## In this issue
1. [2023/807] Ready to SQI? Safety First! Towards a constant-time ...
2. [2024/163] On Tweakable Correlation Robust Hashing against Key ...
3. [2024/164] Faster BGV Bootstrapping for Power-of-Two ...
4. [2024/165] Adaptively-Sound Succinct Arguments for NP from ...
5. [2024/166] A Practical MinRank Attack Against VOX
6. [2024/167] Creating from Noise: Trace Generations Using ...
7. [2024/168] Breaking the Cubic Barrier: Distributed Key and ...
8. [2024/169] Machine Learning based Blind Side-Channel Attacks ...
9. [2024/170] Train Wisely: Multifidelity Bayesian Optimization ...
10. [2024/171] Approximate Methods for the Computation of Step ...
11. [2024/172] Relaxed Functional Bootstrapping: A New Perspective ...
12. [2024/173] Constant-Size zk-SNARKs in ROM from Falsifiable ...
13. [2024/174] QPP and HPPK: Unifying Non-Commutativity for ...
14. [2024/175] Lossy Cryptography from Code-Based Assumptions
15. [2024/176] The impact of data-heavy, post-quantum TLS 1.3 on ...
16. [2024/177] Registered Functional Encryption for Quadratic ...
17. [2024/178] Fast Public-Key Silent OT and More from Constrained ...
18. [2024/179] Traitor Tracing without Trusted Authority from ...
19. [2024/180] Exploiting RPMB authentication in a closed source ...
20. [2024/181] Functional Bootstrapping for FV-style Cryptosystems
21. [2024/182] FileDES: A Secure, Scalable and Succinct ...
22. [2024/183] On Security Proofs of Existing Equivalence Class ...
23. [2024/184] Threshold Raccoon: Practical Threshold Signatures ...
24. [2024/185] Vortex: A List Polynomial Commitment and its ...
25. [2024/186] RAD-FS - Inherent and Embedded SCA-Security in ...
26. [2024/187] On the bijectivity of the map $\chi$
27. [2024/188] HomeRun: High-efficiency Oblivious Message ...
28. [2024/189] ZeroAuction: Zero-Deposit Sealed-bid Auction via ...
29. [2024/190] Constructing Committing and Leakage-Resilient ...
30. [2024/191] A Simpler and More Efficient Reduction of DLog to ...
31. [2024/192] Direct FSS Constructions for Branching Programs and ...
32. [2024/193] MQ Does Not Reduce to TUOV
33. [2024/194] Helium: Scalable MPC among Lightweight Participants ...
34. [2024/195] PQC-AMX: Accelerating Saber and FrodoKEM on the ...
35. [2024/196] Subfield attack: leveraging composite-degree ...
36. [2024/197] Alba: The Dawn of Scalable Bridges for Blockchains
37. [2024/198] Distributed Randomness using Weighted VRFs
38. [2024/199] Formal Security Proofs via Doeblin Coefficients: ...
39. [2024/200] A Better Proof-of-Work Fork Choice Rule
40. [2024/201] Breaking the decisional Diffie-Hellman problem in ...
41. [2024/202] Fully Homomorphic Encryption beyond IND-CCA1 ...
42. [2024/203] Application-Aware Approximate Homomorphic ...
43. [2024/204] PerfOMR: Oblivious Message Retrieval with Reduced ...
44. [2024/205] A Generalized Distributed RSA Key Generation
45. [2024/206] Kronos: A Robust Sharding Blockchain Consensus with ...
46. [2024/207] NIZKs with Maliciously Chosen CRS: Subversion ...
47. [2024/208] Asymmetric Cryptography from Number Theoretic ...
48. [2024/209] General Adversary Structures in Byzantine Agreement ...
49. [2024/210] Rollerblade: Replicated Distributed Protocol ...
