[continued from previous message]

Similarity search, i.e., retrieving vectors in a database that are similar to a query, is the backbone of many applications. Especially, graph-based methods show state-of-the-art performance. For sensitive applications, it is critical to ensure the
privacy of the query and the dataset.

In this work, we introduce GraSS, a secure protocol between client (query owner) and server (dataset owner) for graph-based similarity search based on fully homomorphic encryption (FHE). Both the client-input privacy against the server and the server-
input privacy against the client are achievable based on underlying security assumptions on FHE.

We first propose an FHE-friendly graph structure with a novel index encoding method that makes our protocol highly scalable in terms of data size, reducing the computational complexity of neighborhood retrieval process from $O(n^2)$ to $\tilde{O}(n)$ for
the total number of nodes $n$. We also propose several core FHE algorithms to perform graph operations under the new graph structure. Finally, we introduce GraSS, an end-to-end solution of secure graph-based similarity search based on FHE. To the best of
our knowledge, it is the first FHE-based solution for secure graph-based database search.

We implemented GraSS with an open-source FHE library and estimated the performance on a million-scale dataset. GraSS identifies (approximate) top-16 in about $83$ hours achieving search accuracy of $0.918$, making it over $28\times$ faster than the
previous best-known FHE-based solution.



## 2024/2013

* Title: Crescent: Stronger Privacy for Existing Credentials
* Authors: Christian Paquin, Guru-Vamsi Policharla, Greg Zaverucha
* [Permalink](https://eprint.iacr.org/2024/2013)
* [Download](https://eprint.iacr.org/2024/2013.pdf)

### Abstract

We describe Crescent, a construction and implementation of privacy-preserving credentials. The system works by upgrading the privacy features of existing credentials, such as JSON Web Tokens (JWTs) and Mobile Driver’s License (mDL) and as such does not
require a new party to issue credentials. By using zero-knowledge proofs of possession of these credentials, we can add privacy features such as selective disclosure and unlinkability, without help from credential issuers. The system has practical
performance, offering fast proof generation and verification times (tens of milliseconds) after a once-per-credential setup phase. We give demos for two practical scenarios, proof of employment for benefits eligibility (based on an employer-issued JWT),
and online age verification (based on an mDL). We provide an open-source implementation to enable further research and experimentation.

This paper is an early draft describing our work, aiming to include enough material to describe the functionality, and some details of the internals of our new library, available at https://github.com/microsoft/crescent-credentials.



## 2024/2014

* Title: On the Traceability of Group Signatures: Uncorrupted User Must Exist
* Authors: Keita Emura
* [Permalink](https://eprint.iacr.org/2024/2014)
* [Download](https://eprint.iacr.org/2024/2014.pdf)

### Abstract

Group signature (GS) is a well-known cryptographic primitive providing anonymity and traceability. Several implication results have been given by mainly focusing on the several security levels of anonymity, e.g., fully anonymous GS implies public key
encryption (PKE) and selfless anonymous GS can be constructed from one-way functions and non-interactive zero knowledge poofs, and so on. In this paper, we explore an winning condition of full traceability: an adversary is required to produce a valid
group signature whose opening result is an uncorrupted user. We demonstrate a generic construction of GS secure in the Bellare-Micciancio-Warinschi (BMW) model except the above condition from PKE only. We emphasize that the proposed construction is
quite artificial and meaningless in practice because the verification algorithm always outputs 1 regardless of the input. This result suggests us the winning condition is essential in full traceability, i.e., an uncorrupted user must exist. We also
explore a public verifiability of GS-based PKE scheme and introduce a new formal security definition of public verifiability by following BUFF (Beyond UnForgeability Features) security. Our definition guarantees that the decryption result of a valid
cyphertext is in the message space specified by the public key. We show that the GS-based PKE scheme is publicly verifiable if the underlying GS scheme is fully traceable.



## 2024/2015

* Title: Universal SNARGs for NP from Proofs of Correctness
* Authors: Zhengzhong Jin, Yael Tauman Kalai, Alex Lombardi, Surya Mathialagan * [Permalink](https://eprint.iacr.org/2024/2015)
* [Download](https://eprint.iacr.org/2024/2015.pdf)

### Abstract

We give new constructions of succinct non-interactive arguments ($\mathsf{SNARG}$s) for $\mathsf{NP}$ in the settings of both non-adaptive and adaptive soundness.

