## In this issue

1. [2024/1012] Supersonic OT: Fast Unconditionally Secure ...
2. [2024/1288] KpqClean Ver2: Comprehensive Benchmarking and ...
3. [2024/1289] Improved Lattice Blind Signatures from Recycled Entropy
4. [2024/1290] SoK: Computational and Distributed Differential ...
5. [2024/1291] Raccoon: A Masking-Friendly Signature Proven in the ...
6. [2024/1292] Chosen Ciphertext Security for (Hierarchical) ...
7. [2024/1293] Greyhound: Fast Polynomial Commitments from Lattices
8. [2024/1294] Pre-Constrained Cryptography: Broad Definitions, ...
9. [2024/1295] Identity-Based Encryption from Lattices with More ...
10. [2024/1296] Universal Composable Transaction Serialization with ...
11. [2024/1297] Improved Cryptanalysis of SNOVA
12. [2024/1298] Point (de)compression for elliptic curves over ...
13. [2024/1299] Permissionless Verifiable Information Dispersal ...
14. [2024/1300] SoK: 5 Years of Neural Differential Cryptanalysis
15. [2024/1301] Kalos: Hierarchical-auditable and Human-binding ...
16. [2024/1302] RABAEKS: Revocable Attribute-based Authenticated ...
17. [2024/1303] Efficient Zero-Knowledge Arguments for Paillier ...
18. [2024/1304] Improved Algebraic Attacks on Round-Reduced LowMC ...
19. [2024/1305] Constructions of Efficiently Implementable Boolean ...
20. [2024/1306] Scloud+: a Lightweight LWE-based KEM without ...
21. [2024/1307] On Algebraic Homomorphic Encryption and its ...
22. [2024/1308] LAMA: Leakage-Abuse Attacks Against Microsoft ...
23. [2024/1309] R-STELLAR: A Resilient Synthesizable Signature ...
24. [2024/1310] On the Effects of Neural Network-based Output ...
25. [2024/1311] Dynamic Threshold Key Encapsulation with a ...
26. [2024/1312] Probabilistic Data Structures in the Wild: A ...
27. [2024/1313] A Lattice Attack Against a Family of RSA-like ...
28. [2024/1314] Verifiable Homomorphic Linear Combinations in ...
29. [2024/1315] PulpFHE: Complex Instruction Set Extensions for FHE ...
30. [2024/1316] Generalized Triangular Dynamical System: An ...
31. [2024/1317] MAESTRO: Multi-party AES using Lookup Tables
32. [2024/1318] Patching and Extending the WWL+ Circuit ...
33. [2024/1319] Quantum-safe Signatureless DNSSEC
34. [2024/1320] Post-Quantum DNSSEC over UDP via QNAME-Based ...
35. [2024/1321] ECC’s Achilles’ Heel: Unveiling Weak Keys in ...
36. [2024/1322] Revisiting a Realistic EM Side-Channel Attack on a ...
37. [2024/1323] SoK: Instruction Set Extensions for Cryptographers
38. [2024/1324] CLAASPing ARADI: Automated Analysis of the ARADI ...
39. [2024/1325] Authenticity in the Presence of Leakage using a ...
40. [2024/1326] On the anonymity of one authenticated key agreement ...
41. [2024/1327] Public-Key Anamorphism in (CCA-secure) Public-Key ...
42. [2024/1328] A Note on ARADI and LLAMA
43. [2024/1329] Small Public Exponent Brings More: Improved Partial ...
44. [2024/1330] New Results for Coppersmith's Method from the ...
45. [2024/1331] Practical Small Private Exponent Attacks against RSA

## 2024/1012

* Title: Supersonic OT: Fast Unconditionally Secure Oblivious Transfer
* Authors: Aydin Abadi, Yvo Desmedt
* [Permalink](https://eprint.iacr.org/2024/1012)
* [Download](https://eprint.iacr.org/2024/1012.pdf)

