Rocksolid Light
[digest] 2024 Week 5


http://rslight.i2p/devel/article-flat.php?id=756&group=sci.crypt#756
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2024 Week 5
Date: Mon, 05 Feb 2024 03:28:57 -0000
Organization: A noiseless patient Spider
Lines: 1678
Message-ID: <DpzAbu-Gyp2H5dsShDYtjYhg9OUcPPdt@eprint.iacr.org.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Injection-Info: dont-email.me; posting-host="5997c89fb83dc950c2048490c061972b";
logging-data="142225"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19wuTZklAiHMZJhA+5ZkMz0BQLyN9/uoiY="
Cancel-Lock: sha1:hEpx5GUtEeV0KjEeFNd1Wauvn+o=

## In this issue

1. [2024/114] Mask Conversions for d+1 shares in Hardware, with ...
2. [2024/115] Accelerating BGV Bootstrapping for Large $p$ Using ...
3. [2024/116] On the practical CPAD security of “exact” and ....
4. [2024/117] Breaking HWQCS: a code-based signature scheme from ...
5. [2024/118] Data Privacy Made Easy: Enhancing Applications with ...
6. [2024/119] R3PO: Reach-Restricted Reactive Program Obfuscation ...
7. [2024/120] K-Waay: Fast and Deniable Post-Quantum X3DH without ...
8. [2024/121] An acceleration of the AKS prime identification ...
9. [2024/122] SPRITE: Secure and Private Routing in Payment ...
10. [2024/123] Memory Checking Requires Logarithmic Overhead
11. [2024/124] Perceived Information Revisited II: Information- ...
12. [2024/125] New self-orthogonal codes from weakly regular ...
13. [2024/126] Monte Carlo Tree Search for automatic differential ...
14. [2024/127] Attacks Against the INDCPA-D Security of Exact FHE ...
15. [2024/128] Non-Binding (Designated Verifier) Signature
16. [2024/129] Finite Key OTP Functionality: Ciphers That Hold Off ...
17. [2024/130] HADES: Automated Hardware Design Exploration for ...
18. [2024/131] Practical Post-Quantum Signatures for Privacy
19. [2024/132] SimpleFT: A Simple Byzantine Fault Tolerant Consensus
20. [2024/133] Optimizing Implementations of Boolean Functions
21. [2024/134] Byzantine Fault Tolerance with Non-Determinism, ...
22. [2024/135] A Closer Look at the Belief Propagation Algorithm ...
23. [2024/136] Secure Transformer Inference Made Non-interactive
24. [2024/137] Sleepy Consensus in the Known Participation Model
25. [2024/138] Correction Fault Attacks on Randomized CRYSTALS- ...
26. [2024/139] Efficient Arithmetic in Garbled Circuits
27. [2024/140] Efficient ECDSA-based Adaptor Signature for Batched ...
28. [2024/141] Secure Statistical Analysis on Multiple Datasets: ...
29. [2024/142] GradedDAG: An Asynchronous DAG-based BFT Consensus ...
30. [2024/143] Scalable Collaborative zk-SNARK: Fully Distributed ...
31. [2024/144] Efficient (3,3)-isogenies on fast Kummer surfaces
32. [2024/145] Practical Batch Proofs of Exponentiation
33. [2024/146] Computing Orientations from the Endomorphism Ring ...
34. [2024/147] Prime Masking vs. Faults - Exponential Security ...
35. [2024/148] Preliminary Cryptanalysis of the Biscuit Signature ...
36. [2024/149] Evict+Spec+Time: Exploiting Out-of-Order Execution ...
37. [2024/150] SALSA FRESCA: Angular Embeddings and Pre-Training ...
38. [2024/151] Improving Linear Key Recovery Attacks using Walsh ...
39. [2024/152] Equivalence of Generalised Feistel Networks
40. [2024/153] Revisiting the Slot-to-Coefficient Transformation ...
41. [2024/154] Broadcast Encryption using Sum-Product ...
42. [2024/155] Fully Homomorphic Encryption on large integers
43. [2024/156] Homomorphic sign evaluation using functional ...
44. [2024/157] Delphi: sharing assessments of cryptographic ...
45. [2024/158] HiSE: Hierarchical (Threshold) Symmetric-key Encryption
46. [2024/159] Logstar: Efficient Linear* Time Secure Merge
47. [2024/160] LightDAG: A Low-latency DAG-based BFT Consensus ...
48. [2024/161] zkMatrix: Batched Short Proof for Committed Matrix ...
49. [2024/162] Zero-Knowledge Proofs of Training for Deep Neural ...

## 2024/114

* Title: Mask Conversions for d+1 shares in Hardware, with Application to Lattice-based PQC
* Authors: Quinten Norga, Jan-Pieter D'Anvers, Suparna Kundu, Ingrid Verbauwhede
* [Permalink](https://eprint.iacr.org/2024/114)
* [Download](https://eprint.iacr.org/2024/114.pdf)

### Abstract

The conversion between arithmetic and Boolean mask representations (A2B & B2A) is a crucial component for side-channel resistant implementations of lattice-based cryptography.
In this paper, we present a first- and high-order masked, unified hardware implementation which can perform both A2B & B2A conversions. We optimize the operation on several layers of abstraction, applicable to any protection order.
First, we propose novel higher-order algorithms for the secure addition and B2A operation. This is achieved through, among others, an improved method for repeated masked modular reduction and through the X2B operation, which can be viewed as a conversion from any type of additive masking to its Boolean representation. This allows for the removal of a full secure addition during B2A post-processing.
Compared to prior work, our $B2A_q$ requires 51/46/45 % less fresh randomness at first through third protection order when implemented in software or hardware.

