## In this issue

1. [2024/49] CL-SCA: Leveraging Contrastive Learning for ...
2. [2024/50] Do You Need a Zero Knowledge Proof?
3. [2024/51] Limits on Authenticated Encryption Use in TLS
4. [2024/52] Simple Vs Vectorial: Exploiting Structural Symmetry ...
5. [2024/53] Anonymous Homomorphic IBE with Application to ...
6. [2024/54] FEASE: Fast and Expressive Asymmetric Searchable ...
7. [2024/55] Multi-Hop Fine-Grained Proxy Re-Encryption
8. [2024/56] Zero-Knowledge Proofs for SIDH variants with Masked ...
9. [2024/57] Elastic MSM: A Fast, Elastic and Modular ...
10. [2024/58] Constrained Pseudorandom Functions for Inner- ...
11. [2024/59] CrISA-X: Unleashing Performance Excellence in ...
12. [2024/60] The Insecurity of Masked Comparisons: SCAs on ML- ...
13. [2024/61] Partial Key Exposure Attack on Common Prime RSA
14. [2024/62] Double Difficulties, Defense in Depth A succinct ...
15. [2024/63] A Study of Soft Analytical Side-Channel Attacks on ...
16. [2024/64] Extreme Algebraic Attacks
17. [2024/65] Privacy-preserving Anti-Money Laundering using ...
18. [2024/66] Exploiting the Central Reduction in Lattice-Based ...
19. [2024/67] A Refined Hardness Estimation of LWE in Two-step Mode
20. [2024/68] Laconic Function Evaluation, Functional Encryption ...
21. [2024/69] SDitH in Hardware
22. [2024/70] Hints from Hertz: Dynamic Frequency Scaling Side- ...
23. [2024/71] Too Hot To Be True: Temperature Calibration for ...
24. [2024/72] 1/0 Shades of UC: Photonic Side-Channel Analysis of ...
25. [2024/73] A Comparative Examination of Network and Contract- ...
26. [2024/74] PRIDA: PRIvacy-preserving Data Aggregation with ...
27. [2024/75] Succinct Verification of Compressed Sigma Protocols ...
28. [2024/76] A provably masked implementation of BIKE Key ...
29. [2024/77] OBSCURE: Versatile Software Obfuscation from a ...
30. [2024/78] Formal Security Analysis of the OpenID FAPI 2.0: ...
31. [2024/79] On Modular Algorithms and Butterfly Operations in ...
32. [2024/80] Memory adds no cost to lattice sieving for ...
33. [2024/81] SuperFL: Privacy-Preserving Federated Learning with ...
34. [2024/82] Quantum State Obfuscation from Classical Oracles
35. [2024/83] Layout Graphs, Random Walks and the t-wise ...
36. [2024/84] Efficient Instances of Docked Double Decker With AES
37. [2024/85] Simultaneously simple universal and ...
38. [2024/86] On Hilbert-Poincaré series of affine semi-regular ...
39. [2024/87] Tree-based Lookup Table on Batched Encrypted ...
40. [2024/88] Enabling PERK on Resource-Constrained Devices
41. [2024/89] Two-party GOST in two parts: fruitless search and ...

## 2024/49

* Title: CL-SCA: Leveraging Contrastive Learning for Profiled Side-Channel Analysis
* Authors: Annv Liu, An Wang, Shaofei Sun, Congming Wei, Yaoling Ding, Yongjuan Wang, Liehuang Zhu
* [Permalink](https://eprint.iacr.org/2024/049)
* [Download](https://eprint.iacr.org/2024/049.pdf)

### Abstract

Side-channel analysis based on machine learning, especially neural networks, has gained significant attention in recent years. However, many existing methods still suffer from certain limitations. Despite the inherent capability of neural networks to
extract features, there remains a risk of extracting irrelevant information. The heavy reliance on profiled traces makes it challenging to adapt to remote attack scenarios with limited profiled traces. Besides, attack traces also contain critical
information that can be used in the training process to assist model learning. In this paper, we propose a side-channel analysis approach based on contrastive learning named CL-SCA to address these issues. We also leverage a stochastic data augmentation
technique to assist model to effectively filter out irrelevant information from the profiled traces. Through experiments of different datasets from different platforms, we demonstrate that CL-SCA significantly outperforms various conventional machine
learning side-channel analysis techniques. Moreover, by incorporating attack traces into the training process using our approach, known as CL-SCA+, it becomes possible to achieve even greater enhancements. This extension can further improve the
effectiveness of key recovery, which is fully verified through experiments on different datasets.