### Abstract

Oblivious Transfer (OT) is a fundamental cryptographic protocol with applications in secure Multi-Party Computation, Federated Learning, and Private Set Intersection. With the advent of quantum computing, it is crucial to develop unconditionally secure
core primitives like OT to ensure their continued security in the post-quantum era. Despite over four decades since OT's introduction, the literature has predominantly relied on computational assumptions, except in cases using unconventional methods like
noisy channels or a fully trusted party. Introducing “Supersonic OT”, a highly efficient and unconditionally secure OT scheme that avoids public-key-based primitives, we offer an alternative to traditional approaches. Supersonic OT enables a receiver
to obtain a response of size O(1). Its simple (yet non-trivial) design facilitates easy security analysis and implementation. The protocol employs a basic secret-sharing scheme, controlled swaps, the one-time pad, and a third-party helper who may be
corrupted by a semi-honest adversary. Our implementation and runtime analysis indicate that a single instance of Supersonic OT completes in 0.35 milliseconds, making it up to 2000 times faster than the state-of-the-art base OT.



## 2024/1288

* Title: KpqClean Ver2: Comprehensive Benchmarking and Analysis of KpqC Algorithm Round 2 Submissions
* Authors: Minjoo Sim, Siwoo Eum, Gyeongju Song, Minwoo Lee, Sangwon Kim, Minho Song, Hwajeong Seo
* [Permalink](https://eprint.iacr.org/2024/1288)
* [Download](https://eprint.iacr.org/2024/1288.pdf)

### Abstract

From 2022, Korean Post-Quantum Cryptography (KpqC) Competition has been held. Among the Round 1 algorithms of KpqC, eight algorithms were selected in December 2023. To evaluate the algorithms, the performance is critical factor. However, the performance
of the algorithms submitted to KpqC was evaluated in different development environments. Consequently, it is difficult to compare the performance of each algorithm fairly, because the measurements were not conducted in the identical development
environments. In this paper, we introduce KpqClean ver2, the successor to the KpqClean project. KpqClean ver2 provides comprehensive benchmark analysis results for all KpqC Round 2 algorithms across various environments (Ryzen, Intel, and aarch64). This
framework includes both a ``clean'' implementation and an ``avx2'' implementation of the KpqC Round 2 candidate algorithms. To benchmark the algorithms, we not only removed external library dependencies from each algorithm but also integrated the same
source code for common algorithms (such as AES, SHA2, SHAKE, and etc.) to enable more accurate performance comparisons. The framework automatically recognizes the user’s environment, providing easy benchmarking for all users without the need for
separate settings. This study also includes memory usage analysis using Valgrind for each algorithm and function usage proportion analysis during the execution of each cryptographic algorithm using Xcode's profiling tool. Finally we show that the
practical strength of KpqC algorithms in terms of execution timing and memory usages. This result can be utilized for the understanding of KpqC finalist in terms of performance.



## 2024/1289

* Title: Improved Lattice Blind Signatures from Recycled Entropy
* Authors: Corentin Jeudy, Olivier Sanders
* [Permalink](https://eprint.iacr.org/2024/1289)
* [Download](https://eprint.iacr.org/2024/1289.pdf)

### Abstract

Blind signatures represent a class of cryptographic primitives enabling privacy-preserving authentication with several applications such as e-cash or e-voting. It is still a very active area of research, in particular in the post-quantum setting where
the history of blind signatures has been hectic. Although it started to shift very recently with the introduction of a few lattice-based constructions, all of the latter give up an important characteristic of blind signatures (size, efficiency, or
security under well-known assumptions) to achieve the others. In this paper, we propose another design which revisits the link between the two main procedures of blind signatures, namely issuance and showing, demonstrating that we can significantly
alleviate the second one by adapting the former. Concretely, we show that we can harmlessly inject excess randomness in the issuance phase, and then recycle the entropy surplus during showing to decrease the complexity of the zero-knowledge proof which
constitutes the main component of the signature. This leads to a blind signature scheme with small sizes, low complexity, and that still relies on well-known lattice assumptions.