Our construction of non-adaptive $\mathsf{SNARG}$ is universal assuming the security of a (leveled or unleveled) fully homomorphic encryption ($\mathsf{FHE}$) scheme as well as a batch argument ($\mathsf{BARG}$) scheme. Specifically, for any choice of
parameters $\ell$ and $L$, we construct a candidate $\mathsf{SNARG}$ scheme for any $\mathsf{NP}$ language $\mathcal{L}$ with the following properties:

- the proof length is $\ell\cdot \mathsf{poly}(\lambda)$,
- the common reference string $\mathsf{crs}$ has length $L\cdot \mathsf{poly}(\lambda)$, and
- the setup is transparent (no private randomness).

We prove that this $\mathsf{SNARG}$ has non-adaptive soundness assuming the existence of any $\mathsf{SNARG}$ where the proof size is $\ell$, the $\mathsf{crs}$ size is $L$, and there is a size $L$ Extended Frege ($\mathcal{EF}$) proof of completeness
for the $\mathsf{SNARG}$.

Moreover, we can relax the underlying $\mathsf{SNARG}$ to be any 2-message privately verifiable argument where the first message is of length $L$ and the second message is of length $\ell$. This yields new $\mathsf{SNARG}$ constructions based on any ``$\
mathcal{EF}$-friendly'' designated-verifier $\mathsf{SNARG}$ or witness encryption scheme. We emphasize that our $\mathsf{SNARG}$ is universal in the sense that it does not depend on the argument system.

We show several new implications of this construction that do not reference proof complexity:

- a non-adaptive $\mathsf{SNARG}$ for $\mathsf{NP}$ with transparent $\mathsf{crs}$ from evasive $\mathsf{LWE}$ and $\mathsf{LWE}$. This gives a candidate lattice-based $\mathsf{SNARG}$ for $\mathsf{NP}$.
- a non-adaptive $\mathsf{SNARG}$ for $\mathsf{NP}$ with transparent $\mathsf{crs}$ assuming the (non-explicit) existence of any $\mathsf{iO}$ and $\mathsf{LWE}$.
- a non-adaptive $\mathsf{SNARG}$ for $\mathsf{NP}$ with a short and transparent (i.e., uniform) $\mathsf{crs}$ assuming $\mathsf{LWE}$, $\mathsf{FHE}$ and the (non-explicit) existence of any hash function that makes Micali's $\mathsf{SNARG}$
construction sound.
- a non-adaptive $\mathsf{SNARG}$ for languages such as $\mathsf{QR}$ and $\overline{\mathsf{DCR}}$ assuming only $\mathsf{LWE}$.

In the setting of adaptive soundness, we show how to convert any designated verifier $\mathsf{SNARG}$ into publicly verifiable $\mathsf{SNARG}$, assuming the underlying designated verifier $\mathsf{SNARG}$ has an $\mathcal{EF}$ proof of completeness. As
a corollary, we construct an adaptive $\mathsf{SNARG}$ for $\mathsf{UP}$ with a transparent $\mathsf{crs}$ assuming subexponential $\mathsf{LWE}$ and evasive $\mathsf{LWE}$.

We prove our results by extending the encrypt-hash-and-$\mathsf{BARG}$ paradigm of [Jin-Kalai-Lombardi-Vaikuntanathan, STOC '24].



## 2024/2016

* Title: The Existence of Quantum One-Way Functions
* Authors: Ping Wang, Yikang Lei, Zishen Shen, Fangguo Zhang
* [Permalink](https://eprint.iacr.org/2024/2016)
* [Download](https://eprint.iacr.org/2024/2016.pdf)

### Abstract

One-way functions are essential tools for cryptography. However, the existence of one-way functions is still an open conjecture. By constructing a function with classical bits as input and quantum states as output, we prove for the first time the
existence of quantum one-way functions. It provides theoretical guarantees for the security of many quantum cryptographic protocols.



## 2024/2017

* Title: Byzantine Consensus in Wireless Networks
* Authors: Hao Lu, Jian Liu, Kui Ren
* [Permalink](https://eprint.iacr.org/2024/2017)
* [Download](https://eprint.iacr.org/2024/2017.pdf)

### Abstract

A Byzantine consensus protocol is essential in decentralized systems as the protocol ensures system consistency despite node failures.
Research on consensus in wireless networks receives relatively less attention, while significant advancements in wired networks.
However, consensus in wireless networks has equal significance as in wired networks.

