## In this issue

1. [2024/215] Batch PIR and Labeled PSI with Oblivious Ciphertext ...
2. [2024/337] Solving the Tensor Isomorphism Problem for special ...
3. [2024/553] Efficient Linkable Ring Signatures: New Framework ...
4. [2024/653] Ipotane: Achieving the Best of All Worlds in ...
5. [2024/654] Monchi: Multi-scheme Optimization For Collaborative ...
6. [2024/655] Implementation and Performance Analysis of ...
7. [2024/656] Cryptanalytic Audit of the XHash Sponge Function ...
8. [2024/657] Cryptographic Accumulators: New Definitions, ...
9. [2024/658] Information-theoretic security with asymmetries
10. [2024/659] Secure Latent Dirichlet Allocation
11. [2024/660] FE[r]Chain: Enforcing Fairness in Blockchain Data ...
12. [2024/661] On amortization techniques for FRI-based SNARKs
13. [2024/662] Faster Private Decision Tree Evaluation for Batched ...
14. [2024/663] Xproofs: New Aggregatable and Maintainable Matrix ...
15. [2024/664] Pando: Extremely Scalable BFT Based on Committee ...
16. [2024/665] Homomorphic Evaluation of LWR-based PRFs and ...
17. [2024/666] Private Analytics via Streaming, Sketching, and ...
18. [2024/667] Agile, Post-quantum Secure Cryptography in Avionics
19. [2024/668] Blockchain Price vs. Quantity Controls
20. [2024/669] Mempool Privacy via Batched Threshold Encryption: ...
21. [2024/670] Secure Implementation of SRAM PUF for Private Key ...
22. [2024/671] Exploiting Internal Randomness for Privacy in ...
23. [2024/672] Secure Coded Distributed Computing
24. [2024/673] Chocobo: Creating Homomorphic Circuit Operating ...
25. [2024/674] SigmaSuite: How to Minimize Foreign Arithmetic in ...
26. [2024/675] Olympic Privacy-Preserving Blueprints: Faster ...
27. [2024/676] Composing Timed Cryptographic Protocols: ...

## 2024/215

* Title: Batch PIR and Labeled PSI with Oblivious Ciphertext Compression
* Authors: Alexander Bienstock, Sarvar Patel, Joon Young Seo, Kevin Yeo
* [Permalink](https://eprint.iacr.org/2024/215)
* [Download](https://eprint.iacr.org/2024/215.pdf)

### Abstract

In this paper, we study two problems: oblivious compression and decompression of ciphertexts. In oblivious compression, a server holds a set of ciphertexts with a subset of encryptions of zeroes whose positions are only known to the client. The goal is
for the server to effectively compress the ciphertexts obliviously, while preserving the non-zero plaintexts and without learning the plaintext values. For oblivious decompression, the client, instead, succinctly encodes a sequence of plaintexts such
that the server may decode encryptions of all plaintexts value, but the zeroes may be replaced with arbitrary values. We present solutions to both problems that construct lossless compressions only 5% more than the optimal minimum using only additive
homomorphism. The crux of both algorithms involve embedding ciphertexts as random linear systems that are efficiently solvable.

Using our compression schemes, we obtain state-of-the-art schemes for batch private information retrieval (PIR) where a client wishes to privately retrieve multiple entries from a server-held database in one query. We show that our compression schemes
may be used to reduce communication by up to 30% for batch PIR in both the single- and two-server settings.

Additionally, we study labeled private set intersection (PSI) in the unbalanced setting where one party's set is significantly smaller than the other party's set and each entry has associated data. By utilizing our novel compression algorithm, we present
a protocol with 65-88% reduction in communication with comparable computation compared to prior works.