## 2023/807
* Title: Ready to SQI? Safety First! Towards a constant-time implementation of isogeny-based signature, SQIsign
* Authors: David Jacquemin, Anisha Mukherjee, Péter Kutas, Sujoy SINHA ROY
* [Permalink](
https://eprint.iacr.org/2023/807)
* [Download](
https://eprint.iacr.org/2023/807.pdf)
### Abstract
NIST has already published the first round of submissions for additional post-quantum signature schemes and the only isogeny-based candidate is SQIsign. It boasts the
most compact key and signature sizes among all post-quantum signature schemes. However, its current implementation does not address side-channel resistance. This
work is the first to identify a potential side-channel vulnerability in SQIsign. At
certain steps within the signing procedure, it relies on Cornacchia’s algorithm to
represent an integer as a sum of squares of two integers. This algorithm in turn uses
a ‘half-GCD’ (half-greatest common divisor) sub-routine based on Euclid’s division
algorithm which has often been exploited for side-channel attacks. We show that if
the inputs of Cornacchia’s algorithm leak, then one can retrieve the signing key in
polynomial time. Also, since there is no constant-time implementation for SQIsign,
we propose two timing attack-resistant versions of Cornacchia’s algorithm. The
first version uses a constant-time ‘half-GCD’ algorithm that runs a fixed number
of times for a given upper bound based on the bit-size of the inputs. The second
version is based on the two-dimensional lattice reduction algorithm. We show that
randomizing the starting basis with an unimodular matrix would make the execution
time independent of the input.
## 2024/163
* Title: On Tweakable Correlation Robust Hashing against Key Leakages
* Authors: Chun Guo, Xiao Wang, Kang Yang, Yu Yu
* [Permalink](
https://eprint.iacr.org/2024/163)
* [Download](
https://eprint.iacr.org/2024/163.pdf)
### Abstract
We continue the study of blockcipher-based (tweakable) correlation robust hash functions, which are central building blocks of circuit garbling and oblivious-transfer extension schemes. As results, we first enhance the multi-user tweakable correlation
robust notion of Guo et al. (CRYPTO 2020) with a {\it key leaking oracle} that tells the adversary whether a certain user key satisfies the adversarially-chosen predicate. We then investigate the state-of-the-art hash construction of Guo et al. with
respect to our new security definition, providing security proof as well as matching attacks. As an application, we exhibit an OT extension protocol with non-trivial multi-user security.
## 2024/164
* Title: Faster BGV Bootstrapping for Power-of-Two Cyclotomics through Homomorphic NTT
* Authors: Shihe Ma, Tairong Huang, Anyu Wang, Xiaoyun Wang
* [Permalink](
https://eprint.iacr.org/2024/164)
* [Download](
https://eprint.iacr.org/2024/164.pdf)
### Abstract
Power-of-two cyclotomics is a popular choice when instantiating the BGV scheme because of its efficiency and compliance with the FHE standard. However, in power-of-two cyclotomics, the linear transformations in BGV bootstrapping cannot be decomposed into
sub-transformations for acceleration with existing techniques. Thus, they can be highly time-consuming when the number of slots is large, degrading the advantage brought by the SIMD property of the plaintext space. By exploiting the algebraic structure
of power-of-two cyclotomics, this paper derives explicit decomposition of the linear transformations in BGV bootstrapping into NTT-like sub-transformations, which are highly efficient to compute homomorphically. Moreover, multiple optimizations are made
to evaluate homomorphic linear transformations, including modified BSGS algorithms, trade-offs between level and time, and specific simplifications for thin and general bootstrapping. We implement our method on HElib. With the number of slots ranging
from 4096 to 32768, we obtain a 7.35x$\sim$143x improvement in the running time of linear transformations and a 4.79x$\sim$66.4x improvement in bootstrapping throughput, compared to previous works or the naive approach.
## 2024/165
* Title: Adaptively-Sound Succinct Arguments for NP from Indistinguishability Obfuscation
* Authors: Brent Waters, David J. Wu
* [Permalink](
https://eprint.iacr.org/2024/165)
* [Download](
https://eprint.iacr.org/2024/165.pdf)
### Abstract
A succinct non-interactive argument (SNARG) for $\mathsf{NP}$ allows a prover to convince a verifier that an $\mathsf{NP}$ statement $x$ is true with a proof of size $o(|x| + |w|)$, where $w$ is the associated $\mathsf{NP}$ witness. A SNARG satisfies
adaptive soundness if the malicious prover can choose the statement to prove after seeing the scheme parameters. In this work, we provide the first adaptively-sound SNARG for $\mathsf{NP}$ in the plain model assuming sub-exponentially-hard
indistinguishability obfuscation, sub-exponentially-hard one-way functions, and either the (polynomial) hardness of the discrete log assumption or the (polynomial) hardness of factoring. This gives the first adaptively-sound SNARG for $\mathsf{NP}$ from
falsifiable assumptions. All previous SNARGs for $\mathsf{NP}$ in the plain model either relied on non-falsifiable cryptographic assumptions or satisfied a weak notion of non-adaptive soundness (where the adversary has to choose the statement it proves
before seeing the scheme parameters).
