## In this issue
1. [2024/1210] More Optimizations to Sum-Check Proving
2. [2024/1211] A Generic Framework for Side-Channel Attacks ...
3. [2024/1212] Efficient Layered Circuit for Verification of SHA3 ...
4. [2024/1213] Bounded-Collusion Streaming Functional Encryption ...
5. [2024/1214] Less Effort, More Success: Efficient Genetic ...
6. [2024/1215] Falsifiability, Composability, and Comparability of ...
7. [2024/1216] Delegatable Anonymous Credentials From Mercurial ...
8. [2024/1217] A Compact and Parallel Swap-Based Shuffler based on ...
9. [2024/1218] A Note on the use of the Double Boomerang ...
10. [2024/1219] Foldable, Recursive Proofs of Isogeny Computation ...
11. [2024/1220] Mova: Nova folding without committing to error terms
12. [2024/1221] Depth Optimized Quantum Circuits for HIGHT and LEA
13. [2024/1222] Quantum Implementation and Analysis of ARIA
14. [2024/1223] A short-list of pairing-friendly curves resistant ...
15. [2024/1224] Generic Construction of Secure Sketches from Groups
16. [2024/1225] SIGNITC: Supersingular Isogeny Graph Non- ...
17. [2024/1226] A Spectral Analysis of Noise: A Comprehensive, ...
18. [2024/1227] ZIPNet: Low-bandwidth anonymous broadcast from ...
19. [2024/1228] Automated Software Vulnerability Static Code ...
20. [2024/1229] Benchmarking Attacks on Learning with Errors
21. [2024/1230] Impossible Boomerang Attacks Revisited: ...
22. [2024/1231] A Constructive View of Homomorphic Encryption and ...
23. [2024/1232] Efficient and Privacy-Preserving Collective Remote ...
24. [2024/1233] Binding Security of Implicitly-Rejecting KEMs and ...
25. [2024/1234] EagleSignV3 : A new secure variant of EagleSign ...
26. [2024/1235] Blue fish, red fish, live fish, dead fish
27. [2024/1236] Optimizing Big Integer Multiplication on Bitcoin: ...
28. [2024/1237] Efficient Variants of TNT with BBB Security
## 2024/1210
* Title: More Optimizations to Sum-Check Proving
* Authors: Quang Dao, Justin Thaler
* [Permalink](
https://eprint.iacr.org/2024/1210)
* [Download](
https://eprint.iacr.org/2024/1210.pdf)
### Abstract
Many fast SNARKs apply the sum-check protocol to an $n$-variate polynomial of the form $g(x) = \text{eq}(w,x) \cdot p(x)$, where $p$ is a product of multilinear polynomials, $w \in \mathbb{F}^n$ is a random vector, and $\text{eq}$ is the multilinear
extension of the equality function.
In this setting, we describe an optimization to the sum-check prover that substantially reduces the cost coming from the $\text{eq}(w, x)$ factor. Our work further improves on a prior optimization by Gruen (ePrint 2023), and in the small-field case, can
be combined with additional optimizations by Bagad, Domb, and Thaler (ePrint 2024), and Dao and Thaler (ePrint 2024).
Over large prime-order fields, our optimization eliminates roughly $2^{n + 1}$ field multiplications compared to a standard linear-time implementation of the prover, and roughly $2^{n-1}$ field multiplications when considered on top of Gruen's
optimization. These savings are about a 25% (respectively 10%) end-to-end prover speedup in common use cases, and potentially even larger when working over binary tower fields.
## 2024/1211
* Title: A Generic Framework for Side-Channel Attacks against LWE-based Cryptosystems
* Authors: Julius Hermelink, Silvan Streit, Erik Mårtensson, Richard Petri
* [Permalink](
https://eprint.iacr.org/2024/1211)
* [Download](
https://eprint.iacr.org/2024/1211.pdf)
### Abstract
Lattice-based cryptography is in the process of being standardized. Several proposals to deal with side-channel information using lattice reduction exist. However, it has been shown that algorithms based on Bayesian updating are often more favorable in
practice.