## 2024/337

* Title: Solving the Tensor Isomorphism Problem for special orbits with low rank points: Cryptanalysis and repair of an Asiacrypt 2023 commitment scheme
* Authors: Valerie Gilchrist, Laurane Marco, Christophe Petit, Gang Tang
* [Permalink](https://eprint.iacr.org/2024/337)
* [Download](https://eprint.iacr.org/2024/337.pdf)

### Abstract

The Tensor Isomorphism Problem (TIP) has been shown to be equivalent to the matrix code equivalence problem, making it an interesting candidate on which to build post-quantum cryptographic primitives. These hard problems have already been used in
protocol development. One of these, MEDS, is currently in Round 1 of NIST's call for additional post-quantum digital signatures.
In this work, we consider the TIP for a special class of tensors. The hardness of the decisional version of this problem is the foundation of a commitment scheme proposed by D'Alconzo, Flamini, and Gangemi (Asiacrypt 2023). We present polynomial-time
algorithms for the decisional and computational versions of TIP for special orbits, which implies that the commitment scheme is not secure. The key observations of these algorithms are that these special tensors contain some low-rank points, and their
stabilizer groups are not trivial.
With these new developments in the security of TIP in mind, we give a new commitment scheme based on the general TIP that is non-interactive, post-quantum, and statistically binding, making no new assumptions. Such a commitment scheme does not
currently exist in the literature.



## 2024/553

* Title: Efficient Linkable Ring Signatures: New Framework and Post-Quantum Instantiations
* Authors: Yuxi Xue, Xingye Lu, Man Ho Au, Chengru Zhang
* [Permalink](https://eprint.iacr.org/2024/553)
* [Download](https://eprint.iacr.org/2024/553.pdf)

### Abstract

In this paper, we introduce a new framework for constructing linkable ring signatures (LRS). Our framework is based purely on signatures of knowledge (SoK) which allows one to issue signatures on behalf of any NP-statement using the corresponding witness.
Our framework enjoys the following advantages: (1) the security of the resulting LRS depends only on the security of the underlying SoK; (2) the resulting LRS naturally supports online/offline signing (resp. verification), where the output of the
offline signing (resp. verification) can be re-used across signatures of the same ring. For a ring size $n$, our framework requires an SoK of the NP statement with size $\log n$.

To instantiate our framework, we adapt the well-known post-quantum secure non-interactive argument of knowledge (NIAoK), ethSTARK, into an SoK. This SoK is inherently post-quantum secure and has a signature size poly-logarithmic in the size of the NP
statement. Thus, our resulting LRS has a signature size of $O(\text{polylog}(\log n))$. By comparison, existing post-quantum ring signatures, regardless of linkability considerations, have signature sizes of $O(\log n)$ at best. Furthermore, leveraging
online/offline verification, part of the verification of signatures on the same ring can be shared, resulting in a state-of-the-art amortized verification cost of $O(\text{polylog}(\log n))$.

Our LRS also performs favourably against existing schemes in practical scenarios. Concretely, our scheme has the smallest signature size among all post-quantum linkable ring signatures with non-slanderability for ring size larger than $32$. In our
experiment, at $128$-bit security and ring size of $1024$, our LRS has a size of $29$KB, and an amortized verification cost of $0.3$ ms, surpassing the state-of-the-art by a significant margin. Even without considering amortization, the verification time
for a single signature is $128$ ms, comparable to those featuring linear signature size. A similar performance advantage can also be seen at signing. Furthermore, our LRS has extremely short public keys ($32$ bytes), while public keys of existing
constructions are in the order of kilobytes.



## 2024/653

* Title: Ipotane: Achieving the Best of All Worlds in Asynchronous BFT
* Authors: Xiaohai Dai, Chaozheng Ding, Hai Jin, Julian Loss, Ling Ren
* [Permalink](https://eprint.iacr.org/2024/653)
* [Download](https://eprint.iacr.org/2024/653.pdf)

### Abstract

State-of-the-art asynchronous Byzantine Fault Tolerance (BFT) protocols integrate a partially-synchronous optimistic path. The holy grail in this paradigm is to match the performance of a partially-synchronous protocol in favorable situations and match
the performance of a purely asynchronous protocol in unfavorable situations. Several prior works have made progress toward this goal by matching the efficiency of a partially-synchronous protocol in favorable conditions. However, their performance
compared to purely asynchronous protocols is reduced when network conditions are unfavorable. To address these shortcomings, a recent work, Abraxas (CCS'23), presents the first optimistic asynchronous BFT protocol that retains stable throughput in all
situations. However, Abraxas still incurs very high worst-case latency in unfavorable situations because it is slow at detecting the failure of its optimistic path. Another recent work, ParBFT (CCS'23) guarantees good latency in all situations, but
suffers from reduced throughput in unfavorable situations due to its use of extra Asynchronous Binary Agreement (ABA) instances.

