## In this issue
1. [2024/363] Time-Averaged Analysis of Selfish Mining in Bitcoin
2. [2024/370] Perfectly-Secure Multiparty Computation with Linear ...
3. [2024/376] Perfect (Parallel) Broadcast in Constant Expected ...
4. [2024/416] Mangrove: A Scalable Framework for Folding-based SNARKs
5. [2024/417] An improved exact CRR basis conversion algorithm ...
6. [2024/418] Atomic and Fair Data Exchange via Blockchain
7. [2024/419] New Upper Bounds for Evolving Secret Sharing via ...
8. [2024/420] Gap MCSP is not (Levin) NP-complete in Obfustopia
9. [2024/421] LLRing: Logarithmic Linkable Ring Signatures with ...
10. [2024/422] A Class of Weightwise Almost Perfectly Balanced ...
11. [2024/423] Plan your defense: A comparative analysis of ...
12. [2024/424] On the Concrete Security of Approximate FHE with ...
13. [2024/425] Kolmogorov Comes to Cryptomania: On Interactive ...
14. [2024/426] Efficient Actively Secure DPF and RAM-based 2PC ...
15. [2024/427] A Cautionary Note: Side-Channel Leakage ...
16. [2024/428] SNOW-SCA: ML-assisted Side-Channel Attack on SNOW-V
17. [2024/429] FOLEAGE: $\mathbb{F}_4$OLE-Based Multi-Party ...
18. [2024/430] SoK: Zero-Knowledge Range Proofs
19. [2024/431] Generalized Feistel Ciphers for Efficient Prime ...
20. [2024/432] Perfect Asynchronous MPC with Linear Communication ...
21. [2024/433] UniHand: Privacy-preserving Universal Handover for ...
22. [2024/434] Parameter-Hiding Order-Revealing Encryption without ...
23. [2024/435] Unbiasable Verifiable Random Functions
24. [2024/436] Re-Randomized FROST
25. [2024/437] Insecurity of MuSig and BN Multi-Signatures with ...
26. [2024/438] EFFLUX-F2: A High Performance Hardware Security ...
27. [2024/439] Threshold implementations of cryptographic ...
28. [2024/440] Secret and Shared Keys Recovery on Hamming Quasi- ...
29. [2024/441] Cryptanalysis of rank-2 module-LIP in Totally Real ...
30. [2024/442] Fastcrypto: Pioneering Cryptography Via Continuous ...
31. [2024/443] The cool and the cruel: separating hard parts of ...
32. [2024/444] A trust-minimized e-cash for cryptocurrencies
33. [2024/445] Threshold Structure-Preserving Signatures: Strong ...
34. [2024/446] Estimating the Unpredictability of Multi-Bit Strong ...
35. [2024/447] ORIGO: Proving Provenance of Sensitive Data with ...
36. [2024/448] Differential Cryptanalysis of a Lightweight Block ...
37. [2024/449] Practical Lattice-Based Distributed Signatures for ...
38. [2024/450] The 2Hash OPRF Framework and Efficient Post-Quantum ...
39. [2024/451] Towards Verifiable FHE in Practice: Proving Correct ...
40. [2024/452] Modeling Mobile Crash in Byzantine Consensus
41. [2024/453] Verifiable Information-Theoretic Function Secret ...
42. [2024/454] The Systemic Errors of Banded Quantum Fourier ...
43. [2024/455] Anonymous Complaint Aggregation for Secure Messaging
## 2024/363
* Title: Time-Averaged Analysis of Selfish Mining in Bitcoin
* Authors: Roozbeh Sarenche, Ren Zhang, Svetla Nikova, Bart Preneel
* [Permalink](
https://eprint.iacr.org/2024/363)
* [Download](
https://eprint.iacr.org/2024/363.pdf)
### Abstract
A Bitcoin miner who owns a sufficient amount of mining power can perform selfish mining to increase his relative revenue. Studies have demonstrated that the time-averaged profit of a selfish miner starts to rise once the mining difficulty level gets
adjusted in favor of the attacker. Selfish mining profitability lies in the fact that orphan blocks are not incorporated into the current version of Bitcoin's difficulty adjustment mechanism (DAM). Therefore, it is believed that considering the count of
orphan blocks in the DAM can result in selfish mining unprofitability. In this paper, we disprove this belief by providing a formal analysis of the selfish mining time-averaged profit. We present a precise definition of the orphan blocks that can be
incorporated into calculating the next epoch's target and then introduce two modified versions of DAM in which both main-chain blocks and orphan blocks are incorporated. We propose two versions of smart intermittent selfish mining, where the first one
dominates the normal intermittent selfish mining and the second one results in selfish mining profitability under the modified DAMs. Moreover, we present the orphan exclusion attack with the help of which the attacker can stop honest miners from
reporting the orphan blocks. Using combinatorial tools, we analyze the profitability of selfish mining accompanied by the orphan exclusion attack under the modified DAMs. Our result shows that even when considering the orphan blocks in the DAM, normal
selfish mining can still be profitable; however, the level of profitability under the modified DAMs is significantly lower than that observed under the current version of Bitcoin DAM.
