• [digest] 2024 Week 40 (2/3)

    From IACR ePrint Archive@21:1/5 to All on Mon Oct 7 02:31:09 2024
    [continued from previous message]

    This work provides a comprehensive definition for Secure Swarming Data Exchange (SSDE), including security assumptions. Also it offers a detailed game-based security analysis for the PoUDR protocol. Moreover, the PoUDR protocol has been fully integrated
    into the Bitswap protocol (IPFS). Within this integration, our proposed Relaxed Groth16 algorithm addresses the significant technical challenge of generating zero-knowledge proofs, leading to substantial cost reductions for overall feasibility of secure
    data retrieval in decentralized storage networks.



    ## 2024/1545

    * Title: Fully Composable Homomorphic Encryption
    * Authors: Daniele Micciancio
    * [Permalink](https://eprint.iacr.org/2024/1545)
    * [Download](https://eprint.iacr.org/2024/1545.pdf)

    ### Abstract

    The traditional definition of fully homomorphic encryption (FHE) is not composable, i.e., it does not guarantee that evaluating two (or more) homomorphic computations in a sequence produces correct results. We formally define and investigate a
    stronger notion of homomorphic encryption which we call "fully composable homomorphic encryption", or "composable FHE". The definition is both simple and powerful: it does not directly involve the evaluation of multiple functions, and yet it supports
    the arbitrary composition of homomorphic evaluations. On the technical side, we compare the new definition with other definitions proposed in the past, proving both implications and separations, and show how the "bootstrapping" technique of (Gentry,
    STOC 2009) can be formalized as a method to transform a (non-composable, circular secure) homomorphic encryption scheme into a fully composable one. We use this formalization of bootstrapping to formulate a number of conjectures and open problems.



    ## 2024/1546

    * Title: Bit t-SNI Secure Multiplication Gadget for Inner Product Masking
    * Authors: John Gaspoz, Siemen Dhooghe
    * [Permalink](https://eprint.iacr.org/2024/1546)
    * [Download](https://eprint.iacr.org/2024/1546.pdf)

    ### Abstract

    Masking is a sound countermeasure to protect against differential power analysis. Since the work by Balasch et al. in ASIACRYPT 2012, inner product masking has been explored as an alternative to the well known Boolean masking. In CARDIS 2017, Poussier et
    al. showed that inner product masking achieves higher-order security versus Boolean masking, for the same shared size, in the bit-probing model. Wang et al. in TCHES 2020 verified the inner product masking's security order amplification in practice and
    proposed new gadgets for inner product masking. Finally, Wu et al. in TCHES 2022 showed that this security amplification comes from the bit-probing model, but that Wang al.'s gadgets are not higher-order bit-probing secure reducing the computation's
    practical security. The authors concluded their work with the open question of providing an inner product multiplication gadget which maintains the masking's bit-probing security, and conjectured that such gadget maintains the practical security order
    amplification of the masking during its computation.

    In this paper, we answer positively to Wu et al.'s open problems. We are the first to present a multiplication gadget for inner product masking which is proven secure in the bit-level probing model using the t-Strong Non-Interference (SNI) property.
    Moreover, we provide practical evidence that the gadget indeed maintains the security amplification of its masking. This is done via an evaluation of an assembly implementation of the gadget on an ARM Cortex-M4 core. We used this implementation to take
    leakage measurements and show no leakage happens for orders below the gadget's bit-probing security level either for its univariate or multivariate analysis.



    ## 2024/1547

    * Title: HHL for tensor-decomposable matrices
    * Authors: Cezary Pilaszewicz, Marian Margraf
    * [Permalink](https://eprint.iacr.org/2024/1547)
    * [Download](https://eprint.iacr.org/2024/1547.pdf)

    ### Abstract

    We use the HHL algorithm to retrieve a quantum state holding the algebraic normal formal of a Boolean function. Unlike the standard HHL applications, we do not describe the cipher as an exponentially big system of equations. Rather, we perform a set of
    small matrix inversions which corresponds to the Boolean Möbius transform. This creates a superposition holding information about the ANF in the form: $\ket{\mathcal{A}_{f}} =\frac{1}{C} \sum_{I=0}^{2^n-1} c_I \ket{I}$, where $c_I$ is the coefficient of
    the ANF and $C$ is a scaling factor. The procedure has a time complexity of $\mathcal{O}(n)$ for a Boolean function with $n$ bit input. We also propose two approaches how some information about the ANF can be extracted from such a state.