In this work, we define distribution hints; a type of hint that allows modelling probabilistic information. These hints generalize most previously defined hints and the information obtained in several attacks.
We define two solvers for our hints; one is based on belief propagation and the other one uses a greedy approach. We prove that the latter is a computationally less expensive approximation of the former and that previous algorithms used for specific
attacks may be seen as special cases of our solvers. Thereby, we provide a systematization of previously obtained information and used algorithms in real-world side-channel attacks.
In contrast to lattice-based approaches, our framework is not limited to value leakage. For example, it can deal with noisy Hamming weight leakage or partially incorrect information. Moreover, it improves upon the recovery of the secret key from
approximate hints in the form they arise in real-world attacks.
Our framework has several practical applications: We exemplarily show that a recent attack can be improved; we reduce the number of traces and corresponding ciphertexts and increase the noise resistance. Further, we explain how distribution hints could
be applied in the context of previous attacks and outline a potential new attack.
## 2024/1212
* Title: Efficient Layered Circuit for Verification of SHA3 Merkle Tree
* Authors: Changchang Ding, Zheming Fu
* [Permalink](
https://eprint.iacr.org/2024/1212)
* [Download](
https://eprint.iacr.org/2024/1212.pdf)
### Abstract
We present an efficient layered circuit design for SHA3-256 Merkle tree verification, suitable for a GKR proof system, that achieves logarithmic verification and proof size. We demonstrate how to compute the predicate functions for our circuit in $O(\log
n)$ time to ensure logarithmic verification and provide GKR benchmarks for our circuit.
## 2024/1213
* Title: Bounded-Collusion Streaming Functional Encryption from Minimal Assumptions
* Authors: Kaartik Bhushan, Alexis Korb, Amit Sahai
* [Permalink](
https://eprint.iacr.org/2024/1213)
* [Download](
https://eprint.iacr.org/2024/1213.pdf)
### Abstract
Streaming functional encryption (sFE), recently introduced by Guan, Korb, and Sahai [Crypto 2023], is an extension of functional encryption (FE) tailored for iterative computation on dynamic data streams. Unlike in regular FE, in an sFE scheme, users can
encrypt and compute on the data as soon as it becomes available and in time proportional to just the size of the newly arrived data.
As sFE implies regular FE, all known constructions of sFE and FE for $\mathsf{P/Poly}$ require strong cryptographic assumptions which are powerful enough to build indistinguishability obfuscation. In contrast, bounded-collusion FE, in which the adversary
is restricted to making at most $Q$ function queries for some polynomial $Q$ determined at setup, can be built from the minimal assumptions of public-key encryption (for public-key FE) [Sahai and Seyalioglu, CCS 2010; Gorbunov, Vaikuntanathan, and Wee,
CRYPTO 2012] and secret-key encryption (for secret-key FE)[Ananth, Vaikuntanathan, TCC 2019].
In this paper, we introduce and build bounded-collusion streaming FE for any polynomial bound $Q$ from the same minimal assumptions of public-key encryption (for public-key sFE) and secret-key encryption (for secret-key sFE). Similarly to the original
sFE paper of Guan, Korb, and Sahai, our scheme satisfies semi-adaptive-function-selective security which is similar to standard adaptive indistinguishability-based security except that we require all functions to be queried before any of the challenge
messages.
Along the way, our work also replaces a key ingredient (called $\mathsf{One}\text{-}\mathsf{sFE}$) from the original work of Guan, Korb, and Sahai with a much simpler construction based on garbled circuits.
## 2024/1214
* Title: Less Effort, More Success: Efficient Genetic Algorithm-Based Framework for Side-channel Collision Attacks
* Authors: Jiawei Zhang, Jiangshan Long, Changhai Ou, Kexin Qiao, Fan Zhang, Shi Yan
* [Permalink](
https://eprint.iacr.org/2024/1214)
* [Download](
https://eprint.iacr.org/2024/1214.pdf)
### Abstract
By introducing collision information, the existing side-channel Correlation-Enhanced Collision Attacks (CECAs) performed collision-chain detection, and reduced a given candidate space to a significantly smaller collision-chain space, leading to more
efficient key recovery. However, they are still limited by low collision detection speed and low success rate of key recovery. To address these issues, we first give a Collision Detection framework with Genetic Algorithm (CDGA), which exploits Genetic
Algorithm to detect the collision chains and has a strong capability of global searching. Secondly, we theoretically analyze the performance of CECA, and bound the searching depth of its output candidate
vectors with a confidence level using a rigorous hypothesis test, which is suitable both for Gaussian and non-Gaussian leakages. This facilitates the
initialization of the population.
