devel / sci.crypt / [digest] 2023 Week 50
[digest] 2023 Week 50

<kZF_aaIoS4TZU73bwKig9UrBUMJtvDSN@eprint.iacr.org.invalid>
http://rslight.i2p/devel/article-flat.php?id=707&group=sci.crypt#707
Path: i2pn2.org!i2pn.org!nntp.comgw.net!paganini.bofh.team!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2023 Week 50
Date: Mon, 18 Dec 2023 03:22:08 -0000
Organization: A noiseless patient Spider
Lines: 736
Message-ID: <kZF_aaIoS4TZU73bwKig9UrBUMJtvDSN@eprint.iacr.org.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Injection-Info: dont-email.me; posting-host="7c213d2672e4e1a5bb097d42eddf8c2c";
logging-data="3505678"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19TLNNrPeSN8gZhJWKcOq8tgPnJZKkWyOE="
Cancel-Lock: sha1:1a1HGvUvJ32v8wWzL9whn9y9Z9U=

## In this issue

1. [2023/1901] Middle-Products of Skew Polynomials and Learning ...
2. [2023/1902] A Transaction-Level Model for Blockchain Privacy
3. [2023/1903] Quarantined-TreeKEM: a Continuous Group Key ...
4. [2023/1904] Generalized Kotov-Ushakov Attack on Tropical ...
5. [2023/1905] Oops, I did it again revisited: another look at ...
6. [2023/1906] Exploring SIDH-based Signature Parameters
7. [2023/1907] Integral Cryptanalysis Using Algebraic Transition ...
8. [2023/1908] PARScoin: A Privacy-preserving, Auditable, and ...
9. [2023/1909] Ratel: MPC-extensions for Smart Contracts
10. [2023/1910] Failed crypto: Matrices over non-standard arithmetic
11. [2023/1911] Non-Interactive Classical Verification of Quantum ...
12. [2023/1912] Dishonest Majority Multiparty Computation over ...
13. [2023/1913] Breaking RSA Authentication on Zynq-7000 SoC and ...
14. [2023/1914] Efficient Low-Latency Masking of Ascon without ...
15. [2023/1915] Efficient Post-Quantum Secure Deterministic ...
16. [2023/1916] DispersedSimplex: simple and efficient atomic broadcast
17. [2023/1917] Regularized PolyKervNets: Optimizing Expressiveness ...
18. [2023/1918] FANNG-MPC: Framework for Artificial Neural Networks ...
19. [2023/1919] When and How to Aggregate Message Authentication ...
20. [2023/1920] Camel: E2E Verifiable Instant Runoff Voting without ...
21. [2023/1921] Automated Issuance of Post-Quantum Certificates: a ...
22. [2023/1922] One for All, All for Ascon: Ensemble-based Deep ...
23. [2023/1923] Differential Fault Attack on Ascon Cipher
24. [2023/1924] Analyzing the complexity of reference post-quantum ...

## 2023/1901

* Title: Middle-Products of Skew Polynomials and Learning with Errors
* Authors: Cong Ling, Andrew Mendelsohn
* [Permalink](https://eprint.iacr.org/2023/1901)
* [Download](https://eprint.iacr.org/2023/1901.pdf)

### Abstract

We extend the middle product to skew polynomials, which we use to define a skew middle-product Learning with Errors (LWE) variant. We also define a skew polynomial LWE problem, which we connect to Cyclic LWE (CLWE), a variant of LWE in cyclic division algebras. We then reduce a family of skew polynomial LWE problems to skew middle-product LWE, for a family which includes the structures found in CLWE. Finally, we give an encryption scheme and demonstrate its IND-CPA security, assuming the hardness of skew middle-product LWE.

## 2023/1902

* Title: A Transaction-Level Model for Blockchain Privacy
* Authors: François-Xavier Wicht, Zhipeng Wang, Duc V. Le, Christian Cachin
* [Permalink](https://eprint.iacr.org/2023/1902)
* [Download](https://eprint.iacr.org/2023/1902.pdf)

### Abstract

Considerable work explores blockchain privacy notions. Yet, it usually employs entirely different models and notations, complicating potential comparisons. In this work, we use the Transaction Directed Acyclic Graph (TDAG) and extend it to capture blockchain privacy notions (PDAG). We give consistent definitions for untraceability and unlinkability. Moreover, we specify conditions on a blockchain system to achieve each aforementioned privacy notion. Thus, we can compare the two most prominent privacy-preserving blockchains -- Monero and Zcash -- in terms of privacy guarantees. Finally, we unify linking heuristics from the literature with our graph notation and review a good portion of research on blockchain privacy.

## 2023/1903

* Title: Quarantined-TreeKEM: a Continuous Group Key Agreement for MLS, Secure in Presence of Inactive Users
* Authors: Céline Chevalier, Guirec Lebrun, Ange Martinelli
* [Permalink](https://eprint.iacr.org/2023/1903)
* [Download](https://eprint.iacr.org/2023/1903.pdf)

### Abstract

The recently standardized secure group messaging protocol “Messaging Layer Security” (MLS) is designed to ensure asynchronous communications within large groups, with an almost-optimal communication cost and the same security level as point-to-point secure messaging protocols such as “Signal”. In particular, the core sub-protocol of MLS, a Continuous Group Key Agreement (CGKA) called TreeKEM, must generate a common group key that respects the fundamental security properties of “post-compromise security” and “forward secrecy” which mitigate the effects of user corruption over time.

Most research on CGKAs has focused on how to improve these two security properties. However, post-compromise security and forward secrecy require the active participation of, respectively, all compromised users and all users within the group. Inactive users – who remain offline for long periods – no longer update their encryption keys and therefore represent a vulnerability for the entire group. This issue has already been identified in the MLS standard, but no solution, other than expelling these inactive users after some disconnection time, has been found.

We propose here a CGKA protocol based on TreeKEM and fully compatible with the MLS standard, that implements a “quarantine” mechanism for the inactive users in order to mitigate the risk induced by these users without removing them from the group. That mechanism indeed updates the inactive users’ encryption keys on their behalf and secures these keys with a secret sharing scheme. If some of the inactive users eventually reconnect, their quarantine stops and they are able to recover all the messages that were exchanged during their offline period. Our “Quarantined-TreeKEM” protocol thus offers a good trade-off between security and functionality, with a very limited – and sometimes negative – communication overhead.
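The abstract above relies on a threshold secret sharing scheme to protect the keys that are updated on a quarantined member's behalf. The following block is an added illustration of that building block only (Shamir sharing over a prime field); it is not code from the paper and does not reproduce the Quarantined-TreeKEM construction itself. The field prime, the `share_key`/`recover_key` helper names and the demo key bytes are assumptions made for this example.

```python
"""Shamir threshold secret sharing over the prime field GF(P).

Illustrates the building block behind the quarantine idea: a key
generated on behalf of an offline member is split among active members
so that no single member learns it, yet any `threshold` of them can
reconstruct it when the member comes back online.
Example code, not the paper's construction."""
import secrets

P = 2**255 - 19   # assumed field prime (large enough for a 32-byte key)


def split_secret(secret: int, threshold: int, n: int, rng=secrets.randbelow) -> list:
    """Return n points (x, f(x)) of a random degree-(threshold-1)
    polynomial f with f(0) = secret. `rng(P)` must return a value in [0, P)."""
    assert 0 <= secret < P and 1 <= threshold <= n
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of f at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold`
    distinct shares the result is a uniformly wrong value, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # den^-1 via Fermat
    return total


def share_key(key: bytes, threshold: int, n: int, rng=secrets.randbelow) -> list:
    """Split a 32-byte key among n holders; any `threshold` of them suffice."""
    assert len(key) == 32
    return split_secret(int.from_bytes(key, "big"), threshold, n, rng)


def recover_key(shares: list) -> bytes:
    return reconstruct_secret(shares).to_bytes(32, "big")


if __name__ == "__main__":
    # constructed demo key: the bytes 0..31
    key = bytes(range(32))
    shares = share_key(key, threshold=3, n=5)
    print("recovered:", recover_key(shares[1:4]) == key)
```

The `rng` parameter exists only so the scheme can be exercised deterministically in a test; in use, the default `secrets.randbelow` supplies the random coefficients, and the share for each member would itself be encrypted to that member's current key.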

## 2023/1904

* Title: Generalized Kotov-Ushakov Attack on Tropical Stickel Protocol Based on Modified Circulants
* Authors: Sulaiman Alhussaini, Craig Collett, Sergeĭ Sergeev
* [Permalink](https://eprint.iacr.org/2023/1904)
* [Download](https://eprint.iacr.org/2023/1904.pdf)

### Abstract

After the Kotov-Ushakov attack on the tropical implementation of Stickel protocol, various attempts have been made to create a secure variant of such implementation. Some of these attempts used a special class of commuting matrices resembling tropical circulants, and they have been proposed with claims of resilience against the Kotov-Ushakov attack, and even being potential post-quantum candidates. This paper, however, reveals that a form of the Kotov-Ushakov attack remains applicable and, moreover, there is a heuristic implementation of that attack which has a polynomial time complexity and shows an overwhelmingly good success rate.

## 2023/1905

* Title: Oops, I did it again revisited: another look at reusing one-time signatures
* Authors: Scott Fluhrer
* [Permalink](https://eprint.iacr.org/2023/1905)
* [Download](https://eprint.iacr.org/2023/1905.pdf)

### Abstract

In "Oops, I did it again" - Security of One-Time Signatures under Two-Message Attacks, Bruinderink and Hülsing analyzed the effect of key reuse for several one time signature systems. When they analyzed the Winternitz system, they assumed certain probabilities were independent when they weren't, leading to invalid conclusions. This paper does a more correct characterization of the Winternitz scheme, and while their ultimate conclusion (that key reuse allows for practical forgeries) is correct, the situation is both better and worse than what they concluded.

## 2023/1906

* Title: Exploring SIDH-based Signature Parameters
* Authors: Andrea Basso, Mingjie Chen, Tako Boris Fouotsa, Péter Kutas, Abel Laval, Laurane Marco, Gustave Tchoffo Saah
* [Permalink](https://eprint.iacr.org/2023/1906)
* [Download](https://eprint.iacr.org/2023/1906.pdf)

### Abstract

Isogeny-based cryptography is an instance of post-quantum cryptography whose fundamental problem consists of finding an isogeny between two (isogenous) elliptic curves $E$ and $E'$. This problem is closely related to that of computing the endomorphism ring of an elliptic curve. Therefore, many isogeny-based protocols require the endomorphism ring of at least one of the curves involved to be unknown. In this paper, we explore the design of isogeny based protocols in a scenario where one assumes that the endomorphism ring of all the curves are public. In particular, we identify digital signatures based on proof of isogeny knowledge from SIDH squares as such a candidate. We explore the design choices for such constructions and propose two variants with practical instantiations. We analyze their security according to three lines, the first consists of attacks based on KLPT with both polynomial and superpolynomial adversary, the second consists of attacks derived from the SIDH attacks and finally we study the zero-knowledge property of the underlying proof of knowledge.

## 2023/1907

* Title: Integral Cryptanalysis Using Algebraic Transition Matrices
* Authors: Tim Beyne, Michiel Verbauwhede
* [Permalink](https://eprint.iacr.org/2023/1907)
* [Download](https://eprint.iacr.org/2023/1907.pdf)

### Abstract

In this work we introduce algebraic transition matrices as the basis for a new approach to integral cryptanalysis that unifies monomial trails (Hu et al., Asiacrypt 2020) and parity sets (Boura and Canteaut, Crypto 2016). Algebraic transition matrices allow for the computation of the algebraic normal form of a primitive based on the algebraic normal forms of its components by means of well-understood operations from linear algebra. The theory of algebraic transition matrices leads to better insight into the relation between integral properties of $F$ and $F^{-1}$. In addition, we show that the link between invariants and eigenvectors of correlation matrices (Beyne, Asiacrypt 2018) carries over to algebraic transition matrices. Finally, algebraic transition matrices suggest a generalized definition of integral properties that subsumes previous notions such as extended division properties (Lambin, Derbez and Fouque, DCC 2020). On the practical side, a new algorithm is described to search for these generalized properties and applied to Present, resulting in new properties. The algorithm can be instantiated with any existing automated search method for integral cryptanalysis.