## 2024/50

* Title: Do You Need a Zero Knowledge Proof?
* Authors: Jens Ernstberger, Stefanos Chaliasos, Liyi Zhou, Philipp Jovanovic, Arthur Gervais
* [Permalink](https://eprint.iacr.org/2024/050)
* [Download](https://eprint.iacr.org/2024/050.pdf)

### Abstract

Zero-Knowledge Proofs (ZKPs), a cryptographic tool known for decades, have gained significant attention in recent years due to advancements that have made them practically applicable in real-world scenarios. ZKPs can provide unique attributes, such as
succinctness, non-interactivity, and the ability to prove knowledge without revealing the information itself, making them an attractive solution for a range of applications.

This paper aims to critically analyze the applicability of ZKPs in various scenarios. We categorize ZKPs into distinct types: SNARKs (Succinct Non-Interactive Arguments of Knowledge), Commit-then-Prove ZKPs, MPC-in-the-Head, and Sigma Protocols, each
offering different trade-offs and benefits. We introduce a flowchart methodology to assist in determining the most suitable ZKP system, given a set of technical application requirements. Next, we conduct an in-depth investigation of three major use cases:
Outsourcing Computation, Digital Self-Sovereign Identity, and ZKPs in networking. Additionally, we provide a high-level overview of other applications of ZKPs, exploring their broader implications and opportunities. This paper aims to demystify the
decision-making process involved in choosing the right ZKP system, providing clarity on when and how these cryptographic tools can be effectively utilized in various domains — and when they are better to be avoided.



## 2024/51

* Title: Limits on Authenticated Encryption Use in TLS
* Authors: Atul Luykx, Kenneth G. Paterson
* [Permalink](https://eprint.iacr.org/2024/051)
* [Download](https://eprint.iacr.org/2024/051.pdf)

### Abstract

This technical note presents limits on the security (as a function of the number of plaintext bytes encrypted and the number of forgery attempts made by an adversary) for the main Authenticated Encryption schemes available in TLS 1.2 and the draft of TLS
1.3. These limits are derived from security proofs for the considered schemes available in the literature. Our intention is to provide considered technical input to on-going discussions in the TLS Working Group of the IETF concerning, amongst other
things, the necessity of adding a key update feature to the TLS 1.3 specification.



## 2024/52

* Title: Simple Vs Vectorial: Exploiting Structural Symmetry to Beat the ZeroSum Distinguisher Applications to SHA3, Xoodyak and Bash
* Authors: SAHIBA SURYAWANSHI, Shibam Ghosh, Dhiman Saha, Prathamesh Ram
* [Permalink](https://eprint.iacr.org/2024/052)
* [Download](https://eprint.iacr.org/2024/052.pdf)

### Abstract

Higher order differential properties constitute a very insightful tool at the hands
of a cryptanalyst allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as
SymSum_Vec in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the
latest cryptographic hash standard. SymSum_Vec exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later in Africacrypt 2020, Suryawanshi et al. extended SymSum_Vec using linearization techniques and in SSS 2023 also applied it to NIST-LWC finalist Xoodyak. However, a major limitation of SymSum_Vec is the maximum attainable derivative (MAD) which is less than half of the widely studied ZeroSum distinguisher. This is attributed to SymSum_Vec being dependent on m−fold vectorial derivatives while ZeroSum relies on m−fold simple derivatives. In this work we overcome this limitation of SymSum_Vec by developing and validating the theory of computing SymSum_Vec with simple derivatives. This gives us a close to 100% improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with one/two-round linearization to penetrate more rounds. Moreover, we identify an issue with the two-round linearization claim made by Suryawanshi et al. which
renders it invalid and also furnish an algebraic fix at the cost of some additional constraints.

