## In this issue

1. [2024/875] Succinctly-Committing Authenticated Encryption
2. [2024/1179] Inner Product Ring LWE Problem, Reduction, New ...
3. [2024/1180] Fast computation of 2-isogenies in dimension 4 and ...
4. [2024/1181] AQQUA: Augmenting Quisquis with Auditability
5. [2024/1182] Hyperion: Transparent End-to-End Verifiable Voting ...
6. [2024/1183] Updatable Private Set Intersection from Structured ...
7. [2024/1184] Sanitizable and Accountable Endorsement for Dynamic ...
8. [2024/1185] Erebor and Durian: Full Anonymous Ring Signatures ...
9. [2024/1186] MATTER: A Wide-Block Tweakable Block Cipher
10. [2024/1187] STORM — Small Table Oriented Redundancy-based SCA ...
11. [2024/1188] Lightweight Dynamic Linear Components for Symmetric ...
12. [2024/1189] The Espresso Sequencing Network: HotShot Consensus, ...
13. [2024/1190] Efficient Two-Party Secure Aggregation via ...
14. [2024/1191] A note on ``a novel authentication protocol for ...
15. [2024/1192] Towards ML-KEM & ML-DSA on OpenTitan
16. [2024/1193] The syzygy distinguisher
17. [2024/1194] Hardware Implementation and Security Analysis of ...
18. [2024/1195] Efficient Implementation of Super-optimal Pairings ...
19. [2024/1196] Client-Aided Privacy-Preserving Machine Learning
20. [2024/1197] Optimizing Rectangle and Boomerang Attacks: A ...
21. [2024/1198] ECO-CRYSTALS: Efficient Cryptography CRYSTALS on ...
22. [2024/1199] On degrees of carry and Scholz's conjecture
23. [2024/1200] Depth-Aware Arithmetization of Common Primitives in ...
24. [2024/1201] Designing a General-Purpose 8-bit (T)FHE Processor ...
25. [2024/1202] Prover - Toward More Efficient Formal Verification ...
26. [2024/1203] Preservation of Speculative Constant-time by ...
27. [2024/1204] A fast heuristic for mapping Boolean circuits to ...
28. [2024/1205] Analysis of One Scheme for User Authentication and ...
29. [2024/1206] Applying Post-Quantum Cryptography Algorithms to a ...
30. [2024/1207] What Have SNARGs Ever Done for FHE?
31. [2024/1208] Hᴇᴋᴀᴛᴏɴ: Horizontally-Scalable zkSNARKs via Proof ...
32. [2024/1209] Collaborative CP-NIZKs: Modular, Composable Proofs ...

## 2024/875

* Title: Succinctly-Committing Authenticated Encryption
* Authors: Mihir Bellare, Viet Tung Hoang
* [Permalink](https://eprint.iacr.org/2024/875)
* [Download](https://eprint.iacr.org/2024/875.pdf)

### Abstract

Recent attacks and applications have led to the need for symmetric encryption schemes that, in addition to providing the usual authenticity and privacy, are also committing. In response, many committing authenticated encryption schemes have been proposed.
However, all known schemes, in order to provide s bits of committing security, suffer an expansion---this is the length of the ciphertext minus the length of the plaintext---of 2s bits. This incurs a cost in bandwidth or storage. (We typically want s=
128, leading to 256-bit expansion.) However, it has been considered unavoidable due to birthday attacks. We show how to bypass this limitation. We give authenticated encryption (AE) schemes that provide s bits of committing security, yet suffer expansion
only around s as long as messages are long enough, namely more than s bits. We call such schemes succinct. We do this via a generic, ciphertext-shortening transform called SC: given an AE scheme with 2s-bit expansion, SC returns an AE scheme with s-bit
expansion while preserving committing security. SC is very efficient; an AES-based instantiation has overhead just two AES calls. As a tool, SC uses a collision-resistant invertible PRF called HtM, that we design, and whose analysis is technically
difficult. To add the committing security that SC assumes to a base scheme, we also give a transform CTY that improves Chan and Rogaway's CTX. Our results hold in a general framework for authenticated encryption, called AE3, that includes both AE1 (also
called AEAD) and AE2 (also called nonce-hiding AE) as special cases, so that we in particular obtain succinctly-committing AE schemes for both these settings.



