[digest] 2024 Week 10
http://rslight.i2p/devel/article-flat.php?id=867&group=sci.crypt#867

From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2024 Week 10
Date: Mon, 11 Mar 2024 02:26:12 -0000
Lines: 1534
Message-ID: <Z64vyN8hqeeN-OV7BV0kdpizVrCJH3H-@eprint.iacr.org.invalid>

## In this issue

1. [2023/216] Two-Round Stateless Deterministic Two-Party Schnorr ...
2. [2023/797] Entropy Suffices for Guessing Most Keys
3. [2023/821] Securing IoT Devices with Fast and Energy Efficient ...
4. [2023/1399] The supersingular Endomorphism Ring and One ...
5. [2023/1527] Adaptive Garbled Circuits and Garbled RAM from Non- ...
6. [2024/336] RAMenPaSTA: Parallelizable Scalable Transparent ...
7. [2024/339] From Random Probing to Noisy Leakages Without ...
8. [2024/342] Massive Superpoly Recovery with a Meet-in-the- ...
9. [2024/351] Improved Differential Meet-In-The-Middle Cryptanalysis
10. [2024/364] Algebraic Algorithm for the Alternating Trilinear ...
11. [2024/367] Accelerating SLH-DSA by Two Orders of Magnitude ...
12. [2024/372] Two-Round Maliciously-Secure Oblivious Transfer ...
13. [2024/381] Quantum Circuits of AES with a Low-depth Linear ...
14. [2024/382] Decentralized Access Control Infrastructure for ...
15. [2024/383] Malicious Security for SCALES: Outsourced ...
16. [2024/384] Transmitter Actions for Secure Integrated Sensing ...
17. [2024/385] A New Public Key Cryptosystem Based on the Cubic ...
18. [2024/386] High-Throughput Secure Multiparty Computation with ...
19. [2024/387] Parallel Zero-knowledge Virtual Machine
20. [2024/388] Leakage-Resilient Attribute-Based Encryption with ...
21. [2024/389] On the Feasibility of Sliced Garbling
22. [2024/390] STIR: Reed–Solomon Proximity Testing with Fewer Queries
23. [2024/391] On Information-Theoretic Secure Multiparty ...
24. [2024/392] Heuristic Ideal Obfuscation Scheme based on LWE ...
25. [2024/393] Revisiting the May--Meurer--Thomae Algorithm --- ...
26. [2024/394] A Deniably Authenticated Searchable Public Key ...
27. [2024/395] Notus: Dynamic Proofs of Liabilities from Zero- ...
28. [2024/396] On the impact of ionizing and non-ionizing ...
29. [2024/397] Exponent-VRFs and Their Applications
30. [2024/398] The Last Challenge Attack: Exploiting a Vulnerable ...
31. [2024/399] A Direct PRF Construction from Kolmogorov Complexity
32. [2024/400] SILBE: an Updatable Public Key Encryption Scheme ...
33. [2024/401] Plover: Masking-Friendly Hash-and-Sign Lattice ...
34. [2024/402] Efficient Unbalanced Quorum PSI from Homomorphic ...
35. [2024/403] DARE to agree: Byzantine Agreement with Optimal ...
36. [2024/404] Breaking the DECT Standard Cipher with Lower Time Cost
37. [2024/405] Traceable Secret Sharing: Strong Security and ...
38. [2024/406] Some notes on algorithms for abelian varieties
39. [2024/407] Permutation-Based Hashing Beyond the Birthday Bound
40. [2024/408] Modular Indexer: Fully User-Verified Execution ...
41. [2024/409] Nebula: A Privacy-First Platform for Data Backhaul
42. [2024/410] Recent Progress in Quantum Computing Relevant to ...
43. [2024/411] Polytopes in the Fiat-Shamir with Aborts Paradigm
44. [2024/412] Quasi-Optimal Permutation Ranking and Applications ...
45. [2024/413] Bent functions construction using extended ...
46. [2024/414] Quantum One-Wayness of the Single-Round Sponge with ...
47. [2024/415] Column-wise Garbling, and How to Go Beyond the ...

## 2023/216

* Title: Two-Round Stateless Deterministic Two-Party Schnorr Signatures From Pseudorandom Correlation Functions
* Authors: Yashvanth Kondi, Claudio Orlandi, Lawrence Roy
* [Permalink](https://eprint.iacr.org/2023/216)
* [Download](https://eprint.iacr.org/2023/216.pdf)

### Abstract

Schnorr signatures are a popular choice due to their simplicity, provable security, and linear structure that enables relatively easy threshold signing protocols. The deterministic variant of Schnorr (where the nonce is derived in a stateless manner using a PRF from the message and a long term secret) is widely used in practice since it mitigates the threats of a faulty or poor randomness generator (which in Schnorr leads to catastrophic breaches of security). Unfortunately, threshold protocols for the deterministic variant of Schnorr have so far been quite inefficient, as they make non-black-box use of the PRF involved in the nonce generation.

In this paper, we present the first two-party threshold protocol for Schnorr signatures, where signing is stateless and deterministic, and only makes black-box use of the underlying cryptographic algorithms.

We present a protocol from general assumptions which achieves covert security, and a protocol that achieves full active security under standard factoring-like assumptions. Our protocols make crucial use of recent advances within the field of pseudorandom correlation functions (PCFs).
As an additional benefit, only two rounds are needed to perform distributed signing in our protocol, connecting our work to a recent line of research on the trade-offs between round complexity and cryptographic assumptions for threshold Schnorr signatures.
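The failure mode the abstract refers to (a faulty nonce generator leaking the key) and the stateless PRF-derived nonce that mitigates it, worked through as an added Python example. This is not the paper's two-party protocol; it is plain single-signer Schnorr over secp256k1, written for this page. The curve constants are the standard secp256k1 parameters; the challenge hash layout, the HMAC-based nonce derivation (a simplified RFC 6979-style construction, not the RFC's exact procedure) and the demo key are assumptions chosen for illustration.

```python
import hashlib
import hmac

# secp256k1 domain parameters (standard curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def challenge(R, PK, msg):
    """e = SHA-256(R || PK || m) mod N.  The byte layout is an assumption made for this
    example; deployed schemes (e.g. BIP340) use a tagged hash over x-only points."""
    enc = lambda Q: Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(R) + enc(PK) + msg).digest(), "big") % N


def schnorr_sign(x, msg, k):
    """(R, s) with R = kG and s = k + e*x mod N, for a caller-supplied nonce k."""
    R = ec_mul(k, G)
    e = challenge(R, ec_mul(x, G), msg)
    return R, (k + e * x) % N


def schnorr_verify(PK, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, PK, msg), PK))


def deterministic_nonce(x, msg):
    """Stateless nonce k = PRF(x, m): HMAC-SHA256 keyed with the long-term secret.
    Simplified RFC 6979 style (assumption: not the RFC's exact procedure)."""
    mac = hmac.new(x.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N or 1


def recover_secret_from_nonce_reuse(PK, msg1, sig1, msg2, sig2):
    """Two signatures that share R (same nonce) on different messages leak x:
    s1 - s2 = (e1 - e2) * x, so x = (s1 - s2) / (e1 - e2) mod N."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        raise ValueError("nonces differ; nothing to recover")
    e1, e2 = challenge(R1, PK, msg1), challenge(R2, PK, msg2)
    return (s1 - s2) * pow((e1 - e2) % N, -1, N) % N


# Constructed demo key: an arbitrary constant, not a real key.
SECRET = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD


def demo():
    PK = ec_mul(SECRET, G)
    m1, m2 = b"transfer 10 to alice", b"transfer 10 to mallory"
    # Faulty RNG: the same nonce is used for two messages, and the key falls out.
    bad_k = 0xC0FFEE
    sig1 = schnorr_sign(SECRET, m1, bad_k)
    sig2 = schnorr_sign(SECRET, m2, bad_k)
    leaked = recover_secret_from_nonce_reuse(PK, m1, sig1, m2, sig2)
    # Deterministic nonces: same message -> same signature; different messages -> different R.
    d1 = schnorr_sign(SECRET, m1, deterministic_nonce(SECRET, m1))
    d2 = schnorr_sign(SECRET, m2, deterministic_nonce(SECRET, m2))
    return {
        "leaked_equals_secret": leaked == SECRET,
        "deterministic_valid": schnorr_verify(PK, m1, d1) and schnorr_verify(PK, m2, d2),
        "distinct_nonces": d1[0] != d2[0],
        "repeatable": d1 == schnorr_sign(SECRET, m1, deterministic_nonce(SECRET, m1)),
    }


if __name__ == "__main__":
    print(demo())
```

The `recover_secret_from_nonce_reuse` path is exactly the "catastrophic breach" the abstract mentions: one repeated nonce is enough. The deterministic path removes the RNG from signing entirely, which is also why a threshold version is hard: each party's nonce share must be a PRF output, and the paper's contribution is getting there without evaluating the PRF inside a generic MPC circuit.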

## 2023/797

* Title: Entropy Suffices for Guessing Most Keys
* Authors: Timo Glaser, Alexander May, Julian Nowakowski
* [Permalink](https://eprint.iacr.org/2023/797)
* [Download](https://eprint.iacr.org/2023/797.pdf)

### Abstract

Historically, most cryptosystems chose their keys uniformly at random. This is in contrast to modern (lattice-based) schemes, which typically sample their keys from more complex distributions $\mathcal{D}$, such as the discrete Gaussian or centered binomial distribution.

It is well-known that any key drawn from the uniform distribution $\mathcal{U}$ can be guessed using at most $2^{\operatorname{H}(\mathcal{U})}$ key guesses, where $\operatorname{H}(\mathcal{U})$ denotes the entropy of the uniform distribution. However, for keys drawn from general distributions $\mathcal{D}$ only a lower bound of $\Omega(2^{\operatorname{H}(\mathcal{D})})$ key guesses is known. In fact, Massey (1994) even ruled out that the number of key guesses can be upper bounded by a function of the entropy alone.

When analyzing the complexity of so-called hybrid lattice-attacks (which combine lattice reduction with key guessing) one therefore usually conservatively underestimates the complexity of key guessing by $2^{\operatorname{H}(\mathcal{D})}$. However, a tight complexity analysis is missing, and due to Massey's result considered impossible.

In this work, we bypass Massey's impossibility result by focusing on the typical cryptographic setting, where keys are drawn from $n$-fold product distributions $\mathcal{D} = \chi^n$.

It is well known that the optimal key guessing algorithm enumerates keys in $\chi^n$ in descending order of probability. In order to provide a refined analysis, we allow enumeration to be aborted after a certain number of key guesses. As our main result, we prove that for any discrete probability distribution $\chi$ the key guessing algorithm that we abort after $2^{\operatorname{H}(\chi)n}$ keys asymptotically has success probability $\frac{1}{2}$, taken over the random key choice. The aborted algorithm allows for a quantum version with success probability $\frac{1}{2}$ within $2^{\operatorname{H}(\chi)n/2}$ key guesses. In other words, for any distribution $\chi$, we achieve a Grover-type square-root speedup.

Furthermore, we show that for the distributions used in Kyber and Falcon, the aborted algorithm outperforms the non-aborted algorithm by an exponential factor in the runtime. Hence, for a typical multi-key scenario, where a (large-scale) adversary wants to attack as many keys as possible with as few resources as possible, our results show that it greatly pays off to tackle only the likely keys.
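The aborted enumeration described above, carried out numerically as an added Python example (written for this page, not the authors' code). It computes $\operatorname{H}(\chi)$ for the centered binomial distributions Kyber samples from, enumerates keys of $\chi^n$ in descending order of probability by grouping keys with identical symbol counts (every key in such a group has the same probability, so the group is one block of the enumeration), and reports the success probability when enumeration is aborted after $2^{\operatorname{H}(\chi) n}$ guesses. $n$ is kept small so the enumeration is exact; the values are finite-$n$ results, not the asymptotic $\frac{1}{2}$ the paper proves.

```python
from math import ceil, comb, factorial, log2, prod


def entropy(chi):
    """Shannon entropy H(chi) in bits of a discrete distribution {value: probability}."""
    return -sum(p * log2(p) for p in chi.values() if p > 0)


def centered_binomial(eta):
    """Kyber's B_eta: difference of two Binomial(eta, 1/2) samples, values in [-eta, eta]."""
    return {v: comb(2 * eta, v + eta) / 2 ** (2 * eta) for v in range(-eta, eta + 1)}


def compositions(n, k):
    """All k-tuples of non-negative integers summing to n: how many of the n
    coordinates take each of the k symbols."""
    if k == 1:
        yield (n,)
        return
    for i in range(n + 1):
        for rest in compositions(n - i, k - 1):
            yield (i,) + rest


def multinomial(counts):
    r = factorial(sum(counts))
    for c in counts:
        r //= factorial(c)
    return r


def probability_classes(chi, n):
    """Keys of chi^n grouped by symbol counts, as (per-key probability, number of keys),
    sorted by descending probability: the order the optimal guesser enumerates them."""
    probs = list(chi.values())
    classes = []
    for counts in compositions(n, len(probs)):
        p = prod(pj ** cj for pj, cj in zip(probs, counts))
        classes.append((p, multinomial(counts)))
    classes.sort(key=lambda t: -t[0])
    return classes


def aborted_success_probability(chi, n, budget):
    """Pr[key found] when the descending-probability enumerator stops after `budget` guesses."""
    remaining, success = int(budget), 0.0
    for p, size in probability_classes(chi, n):
        if remaining <= 0:
            break
        take = min(size, remaining)
        success += take * p
        remaining -= take
    return success


def guesses_needed(chi, n, target=0.5):
    """Smallest number of guesses at which the optimal enumerator reaches `target` success."""
    guesses, success = 0, 0.0
    for p, size in probability_classes(chi, n):
        need = (target - success) / p          # keys of this class still required
        if need <= size:
            return guesses + ceil(need)
        guesses += size
        success += size * p
    return guesses


def report(eta, n):
    """Entropy-based budget versus exact aborted-guessing success for B_eta^n."""
    chi = centered_binomial(eta)
    h = entropy(chi)
    return {
        "entropy_bits_per_coeff": h,
        "key_space_bits": n * log2(len(chi)),
        "abort_budget_bits": h * n,
        "success_at_abort_budget": aborted_success_probability(chi, n, 2 ** (h * n)),
        "log2_guesses_for_half": log2(guesses_needed(chi, n)),
        "quantum_budget_bits": h * n / 2,      # Grover-type square-root speedup
    }


if __name__ == "__main__":
    for eta, n in ((2, 8), (2, 16), (3, 12)):
        print(eta, n, report(eta, n))
```

For the uniform distribution the $2^{\operatorname{H}(\chi)n}$ budget is the whole key space and success is 1; for $B_\eta$ it is an exponentially small fraction of the $(2\eta+1)^n$ keys, and `guesses_needed` shows how many of the most likely keys already carry half the mass. Scaling `n` up to Kyber sizes is not feasible by exact enumeration; that is what the paper's asymptotic analysis supplies.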

## 2023/821

* Title: Securing IoT Devices with Fast and Energy Efficient Implementation of PRIDE and PRESENT Ciphers
* Authors: Vijay Dahiphale, Hrishikesh Raut, Gaurav Bansod, Devendra Dahiphale
* [Permalink](https://eprint.iacr.org/2023/821)
* [Download](https://eprint.iacr.org/2023/821.pdf)

### Abstract

The rise of low-power, cost-efficient internet-connected devices has led to a need for lightweight cryptography. The lightweight block cipher PRIDE, designed by Martin R. Albrecht, is one of the most efficient ciphers designed for IoT-constrained environments. It is useful for connected devices, requires fewer resources to implement, and has high performance. PRIDE is a software-oriented lightweight cipher optimized for microcontrollers. This paper focuses on the FPGA implementation of the PRIDE cipher, focusing on throughput, energy, and power consumption metrics. The paper also presents a novel and simpler diagrammatical view of a Matrix Layer implementation of the PRIDE cipher. We also implemented the PRESENT cipher using the same metrics. We analyzed different design metrics on Field Programmable Gate Arrays (FPGAs) and compared the metrics of the PRIDE implementation with the well-known cipher PRESENT. This gives us an insight into the efficiency and reliability of PRIDE in IoT-constrained environments. We also proposed different architectures of the PRIDE cipher for 16-bit and 32-bit datapaths.
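A bit-exact software reference model of PRESENT-80, added here as a Python example (written for this page, not the paper's FPGA design). A model like this is what a hardware implementation of the cipher is checked against: drive both with the same plaintext and key and compare the ciphertexts. The S-box, bit permutation and key schedule follow the published PRESENT specification, and the all-zero plaintext/key test vector is the one from that specification; the round-key derivation is for the 80-bit key size only.

```python
# PRESENT-80 reference model (software), 64-bit block, 80-bit key, 31 rounds.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(i) for i in range(16)]
# pLayer: bit i of the state moves to position PERM[i].
PERM = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
PERM_INV = [PERM.index(i) for i in range(64)]
MASK64, MASK80 = (1 << 64) - 1, (1 << 80) - 1


def sbox_layer(state, box=SBOX):
    """Apply the 4-bit S-box to all 16 nibbles of the 64-bit state."""
    out = 0
    for i in range(16):
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def p_layer(state, perm=PERM):
    """Bit permutation of the 64-bit state."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out


def round_keys(key80):
    """PRESENT-80 key schedule: 32 round keys of 64 bits from the 80-bit key register."""
    keys = []
    k = key80 & MASK80
    for i in range(1, 32):
        keys.append(k >> 16)                                 # leftmost 64 bits
        k = ((k << 61) | (k >> 19)) & MASK80                 # rotate left by 61
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))    # S-box on the top nibble
        k ^= i << 15                                         # round counter into bits 19..15
    keys.append(k >> 16)
    return keys


def encrypt(pt, key80):
    rks = round_keys(key80)
    state = pt & MASK64
    for i in range(31):
        state ^= rks[i]
        state = sbox_layer(state)
        state = p_layer(state)
    return state ^ rks[31]


def decrypt(ct, key80):
    rks = round_keys(key80)
    state = (ct & MASK64) ^ rks[31]
    for i in range(30, -1, -1):
        state = p_layer(state, PERM_INV)
        state = sbox_layer(state, SBOX_INV)
        state ^= rks[i]
    return state


if __name__ == "__main__":
    # Specification test vector: pt = 0, key = 0 -> 5579C1387B228445
    print(f"PRESENT-80(pt=0, key=0) = {encrypt(0, 0):016X}")
```

When validating an FPGA core, the same `round_keys` output is worth checking on its own: key-schedule bugs (wrong rotation amount, counter applied before instead of after extracting the round key) produce ciphertexts that still decrypt under the same broken core, so a round-trip test alone does not catch them; only comparison against a known-good vector does.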

## 2023/1399

* Title: The supersingular Endomorphism Ring and One Endomorphism problems are equivalent
* Authors: Aurel Page, Benjamin Wesolowski
* [Permalink](https://eprint.iacr.org/2023/1399)
* [Download](https://eprint.iacr.org/2023/1399.pdf)

### Abstract

The supersingular Endomorphism Ring problem is the following: given a supersingular elliptic curve, compute all of its endomorphisms. The presumed hardness of this problem is foundational for isogeny-based cryptography. The One Endomorphism problem only asks to find a single non-scalar endomorphism. We prove that these two problems are equivalent, under probabilistic polynomial time reductions.