    ## 2024/1548

    * Title: Fully-Succinct Arguments over the Integers from First Principles
    * Authors: Matteo Campanelli, Mathias Hall-Andersen
    * [Permalink](https://eprint.iacr.org/2024/1548)
    * [Download](https://eprint.iacr.org/2024/1548.pdf)

    ### Abstract

    Succinct arguments of knowledge allow an untrusted prover to establish that they know a witness for an NP relation. Many recent efficient constructions of such schemes work over arithmetic computations expressed in finite fields.
    Several common settings, however, have an extremely simple representation when expressed over the integers (e.g., RSA signatures/accumulators, range checks for committed values, computations over rational numbers). Efficient arguments of knowledge
    working natively over $\mathbb{Z}$ could be applied to such computations without the overhead from emulating integer arithmetic over a finite field.
    We propose the first native construction of SNARKs over the integers that is fully succinct, thus resolving an open problem from Towa and Vergnaud (Asiacrypt 2020). By fully succinct, we mean that \textit{both} the proof size and the verifier's running
    time should be sublinear in both $|\vec w|$—the size of the witness as a vector of integers—and $\log_2 \lVert \vec w \rVert_\infty$—the size in bits of the largest integer in the witness vector (in absolute value).
    As a stepping stone for our results we provide a general theoretical framework for building succinct arguments over the integers.
    Its most attractive feature is that it allows to reuse already existing constructions of SNARKs in a modular way and can be used as a starting point for constructions following up our work. We build these systematic foundations by leveraging a common
    technique in theoretical computer science—fingerprinting—and applying it to a new setting. Our framework consists of two main ingredients: idealized protocols and polynomial commitments such that an object ``committed over the integers'' can however
    be ``queried modulo $q$'', for a randomly sampled prime $q$.
    We obtain our final construction, $\mathbb{Z}$aratan, by lifting the $\mathsf{Spartan}$ construction (Setty, CRYPTO 2020) to the integers and applying a form of polynomial commitment based on the techniques from DARK (Bünz et al., Eurocrypt 2020). $\
    mathbb{Z}$aratan has a transparent setup, is proven secure in the generic group model for groups of unknown order and can be heuristically made non-interactive in the ROM via the Fiat-Shamir transform.



    ## 2024/1549

    * Title: Universally Composable SNARKs with Transparent Setup without Programmable Random Oracle
    * Authors: Christian Badertscher, Matteo Campanelli, Michele Ciampi, Luigi Russo, Luisa Siniscalchi
    * [Permalink](https://eprint.iacr.org/2024/1549)
    * [Download](https://eprint.iacr.org/2024/1549.pdf)

    ### Abstract

    Non-interactive zero-knowledge (NIZK) proofs allow a prover to convince a verifier about the validity of an NP-statement by sending a single message and without disclosing any additional information (besides the validity of the statement). Single-message
    cryptographic proofs are very versatile, which has made them widely used both in theory and in practice. This is particularly true for succinct proofs, where the length of the message is sublinear in the size of the NP relation. This versatility,
    unfortunately, comes at a price, since any NIZK proof system requires some form of setup, like a common reference string. One way to circumvent the need for a setup is by relying on a Random Oracle. Unfortunately, if the Random Oracle is modeled as a
    Global resource that the simulator is not allowed to program, then it is impossible to obtain a secure NIZK. This impossibility has been circumvented by allowing the simulator (and the real-world adversary) to program the RO, and allowing the honest
    parties to check, via a special interface, if the RO outputs have been programmed.
    In this work, we show that this impossibility can be circumvented by meaningfully weakening the Universal Composability framework following the model proposed by Broadnax et al. (Eurocrypt 2017). In this model, the ideal world functionalities are allowed
    to interact with oracles that have quasi-polynomial time capabilities.
    As our main result, we propose the first composable NIZK proof system that relies on a global (non-programmable) random oracle as its only form of setup. The NIZK scheme we propose is witness-succinct (with proofs logarithmic in the size of the witness).
    Our results break both the barrier of programmability of the random oracle and of polylogarithmic proof size for UC-secure NIZKs with transparent setups.
    We are able to construct our NIZK using the framework proposed by Ganesh et al. (Eurocrypt 2023), which requires—among other building blocks—a polynomial commitment scheme with special features and a polynomial encoding scheme (a primitive that
    appropriately masks a witness as a polynomial). As a core technical contribution, we show a polynomial commitment of this type using a basic component of Bulletproofs as a building block, as well as a polynomial encoding based on techniques completely
    different from the ones from Ganesh et al..



