1. Forum
  2. Usenet
  3. SCI.CRYPT

  • [digest] 2024 Week 11 (3/3)

    From IACR ePrint Archive@21:1/5 to All on Mon Mar 18 02:28:27 2024
    [continued from previous message]

    * [Download](https://eprint.iacr.org/2024/448.pdf)

    ### Abstract

    In this study, we investigate the newly developed low energy lightweight block cipher (LELBC), specifically designed for resource-constrained Internet of Things (IoT) devices in smart agriculture. The designers conducted a preliminary differential
    cryptanalysis of LELBC through mixed-integer linear programming (MILP). This paper further delves into LELBC’s differential characteristics in both single and related-key frameworks using MILP, identifying a nine-round differential characteristic with
    a probability of $2^{-60}$ in a single-key framework and a 12-round differential characteristic with a probability of $2^{-60}$ in a related-key framework.



    ## 2024/449

    * Title: Practical Lattice-Based Distributed Signatures for a Small Number of Signers
    * Authors: Nabil Alkeilani Alkadri, Nico Döttling, Sihang Pu
    * [Permalink](https://eprint.iacr.org/2024/449)
    * [Download](https://eprint.iacr.org/2024/449.pdf)

    ### Abstract

    $n$-out-of-$n$ distributed signatures are a special type of threshold $t$-out-of-$n$ signatures. They are created by a group of $n$ signers, each holding a share of the secret key, in a collaborative way. This kind of signatures has been studied
    intensively in recent years, motivated by different applications such as reducing the risk of compromising secret keys in cryptocurrencies. Towards maintaining security in the presence of quantum adversaries, Damgård et al. (J Cryptol 35(2), 2022)
    proposed lattice-based constructions of $n$-out-of-$n$ distributed signatures and multi-signatures following the Fiat-Shamir with aborts paradigm (ASIACRYPT 2009). Due to the inherent issue of aborts, the protocols either require to increase their
    parameters by a factor of $n$, or they suffer from a large number of restarts that grows with $n$. This has a significant impact on their efficiency, even if $n$ is small. Moreover, the protocols use trapdoor homomorphic commitments as a further
    cryptographic building block, making their deployment in practice not as easy as standard lattice-based Fiat-Shamir signatures. In this work, we present a new construction of $n$-out-of-$n$ distributed signatures. It is designed specifically for
    applications with small number of signers. Our construction follows the Fiat-Shamir with aborts paradigm, but solves the problem of large number of restarts without increasing the parameters by a factor of $n$ and utilizing any further cryptographic
    primitive. To demonstrate the practicality of our protocol, we provide a software implementation and concrete parameters aiming at 128 bits of security. Furthermore, we select concrete parameters for the construction by Damgård et al. and for the most
    recent lattice-based multi-signature scheme by Chen (CRYPTO 2023), and show that our approach provides a significant improvement in terms of all efficiency metrics. Our results also show that the multi-signature schemes by Damgård et al. and Chen as
    well as a multi-signature variant of our protocol produce signatures that are not smaller than a naive multi-signature derived from the concatenation of multiple standard signatures.



    ## 2024/450

    * Title: The 2Hash OPRF Framework and Efficient Post-Quantum Instantiations
    * Authors: Ward Beullens, Lucas Dodgson, Sebastian Faller, Julia Hesse
    * [Permalink](https://eprint.iacr.org/2024/450)
    * [Download](https://eprint.iacr.org/2024/450.pdf)

    ### Abstract

    An Oblivious Pseudo-Random Function (OPRF) is a two-party protocol for jointly evaluating a Pseudo-Random Function (PRF), where a user has an input x and a server has an input k. At the end of the protocol, the user learns the evaluation of the PRF using
    key k at the value x, while the server learns nothing about the user's input or output.

    OPRFs are a prime tool for building secure authentication and key exchange from passwords, private set intersection, private information retrieval, and many other privacy-preserving systems. While classical OPRFs run as fast as a TLS Handshake, current *
    quantum-safe* OPRF candidates are still practically inefficient.

