[digest] 2023 Week 40
From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2023 Week 40
Date: Mon, 09 Oct 2023 02:23:11 -0000
Organization: A noiseless patient Spider
Lines: 1518
Message-ID: <JQGVoGTsy0tFfbc_MtzBhbSXCO0CZV6X@eprint.iacr.org.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

## In this issue

1. [2023/796] Generic Security of the Ascon Mode: On the Power of ...
2. [2023/1400] Efficient Updatable Public-Key Encryption from Lattices
3. [2023/1410] Two Algorithms for Fast GPU Implementation of NTT
4. [2023/1481] A Total Break of the Scrap Digital Signature Scheme
5. [2023/1482] Twinkle: Threshold Signatures from DDH with Full ...
6. [2023/1483] Lower Bounds on Anonymous Whistleblowing
7. [2023/1484] Blind signatures from Zero knowledge in the Kummer ...
8. [2023/1485] How to Physically Hold Your Bitcoins ?
9. [2023/1486] RC4OK. An improvement of the RC4 stream cipher
10. [2023/1487] A Novel Mathematical Formal Proof in Unreliability ...
11. [2023/1488] SCALLOP-HD: group action from 2-dimensional isogenies
12. [2023/1489] To Broadcast or Not to Broadcast: Decision-Making ...
13. [2023/1490] Revisiting Remote State Preparation with ...
14. [2023/1491] Subversion-Resilient Signatures without Random Oracles
15. [2023/1492] A Quantum Approach for Reducing Communications in ...
16. [2023/1493] Measuring the Concentration of Control in ...
17. [2023/1494] Committing authenticated encryption based on SHAKE
18. [2023/1495] Key Committing Security Analysis of AEGIS
19. [2023/1496] A Privacy-preserving Central Bank Ledger for ...
20. [2023/1497] A note on ``authenticated key agreement protocols ...
21. [2023/1498] On the Hardness of $\sf{S|LWE\rangle}$ with ...
22. [2023/1499] Linearly-Homomorphic Signatures for Short ...
23. [2023/1500] Holographic SNARGs for P and Batch-NP from ...
24. [2023/1501] Optimizing Space in Regev's Factoring Algorithm
25. [2023/1502] (In)security of stream ciphers against quantum ...
26. [2023/1503] zk-Bench: A Toolset for Comparative Evaluation and ...
27. [2023/1504] Algebraic Group Model with Oblivious Sampling
28. [2023/1505] PQ.V.ALU.E: Post-Quantum RISC-V Custom ALU ...
29. [2023/1506] IS-CUBE: An isogeny-based compact KEM using a boxed ...
30. [2023/1507] Efficient Agreement Over Byzantine Gossip
31. [2023/1508] Provable Dual Attacks on Learning with Errors
32. [2023/1509] Efficient and Usable Coercion-Resistant E-Voting on ...
33. [2023/1510] Towards Practical Doubly-Efficient Private ...
34. [2023/1511] Lower bound of costs of formulas to compute image ...
35. [2023/1512] List Oblivious Transfer and Applications to Round- ...
36. [2023/1513] Making an Asymmetric PAKE Quantum-Annoying by ...
37. [2023/1514] Leakage-Free Probabilistic Jasmin Programs
38. [2023/1515] OPTIKS: An Optimized Key Transparency System
39. [2023/1516] Can open decentralized ledgers be economically secure?
40. [2023/1517] Threshold Implementations with Non-Uniform Inputs
41. [2023/1518] Lookup Arguments: Improvements, Extensions and ...
42. [2023/1519] Accountable Decryption made Formal and Practical
43. [2023/1520] Kirby: A Robust Permutation-Based PRF Construction
44. [2023/1521] A reduced set of submatrices for a faster ...
45. [2023/1522] cuML-DSA: Optimized Signing Procedure and Server- ...
46. [2023/1523] On the Privacy of Sublinear-Communication Jaccard ...

## 2023/796

* Title: Generic Security of the Ascon Mode: On the Power of Key Blinding
* Authors: Charlotte Lefevre, Bart Mennink
* [Permalink](https://eprint.iacr.org/2023/796)
* [Download](https://eprint.iacr.org/2023/796.pdf)

### Abstract

The Ascon authenticated encryption scheme has recently been selected as the winner of the NIST Lightweight Cryptography competition. Despite its fame, however, there is no known overall generic security treatment of its mode: most importantly, all earlier related generic security results only use the key to initialize the state and do not take into account key blinding internally and at the end. In this work we present a thorough security analysis of the Ascon mode: we consider multi-user and possibly nonce-misuse security by default, but more importantly, we particularly investigate the role of the key blinding. More technically, our analysis includes an authenticity study in various attack settings. This analysis includes a description of a security model of authenticity under state recovery, which captures the idea that the mode aims to still guarantee authenticity and security against key recovery even if an inner state is revealed to the adversary in some way, for instance through leakage. We prove that Ascon satisfies this security property, thanks to its unique key blinding technique.