Secondly, on the circuit level, we successfully introduce half-cycle data paths and demonstrate how careful, manual masking is a superior approach for masking highly non-linear operations and providing first- and high-order security.
Our techniques significantly reduce the high latency and fresh randomness overhead, typically introduced by glitch-resistant masking schemes and universally composable gadgets, including HPC3 by Knichel et al. presented at CCS 2022. Compared to state-of-the-art algorithms and masking techniques, our unified and high-throughput hardware implementation requires up to 89/84/86 % fewer clock cycles and 78/71/55 % fewer fresh random bits.

We show detailed performance results for first-, second- and third-order protected implementations on FPGA. Our proposed algorithms are proven secure in the glitch extended probing model and their implementations are validated via practical lab analysis using the TVLA methodology. We experimentally show that both our first- and second-order masked implementations are hardened against univariate and multivariate attacks using 100 million traces, for each mode of operation.

## 2024/115

* Title: Accelerating BGV Bootstrapping for Large $p$ Using Null Polynomials Over $\mathbb{Z}_{p^e}$
* Authors: Shihe Ma, Tairong Huang, Anyu Wang, Xiaoyun Wang
* [Permalink](https://eprint.iacr.org/2024/115)
* [Download](https://eprint.iacr.org/2024/115.pdf)

### Abstract

The BGV scheme is one of the most popular FHE schemes for computing homomorphic integer arithmetic.
The bootstrapping technique of BGV is necessary to evaluate arbitrarily deep circuits homomorphically.
However, the BGV bootstrapping performs poorly for large plaintext prime $p$ due to its digit removal procedure exhibiting a computational complexity of at least $O(\sqrt{p})$.
In this paper, we propose optimizations for the digit removal procedure with large $p$ by leveraging the properties of null polynomials over the ring $\mathbb{Z}_{p^e}$.
Specifically, we demonstrate that it is possible to construct low-degree null polynomials based on two observations of the input to the digit removal procedure:
1) the support size of the input can be upper-bounded by $(2B+1)^2$; 2) the size of the lower digits to be removed can be upper-bounded by $B$.
Here $B$ can be controlled within a narrow interval $[22,23]$ in our parameter selection, making the degree of these null polynomials much smaller than $p$ for large values of $p$.
These low-degree null polynomials can significantly reduce the polynomial degrees during homomorphic digit removal, thereby decreasing both running time and capacity consumption.
Theoretically, our optimizations reduce the computational cost of extracting a single digit from $O(\sqrt{pe})$ (by Chen and Han) or $O(\sqrt{p}\sqrt[4]{e})$ (by Geelen et al.) to $\min(2B+1,\sqrt{\lceil e/t\rceil(2B+1)})$ for some $t\ge 1$.
We implement and benchmark our method on HElib with $p=17,127,257,8191$ and $65537$.
With our optimized digit removal, we achieve a bootstrapping throughput $1.38\sim151$ times that in HElib, with the speedup increasing with the value of $p$.
For $p=65537$, we accelerate the digit removal step by 80 times and reduce the bootstrapping time from more than 12 hours to less than 14 minutes.

## 2024/116

* Title: On the practical CPAD security of “exact” and threshold FHE schemes and libraries
* Authors: Marina Checri, Renaud Sirdey, Aymen Boudguiga, Jean-Paul Bultel, Antoine Choffrut
* [Permalink](https://eprint.iacr.org/2024/116)
* [Download](https://eprint.iacr.org/2024/116.pdf)

### Abstract

In their 2021 seminal paper, Li and Micciancio presented a passive attack against the CKKS approximate FHE scheme and introduced the notion of CPAD security. The current status quo is that this line of attacks does not apply to "exact" FHE. In this paper, we challenge this status quo by exhibiting a CPAD key recovery attack on the linearly homomorphic Regev cryptosystem which easily generalizes to other xHE schemes such as BFV, BGV and TFHE, showing that these cryptosystems are not CPAD secure in their basic form. We also show that existing threshold variants of BFV, BGV and CKKS are particularly exposed to CPAD attackers and would be CPAD-insecure without smudging noise addition after partial decryption. Finally, we successfully implement our attack against several mainstream FHE libraries, discuss a number of natural countermeasures and discuss their consequences in terms of FHE practice, security and efficiency. The attack itself is quite practical as it typically takes less than an hour on an average laptop PC, requiring a few thousand ciphertexts as well as up to around a million evaluations/decryptions, to perform a full key recovery.

## 2024/117

* Title: Breaking HWQCS: a code-based signature scheme from high weight QC-LDPC codes
* Authors: Alex Pellegrini, Giovanni Tognolini
* [Permalink](https://eprint.iacr.org/2024/117)
* [Download](https://eprint.iacr.org/2024/117.pdf)