Combining all results we report SymSum_Sim , a new variant of the SymSum_Vec distinguisher based on m−fold simple derivatives that outperforms ZeroSum by a factor of $2^{257}$, $2^{129}$ for 10-round SHA-3-384 and 9-round SHA-3-512 respectively while enjoying the same MAD as ZeroSum. For every other SHA-3 variant,
SymSum_Sim maintains an advantage of factor 2. Combined with one/two-round linearization, SymSum_Sim improves upon all existing ZeroSum and SymSum_Vec distinguishers on both SHA-3 and Xoodyak. As regards Keccak-p, the internal permutation of SHA-3, we report the best 15-round distinguisher with a complexity of $2^{256}$ and the first better than birthday-bound 16-round distinguisher with
a complexity of $2^{512}$ (improving upon the 15/16-round results by Guo et al. in
Asiacrypt 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of $2^{32}$
and furnish the first third-party distinguishers on the Belarushian hash function
Bash. All distinguishers furnished in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken,
SymSum_Sim emerges as a better distinguisher than ZeroSum on all fronts and adds to the state-of-the-art of cryptanalytic tools investigating non-randomness
of crypto primitives.



## 2024/53

* Title: Anonymous Homomorphic IBE with Application to Anonymous Aggregation
* Authors: Michael Clear, Ciaran McGoldrick, Hitesh Tewari
* [Permalink](https://eprint.iacr.org/2024/053)
* [Download](https://eprint.iacr.org/2024/053.pdf)

### Abstract

All anonymous identity-based encryption (IBE) schemes that are group homomorphic (to the best of our knowledge) require knowledge of the identity to compute the homomorphic operation. This paper is motivated by this open problem, namely to construct an
anonymous group-homomorphic IBE scheme that does not sacrifice anonymity to perform homomorphic operations. Note that even when strong assumptions such as indistinguishability obfuscation (iO) are permitted, no schemes are known. We succeed in solving
this open problem by assuming iO and the hardness of the DBDH problem over rings (specifically, $Z_{N^2}$ for RSA modulus $N$). We then use the existence of such a scheme to construct an IBE scheme with re-randomizable anonymous encryption keys, which we
prove to be IND-ID-RCCA secure. Finally, we use our results to construct identity-based anonymous aggregation protocols.



## 2024/54

* Title: FEASE: Fast and Expressive Asymmetric Searchable Encryption
* Authors: Long Meng, Liqun Chen, Yangguang Tian, Mark Manulis, Suhui Liu
* [Permalink](https://eprint.iacr.org/2024/054)
* [Download](https://eprint.iacr.org/2024/054.pdf)

### Abstract

Asymmetric Searchable Encryption (ASE) is a promising cryptographic mechanism that enables a semi-trusted cloud server to perform keyword searches over encrypted data for users. To be useful, an ASE scheme must support expressive search queries, which
are expressed as conjunction, disjunction, or any Boolean formulas. In this paper, we propose a fast and expressive ASE scheme that is adaptively secure, called FEASE. It requires only 3 pairing operations for searching any conjunctive set of keywords
independent of the set size and has linear complexity for encryption and trapdoor algorithms in the number of keywords.

FEASE is based on a new fast Anonymous Key-Policy Attribute-Based Encryption (A-KP-ABE) scheme as our first proposal, which is of independent interest. To address optional protection against keyword guessing attacks, we extend FEASE into the first
expressive Public-Key Authenticated Encryption with Keyword Search (PAEKS) scheme.

We provide implementations and evaluate the performance of all three schemes, while also comparing them with the state of the art. We observe that FEASE outperforms all existing expressive ASE constructions and that our A-KP-ABE scheme offers anonymity
with efficiency comparable to the currently fastest yet non-anonymous KP-ABE schemes FAME (ACM CCS 2017) and FABEO (ACM CCS 2022).