## 2024/1290

* Title: SoK: Computational and Distributed Differential Privacy for MPC
* Authors: Fredrik Meisingseth, Christian Rechberger
* [Permalink](https://eprint.iacr.org/2024/1290)
* [Download](https://eprint.iacr.org/2024/1290.pdf)

### Abstract

In the last fifteen years, there has been a steady stream of works combining differential privacy with various other cryptographic disciplines, particularly that of multi-party computation, yielding both practical and theoretical unification. As a part
of that unification, due to the rich definitional nature of both fields, there have been many proposed definitions of differential privacy adapted to the given use cases and cryptographic tools at hand, resulting in computational and/or distributed
versions of differential privacy. In this work, we offer a systemization of such definitions, with a focus on definitions that are both computational and tailored for a multi-party setting. We order the definitions according to the distribution model and
computational perspective and propose a viewpoint on when given definitions should be seen as instantiations of the same generalised notion. The ordering highlights a clear, and sometimes strict, hierarchy between the definitions, where utility (accuracy)
can be traded for stronger privacy guarantees or lesser trust assumptions. Further, we survey theoretical results relating the definitions to each other and extend some such results. We also discuss the state of well-known open questions and suggest new
open problems to study. Finally, we consider aspects of the practical use of the different notions, hopefully giving guidance also to future applied work.



## 2024/1291

* Title: Raccoon: A Masking-Friendly Signature Proven in the Probing Model
* Authors: Rafaël del Pino, Shuichi Katsumata, Thomas Prest, Mélissa Rossi
* [Permalink](https://eprint.iacr.org/2024/1291)
* [Download](https://eprint.iacr.org/2024/1291.pdf)

### Abstract

This paper presents Raccoon, a lattice-based signature scheme submitted to the NIST 2022 call for additional post-quantum signatures. Raccoon has the specificity of always being masked. Concretely, all sensitive intermediate values are shared into 𝑑
parts. The main design rationale of Raccoon is to be easy to mask at high orders, and this dictated most of its design choices, such as the introduction of new algorithmic techniques for sampling small errors. As a result, Raccoon achieves a masking
overhead $𝑂(𝑑 \log 𝑑)$ that compares favorably with the overheads $𝑂(𝑑^2 \log 𝑞)$ observed when masking standard lattice signatures. In addition, we formally prove the security of Raccoon in the 𝑡-probing model: an attacker is able
to probe $𝑡 ≤ 𝑑 −1$ shares during each execution of the main algorithms (key generation, signing, verification). While for most cryptographic schemes, the black-box 𝑡-probing security can be studied in isolation, in Raccoon this analysis is
performed jointly. To that end, a bridge must be made between the black-box game-based EUF-CMA proof and the usual simulation proofs of the ISW model (CRYPTO 2003). We formalize an end-to-end masking proof by deploying the probing EUF-CMA introduced by
Barthe et al.(Eurocrypt 2018) and exhibiting the simulators of the non-interference properties (Barthe et al. CCS 2016). The proof is divided into three novel parts:
- a simulation proof in the ISW model that allows to propagate the dependency to a restricted number of inputs and random coins,
- a game-based proof showing that the security of Raccoon with probes can be reduced to an instance of Raccoon with smaller parameters,
- a parameter study to ensure that the smaller instance is secure, using a robust generalization of the Rényi divergence.
While we apply our techniques to Raccoon, we expect that the algorithmic and proof techniques we introduce will be helpful for the design and analysis of future masking-friendly schemes.



## 2024/1292

* Title: Chosen Ciphertext Security for (Hierarchical) Identity-Based Matchmaking Encryption
* Authors: Sohto Chiku, Keisuke Hara, Junji Shikata
* [Permalink](https://eprint.iacr.org/2024/1292)
* [Download](https://eprint.iacr.org/2024/1292.pdf)

### Abstract

Identity-based matchmaking encryption (IB-ME) is an advanced encryption scheme that enables a sender and a receiver to specify each of identity. In general, from the aspect of abilities for adversaries, we have two flavors of security for encryption
schemes chosen plaintext attacks (CPA) security and chosen ciphertext attacks (CCA) security. Compared to CPA security, CCA security can capture active adversaries, then it has been recognized as a desirable one.