To approach our holy grail, we propose Ipotane, which delivers performance comparable to partially-synchronous protocols in favorable situations, and attains performance on par with purely asynchronous protocols in unfavorable situations—in both
throughput and latency. Ipotane also runs the two paths simultaneously. It adopts two-chain HotStuff as the optimistic path, thus achieving high performance in favorable situations. As for the pessimistic path, we introduce a new primitive Dual-
functional Byzantine Agreement (DBA), which packs the functionalities of biased ABA and Validated Asynchronous Byzantine Agreement (VABA). Ipotane runs DBA instances continuously as the pessimistic path. DBA’s ABA functionality quickly detects the
optimistic path’s failure, ensuring Ipotane’s low latency in unfavorable situations. Meanwhile, the VABA functionality continuously produces blocks, maintaining Ipotane’s high throughput. Additionally, the biased property ensures that blocks
committed via the optimistic path are respected by DBA instances, guaranteeing consistency across two paths. We conduct extensive experiments to demonstrate that Ipotane achieves high throughput and low latency in all situations.



## 2024/654

* Title: Monchi: Multi-scheme Optimization For Collaborative Homomorphic Identification
* Authors: Alberto Ibarrondo, Ismet Kerenciler, Hervé Chabanne, Vincent Despiegel, Melek Önen
* [Permalink](https://eprint.iacr.org/2024/654)
* [Download](https://eprint.iacr.org/2024/654.pdf)

### Abstract

This paper introduces a novel protocol for privacy-preserving biometric identification, named Monchi, that combines the use of homomorphic encryption for the computation of the identification score with function secret sharing to obliviously compare this
score with a given threshold and finally output the binary result. Given the cost of homomorphic encryption, BFV in this solution, we study and evaluate the integration of two packing solutions that enable the regrouping of multiple templates in one
ciphertext to improve efficiency meaningfully. We propose an end-to-end protocol, prove it secure and implement it. Our experimental results attest to Monchi's applicability to the real-life use case of an airplane boarding scenario with 1000 passengers,
taking less than one second to authorize/deny access to the plane to each passenger via biometric identification while maintaining the privacy of all passengers.



## 2024/655

* Title: Implementation and Performance Analysis of Homomorphic Signature Schemes
* Authors: Davide Carnemolla, Dario Catalano, Mario Di Raimondo, Federico Savasta
* [Permalink](https://eprint.iacr.org/2024/655)
* [Download](https://eprint.iacr.org/2024/655.pdf)

### Abstract

Homomorphic signatures allow to validate computation on signed data. Alice, holding a dataset, $\{m_1 , \ldots , m_t \}$ uses her secret key $\sf sk$ to sign these data and stores the authenticated dataset on a remote server. The server can later (
publicly) compute $m = f(m_1,...,m_t)$ together with a signature $\sigma$ certifying that $m$ is indeed the correct output of the computation $f$. Over the last fifteen years, the problem of realizing homomorphic signatures has been the focus of numerous
research works, with constructions now ranging from very efficient ones supporting linear functions to very expressive ones supporting (up to) arbitrary circuits. In this work we tackle the question of assessing the practicality of schemes belonging to
this latter class. Specifically, we implement the GVW lattice based scheme for circuits from STOC 2015 and two, recently proposed, pairings based constructions building from functional commitments. Our experiments show that (both) pairings based schemes
outperform GVW on all fronts.



## 2024/656

* Title: Cryptanalytic Audit of the XHash Sponge Function and its Components
* Authors: Vincent Rijmen
* [Permalink](https://eprint.iacr.org/2024/656)
* [Download](https://eprint.iacr.org/2024/656.pdf)

### Abstract

In this audit we started from the security analysis provided in the design documentation of XHash8/12. We extended the analysis in several directions and confirmed the security claims that were made by the designers.