## 2024/55

* Title: Multi-Hop Fine-Grained Proxy Re-Encryption
* Authors: Yunxiao Zhou, Shengli Liu, Shuai Han
* [Permalink](https://eprint.iacr.org/2024/055)
* [Download](https://eprint.iacr.org/2024/055.pdf)

### Abstract

Proxy re-encryption (PRE) allows a proxy to transform a ciphertext intended for Alice (delegator) to another ciphertext intended for Bob (delegatee) without revealing the underlying message. Recently, a new variant of PRE, namely fine-grained PRE (FPRE),
was proposed in [Zhou et al., Asiacrypt 2023]. Generally, FPRE is designed for a function family F: each re-encryption key rk_{A→B}^f is associated with a function f ∈ F, and with rk_{A→B}^f, a proxy can transform Alice's ciphertext encrypting m to
Bob's ciphertext encrypting f(m). However, their scheme only supports single-hop re-encryption and achieves only CPA security.

In this paper, we formalize multi-hop FPRE (mFPRE) that supports multi-hop re-encryptions in the fine-grained setting, and propose two mFPRE schemes achieving CPA security and stronger HRA security (security against honest re-encryption attacks),
respectively.

-- For multi-hop FPRE, we formally define its syntax and formalize a set of security notions including CPA security, HRA security, undirectionality and ciphertext unlinkablity. HRA security is stronger and more reasonable than CPA security, and
ciphertext unlinkablity blurs the proxy relations among a chain of multi-hop re-encryptions, hence providing better privacy. We establish the relations between these security notions.

-- Our mFPRE schemes support fine-grained re-encryptions for bounded linear functions and have security based on the learning-with-errors (LWE) assumption in the standard model. In particular, one of our schemes is HRA secure and enjoys all the
aforementioned desirable securities. To achieve CPA security and HRA security for mFPRE, we extend the framework of [Jafargholi et al., Crypto 2017] and the technique of the [Fuchsbauer et al., PKC 2019].



## 2024/56

* Title: Zero-Knowledge Proofs for SIDH variants with Masked Degree or Torsion * Authors: Youcef Mokrani, David Jao
* [Permalink](https://eprint.iacr.org/2024/056)
* [Download](https://eprint.iacr.org/2024/056.pdf)

### Abstract

The polynomial attacks on SIDH by Castryck, Decru, Maino, Martindale and Robert have shown that, while the general isogeny problem is still considered unfeasible to break, it is possible to efficiently compute a secret isogeny when given its degree and
image on enough torsion points.
A natural response from many researchers has been to propose SIDH variants where one or both of these possible extra pieces of information is masked in order to obtain schemes for which a polynomial attack is not currently known. Example of such schemes
are M-SIDH, MD-SIDH and FESTA.
However, by themselves, theses SIDH variants are vulnerable to the same adaptive attacks where the adversary sends public keys whose associated isogeny is either unknown or inexistent. For the original SIDH scheme, one possible defense against these
attacks is to use zero-knowledge proofs that a secret isogeny has been honestly computed. However, such proofs do not currently exist for most SIDH variants.
In this paper, we present new zero-knowledge proofs for isogenies whose degree or torsion points have been masked. The security of these proofs mainly relies on the hardness of DSSP.



## 2024/57

* Title: Elastic MSM: A Fast, Elastic and Modular Preprocessing Technique for Multi-Scalar Multiplication Algorithm on GPUs
* Authors: Xudong Zhu, Haoqi He, Zhengbang Yang, Yi Deng, Lutan Zhao, Rui Hou
* [Permalink](https://eprint.iacr.org/2024/057)
* [Download](https://eprint.iacr.org/2024/057.pdf)

### Abstract

Zero-knowledge proof (ZKP) is a cryptographic primitive that enable a prover to convince a verifier that a statement is true without revealing any other information beyond the correctness of the statement itself. Due to its powerful capabilities, its
most practical type, called zero-knowledge Succinct Non-interactive ARgument of Knowledge (zkSNARK), has been widely deployed in various privacy-preserving applications such as cryptocurrencies and verifiable computation. Although state-of-the-art
zkSNARKs are highly efficient for the verifier, the computational overhead for the prover is still orders of magnitude too high to warrant use in many applications. This overhead is due to several time-consuming operations, including large-scale matrix-
vector multiplication (MUL), number-theoretic transform (NTT), and especially the multi-scalar multiplication (MSM) with the highest proportion. Thus, further efficiency improvements are needed.