In this paper, we investigate the CCA security for IB-ME.
Concretely, we provide the following three contributions. (i) A method to obtain a CCA secure IB-ME scheme in the standard model based on our new primitive called hierarchical IB-ME (HIB-ME) along with strong one-time signature. (ii) A construction of
HIB-ME based on hierarchical identity-based encryption and hierarchical identity-based signature. (iii) A variant of the first method to get an IB-ME scheme satisfying slightly tweaked CCA security solely based on a CPA secure IB-ME scheme (without
strong one-time signature). We believe that this new type of CCA security is a reasonable one for IB-ME.



## 2024/1293

* Title: Greyhound: Fast Polynomial Commitments from Lattices
* Authors: Ngoc Khanh Nguyen, Gregor Seiler
* [Permalink](https://eprint.iacr.org/2024/1293)
* [Download](https://eprint.iacr.org/2024/1293.pdf)

### Abstract

In this paper, we propose Greyhound, the first concretely efficient polynomial commitment scheme from standard lattice assumptions. At the core of our construction lies a simple three-round protocol for proving evaluations for polynomials of bounded
degree $N$ with verifier time complexity $O(\sqrt{N})$. By composing it with the LaBRADOR proof system (CRYPTO 2023), we obtain a succinct proof of polynomial evaluation (i.e. polylogarithmic in $N$) that admits a sublinear verifier runtime.

To highlight practicality of Greyhound, we provide implementation details including concrete sizes and runtimes. Notably, for large polynomials of degree at most $N=2^{30}$, the scheme produces evaluation proofs of size $53$KB, which is more than $10^4$
times smaller than the recent lattice-based framework, called SLAP (EUROCRYPT 2024), and around three orders of magnitude smaller than Ligero (CCS 2017) and Brakedown (CRYPTO 2023).



## 2024/1294

* Title: Pre-Constrained Cryptography: Broad Definitions, New Constructions, Unbounded Security
* Authors: Shweta Agrawal, Simran Kumari, Ryo Nishimaki
* [Permalink](https://eprint.iacr.org/2024/1294)
* [Download](https://eprint.iacr.org/2024/1294.pdf)

### Abstract

The recent works of Ananth et al. (ITCS 2022) and Bartusek et al. (Eurocrypt 2023) initiated the study of pre-constrained cryptography which achieves meaningful security even against the system authority. In this work we significantly expand this area by
defining several new primitives and providing constructions from simple, standard assumptions as follows.

- Pre-Constrained Encryption. We define a weaker notion of pre-constrained encryption (PCE), as compared to the work of Ananth et al. which nevertheless suffices for all known applications. We then provide constructions for general constraints,
satisfying malicious security from a variety of assumptions including DDH, LWE, QR and DCR. Our LWE based construction satisfies unconditional security against malicious authorities. In contrast, the construction by Ananth et al. supporting general
constraints must rely (inherently) on strong assumptions like indistinguishability obfuscation.

- Pre-Constrained Static Functional Encryption and Input Obfuscation. We provide a new definition for pre-constrained functional encryption in the so-called static setting (PCSFE) where the functions to be embedded in secret keys are specified during the
setup phase. We provide constructions for PCSFE supporting general constraints, with security against malicious authorities. As in the case of PCE, our first construction can be instantiated from a variety of assumptions including DDH, LWE, QR and DCR.
Our second, LWE based construction satisfies unconditional security against malicious authorities.

We also study succinctness in PCSFE, where the public key is sublinear in the number of function keys. We provide the first construction from LWE in the random oracle model. We additionally provide a heuristic construction in the standard model using
lattices together with groups.

- Pre-Constrained Input Obfuscation. We define and provide the first construction of pre-constrained input obfuscation from the same assumptions as those used to instantiate PCSFE.

- Pre-Constrained Group Signatures. For pre-constrained group signatures (PCGS), we provide the first construction supporting general constraints, achieving unconditional security against malicious authorities from the LWE assumption. The only other
construction by Bartusek et al. supports the restricted set/database membership constraint, and achieves computational security from the DDH assumption (and is therefore quantum insecure).