## 2024/370
* Title: Perfectly-Secure Multiparty Computation with Linear Communication Complexity over Any Modulus
* Authors: Daniel Escudero, Yifan Song, Wenhao Wang
* [Permalink](
https://eprint.iacr.org/2024/370)
* [Download](
https://eprint.iacr.org/2024/370.pdf)
### Abstract
Consider the task of secure multiparty computation (MPC) among $n$ parties with perfect security and guaranteed output delivery, supporting $t<n/3$ active corruptions. Suppose the arithmetic circuit $C$ to be computed is defined over a finite ring $\
mathbb{Z}/q\mathbb{Z}$, for an arbitrary $q\in\mathbb{Z}$. It is known that this type of MPC over such ring is possible, with communication that scales as $O(n|C|)$, assuming that $q$ scales as $\Omega(n)$. However, for constant-size rings $\mathbb{Z}/q\
mathbb{Z}$ where $q = O(1)$, the communication is actually $O(n\log n|C|)$ due to the need of the so-called ring extensions. In most natural settings, the number of parties is variable but the ``datatypes'' used for the computation are fixed (e.g. 64-bit
integers). In this regime, no protocol with linear communication exists.
In this work we provide an MPC protocol in this setting: perfect security, G.O.D. and $t<n/3$ active corruptions, that enjoys linear communication $O(n|C|)$, even for constant-size rings $\mathbb{Z}/q\mathbb{Z}$. This includes as important particular
cases small fields such as $\mathbb{F}_2$, and also the ring $\mathbb{Z}/2^k\mathbb{Z}$. The main difficulty in achieving this result is that widely used techniques such as linear secret-sharing cannot work over constant-size rings, and instead, one must
make use of ring extensions that add $\Omega(\log n)$ overhead, while packing $\Omega(\log n)$ ring elements in each extension element in order to amortize this cost. We make use of reverse multiplication-friendly embeddings (RMFEs) for this packing, and
adapt recent techniques in network routing (Goyal et al. CRYPTO'22) to ensure this can be efficiently used for non-SIMD circuits. Unfortunately, doing this naively results in a restriction on the minimum width of the circuit, which leads to an extra
additive term in communication of $\mathsf{poly}(n)\cdot\mathsf{depth}(C)$. One of our biggest technical contributions lies in designing novel techniques to overcome this limitation by packing elements that are distributed across different layers. To the
best of our knowledge, all works that have a notion of packing (e.g. RMFE or packed secret-sharing) group gates across the same layer, and not doing so, as in our work, leads to a unique set of challenges and complications.
## 2024/376
* Title: Perfect (Parallel) Broadcast in Constant Expected Rounds via Statistical VSS
* Authors: Gilad Asharov, Anirudh Chandramouli
* [Permalink](
https://eprint.iacr.org/2024/376)
* [Download](
https://eprint.iacr.org/2024/376.pdf)
### Abstract
We study broadcast protocols in the information-theoretic model under optimal conditions, where the number of corruptions $t$ is at most one-third of the parties, $n$. While worst-case $\Omega(n)$ round broadcast protocols are known to be impossible to
achieve, protocols with an expected constant number of rounds have been demonstrated since the seminal work of Feldman and Micali [STOC'88]. Communication complexity for such protocols has gradually improved over the years, reaching $O(nL)$ plus expected
$O(n^4\log n)$ for broadcasting a message of size $L$ bits.