## 2024/166
* Title: A Practical MinRank Attack Against VOX
* Authors: Hao Guo, Jintai Ding
* [Permalink](
https://eprint.iacr.org/2024/166)
* [Download](
https://eprint.iacr.org/2024/166.pdf)
### Abstract
VOX is a UOV-like signature scheme submitted to Round 1 additional signatures of NIST PQC standardization process. In 2023 Furue and Ikematsu proposed a rectangular MinRank attack on VOX, resulting in the submitters changing their parameters to counter
this attack. In this paper we propose a new type of MinRank attack called padded MinRank attack. We show that the attack is highly efficient in its running time, taking less than one minute to break eight of nine parameters and about eight hours for the
remaining one. Therefore the parameters of VOX should be reexamined to ensure its safety.
## 2024/167
* Title: Creating from Noise: Trace Generations Using Diffusion Model for Side-Channel Attack
* Authors: Trevor Yap, Dirmanto Jap
* [Permalink](
https://eprint.iacr.org/2024/167)
* [Download](
https://eprint.iacr.org/2024/167.pdf)
### Abstract
In side-channel analysis (SCA), the success of an attack is largely dependent on the dataset sizes and the number of instances in each class. The generation of synthetic traces can help to improve attacks like profiling attacks.
However, manually creating synthetic traces from actual traces is arduous. Therefore, automating this process of creating artificial traces is much needed.
Recently, diffusion models have gained much recognition after beating another generative model known as Generative Adversarial Networks (GANs) in creating realistic images. We explore the usage of diffusion models in the domain of SCA. We proposed
frameworks for a known mask setting and unknown mask setting in which the diffusion models could be applied. Under a known mask setting, we show that the traces generated under the proposed framework preserved the original leakage. Next, we demonstrated
that the artificially created profiling data in the unknown mask setting can reduce the required attack traces for a profiling attack. This suggests that the artificially created profiling data from the trained diffusion model contains useful leakages to
be exploited.
## 2024/168
* Title: Breaking the Cubic Barrier: Distributed Key and Randomness Generation through Deterministic Sharding
* Authors: Hanwen Feng, Zhenliang Lu, Qiang Tang
* [Permalink](
https://eprint.iacr.org/2024/168)
* [Download](
https://eprint.iacr.org/2024/168.pdf)
### Abstract
There are long line of researches on the fundamental distributed key generation (DKG) protocols. Unfortunately, all of them suffer from a large cubic total communication, due to the fact that $O(n)$ participants need to {\em broadcast} to all $n$
participants.
We introduce the first two DKG protocols, both achieving optimal resilience, with sub-cubic total communication and computation. The first DKG generates a secret key within an Elliptic Curve group, incurring $\widetilde{\mathcal{O}}(n^{2.5}\lambda)$
total communication and computation. The second DKG, while slightly increasing communication and computation by a factor of the statistical security parameter, generates a secret key as a field element. This property makes it directly compatible with
various off-the-shelf DLog-based threshold cryptographic systems. Additionally, both DKG protocols straightforwardly imply an improved (single-shot) common coin protocol.
At the core of our techniques, we develop a simple-yet-effective methodology via deterministic sharding that arbitrarily groups nodes into shards;
and a new primitive called consortium-dealer secret sharing, to enable a shard of nodes to securely contribute a secret to the whole population only at the cost of one-dealer. We also formalize simulation-based security for publicly verifiable secret
sharing (PVSS), making it possible for a modular analysis for DKG. Those might be of independent interest.