## 2024/657

* Title: Cryptographic Accumulators: New Definitions, Enhanced Security, and Delegatable Proofs
* Authors: Anaïs Barthoulot, Olivier Blazy, Sébastien Canard
* [Permalink](https://eprint.iacr.org/2024/657)
* [Download](https://eprint.iacr.org/2024/657.pdf)

### Abstract

Cryptographic accumulators, introduced in 1993 by Benaloh and De
Mare, represent a set with a concise value and offer proofs of (non-)membership. Accumulators have evolved, becoming essential in anonymous credentials, e-cash, and blockchain applications. Various properties like dynamic and universal emerged for
specific needs, leading to multiple accumulator definitions. In 2015, Derler, Hanser, and Slamanig proposed a unified model, but new properties, including zero-knowledge security, have arisen since. We offer a new definition of accumulators, based on
Derler et al.’s, that is suitable for all properties. We also introduce a new security property, unforgeability of private evaluation, to protect accumulator from forgery and we verify this property in Barthoulot, Blazy, and Canard’s recent
accumulator. Finally we provide discussions on security properties of accumulators and on the delegatable (non-)membership proofs property.



## 2024/658

* Title: Information-theoretic security with asymmetries
* Authors: Tim Beyne, Yu Long Chen
* [Permalink](https://eprint.iacr.org/2024/658)
* [Download](https://eprint.iacr.org/2024/658.pdf)

### Abstract

In this paper, we study the problem of lower bounding any
given cost function depending on the false positive and false negative probabilities of adversaries against indistinguishability security notions in symmetric-key cryptography. We take the cost model as an input, so that this becomes a purely information-theoretical question.

We propose power bounds as an easy-to-use alternative for advantage bounds in the context of indistinguishability with asymmetric cost functions. We show that standard proof techniques such as hybrid arguments and the H-coefficient method can be
generalized to the power model, and apply these techniques to the PRP-PRF switching lemma, the Even-Mansour (EM) construction, and the sum-of-permutations (SoP) construction.

As the final and perhaps most useful contribution, we provide two methods to convert single-user power bounds into multi-user power bounds, and investigate their relation to the point-wise proximity method of Hoang and Tessaro (Crypto 2016). These method
are applied to obtain tight multi-user power bounds for EM and SoP.



## 2024/659

* Title: Secure Latent Dirichlet Allocation
* Authors: Thijs Veugen, Vincent Dunning, Michiel Marcus, Bart Kamphorst
* [Permalink](https://eprint.iacr.org/2024/659)
* [Download](https://eprint.iacr.org/2024/659.pdf)

### Abstract

Topic modelling refers to a popular set of techniques used to discover hidden topics that occur in a collection of documents. These topics can, for example, be used to categorize documents or label text for further processing. One popular topic modelling
technique is Latent Dirichlet Allocation (LDA). In topic modelling scenarios, the documents are often assumed to be in one, centralized dataset. However, sometimes documents are held by different parties, and contain privacy- or commercially-sensitive
information that cannot be shared.
We present a novel, decentralized approach to train an LDA model securely without having to share any information about the content of the documents with the other parties. We preserve the privacy of the individual parties using a combination of privacy
enhancing technologies.
We show that our decentralized, privacy preserving LDA solution has a similar accuracy compared to an (insecure) centralised approach. With $1024$-bit Paillier keys, a topic model with $5$ topics and $3000$ words can be trained in around $16$ hours.
Furthermore, we show that the solution scales linearly in the total number of words and the number of topics.



## 2024/660

* Title: FE[r]Chain: Enforcing Fairness in Blockchain Data Exchanges Through Verifiable Functional Encryption
* Authors: Camille Nuoskala, Reyhaneh Rabbaninejad, Tassos Dimitriou, Antonis Michalas
* [Permalink](https://eprint.iacr.org/2024/660)
* [Download](https://eprint.iacr.org/2024/660.pdf)