This paper presents a perfectly secure broadcast protocol with expected constant rounds and communication complexity of $O(nL)$ plus expected $O(n^3 \log^2n)$ bits. In addition, we consider the problem of parallel broadcast, where $n$ senders, each wish
to broadcast a message of size $L$. We show a parallel broadcast protocol with expected constant rounds and communication complexity of $O(n^2L)$ plus expected $O(n^3 \log^2n)$ bits. Our protocol is optimal (up to expectation) for messages of length $L \
in \Omega(n \log^2 n)$.
Our main contribution is a framework for obtaining perfectly secure broadcast with an expected constant number of rounds from a statistically secure verifiable secret sharing. Moreover, we provide a new statistically secure verifiable secret sharing
where the broadcast cost per participant is reduced from $O(n \log n)$ bits to only $O({\sf poly} \log n)$ bits. All our protocols are adaptively secure.
## 2024/416
* Title: Mangrove: A Scalable Framework for Folding-based SNARKs
* Authors: Wilson Nguyen, Trisha Datta, Binyi Chen, Nirvan Tyagi, Dan Boneh
* [Permalink](
https://eprint.iacr.org/2024/416)
* [Download](
https://eprint.iacr.org/2024/416.pdf)
### Abstract
We present a framework for building efficient folding-based SNARKs. First we develop a new "uniformizing" compiler for NP statements that converts any poly-time computation to a sequence of identical simple steps. The resulting uniform computation is
especially well-suited to be processed by a folding-based IVC scheme. Second, we develop two optimizations to folding-based IVC. The first reduces the recursive overhead of the IVC by restructuring the relation to which folding is applied. The second
employs a "commit-and-fold" strategy to further simplify the relation. Together, these optimizations result in a folding-based SNARK that has a number of attractive features. First, the scheme uses a constant-size transparent common reference string (CRS)
. Second, the prover has
(i) low memory footprint,
(ii) makes only two passes over the data,
(iii) is highly parallelizable, and
(iv) is concretely efficient.
Microbenchmarks indicate proving time is comparable to leading monolithic SNARKs, and is significantly faster than other streaming SNARKs. On a laptop, for $2^{24}$ ($2^{32}$) gates, the Mangrove prover is estimated to take $2$ minutes ($8$ hours) with
peak memory usage approximately $390$ MB ($800$ MB).
## 2024/417
* Title: An improved exact CRR basis conversion algorithm for FHE without floating-point arithmetic
* Authors: Hongyuan Qu, Guangwu Xu
* [Permalink](
https://eprint.iacr.org/2024/417)
* [Download](
https://eprint.iacr.org/2024/417.pdf)
### Abstract
Fully homomorphic encryption (FHE) has attracted much attention recently. Chinese remainder representation (CRR) or RNS representation is one of the core technologies of FHE. CRR basis conversion is a key step of KeySwitching procedure. Bajard et al.
proposed a fast basis conversion method for CRR basis conversion, but the elimination of error had to be ignored. Halevi et al. suggested a method using floating-point arithmetic to avoid errors, but floating-point arithmetic has its own issues such as
low efficiency and complex chip design. In this work, we establish a more concise and efficient CRR basis conversion method by observing that each of the ciphertext modulus selected
by the CRR CKKS scheme is very close to an integer that is a power of 2. Our conversion algorithm eliminates errors and involves only integer arithmetic and bit operations. The proof of correctness of our algorithm is given. Extensive experiments are
conducted and comparisons between the method of Halevi et al. and ours are obtained, which show that our method has the same accuracy and a slightly better effeciency. Our method is also applicable to the CRR variant of BGV and BFV schemes, and can be
used to simplify chip design.
## 2024/418
* Title: Atomic and Fair Data Exchange via Blockchain
* Authors: Ertem Nusret Tas, István András Seres, Yinuo Zhang, Márk Melczer, Mahimna Kelkar, Joseph Bonneau, Valeria Nikolaenko
* [Permalink](
https://eprint.iacr.org/2024/418)
* [Download](
https://eprint.iacr.org/2024/418.pdf)
### Abstract
We introduce a blockchain Fair Data Exchange (FDE) protocol, enabling a storage server to transfer a data file to a client atomically: the client receives the file if and only if the server receives an agreed-upon payment. We put forth a new definition
for a cryptographic scheme that we name verifiable encryption under committed key (VECK), and we propose two instantiations for this scheme. Our protocol relies on a blockchain to enforce the atomicity of the exchange and uses VECK to ensure that the
client receives the correct data (matching an agreed-upon commitment) before releasing the payment for the decrypting key. Our protocol is trust-minimized and requires only constant-sized on-chain communication, concretely $3$ signatures, $1$
verification key, and $1$ secret key, with most of the data stored and communicated off-chain. It also supports exchanging only a subset of the data, can amortize the server's work across multiple clients, and offers a general framework to design
alternative FDE protocols using different commitment schemes. A prominent application of our protocol is the Danksharding data availability scheme on Ethereum, which commits to data via KZG polynomial commitments. We also provide an open-source
implementation for our protocol with both instantiations for VECK, demonstrating our protocol's efficiency and practicality on Ethereum.