Thirdly, we design an innovative goal-directed mutation method to randomly select new gene values for replacement, thus improving efficiency and adaptability of the CDGA. Finally, to optimize the evolutionary of CDGA,
we introduce roulette selection strategy to employ a probability assignment based on individual fitness values to guarantee the preferential selection of superior genes. A single-point crossover strategy is also used to introduce novel gene segments
into the chromosomes, thus enhancing the genetic diversity of the population. Experiments verify the superiority of our CDGA.
## 2024/1215
* Title: Falsifiability, Composability, and Comparability of Game-based Security Models for Key Exchange Protocols
* Authors: Chris Brzuska, Cas Cremers, Håkon Jacobsen, Douglas Stebila, Bogdan Warinschi
* [Permalink](
https://eprint.iacr.org/2024/1215)
* [Download](
https://eprint.iacr.org/2024/1215.pdf)
### Abstract
A security proof for a key exchange protocol requires writing down a security definition. Authors typically have a clear idea of the level of security they aim to achieve. Defining the model formally additionally requires making choices on games vs.
simulation-based models, partnering, on having one or more Test queries and on adopting a style of avoiding trivial attacks: exclusion, penalizing or filtering. We elucidate the consequences, advantages and disadvantages of the different possible model
choices. Concretely, we show that a model with multiple Test queries composes tightly with symmetric-key protocols while models with a single Test query require a hybrid argument that loses a factor in the number of sessions. To illustrate the usefulness
of models with multiple Test queries, we prove the Naxos protocol security in said model and obtain a tighter bound than adding a hybrid argument on top of a proof in a single Test query model.
Our composition model exposes partnering information to the adversary, circumventing a previous result by Brzuska, Fischlin, Warinschi, and Williams (CCS 2011) showing that the protocol needs to provide public partnering. Moreover, our baseline theorem
of key exchange partnering shows that partnering by key equality provides a joint baseline for most known partnering mechanisms, countering previous criticism by Li and Schäge (CCS 2017) that security in models with existential quantification over
session identifiers is non-falsifiable.
## 2024/1216
* Title: Delegatable Anonymous Credentials From Mercurial Signatures With Stronger Privacy
* Authors: Scott Griffy, Anna Lysyanskaya, Omid Mir, Octavio Perez Kempner, Daniel Slamanig
* [Permalink](
https://eprint.iacr.org/2024/1216)
* [Download](
https://eprint.iacr.org/2024/1216.pdf)
### Abstract
Delegatable anonymous credentials (DACs) are anonymous credentials that allow a root issuer to delegate their credential-issuing power to secondary issuers who, in turn, can delegate further. This delegation, as well as credential showing, is carried out in a privacy-preserving manner, so that credential recipients and verifiers learn nothing about the issuers on the delegation chain. One particularly efficient approach to constructing DACs is due to Crites and Lysyanskaya (CT-RSA'19), based on mercurial signatures, which is a type of equivalence-class signatures. In contrast to previous approaches, this design is conceptually simple and does not require extensive use of non-interactive zero-knowledge proofs. Unfortunately, the ``CL-type'' DAC schemes proposed so far have a privacy limitation: if an adversarial issuer (even an honest-but-curious one) was part of an honest user's delegation chain, the adversary will be able to detect this fact (and identify the specific adversarial issuer) when an honest user shows its credential. This is because underlying mercurial signature schemes allow the owner of a secret key to detect when his key was used in a delegation chain.