## 2024/1179

* Title: Inner Product Ring LWE Problem, Reduction, New Trapdoor Algorithm for Inner Product Ring LWE Problem and Ring SIS Problem
* Authors: Zhuang Shan, Leyou Zhang, Qing Wu, Qiqi Lai
* [Permalink](https://eprint.iacr.org/2024/1179)
* [Download](https://eprint.iacr.org/2024/1179.pdf)

### Abstract

Lattice cryptography is currently a major research focus in public-key encryption, renowned for its ability to resist quantum attacks. The introduction of ideal lattices (ring lattices) has elevated the theoretical framework of lattice cryptography.
Ideal lattice cryptography, compared to classical lattice cryptography, achieves more acceptable operational efficiency through fast Fourier transforms. However, to date, issues of impracticality or insecurity persist in ideal lattice problems. In order
to provide a reasonable and secure trapdoor algorithm, this paper introduces the concept of "Inner Product Ring LWE" and establishes its quantum resistance and indistinguishability using knowledge of time complexity, fixed-point theory, and statistical
distances. Inner product Ring LWE is easier to construct trapdoor algorithms compared to Ring LWE. Additionally, leveraging the properties of NTRU, we propose a more secure Ring SIS trapdoor algorithm.



## 2024/1180

* Title: Fast computation of 2-isogenies in dimension 4 and cryptographic applications
* Authors: Pierrick Dartois
* [Permalink](https://eprint.iacr.org/2024/1180)
* [Download](https://eprint.iacr.org/2024/1180.pdf)

### Abstract

Dimension 4 isogenies have first been introduced in cryptography for the cryptanalysis of Supersingular Isogeny Diffie-Hellman (SIDH) and have been used constructively in several schemes, including SQIsignHD, a derivative of SQIsign isogeny based
signature scheme. Unlike in dimensions 2 and 3, we can no longer rely on the Jacobian model and its derivatives to compute isogenies. In dimension 4 (and higher), we can only use theta-models. Previous works by Romain Cosset, David Lubicz and Damien
Robert have focused on the computation of $\ell$-isogenies in theta-models of level $n$ coprime to $\ell$ (which requires to use $n^g$ coordinates in dimension $g$). For cryptographic applications, we need to compute chains of $2$-isogenies, requiring to
use $\geq 3^g$ coordinates in dimension $g$ with state of the art algorithms.

In this paper, we present algorithms to compute chains of $2$-isogenies between abelian varieties of dimension $g\geq 1$ with theta-coordinates of level $n=2$, generalizing a previous work by Pierrick Dartois, Luciano Maino, Giacomo Pope and Damien
Robert in dimension $g=2$. We propose an implementation of these algorithms in dimension $g=4$ to compute endomorphisms of elliptic curve products derived from Kani's lemma with applications to SQIsignHD and SIDH cryptanalysis. We are now able to run a
complete key recovery attack on SIDH when the endomorphism ring of the starting curve is unknown within a few seconds on a laptop for all NIST SIKE parameters.



## 2024/1181

* Title: AQQUA: Augmenting Quisquis with Auditability
* Authors: George Papadoulis, Danai Balla, Panagiotis Grontas, Aris Pagourtzis * [Permalink](https://eprint.iacr.org/2024/1181)
* [Download](https://eprint.iacr.org/2024/1181.pdf)

### Abstract

We propose AQQUA: a digital payment system that combines auditability and privacy. AQQUA extends Quisquis by adding two authorities; one for registration and one for auditing. These authorities do not intervene in the everyday transaction processing; as
a consequence, the decentralized nature of the cryptocurrency is not disturbed. Our construction is account-based. An account consists of an updatable public key which functions as a cryptographically unlinkable pseudonym, and of commitments to the
balance, the total amount of coins spent, and the total amount of coins received. In order to participate in the system a user creates an initial account with the registration authority. To protect their privacy, whenever the user wants to transact they
create unlinkable new accounts by updating their public key and the total number of accounts they own (maintained in committed form). The audit authority may request an audit at will. The user must prove in zero-knowledge that all their accounts are
compliant to specific policies. We formally define a security model capturing the properties that a private and auditable digital payment system should possess and we analyze the security of AQQUA under this model.