    ## 2024/1550

    * Title: MAYO Key Recovery by Fixing Vinegar Seeds
    * Authors: Sönke Jendral, Elena Dubrova
    * [Permalink](https://eprint.iacr.org/2024/1550)
    * [Download](https://eprint.iacr.org/2024/1550.pdf)

    ### Abstract

    As the industry prepares for the transition to post-quantum secure public key cryptographic algorithms, vulnerability analysis of their implementations is gaining importance. A theoretically secure cryptographic algorithm should also be able to withstand
    the challenges of physical attacks in real-world environments. MAYO is a candidate in the ongoing first round of the NIST post-quantum standardization process for selecting additional digital signature schemes. This paper demonstrates three first-order
    single-execution fault injection attacks on a MAYO implementation in an ARM Cortex-M4 processor. By using voltage glitching to disrupt the computation of the vinegar seed during the signature generation, we enable the recovery of the secret key directly
    from the faulty signatures. Our experimental results show that the success rates of the fault attacks in a single execution are 36%, 82%, and 99%, respectively. They emphasize the importance of developing countermeasures against fault attacks prior to
    the widespread deployment of post-quantum algorithms like MAYO.



    ## 2024/1551

    * Title: SNARKs for Virtual Machines are Non-Malleable
    * Authors: Matteo Campanelli, Antonio Faonio, Luigi Russo
    * [Permalink](https://eprint.iacr.org/2024/1551)
    * [Download](https://eprint.iacr.org/2024/1551.pdf)

    ### Abstract

    Cryptographic proof systems have a plethora of applications: from building other cryptographic tools (e.g., malicious security for MPC protocols) to concrete settings such as private transactions or rollups. In several settings it is important for proof
    systems to be non-malleable: an adversary should not to be able to modify a proof they have observed into another for a statement for which they do not know the witness.
    Proof systems that have been deployed in practice should arguably satisfy this notion: it is crucial in settings such as transaction systems and in order to securely compose proofs with other cryptographic protocols. As a consequence, results on non-
    malleability should keep up with designs of proofs being deployed.
    Recently, Arun et al. proposed $\mathsf{Jolt}$ (Eurocrypt 2024), arguably the first efficient proof system whose architecture is based on the lookup singularity approach (Barry Whitehat, 2022). This approach consists in representing a general computation
    as a series of table lookups. The final result is a SNARK for a Virtual Machine execution (or SNARK VM). Both SNARK VMs and lookup-singularity SNARKs are architectures with enormous potential and will probably be adopted more and more in the next years (
    and they already are).
    As of today, however, there is no literature regarding the non-malleability of SNARK VMs. The goal of this work is to fill this gap by providing both concrete non-malleability results and a set of technical tools for a more general study of SNARK VMs
    security (as well as "modular" SNARKs in general). As a concrete result, we study the non-malleability of (an idealized version of) $\mathsf{Jolt}$ and its fundamental building block, the lookup argument $\mathsf{Lasso}$. While connecting our new result
    on the non-malleability of $\mathsf{Lasso}$ to that of $\mathsf{Jolt}$, we develop a set of tools that enable the composition of non-malleable SNARKs. We believe this toolbox to be valuable in its own right.



    ## 2024/1552

    * Title: Revisiting Keyed-Verification Anonymous Credentials
    * Authors: Michele Orrù
    * [Permalink](https://eprint.iacr.org/2024/1552)
    * [Download](https://eprint.iacr.org/2024/1552.pdf)

    ### Abstract

    Keyed-verification anonymous credentials are widely recognized as among the most efficient tools for anonymous authentication. In this work, we revisit two prominent credential systems: the scheme by Chase et al. (CCS 2014), commonly referred to as CMZ
    or PS MAC, and the scheme by Barki et al. (SAC 2016), known as BBDT or BBS MAC. We show how to make CMZ statistically anonymous and BBDT compatible with the BBS RFC draft. We provide a comprehensive security analysis for strong(er) properties of
    unforgeability and anonymity. These properties allow them to be composed with extensions that users can pick and choose. We show that simpler variants satisfying one-more unforgeability can still be anonymous tokens (Kreuter et al., CRYPTO 2020).