In this paper we focus on comprehensive optimization of running time and storage space needed by the MSM algorithm on GPUs. Specifically, we propose a new modular and adaptive parameter configuration technique—elastic MSM to enable us to change the
scale of MSM according to our own wishes by performing a corresponding amount of preprocessing. This technique enable us to fully unleash the potential of various efficient parallel MSM algorithms. From another perspective, our technique could also be
regarded as a preprocessing technique over the well-known Pippenger algorithm, which is modular and could be used to accelerate almost all the most advanced parallel Pippenger algorithms on GPUs. Meanwhile, our technique provides an adaptive trade-off
between the running time and the extra storage space needed by parallel Pippenger algorithms on GPUs. We implemented and tested elastic MSM over two prevailing parallel Pippenger algorithms on GPUs. Given a range of practical parameters, across various
preprocessing space limitations (across various MSM scales), our construction achieves up to about 28× and 45× (25× and 40×) speedup versus two state-of-the-art preprocessing parallel Pippenger algorithms on GPUs, respectively.



## 2024/58

* Title: Constrained Pseudorandom Functions for Inner-Product Predicates from Weaker Assumptions
* Authors: Sacha Servan-Schreiber
* [Permalink](https://eprint.iacr.org/2024/058)
* [Download](https://eprint.iacr.org/2024/058.pdf)

### Abstract

In this paper, we build a framework for constructing Constrained Pseudorandom Functions (CPRFs) with inner-product constraint predicates, using ideas from subtractive secret sharing and related-key-attack security.

Our framework can be instantiated using a random oracle or any suitable Related-Key-Attack (RKA) secure pseudorandom function. We provide three instantiations of our framework:

1. an adaptively-secure construction in the random oracle model;
2. a selectively-secure construction under the DDH assumption; and
3. a selectively-secure construction under the assumption that one-way functions exist.

All three instantiations are constraint-hiding and support inner-product predicates, leading to
the first constructions of such expressive CPRFs under each corresponding assumption. Moreover, while the OWF-based construction is primarily of theoretical interest, the random oracle and DDH-based constructions are concretely efficient, which we show
via an implementation.



## 2024/59

* Title: CrISA-X: Unleashing Performance Excellence in Lightweight Symmetric Cryptography for Extendable and Deeply Embedded Processors
* Authors: Oren Ganon, Itamar Levi
* [Permalink](https://eprint.iacr.org/2024/059)
* [Download](https://eprint.iacr.org/2024/059.pdf)

### Abstract

The selection of a Lightweight Cryptography (LWC) algorithm is crucial for resource limited applications. The National Institute of Standards and Technology (NIST) leads this process, which involves a thorough evaluation of the algorithms’
cryptanalytic strength. Furthermore, careful consideration is given to factors such as algorithm latency, code size, and hardware implementation area. These factors are critical in determining the overall performance of cryptographic solutions at edge
devices. Introducing CrISA-X, a Cryptography Instruction Set Architecture extensions designed to improve cryptographic latency on extendable processors. CrISA-X, classified as Generic-Atomic, Block-Specific and Procedure-Specific, leverages RISC
processor hardware and a base ISA to effectively execute LWC algorithms. Our study aims to evaluate the execution efficiency of new single-cycle instruction extensions and tightly coupled multicycle instructions on extendable modular RISC processors.
CrISA-X provides enhanced speed of various algorithms simultaneously while optimizing ISA adaptability, a feat yet to be accomplished. The extension, diverse for several computation levels, is first specifically tailored for individual algorithms and
sets of LWC algorithms, depending on performance, frequency, and area trade-offs. By diligently applying the Min-Max optimization technique, we have configured these extensions to achieve a delicate balance between performance, area code size, etc. Our
study presents empirical evidence of the performance enhancement achieved on a real synthesis modular RISC processor. We offer a framework for creating optimized processor hardware and ISA extensions. The CrISA-X framework generally outperforms ISA
extensions by delivering significant performance boosts between 3x to 17x while experiencing a relative area cost increase of +12% and +47% in LUTs, in respect to the instruction set category. Notably, as one important example, the utilization of the
ASCON algorithm yields a 10x performance boost in contrast to the base ISA instruction implementation