In this paper we show that it is possible to construct CL-type DACs that does not suffer from this privacy issue. We give a new mercurial signature scheme that provides adversarial public key class hiding; i.e. even if an adversarial signer participated in the delegation chain, the adversary won't be able to identify this fact. This is achieved by introducing structured public parameters which for each delegation level, enabling strong privacy features in DAC. Since the setup of these parameters also produces trapdoors that are problematic in privacy applications, we show how to overcome this problem by using techniques from updatable structured reference string in zero-knowledge proof systems (Groth et al. CRYPTO'18).
In addition, we propose a simple way to realize revocation for CL-type DACs via the concept of revocation tokens. While we showcase this approach to revocation using our DAC scheme, it is generic and can be applied to any CL-type DAC system. Revocation is a feature that is largely unexplored and notoriously hard to achieve for DACs. However as it is a vital feature for any anonymous credential system, this can help to make DAC schemes more attractive for practical applications.
## 2024/1217
* Title: A Compact and Parallel Swap-Based Shuffler based on butterfly Network and its complexity against Side Channel Analysis
* Authors: Jong-Yeon Park, Wonil Lee, Bo Gyeong Kang, Il-jong Song, Jaekeun Oh, Kouichi Sakurai
* [Permalink](
https://eprint.iacr.org/2024/1217)
* [Download](
https://eprint.iacr.org/2024/1217.pdf)
### Abstract
A prominent countermeasure against side channel attacks, the hiding countermeasure, typically involves shuffling operations using a permutation algorithm. Especially in the era of Post-Quantum Cryptography, the importance of the hiding coun- termeasure
is emphasized due to computational characteristics like those of lattice and code-based cryptography. In this context, swiftly and securely generating permutations has a critical impact on an algorithm’s security and efficiency. The widely adopted
Fisher-Yates shuffle, because of its high security and ease of implementation, is prevalent. However, it has a limitation of complexity O(𝑁) due to its sequential nature. In response, we propose a time-area trade-off swap algorithm, FSS, based on the
Butterfly Network with only log(𝑁) depth, log(𝑁) works and O(1) operation time in parallel. We will calculate the maximum gain that an attacker can achieve through butterfly operations with only log(𝑁) depth from side channel analysis
perspective. In particular, we will show that it is possible to derive a generalized formula of the attack complexity with higher-order side channel attacks for arbitrary input sizes through a fractal structure of the butterfly network. Furthermore, our
research highlights the possibility of generating efficient and secure permutations utilizing a minimal amount of randomness.
## 2024/1218
* Title: A Note on the use of the Double Boomerang Connectivity Table (DBCT) for Spotting Impossibilities
* Authors: Xavier Bonnetain, Virginie Lallemand
* [Permalink](
https://eprint.iacr.org/2024/1218)
* [Download](
https://eprint.iacr.org/2024/1218.pdf)
### Abstract
In this short note we examine one of the impossible boomerang distinguishers of Skinny-128-384 provided by Zhang, Wang and Tang at ToSC 2024 Issue 2 and disprove it.
The issue arises from the use of the Double Boomerang Connectivity Table (DBCT) as a tool to establish that a boomerang switch over 2 rounds has probability zero, whereas the DBCT only covers specific cases of difference propagation, missing a large set
of events that might make the connection possible.
We study in details the specific instance provided by Zhang et al. and display one example of a returning quartet that contradicts the impossibility.
## 2024/1219
* Title: Foldable, Recursive Proofs of Isogeny Computation with Reduced Time Complexity
* Authors: Krystal Maughan, Joseph Near, Christelle Vincent
* [Permalink](
https://eprint.iacr.org/2024/1219)
* [Download](
https://eprint.iacr.org/2024/1219.pdf)
### Abstract
The security of certain post-quantum isogeny-based cryptographic schemes relies on the ability to provably and efficiently compute isogenies between supersingular elliptic curves without leaking information about the isogeny other than its domain and
codomain. Earlier work in this direction give mathematical proofs of knowledge for the isogeny, and as a result when computing a chain of $n$ isogenies each proceeding node must verify the correctness of the proof of each preceding node, which is
computationally linear in $n$.