## 2024/169
* Title: Machine Learning based Blind Side-Channel Attacks on PQC-based KEMs - A Case Study of Kyber KEM
* Authors: Prasanna Ravi, Dirmanto Jap, Shivam Bhasin, Anupam Chattopadhyay
* [Permalink](
https://eprint.iacr.org/2024/169)
* [Download](
https://eprint.iacr.org/2024/169.pdf)
### Abstract
Kyber KEM, the NIST selected PQC standard for Public Key Encryption and Key Encapsulation Mechanisms (KEMs) has been subjected to a variety of side-channel attacks, through the course of the NIST PQC standardization process. However, all these attacks
targeting the decapsulation procedure of Kyber KEM either require knowledge of the ciphertexts or require to control the value of ciphertexts for key recovery. However, there are no known attacks in a blind setting, where the attacker does not have
access to the ciphertexts. While blind side-channel attacks are known for symmetric key cryptographic schemes, we are not aware of such attacks for Kyber KEM. In this paper, we fill this gap by proposing the first blind side-channel attack on Kyber KEM.
We target leakage of the pointwise multiplication operation in the decryption procedure to carry out practical blind side-channel attacks resulting in full key recovery. We perform practical validation of our attack using power side-channel from the
reference implementation of Kyber KEM taken from the pqm4 library, implemented on the ARM Cortex-M4 microcontroller. Our experiments clearly indicate the feasibility of our proposed attack in recovering the full key in only a few hundred to few thousand
traces, in the presence of a suitably accurate Hamming Weight (HW) classifier.
## 2024/170
* Title: Train Wisely: Multifidelity Bayesian Optimization Hyperparameter Tuning in Side-Channel Analysis
* Authors: Trevor Yap Hong Eng, Shivam Bhasin, Léo Weissbart
* [Permalink](
https://eprint.iacr.org/2024/170)
* [Download](
https://eprint.iacr.org/2024/170.pdf)
### Abstract
Side-Channel Analysis (SCA) is critical in evaluating the security of cryptographic implementations. The search for hyperparameters poses a significant challenge, especially when resources are limited. In this work, we explore the efficacy of a
multifidelity optimization technique known as BOHB in SCA. In addition, we proposed a new objective function called $ge_{+ntge}$, which could be incorporated into any Bayesian Optimization used in SCA. We show the capabilities of both BOHB and $ge_{+ntge}
$ on four different public datasets. Specifically, BOHB could obtain the least number of traces in CTF2018 when trained in the Hamming weight and identity leakage model. Notably, this marks the first reported successful recovery of the key for the
identity leakage model in CTF2018.
## 2024/171
* Title: Approximate Methods for the Computation of Step Functions in Homomorphic Encryption
* Authors: Tairong Huang, Shihe Ma, Anyu Wang, XiaoYun Wang
* [Permalink](
https://eprint.iacr.org/2024/171)
* [Download](
https://eprint.iacr.org/2024/171.pdf)
### Abstract
The computation of step functions over encrypted data is an essential issue in homomorphic encryption due to its fundamental application in privacy-preserving computing. However, an effective method for homomorphically computing general step functions
remains elusive in cryptography. This paper proposes two polynomial approximation methods for general step functions to tackle this problem. The first method leverages the fact that any step function can be expressed as a linear combination of shifted
sign functions. This connection enables the homomorphic evaluation of any step function using known polynomial approximations of the sign function. The second method boosts computational efficiency by employing a composite polynomial approximation
strategy. We present a systematic approach to construct a composite polynomial $f_k \circ f_{k-1} \circ \cdots \circ f_1$ that increasingly approximates the step function as $k$ increases. This method utilizes an adaptive linear programming approach
that we developed to optimize the approximation effect of $f_i$ while maintaining the degree and coefficients bounded. We demonstrate the effectiveness of these two methods by applying them to typical step functions such as the round function and
encrypted data bucketing, implemented in the HEAAN homomorphic encryption library. Experimental results validate that our methods can effectively address the homomorphic computation of step functions.
## 2024/172
* Title: Relaxed Functional Bootstrapping: A New Perspective on BGV/BFV Bootstrapping
* Authors: Zeyu Liu, Yunhao Wang
* [Permalink](
https://eprint.iacr.org/2024/172)
* [Download](
https://eprint.iacr.org/2024/172.pdf)
### Abstract
BGV and BFV are among the most widely used fully homomorphic encryption (FHE) schemes, supporting evaluations over a finite field. To evaluate a circuit with arbitrary depth, bootstrapping is needed. However, despite the recent progress, bootstrapping
of BGV/BFV still remains relatively impractical, compared to other FHE schemes.
