[digest] 2023 Week 38
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2023 Week 38
Date: Sun, 24 Sep 2023 19:30:23 -0000
Organization: A noiseless patient Spider
Lines: 1965
Message-ID: <fTH0rZF4uMeJUmjzxO8Bf8P1QiREeVUM@eprint.iacr.org.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Injection-Info: dont-email.me; posting-host="f0d2364b387cf4c4f81e808d534bd194";
logging-data="1574423"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+VkihT9ZQvSLNXnVVv4el+XHhGxVru5ng="
Cancel-Lock: sha1:2jrn7nAwSgRLf7qRJNWszVskh0U=

## In this issue

1. [2023/146] Optimized Quantum Implementation of AES
2. [2023/707] Concurrent Security of Anonymous Credentials Light, ...
3. [2023/794] Areion: Highly-Efficient Permutations and Its ...
4. [2023/816] Simplified Modeling of MITM Attacks for Block ...
5. [2023/818] Generalized Special-Sound Interactive Proofs and ...
6. [2023/1388] Sigma Protocols from Verifiable Secret Sharing and ...
7. [2023/1411] zk-SNARKs from Codes with Rank Metrics
8. [2023/1412] Algebraic isomorphic spaces of ideal lattices, ...
9. [2023/1413] Scalable Multi-party Private Set Union from Multi- ...
10. [2023/1414] Differential-Linear Approximation Semi- ...
11. [2023/1415] Generalized Fuzzy Password-Authenticated Key ...
12. [2023/1416] On Black-Box Knowledge-Sound Commit-And-Prove SNARKs
13. [2023/1417] Improved Quantum Circuits for AES: Reducing the ...
14. [2023/1418] Short Concurrent Covert Authenticated Key Exchange ...
15. [2023/1419] Improving the Rectangle Attack on GIFT-64
16. [2023/1420] Rogue-Instance Security for Batch Knowledge Proofs
17. [2023/1421] Efficient Secure Storage with Version Control and ...
18. [2023/1422] Tight Security Bound of 2k-LightMAC Plus
19. [2023/1423] Quantum Lattice Enumeration in Limited Depth
20. [2023/1424] PRIVATON - Privacy Preserving Automaton for Proof ...
21. [2023/1425] Popping “R-propping”: breaking hardness assumptions ...
22. [2023/1426] Arithmetic Circuit Implementations of S-boxes for ...
23. [2023/1427] Efficient Hardware RNS Decomposition for Post- ...
24. [2023/1428] XNET: A Real-Time Unified Secure Inference Framework ....
25. [2023/1429] Leveraging GPU in Homomorphic Encryption: Framework ...
26. [2023/1430] A note on ``ISG-SLAS: secure and lightweight ...
27. [2023/1431] Forgery Attacks on Several Beyond-Birthday-Bound ...
28. [2023/1432] Populating the Zoo of Rugged Pseudorandom Permutations
29. [2023/1433] A polynomial-time attack on instances of M-SIDH and ...
30. [2023/1434] An Efficient Strong Asymmetric PAKE Compiler ...
31. [2023/1435] Identity-Based Matchmaking Encryption, Revisited: ...
32. [2023/1436] Cryptanalysis of Elisabeth-4
33. [2023/1437] KpqBench: Performance and Implementation Security ...
34. [2023/1438] Private Web Search with Tiptoe
35. [2023/1439] Dynamic Security Aspects of Onion Routing
36. [2023/1440] Comment on Enhanced DNA and ElGamal cryptosystem ...
37. [2023/1441] Out of the Box Testing
38. [2023/1442] Everlasting ROBOT: the Marvin Attack
39. [2023/1443] Security with Functional Re-Encryption from CPA
40. [2023/1444] On Time-Space Lower Bounds for Finding Short ...
41. [2023/1445] HEIR: A Unified Representation for Cross-Scheme ...
42. [2023/1446] HE$^3$DB: An Efficient and Elastic Encrypted ...
43. [2023/1447] Practical Round-Optimal Blind Signatures in the ROM ...
44. [2023/1448] The supersingular endomorphism ring problem given ...
45. [2023/1449] Truncated Differential Attacks: New Insights and ...
46. [2023/1450] Post-Quantum Fully Homomorphic Encryption with ...
47. [2023/1451] Counting Unpredictable Bits: A Simple PRG from One- ...
48. [2023/1452] Commitments with Efficient Zero-Knowledge Arguments ...
49. [2023/1453] Preimage and Collision Attacks on Reduced Ascon ...
50. [2023/1454] Scalable Off-Chain Auctions
51. [2023/1455] Efficient Secure Two Party ECDSA
52. [2023/1456] The Generating Series of Support Minors MinRank Ideals
53. [2023/1457] Provable Security Analysis of the Secure Remote ...
54. [2023/1458] A Further Study of Vectorial Dual-Bent Functions
55. [2023/1459] Identity-Based Threshold Signatures from Isogenies
56. [2023/1460] Rigorous Foundations for Dual Attacks in Coding Theory
57. [2023/1461] Do Private Transaction Pools Mitigate Frontrunning ...
58. [2023/1462] High-precision RNS-CKKS on fixed but smaller word- ...
59. [2023/1463] Cascade: Leaderless State-Machine Replication with ...

## 2023/146

* Title: Optimized Quantum Implementation of AES
* Authors: Da Lin, Zejun Xiang, Runqing Xu, Shasha Zhang, Xiangyong Zeng
* [Permalink](https://eprint.iacr.org/2023/146)
* [Download](https://eprint.iacr.org/2023/146.pdf)

### Abstract

This work researches the implementation of the AES family with Pauli-X gates, CNOT gates and Toffoli gates as the underlying quantum logic gate set. First, the properties of quantum circuits are investigated, as well as the influence of Pauli-X gates, CNOT gates and Toffoli gates on the performance of the circuits constructed with those gates. Based on these properties and the observations on the hardware circuits built by Boyar et al. and Zou et al., it is possible to construct quantum circuits for AES's Substitution-box (S-box) and its inverse (S-box$^{-1}$) by rearranging the classical implementation into three parts. Since the second part is treated as a 4-bit S-box in this paper and can be dealt with by existing tools, a heuristic is proposed to search for optimized quantum circuits for the first and the third parts. In addition, considering the number of S-boxes executed in parallel, the trade-offs between the qubit consumption and the $T\cdot M$ values for the round function and key schedule of AES are studied. As a result, quantum circuits of AES-128, AES-192 and AES-256 can be constructed with 269, 333 and 397 qubits, respectively. If more qubits are allowed, quantum circuits that outperform state-of-the-art schemes in the metric of the $T\cdot M$ value for the AES family can be reported, and they need only 474, 538 and 602 qubits for AES-128, AES-192 and AES-256, respectively.

## 2023/707

* Title: Concurrent Security of Anonymous Credentials Light, Revisited
* Authors: Julia Kastner, Julian Loss, Omar Renawi
* [Permalink](https://eprint.iacr.org/2023/707)
* [Download](https://eprint.iacr.org/2023/707.pdf)

### Abstract

We revisit the concurrent security guarantees of the well-known Anonymous Credentials Light (ACL) scheme (Baldimtsi and Lysyanskaya, CCS'13). This scheme was originally proven secure when executed sequentially, and its concurrent security was left as an open problem.
A later work of Benhamouda et al. (EUROCRYPT'21) gave an efficient attack on ACL when executed concurrently, seemingly resolving this question once and for all.

In this work, we point out a subtle flaw in the attack of Benhamouda et al. on ACL and show, in spite of popular opinion, that it can be proven concurrently secure.
Our modular proof in the algebraic group model uses an ID scheme as an intermediate step and leads to a major simplification of the complex security argument for Abe's Blind Signature scheme by Kastner et al. (PKC'22).

## 2023/794

* Title: Areion: Highly-Efficient Permutations and Its Applications (Extended Version)
* Authors: Takanori Isobe, Ryoma Ito, Fukang Liu, Kazuhiko Minematsu, Motoki Nakahashi, Kosei Sakamoto, Rentaro Shiba
* [Permalink](https://eprint.iacr.org/2023/794)
* [Download](https://eprint.iacr.org/2023/794.pdf)

### Abstract

In real-world applications, the overwhelming majority of cases require (authenticated) encryption or hashing with relatively short input, say up to 2K bytes. Almost all TCP/IP packets are 40 to 1.5K bytes, and the maximum packet lengths of major protocols, e.g., Zigbee, Bluetooth Low Energy, and Controller Area Network (CAN), are less than 128 bytes. However, existing schemes are not well optimized for short input. To bridge the gap between real-world needs (in the future) and the limited performance of state-of-the-art hash functions and authenticated encryptions with associated data (AEADs) for short input, we design a family of wide-block permutations, Areion, that fully leverages the power of AES instructions, which are widely deployed in many devices. As for its applications, we propose several hash functions and AEADs. Areion significantly outperforms existing schemes for short input and is even competitive for relatively long messages. Indeed, our hash function is surprisingly fast, and its performance is less than three cycles/byte on the latest Intel architectures for any message size. It is significantly faster than existing state-of-the-art schemes for short messages up to around 100 bytes, which is the most widely used input size in real-world applications, on both the latest CPU architectures (Ice Lake, Tiger Lake, and Alder Lake) and mobile platforms (Pixel 7, iPhone 14, and iPad Pro with Apple M2).

## 2023/816

* Title: Simplified Modeling of MITM Attacks for Block Ciphers: new (Quantum) Attacks
* Authors: André Schrottenloher, Marc Stevens
* [Permalink](https://eprint.iacr.org/2023/816)
* [Download](https://eprint.iacr.org/2023/816.pdf)

### Abstract

The meet-in-the-middle (MITM) technique has led to many key-recovery attacks on block ciphers and preimage attacks on hash functions. Nowadays, cryptographers use automatic tools that reduce the search for MITM attacks to an optimization problem. Bao et al. (EUROCRYPT 2021) introduced a low-level modeling based on Mixed Integer Linear Programming (MILP) for MITM attacks on hash functions, which was extended to key-recovery attacks by Dong et al. (CRYPTO 2021). However, the modeling only covers AES-like designs. Schrottenloher and Stevens (CRYPTO 2022) proposed a different approach aiming at higher-level simplified models. However, this modeling was limited to cryptographic permutations.

In this paper, we extend the latter simplified modeling to also cover block ciphers with simple key schedules. The resulting modeling enables us to target a large array of primitives, typically lightweight SPN ciphers where the key schedule has a slow diffusion, or none at all. We give several applications such as full breaks of the PIPO-256 and FUTURE block ciphers, and reduced-round classical and quantum attacks on SATURNIN-Hash.


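As an added example, not part of the digest and not taken from any of the papers summarized above: the basic meet-in-the-middle key recovery that the 2023/816 abstract refers to, run against double encryption with a constructed 16-bit toy SPN. The cipher, its S-box, the rotation-based key schedule, and the keys and plaintexts below are all assumptions made for the demonstration. What it shows is the cost structure of the attack (about 2^17 cipher calls and a 2^16-entry table instead of 2^32 trial decryptions) and why, with a block this small, the first known pair leaves roughly 2^16 candidate keys so that two more pairs are needed to isolate the real one.

```python
"""Meet-in-the-middle (MITM) key recovery against double encryption of a toy cipher.

Toy 16-bit SPN with a 16-bit key; encrypting twice with independent keys gives a
32-bit composite key. Brute force costs about 2^32 evaluations; MITM costs about
2^16 encryptions + 2^16 decryptions plus a cheap filtering pass, in exchange for a
2^16-entry table. The cipher, S-box and key schedule are invented for this demo.
"""
from typing import Dict, List, Tuple

MASK = 0xFFFF
ROUNDS = 4
KEY_BITS = 16
# 4-bit bijective S-box (values of the first row of DES S1, used only as a toy table).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def _sub16(x: int, box: List[int]) -> int:
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return ((box[x >> 12] << 12) | (box[(x >> 8) & 0xF] << 8)
            | (box[(x >> 4) & 0xF] << 4) | box[x & 0xF])


# Precompute the full 16-bit substitution layer so each round is one table lookup.
SUB = [_sub16(x, SBOX) for x in range(1 << 16)]
INV_SUB = [_sub16(x, INV_SBOX) for x in range(1 << 16)]


def _rotl16(x: int, n: int) -> int:
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK


def _round_keys(k: int) -> List[int]:
    """Deliberately weak key schedule: round key i is the master key rotated by 3*i bits."""
    return [_rotl16(k, 3 * i) for i in range(ROUNDS + 1)]


def toy_encrypt(k: int, p: int) -> int:
    rk = _round_keys(k)
    x = p & MASK
    for i in range(ROUNDS):
        x = _rotl16(SUB[x ^ rk[i]], 5)   # add round key, substitute, bit-permute
    return x ^ rk[ROUNDS]                 # final whitening key


def toy_decrypt(k: int, c: int) -> int:
    rk = _round_keys(k)
    x = (c & MASK) ^ rk[ROUNDS]
    for i in reversed(range(ROUNDS)):
        x = INV_SUB[_rotl16(x, 11)] ^ rk[i]  # rotl 11 undoes rotl 5, then inverse S-box, key
    return x


def double_encrypt(k1: int, k2: int, p: int) -> int:
    """C = E_k2(E_k1(P)), a 32-bit composite key."""
    return toy_encrypt(k2, toy_encrypt(k1, p))


def mitm_recover(pairs: List[Tuple[int, int]]) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Returns (candidates, survivors): every (k1, k2) consistent with the first
    pair alone, and the subset that also explains all remaining pairs. With a
    16-bit block a single pair leaves about 2^32 / 2^16 = 2^16 candidates, so at
    least two further pairs are needed to single out the key.
    """
    p0, c0 = pairs[0]
    # Forward table: intermediate value E_k1(p0) -> all k1 producing it (2^16 entries).
    forward: Dict[int, List[int]] = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward pass: D_k2(c0) must meet the table in the middle.
    candidates: List[Tuple[int, int]] = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(toy_decrypt(k2, c0), ()):
            candidates.append((k1, k2))
    survivors = [
        (k1, k2) for (k1, k2) in candidates
        if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])
    ]
    return candidates, survivors


if __name__ == "__main__":
    # Constructed demo key and plaintexts, not taken from any real system.
    K1, K2 = 0x1A2B, 0xC3D4
    pairs = [(p, double_encrypt(K1, K2, p)) for p in (0x0123, 0x4567, 0x89AB)]
    cands, found = mitm_recover(pairs)
    print(f"candidates after one pair: {len(cands)}; after three pairs: {found}")
```

The filtering pass is where the block size bites: each candidate from the first pair has a 2^-16 chance of surviving a further pair, so a second pair still leaves about one false positive on average and a third is needed before the survivor list can be trusted. The same table-versus-time trade-off is what the MILP and simplified models in the abstract automate for real ciphers, where the "middle" is a partial state rather than a full block.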