## 2024/419
* Title: New Upper Bounds for Evolving Secret Sharing via Infinite Branching Programs
* Authors: Bar Alon, Amos Beimel, Tamar Ben David, Eran Omri, Anat Paskin-Cherniavsky
* [Permalink](
https://eprint.iacr.org/2024/419)
* [Download](
https://eprint.iacr.org/2024/419.pdf)
### Abstract
Evolving secret-sharing schemes, defined by Komargodski, Naor, and Yogev [TCC 2016B, IEEE Trans. on Info. Theory 2018], are secret-sharing schemes in which there is no a-priory bound on the number of parties. In such schemes, parties arrive one by one;
when a party arrives, the dealer gives it a share and cannot update this share in later stages. The requirement is that some predefined sets (called authorized sets) should be able to reconstruct the secret, while other sets should learn no information
on the secret. The collection of authorized sets that can reconstruct the secret is called an evolving access structure. The challenge of the dealer is to be able to give short shares to the the current parties without knowing how many parties will
arrive in the future. The requirement that the dealer cannot update shares is designed to prevent expensive updates.
Komargodski et al. constructed an evolving secret-sharing scheme for every monotone evolving access structure; the share size of the $t^{\text{th}}$ party in this scheme is $2^{t-1}$.
Recently, Mazor [ITC 2023] proved that evolving secret-sharing schemes require exponentially-long shares for some evolving access structure, namely shares of size $2^{t-o(t)}$.In light of these results, our goal is to construct evolving secret-sharing
schemes with non-trivial share size for wide classes of evolving access structures; e.g., schemes with share size $2^{ct}$ for $c<1$ or even polynomial size. We provide several results achieving this goal:
-We define layered infinite branching programs representing evolving access structures, show how to transform them into generalized infinite decision trees, and show how to construct evolving secret-sharing schemes for generalized infinite decision trees.
Combining these steps, we get a secret-sharing scheme realizing the evolving access structure.
As an application of this framework, we construct an evolving secret-sharing scheme with non-trivial share size for access structures that can be represented by layered infinite branching programs with width at layer $t$ of at most $2^{0.15t}$. If the
width is polynomial, then we get an evolving secret-sharing scheme with quasi-polynomial share size.
-We construct efficient evolving secret-sharing schemes for dynamic-threshold access structures with high dynamic-threshold and for infinite $2$ slice and $3$-slice access structures. The share size of the $t^{\text{th}}$ party in these schemes is $2^{\
tilde{O}((\log t)^{1/\sqrt{2}+\epsilon})}$ for any constant $\epsilon>0$, which is comparable to the best-known share size of $2^{\tilde{O}((\log t)^{1/2}))}$ for finite $2$-slice and 3-slice access structures.
-We prove lower bounds on the share size of evolving secret-sharing schemes for infinite $k$-hypergraph access structures and for infinite directed st-connectivity access structures. As a by-product of the lower bounds, we provide the first non-trivial
lower bound for finite directed st-connectivity access structures for general secret-sharing schemes.
## 2024/420
* Title: Gap MCSP is not (Levin) NP-complete in Obfustopia
* Authors: Noam Mazor, Rafael Pass
* [Permalink](
https://eprint.iacr.org/2024/420)
* [Download](
https://eprint.iacr.org/2024/420.pdf)
### Abstract
We demonstrate that under believable cryptographic hardness assumptions, Gap versions of standard meta-complexity problems, such as the Minimum Circuit Size problem (MCSP) and the Minimum Time-Bounded Kolmogorov Complexity problem (MKTP) are not NP-
complete w.r.t. Levin (i.e., witness-preserving many-to-one) reductions.
In more detail:
- Assuming the existence of indistinguishability obfuscation, and subexponentially-secure one-way functions, an appropriate Gap version of MCSP is not NP-complete under randomized Levin-reductions.