    In this paper, we propose a framework for constructing OPRFs from post-quantum multi-party computation. The framework captures a family of so-called "2Hash PRFs", which sandwich a function evaluation in between two hashes. The core of our framework is a
    compiler that yields an OPRF from a secure evaluation of any function that is key-collision resistant and one-more unpredictable. We instantiate this compiler by providing such functions built from Legendre symbols, and from AES encryption. We then give
    a case-tailored protocol for securely evaluating our Legendre-based function, built from oblivious transfer (OT) and zero-knowledge proofs (ZKP). Instantiated with lattice-based OT and ZKPs, we obtain a quantum-safe OPRF that completes in 0.57 seconds,
    with less than 1MB of communication.



    ## 2024/451

    * Title: Towards Verifiable FHE in Practice: Proving Correct Execution of TFHE's Bootstrapping using plonky2
    * Authors: Louis Tremblay Thibault, Michael Walter
    * [Permalink](https://eprint.iacr.org/2024/451)
    * [Download](https://eprint.iacr.org/2024/451.pdf)

    ### Abstract

    In this work we demonstrate for the first time that a full FHE bootstrapping operation can be proven using a SNARK in practice. We do so by designing an arithmetic circuit for the bootstrapping operation and prove it using plonky2. We are able to prove
    the circuit on an AWS C6i.metal instance in about 20 minutes. Proof size is about 200kB and verification takes less than 10ms. As the basis of our bootstrapping operation we use TFHE's programmable bootstrapping and modify it in a few places to more
    efficiently represent it as an arithmetic circuit (while maintaining full functionality and security). In order to achieve our results in a memory-efficient way, we take advantage of the structure of the computation and plonky2's ability to efficiently
    prove its own verification circuit to implement a recursion-based IVC scheme.



    ## 2024/452

    * Title: Modeling Mobile Crash in Byzantine Consensus
    * Authors: Hans Schmiedel, Runchao Han, Qiang Tang, Ron Steinfeld, Jiangshan Yu * [Permalink](https://eprint.iacr.org/2024/452)
    * [Download](https://eprint.iacr.org/2024/452.pdf)

    ### Abstract

    Targeted Denial-of-Service (DoS) attacks have been a practical concern
    for permissionless blockchains. Potential solutions, such as random
    sampling, are adopted by blockchains.
    However, the associated security guarantees have only been informally discussed in prior work. This
    is due to the fact that existing adversary models are either not
    fully capturing this attack or giving up certain design choices
    (as in the sleepy model or asynchronous network model), or too strong to
    be practical (as in the mobile Byzantine adversary model).

    This paper provides theoretical foundations and desired properties
    for consensus protocols that resist against targeted DoS attacks. In particular, we
    define the Mobile Crash Adaptive Byzantine (MCAB) model to capture such an attack. In addition, we
    identify and formalize two properties for consensus protocols under the MCAB model, and analyze their trade-offs.
    As case studies, we prove that Ouroboros Praos and Algorand are secure in our MCAB model, giving the first formal proofs supporting their security guarantee against targeted DoS attacks, which were previously only informally discussed.
    We also illustrate an application of our properties to secure a streamlined BFT protocol, chained Hotstuff, against targeted DoS attacks.



    ## 2024/453

    * Title: Verifiable Information-Theoretic Function Secret Sharing
    * Authors: Stanislav Kruglik, Son Hoang Dau, Han Mao Kiah, Huaxiong Wang, Liang Feng Zhang
    * [Permalink](https://eprint.iacr.org/2024/453)
    * [Download](https://eprint.iacr.org/2024/453.pdf)