In this paper, we propose a new reliable broadcast protocol that can achieve reliability with high fault tolerance over than the SOTA (PODC '05). With the new protocol, we further develop the first wireless network Byzantine consensus protocol under the
assumption of partial synchrony. Notably, this consensus protocol removes the requirement of leaders and fail-over mechanism in prior works. We formally prove the correctness of both our new broadcast protocol and consensus protocol.



## 2024/2018

* Title: On the BUFF Security of ECDSA with Key Recovery
* Authors: Keita Emura
* [Permalink](https://eprint.iacr.org/2024/2018)
* [Download](https://eprint.iacr.org/2024/2018.pdf)

### Abstract

In the usual syntax of digital signatures, the verification algorithm takes a verification key in addition to a signature and a message, whereas in ECDSA with key recovery, which is used in Ethereum, no verification key is input to the verification
algorithm. Instead, a verification key is recovered from a signature and a message. In this paper, we explore BUFF security of ECDSA with key recovery (KR-ECDSA), where BUFF stands for Beyond UnForgeability Features (Cremers et al., IEEE S&P 2021). As a
result, we show that KR-ECDSA provides BUFF security, except weak non-resignability (wNR). We pay attention to that the verification algorithm of KR-ECDSA takes an Ethereum address addr as input, which is defined as the rightmost 160-bits of the Keccak-
256 hash of the corresponding ECDSA verification key, and checks the hash value of the recovered verification key is equal to addr. Our security analysis shows that this procedure is mandatory to provide BUFF security. We also discuss whether wNR is
mandatory in Ethereum or not. To clarify the above equality check is mandatory to provide BUFF security in KR-ECDSA, we show that the original ECDSA does not provide any BUFF security. As a by-product of the analysis, we show that one of our BUFF
attacks also works against the Aumayr et al.'s ECDSA-based adaptor signature scheme (ASIACRYPT 2021). We emphasize that the attack is positioned outside of their security model.



## 2024/2019

* Title: Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key, Revisited: Consistency, Outsider Strong Unforgeability, and Generic Construction
* Authors: Keita Emura
* [Permalink](https://eprint.iacr.org/2024/2019)
* [Download](https://eprint.iacr.org/2024/2019.pdf)

### Abstract

Liu et al. (EuroS&P 2019) introduced Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key (PDPKS) to enhance the security of stealth address and deterministic wallet. In this paper, we point out that the current security
notions are insufficient in practice, and introduce a new security notion which we call consistency. Moreover, we explore the unforgeability to provide strong unforgeability for outsider which captures the situation that nobody, except the payer and the
payee, can produce a valid signature. From the viewpoint of cryptocurrency functionality, it allows us to implement a refund functionality. Finally, we propose a generic construction of PDPKS that provides consistency and outsider strong unforgeability.
The design is conceptually much simpler than known PDPKS constructions. It is particularly note that the underlying strongly unforgeable signature scheme is required to provide the strong conservative exclusive ownership (S-CEO) security (Cremers et al.,
IEEE S&P 2021). Since we explicitly require the underlying signature scheme to be S-CEO secure, our security proof introduces a new insight of exclusive ownership security which may be of independent interest. As instantiations, we can obtain a pairing-
based PDPKS scheme in the standard model, a discrete-logarithm based pairing-free PDPKS scheme in the random oracle model, and a lattice-based PDPKS scheme in the random oracle model, and so on.



## 2024/2020

* Title: Ring Ring! Who's There? A Privacy Preserving Mobile Number Search
* Authors: Akshit Aggarwal
* [Permalink](https://eprint.iacr.org/2024/2020)
* [Download](https://eprint.iacr.org/2024/2020.pdf)

### Abstract

Private set intersection (PSI) allows any two parties (say client and server) to jointly compute the intersection of their sets without revealing anything else. Fully homomorphic encryption (FHE)-based PSI is a cryptographic solution to implement PSI-
based protocols. Most FHE-based PSI protocols implement hash function approach and oblivious transfer approach. The main limitations of their protocols are 1) high communication complexity, that is, $O(xlogy)$ (where $x$ is total number of elements on
client side, and $y$ is total number of elements on server side), and 2) high memory usage due to SIMD packing for encrypting large digit numbers. In this work, we design a novel tree-based approach to store the large digit numbers that achieves less
communication complexity, that is, $O(|d|^{2})$ (where $d$ is digits of a mobile number). Later we implement our protocol using Tenseal library. Our designed protocol opens the door to find the common elements with less communication complexity and less
memory usage.