- Assuming the existence of subexponentially-secure indistinguishability obfuscation, subexponentially-secure one-way functions and injective PRGs, an appropriate Gap version of MKTP is not NP-complete under randomized Levin-reductions.
## 2024/421
* Title: LLRing: Logarithmic Linkable Ring Signatures with Transparent Setup
* Authors: Xiangyu Hui, Sid Chi-Kin Chau
* [Permalink](
https://eprint.iacr.org/2024/421)
* [Download](
https://eprint.iacr.org/2024/421.pdf)
### Abstract
Linkable ring signatures are an important cryptographic primitive for anonymized applications, such as e-voting, e-cash and confidential transactions. To eliminate backdoor and overhead in trusted setup, transparent setup in the discrete logarithm or
pairing settings has received considerable attention in practice. Recent advances have improved the proof sizes and verification efficiency of linkable ring signatures with transparent setup to achieve logarithmic bounds. Omniring (CCS `19) and RingCT 3.
0 (FC `20) proposed linkable ring signatures in the discrete logarithm setting with logarithmic proof sizes with respect to the ring size, whereas DualDory (ESORICS `22) achieves logarithmic verifiability in the pairing setting. We make three novel
contributions in this paper to improve the efficiency and soundness of logarithmic linkable ring signatures: (1) We report an attack on DualDory that breaks its linkability. (2) To eliminate such attacks, we present a new linkable ring signature scheme
in the pairing setting with logarithmic verifiability. (3) We improve the verification efficiency of linkable ring signatures in the discrete logarithm setting, by a technique of reducing the number of group exponentiations for verification in Omniring
by 50%. Furthermore, our technique is applicable to general inner-product relation proofs, which might be of independent interest. Finally, we empirically evaluate our schemes and compare them with the extant linkable ring signatures in concrete
implementation.
## 2024/422
* Title: A Class of Weightwise Almost Perfectly Balanced Boolean Functions with High Weightwise Nonlinearity
* Authors: Deepak Kumar Dalai, Krishna Mallick
* [Permalink](
https://eprint.iacr.org/2024/422)
* [Download](
https://eprint.iacr.org/2024/422.pdf)
### Abstract
A Boolean function with good cryptographic properties over a set of vectors with constant Hamming weight is significant for stream ciphers like FLIP [MJSC16]. This paper presents a construction weightwise almost perfectly balanced (WAPB) Boolean
functions by perturbing the support vectors of a highly nonlinear function in the construction presented in [DM]. As a result, the nonlinearity and weightwise nonlinearities of the modified functions improve substantially.
## 2024/423
* Title: Plan your defense: A comparative analysis of leakage detection methods on RISC-V cores
* Authors: Konstantina Miteloudi, Asmita Adhikary, Niels van Drueten, Lejla Batina, Ileana Buhan
* [Permalink](
https://eprint.iacr.org/2024/423)
* [Download](
https://eprint.iacr.org/2024/423.pdf)
### Abstract
Hardening microprocessors against side-channel attacks is a critical aspect of ensuring their security. A key step in this process is identifying and mitigating “leaky” hardware modules, which inadvertently leak information during the execution of
cryptographic algorithms.
In this paper, we explore how different leakage detection methods, the Side-channel Vulnerability Factor (SVF) and the Test Vector Leakage Assessment (TVLA), contribute to hardening of microprocessors. We conduct experiments on two RISC-V cores, SHAKTI
and Ibex, using two cryptographic algorithms, SHA-3 and AES.
Our findings suggest that SVF and TVLA can provide valuable insights into identifying leaky modules. However, the effectiveness of these methods can vary depending on the specific core and cryptographic algorithm in use.
We conclude that the choice of leakage detection method should be based not only on computational cost but also on the specific requirements of the system and the nature of the potential threats. Our research contributes to developing more secure
microprocessors that are robust against side-channel attacks.