In this work, we inspect the BGV/BFV bootstrapping procedure from a different angle. We provide a generalized bootstrapping definition that relaxes the correctness requirement of regular bootstrapping, allowing constructions that support only certain
kinds of circuits with arbitrary depth. In addition, our definition captures a form of functional bootstrapping. In other words, the output encrypts a function evaluation of the input instead of the input itself.
Under this new definition, we provide a bootstrapping procedure supporting different types of functions. Our construction is 1-2 orders of magnitude faster than the state-of-the-art BGV/BFV bootstrapping algorithms, depending on the evaluated function.
Of independent interest, we show that our technique can be used to improve the batched FHEW/TFHE bootstrapping construction introduced by Liu and Wang (Asiacrypt 2023). Our optimization provides a speed-up of 6x in latency and 3x in throughput for
batched binary gate bootstrapping and a plaintext-space-dependent speed-up for batched functional bootstrapping with plaintext space smaller than $\mathbb{Z}_{512}$.
## 2024/173
* Title: Constant-Size zk-SNARKs in ROM from Falsifiable Assumptions
* Authors: Helger Lipmaa, Roberto Parisella, Janno Siim
* [Permalink](
https://eprint.iacr.org/2024/173)
* [Download](
https://eprint.iacr.org/2024/173.pdf)
### Abstract
We prove that the seminal KZG polynomial commitment scheme (PCS) is black-box extractable under a simple falsifiable assumption ARSDH. To create an interactive argument, we construct a compiler that combines a black-box extractable non-interactive PCS
and a polynomial IOP (PIOP). The compiler incurs a minor cost per every committed polynomial. Applying the Fiat-Shamir transformation, we obtain slightly less efficient variants of well-known PIOP-based zk-SNARKs, such as Plonk, that are knowledge-sound
in the ROM under the ARSDH assumption. Importantly, there is no need for idealized group models or knowledge assumptions. This results in the first known zk-SNARKs in the ROM from falsifiable assumptions with both an efficient prover and constant-size
argument.
## 2024/174
* Title: QPP and HPPK: Unifying Non-Commutativity for Quantum-Secure Cryptography with Galois Permutation Group
* Authors: Randy Kuang
* [Permalink](
https://eprint.iacr.org/2024/174)
* [Download](
https://eprint.iacr.org/2024/174.pdf)
### Abstract
In response to the evolving landscape of quantum computing and the heightened vulnerabilities in classical cryptographic systems, our paper introduces a comprehensive cryptographic framework. Building upon the pioneering work of Kuang et al., we present
a unification of two innovative primitives: the Quantum Permutation Pad (QPP) for symmetric key encryption and the Homomorphic Polynomial Public Key (HPPK) for Key Encapsulation Mechanism (KEM) and Digital Signatures (DS). By harnessing matrix
representations of the Galois Permutation Group and inheriting its bijective and non-commutative properties, QPP achieves quantum-secure symmetric key encryption, seamlessly extending Shannon’s perfect secrecy to both classical and quantum-native
systems. Simultaneously, HPPK, free of NP-hard problems, relies on the security of symmetric encryption for the plain public key. This is accomplished by concealing the mathematical structure through arithmetic representations or modular multiplicative
operators (arithmetic QPP) of the Galois Permutation Group over hidden rings, utilizing their partial homomorphic properties. This ensures secure computation on encrypted data during secret encapsulations, thereby enhancing the security of the plain
public key. The integration of KEM and DS within HPPK cryptography results in compact key, cipher, and signature sizes, showcasing exceptional performance. This paper organically unifies QPP and HPPK under the Galois Permutation Group, marking a
significant advance in laying the groundwork for quantum-resistant cryptographic protocols. Our contribution propels the development of secure communication systems in the era of quantum computing.
## 2024/175
* Title: Lossy Cryptography from Code-Based Assumptions
* Authors: Quang Dao, Aayush Jain
* [Permalink](
https://eprint.iacr.org/2024/175)
* [Download](
https://eprint.iacr.org/2024/175.pdf)
### Abstract
Over the past few decades, we have seen a proliferation of advanced cryptographic primitives with lossy or homomorphic properties built from various assumptions such as Quadratic Residuosity, Decisional Diffie-Hellman, and Learning with Errors. These
primitives imply hard problems in the complexity class $\mathcal{SZK}$ (statistical zero-knowledge); as a consequence, they can only be based on assumptions that are broken in $\mathcal{BPP}^{\mathcal{SZK}}$. This poses a barrier for building advanced
primitives from code-based assumptions, as the only known such assumption is Learning Parity with Noise (LPN) with an extremely low noise rate $\frac{\log^2 n}{n}$, which is broken in quasi-polynomial time.