## 2024/2021

* Title: PrivQuant: Communication-Efficient Private Inference with Quantized Network/Protocol Co-Optimization
* Authors: Tianshi Xu, Shuzhang Zhong, Wenxuan Zeng, Runsheng Wang, Meng Li
* [Permalink](https://eprint.iacr.org/2024/2021)
* [Download](https://eprint.iacr.org/2024/2021.pdf)

### Abstract

Private deep neural network (DNN) inference based on secure two-party computation (2PC) enables secure privacy protection for both the server and the client. However, existing secure 2PC frameworks suffer from a high inference latency due to enormous
communication. As the communication of both linear and non-linear DNN layers reduces with the bit widths of weight and activation, in this paper, we propose PrivQuant, a framework that jointly optimizes the 2PC-based quantized inference protocols and the
network quantization algorithm, enabling communication-efficient private inference. PrivQuant proposes DNN architecture-aware optimizations for the 2PC protocols for communication-intensive quantized operators and conducts graph-level operator fusion for
communication reduction. Moreover, PrivQuant also develops a communication-aware mixed precision quantization algorithm to improve the inference efficiency while maintaining high accuracy. The network/protocol co-optimization enables PrivQuant to
outperform prior-art 2PC frameworks. With extensive experiments, we demonstrate PrivQuant reduces communication by $11\times, 2.5\times \mathrm{and}~ 2.8\times$, which results in $8.7\times, 1.8\times ~ \mathrm{and}~ 2.4\times$ latency reduction
compared with SiRNN, COINN, and CoPriv, respectively.



## 2024/2022

* Title: The Revisited Hidden Weight Bit Function
* Authors: Pierrick Méaux, Tim Seuré, Deng Tang
* [Permalink](https://eprint.iacr.org/2024/2022)
* [Download](https://eprint.iacr.org/2024/2022.pdf)

### Abstract

The Hidden Weight Bit Function (HWBF) has drawn considerable attention for its simplicity and cryptographic potential. Despite its ease of implementation and favorable algebraic properties, its low nonlinearity limits its direct application in modern
cryptographic designs. In this work, we revisit the HWBF and propose a new weightwise quadratic variant obtained by combining the HWBF with a bent function. This construction offers improved cryptographic properties while remaining computationally
efficient. We analyze the balancedness, nonlinearity, and other criteria of this function, presenting theoretical bounds and experimental results to highlight its advantages over existing functions in similar use cases. The different techniques we
introduce to study the nonlinearity of this function also enable us to bound the nonlinearity of a broad family of weightwise quadratic functions, both theoretically and practically. We believe these methods are of independent interest.



## 2024/2023

* Title: An Abstract Multi-Forking Lemma
* Authors: Charanjit S Jutla
* [Permalink](https://eprint.iacr.org/2024/2023)
* [Download](https://eprint.iacr.org/2024/2023.pdf)

### Abstract

In this work we state and prove an abstract version of the multi-forking lemma of Pointcheval and Stern from EUROCRYPT'96. Earlier, Bellare and Neven had given an abstract version of forking lemma for two-collisions (CCS'06). While the original purpose
of the forking lemma was to prove security of signature schemes in the random oracle methodology, the abstract forking lemma can be used to obtain security proofs for multi-signatures, group signatures, and compilation of interactive protocols under the
Fiat-Shamir random-oracle methodology.



## 2024/2024

* Title: Hash-Prune-Invert: Improved Differentially Private Heavy-Hitter Detection in the Two-Server Model
* Authors: Borja Balle, James Bell, Albert Cheu, Adria Gascon, Jonathan Katz, Mariana Raykova, Phillipp Schoppmann, Thomas Steinke
* [Permalink](https://eprint.iacr.org/2024/2024)
* [Download](https://eprint.iacr.org/2024/2024.pdf)

### Abstract

Differentially private (DP) heavy-hitter detection is an important primitive for data analysis. Given a threshold $t$ and a dataset of $n$ items from a domain of size $d$, such detection algorithms ignore items occurring fewer than $t$ times while
identifying items occurring more than $t+\Delta$ times; we call $\Delta$ the error margin. In the central model where a curator holds the entire dataset, $(\varepsilon,\delta)$-DP algorithms can achieve error margin $\Theta(\frac 1 \varepsilon \log \frac
1 \delta)$, which is optimal when $d \gg 1/\delta$.