## 2024/1182

* Title: Hyperion: Transparent End-to-End Verifiable Voting with Coercion Mitigation
* Authors: Aditya Damodaran, Simon Rastikian, Peter B. Rønne, Peter Y A Ryan
* [Permalink](https://eprint.iacr.org/2024/1182)
* [Download](https://eprint.iacr.org/2024/1182.pdf)

### Abstract

We present Hyperion, an end-to-end verifiable e-voting scheme that allows the voters to identify their votes in cleartext in the final tally. In contrast to schemes like Selene or sElect, identification is not via (private) tracker numbers but via
cryptographic commitment terms. After publishing the tally, the Election Authority provides each voter with an individual dual key. Voters identify their votes by raising their dual key to their secret trapdoor key and finding the matching commitment
term in the tally.
The dual keys are self-certifying in that, without the voter's trapdoor key, it is intractable to forge a dual key that, when raised to the trapdoor key, will match an alternative commitment. On the other hand, a voter can use their own trapdoor key to
forge a dual key to fool any would-be coercer.
Additionally, we propose a variant of Hyperion that counters the tracker collision threat present in Selene. We introduce individual verifiable views: each voter gets their own independently shuffled view of the master Bulletin Board.
We provide new improved definitions of privacy and verifiability for e-voting schemes and prove the scheme secure against these, as well as proving security with respect to earlier definitions in the literature.
Finally, we provide a prototype implementation and provide measurements which demonstrate that our scheme is practical for large scale elections.



## 2024/1183

* Title: Updatable Private Set Intersection from Structured Encryption
* Authors: Archita Agarwal, David Cash, Marilyn George, Seny Kamara, Tarik Moataz, Jaspal Singh
* [Permalink](https://eprint.iacr.org/2024/1183)
* [Download](https://eprint.iacr.org/2024/1183.pdf)

### Abstract

Many efficient custom protocols have been developed for two-party private set intersection (PSI), that allow the parties to learn the intersection of their private sets. However, these approaches do not yield efficient solutions in the dynamic setting
when the parties’ sets evolve and the intersection has to be computed repeatedly. In this work we propose a new framework for this problem of updatable PSI — with elements being inserted and deleted — in the semihonest model based on structured
encryption. The framework reduces the problem of updatable PSI to a new variant of structured encryption (StE) for an updatable set datatype, which may be of independent interest. Our final construction is a constant round protocol with worst-case
communication and computation complexity that grows linearly in the size of the updates and only poly-logarithmically with the size of the accumulated sets. Our protocol is the first to support arbitrary inserts and deletes for updatable PSI.



## 2024/1184

* Title: Sanitizable and Accountable Endorsement for Dynamic Transactions in Fabric
* Authors: Zhaoman Liu, Jianting Ning, Huiying Hou, Yunlei Zhao
* [Permalink](https://eprint.iacr.org/2024/1184)
* [Download](https://eprint.iacr.org/2024/1184.pdf)

### Abstract

Hyperledger Fabric, an open-source, enterprise-grade consortium platform, employs an endorsement policy wherein a set of endorsers signs transaction proposals from clients to confirm their authenticity. The signatures from endorsers constitute the core
component of endorsement. However, when dealing with dynamic transactions with high timeliness and frequent updates (e.g., stock trading, real-time ad delivery, news reporting, etc.), the current endorsement process somewhat slows down the transaction
execution. Meanwhile, handling these continuously updated transactions consumes significant resources from endorsers, thereby constraining overall application efficiency.

To address these issues, this paper devises a novel sanitizable and accountable endorsement scheme by proposing a sanitizable multi-signature (SMS) as the theoretical tool. Specifically, we introduce the novel concept of sanitizable multi-signature and
detail its instantiation. SMS combines the advantages of multi-signature and sanitizable signature, maintaining the compactness of the signature while allowing the sanitizer to adjust the initial endorsement result to fit the updated transaction content
without interacting with the endorsers, so that both the authenticity and timeliness of transactions can be ensured. Additionally, SMS incorporates an innovative accountability mechanism to trace instances of improper data updates, thereby enhancing the
security and reliability of the endorsement process.