## 2024/424
* Title: On the Concrete Security of Approximate FHE with Noise-Flooding Countermeasures
* Authors: Flavio Bergamaschi, Anamaria Costache, Dana Dachman-Soled, Hunter Kippen, Lucas LaBuff, Rui Tang
* [Permalink](
https://eprint.iacr.org/2024/424)
* [Download](
https://eprint.iacr.org/2024/424.pdf)
### Abstract
Approximate fully homomorphic encryption (FHE) schemes such as the CKKS scheme (Asiacrypt '17) are popular in practice due to their efficiency and utility for machine learning applications. Unfortunately, Li and Micciancio (Eurocrypt, '21) showed that,
while achieving standard semantic (or $\mathsf{IND}\mbox{-}\mathsf{CPA}$ security), the CKKS scheme is broken under a variant security notion known as $\mathsf{IND}\mbox{-}\mathsf{CPA}^D$. Subsequently, Li, Micciancio, Schultz, and Sorrell (Crypto '22)
proved the security of the CKKS scheme with a noise-flooding countermeasure, which adds Gaussian noise of sufficiently high variance before outputting the decrypted value. However, the variance required for provable security is very high, inducing a
large loss in message precision.
In this work, we ask whether there is an intermediate noise-flooding level, which may not be provably secure, but allows to maintain the performance of the scheme, while resisting known attacks. We analyze the security with respect to different
adversarial models and various types of attacks.
We investigate the effectiveness of lattice reduction attacks, guessing attacks and hybrid attacks with noise-flooding with variance $\rho^2_{\mathsf{circ}}$, the variance of the noise already present in the ciphertext as estimated by an average-case
analysis, $100\cdot \rho^2_{\mathsf{circ}}$, and $t\cdot \rho^2_{\mathsf{circ}}$, where $t$ is the number of decryption queries. For noise levels of $\rho^2_{\mathsf{circ}}$ and $100\cdot \rho^2_{\mathsf{circ}}$, we find that a full guessing attack is
feasible for all parameter sets and circuit types.
We find that a lattice reduction attack is the most effective attack for noise-flooding level $t\cdot \rho^2_{\mathsf{circ}}$, but it only induces at most a several bit reduction in the security level.
Due to the large dimension and modulus in typical FHE parameter sets, previous techniques even for estimating the concrete security of these attacks -- such as those in (Dachman-Soled, Ducas, Gong, Rossi, Crypto '20) -- become computationally infeasible,
since they involve high
dimensional and high precision matrix multiplication and inversion. We therefore develop new techniques that allow us to perform fast security estimation, even for FHE-size parameter sets.
## 2024/425
* Title: Kolmogorov Comes to Cryptomania: On Interactive Kolmogorov Complexity and Key-Agreement
* Authors: Marshall Ball, Yanyi Liu, Noam Mazor, Rafael Pass
* [Permalink](
https://eprint.iacr.org/2024/425)
* [Download](
https://eprint.iacr.org/2024/425.pdf)
### Abstract
Only a handful candidates for computational assumptions that imply secure key-agreement protocols (KA) are known, and even fewer are believed to be quantum safe. In this paper, we present a new hardness assumption---the worst-case hardness of a promise
problem related to an interactive version of Kolmogorov Complexity.
Roughly speaking, the promise problem requires telling apart tuples of strings $(\pi,x,y)$ with relatively (w.r.t. $K(\pi)$) low time-bounded Interactive Kolmogorov Complexity ($IK^t$), and those with relatively high Kolmogorov complexity, given the
promise that $K^t(x|y)< s, K^t(y|x)< s$ and $s = log n$, and where $IK^t(\pi;x;y)$ is defined as the length of the shortest pair of $t$-bounded TMs $(A,B)$ such that the interaction of $(Ac,Bc)$ lead to the transcript $\pi$ and the respective outputs $x,
y$.
We demonstrate that when $t$ is some polynomial, then not only does this hardness assumption imply the existence of KA, but it is also necessary for the existence of secure KA. As such, it yields the first natural hardness assumption characterizing the
existence of key-agreement protocols.
We additionally show that when the threshold $s$ is bigger (e.g., $s = 55log n$), then the (worst-case) hardness of this problem instead characterizes the existence of one-way functions (OWFs). As such, our work also clarifies exactly what it would take
to base KA on the existence of OWFs, and demonstrates that this question boils down to demonstrating a worst-case reduction between two closely related promise problems.
## 2024/426
* Title: Efficient Actively Secure DPF and RAM-based 2PC with One-Bit Leakage
* Authors: Wenhao Zhang, Xiaojie Guo, Kang Yang, Ruiyu Zhu, Yu Yu, Xiao Wang
* [Permalink](
https://eprint.iacr.org/2024/426)
* [Download](
https://eprint.iacr.org/2024/426.pdf)
### Abstract
Secure two-party computation (2PC) in the RAM model has attracted huge attention in recent years. Most existing results only support semi-honest security, with the exception of Keller and Yanai (Eurocrypt 2018) with very high cost. In this paper, we
propose an efficient RAM-based 2PC protocol with active security and one-bit leakage.