    To enable faster proofs for complex presentations, we present a compiler that uses an interactive oracle proof and a designated-verifier polynomial commitment to construct a designated-verifier non-interactive argument. For keyed-verification anonymous
    credentials, designated-verifier proofs suffice since the verifier is known in advance. We explore extensions that could benefit from this approach.



    ## 2024/1553

    * Title: STARK-based Signatures from the RPO Permutation
    * Authors: Shahla Atapoor, Cyprien Delpech de Saint Guilhem, Al Kindi
    * [Permalink](https://eprint.iacr.org/2024/1553)
    * [Download](https://eprint.iacr.org/2024/1553.pdf)

    ### Abstract

    This work describes a digital signature scheme constructed from a zero-knowledge proof of knowledge of a pre-image of the Rescue Prime Optimized (RPO) permutation. The proof of knowledge is constructed with the DEEP-ALI interactive oracle proof combined
    with the Ben-Sasson--Chiesa--Spooner (BCS) transformation in the random oracle model. The EUF-CMA security of the resulting signature scheme is established from the UC-friendly security properties of the BCS transformation and the pre-image hardness of
    the RPO permutation.

    The implementation of the scheme computes signatures in 13 ms and verifies them in 1 ms on a single core when the BCS transform is implemented with the Blake3 hash function. (The multi-threaded implementation signs in 9.2 ms and also verifies in 1 ms.)
    These speeds are obtained with parameters achieving 122 bits of average-case security for \( 2^{122} \)-bounded adversaries with access to at most \( 2^{64} \) signatures.



    ## 2024/1554

    * Title: Breaking, Repairing and Enhancing XCBv2 into the Tweakable Enciphering Mode GEM
    * Authors: Amit Singh Bhati, Michiel Verbauwhede, Elena Andreeva
    * [Permalink](https://eprint.iacr.org/2024/1554)
    * [Download](https://eprint.iacr.org/2024/1554.pdf)

    ### Abstract

    Tweakable enciphering modes (TEMs) provide security in a variety of storage and space-critical applications like disk and file-based encryption, and packet-based communication protocols, among others. XCB-AES (known as XCBv2) is specified in the IEEE
    1619.2 standard for encryption of sector-oriented storage media and it comes with a proof of security for block-aligned input messages.

    In this work, we demonstrate an attack on XCBv2. We show that XCBv2 is $\textit{insecure}$ also for full block messages by presenting a plaintext recovery attack using $\textit{only}$ two queries. We demonstrate that our attack further applies to the
    HCI and MXCB TEMs, which follow a similar design approach to XCBv2.

    We then propose a simple, ``quick'' fix that is not vulnerable to our attack and provably restore the security for XCBv2. Following the responsible disclosure process, we communicated the attack details to IEEE and the authors of XCB-AES. The authors
    have confirmed the validity of our attack on 02/09/2024.

    Our next contribution is to strengthen the provable security of XCBv2 (currently $n/3$ bits). We propose a new modular TEM called GEM which can be seen as a generalization of the Hash-CTR-Hash approach as used in XCB-style and HCTR-style TEMs. We are
    able to prove that GEM achieves full $n$-bit security using $\textit{only}$ $n$-bit PRP/PRF.

    We also give two concrete GEM instantiations: $\mathsf{KohiNoor}$ and $\mathsf{DaryaiNoor}$, both of which are based on AES-128 and GHASH-256, and internally use variants of the CTR-based weak pseudorandom functions GCTR-3 and SoCTR, respectively.
    SoCTR uses AES-128 and GCTR-3 is based on $\mathsf{ButterKnife}$-256. Our security proofs show that both $\mathsf{KohiNoor}$ and $\mathsf{DaryaiNoor}$ provide full $n$-bit security. From applications perspective, $\mathsf{DaryaiNoor}$ addresses the need
    for reusing classical components, while $\mathsf{KohiNoor}$ enhances performance by leveraging a more modern primitive based on the AES/Deoxys round function.