In this work, we propose a new code-based assumption: Dense-Sparse LPN, that falls in the complexity class $\mathcal{BPP}^{\mathcal{SZK}}$ and is conjectured to be secure against subexponential time adversaries. Our assumption is a variant of LPN that is
inspired by McEliece's cryptosystem and random $k\mbox{-}$XOR in average-case complexity. Roughly, the assumption states that
\[(\mathbf{T}\, \mathbf{M}, \mathbf{s} \,\mathbf{T}\, \mathbf{M} + \mathbf{e}) \quad \text{is indistinguishable from}\quad (\mathbf{T} \,\mathbf{M}, \mathbf{u}),\] for a random (dense) matrix $\mathbf{T}$, random sparse matrix $\mathbf{M}$, and sparse
noise vector $\mathbf{e}$ drawn from the Bernoulli distribution with inverse polynomial noise probability.
We leverage our assumption to build lossy trapdoor functions (Peikert-Waters STOC 08). This gives the first post-quantum alternative to the lattice-based construction in the original paper. Lossy trapdoor functions, being a fundamental cryptographic tool,
are known to enable a broad spectrum of both lossy and non-lossy cryptographic primitives; our construction thus implies these primitives in a generic manner. In particular, we achieve collision-resistant hash functions with plausible subexponential
security, improving over a prior construction from LPN with noise rate $\frac{\log^2 n}{n}$ that is only quasi-polynomially secure.
## 2024/176
* Title: The impact of data-heavy, post-quantum TLS 1.3 on the Time-To-Last-Byte of real-world connections
* Authors: Panos Kampanakis, Will Childs-Klein
* [Permalink](
https://eprint.iacr.org/2024/176)
* [Download](
https://eprint.iacr.org/2024/176.pdf)
### Abstract
It has been shown that post-quantum key exchange and authentication with ML-KEM and ML-DSA, NIST’s postquantum algorithm picks, will have an impact on TLS 1.3 performance used in the Web or other applications. Studies so far have focused on the
overhead of quantum-resistant algorithms on TLS time-to-first-byte (handshake time). Although these works have been important in quantifying the slowdown in connection establishment, they do not capture the full picture regarding real-world TLS 1.3
connections which carry sizable amounts of data. Intuitively, the introduction of an extra 10KB of ML-KEM and ML-DSA exchanges in the connection negotiation will inflate the connection establishment time proportionally more than it will increase the
total connection time of a Web connection carrying 200KB of data. In this work, we quantify the impact of ML-KEM and ML-DSA on typical TLS 1.3 connections which transfer a few hundreds of KB from the server to the client. We study the slowdown in the
time-to-last-byte of postquantum connections under normal network conditions and in more unstable environments with high packet delay variability and loss probabilities. We show that the impact of ML-KEM and ML-DSA on the TLS 1.3 time-to-last-byte under
stable network conditions is lower than the impact on the time-to-first-byte and diminishes as the transferred data increases. The time-to-last-byte increase stays below 5% for high-bandwidth, stable networks. It goes from 32% increase of the time-to-
first-byte to under 15% increase of the time-to-last-byte when transferring 50KiB of data or more under low-bandwidth, stable network conditions. Even when congestion control affects connection establishment, the additional slowdown drops below 10% as
the connection data increases to 200KiB. We also show that connections under lossy or volatile network conditions could see higher impact from post-quantum handshakes, but these connections’ time-to-lastbyte increase still drops as the transferred data
increases. Finally, we show that such connections are already significantly slow and volatile regardless of the TLS handshake.
## 2024/177
* Title: Registered Functional Encryption for Quadratic Functions from MDDH
* Authors: Qiaohan Chu, Li Lin, Chen Qian, Jie Chen
* [Permalink](
https://eprint.iacr.org/2024/177)
* [Download](
https://eprint.iacr.org/2024/177.pdf)
### Abstract
We present a Registered Functional Encryption (RFE) scheme for inner product and a RFE scheme for quadratic functions based on pairings and relying on the Matrix Decision Diffie-Hellman (MDDH) assumption and bilateral MDDH assumption. Previously, RFE is
only known to be constructed from indistinguishability obfuscation (iO) in Francati-Friolo-Maitra-Malavolta-Rahimi-Venturi [Asiacrypt '23].