We demonstrate the security of the proposed scheme through rigorous security analysis. Performance evaluations show that SMS can significantly reduce verification overhead and transaction size compared to the default ECDSA scheme in Fabric. Specifically,
when verifying multiple endorsers' endorsements, our scheme exhibits a storage space reduction by approximately 30%-40% and a verification time reduction ranging from 9.2% to nearly 26.3%.



## 2024/1185

* Title: Erebor and Durian: Full Anonymous Ring Signatures from Quaternions and Isogenies
* Authors: Giacomo Borin, Yi-Fu Lai, Antonin Leroux
* [Permalink](https://eprint.iacr.org/2024/1185)
* [Download](https://eprint.iacr.org/2024/1185.pdf)

### Abstract

We construct two efficient post-quantum ring signatures with anonymity against full key exposure from isogenies, addressing limitations of existing isogeny-based ring signatures.
First, we present an efficient concrete distinguisher for the SQIsign simulator when the signing key is provided using one transcript. This shows that turning SQIsign into an efficient full anonymous ring signature requires some new ideas.
Second, we propose a variant of SQIsign that is resistant to the distinguisher attack with only a $\times 1.33$ increase in size and we render it to a ring signature, that we refer as $\mathsf{Erebor}$. This variant introduces a new zero-knowledge
assumption that ensures full anonymity. The efficiency of $\mathsf{Erebor}$ remains comparable to that of SQIsign, with only a proportional increase due to the ring size. This results in a signature size of $0.68 \mathsf{KB}$ for 4 users and $1.35 \
mathsf{KB}$ for 8 users, making it the most compact post-quantum ring signature for up to 31 users.
Third, we revisit the GPS signature scheme (Asiacrypt'17), developing efficient subroutines to make the scheme more efficient and significantly reduce the resulting signature size. By integrating our scheme with the paradigm by Beullens, Katsumata, and
Pintore (Asiacrypt'20), we achieve an efficient logarithmic ring signature, that we call $\mathsf{Durian}$, resulting in a signature size of $9.87 \mathsf{KB}$ for a ring of size 1024.



## 2024/1186

* Title: MATTER: A Wide-Block Tweakable Block Cipher
* Authors: Roberto Avanzi, Orr Dunkelman, Kazuhiko Minematsu
* [Permalink](https://eprint.iacr.org/2024/1186)
* [Download](https://eprint.iacr.org/2024/1186.pdf)

### Abstract

In this note, we introduce the MATTER Tweakable Block Cipher, designed principally for low latency in low-area hardware implementations, but that can also be implemented in an efficient and compact way in software.

MATTER is a 512-bit wide balanced Feistel network with three to six rounds, using the ASCON permutation as the round function.
The Feistel network defines a keyed, non-tweakable core, which is made tweakable by using the encryption of the tweak as its key.
Key and tweak are 320-bit inputs.

MATTER is particularly suitable for use in an OCB-like mode of operation, with an encrypted checksum for authentication.



## 2024/1187

* Title: STORM — Small Table Oriented Redundancy-based SCA Mitigation for AES * Authors: Yaacov Belenky, Hennadii Chernyshchyk, Oleg Karavaev, Oleh Maksymenko, Valery Teper, Daria Ryzhkova, Itamar Levi, Osnat Keren, Yury Kreimer
* [Permalink](https://eprint.iacr.org/2024/1187)
* [Download](https://eprint.iacr.org/2024/1187.pdf)

### Abstract

Side-channel-analysis (SCA) resistance with cost optimization in AES hardware implementations remains a significant challenge. While traditional masking-based schemes offer provable security, they often incur substantial resource overheads (latency, area,
randomness, performance, power consumption). Alternatively, the RAMBAM scheme introduced a redundancy-based approach to control the signal-to-noise ratio, and achieves exponential leakage reduction as redundancy increases. This method results in only a
slight increase in area and in power consumption, and a significant decrease in the amount of randomness needed, without any increase in latency. However, it lacks a formal security proof.