## 2024/1295

* Title: Identity-Based Encryption from Lattices with More Compactness in the Standard Model
* Authors: Weidan Ji, Zhedong Wang, Haoxiang Jin, Qi Wang, Geng Wang, Dawu Gu
* [Permalink](https://eprint.iacr.org/2024/1295)
* [Download](https://eprint.iacr.org/2024/1295.pdf)

### Abstract

Lattice-based identity-based encryption having both efficiency and provable security in the standard model is currently still a challenging task and has drawn much attention. In this work, we introduce a new IBE construction from NTRU lattices in the
standard model, based on the framework proposed by Agrawal, Boneh, and Boyen (EUROCRYPT 2010). Particularly, by introducing the NTRU trapdoor and the RingLWE computational assumption, we remove a crux restriction of the column number and obtain a more
compact IBE construction in the standard model. Besides, we provide a concrete implementation and detailed performance results with a comparison of previous works in terms of the security model and the assumption, which demonstrates the advantage of our
construction.



## 2024/1296

* Title: Universal Composable Transaction Serialization with Order Fairness
* Authors: Michele Ciampi, Aggelos Kiayias, Yu Shen
* [Permalink](https://eprint.iacr.org/2024/1296)
* [Download](https://eprint.iacr.org/2024/1296.pdf)

### Abstract

Order fairness in the context of distributed ledgers has received recently significant attention due to a range of attacks that exploit the reordering and adaptive injection of transactions (violating what is known as “input causality”). To address
such concerns an array of definitions for order fairness has been put forth together with impossibility and feasibility results highlighting the difficulty and multifaceted nature of fairness in transaction serialization. Motivated by this we present a
comprehensive modeling of order fairness capitalizing on the universal composition (UC) setting. Our results capture the different flavors of sender order fairness and input causality (which is arguably one of the most critical aspects of ledger
transaction processing with respect to serialization attacks) and we parametrically illustrate what are the limits of feasibility for realistic constructions via an impossibility result. Our positive result, a novel distributed ledger protocol utilizing
trusted enclaves, complements tightly our impossibility result, hence providing an optimal sender order fairness ledger construction that is also eminently practical.



## 2024/1297

* Title: Improved Cryptanalysis of SNOVA
* Authors: Ward Beullens
* [Permalink](https://eprint.iacr.org/2024/1297)
* [Download](https://eprint.iacr.org/2024/1297.pdf)

### Abstract

SNOVA is a multivariate signature scheme submitted to the NIST project for additional signature schemes by Cho, Ding, Kuan, Li, Tseng, Tseng, and Wang. With small key and signature sizes good performance, SNOVA is one of the more efficient schemes in the
competition, which makes SNOVA an important target for cryptanalysis.

In this paper, we observe that SNOVA implicitly uses a structured version of the ``whipping'' technique developed for the MAYO signature scheme. We show that the extra structure makes the construction vulnerable to new forgery attacks. Concretely, we
formulate new attacks that reduce the security margin of the proposed SNOVA parameter sets by a factor between $2^{8}$ and $2^{39}$. Furthermore, we show that large fractions of public keys are vulnerable to more efficient versions of our attack. For
example, for SNOVA-37-17-2, a parameter set targeting NIST's first security level, we show that roughly one out of every $500$ public keys is vulnerable to a universal forgery attack with bit complexity $2^{97}$, and roughly one out of every $143000$
public keys is even breakable in practice within a few minutes.



## 2024/1298

* Title: Point (de)compression for elliptic curves over highly $2$-adic finite fields
* Authors: Dmitrii Koshelev
* [Permalink](https://eprint.iacr.org/2024/1298)
* [Download](https://eprint.iacr.org/2024/1298.pdf)

### Abstract

This article addresses the issue of efficient and safe (de)compression of $\mathbb{F}_{\!q}$-points on an elliptic curve $E$ over a highly $2$-adic finite field $\mathbb{F}_{\!q}$ of characteristic $5$ or greater. The given issue was overlooked by
cryptography experts, probably because, until recently, such fields were not in trend. Therefore, there was no difficulty (with rare exceptions) in finding a square $\mathbb{F}_{\!q}$-root. However, in our days, fields with large $2$-adicities have
gained particular popularity in the ZK (zero-knowledge) community, despite the fact that $\sqrt{\cdot} \in \mathbb{F}_{\!q}$ should be computed via more sophisticated square-root algorithms such as (Cipolla-Lehmer-)Müller's one. The article explains why
the classical $x$-coordinate (de)compression method based on Müller's algorithm often contains Achilles' heel to successfully perform a novel fault attack, which also fits the definition of a (D)DoS attack. In a nutshell, the trouble stems from the non-
deterministic initialization of Müller's algorithm.