Several works, e.g., Poplar (S&P 2021), have proposed protocols in which two or more non-colluding servers jointly compute the heavy hitters from inputs held by $n$ clients. Unfortunately, existing protocols suffer from an undesirable dependence on $\
log d$ in terms of both server efficiency (computation, communication, and round complexity) and accuracy (i.e., error margin), making them unsuitable for large domains (e.g., when items are kB-long strings, $\log d \approx 10^4$).

We present hash-prune-invert (HPI), a technique for compiling any heavy-hitter protocol with the $\log d$ dependencies mentioned above into a new protocol with improvements across the board: computation, communication, and round complexity depend (
roughly) on $\log n$ rather than $\log d$, and the error margin is independent of $d$. Our transformation preserves privacy against an active adversary corrupting at most one of the servers and any number of clients. We apply HPI to an improved version
of Poplar, also introduced in this work, that improves Poplar's error margin by roughly a factor of $\sqrt{n}$ (regardless of $d$). Our experiments confirm that the resulting protocol improves efficiency and accuracy for large $d$.



## 2024/2025

* Title: Mira: Efficient Folding for Pairing-based Arguments
* Authors: Josh Beal, Ben Fisch
* [Permalink](https://eprint.iacr.org/2024/2025)
* [Download](https://eprint.iacr.org/2024/2025.pdf)

### Abstract

Pairing-based arguments offer remarkably small proofs and space-efficient provers, but aggregating such proofs remains costly. Groth16 SNARKs and KZG polynomial commitments are prominent examples of this class of arguments. These arguments are widely
deployed in decentralized systems, with millions of proofs generated per day. Recent folding schemes have greatly reduced the cost of proving incremental computations, such as batch proof verification. However, existing constructions require encoding
pairing operations in generic constraint systems, leading to high prover overhead. In this work, we introduce Mira, a folding scheme that directly supports pairing-based arguments. We construct this folding scheme by generalizing the framework in
Protostar to support a broader class of special-sound protocols. We demonstrate the versatility and efficiency of this framework through two key applications: Groth16 proof aggregation and verifiable ML inference. Mira achieves 5.8x faster prover time
and 9.7x lower memory usage than the state-of-the-art proof aggregation system while maintaining a constant-size proof. To improve the efficiency of verifiable ML inference, we provide a new lincheck protocol with a verifier degree that is independent of
the matrix order. We show that Mira scales effectively to larger models, overcoming the memory bottlenecks of current schemes.



## 2024/2026

* Title: Orbweaver: Succinct Linear Functional Commitments from Lattices
* Authors: Ben Fisch, Zeyu Liu, Psi Vesely
* [Permalink](https://eprint.iacr.org/2024/2026)
* [Download](https://eprint.iacr.org/2024/2026.pdf)

### Abstract

We present Orbweaver, a plausibly post-quantum functional commitment for linear relations that achieves quasilinear prover time together with $O(\log n)$ proof size and polylogarithmic verifier time. Orbweaver enables evaluation of linear functions on
committed vectors over cyclotomic rings and the integers. It is extractable, preprocessing, non-interactive, structure-preserving, and supports compact public proof aggregation. The security of our scheme is based on the $k$-$R$-ISIS assumption (and its
knowledge counterpart), whereby we require a trusted setup to generate a universal structured reference string. We use Orbweaver to construct succinct univariate and multilinear polynomial commitments.

Concretely, our scheme has smaller proofs than most other succinct post-quantum arguments for large statements. For binary vectors of length $2^{30}$ we achieve $302$KiB linear map evaluation proofs with evaluation binding, and $1$MiB proofs when
extractability is required; for $32$-bit integers these sizes are $494$KiB and $1.6$MiB, respectively.



