanism for the inactive users in order to mitigate the risk induced by these users without removing them from the group.
That mechanism indeed updates the inactive users’ encryption keys on their behalf and secures these keys with a secret sharing scheme. If some of the inactive users eventually reconnect, their quarantine stops and they are able to recover all the
messages that were exchanged during their offline period. Our “Quarantined-TreeKEM” protocol thus offers a good trade-off between security and functionality, with a very limited – and sometimes negative – communication overhead.
## 2023/1904
* Title: Generalized Kotov-Ushakov Attack on Tropical Stickel Protocol Based on Modified Circulants
* Authors: Sulaiman Alhussaini, Craig Collett, Sergeĭ Sergeev
* [Permalink](
https://eprint.iacr.org/2023/1904)
* [Download](
https://eprint.iacr.org/2023/1904.pdf)
### Abstract
After the Kotov-Ushakov attack on the tropical implementation of Stickel protocol, various attempts have been made to create a secure variant of such implementation. Some of these attempts used a special class of commuting matrices resembling tropical
circulants, and they have been proposed with claims of resilience against the Kotov-Ushakov attack, and even being potential post-quantum candidates. This paper, however, reveals that a form of the Kotov-Ushakov attack remains applicable and, moreover,
there is a heuristic implementation of that attack which has a polynomial time complexity and shows an overwhelmingly good success rate.
## 2023/1905
* Title: Oops, I did it again revisited: another look at reusing one-time signatures
* Authors: Scott Fluhrer
* [Permalink](
https://eprint.iacr.org/2023/1905)
* [Download](
https://eprint.iacr.org/2023/1905.pdf)
### Abstract
In "Oops, I did it again" - Security of One-Time Signatures under Two-Message Attacks, Bruinderink and Hülsing analyzed the effect of key reuse for several one time signature systems.
When they analyzed the Winternitz system, they assumed certain probabilities were independent when they weren't, leading to invalid conclusions.
This paper does a more correct characterization of the Winternitz scheme, and while their ultimate conclusion (that key reuse allows for practical forgeries) is correct, the situation is both better and worse than what they concluded.
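Why signing two messages under one Winternitz key is fatal, as an added illustration that is not the paper's code or analysis: a toy WOTS with a 4-byte digest and w = 16 (real parameters are much larger), with constructed seed and messages. Each signature reveals, for every hash chain, the value at the position given by that message's digit; holding two signatures, an attacker knows each chain from the lower of the two positions onward and can sign any message whose digits (checksum digits included) all lie at or above those positions. The search below simply tries candidate messages until one qualifies. The chain function, domain separation strings and parameter sizes are choices made here for illustration.

```python
"""Toy Winternitz one-time signature (WOTS) and the two-message key-reuse forgery.

Added illustration, not code from the paper. Parameters are deliberately tiny
(4-byte message digest, w = 16) so the forgery search finishes instantly.
"""
import hashlib

W = 16                 # Winternitz parameter: each digit is in 0..W-1
N = 4                  # toy digest length in bytes (real WOTS uses 32)
LEN1 = 2 * N           # message digits (base-16 digits of the digest)
LEN2 = 2               # checksum digits: max checksum LEN1*(W-1) = 120 fits in two
LEN = LEN1 + LEN2


def F(x: bytes) -> bytes:
    """Chain function: one step along a hash chain (domain-separated SHA-256)."""
    return hashlib.sha256(b"wots-chain|" + x).digest()[:16]


def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = F(x)
    return x


def digits(msg: bytes) -> list[int]:
    """Base-w digits of H(msg) followed by the Winternitz checksum digits."""
    h = hashlib.sha256(msg).digest()[:N]
    d = []
    for b in h:
        d.extend((b >> 4, b & 0x0F))
    csum = sum(W - 1 - x for x in d)          # large message digits -> small checksum
    d.extend((csum >> 4, csum & 0x0F))
    return d


def keygen(seed: bytes):
    """Derive LEN chain secrets from a seed; pk_i is the end of chain i."""
    sk = [hashlib.sha256(b"wots-sk|" + seed + bytes([i])).digest()[:16] for i in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """sig_i = F^{d_i}(sk_i): the chain value at position d_i is revealed."""
    return [chain(sk[i], d) for i, d in enumerate(digits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Walk each chain the remaining W-1-d_i steps and compare with pk_i."""
    d = digits(msg)
    return all(chain(sig[i], W - 1 - d[i]) == pk[i] for i in range(LEN))


def forge_from_reuse(m1, sig1, m2, sig2, max_tries=500_000):
    """Two signatures under one key -> a valid signature on a third message.

    For chain i the attacker holds the value at position min(d1_i, d2_i) and can
    compute every higher position by applying F, but no lower one. Any message
    whose digits (checksum included) are all >= those positions is forgeable.
    """
    d1, d2 = digits(m1), digits(m2)
    known = [(sig1[i], d1[i]) if d1[i] <= d2[i] else (sig2[i], d2[i]) for i in range(LEN)]
    for t in range(max_tries):
        cand = b"forged-" + t.to_bytes(4, "big")   # constructed candidate messages
        if cand in (m1, m2):
            continue
        dc = digits(cand)
        if all(dc[i] >= pos for i, (_, pos) in enumerate(known)):
            return cand, [chain(val, dc[i] - pos) for i, (val, pos) in enumerate(known)]
    return None


def demo():
    """Sign two messages with one key (the mistake), then forge a third (constructed data)."""
    sk, pk = keygen(b"constructed-seed")
    m1, m2 = b"pay alice 10", b"pay bob 25"
    sig1, sig2 = sign(sk, m1), sign(sk, m2)
    forged = forge_from_reuse(m1, sig1, m2, sig2)
    return {
        "sig1_ok": verify(pk, m1, sig1),
        "sig2_ok": verify(pk, m2, sig2),
        "forged": forged,
        "forgery_ok": forged is not None and verify(pk, forged[0], forged[1]),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum is what makes the count non-trivial: pushing message digits up to satisfy the known positions pushes the checksum down, so the checksum digits work against the attacker, which is exactly the dependence the abstract says must be modelled rather than assumed away. At these toy sizes a forgeable message still turns up after a few hundred candidates.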
## 2023/1906
* Title: Exploring SIDH-based Signature Parameters
* Authors: Andrea Basso, Mingjie Chen, Tako Boris Fouotsa, Péter Kutas, Abel Laval, Laurane Marco, Gustave Tchoffo Saah
* [Permalink](
https://eprint.iacr.org/2023/1906)
* [Download](
https://eprint.iacr.org/2023/1906.pdf)
### Abstract
Isogeny-based cryptography is an instance of post-quantum cryptography whose fundamental problem consists of finding an isogeny between two (isogenous) elliptic curves $E$ and $E'$. This problem is closely related to that of computing the endomorphism
ring of an elliptic curve. Therefore, many isogeny-based protocols require the endomorphism ring of at least one of the curves involved to be unknown. In this paper, we explore the design of isogeny-based protocols in a scenario where one assumes that
the endomorphism rings of all the curves are public. In particular, we identify digital signatures based on proof of isogeny knowledge from SIDH
squares as such a candidate. We explore the design choices for such constructions and propose two variants with practical instantiations. We analyze their security according to three lines, the first consists of attacks based on KLPT with both polynomial
and superpolynomial adversaries, the second consists of attacks derived from the SIDH attacks
and finally we study the zero-knowledge property of the underlying proof of knowledge.
## 2023/1907
* Title: Integral Cryptanalysis Using Algebraic Transition Matrices
* Authors: Tim Beyne, Michiel Verbauwhede
* [Permalink](
https://eprint.iacr.org/2023/1907)
* [Download](
https://eprint.iacr.org/2023/1907.pdf)
### Abstract
In this work we introduce algebraic transition matrices as the basis for
a new approach to integral cryptanalysis that unifies monomial trails (Hu et al., Asiacrypt 2020) and parity sets (Boura and Canteaut, Crypto 2016). Algebraic transition matrices allow for the computation of the algebraic normal form of a primitive based
on the algebraic normal forms of its components by means of well-understood operations from linear algebra. The theory of algebraic transition matrices leads to better insight into the relation between integral properties of $F$ and $F^{−1}$. In
addition, we show that the link between invariants and eigenvectors of correlation matrices (Beyne, Asiacrypt 2018) carries over to algebraic transition matrices. Finally, algebraic transition matrices suggest a generalized definition of integral
properties that subsumes previous notions such as extended division properties (Lambin, Derbez and Fouque, DCC 2020). On the practical side, a new algorithm is described to search for these generalized properties and applied to Present, resulting in new
properties. The algorithm can be instantiated with any existing automated search method for integral cryptanalysis.
## 2023/1908
* Title: PARScoin: A Privacy-preserving, Auditable, and Regulation-friendly Stablecoin
* Authors: Amirreza Sarencheh, Aggelos Kiayias, Markulf Kohlweiss
* [Permalink](
https://eprint.iacr.org/2023/1908)
* [Download](
https://eprint.iacr.org/2023/1908.pdf)
### Abstract
Stablecoins are digital assets designed to maintain a consistent value relative to a reference point, serving as a vital component in the blockchain and Decentralized Finance (DeFi) ecosystem. Typical implementations of stablecoins via smart contracts come
with important downsides such as a questionable level of privacy, potentially high fees, and lack of scalability. We put forth a new design, PARScoin, for a Privacy-preserving, Auditable, and Regulation-friendly Stablecoin that mitigates these issues
while enabling high performance both in terms of speed of settlement and for scaling to large numbers of users. Our construction is blockchain-agnostic and is analyzed in the Universal Composition (UC) framework, offering a secure and modular approach
for its integration into the broader blockchain ecosystem.
## 2023/1909
* Title: Ratel: MPC-extensions for Smart Contracts
* Authors: Yunqi Li, Kyle Soska, Zhen Huang, Sylvain Bellemare, Mikerah Quintyne-Collins, Lun Wang, Xiaoyuan Liu, Dawn Song, Andrew Miller
* [Permalink](
https://eprint.iacr.org/2023/1909)
* [Download](
https://eprint.iacr.org/2023/1909.pdf)
### Abstract
Enhancing privacy on smart contract-enabled blockchains has garnered much attention in recent research. Zero-knowledge proofs (ZKPs) are one of the most popular approaches; however, they fail to provide full expressiveness and fine-grained privacy. To
illustrate this, we underscore an underexplored type of Miner Extractable Value (MEV), called Residual Bids Extractable Value (RBEV). Residual bids highlight the vulnerability where unfulfilled bids inadvertently reveal traders’ unmet demands and
prospective trading strategies, thus exposing them to exploitation. ZKP-based approaches failed to address RBEV as they cannot provide post-execution privacy without some level of information disclosure. Other MEV mitigations like fair-ordering
protocols also failed to address RBEV. We introduce Ratel, an innovative framework bridging a multi-party computation (MPC) prototyping framework (MP-SPDZ) and a smart contract language (Solidity), harmonizing the privacy with full expressiveness of MPC
with Solidity’s on-chain programmability. This synergy empowers developers to effortlessly craft privacy-preserving decentralized applications (DApps). We demonstrate Ratel’s efficacy through two distinguished decentralized finance (DeFi)
applications: a decentralized exchange and a collateral auction, effectively mitigating the potential RBEV issue. Furthermore, Ratel is equipped with a lightweight crash-reset mechanism, enabling the seamless recovery of transiently benign faulty nodes.
To prevent the crash-reset mechanism from being abused by malicious entities and to ward off DoS attacks, we incorporate a cost-utility analysis anchored in the Bayesian approach. Our performance evaluation of the applications developed under the Ratel framework
underscores their competency in managing real-world peak-time workloads.
## 2023/1910
* Title: Failed crypto: Matrices over non-standard arithmetic
* Authors: Daniel R. L. Brown
* [Permalink](
https://eprint.iacr.org/2023/1910)
* [Download](
https://eprint.iacr.org/2023/1910.pdf)
### Abstract
A failed hypothesis is reported here. The hope was that large matrices over small non-standard arithmetic are likely to have infeasible division, and furthermore be secure for use in Rabi–Sherman associative cryptography.
## 2023/1911
* Title: Non-Interactive Classical Verification of Quantum Depth: A Fine-Grained Characterization
* Authors: Nai-Hui Chia, Shih-Han Hung
* [Permalink](
https://eprint.iacr.org/2023/1911)
* [Download](
https://eprint.iacr.org/2023/1911.pdf)
### Abstract
We introduce protocols for classical verification of quantum depth (CVQD). These protocols enable a classical verifier to differentiate between devices of varying quantum circuit depths, even in the presence of classical computation. The goal is to
demonstrate that a classical verifier can reject a device with a quantum circuit depth of no more than $d$, even if the prover employs additional polynomial-time classical computation to deceive. Conversely, the verifier accepts a device with a quantum
circuit depth of $d'>d$.
Previous results for separating hybrid quantum-classical computers with various quantum depths require either quantum access to oracles or interactions between the classical verifier and the quantum prover. However, instantiating oracle separations can
significantly increase the quantum depth in general, and interaction challenges the quantum device to keep the qubits coherent while waiting for the verifier's messages. These requirements pose barriers to implementing the protocols on near-term devices.
In this work, we present a two-message protocol under the quantum hardness of learning with errors and the random oracle heuristic. An honest prover only needs classical access to the random oracle, and therefore any instantiation of the oracle does not
increase the quantum depth. To our knowledge, our protocol is the first non-interactive CVQD, the instantiation of which using concrete hash functions, e.g., SHA-3, does not require additional quantum depth.
Our second protocol seeks to explore the minimality of cryptographic assumptions and the tightness of the separations. To accomplish this, we introduce an untrusted quantum machine that shares entanglements with the target machine. Utilizing a robust
self-test, our protocol certifies the depth of the target machine with information-theoretic security and nearly optimal separation.
## 2023/1912
* Title: Dishonest Majority Multiparty Computation over Matrix Rings
* Authors: Hongqing Liu, Chaoping Xing, Chen Yuan, Taoxu Zou
* [Permalink](
https://eprint.iacr.org/2023/1912)
* [Download](
https://eprint.iacr.org/2023/1912.pdf)
### Abstract
Privacy-preserving machine learning (PPML) has gained growing importance over the last few years. One of the biggest challenges is to improve the efficiency of PPML so that the communication and computation costs of PPML are affordable for large
machine learning models such as deep learning. As we know, linear algebra such as matrix multiplication occupies a significant part of the computation in deep learning, such as deep convolutional neural networks (CNNs). Thus, it is desirable to propose
an MPC protocol specialized for matrix operations. In this work, we propose a dishonest majority MPC protocol over matrix rings which supports matrix multiplication and addition. Our MPC protocol can be seen as a variant of the SPDZ protocol, i.e., the
MAC and global key of our protocol are vectors of length $m$ and the secret of our protocol is an $m\times m$ matrix. Compared to the classic SPDZ protocol, our MPC protocol reduces the communication complexity by at least $m$ times. We also show that
our MPC protocol is as efficient as [11] which also presented a dishonest majority MPC protocol specialized for matrix operations. The MPC protocol [11] resorts to the homomorphic encryption scheme (BFV scheme) to produce the matrix triples in the
preprocessing phase. This implies that their protocol only supports the matrix operations over integer rings or prime fields of large size. On the contrary, we resort to vector oblivious linear evaluations and random vector oblivious linear evaluations
to generate correlated randomness in the preprocessing phase. Thus, the matrices of our MPC protocol can be defined over any finite field or integer ring. Due to the small size of our MAC, the communication complexity of our MPC protocol remains almost
the same regardless of the size of the field or the ring.
## 2023/1913
* Title: Breaking RSA Authentication on Zynq-7000 SoC and Beyond: Identification of Critical Security Flaw in FSBL Software
* Authors: Prasanna Ravi, Arpan Jati, Shivam Bhasin
* [Permalink](
https://eprint.iacr.org/2023/1913)
* [Download](
https://eprint.iacr.org/2023/1913.pdf)
### Abstract
In this report, we perform an in-depth analysis of the RSA authentication feature used in the secure boot procedure of Xilinx Zynq-7000 SoC device. The First Stage Boot Loader (FSBL) is a critical piece of software
executed during secure boot, which utilizes the RSA authentication feature to validate all the hardware and software partitions to be mounted on the device. We analyzed the implementation of FSBL (provided by
Xilinx) for the Zynq-7000 SoC and identified a critical security flaw, whose exploitation makes it possible to load an unauthenticated application onto the Zynq device, thereby bypassing RSA authentication. We also experimentally validated the presence
of the vulnerability through a Proof of Concept (PoC) attack to successfully mount an unauthenticated software application on an RSA authenticated Zynq device. The identified flaw is only present in the FSBL software and thus can be easily fixed through
appropriate modification of the FSBL software. Thus, the first contribution of our work is the identification of a critical security flaw in the FSBL software to bypass RSA authentication.
Upon bypassing RSA authentication, an attacker can mount any unauthenticated software application on the target device to mount a variety of attacks. Among the several possible attacks, we are interested to perform recovery of the encrypted bitstream in
the target boot image of the Zynq-7000 device. To the best of our knowledge, there does not exist any prior work that has reported a practical bitstream recovery attack on the Zynq-7000 device. In the context of bitstream recovery, Ender et al. in 2020
proposed the Starbleed attack that is applicable to standalone Virtex-6 and 7-series Xilinx FPGAs. The design advisory provided by Xilinx as a response to the Starbleed attack claims that the Zynq-7000 SoC is resistant “due to the use of asymmetric and/or
symmetric authentication in the boot/configuration process that ensures configuration is authenticated prior to use”. Due to the security flaw found in the FSBL, we managed to identify a novel approach to mount
the Starbleed attack on the Zynq-7000 device for full bitstream recovery. Thus, as a second contribution of our work, we present the first practical demonstration of the Starbleed attack on the Zynq-7000 SoC. We perform experimental validation of our
proposed attacks on the PYNQ-Z1 platform based on the Zynq-7000 SoC.
## 2023/1914
* Title: Efficient Low-Latency Masking of Ascon without Fresh Randomness
* Authors: Srinidhi Hari Prasad, Florian Mendel, Martin Schläffer, Rishub Nagpal
* [Permalink](
https://eprint.iacr.org/2023/1914)
* [Download](
https://eprint.iacr.org/2023/1914.pdf)
### Abstract
In this work, we present the first low-latency, second-order masked hardware implementation of Ascon that requires no fresh randomness using only $d+1$ shares. Our results significantly outperform any publicly known second-order masked implementation of
AES and Ascon in terms of combined area, latency and randomness requirements. Ascon is a family of lightweight authenticated encryption and hashing schemes selected by NIST for standardization. Ascon is tailored for small form factors. It requires less
power and energy while attaining the same or even better performance than current NIST standards.
We achieve the reduction of latency by rearranging the linear layers of the Ascon permutation in a round-based implementation. We provide an improved technique to achieve implementations without the need for fresh randomness. It is based on the concept
of changing of the guards extended to the second-order case. Together with the reduction of latency, we need to consider a large set of additional conditions which we propose to solve using a SAT solver.
We have formally verified both, our first- and second-order implementations of Ascon using CocoAlma for the first two rounds. Additionally, we have performed a leakage assessment using t-tests on all 12 rounds of the initial permutation. Finally, we
provide a comparison of our second-order masked Ascon implementation with other results.
## 2023/1915
* Title: Efficient Post-Quantum Secure Deterministic Threshold Wallets from Isogenies
* Authors: Poulami Das, Andreas Erwig, Michael Meyer, Patrick Struck
* [Permalink](
https://eprint.iacr.org/2023/1915)
* [Download](
https://eprint.iacr.org/2023/1915.pdf)
### Abstract
Cryptocurrency networks crucially rely on digital signature schemes, which are used as an authentication mechanism for transactions. Unfortunately, most major cryptocurrencies today, including Bitcoin and Ethereum, employ signature schemes that are
susceptible to quantum adversaries, i.e., an adversary with access to a quantum computer can forge signatures and thereby spend coins of honest users. In cryptocurrency networks, signature schemes are typically not executed in isolation, but within a so-
called cryptographic wallet. In order to achieve security against quantum adversaries, the signature scheme and the cryptographic wallet must withstand quantum attacks.
In this work, we advance the study on post-quantum secure signature and wallet schemes. That is, we provide the first formal model for deterministic threshold wallets and we show a generic post-quantum secure construction from any post-quantum secure
threshold signature scheme with rerandomizable keys. We then instantiate our construction from the isogeny-based signature scheme CSI-FiSh and we show that our instantiation significantly improves over prior work.
## 2023/1916
* Title: DispersedSimplex: simple and efficient atomic broadcast
* Authors: Victor Shoup
* [Permalink](
https://eprint.iacr.org/2023/1916)
* [Download](
https://eprint.iacr.org/2023/1916.pdf)
### Abstract
In this brief note, we flesh out some details of the recently proposed Simplex atomic broadcast protocol, and modify it so that leaders disperse blocks in a more communication efficient fashion, while maintaining the simplicity and excellent latency
characteristics of the protocol.
## 2023/1917
* Title: Regularized PolyKervNets: Optimizing Expressiveness and Efficiency for Private Inference in Deep Neural Networks
* Authors: Toluwani Aremu
* [Permalink](
https://eprint.iacr.org/2023/1917)
* [Download](
https://eprint.iacr.org/2023/1917.pdf)
### Abstract
Private computation of nonlinear functions, such as Rectified Linear Units (ReLUs) and max-pooling operations, in deep neural networks (DNNs) poses significant challenges in terms of storage, bandwidth, and time consumption. To address these challenges,
there has been a growing interest in utilizing privacy-preserving techniques that leverage polynomial activation functions and kernelized convolutions as alternatives to traditional ReLUs. However, these alternative approaches often suffer from a trade-
off between achieving faster private inference (PI) and sacrificing model accuracy. In particular, when applied to much deeper networks, these methods encounter training instabilities, leading to issues like exploding gradients (resulting in NaNs) or
suboptimal approximations. In this study, we focus on PolyKervNets, a technique known for offering improved dynamic approximations in smaller networks but still facing instabilities in larger and more complex networks. Our primary objective is to
empirically explore optimization-based training recipes to enhance the performance of PolyKervNets in larger networks. By doing so, we aim to potentially eliminate the need for traditional nonlinear activation functions, thereby advancing the state-of-
the-art in privacy-preserving deep neural network architectures.
## 2023/1918
* Title: FANNG-MPC: Framework for Artificial Neural Networks and Generic MPC
* Authors: Najwa Aaraj, Abdelrahaman Aly, Tim Güneysu, Chiara Marcolla, Johannes Mono, Rogerio Paludo, Iván Santos-González, Mireia Scholz, Eduardo Soria-Vazquez, Victor Sucasas, Ajith Suresh
* [Permalink](
https://eprint.iacr.org/2023/1918)
* [Download](
https://eprint.iacr.org/2023/1918.pdf)
### Abstract
In this work, we introduce FANNG-MPC, a versatile secure multi-party computation framework capable of offering active security for privacy-preserving machine learning as a service (MLaaS). Derived from the now deprecated SCALE-MAMBA, FANNG is a data-oriented
fork, featuring a novel set of libraries and instructions for realizing private neural networks, effectively reviving the popular framework. To the best of our knowledge, FANNG is the first MPC framework to offer actively secure MLaaS in the
dishonest majority setting, specifically two parties.
FANNG goes beyond SCALE-MAMBA by decoupling offline and online phases and materializing the dealer model in software, enabling a separate set of entities to produce offline material. The framework incorporates database support, a new instruction set for
pre-processed material, including garbled circuits and convolutional and matrix multiplication triples. FANNG also implements novel private comparison protocols and an optimized library supporting Neural Network functionality. All our theoretical claims
are substantiated by an extensive evaluation using an open-sourced implementation, including the private evaluation of popular neural networks like LeNet and VGG16.
## 2023/1919
* Title: When and How to Aggregate Message Authentication Codes on Lossy Channels?
* Authors: Eric Wagner, Martin Serror, Klaus Wehrle, Martin Henze
* [Permalink](
https://eprint.iacr.org/2023/1919)
* [Download](
https://eprint.iacr.org/2023/1919.pdf)
### Abstract
Aggregation of message authentication codes (MACs) is a proven and efficient method to preserve valuable bandwidth in resource-constrained environments: Instead of appending a long authentication tag to each message, the integrity protection of multiple
messages is aggregated into a single tag. However, while such aggregation saves bandwidth, a single lost message typically means that authentication information for multiple messages cannot be verified anymore. With the significant increase of bandwidth-
constrained lossy communication, as applications shift towards wireless channels, it thus becomes paramount to study the impact of packet loss on the diverse MAC aggregation schemes proposed over the past 15 years to assess when and how to aggregate
message authentication. Therefore, we empirically study all relevant MAC aggregation schemes in the context of lossy channels, investigating achievable goodput improvements, the resulting verification delays, processing overhead, and resilience to denial-
of-service attacks. Our analysis shows the importance of carefully choosing and configuring MAC aggregation, as selecting and correctly parameterizing the right scheme can, e.g., improve goodput by 39% to 444%, depending on the scenario. However, since
no aggregation scheme performs best in all scenarios, we provide guidelines for network operators to select optimal schemes and parameterizations suiting specific network settings.
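The bandwidth-versus-loss trade-off the abstract describes, as an added illustration that is not the paper's code and does not reproduce the schemes it surveys: one window of constructed packets is protected either with a truncated HMAC-SHA256 tag per packet or with a single XOR-aggregated tag for the whole window (XOR aggregation is one well-known aggregate MAC construction; the key, tag length, window size and payloads are chosen here). With no loss the aggregate saves seven tags' worth of bytes; drop one packet and the receiver can no longer recompute the aggregate, so every packet in the window goes unauthenticated, whereas per-packet tagging loses only the dropped packet.

```python
"""Aggregate MAC on a lossy channel: what one dropped packet costs.

Added illustration, not code from the paper. Uses XOR aggregation of truncated
HMAC-SHA256 tags (one well-known aggregate MAC construction); key and traffic
are constructed.
"""
import hashlib
import hmac

KEY = bytes(range(32))    # constructed shared key, illustration only
TAG_LEN = 16              # truncated tag length in bytes


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """Per-message tag; the sequence number is bound in so reordering and replay are caught."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:TAG_LEN]


def aggregate(tags) -> bytes:
    """XOR-aggregate per-message tags into one tag of the same length (order-independent)."""
    agg = bytes(TAG_LEN)
    for t in tags:
        agg = bytes(a ^ b for a, b in zip(agg, t))
    return agg


def verify_window(key: bytes, received, agg_tag: bytes, expected_seqs) -> list:
    """Accept a whole window or nothing.

    Without every message in the window the receiver cannot recompute the
    aggregate, so a single loss leaves all of them unauthenticated.
    """
    if {seq for seq, _ in received} != set(expected_seqs):
        return []
    recomputed = aggregate(tag(key, seq, p) for seq, p in received)
    return sorted(seq for seq, _ in received) if hmac.compare_digest(recomputed, agg_tag) else []


def simulate(messages, lost_seq=None) -> dict:
    """Per-message tags vs one aggregate tag for a window, with packet `lost_seq` dropped."""
    payload_bytes = sum(len(p) for _, p in messages)
    delivered = [(s, p) for s, p in messages if s != lost_seq]

    # Scheme A: a tag on every packet. Loss costs exactly the lost packet.
    per_msg_packets = [(s, p, tag(KEY, s, p)) for s, p in messages]
    verified_per_msg = [s for s, p, t in per_msg_packets
                        if s != lost_seq and hmac.compare_digest(tag(KEY, s, p), t)]

    # Scheme B: one aggregate tag per window. Saves (n-1)*TAG_LEN bytes; loss is all-or-nothing.
    agg_tag = aggregate(tag(KEY, s, p) for s, p in messages)
    verified_agg = verify_window(KEY, delivered, agg_tag, [s for s, _ in messages])

    wire_per_msg = payload_bytes + len(messages) * TAG_LEN
    wire_agg = payload_bytes + TAG_LEN

    def authed(seqs):
        return sum(len(p) for s, p in messages if s in seqs)

    return {
        "wire_bytes_per_msg": wire_per_msg,
        "wire_bytes_agg": wire_agg,
        "verified_per_msg": verified_per_msg,
        "verified_agg": verified_agg,
        # authenticated payload bytes per byte sent: the goodput the abstract talks about
        "goodput_per_msg": authed(verified_per_msg) / wire_per_msg,
        "goodput_agg": authed(verified_agg) / wire_agg,
    }


if __name__ == "__main__":
    window = [(i, bytes([0x41 + i]) * 20) for i in range(8)]   # constructed 8-packet window
    print(simulate(window))                # no loss: aggregate wins on goodput
    print(simulate(window, lost_seq=3))    # one loss: the whole aggregated window is unverifiable
```

The window size is the knob the abstract calls parameterization: a longer window saves more tag bytes per payload byte but raises the chance that at least one packet in it is lost, and it also delays verification until the last packet of the window arrives.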
## 2023/1920
* Title: Camel: E2E Verifiable Instant Runoff Voting without Tallying Authorities
* Authors: Luke Harrison, Samiran Bag, Feng Hao
* [Permalink](
https://eprint.iacr.org/2023/1920)
* [Download](
https://eprint.iacr.org/2023/1920.pdf)
### Abstract
Instant Runoff Voting (IRV) is one example of ranked-choice voting. It provides many known benefits when used in elections, such as minimising vote splitting, ensuring few votes are wasted, and providing resistance to strategic voting. However, the
voting and tallying procedures for IRV are much more complicated than those of plurality and are both error-prone and tedious. Many automated systems have been proposed to simplify these procedures in IRV. Some of these also employ cryptographic
techniques to protect the secrecy of ballots and enable verification of the tally. Nearly all of these cryptographic systems require a set of trustworthy tallying authorities (TAs) to perform the decryption of votes and/or running of mix servers, which
adds significant complexity to the implementation and election management. We address this issue by proposing Camel: an E2E verifiable solution for IRV that requires no TAs. Camel employs a novel representation and a universally verifiable shifting
procedure for ballots that facilitate the elimination of candidates as required in an IRV election. We combine these with a homomorphic encryption scheme and zero-knowledge proofs to protect the secrecy of the ballots and enable any party to verify the
well-formedness of the ballots and the correctness of the tally in an IRV election. We examine the security of Camel and prove it maintains ballot secrecy by limiting the learned information (namely the tally) against a set of colluding voters.
## 2023/1921
* Title: Automated Issuance of Post-Quantum Certificates: a New Challenge
* Authors: Alexandre Augusto Giron, Frederico Schardong, Lucas Pandolfo Perin, Ricardo Custódio, Victor Valle, Víctor Mateu
* [Permalink](
https://eprint.iacr.org/2023/1921)
* [Download](
https://eprint.iacr.org/2023/1921.pdf)
### Abstract
[continued in next message]