    Our implementation demonstrates competitive performance: For typical 4KiB sector size, $\mathsf{KohiNoor}$'s performance is on par with AES$_{6}$-CTET+, yet achieving higher standard security guarantees. $\mathsf{DaryaiNoor}$ is on par with AES-CTET+
    performance-wise while also maintaining higher security with standard components. Our GEM instances triple the security margin of XCBv2 and double that of HCTR2 at the cost of performance loss of only $12\%$ ($\mathsf{KohiNoor}$) and $68\%$ ($\mathsf{
    DaryaiNoor}$) for 4KiB messages.



    ## 2024/1555

    * Title: Private Laconic Oblivious Transfer with Preprocessing
    * Authors: Rishabh Bhadauria, Nico Döttling, Carmit Hazay, Chuanwei Lin
    * [Permalink](https://eprint.iacr.org/2024/1555)
    * [Download](https://eprint.iacr.org/2024/1555.pdf)

    ### Abstract

    Laconic cryptography studies two-message protocols that securely compute on large amounts of data with minimal communication cost. Laconic oblivious transfer (OT) is a central primitive where the receiver's input is a large database $\mathsf{DB}$ and the
    sender's inputs are two messages $m_0$, $m_1$ along with an index $i$, such that the receiver learns the message determined by the choice bit $\mathsf{DB}_i$. OT becomes even more useful for secure computation when considering its laconic variants, which
    offer succinctness and round optimality. However, existing constructions are not practically efficient because they rely on heavy cryptographic machinery and non-black-box techniques.

    In this work, we initiate the study of laconic OT correlations, where the model allows an offline phase to generate the correlations later used in a lightweight online phase. Our correlation is conceptually simple, captured by an inner product
    computation, and enables us to achieve a private laconic OT protocol where the sender's index $i$ is also hidden from the receiver. Our construction is the first private laconic OT with database-dependent preprocessing based solely on symmetric-key
    assumptions, achieving sublinear online computational complexity for the receiver. Furthermore, we enhance our construction with updatability and receiver privacy. Finally, we demonstrate the applications of private laconic OT to laconic function
    evaluation for RAM programs and laconic private set intersection with preprocessing.



    ## 2024/1556

    * Title: The module action for isogeny based cryptography
    * Authors: Damien Robert
    * [Permalink](https://eprint.iacr.org/2024/1556)
    * [Download](https://eprint.iacr.org/2024/1556.pdf)

    ### Abstract

    We extend the usual ideal action on oriented elliptic curves to a (Hermitian) module action on oriented (polarised) abelian varieties. Oriented abelian varieties are naturally enriched in $R$-modules, and our module action comes from the canonical power
    object construction on categories enriched in a closed symmetric monoidal category. In particular our action is canonical and gives a fully fledged symmetric monoidal action. Furthermore, we give algorithms to compute this action in practice,
    generalising the usual algorithms in rank~$1$.

    The action allows us to unify in the same framework, on the one hand isogeny based cryptography based on ordinary or oriented elliptic curves, and on the other hand the one based on supersingular elliptic curves defined over $\mathbb{F}_{p^2}$. In
    particular, from our point of view, supersingular elliptic curves over $\mathbb{F}_p$ are given by a rank~$1$ module action, while (the Weil restriction) of those defined over $\mathbb{F}_{p^2}$ are given by a rank~$2$ module action. As a consequence,
    rank~$2$ module action inversion is at least as hard as the supersingular isogeny path problem.

    We thus propose to use Hermitian modules as an avatar of a cryptographic symmetric monoidal action framework. This generalizes the more standard cryptographic group action framework, and still allows for a NIKE (Non Interactive Key Exchange). The main
    advantage of our action is that, presumably, Kuperberg's algorithm does not apply. Compared to CSIDH, this allows for more compact keys and much better scaling properties.

    In practice, we propose the key exchange scheme $\otimes$-MIKE (Tensor Module Isogeny Key Exchange). Alice and Bob start from a supersingular elliptic curve $E_0/\mathbb{F}_p$ and both compute a $2^n$-isogeny over $\mathbb{F}_{p^2}$. They each send the $
    j$-invariant of their curve. Crucially, unlike SIDH, no torsion information at all is required. Their common secret, given by the module action, is then a dimension~$4$ principally polarised abelian variety. We obtain a very compact post-quantum NIKE:
    only 64B for NIST level~$1$ security.