In this study, we introduce a scheme, denoted STORM, that synergizes RAMBAM's methodology with the utilization of look-up-tables (LUTs) in memory (ROM/RAM) in a redundant domain. STORM, like RAMBAM, is as fast as a typical unprotected implementation and
has the same latency, but has a significantly higher maximal clock frequency than RAMBAM, and consumes less than half the power. RAMBAM and STORM are code-based schemes in the sense that their set of representations is a code in the vector space $GF(2)^{
8+d}$. RAMBAM requires a richer structure of a ring on $GF(2)^{8+d}$ and a ring homomorphism whereas STORM utilizes a simple vector space. In code-based-masking (CBM), as in all masking schemes, non-interference based notions (t-S/NI) are fundamental
for establishing provable security. RAMBAM and STORM diverge from this approach. While CBM employs codes in vector spaces over $GF(2^8)$ for AES protection, RAMBAM and STORM use codes over $GF(2)$ without the need for t-S/NI-gadgets, leaving them both
smaller and more efficient.

Independence in security proofs typically means that in each individual computation (in a clock-cycle), at least one share does not participate. This approach does not work for RAMBAM where several field multiplications are executed sequentially in a
cycle. However, in STORM no multiplications are performed due to its memory based tables, leaving only (independent) bitwise-XORs. Therefore, the reasoning necessary for proving security is different and STORM, unlike RAMBAM, enjoys provable security. We
consider two distinct scenarios, \emph{both with provable security}: (1) STORM1 --- ``leakage-free’’ memory reads, demonstrating (1,1,0)-robustness for LUTs with redundancy 2 in the 1-probe model and for LUTs with redundancy 6 in the 2-probe model,
and (2) STORM2 --- leaky memory reads, where additional protection mechanisms and a notion of memory-read robustness are introduced.

STORM can be implemented not only in HW, but in SW as well. However, this paper and the proofs in it relate to STORM's HW implementations.



## 2024/1188

* Title: Lightweight Dynamic Linear Components for Symmetric Cryptography
* Authors: S. M. Dehnavi, M. R. Mirzaee Shamsabad
* [Permalink](https://eprint.iacr.org/2024/1188)
* [Download](https://eprint.iacr.org/2024/1188.pdf)

### Abstract

‎In this paper‎, ‎using the concept of equivalence of mappings we characterize all of the one-XOR matrices which are used in hardware applications and propose a family of lightweight linear mappings for software-oriented applications in symmetric
cryptography‎. ‎Then‎, ‎we investigate interleaved linear mappings and based upon this study‎, ‎we present generalized dynamic primitive LFSRs along with dynamic linear components for construction of diffusion layers.
‎From the mathematical viewpoint‎, ‎this paper presents involutive sparse binary matrices as well as sparse binary matrices with sparse inverses‎. ‎Another interesting result of our investigation is that‎, ‎by our characterization of one-
XOR matrices‎, ‎the search space for finding a $k$ such that $x^n+x^k+1$ is a primitive trinomial could be reduced‎.



## 2024/1189

* Title: The Espresso Sequencing Network: HotShot Consensus, Tiramisu Data-Availability, and Builder-Exchange
* Authors: Jeb Bearer, Benedikt Bünz, Philippe Camacho, Binyi Chen, Ellie Davidson, Ben Fisch, Brendon Fish, Gus Gutoski, Fernando Krell, Chengyu Lin, Dahlia Malkhi, Kartik Nayak, Keyao Shen, Alex Xiong, Nathan Yospe
* [Permalink](https://eprint.iacr.org/2024/1189)
* [Download](https://eprint.iacr.org/2024/1189.pdf)

