Subject: [digest] 2024 Week 30
From: IACR ePrint Archive
Newsgroups: sci.crypt
Organization: A noiseless patient Spider
Date: Mon, 29 Jul 2024 02:26 UTC
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: noreply@example.invalid (IACR ePrint Archive)
Newsgroups: sci.crypt
Subject: [digest] 2024 Week 30
Date: Mon, 29 Jul 2024 02:26:25 -0000
Organization: A noiseless patient Spider
Lines: 1078
Message-ID: <7VFKDcTWLUahsTDgOg36fJ9LxhHuy0Wl@eprint.iacr.org.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Injection-Date: Mon, 29 Jul 2024 04:26:32 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="300283253f1cd75b516e3ea2a65ce787";
logging-data="337641"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+Ak34NCzNZSrAAiESOG9oLxXwM4iDPm3Y="
Cancel-Lock: sha1:1BT7QPRIVKF3ZwP9qr7ULIZXnOM=

## In this issue

1. [2024/875] Succinctly-Committing Authenticated Encryption
2. [2024/1179] Inner Product Ring LWE Problem, Reduction, New ...
3. [2024/1180] Fast computation of 2-isogenies in dimension 4 and ...
4. [2024/1181] AQQUA: Augmenting Quisquis with Auditability
5. [2024/1182] Hyperion: Transparent End-to-End Verifiable Voting ...
6. [2024/1183] Updatable Private Set Intersection from Structured ...
7. [2024/1184] Sanitizable and Accountable Endorsement for Dynamic ...
8. [2024/1185] Erebor and Durian: Full Anonymous Ring Signatures ...
9. [2024/1186] MATTER: A Wide-Block Tweakable Block Cipher
10. [2024/1187] STORM — Small Table Oriented Redundancy-based SCA ...
11. [2024/1188] Lightweight Dynamic Linear Components for Symmetric ...
12. [2024/1189] The Espresso Sequencing Network: HotShot Consensus, ...
13. [2024/1190] Efficient Two-Party Secure Aggregation via ...
14. [2024/1191] A note on ``a novel authentication protocol for ...
15. [2024/1192] Towards ML-KEM & ML-DSA on OpenTitan
16. [2024/1193] The syzygy distinguisher
17. [2024/1194] Hardware Implementation and Security Analysis of ...
18. [2024/1195] Efficient Implementation of Super-optimal Pairings ...
19. [2024/1196] Client-Aided Privacy-Preserving Machine Learning
20. [2024/1197] Optimizing Rectangle and Boomerang Attacks: A ...
21. [2024/1198] ECO-CRYSTALS: Efficient Cryptography CRYSTALS on ...
22. [2024/1199] On degrees of carry and Scholz's conjecture
23. [2024/1200] Depth-Aware Arithmetization of Common Primitives in ...
24. [2024/1201] Designing a General-Purpose 8-bit (T)FHE Processor ...
25. [2024/1202] Prover - Toward More Efficient Formal Verification ...
26. [2024/1203] Preservation of Speculative Constant-time by ...
27. [2024/1204] A fast heuristic for mapping Boolean circuits to ...
28. [2024/1205] Analysis of One Scheme for User Authentication and ...
29. [2024/1206] Applying Post-Quantum Cryptography Algorithms to a ...
30. [2024/1207] What Have SNARGs Ever Done for FHE?
31. [2024/1208] Hᴇᴋᴀᴛᴏɴ: Horizontally-Scalable zkSNARKs via Proof ...
32. [2024/1209] Collaborative CP-NIZKs: Modular, Composable Proofs ...

## 2024/875

* Title: Succinctly-Committing Authenticated Encryption
* Authors: Mihir Bellare, Viet Tung Hoang
* [Permalink](https://eprint.iacr.org/2024/875)
* [Download](https://eprint.iacr.org/2024/875.pdf)

### Abstract

Recent attacks and applications have led to the need for symmetric encryption schemes that, in addition to providing the usual authenticity and privacy, are also committing. In response, many committing authenticated encryption schemes have been proposed. However, all known schemes, in order to provide s bits of committing security, suffer an expansion---this is the length of the ciphertext minus the length of the plaintext---of 2s bits. This incurs a cost in bandwidth or storage. (We typically want s=128, leading to 256-bit expansion.) However, it has been considered unavoidable due to birthday attacks. We show how to bypass this limitation. We give authenticated encryption (AE) schemes that provide s bits of committing security, yet suffer expansion only around s as long as messages are long enough, namely more than s bits. We call such schemes succinct. We do this via a generic, ciphertext-shortening transform called SC: given an AE scheme with 2s-bit expansion, SC returns an AE scheme with s-bit expansion while preserving committing security. SC is very efficient; an AES-based instantiation has overhead just two AES calls. As a tool, SC uses a collision-resistant invertible PRF called HtM, that we design, and whose analysis is technically difficult. To add the committing security that SC assumes to a base scheme, we also give a transform CTY that improves Chan and Rogaway's CTX. Our results hold in a general framework for authenticated encryption, called AE3, that includes both AE1 (also called AEAD) and AE2 (also called nonce-hiding AE) as special cases, so that we in particular obtain succinctly-committing AE schemes for both these settings.

## 2024/1179

* Title: Inner Product Ring LWE Problem, Reduction, New Trapdoor Algorithm for Inner Product Ring LWE Problem and Ring SIS Problem
* Authors: Zhuang Shan, Leyou Zhang, Qing Wu, Qiqi Lai
* [Permalink](https://eprint.iacr.org/2024/1179)
* [Download](https://eprint.iacr.org/2024/1179.pdf)

### Abstract

Lattice cryptography is currently a major research focus in public-key encryption, renowned for its ability to resist quantum attacks. The introduction of ideal lattices (ring lattices) has elevated the theoretical framework of lattice cryptography. Ideal lattice cryptography, compared to classical lattice cryptography, achieves more acceptable operational efficiency through fast Fourier transforms. However, to date, issues of impracticality or insecurity persist in ideal lattice problems. In order to provide a reasonable and secure trapdoor algorithm, this paper introduces the concept of "Inner Product Ring LWE" and establishes its quantum resistance and indistinguishability using knowledge of time complexity, fixed-point theory, and statistical distances. It is easier to construct trapdoor algorithms for inner product Ring LWE than for Ring LWE. Additionally, leveraging the properties of NTRU, we propose a more secure Ring SIS trapdoor algorithm.

## 2024/1180

* Title: Fast computation of 2-isogenies in dimension 4 and cryptographic applications
* Authors: Pierrick Dartois
* [Permalink](https://eprint.iacr.org/2024/1180)
* [Download](https://eprint.iacr.org/2024/1180.pdf)

### Abstract

Dimension 4 isogenies were first introduced in cryptography for the cryptanalysis of Supersingular Isogeny Diffie-Hellman (SIDH) and have been used constructively in several schemes, including SQIsignHD, a derivative of the SQIsign isogeny-based signature scheme. Unlike in dimensions 2 and 3, we can no longer rely on the Jacobian model and its derivatives to compute isogenies. In dimension 4 (and higher), we can only use theta-models. Previous works by Romain Cosset, David Lubicz and Damien Robert have focused on the computation of $\ell$-isogenies in theta-models of level $n$ coprime to $\ell$ (which requires using $n^g$ coordinates in dimension $g$). For cryptographic applications, we need to compute chains of $2$-isogenies, requiring $\geq 3^g$ coordinates in dimension $g$ with state-of-the-art algorithms.

In this paper, we present algorithms to compute chains of $2$-isogenies between abelian varieties of dimension $g\geq 1$ with theta-coordinates of level $n=2$, generalizing a previous work by Pierrick Dartois, Luciano Maino, Giacomo Pope and Damien Robert in dimension $g=2$. We propose an implementation of these algorithms in dimension $g=4$ to compute endomorphisms of elliptic curve products derived from Kani's lemma with applications to SQIsignHD and SIDH cryptanalysis. We are now able to run a complete key recovery attack on SIDH when the endomorphism ring of the starting curve is unknown within a few seconds on a laptop for all NIST SIKE parameters.

## 2024/1181

* Title: AQQUA: Augmenting Quisquis with Auditability
* Authors: George Papadoulis, Danai Balla, Panagiotis Grontas, Aris Pagourtzis
* [Permalink](https://eprint.iacr.org/2024/1181)
* [Download](https://eprint.iacr.org/2024/1181.pdf)

### Abstract

We propose AQQUA: a digital payment system that combines auditability and privacy. AQQUA extends Quisquis by adding two authorities: one for registration and one for auditing. These authorities do not intervene in the everyday transaction processing; as a consequence, the decentralized nature of the cryptocurrency is not disturbed. Our construction is account-based. An account consists of an updatable public key, which functions as a cryptographically unlinkable pseudonym, and of commitments to the balance, the total amount of coins spent, and the total amount of coins received. In order to participate in the system, a user creates an initial account with the registration authority. To protect their privacy, whenever the user wants to transact they create unlinkable new accounts by updating their public key and the total number of accounts they own (maintained in committed form). The audit authority may request an audit at will. The user must prove in zero-knowledge that all their accounts are compliant with specific policies. We formally define a security model capturing the properties that a private and auditable digital payment system should possess, and we analyze the security of AQQUA under this model.

## 2024/1182

* Title: Hyperion: Transparent End-to-End Verifiable Voting with Coercion Mitigation
* Authors: Aditya Damodaran, Simon Rastikian, Peter B. Rønne, Peter Y A Ryan
* [Permalink](https://eprint.iacr.org/2024/1182)
* [Download](https://eprint.iacr.org/2024/1182.pdf)

### Abstract

We present Hyperion, an end-to-end verifiable e-voting scheme that allows the voters to identify their votes in cleartext in the final tally. In contrast to schemes like Selene or sElect, identification is not via (private) tracker numbers but via cryptographic commitment terms. After publishing the tally, the Election Authority provides each voter with an individual dual key. Voters identify their votes by raising their dual key to their secret trapdoor key and finding the matching commitment term in the tally.
The dual keys are self-certifying in that, without the voter's trapdoor key, it is intractable to forge a dual key that, when raised to the trapdoor key, will match an alternative commitment. On the other hand, a voter can use their own trapdoor key to forge a dual key to fool any would-be coercer.
Additionally, we propose a variant of Hyperion that counters the tracker collision threat present in Selene. We introduce individual verifiable views: each voter gets their own independently shuffled view of the master Bulletin Board.
We provide new improved definitions of privacy and verifiability for e-voting schemes and prove the scheme secure against these, as well as proving security with respect to earlier definitions in the literature.
Finally, we provide a prototype implementation and measurements which demonstrate that our scheme is practical for large-scale elections.
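The dual-key mechanism in the Hyperion abstract above, worked through as an added toy example. This is editorial illustration code, not the paper's construction or the authors' prototype, and it assumes a concrete instantiation the abstract does not state: a prime-order subgroup of $\mathbb{Z}_p^*$ with generator $g$, a voter trapdoor key $x$ with public key $g^x$, a tally commitment term $c = (g^x)^r$, and a dual key $d = g^r$, so that $d^x = c$. The names `tally_and_dual_keys`, `locate_vote` and `forge_dual_key` are hypothetical. The last function shows the coercion-mitigation property the abstract describes: the trapdoor holder can compute $d' = c'^{1/x}$ for any other tally entry $c'$, and that forged dual key passes the same check with the real trapdoor key.

```python
import secrets

# Toy model of the dual-key mechanism described in the Hyperion abstract.
# Assumed instantiation (not taken from the paper): tally entry c = pk^r = g^(x*r),
# voter trapdoor key x with pk = g^x, dual key d = g^r, hence d^x = c.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=48):
    """Toy-sized group: p = 2q + 1 prime, g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def keygen(p, q, g):
    """Voter: secret trapdoor key x and public key pk = g^x."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def tally_and_dual_keys(p, q, g, ballots):
    """Election authority (hypothetical API): publish (commitment term, vote) pairs
    in shuffled order and hand each voter their dual key d = g^r privately.
    ballots is a list of (pk, vote); dual keys are returned in ballot order."""
    tally, dual_keys = [], []
    for pk, vote in ballots:
        r = secrets.randbelow(q - 1) + 1
        tally.append((pow(pk, r, p), vote))   # commitment term c = pk^r = g^(x*r)
        dual_keys.append(pow(g, r, p))        # dual key d = g^r
    order = list(range(len(tally)))
    secrets.SystemRandom().shuffle(order)
    return [tally[i] for i in order], dual_keys


def locate_vote(p, tally, dual_key, x):
    """Voter: raise the dual key to the trapdoor key and find the matching term."""
    target = pow(dual_key, x, p)
    for c, vote in tally:
        if c == target:
            return vote
    return None


def forge_dual_key(p, q, x, alt_commitment):
    """Only the trapdoor holder can do this: d' = c'^(1/x mod q), so d'^x = c'.
    Without x, producing such a d' for a chosen c' is a discrete-log-type problem."""
    x_inv = pow(x, -1, q)
    return pow(alt_commitment, x_inv, p)


def demo():
    """Two constructed voters; returns the outcomes of the real and forged lookups."""
    p, q, g = safe_prime_group()
    x_alice, pk_alice = keygen(p, q, g)
    x_bob, pk_bob = keygen(p, q, g)
    tally, (d_alice, d_bob) = tally_and_dual_keys(
        p, q, g, [(pk_alice, "yes"), (pk_bob, "no")])
    real = locate_vote(p, tally, d_alice, x_alice)
    # Under coercion, Alice forges a dual key that points at an entry showing "no";
    # the forged key passes the same check with her genuine trapdoor key.
    alt_c = next(c for c, v in tally if v == "no")
    d_fake = forge_dual_key(p, q, x_alice, alt_c)
    forged_view = locate_vote(p, tally, d_fake, x_alice)
    return {"real": real, "forged_view": forged_view,
            "forged_key_differs": d_fake != d_alice}


if __name__ == "__main__":
    print(demo())
```

The 48-bit group is chosen only so the search for a safe prime finishes instantly; the self-certifying property the abstract claims (no forgery without the trapdoor key) only carries weight at real parameter sizes, and the point of the demo is the algebra, not the security level.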