## 2023/1400

* Title: Efficient Updatable Public-Key Encryption from Lattices
* Authors: Calvin Abou Haidar, Alain Passelègue, Damien Stehlé
* [Permalink](https://eprint.iacr.org/2023/1400)
* [Download](https://eprint.iacr.org/2023/1400.pdf)

### Abstract

Updatable public key encryption has recently been introduced as a solution to achieve forward security in the context of secure group messaging without hurting efficiency, but so far, no efficient lattice-based instantiation of this primitive is known.

In this work, we construct the first LWE-based UPKE scheme with polynomial modulus-to-noise rate, which is CPA-secure in the standard model. At the core of our security analysis is a generalized reduction from the standard LWE problem to (a stronger version of) the Extended LWE problem. We further extend our construction to achieve stronger security notions by proposing two generic transforms. Our first transform allows us to obtain CCA security in the random oracle model and adapts the Fujisaki-Okamoto transform to the UPKE setting. Our second transform allows us to achieve security against malicious updates by adding a NIZK argument to the update mechanism. In the process, we also introduce the notion of Updatable Key Encapsulation Mechanism (UKEM), as the updatable variant of KEMs. Overall, we obtain a CCA-secure UKEM in the random oracle model whose ciphertext sizes are of the same order of magnitude as those of CRYSTALS-Kyber.

## 2023/1410

* Title: Two Algorithms for Fast GPU Implementation of NTT
* Authors: Ali Şah Özcan, Erkay Savaş
* [Permalink](https://eprint.iacr.org/2023/1410)
* [Download](https://eprint.iacr.org/2023/1410.pdf)

### Abstract

The number theoretic transform (NTT) permits a very efficient method to perform multiplication of very large degree polynomials, which is the most time-consuming operation in fully homomorphic encryption (FHE) schemes and a class of non-interactive succinct zero-knowledge proof systems such as zk-SNARK. Efficient modular arithmetic plays an important role in the performance of NTT, and therefore it is studied extensively. The access pattern to the memory, on the other hand, may play a much greater role, as the NTT execution time is mostly memory-bound due to large degree polynomials. In this paper, we propose two algorithms for fast computation of NTT on a class of graphical processing units (GPU) by optimizing the memory access patterns. We present an approach i) to optimize the number of accesses to slow global memory for thread synchronization, and ii) to make better use of spatial locality in global memory accesses. It turns out that by controlling certain parameters in the CUDA platform for general-purpose GPU computing (GPGPU) such as kernel count, block size and block shape, we can affect the performance of NTT. To the best of our knowledge, this work is unique in that it suggests a recipe for selecting optimum CUDA parameters to obtain the best NTT performance for a given polynomial degree. Our implementation results on various GPU devices for all power-of-two polynomial degrees from $2^{12}$ to $2^{28}$ show that our algorithms compare favorably with the other state-of-the-art GPU implementations in the literature with the optimum selection of these three CUDA parameters.

## 2023/1481

* Title: A Total Break of the Scrap Digital Signature Scheme
* Authors: Daniel Smith-Tone
* [Permalink](https://eprint.iacr.org/2023/1481)
* [Download](https://eprint.iacr.org/2023/1481.pdf)

### Abstract

Recently a completely new post-quantum digital signature scheme was proposed using the so-called "scrap automorphisms". The structure is inherently multivariate, but differs significantly from most of the multivariate literature in that it relies on sparsity and rings containing zero divisors. In this article, we derive a complete and total break of Scrap, performing a key recovery in not much more time than verifying a signature. We also generalize the result, breaking unrealistic instances of the scheme for which there is no particularly efficient signing algorithm and key sizes are unmanageable.

## 2023/1482

* Title: Twinkle: Threshold Signatures from DDH with Full Adaptive Security
* Authors: Renas Bacho, Julian Loss, Stefano Tessaro, Benedikt Wagner, Chenzhi Zhu
* [Permalink](https://eprint.iacr.org/2023/1482)
* [Download](https://eprint.iacr.org/2023/1482.pdf)

### Abstract

Sparkle is the first threshold signature scheme in the pairing-free discrete logarithm setting (Crites, Komlo, Maller, Crypto 2023) to be proven secure under adaptive corruptions. However, without using the algebraic group model, Sparkle's proof imposes an undesirable restriction on the adversary. Namely, for a signing threshold $t<n$, the adversary is restricted to corrupt at most $t/2$ parties. In addition, Sparkle's proof relies on a strong one-more assumption.

In this work, we propose Twinkle, a new threshold signature scheme in the pairing-free setting which overcomes these limitations. Twinkle is the first pairing-free scheme to have a security proof under up to $t$ adaptive corruptions without relying on the algebraic group model. It is also the first such scheme with a security proof under adaptive corruptions from a well-studied non-interactive assumption, namely, the Decisional Diffie-Hellman (DDH) assumption.