In this work, we empirically build a system to prove the execution of the circuit computing the isogeny rather than produce a proof of knowledge. This proof can then be used as part of the verifiable folding scheme Nova, which reduces the complexity of
an isogeny proof of computation for a chain of $n$ isogenies from $O(n)$ to $O(1)$ by providing at each step a single proof that proves the whole preceding chain. To our knowledge, this is the first application of this type of solution to this problem.
## 2024/1220
* Title: Mova: Nova folding without committing to error terms
* Authors: Nikolaos Dimitriou, Albert Garreta, Ignacio Manzur, Ilia Vlasov
* [Permalink](
https://eprint.iacr.org/2024/1220)
* [Download](
https://eprint.iacr.org/2024/1220.pdf)
### Abstract
We present Mova, a folding scheme for R1CS instances that does not require committing to error or cross terms, nor makes use of the sumcheck protocol. For reasonable parameter choices, Mova's Prover is about $5$ to $10$ times faster than Nova's Prover,
and about $1.5$ times faster than Hypernova's Prover (applied to R1CS instances), assuming the R1CS witness vector contains only small elements. Mova's Verifier has a similar cost as Hypernova's Verifier, but Mova has the advantage of having only $4$
rounds of communication, while Hypernova has a logarithmic number of rounds.
Mova, which is based on the Nova folding scheme, manages to avoid committing to Nova's so-called error term $\mathbf{E}$ and cross term $\mathbf{T}$ by replacing said commitments with evaluations of the Multilinear Extension (MLE) of $\mathbf{E}$ and $\
mathbf{T}$ at a random point sampled by the Verifier. A key observation used in Mova's soundness proofs is that $\mathbf{E}$ is implicitly committed by a commitment to the input-witness vector $\mathbf{Z}$, since $\mathbf{E}=(A\cdot\mathbf{Z})\circ (B\
cdot\mathbf{Z}) -u (C\cdot \mathbf{Z})$.
## 2024/1221
* Title: Depth Optimized Quantum Circuits for HIGHT and LEA
* Authors: Kyungbae Jang, Yujin Oh, Minwoo Lee, Dukyoung Kim, Hwajeong Seo
* [Permalink](
https://eprint.iacr.org/2024/1221)
* [Download](
https://eprint.iacr.org/2024/1221.pdf)
### Abstract
Quantum computers can model and solve several problems that have posed challenges for classical super computers, leveraging their natural quantum mechanical characteristics. A large-scale quantum computer is poised to significantly reduce security
strength in cryptography. In this context, extensive research has been conducted on quantum cryptanalysis. In this paper, we present optimized quantum circuits for Korean block ciphers, HIGHT and LEA. Our quantum circuits for HIGHT and LEA demonstrate
the lowest circuit depth compared to previous results. Specifically, we achieve depth reductions of 48% and 74% for HIGHT and LEA, respectively. We employ multiple novel techniques that effectively reduce the quantum circuit depth with a reasonable
increase in qubit count. Based on our depth-optimized quantum circuits for HIGHT and LEA block ciphers, we estimate the lowest quantum attack complexity for Grover’s key search. Our quantum circuit can be utilized for other quantum algorithms, not only
for Grover’s algorithm. Furthermore, the optimization methods gathered in this work can be adopted for generic quantum implementations in cryptography.
## 2024/1222
* Title: Quantum Implementation and Analysis of ARIA
* Authors: Yujin Oh, Kyungbae Jang, Yujin Yang, Hwajeong Seo
* [Permalink](
https://eprint.iacr.org/2024/1222)
* [Download](
https://eprint.iacr.org/2024/1222.pdf)
### Abstract
The progression of quantum computing is considered a potential threat to traditional cryptography system, highlighting the significance of post-quantum security in cryptographic systems. Regarding symmetric key encryption, the Grover algorithm can
approximately halve the search complexity. Despite the absence of fully operational quantum computers at present, the necessity of assessing the security of symmetric key encryption against quantum computing continues to grow. In this paper, we implement
the ARIA block cipher in a quantum circuit and compare it with previous research. Our implementation of the ARIA quantum circuit achieves over 92.5% improvement in full depth and over 98.7% improvement in Toffoli depth compared to the implementation
proposed in Chauhan et al. Compared to Yang et al.’s implementation, our implementation is improved the full depth by 36.7% and the number of qubits by 8%. Additionally, we analyze the complexity of Grover’s search attack and compare it with NIST
criteria. We confirm that ARIA achieves quantum security level 1, 3, and 5 (ARIA-128, 192, and 256, respectively).
