From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2023 Week 43
Date: Mon, 30 Oct 2023 02:32:12 -0000
Organization: A noiseless patient Spider
Message-ID: <yaDI6ydcahaE_lPX2-Yydx_lHswKiCEH@eprint.iacr.org.invalid>

## In this issue

1. [2023/793] Optimizations and Practicality of High-Security CSIDH
2. [2023/1628] Cryptanalysis of the Peregrine Lattice-Based ...
3. [2023/1629] A Note on ``A Time-Sensitive Token-Based Anonymous ...
4. [2023/1630] Crystalor: Persistent Memory Encryption Mechanism ...
5. [2023/1631] ASKPIR: Authorized Symmetric Keyword Privacy ...
6. [2023/1632] On Decompositions of Permutations in Quadratic ...
7. [2023/1633] One-time and Revocable Ring Signature with ...
8. [2023/1634] On the (In)Security of the BUFF Transform
9. [2023/1635] Oblivious issuance of proofs
10. [2023/1636] Unbalanced Circuit-PSI from Oblivious Key-Value ...
11. [2023/1637] Algorithmic Views of Vectorized Polynomial ...
12. [2023/1638] The One-Wayness of Jacobi Signatures
13. [2023/1639] Analysis of a Quantum Attack on the Blum-Micali ...
14. [2023/1640] Quantum Key Leasing for PKE and FHE with a ...
15. [2023/1641] PSKPIR: Symmetric Keyword Private Information ...
16. [2023/1642] A New Perspective on Key Switching for BGV-like Schemes
17. [2023/1643] Oblivious Turing Machine
18. [2023/1644] An End-to-End Framework for Private DGA Detection ...
19. [2023/1645] The Dilemma and Prospects of Academic Misconduct in ...
20. [2023/1646] Security Bounds for Proof-Carrying Data from ...
21. [2023/1647] Who Watches the Watchers: Attacking Glitch ...
22. [2023/1648] On-Chain Timestamps Are Accurate
23. [2023/1649] A New Framework for Fast Homomorphic Matrix ...
24. [2023/1650] An Efficient Algorithm for Solving the MQ Problem ...
25. [2023/1651] Publicly Verifiable Secret Sharing over Class ...
26. [2023/1652] On Sigma-Protocols and (packed) Black-Box Secret ...
27. [2023/1653] QCB is Blindly Unforgeable
28. [2023/1654] On Gaussian sampling, smoothing parameter and ...
29. [2023/1655] Approximate Lower Bound Arguments
30. [2023/1656] Privacy-Preserving Digital Vaccine Passport
31. [2023/1657] PQCMC: Post-Quantum Cryptography McEliece-Chen ...
32. [2023/1658] On the Security of Triplex- and Multiplex-type ...
33. [2023/1659] Partial Sums Meet FFT: Improved Attack on 6-Round AES
34. [2023/1660] FaBFT: Flexible Asynchronous BFT Protocol Using DAG
35. [2023/1661] Publicly Detectable Watermarking for Language Models
36. [2023/1662] Family of embedded curves for BLS
37. [2023/1663] Proof-of-Work-based Consensus in Expected-Constant Time
38. [2023/1664] On the Complexity and Admissible Parameters of the ...
39. [2023/1665] Model Stealing Attacks On FHE-based Privacy- ...
40. [2023/1666] MiRitH: Efficient Post-Quantum Signatures from ...
41. [2023/1667] Unleashing the Power of Differential Fault Attacks ...
42. [2023/1668] Arithmetization Oriented Encryption
43. [2023/1669] $\Pi$: A Unified Framework for Verifiable Secret ...
44. [2023/1670] Unbalanced Private Set Intersection from ...
45. [2023/1671] A note on ``SCPUAK: smart card-based secure ...
46. [2023/1672] Fine-grained Policy Constraints for Distributed ...
47. [2023/1673] Designing Full-Rate Sponge based AEAD modes
48. [2023/1674] Carry Your Fault: A Fault Propagation Attack on ...
49. [2023/1675] Another Look at Differential-Linear Attacks
50. [2023/1676] FutORAMa: A Concretely Efficient Hierarchical ...
51. [2023/1677] Multi-Theorem Fiat-Shamir Transform from ...

## 2023/793

* Title: Optimizations and Practicality of High-Security CSIDH
* Authors: Fabio Campos, Jorge Chavez-Saab, Jesús-Javier Chi-Domínguez, Michael Meyer, Krijn Reijnders, Francisco Rodríguez-Henríquez, Peter Schwabe, Thom Wiggers
* [Permalink](https://eprint.iacr.org/2023/793)
* [Download](https://eprint.iacr.org/2023/793.pdf)

### Abstract

In this work, we assess the real-world practicality of CSIDH, an isogeny-based non-interactive key exchange. We provide the first thorough assessment of the practicality of CSIDH in higher parameter sizes for conservative estimates of quantum security, and with protection against physical attacks.