    ## 2024/1557

    * Title: Tightly Secure Threshold Signatures over Pairing-Free Groups
    * Authors: Renas Bacho, Benedikt Wagner
    * [Permalink](https://eprint.iacr.org/2024/1557)
    * [Download](https://eprint.iacr.org/2024/1557.pdf)

    ### Abstract

    Threshold signatures have been drawing lots of attention in recent years. Of particular interest are threshold signatures that are proven secure under adaptive corruptions (NIST Call 2023). Sadly, existing constructions with provable adaptive security
    suffer from at least one of the following drawbacks: (i) strong idealizations such as the algebraic group model (AGM), (ii) an unnatural restriction on the corruption threshold being $t/2$ where $t$ is the signing threshold, or (iii) prohibitively large
    security loss under established assumptions. Notably, point (iii) has received little to no attention in the literature on this subject.

    In this work, we introduce Twinkle-T, a new threshold signature scheme which overcomes these limitations. Twinkle-T is the first scheme to have a fully tight security proof under up to $t$ adaptive corruptions without relying on the AGM. It also has a
    signing protocol consisting of only three rounds and thus matches the currently best threshold signature with full adaptive security Twinkle (Eurocrypt 2024) in the pairing-free discrete logarithm setting. We prove security from a standard non-
    interactive assumption, namely, the Decisional Diffie-Hellman (DDH) assumption.



    ## 2024/1558

    * Title: Understanding Leakage in Searchable Encryption: a Quantitative Approach
    * Authors: Alexandra Boldyreva, Zichen Gui, Bogdan Warinschi
    * [Permalink](https://eprint.iacr.org/2024/1558)
    * [Download](https://eprint.iacr.org/2024/1558.pdf)

    ### Abstract

    Searchable encryption, or more generally, structured encryption, permits search over encrypted data. It is an important cryptographic tool for securing cloud storage. The standard security notion for structured encryption mandates that a protocol leaks
    nothing about the data or queries, except for some allowed leakage, defined by the leakage function. This is due to the fact that some leakage is unavoidable for efficient schemes. Unfortunately, it was shown by numerous works that even innocuous-
    looking leakage can often be exploited by attackers to undermine users' privacy and recover their queries and/or data, despite the structured encryption schemes being provably secure. Nevertheless, the standard security remains the go-to notion used to
    show the "security" of structured encryption schemes. While it is not likely that researchers will design practical structured encryption schemes with no leakage, it is not satisfactory that very few works study ways to assess leakage. This work proposes
    a novel framework to quantify leakage. Our methodology is inspired by the quantitative information flow, and we call our method $q$-leakage analysis. We show how $q$-leakage analysis is related to the standard security. We also demonstrate the
    usefulness of $q$-leakage analysis by analyzing the security of two existing schemes with complex leakage functions.



    ## 2024/1559

    * Title: Mind the Composition of Toffoli Gates: Structural Algebraic Distinguishers of ARADI
    * Authors: Emanuele Bellini, Mohamed Rachidi, Raghvendra Rohit, Sharwan K. Tiwari
    * [Permalink](https://eprint.iacr.org/2024/1559)
    * [Download](https://eprint.iacr.org/2024/1559.pdf)

    ### Abstract

    This paper reveals a critical flaw in the design of ARADI, a recently proposed low-latency block cipher by NSA researchers -- Patricia Greene, Mark Motley, and Bryan Weeks. The weakness exploits the specific composition of Toffoli gates in the round
    function of ARADI's nonlinear layer, and it allows the extension of a given algebraic distinguisher to one extra round without any change in the data complexity. More precisely, we show that the cube-sum values, though depending on the secret key bits,
    are always equal in two of the state words. Such a structural property is difficult to obtain by the direct application of division property and has never been seen before in any state-of-the-art block cipher. We call this structural property \textit{
    weakly-composed-Toffoli gates}, and introduce a theoretical framework which can describe it in general terms. We present algebraic distinguishers that reach 8 out of 16 rounds of ARADI. Most notably, we show that these distinguishers have better data
    complexities than the division property-based distinguishers for the same number of rounds. We further investigate whether changing the linear layer or the order of composition of Toffoli gates could avoid this property. We give a negative answer to the
    same and show that it is impossible to prevent this structural property unless the nonlinear layer is re-designed. As a side result, we provide a key-recovery attack on 10 rounds ARADI with $2^{124}$ data and $2^{177}$ time for a 256-bit key. Our work
    highlights the significance of security analysis during the cipher design phase, and shows that these strong structural distinguishers could have been avoided during this phase.