## 2024/1223
* Title: A short-list of pairing-friendly curves resistant to the Special TNFS algorithm at the 192-bit security level
* Authors: Diego F. Aranha, Georgios Fotiadis, Aurore Guillevic
* [Permalink](
https://eprint.iacr.org/2024/1223)
* [Download](
https://eprint.iacr.org/2024/1223.pdf)
### Abstract
For more than two decades, pairings have been a fundamental tool for designing elegant cryptosystems, varying from digital signature schemes to more complex privacy-preserving constructions. However, the advancement of quantum computing threatens to
undermine public-key cryptography. Concretely, it is widely accepted that a future large-scale quantum computer would be capable to break any public-key cryptosystem used today, rendering today's public-key cryptography obsolete and mandating the
transition to quantum-safe cryptographic solutions. This necessity is enforced by numerous recognized government bodies around the world, including NIST which initiated the first open competition in standardizing post-quantum (PQ) cryptographic schemes,
focusing primarily on digital signatures and key encapsulation/public-key encryption schemes. Despite the current efforts in standardizing PQ primitives, the landscape of complex, privacy-preserving cryptographic protocols, e.g., zkSNARKs/zkSTARKs, is at
an early stage. Existing solutions suffer from various disadvantages in terms of efficiency and compactness and in addition, they need to undergo the required scrutiny to gain the necessary trust in the academic and industrial domains. Therefore, it is
believed that the migration to purely quantum-safe cryptography would require an intermediate step where current classically secure protocols and quantum-safe solutions will co-exist. This is enforced by the report of the Commercial National Security
Algorithm Suite version 2.0, mandating transition to quantum-safe cryptographic algorithms by 2033 and suggesting to incorporate ECC at 192-bit security in the meantime. To this end, the present paper aims at providing a comprehensive study on pairings
at 192-bit security level. We start with an exhaustive review in the literature to search for all possible recommendations of such pairing constructions, from which we extract the most promising candidates in terms of efficiency and security, with
respect to the advanced Special TNFS attacks. Our analysis is focused, not only on the pairing computation itself, but on additional operations that are relevant in pairing-based applications, such as hashing to pairing groups, cofactor clearing and
subgroup membership testing. We implement all functionalities of the most promising candidates within the RELIC cryptographic toolkit in order to identify the most efficient pairing implementation at 192-bit security and provide extensive experimental
results.
## 2024/1224
* Title: Generic Construction of Secure Sketches from Groups
* Authors: Axel Durbet, Koray Karabina, Kevin Thiry-Atighehchi
* [Permalink](
https://eprint.iacr.org/2024/1224)
* [Download](
https://eprint.iacr.org/2024/1224.pdf)
### Abstract
Secure sketches are designed to facilitate the recovery of originally enrolled data from inputs that may vary slightly over time. This capability is important in applications where data consistency cannot be guaranteed due to natural variations, such as
in biometric systems and hardware security. Traditionally, secure sketches are constructed using error-correcting codes to handle these variations effectively. Additionally, principles of information theory ensure the security of these sketches by
managing the trade-off between data recoverability and confidentiality. In this paper, we show how to construct a new family of secure sketches generically from groups. The notion of groups with unique factorization property is first introduced, which is
of independent interest and serves as a building block for our secure sketch construction. Next, an in-depth study of the underlying mathematical structures is provided, and some computational and decisional hardness assumptions are defined. As a result,
it is argued that our secure sketches are efficient; can handle a linear fraction of errors with respect to the norm 1 distance; and that they are reusable and irreversible. To our knowledge, such generic group-based secure sketch construction is the
first of its kind, and it offers a viable alternative to the currently known secure sketches.