Moreover, the article suggests a countermeasure, namely an alternative (still simple) (de)compression method that completely prevents the discovered attack whenever the curve $E/\mathbb{F}_{\!q}$ is of even order. In particular, all twisted Edwards (i.e.,
Montgomery) curves are relevant. The decompression stage of the new method equally suffers from one square-root extraction in $\mathbb{F}_{\!q}$. But the corresponding quadratic residue is inherently equipped with additional information, providing an
opportunity to launch Müller's algorithm immediately from its main deterministic part. In turn, the compression stage of the new method remains (almost) free as well as for the $x$-coordinate method.



## 2024/1299

* Title: Permissionless Verifiable Information Dispersal (Data Availability for Bitcoin Rollups)
* Authors: Ben Fisch, Arthur Lazzaretti, Zeyu Liu, Lei Yang
* [Permalink](https://eprint.iacr.org/2024/1299)
* [Download](https://eprint.iacr.org/2024/1299.pdf)

### Abstract

Rollups are special applications on distributed state machines (aka blockchains) for which the underlying state machine only logs, but does not execute transactions. Rollups have become a popular way to scale applications on Ethereum and there is now
growing interest in running rollups on Bitcoin. Rollups scale throughput and reduce transaction costs by using auxiliary machines that have higher throughput and lower cost of executing transactions than the underlying blockchain. State updates are
periodically posted to the underlying blockchain and either verified directly through succinct cryptographic proofs (zk rollups) or can be challenged for a defined period of time in a verifiable way by third parties (optimistic rollups).

However, once computation is removed as a bottleneck, communication quickly becomes the new bottleneck. The critical service the underlying blockchain provides in addition to verification is data availability: that necessary data can always be recovered
upon request. While broadcasting transaction data is one way to ensure this, it requires communication blowup linear in the number of participating nodes. Verifiable information dispersal (VID) systems achieve sublinear blowup in the same participation
model and the same security assumptions as Ethereum, where all nodes have a strong public-key identity. It was not known how to do so in the same permissionless model as Bitcoin, where participants are unauthenticated and participation is dynamic.

We construct a VID system that is secure under the same model as Bitcoin, with one minimal additional requirement on the existence of reliable participants. Our system uses a state machine replication (SMR) protocol (e.g., Bitcoin) as a black box, and
is therefore backward compatible. We implemented the system on top of Bitcoin core with the Regression Test Network (regtest), and our analysis shows that it reduces communication costs by more than 1,000x and latency by more than 10x.



## 2024/1300

* Title: SoK: 5 Years of Neural Differential Cryptanalysis
* Authors: David Gerault, Anna Hambitzer, Moritz Huppert, Stjepan Picek
* [Permalink](https://eprint.iacr.org/2024/1300)
* [Download](https://eprint.iacr.org/2024/1300.pdf)

### Abstract

At CRYPTO 2019, A. Gohr introduced Neural Differential Cryptanalysis by applying deep learning to modern block cipher cryptanalysis. Surprisingly, the resulting neural differential distinguishers enabled a new state-of-the-art key recovery complexity for
11 rounds of SPECK32. As of May 2024, according to Google Scholar, Gohr’s article has been cited 178 times. The wide variety of targets, techniques, settings, and evaluation methodologies that appear in these follow-up works grants a careful
systematization of knowledge, which we provide in this paper. More specifically, we propose a taxonomy of these 178 publications and focus on the 50 that deal with differential neural distinguishers to systematically review and compare them. We then
discuss two challenges for the field, namely comparability of neural distinguishers and
scaling.