    ## 2024/1560

    * Title: Revisiting Shuffle-Based Private Set Unions with Reduced Communication * Authors: Jiseung Kim, Hyung Tae Lee, Yongha Son
    * [Permalink](https://eprint.iacr.org/2024/1560)
    * [Download](https://eprint.iacr.org/2024/1560.pdf)

    ### Abstract

    A Private Set Union (PSU) allows two parties having sets $X$ and $Y$ to securely compute the union $X \cup Y$ while revealing no additional information. Recently, there have been proposed so-called shuffle-based PSU protocols due to Garimella et. al. (
    PKC'21) and Jia et. al. (USENIX'22).
    Except a few base oblivious transfers, those proposals are fully based on symmetric key primitives and hence enjoy quite low computation costs. However, they commonly have drawbacks on large communication cost of $O(\ell n\log n)$ with input set size $n$
    and $\ell \ge O(\lambda + \log n)$ where $\lambda$ is a statistical security parameter.

    We propose two optimizations for each work that reduce communication cost while maintaining strength in computation cost; the first one optimizes Garimella et. al. to have $O(\ell n + n \log n)$, and the second one optimizes Jia et. al. by reducing the
    concrete value of $\ell$ by $\log n$. Concretely, the first (second, resp) optimization provides $3.3 - 3.9$x ($1.7 - 1.8$x, resp) lower communication input set sizes $n = 2^{16} - 2^{20}$.

    We demonstrate by comprehensive analysis and implementation that our optimization leads to better PSU protocol, compared to the state-of-the-art proposal of Zhang et. al. (USENIX'23) as well as previous shuffle-based PSUs. As a concrete amount of
    improvement, we see $1.4-1.5$x speed up for $100$Mbps network, and $1.8-2.2$x speed up for $10$Mbps network on input set sizes $n = 2^{16} - 2^{20}$.



    ## 2024/1561

    * Title: FLUENT: A Tool for Efficient Mixed-Protocol Semi-Private Function Evaluation
    * Authors: Daniel Günther, Joachim Schmidt, Thomas Schneider, Hossein Yalame
    * [Permalink](https://eprint.iacr.org/2024/1561)
    * [Download](https://eprint.iacr.org/2024/1561.pdf)

    ### Abstract

    In modern business to customer interactions, handling private or confidential data is essential. Private Function Evaluation (PFE) protocols ensure the privacy of both the customers' input data and the business' function evaluated on it which is often
    sensitive intellectual property (IP). However, fully hiding the function in PFE results in high performance overhead. Semi-Private Function Evaluation (SPFE) is a generalization of PFE to only partially hide the function, whereas specific non-critical
    components remain public. Our paper introduces a novel framework designed to make SPFE accessible to non-experts and practical for real-world deployments.

    To achieve this, we improve on previous SPFE solutions in two aspects.
    First, we enhance the developer experience by leveraging High-Level Synthesis (HLS), making our tool more user-friendly than previous SPFE frameworks.
    Second, we achieve a \(2 \times\) speedup compared to the previous state-of-the-art through more efficient underlying constructions and the usage of Lookup Tables (LUTs).

    We evaluate the performance of our framework in terms of communication and runtime efficiency. Our final implementation is available as an open-source project, aiming to bridge the gap between advanced cryptographic protocols and their practical
    application in industry scenarios.



    ## 2024/1562

    * Title: Fully Privacy-preserving Billing Models for Peer-to-Peer Electricity Trading Markets
    * Authors: Akash Madhusudan, Mustafa A. Mustafa, Hilder V.L. Pereira, Erik Takke
    * [Permalink](https://eprint.iacr.org/2024/1562)
    * [Download](https://eprint.iacr.org/2024/1562.pdf)

    ### Abstract


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)