## 2024/1225
* Title: SIGNITC: Supersingular Isogeny Graph Non-Interactive Timed Commitments * Authors: Knud Ahrens
* [Permalink](
https://eprint.iacr.org/2024/1225)
* [Download](
https://eprint.iacr.org/2024/1225.pdf)
### Abstract
Non-Interactive Timed Commitment schemes (NITC) allow to open any commitment after a specified delay $t_{\mathrm{fd}}$ . This is useful for sealed bid auctions and as primitive for more complex protocols. We present the first NITC without repeated
squaring or theoretical black box algorithms like NIZK proofs or one-way functions. It has fast verification, almost arbitrary delay and satisfies IND-CCA hiding and perfect binding. Additionally, it needs no trusted setup. Our protocol is based on
isogenies between supersingular elliptic curves making it presumably quantum secure, and all algorithms have been implemented as part of SQISign or other well-known isogeny-based cryptosystems.
## 2024/1226
* Title: A Spectral Analysis of Noise: A Comprehensive, Automated, Formal Analysis of Diffie-Hellman Protocols
* Authors: Guillaume Girol, Lucca Hirschi, Ralf Sasse, Dennis Jackson, Cas Cremers, David Basin
* [Permalink](
https://eprint.iacr.org/2024/1226)
* [Download](
https://eprint.iacr.org/2024/1226.pdf)
### Abstract
The Noise specification describes how to systematically construct a large family of Diffie-Hellman based key exchange protocols, including the secure transports used by WhatsApp, Lightning, and WireGuard. As the specification only makes informal security
claims, earlier work has explored which formal security properties may be enjoyed by protocols in the Noise framework, yet many important questions remain open.
In this work we provide the most comprehensive, systematic analysis of the Noise framework to date. We start from first principles and, using an automated analysis tool, compute the strongest threat model under which a protocol is secure, thus enabling
formal comparison between protocols. Our results allow us to objectively and automatically associate each informal security level presented in the Noise specification with a formal security claim.
We also provide a fine-grained separation of Noise protocols that were previously described as offering similar security properties, revealing a subclass for which alternative Noise protocols exist that offer strictly better security guarantees. Our
analysis also uncovers missing assumptions in the Noise specification and some surprising consequences, e.g. in some situations higher security levels yield strictly worse security.
## 2024/1227
* Title: ZIPNet: Low-bandwidth anonymous broadcast from (dis)Trusted Execution Environments
* Authors: Michael Rosenberg, Maurice Shih, Zhenyu Zhao, Rui Wang, Ian Miers, Fan Zhang
* [Permalink](
https://eprint.iacr.org/2024/1227)
* [Download](
https://eprint.iacr.org/2024/1227.pdf)
### Abstract
Anonymous Broadcast Channels (ABCs) allow a group of clients to announce messages without revealing the exact author. Modern ABCs operate in a client-server model, where anonymity depends on some threshold (e.g., 1 of 2) of servers being honest. ABCs are
an important application in their own right, e.g., for activism and whistleblowing. Recent work on ABCs (Riposte, Blinder) has focused on minimizing the bandwidth cost to clients and servers when supporting large broadcast channels for such applications.
But, particularly for low bandwidth settings, they impose large costs on servers, make cover traffic costly, and make volunteer operators unlikely.
In this paper, we describe the design, implementation, and evaluation of ZIPNet, an anonymous broadcast channel that 1) scales to hundreds of anytrust servers by minimizing the computational costs of each server, 2) substantially reduces the servers’
bandwidth costs by outsourcing the aggregation of client messages to untrusted (for privacy) infrastructure, and 3) supports cover traffic that is both cheap for clients to produce and for servers to handle.
## 2024/1228
* Title: Automated Software Vulnerability Static Code Analysis Using Generative Pre-Trained Transformer Models
* Authors: Elijah Pelofske, Vincent Urias, Lorie M. Liebrock
* [Permalink](
https://eprint.iacr.org/2024/1228)
* [Download](
https://eprint.iacr.org/2024/1228.pdf)
### Abstract
Generative Pre-Trained Transformer models have been shown to be surprisingly effective at a variety of natural language processing tasks -- including generating computer code. However, in general GPT models have been shown to not be incredibly effective
at handling specific computational tasks (such as evaluating mathematical functions).
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)