### Abstract

Building a Consensus platform for shared sequencing can power an ecosystem of layer-2 solutions such as rollups which are crucial for scaling blockchains (e.g.,Ethereum). However, it drastically differs from conventional Consensus for blockchains in two
key considerations:
• (No) Execution: A shared sequencing platform is not responsible for pre-validating blocks nor for processing state updates. Therefore, agreement is formed on a sequence of certificates of block data-availability (DA) without persisting them or
obtaining blocks in full. At the same time, the platform must stream block data with very high efficiency to layer-2 entities for execution, or (in the case of rollups) for proof generation.
• Builder-Exchange: A shared sequencing platform delegates to external entities to build blocks and separates it from the role of a consensus proposer. This allows an ecosystem of specialized builders to pre-validate transactions for diversified
rollups, languages, and MEV exploits. However, separating the task of block-building from proposing brings a new challenge. Builders want assurances that their blocks would commit in exchange for revealing their contents, whereas validators/proposers
want assurance that the data in committed blocks will be available and fees paid. Neither one trusts the other, hence the shared sequencing platform should facilitate a “fair-exchange” between builders and the sequencing network. The Espresso
Sequencing Network is purpose-built to address these unique considerations. Among the main novelties of the design are (i) a three-layered DA system called Tiramisu, coupled with (ii) a costless integration of the DA with the platform’s consensus core, and (iii) a Builder-Exchange mechanism between builders and the consensus
core.
Note that this paper relies substantially on and can be seen as an extension of The Espresso Sequencer: HotShot Consensus and Tiramisu Data Availability [84].



## 2024/1190

* Title: Efficient Two-Party Secure Aggregation via Incremental Distributed Point Function
* Authors: Nan Cheng, Aikaterini Mitrokotsa, Feng Zhang, Frank Hartmann
* [Permalink](https://eprint.iacr.org/2024/1190)
* [Download](https://eprint.iacr.org/2024/1190.pdf)

### Abstract

Computing the maximum from a list of secret inputs is a widely-used functionality that is employed ei- ther indirectly as a building block in secure computation frameworks, such as ABY (NDSS’15) or directly used in multiple applications that solve
optimisation problems, such as secure machine learning or secure aggregation statistics. Incremental distributed point function (I-DPF) is a powerful primitive (IEEE S&P’21) that significantly reduces the client- to-server communication and are
employed to efficiently and securely compute aggregation statistics.
In this paper, we investigate whether I-DPF can be used to improve the efficiency of secure two-party computation (2PC) with an emphasis on computing the maximum value and the k-th (with k unknown to the computing parties) ranked value from a list of
secret inputs. Our answer is affir- mative, and we propose novel secure 2PC protocols that use I-DPF as a building block, resulting in significant efficiency gains compared to the state-of-the-art. More precisely, our contributions are: (i) We present
two new secure computa- tion frameworks that efficiently compute secure aggregation statistics bit-wisely or batch-wisely; (ii) we propose novel protocols to compute the maximum value, the k-th ranked value from a list of secret inputs; (iii) we provide
variations of the proposed protocols that can perform batch computations and thus provide further efficiency improvements; and (iv) we provide an extensive performance evaluation for all proposed protocols.
Our protocols have a communication complexity that is independent of the number of secret inputs and linear to the length of the secret input domain. Our experimental re- sults show enhanced efficiency over state-of-the-art solutions, particularly
notable when handling large-scale inputs. For instance, in scenarios involving an input set of five million elements with an input domain size of 31 bits, our protocol ΠMax achieves an 18% reduction in online execution time and a 67% decrease in
communication volume compared to the most efficient existing solution.



## 2024/1191

* Title: A note on ``a novel authentication protocol for IoT-enabled devices'' * Authors: Zhengjun Cao, Lihua Liu
* [Permalink](https://eprint.iacr.org/2024/1191)
* [Download](https://eprint.iacr.org/2024/1191.pdf)

### Abstract

We show that the authentication protocol [IEEE Internet Things J., 2023, 10(1), 867-876] is not correctly specified, because the server cannot complete its computations. To revise, the embedded device needs to compute an extra point multiplication over
the underlying elliptic curve. We also find the protocol cannot provide anonymity, not as claimed. It can only provide pseudonymity.