## 2024/60

* Title: The Insecurity of Masked Comparisons: SCAs on ML-KEM’s FO-Transform * Authors: Julius Hermelink, Kai-Chun Ning, Emanuele Strieder
* [Permalink](https://eprint.iacr.org/2024/060)
* [Download](https://eprint.iacr.org/2024/060.pdf)

### Abstract

NIST has released the draft standard for ML-KEM, and ML-KEM is actively used in several widely-distributed applications. Thus, the wide-spread use of ML-KEM in the embedded worlds has to be expected in the near future. This makes security against side-
channel attacks a pressing matter.

Several side-channel attacks have previously been proposed, and one line of research have been attacks against the comparison step of the FO-transform. These attacks construct a decryption failure oracle using a side-channel. A recent work published at
TCHES 2022 stresses the need for higher-order masked comparisons by presenting a horizontal attack and proposes a t-probing secure comparison operation. A subsequent work by D’Anvers, Van Beirendonck, and Verbauwhede improves upon the performance of
several previous proposals.

In this work, we show that the latter masked comparison suffers from weakness similar to those identified in the former. We first propose an approximate template attack that requires only a very low number of traces for profiling and has an exceptionally
high noise tolerance. We show that the profiling phase is not necessary and can be replaced by a vertical analysis of the distribution of certain points of interest without knowledge of the targeted values. Finally, we explain how a horizontal attack may
construct a decryption failure oracle from a single trace.

We provide a leakage model of the targeted operations, which is based on the noisy Hamming weight model. Our evaluations are carried out on a physical device to stress the practicality of our attack. In addition, we simulate the attacks to determine the
measurement noise levels that can be handled. We discuss the underlying causes for our attack, the difficulty of securing the Fujisaki-Okamoto transform in ML-KEM, and draw conclusion about the (in-)sufficiency of t-probing security in this context.



## 2024/61

* Title: Partial Key Exposure Attack on Common Prime RSA
* Authors: Mengce Zheng
* [Permalink](https://eprint.iacr.org/2024/061)
* [Download](https://eprint.iacr.org/2024/061.pdf)

### Abstract

In this paper, we focus on the common prime RSA variant and introduces a novel investigation into the partial key exposure attack targeting it. We explore the vulnerability of this RSA variant, which employs two common primes $p$ and $q$ defined as $p=
2ga+1$ and $q=2gb+1$ for a large prime $g$. Previous cryptanalysis of common prime RSA has primarily focused on the small private key attack. In our work, we delve deeper into the realm of partial key exposure attacks by categorizing them into three
distinct cases. We are able to identify weak private keys that are susceptible to partial key exposure by using the lattice-based method for solving simultaneous modular univariate linear equations. To validate the effectiveness and soundness of our
proposed attacks, we conduct experimental evaluations. Through these examinations, we demonstrate the validity and practicality of the proposed partial key exposure attacks on common prime RSA.



## 2024/62

* Title: Double Difficulties, Defense in Depth A succinct authenticated key agreement protocol
* Authors: WenBin Hsieh
* [Permalink](https://eprint.iacr.org/2024/062)
* [Download](https://eprint.iacr.org/2024/062.pdf)

### Abstract

In 2016, NIST announced an open competition with the goal of finding and standardizing a suitable quantum-resistant cryptographic algorithm, with the standard to be drafted in 2023. These algorithms aim to implement post-quantum secure key encapsulation
mechanism (KEM) and digital signatures. However, the proposed algorithm does not consider authentication and is vulnerable to attacks such as man-in-the-middle. In this paper, we propose an authenticated key exchange algorithm to solve the above problems
and improve its usability. The proposed algorithm combines learning with errors (LWE) and elliptic curve discrete logarithm problem to provide the required security goals. As forward security is a desirable property in a key exchange protocol, an
ephemeral key pair is designed that a long-term secret compromise does not affect the security of past session keys. Moreover, the exchange steps required by the algorithm are very streamlined and can be completed with only two handshakes. We also use
the random oracle model to prove the correctness and the security of proposed scheme. The performance analysis demonstrates the effectiveness of the proposed scheme. We believe that the novel approach introduced in this algorithm opens several doors for
innovative applications of digital signatures in KEMs.