### Abstract

Functional Encryption (FE) allows users to extract specific function-related information from encrypted data while preserving the privacy of the underlying plaintext. Though significant research has been devoted to developing secure and efficient Multi-
Input Functional Encryption schemes supporting diverse functions, there remains a noticeable research gap in the development of verifiable FE schemes. Functionality and performance have received considerable attention, however, the crucial aspect of
verifiability in FE has been relatively understudied. Another important aspect that prior research in FE with outsourced decryption has not adequately addressed is the fairness of the data-for-money exchange between a curator and an analyst. This paper
focuses on addressing these gaps by proposing a verifiable FE scheme for inner product computation. The scheme not only supports the multi-client setting but also extends its functionality to accommodate multiple users -- an essential feature in modern
privacy-respecting services. Additionally, it demonstrates how this FE scheme can be effectively utilized to ensure fairness and atomicity in a payment protocol, further enhancing the trustworthiness of data exchanges.



## 2024/661

* Title: On amortization techniques for FRI-based SNARKs
* Authors: Albert Garreta, Hayk Hovhanissyan, Aram Jivanyan, Ignacio Manzur, Isaac Villalobos, Michał Zając
* [Permalink](https://eprint.iacr.org/2024/661)
* [Download](https://eprint.iacr.org/2024/661.pdf)

### Abstract

We present two techniques to improve the computational and/or communication costs of STARK proofs: packing and modular split-and-pack.

Packing allows to generate a single proof of the satisfiability of several constraints. We achieve this by packing the evaluations of all relevant polynomials in the same Merkle leaves, and combining all DEEP FRI functions into a single randomized
validity function. Our benchmarks show that packing reduces the verification time and proof size compared to individually proving the satisfiability of each witness, while only increasing the prover time moderately.

Modular split-and-pack is a proof acceleration technique where the prover divides a witness into smaller sub-witnesses. It then uses packing to prove the simultaneous satisfiability of each sub-witness. Compared to producing a proof of the original
witness, splitting improves the prover time and memory usage, while increasing the verifier time and proof size. Ideas similar to modular split-and-pack seem to be used throughout the industry, but 1) generally execution traces are split by choosing the
first $k$ rows, then the next $k$ rows, and so on; and 2) full recursion is used to prove the simultaneous satisfiability of the sub-witnesses, usually combined with a final wrapper proof (typically a Groth16 proof). We present a different way to split
the witness that allows for an efficient re-writing of Plonkish-type constraints. Based on our benchmarks, we believe this approach (together with a wrapper proof) can improve upon existing splitting methods, resulting in a faster prover at essentially
no cost in proof size and verification time.

Both techniques apply to popular FRI-based proof systems such as ethSTARK, Plonky2/3, RISC Zero, and Boojum.



## 2024/662

* Title: Faster Private Decision Tree Evaluation for Batched Input from Homomorphic Encryption
* Authors: Kelong Cong, Jiayi Kang, Georgio Nicolas, Jeongeun Park
* [Permalink](https://eprint.iacr.org/2024/662)
* [Download](https://eprint.iacr.org/2024/662.pdf)

### Abstract

Privacy-preserving decision tree evaluation (PDTE) allows a client that holds feature vectors to perform inferences against a decision tree model on the server side without revealing feature vectors to the server. Our work focuses on the non-interactive
batched setting where the client sends a batch of encrypted feature vectors and then obtains classifications, without any additional interaction. This is useful in privacy-preserving credit scoring, biometric authentication, and many more applications.

In this paper, we propose two novel non-interactive batched PDTE protocols, BPDTE_RCC and BPDTE_CW, based on two new ciphertext-plaintext comparison algorithms, the improved range cover comparison (RCC) comparator and the constant-weight (CW) piece-wise
comparator, respectively. Compared to the current state-of-the-art Level Up (CCS'23), our comparison algorithms are up to $72\times$ faster for batched inputs of 16 bits. Moreover, we introduced a new tree traversal method called Adapted SumPath, to
achieve $\mathcal{O}(1)$ complexity of the server's response, whereas Level Up has $\mathcal{O}(2^d)$ for a depth-$d$ tree where the client needs to look up classification values in a table. Overall, our PDTE protocols attain the optimal server-to-client
communication complexity and are up to $17\times$ faster than Level Up in batch size 16384.