1) We propose an actively secure protocol for distributed point function (DPF), with one-bit leakage, that is essentially as efficient as the state-of-the-art semi-honest protocol. Compared with previous work, our protocol takes about $50 \times$ less
communication for a domain with $2^{20}$ entries, and no longer requires actively secure generic 2PC.
2) We extend the dual-execution protocol to allow reactive computation, and then build a RAM-based 2PC protocol with active security on top of our new building blocks. The protocol follows the paradigm of Doerner and shelat (CCS 2017). We are able to
prove that the protocol has end-to-end one-bit leakage.
3) Our implementation shows that our protocol is almost as efficient as the state-of-the-art semi-honest RAM-based 2PC protocol, and is at least two orders of magnitude faster than prior actively secure RAM-based 2PC without leakage, providing a
realistic trade-off in practice.
## 2024/427
* Title: A Cautionary Note: Side-Channel Leakage Implications of Deterministic Signature Schemes
* Authors: Hermann Seuschek, Johann Heyszl, Fabrizio De Santis
* [Permalink](
https://eprint.iacr.org/2024/427)
* [Download](
https://eprint.iacr.org/2024/427.pdf)
### Abstract
Two recent proposals by Bernstein and Pornin emphasize the use of deterministic signatures in DSA and its elliptic curve-based variants. Deterministic signatures derive the required ephemeral key value in a deterministic manner from the message to be
signed and the secret key instead of using random number generators. The goal is to prevent severe security issues, such as the straight-forward secret key recovery from low quality random numbers. Recent developments have raised skepticism whether e.g.
embedded or pervasive devices are able to generate randomness of sufficient quality. The main concerns stem from individual implementations lacking sufficient entropy source and standardized methods for random number generation with suspected back doors.
While we support the goal of deterministic signatures, we are concerned about the fact that this has a significant influence on side-channel security of implementations. Specifically, attackers will be able to mount differential side-channel attacks on
the additional use of the secret key in a cryptographic hash function to derive the deterministic ephemeral key. Previously, only a simple integer arithmetic function
to generate the second signature parameter had to be protected, which is rather straight-forward. Hash functions are significantly more difficult to protect. In this contribution, we systematically explain how deterministic signatures introduce this new
side-channel vulnerability.
## 2024/428
* Title: SNOW-SCA: ML-assisted Side-Channel Attack on SNOW-V
* Authors: Harshit Saurabh, Anupam Golder, Samarth Shivakumar Titti, Suparna Kundu, Chaoyun Li, Angshuman Karmakar, Debayan Das
* [Permalink](
https://eprint.iacr.org/2024/428)
* [Download](
https://eprint.iacr.org/2024/428.pdf)
### Abstract
This paper presents SNOW-SCA, the first power side-channel analysis (SCA) attack of a 5G mobile communication security standard candidate, SNOW-V, running on a 32-bit ARM Cortex-M4 microcontroller. First, we perform a generic known-key correlation (KKC)
analysis to identify the leakage points. Next, a correlation power analysis (CPA) attack is performed, which reduces the attack complexity to two key guesses for each key byte. The correct secret key is then uniquely identified utilizing linear
discriminant analysis (LDA). The profiled SCA attack with LDA achieves 100% accuracy after training with < 200 traces, which means the attack succeeds with just a single trace. Overall, using the combined CPA and LDA attack model, the correct secret key
byte is recovered with < 50 traces collected using the ChipWhisperer platform. The entire 256-bit secret key of SNOW-V can be recovered incrementally using the proposed SCA attack. Finally, we suggest low-overhead countermeasures that can be used to
prevent these SCA attacks.
## 2024/429
* Title: FOLEAGE: $\mathbb{F}_4$OLE-Based Multi-Party Computation for Boolean Circuits
* Authors: Maxime Bombar, Dung Bui, Geoffroy Couteau, Alain Couvreur, Clément Ducros, Sacha Servan-Schreiber
* [Permalink](
https://eprint.iacr.org/2024/429)
* [Download](
https://eprint.iacr.org/2024/429.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)