## 2024/1301

* Title: Kalos: Hierarchical-auditable and Human-binding Authentication Scheme for Clinical Trial
* Authors: Chang Chen, Zelong Wu, Guoyu Yang, Qi Chen, Wei Wang, Jin Li
* [Permalink](https://eprint.iacr.org/2024/1301)
* [Download](https://eprint.iacr.org/2024/1301.pdf)

### Abstract

Clinical trials are crucial in the development of new medical treatment methods. To ensure the correctness of clinical trial results, medical institutes need to collect and process large volumes of participant data, which has prompted research on privacy
preservation and data reliability. However, existing solutions struggle to resolve the trade-off between them due to the trust gap between the physical and digital worlds, limiting their practicality. To tackle the issues above, we present Kalos, a novel
authentication scheme for clinical trials. Kalos leverages diversified cryptographic tools, such as card-based anonymous credential and zero-knowledge proof to achieve authentication with visual verification and selective disclosure of attributes. It has
properties such as unforgeability, blindness, privacy preservation, and human-binding that support hierarchical auditability and data de-duplication to enhance the reliability of clinical trials. We then provide the security and performance analysis of
Kalos to show its potential to be deployed in the medical consumer electronics scenario. The computational cost of the smartcard is irrespective of the number of certified attributes, and the total computational cost of Kalos is within tens of
milliseconds with the commonly used number of attributes.



## 2024/1302

* Title: RABAEKS: Revocable Attribute-based Authenticated Encrypted Search over Lattice for Multi-receiver Cloud Storage
* Authors: Yibo Cao, Shiyuan Xu, Xiu-Bo Chen, Siu-Ming Yiu
* [Permalink](https://eprint.iacr.org/2024/1302)
* [Download](https://eprint.iacr.org/2024/1302.pdf)

### Abstract

With the widespread development of cloud storage, searching over the encrypted data (without decryption) has become a crucial issue. Public key authenticated encryption with keyword search (PAEKS) retrieves encrypted data, and resists inside keyword
guessing attacks (IKGAs). Most PAEKS schemes cannot support access control in multi-receiver models. To address this concern, attribute-based authenticated encryption with keyword search (ABAEKS) has been studied. However, the access privilege for the
ciphertext may change, and the conventional cryptographic primitives are not resistant to quantum computing attacks, which exhibits a limited applicability and poor security for cloud storage. In this paper, we propose RABAEKS, the first post-quantum
revocable attribute-based authenticated encrypted search scheme for multi-receiver cloud storage. Our design enables cloud server enforces the access control of data receivers in the search process. For practical consideration, we further introduce a
revocation mechanism of data receivers, which makes the access control more dynamic. We then define and rigorously analyze the security our scheme. Through the performance evaluations and comparisons, our computational overhead of ciphertext generation,
trapdoor generation and search algorithm are at least 20×, 1.67× and 1897× faster than prior arts, respectively, which is practical for cloud storage.



## 2024/1303

* Title: Efficient Zero-Knowledge Arguments for Paillier Cryptosystem
* Authors: Borui GONG, Wang Fat Lau, Man Ho Au, Rupeng Yang, Haiyang Xue, Lichun Li
* [Permalink](https://eprint.iacr.org/2024/1303)
* [Download](https://eprint.iacr.org/2024/1303.pdf)

### Abstract

We present an efficient zero-knowledge argument of knowledge system customized for the Paillier cryptosystem. Our system enjoys sublinear proof size, low verification cost, and acceptable proof generation effort, while also supporting batch proof
generation/verification. Existing works specialized for Paillier cryptosystem feature linear proof size and verification time. Using existing sublinear argument systems for generic statements (e.g., zk-SNARK) results in unaffordable proof generation cost
since it involves translating the relations to be proven into an inhibitive large Boolean or arithmetic circuit over a prime order field. Our system does not suffer from these limitations.

The core of our argument systems is a constraint system defined over the ring of residue classes modulo a composite number, together with novel techniques tailored for arguing binary values in this setting. We then adapt the approach from Bootle et al.
(EUROCRYPT 2016) to compile the constraint system into a sublinear argument system. Our constraint system is generic and can be used to express typical relations in Paillier cryptosystems including range proof, correctness proof, relationships between
bits of plaintext, relationships of plaintexts among multiple ciphertexts, and more. Our argument supports batch proof generation and verification, with the amortized cost outperforming state-of-the-art protocol specialized for Paillier when the number
of Paillier ciphertext is in the order of hundreds.


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)