## 2024/2027

* Title: Impact Tracing: Identifying the Culprit of Misinformation in Encrypted Messaging Systems
* Authors: Zhongming Wang, Tao Xiang, Xiaoguo Li, Biwen Chen, Guomin Yang, Chuan Ma, Robert H. Deng
* [Permalink](https://eprint.iacr.org/2024/2027)
* [Download](https://eprint.iacr.org/2024/2027.pdf)

### Abstract

Encrypted messaging systems obstruct content moderation, although they provide end-to-end security. As a result, misinformation proliferates in these systems, thereby exacerbating online hate and harassment. The paradigm of ``Reporting-then-Tracing"
shows great potential in mitigating the spread of misinformation. For instance, message traceback (CCS'19) traces all the dissemination paths of a message, while source tracing (CCS'21) traces its originator. However, message traceback lacks privacy
preservation for non-influential users (e.g., users who only receive the message once), while source tracing maintains privacy but only provides limited traceability.

In this paper, we initiate the study of impact tracing. Intuitively, impact tracing traces influential spreaders central to disseminating misinformation while providing privacy protection for non-influential users. We introduce noises to hide non-
influential users and demonstrate that these noises do not hinder the identification of influential spreaders. Then, we formally prove our scheme's security and show it achieves differential privacy protection for non-influential users. Additionally, we
define three metrics to evaluate its traceability, correctness, and privacy using real-world datasets. The experimental results show that our scheme identifies the most influential spreaders with accuracy from 82% to 99% as the amount of noise varies.
Meanwhile, our scheme requires only a 6-byte platform storage overhead for each message while maintaining a low messaging latency (< 0.25ms).



## 2024/2028

* Title: Qubit Optimized Quantum Implementation of SLIM
* Authors: Hasan Ozgur Cildiroglu, Oguz Yayla
* [Permalink](https://eprint.iacr.org/2024/2028)
* [Download](https://eprint.iacr.org/2024/2028.pdf)

### Abstract

The advent of quantum computing has profound implications for current technologies, offering advancements in optimization while posing significant threats to cryptographic algorithms. Public-key cryptosystems relying on prime factorization or discrete
logarithms are particularly vulnerable, whereas block ciphers (BCs) remain secure through increased key lengths. In this study, we introduce a novel quantum implementation of SLIM, a lightweight block cipher optimized for 32-bit plaintext and an 80-bit
key, based on a Feistel structure. This implementation distinguishes itself from other BC quantum implementations in its class (64–128-bit) by utilizing a minimal number of qubits while maintaining robust cryptographic strength and efficiency. By
employing an innovative design that minimizes qubit usage, this work highlights SLIM’s potential as a resource-efficient and secure candidate for quantum-resistant encryption protocols.



## 2024/2029

* Title: NLAT: the NonLinear Distribution Table of Vectorial Boolean Mappings
* Authors: Jorge Nakahara Jr
* [Permalink](https://eprint.iacr.org/2024/2029)
* [Download](https://eprint.iacr.org/2024/2029.pdf)

### Abstract

This paper studies an extension of the Linear Approximation Table (LAT) of vectorial Boolean mappings (also known as Substitution boxes) used in Linear Cryptanalysis (LC). This extended table is called NonLinear Approximation Table (NLAT).



## 2024/2030

* Title: Security Analysis of ASCON Cipher under Persistent Faults
* Authors: Madhurima Das, Bodhisatwa Mazumdar
* [Permalink](https://eprint.iacr.org/2024/2030)
* [Download](https://eprint.iacr.org/2024/2030.pdf)

### Abstract

This work investigates persistent fault analysis on ASCON
cipher that has been recently standardized by NIST USA for lightweight cryptography applications. In persistent fault, the fault once injected
through RowHammer injection techniques, exists in the system during
the entire encryption phase. In this work, we propose a model to mount persistent fault analysis (PFA) on ASCON cipher. In the finalization
round of the ASCON cipher, we identify that the fault-injected S-Box
operation in the permutation round, $p^{12}$, is vulnerable to leaking infor- mation about the secret key. The model can exist in two variants, a single instance of fault-injected S-Box out of 64 parallel S-Box invocations, and
the same faulty S-Box iterated 64 times. The attack model demonstrates
that any Spongent construction operating with authenticated encryption
with associated data (AEAD) mode is vulnerable to persistent faults. In
this work, we demonstrate the scenario of a single fault wherein the fault, once injected is persistent until the device is powered off. Using the pro- posed method, we successfully retrieve the 128-bit key in ASCON. Our experiments show that the minimum number and the maximum num-
ber of queries required are 63 plaintexts and 451 plaintexts, respectively. Moreover, we observe that the number of queries required to mount the
attack depends on fault location in the S-box LUT as observed from the
plots reporting the minimum number of queries and average number of
queries for 100 key values.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)