## 2024/1192

* Title: Towards ML-KEM & ML-DSA on OpenTitan
* Authors: Amin Abdulrahman, Felix Oberhansl, Hoang Nguyen Hien Pham, Jade Philipoom, Peter Schwabe, Tobias Stelzer, Andreas Zankl
* [Permalink](https://eprint.iacr.org/2024/1192)
* [Download](https://eprint.iacr.org/2024/1192.pdf)

### Abstract

This paper presents extensions to the OpenTitan hardware root of trust that aim at enabling high-performance lattice-based cryptography. We start by carefully optimizing ML-KEM and ML-DSA - the two primary algorithms selected by NIST for standardization -
in software targeting the OTBN accelerator. Based on profiling results of these implementations, we propose tightly integrated extensions to OTBN, specifically an interface from OTBN to OpenTitan's Keccak accelerator (KMAC core) and extensions to the
OTBN ISA to support operations on 256-bit vectors. We implement these extensions in hardware and show that we achieve a speedup by a factor between 6 and 9 for different operations and parameter sets of ML-KEM and ML-DSA compared to our baseline
implementation on unmodified OTBN. This speedup is achieved with an increase in cell count of less than 12% in OTBN, which corresponds to an increase of less than 2% for the full Earlgrey OpenTitan core.



## 2024/1193

* Title: The syzygy distinguisher
* Authors: Hugues RANDRIAMBOLOLONA
* [Permalink](https://eprint.iacr.org/2024/1193)
* [Download](https://eprint.iacr.org/2024/1193.pdf)

### Abstract

We present a new distinguisher for alternant and Goppa codes, whose complexity is subexponential in the error-correcting capability, hence better than that of generic decoding algorithms. Moreover it does not suffer from the strong regime limitations of
the previous distinguishers or structure recovery algorithms: in particular, it applies to the codes used in the Classic McEliece candidate for postquantum cryptography standardization. The invariants that allow us to distinguish are graded Betti numbers
of the homogeneous coordinate ring of a shortening of the dual code.

Since its introduction in 1978, this is the first time an analysis of the McEliece cryptosystem breaks the exponential barrier.



## 2024/1194

* Title: Hardware Implementation and Security Analysis of Local-Masked NTT for CRYSTALS-Kyber
* Authors: Rafael Carrera Rodriguez, Emanuele Valea, Florent Bruguier, Pascal Benoit
* [Permalink](https://eprint.iacr.org/2024/1194)
* [Download](https://eprint.iacr.org/2024/1194.pdf)

### Abstract

The rapid evolution of post-quantum cryptography, spurred by standardization efforts such as those led by NIST, has highlighted the prominence of lattice-based cryptography, notably exemplified by CRYSTALS-Kyber. However, concerns persist regarding the
security of cryptographic implementations, particularly in the face of Side-Channel Attacks (SCA). The usage of operations like the Number Theoretic
Transform (NTT) in CRYSTALS-Kyber introduces vulnerabilities to SCA, especially single-trace ones, such as soft-analytical side-channel attacks. To address this threat, Ravi et al. proposed local masking as a countermeasure by randomizing the NTT’s
twiddle factors, but its implementation and security implications require further investigation. This paper presents a hardware implementation of the NTT with local masking, evaluating its performance, area utilization, and security impacts. Additionally,
it analyzes the vulnerabilities inherent in local masking and assesses its practical security effectiveness through non-specific t-tests, showing that there are configurations of local masking that are more prone to leakage than others.



## 2024/1195

* Title: Efficient Implementation of Super-optimal Pairings on Curves with Small Prime Fields at the 192-bit Security Level
* Authors: Jianming Lin, Chang-An Zhao, Yuhao Zheng
* [Permalink](https://eprint.iacr.org/2024/1195)
* [Download](https://eprint.iacr.org/2024/1195.pdf)

### Abstract

For many pairing-based cryptographic protocols such as Direct Anonymous Attestation (DAA) schemes, the arithmetic on the first pairing subgroup $\mathbb{G}_1$ is more fundamental. Such operations heavily depend on the sizes of prime fields. At the 192-
bit security level, Gasnier and Guillevic presented a curve named GG22D7-457 with CM-discriminant $D = 7$ and embedding degree $k = 22$. Compared to other well-known pairing-friendly curves at the same security level, the curve GG22D7-457 has smaller
prime field size and $\rho$-value, which benefits from the fast operations on $\mathbb{G}_1$. However, the pairing computation on GG22D7-457 is not efficient.

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)