## 2024/63

* Title: A Study of Soft Analytical Side-Channel Attacks on Secure Hash Algorithms
* Authors: Julien Maillard, Thomas Hiscock, Maxime Lecomte, Christophe Clavier * [Permalink](https://eprint.iacr.org/2024/063)
* [Download](https://eprint.iacr.org/2024/063.pdf)

### Abstract

Hashing algorithms are one-way functions that are used in cryptographic protocols as Pseudo Random Functions (PRF), to assess data integrity or to create a Hash-based Message Authentication Code (HMAC). In many cryptographic constructions, secret data is
processed with hashing functions. In these cases, recovering the input given to the hashing algorithm allows retrieving secret data. In this paper, we investigate the application of Soft Analytical Side-Channel Attacks (SASCA), based on a Belief
Propagation (BP) framework, to recover the input of two popular hash function families: SHA-2 and SHA-3. Thanks to a simulation framework, we develop a comprehensive study of the attacker's recovery capacity depending on the hash function variant. Then,
we demonstrate that an attacker can leverage prior knowledge on the hashing function input to increase the effectiveness of the attacks. As an example, in the context of a bootloader doing a hash-based integrity check on a secret firmware, we show that
simple statistics on assembly code injected in BP improves input recovery. Finally, we study the security implications of SASCA on cryptosystems performing multiple invocations of hashing functions with inputs derived from the same secret data. We show
that such constructions can be exploited efficiently by an attacker. We support such statements with experiments on SHA-256 based HMAC and on SHAKE-256 based PRF in Kyber's encryption routine. We also show that increasing Kyber's security parameters
implies weaker security against the proposed SASCA targeting the shared key.



## 2024/64

* Title: Extreme Algebraic Attacks
* Authors: Pierrick Méaux, Qingju Wang
* [Permalink](https://eprint.iacr.org/2024/064)
* [Download](https://eprint.iacr.org/2024/064.pdf)

### Abstract

When designing filter functions in Linear Feedback Shift Registers (LFSR) based stream ciphers, algebraic criteria of Boolean functions such as the Algebraic Immunity (AI) become key characteristics because they guarantee the security of ciphers against
the powerful algebraic attacks. In this article, we investigate a generalization of the algebraic attacks proposed by Courtois and Meier on filtered LFSR twenty years ago. We consider how the standard algebraic attack can be generalized beyond filtered
LFSR to stream ciphers applying a Boolean filter function to an updated state. Depending on the updating process, we can use different sets of annihilators than the ones used in the standard algebraic attack; it leads to a generalization of the concept
of algebraic immunity, and more efficient attacks. To illustrate these strategies, we focus on one of these generalizations and introduce a new notion called Extreme Algebraic Immunity (EAI).

We perform a theoretic study of the EAI criterion and explore its relation to other algebraic criteria. We prove the upper bound of the EAI of an n-variable Boolean function and further show that the EAI can be lower bounded by the AI restricted to a
subset, as defined by Carlet, Méaux and Rotella at FSE 2017. We also exhibit functions with EAI guaranteed to be lower than the AI, in particular we highlight a pathological case of functions with optimal algebraic immunity and EAI only n/4. As
applications, we determine the EAI of filter functions of some existing stream ciphers and discuss how extreme algebraic attacks using EAI could apply to some ciphers.

Our generalized algebraic attack does not give a better complexity than Courtois and Meier's result on the existing stream ciphers. However, we see this work as a study to avoid weaknesses in the construction of future stream cipher designs.



## 2024/65

* Title: Privacy-preserving Anti-Money Laundering using Secure Multi-Party Computation
* Authors: Marie Beth van Egmond, Vincent Dunning, Stefan van den Berg, Thomas Rooijakkers, Alex Sangers, Ton Poppe, Jan Veldsink
* [Permalink](https://eprint.iacr.org/2024/065)
* [Download](https://eprint.iacr.org/2024/065.pdf)

### Abstract


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)