Subject: [digest] 2024 Week 35
From: IACR ePrint Archive
Newsgroups: sci.crypt
Organization: A noiseless patient Spider
Date: Mon, 2 Sep 2024 02:18 UTC
Message-ID: <qnQGnVYFkYJlu3gXmW7NpD3-N2OqOyqv@eprint.iacr.org.invalid>

## In this issue

1. [2023/1728] Simulation-Secure Threshold PKE from LWE with ...
2. [2024/1332] Attacking trapdoors from matrix products
3. [2024/1333] Efficient online and Non-Interactive Threshold ...
4. [2024/1334] Chosen Text Attacks Against an Image Encryption ...
5. [2024/1335] Perfect Monomial Prediction for Modular Addition
6. [2024/1336] Fast Low Level Disk Encryption Using FPGAs
7. [2024/1337] Construction bent functions using the Maiorana ...
8. [2024/1338] Horcrux: Synthesize, Split, Shift and Stay Alive ...
9. [2024/1339] Comprehensive Robustness Analysis of GCM, CCM, and OCB3
10. [2024/1340] Unbalanced Private Set Union with Reduced ...
11. [2024/1341] Approach for High-Performance Random Number ...
12. [2024/1342] Unconditionally secure key distribution without ...
13. [2024/1343] Generalized one-way function and its application
14. [2024/1344] Quantum Security of a Compact Multi-Signature
15. [2024/1345] SoK: The Engineer’s Guide to Post-Quantum ...
16. [2024/1346] Provably Secure Online Authenticated Encryption and ...
17. [2024/1347] Secure Multiparty Computation with Lazy Sharing
18. [2024/1348] Zero-Knowledge Validation for an Offline Electronic ...
19. [2024/1349] Oblivious Pseudo Random Function base on Ideal ...
20. [2024/1350] Update to the Sca25519 Library: Mitigating Tearing- ...
21. [2024/1351] Proximity Gaps in Interleaved Codes
22. [2024/1352] ISABELLA: Improving Structures of Attribute-Based ...
23. [2024/1353] On the overflow and $p$-adic theory applied to ...
24. [2024/1354] Votexx: Extreme Coercion Resistance
25. [2024/1355] Direct Range Proofs for Paillier Cryptosystem and ...
26. [2024/1356] Leakage-Resilience of Circuit Garbling
27. [2024/1357] Understanding the Blockchain Interoperability Graph ...
28. [2024/1358] Quantum Sieving for Code-Based Cryptanalysis and ...
29. [2024/1359] Finding Complete Impossible Differential Attacks on ...
30. [2024/1360] CPA-secure KEMs are also sufficient for Post- ...
31. [2024/1361] What Did Come Out of It? Analysis and Improvements ...
32. [2024/1362] A Documentation of Ethereum’s PeerDAS
33. [2024/1363] Improved Key Recovery Attacks on Reduced-Round Salsa20
34. [2024/1364] FLIP-and-prove R1CS
35. [2024/1365] High-Throughput GPU Implementation of Dilithium ...
36. [2024/1366] Adaptive Successive Over-Relaxation Method for a ...
37. [2024/1367] A Better Kyber Butterfly for FPGAs
38. [2024/1368] Tightly Secure Non-Interactive BLS Multi-Signatures
39. [2024/1369] AGATE: Augmented Global Attested Trusted Execution ...
40. [2024/1370] ML based Improved Differential Distinguisher with ...
41. [2024/1371] PIGEON: A Framework for Private Inference of Neural ...

## 2023/1728

* Title: Simulation-Secure Threshold PKE from LWE with Polynomial Modulus
* Authors: Daniele Micciancio, Adam Suhl
* [Permalink](https://eprint.iacr.org/2023/1728)
* [Download](https://eprint.iacr.org/2023/1728.pdf)

### Abstract

In LWE based cryptosystems, using small (polynomially bounded) ciphertext modulus improves both efficiency and security.
In threshold encryption, one often needs "simulation security": the ability to simulate decryption shares without the secret key.
Existing lattice-based threshold encryption schemes provide one or the other but not both.
Simulation security has seemed to require superpolynomial flooding noise,
and the schemes with polynomial modulus use Rényi divergence based analyses that are sufficient for game-based but not simulation security.

In this work, we give the first construction of simulation-secure lattice-based threshold PKE with polynomially bounded modulus.
The construction itself is relatively standard, but we use an improved analysis, proving that when the ciphertext noise and flooding noise are both Gaussian, simulation is possible even with very small flooding noise.
Our modulus is small not just asymptotically but also concretely: this technique gives parameters roughly comparable to those of highly optimized non-threshold schemes like FrodoKEM.
As part of our proof, we show that LWE remains hard in the presence of some types of leakage; these results and techniques may also be useful in other contexts where noise flooding is used.