## 2024/663

* Title: Xproofs: New Aggregatable and Maintainable Matrix Commitment with Optimal Proof Size
* Authors: Xinwei Yong, Jiaojiao Wu, Jianfeng Wang
* [Permalink](https://eprint.iacr.org/2024/663)
* [Download](https://eprint.iacr.org/2024/663.pdf)

### Abstract

Vector Commitment (VC) enables one to commit to a vector, and then the element at a specific position can be opened, with proof of consistency to the initial commitment. VC is a powerful primitive with various applications, including stateless
cryptocurrencies. Recently, matrix commitment Matproofs (Liu and Zhang CCS 2022), as an extension of VC, has been proposed to reduce the communication and computation complexity of VC-based cryptocurrencies. However, Matproofs requires linear-sized
public parameters, and the aggregated proof size may also increase linearly with the number of individual proofs aggregated. Additionally, the proof updating process involves the third party, known as Proof-Serving Nodes (PSNs), which leads to extra
storage and communication overhead. In this paper, we first propose a multi-dimensional variant of matrix commitment and construct a new matrix commitment scheme for two-dimensional matrix, called 2D-Xproofs, which achieves optimal aggregated proof size
without using PSNs. Furthermore, we present a highly maintainable three-dimensional scheme, 3D-Xproofs, which updates all proofs within time sublinear in the size of the committed matrix without PSNs' assistance. More generally, we could further increase
the matrix dimensionality to achieve more efficient proof updates. Finally, we demonstrate the security of our schemes, showing that both schemes are position binding. We also implement both schemes, and the results indicate that our schemes enjoy
constant-sized aggregated proofs and sublinear-sized public parameters, and the proof update time in 3D-Xproofs is $2.5\times$ faster than Matproofs.



## 2024/664

* Title: Pando: Extremely Scalable BFT Based on Committee Sampling
* Authors: Xin Wang, Haochen Wang, Haibin Zhang, Sisi Duan
* [Permalink](https://eprint.iacr.org/2024/664)
* [Download](https://eprint.iacr.org/2024/664.pdf)

### Abstract

Byzantine fault-tolerant (BFT) protocols are known to suffer from the scalability issue. Indeed, their performance degrades drastically as the number of replicas $n$ grows. While a long line of work has attempted to achieve the scalability goal, these
works can only scale to roughly a hundred replicas.

In this paper, we develop BFT protocols from the so-called committee sampling approach that selects a small committee for consensus and conveys the results to all replicas. Such an approach, however, has been focused on the Byzantine agreement (BA)
problem (considering replicas only) instead of the BFT problem (in the client-replica model); also, the approach is mainly of theoretical interest only, as concretely, it works for impractically large $n$.

We build an extremely efficient, scalable, and adaptively secure BFT protocol called Pando in partially synchronous environments based on the committee sampling approach. In particular, we devise novel BFT building blocks targeting scalability, including
communication-efficient and computation-efficient consistent broadcast and atomic broadcast protocols.

Pando inherits some inherent issues of committee sampling-based protocols: Pando can only achieve near-optimal resilience (i.e., $f<(1/3-\epsilon)n$, where $f$ is the number of faulty replicas and $\epsilon$ is a small constant), and Pando attains safety
and liveness only probabilistically. Interestingly, to make $\epsilon$ come close to 0 (near-optimal resilience), $n$ needs to be sufficiently large but not impractically large, e.g., $n>500$---just what we need for scalable BFT.

Our evaluation on Amazon EC2 shows that in contrast to existing protocols, Pando can easily scale to a thousand replicas in the WAN environment, achieving a throughput of 62.57 ktx/sec.



## 2024/665

* Title: Homomorphic Evaluation of LWR-based PRFs and Application to Transciphering
* Authors: Amit Deo, Marc Joye, Benoit Libert, Benjamin R. Curtis, Mayeul de Bellabre
* [Permalink](https://eprint.iacr.org/2024/665)
* [Download](https://eprint.iacr.org/2024/665.pdf)

### Abstract

Certain applications such as FHE transciphering require randomness while operating over encrypted data. This randomness has to be obliviously generated in the encrypted domain and remain encrypted throughout the computation. Moreover, it should be
guaranteed that independent-looking random coins can be obliviously generated for different computations.