    ### Abstract

    A function secret sharing (FSS) (Boyle et al., Eurocrypt 2015) is a cryptographic primitive that enables additive secret sharing of functions from a given function family $\mathcal{F}$. FSS supports a wide range of cryptographic applications, including
    private information retrieval (PIR), anonymous messaging systems, private set intersection and more. Formally, given positive integers $r \geq 2$ and $t < r$, and a class $\mathcal{F}$ of functions $f: [n] \to \mathbb{G}$ for an Abelian group $\mathbb{G}$
    , an $r$-party $t$-private FSS scheme for $\mathcal{F}$ allows a dealer to split each $f \in \mathcal{F}$ into $r$ function shares $f_1, \ldots, f_r$ among $r$ servers. Shares have the property that $f = f_1 + \cdots + f_r$ and functions are
    indistinguishable for any coalition of up to $t$ servers. FSS for point function $f_{\alpha_1,\ldots,\alpha_l,\beta_1,\ldots,\beta_l}$ for different $\alpha$ and $l<t$ that evaluates to $\beta_i$ on input $\alpha_i$ for all $i\in[l]$ and to zero on all
    other inputs for $l=1$ are known under the name of distributed point functions (DPF). FSS for special interval functions $f^{<}_{\alpha,\beta}$ that evaluate to $\beta$ on inputs lesser than $\alpha$ and to zero on all other inputs are known under the
    name of distributed comparison functions (DCF).

    Most existing FSS schemes are based on the existence of one-way functions or pseudo-random generators, and as a result, hiding of function $f$ holds only against computationally bounded adversaries. Protocols employing them as building blocks are
    computationally secure. Several exceptions mostly focus on DPF for four, eight or $d(t+1)$ servers for positive integer $d$, and none of them provide verifiability.

    In this paper, we propose DPF for $d(t+l-1)+1$ servers, where $d$ is a positive integer, offering a better key size compared to the previously proposed DPF for $d(t+1)$ servers and DCF for $dt+1$ servers, also for positive integer $d$. We introduce their
    verifiable extension in which any set of servers holding $t$ keys cannot persuade us to accept the wrong value of the function. This verifiability notion differs from existing verifiable FSS schemes in the sense that we verify not only the belonging of
    the function to class $\mathcal{F}$ but also the correctness of computation results. Our schemes provide a secret key size $O(n^{1/d}\cdot s\log(p))$ for DPF and $O(n^{1/d}\cdot s\log(p))$ for DCF, where $p^s$ is the size of group $\mathbb{G}$.



    ## 2024/454

    * Title: The Systemic Errors of Banded Quantum Fourier Transformation
    * Authors: Zhengjun Cao, Zhenfu Cao
    * [Permalink](https://eprint.iacr.org/2024/454)
    * [Download](https://eprint.iacr.org/2024/454.pdf)

    ### Abstract

    Quantum Fourier Transformation (QFT) needs to construct the rotation gates with extremely tiny angles. Since it is impossible to physically manipulate such tiny angles (corresponding to extremely weak energies), those gates should be replaced by some
    scaled and controllable gates. The version of QFT is called banded QFT (BQFT), and can be mathematically specified by Kronecker product and binary fraction. But the systemic errors of BQFT has never been heuristically estimated. In this paper, we
    generate the programming code for BQFT and argue that its systemic errors are not negligible, which means the physical implementation of QFT with a huge transform size is still a challenge. To the best of our knowledge, it is the first time to obtain
    the result.



    ## 2024/455

    * Title: Anonymous Complaint Aggregation for Secure Messaging
    * Authors: Connor Bell, Saba Eskandarian
    * [Permalink](https://eprint.iacr.org/2024/455)
    * [Download](https://eprint.iacr.org/2024/455.pdf)

    ### Abstract

    Private messaging platforms provide strong protection against platform eavesdropping, but malicious users can use privacy as cover for spreading abuse and misinformation. In an attempt to identify the sources of misinformation on private platforms,
    researchers have proposed mechanisms to trace back the source of a user-reported message (CCS '19,'21). Unfortunately, the threat model considered by initial proposals allowed a single user to compromise the privacy of another user whose legitimate
    content the reporting user did not like. More recent work has attempted to mitigate this side effect by requiring a threshold number of users to report a message before its origins can be identified (NDSS '22). However, the state of the art scheme
    requires the introduction of new probabilistic data structures and only achieves a "fuzzy" threshold guarantee. Moreover, false positives, where the source of an unreported message is identified, are possible.

    This paper introduces a new threshold source tracking technique that allows a private messaging platform, with the cooperation of a third-party moderator, to operate a threshold reporting scheme with exact thresholds and no false positives. Unlike prior
    work, our techniques require no modification of the message delivery process for a standard source tracking scheme, affecting only the abuse reporting procedure, and do not require tuning of probabilistic data structures.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)