This requires a three-fold analysis of CSIDH. First, we describe two approaches to efficient high-security CSIDH implementations, based on SQALE and CTIDH. Second, we optimize such high-security implementations, at a high level by improving several subroutines, and at a low level by improving the finite field arithmetic. Third, we benchmark the performance of high-security CSIDH. As a stand-alone primitive, our implementations outperform previous results by a factor of up to 2.53×.

As a real-world use case involving network protocols, we use CSIDH in TLS variants that allow early authentication through a NIKE. Although our instantiations of CSIDH have smaller communication requirements than post-quantum KEM and signature schemes, even our highly optimized implementations result in handshake latencies that are too large (tens of seconds), showing that CSIDH is only practical in niche cases.

## 2023/1628

* Title: Cryptanalysis of the Peregrine Lattice-Based Signature Scheme
* Authors: Xiuhan Lin, Moeto Suzuki, Shiduo Zhang, Thomas Espitau, Yang Yu, Mehdi Tibouchi, Masayuki Abe
* [Permalink](https://eprint.iacr.org/2023/1628)
* [Download](https://eprint.iacr.org/2023/1628.pdf)

### Abstract

The Peregrine signature scheme is one of the candidates in the ongoing Korean post-quantum cryptography competition. It is proposed as a high-speed variant of Falcon, which is a hash-and-sign signature scheme over NTRU lattices and one of the schemes selected by NIST for standardization. To this end, Peregrine replaces the lattice Gaussian sampler in the Falcon signing procedure with a new sampler based on the centered binomial distribution. While this modification offers significant advantages in terms of efficiency and implementation, it does not come with a provable guarantee that signatures do not leak information about the signing key. Unfortunately, lattice-based signature schemes in the hash-and-sign paradigm that lack such a guarantee (such as GGH, NTRUSign or DRS) have generally proved insecure.

In this paper, we show that Peregrine is no exception, by demonstrating a practical key recovery attack against it. We observe that the support of Peregrine signatures is a hidden transformation of some public distribution and still leaks information about the signing key. By adapting the parallelepiped-learning technique of Nguyen and Regev (Eurocrypt 2006), we show that the signing key can be recovered from a relatively small number of signatures. The learning technique alone yields an approximate version of the key, from which we can recover the exact key using a decoding technique due to Thomas Prest (PKC 2023).

For the reference implementation (resp. the official specification version) of Peregrine-512, we fully recover the secret key with good probability in a few hours given around 25,000 (resp. 11 million) signature samples.

## 2023/1629

* Title: A Note on ``A Time-Sensitive Token-Based Anonymous Authentication and Dynamic Group Key Agreement Scheme for Industry 5.0''
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](https://eprint.iacr.org/2023/1629)
* [Download](https://eprint.iacr.org/2023/1629.pdf)

### Abstract

We show that Xu et al.'s authentication and key agreement scheme [IEEE Trans. Ind. Informatics, 18(10), 7118-7127, 2022] is flawed. (1) It confuses some operations on bilinear maps and presents some inconsistent computations. (2) It fails to provide anonymity, contrary to its claim: the adversary can use any device's public key stored in the blockchain to test some verification equations and thereby reveal the identity of a target device.

## 2023/1630

* Title: Crystalor: Persistent Memory Encryption Mechanism with Optimized Metadata Structure and Fast Crash Recovery
* Authors: Rei Ueno, Hiromichi Haneda, Naofumi Homma, Akiko Inoue, Kazuhiko Minematsu
* [Permalink](https://eprint.iacr.org/2023/1630)
* [Download](https://eprint.iacr.org/2023/1630.pdf)

### Abstract

This study presents an efficient persistent memory encryption mechanism, named Crystalor, which realizes a secure persistent/non-volatile memory based on an authentication tree with structural optimization, such as the split counter (SC). Crystalor can fully exploit the advantage of metadata compression techniques, whereas existing mechanisms are incompatible with such optimization. Meanwhile, Crystalor incurs almost no latency overhead under nominal operating conditions for realizing crash consistency/recoverability. We implement Crystalor with a state-of-the-art parallelizable authentication tree instance, namely ELM (IEEE TIFS 2022), and evaluate its effectiveness by both algorithmic analysis and system-level simulation in comparison with the existing state-of-the-art mechanisms (e.g., SCUE in HPCA 2023). For protecting a 4 TB memory, Crystalor requires 29–62% fewer clock cycles per memory read/write operation than SCUE owing to its compatibility with the SC. In addition, Crystalor and SCUE require 312 GB and 554 GB of memory overhead for metadata, respectively, which means that Crystalor reduces the memory overhead by 44%. The result of the system-level simulation using the gem5 simulator indicates that Crystalor reduces workload execution time by up to 11.5% relative to SCUE. Moreover, Crystalor can offer lazy recovery, which makes recovery several thousand times faster than SCUE.

## 2023/1631

* Title: ASKPIR: Authorized Symmetric Keyword Privacy Information Retrieval Protocol Based on DID
* Authors: Zuodong Wu, Dawei Zhang, Yong Li, Xu Han
* [Permalink](https://eprint.iacr.org/2023/1631)
* [Download](https://eprint.iacr.org/2023/1631.pdf)