## 2024/178
* Title: Fast Public-Key Silent OT and More from Constrained Naor-Reingold
* Authors: Dung Bui, Geoffroy Couteau, Pierre Meyer, Alain Passelègue, Mahshid Riahinia
* [Permalink](
https://eprint.iacr.org/2024/178)
* [Download](
https://eprint.iacr.org/2024/178.pdf)
### Abstract
Pseudorandom Correlation Functions (PCFs) allow two parties, given correlated evaluation keys, to locally generate arbitrarily many pseudorandom correlated strings, e.g. Oblivious Transfer (OT) correlations, which can then be used by the two parties to
jointly run secure computation protocols.
In this work, we provide a novel and simple approach for constructing PCFs for OT correlation, by relying on constrained pseudorandom functions for a class of constraints containing a weak pseudorandom function (wPRF). We then show that tweaking the Naor-
Reingold pseudorandom function and relying on low-complexity pseudorandom functions allow us to instantiate our paradigm. We further extend our ideas to obtain efficient public-key PCFs, which allow the distribution of correlated keys between parties to
be non-interactive: each party can generate a pair of public/secret keys, and any pair of parties can locally derive their correlated evaluation key by combining their secret key with the other party's public key.
In addition to these theoretical contributions, we detail various optimizations and provide concrete instantiations of our paradigm relying on the Boneh-Ishai-Passelègue-Sahai-Wu wPRF and the Goldreich-Applebaum-Raykov wPRF. Putting everything together,
we obtain public-key PCFs with a throughput of 15k-40k OT/s, which is of a similar order of magnitude to the state-of-the-art interactive PCFs and about 4 orders of magnitude faster than state-of-the-art public-key PCFs.
As a side result, we also show that public-key PCFs can serve as a building block to construct reusable designated-verifier non-interactive zero-knowledge proofs (DV-NIZK) for NP. Combined with our instantiations, this yields simple and efficient
reusable DV-NIZKs for NP in pairing-free groups.
## 2024/179
* Title: Traitor Tracing without Trusted Authority from Registered Functional Encryption
* Authors: Pedro Branco, Russell W. F. Lai, Monosij Maitra, Giulio Malavolta, Ahmadreza Rahimi, Ivy K. Y. Woo
* [Permalink](
https://eprint.iacr.org/2024/179)
* [Download](
https://eprint.iacr.org/2024/179.pdf)
### Abstract
Traitor-tracing systems allow identifying the users who contributed to building a rogue decoder in a broadcast environment. In a traditional traitor-tracing system, a key authority is responsible for generating the global public parameters and issuing
secret keys to users. All security is lost if the \emph{key authority itself} is corrupt. This raises the question: Can we construct a traitor-tracing scheme, without a trusted authority?
In this work, we propose a new model for traitor-tracing systems where, instead of having a key authority, users could generate and register their own public keys. The public parameters are computed by aggregating all user public keys. Crucially, the
aggregation process is \emph{public}, thus eliminating the need of any trusted authority. We present two new traitor-tracing systems in this model based on bilinear pairings. Our first scheme is proven adaptively secure in the generic group model. This
scheme features a transparent setup, ciphertexts consisting of $6\sqrt{L}+4$ group elements, and a public tracing algorithm. Our second scheme supports a bounded collusion of traitors and is proven selectively secure in the standard model. Our main
technical ingredients are new registered functional encryption (RFE) schemes for quadratic and linear functions which, prior to this work, were known only from indistinguishability obfuscation.
To substantiate the practicality of our approach, we evaluate the performance a proof of concept implementation. For a group of $L = 1024$ users, encryption and decryption take roughly 50ms and 4ms, respectively, whereas a ciphertext is of size 6.7KB.
## 2024/180
* Title: Exploiting RPMB authentication in a closed source TEE implementation
* Authors: Aya Fukami, Richard Buurke, Zeno Geradts
* [Permalink](
https://eprint.iacr.org/2024/180)
* [Download](
https://eprint.iacr.org/2024/180.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)