In this work, we consider the homomorphic evaluation of pseudorandom functions (PRFs) with a focus on practical lattice-based candidates. In the homomorphic PRF evaluation setting, given a fully homomorphic encryption of the PRF secret key $\vec{s}$, it
should be possible to homomorphically compute encryptions of PRF evaluations $\{ \text{PRF}_{\vec{s}}(x_i) \}_{i=1}^M$ for public inputs $\{ x_i\}_{i=1}^M$. We consider this problem for PRF families based on the hardness of the Learning-With-Rounding (
LWR) problem introduced by Banerjee, Peikert and Rosen (Eurocrypt '12). We build on the random-oracle variant of a PRF construction suggested by Banerjee et al. and demonstrate that it can be evaluated using only two sequential programmable bootstraps in
the TFHE homomorphic encryption scheme. We also describe several modifications of this PRF---which we prove as secure as the original function---that support homomorphic evaluations using only one programmable bootstrap per slot.

Numerical experiments were conducted using practically relevant FHE parameter sets from the TFHE-rs library. Our benchmarks show that a throughput of about $1000$ encrypted pseudorandom bits per second (resp. $900$ encrypted pseudorandom bits per second)
can be achieved on an AWS hpc7a.96xlarge machine (resp. on a standard laptop with an Apple M2 chip), on a single thread. The PRF evaluation keys in our experiments have sizes roughly $40\%$ and $60\%$ of a bootstrapping key. Applying our solution to
transciphering enables important bandwidth savings, typically trading $64$-bit values for $4$-bit values per transmitted ciphertext.



## 2024/666

* Title: Private Analytics via Streaming, Sketching, and Silently Verifiable Proofs
* Authors: Mayank Rathee, Yuwen Zhang, Henry Corrigan-Gibbs, Raluca Ada Popa
* [Permalink](https://eprint.iacr.org/2024/666)
* [Download](https://eprint.iacr.org/2024/666.pdf)

### Abstract

We present Whisper, a system for privacy-preserving collection of aggregate statistics. Like prior systems, a Whisper deployment consists of a small set of non-colluding servers; these servers compute aggregate statistics over data from a large number of
users without learning the data of any individual user. Whisper’s main contribution is that its server- to-server communication cost and its server-side storage costs scale sublinearly with the total number of users. In particular, prior systems
required the servers to exchange a few bits of information to verify the well-formedness of each client submission. In contrast, Whisper uses silently verifiable proofs, a new type of proof system on secret-shared data that allows the servers to verify
an arbitrarily large batch of proofs by exchanging a single 128-bit string. This improvement comes with increased client-to-server communication, which, in cloud computing, is typically cheaper (or even free) than the cost of egress for server-to-server
communication. To reduce server storage, Whisper approximates certain statistics using small-space sketching data structures. Applying randomized sketches in an environment with adversarial clients requires a careful and novel security analysis. In a
deployment with two servers and 100,000 clients of which 1% are malicious, Whisper can improve server-to-server communication for vector sum by three orders of magnitude while each client’s communication increases by only 10%.



## 2024/667

* Title: Agile, Post-quantum Secure Cryptography in Avionics
* Authors: Karolin Varner, Wanja Zaeske, Sven Friedrich, Aaron Kaiser, Alice Bowman
* [Permalink](https://eprint.iacr.org/2024/667)
* [Download](https://eprint.iacr.org/2024/667.pdf)

### Abstract

To introduce a post-quantum-secure encryption scheme specifically for use in flight-computers, we used avionics’ module-isolation methods to wrap a recent encryption standard (HPKE – Hybrid Public Key Encryption) within a software partition. This
solution proposes an upgrade to HPKE, using quantum-resistant ciphers (Kyber/ML-KEM and Dilithium/ML-DSA) redundantly alongside well-established ciphers, to achieve post-quantum security.

Because cryptographic technology can suddenly become obsolete as attacks become more sophisticated, "crypto-agility" -– the ability to swiftly replace ciphers – represents the key challenge to deployment of software like ours. Partitioning is a
crucial method for establishing such agility, as it enables the replacement of compromised software without affecting software on other partitions, greatly simplifying the certification process necessary in an avionics environment.


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)