## 2024/1332

* Title: Attacking trapdoors from matrix products
* Authors: Thomas Decru, Tako Boris Fouotsa, Paul Frixons, Valerie Gilchrist, Christophe Petit
* [Permalink](https://eprint.iacr.org/2024/1332)
* [Download](https://eprint.iacr.org/2024/1332.pdf)

### Abstract

Recently, Geraud-Stewart and Naccache proposed two trapdoors based on matrix products. In this paper, we answer the call for cryptanalysis. We explore how using the trace and determinant of a matrix can be used to attack their constructions. We fully break their first construction in a polynomial-time attack. We show an information leak in the second construction using characteristic polynomials, and provide an attack using traces that decreases the bit security by about half.

## 2024/1333

* Title: Efficient online and Non-Interactive Threshold Signatures with Identifiable Aborts for Identity-Based Signatures in the IEEE P1363 Standard
* Authors: Yan Jiang, Youwen Zhu, Jian Wang, Yudi Zhang
* [Permalink](https://eprint.iacr.org/2024/1333)
* [Download](https://eprint.iacr.org/2024/1333.pdf)

### Abstract

Identity-based threshold signature (IDTS) enables the generation of valid signatures without revealing cryptographic keys in the signing process. While current protocols have achieved much progress in their efficiency, many schemes easily suffer from denial-of-service attacks in which misbehaving parties could keep from generating signatures without being caught. The identifiable abort property is designed to withstand such an attack in some recent IDTS protocols. However, all these schemes require many rounds of interaction for the resulting signature or utilize cryptographic techniques, which have a high complexity. In this study, we put forward a novel IDTS protocol that can achieve identifiable abort and resist arbitrary collusion attacks. Precisely, this ensures that corrupted parties are responsible in case of failure and cannot jointly obtain the input of honest parties. Moreover, we present the ideal IDTS functionality and provide the provable security of the proposed protocol with the global random oracle model. Our scheme has non-interactive signing, compatibility with the offline/online settings, and practical efficiency for the online phase. Finally, we give theoretical analyses and experimental results of our solution, showing that the signing time is less than two milliseconds and that the scheme is suitable for resource-constrained settings.

## 2024/1334

* Title: Chosen Text Attacks Against an Image Encryption Based on the Kronecker Xor Product, the Hill Cipher and the Sigmoid Logistic Map
* Authors: George Teseleanu
* [Permalink](https://eprint.iacr.org/2024/1334)
* [Download](https://eprint.iacr.org/2024/1334.pdf)

### Abstract

In 2023, Mfungo et al. presented an image encryption scheme that relies on a series of diffusion techniques and uses a chaotic map to generate three secret keys. Note that two out of three keys are dynamically generated based on the size of the original image, while the remaining key is static. The authors claim that their proposal offers $149$ bits of security. Unfortunately, we found a chosen plaintext attack that requires $2$ oracle queries and has a worst case complexity of $\mathcal O(2^{32})$. If the attacker has access to $1$ encryption oracle query and $1$ decryption oracle query, we can lower the complexity to $\mathcal O(2^{18.58})$. Encrypting an image with Mfungo et al.'s scheme has a worst case complexity of $\mathcal O(2^{33})$. Therefore, both our attacks are faster than encrypting an image. Our attacks are feasible because the dynamic keys remain unchanged for different plaintext images of the same size, and the static key remains the same for all images.

## 2024/1335

* Title: Perfect Monomial Prediction for Modular Addition
* Authors: Kai Hu, Trevor Yap
* [Permalink](https://eprint.iacr.org/2024/1335)
* [Download](https://eprint.iacr.org/2024/1335.pdf)

### Abstract

Modular addition is often the most complex component of typical Addition-Rotation-XOR (ARX) ciphers, and the division property is the most effective tool for detecting integral distinguishers. Thus, having a precise division property model for modular addition is crucial in the search for integral distinguishers in ARX ciphers.

Current division property models for modular addition either (a) express the operation as a Boolean circuit and apply standard propagation rules for basic operations (COPY, XOR, AND), or (b) treat it as a sequence of smaller functions with carry bits, modeling each function individually. Both approaches were originally proposed for the two-subset bit-based division property (2BDP), which is theoretically imprecise and may overlook some balanced bits.

Recently, more precise versions of the division property, such as parity sets, three-subset bit-based division property without unknown subsets (3BDPwoU) or monomial prediction (MP), and algebraic transition matrices have been proposed. However, little attention has been given to modular addition within these precise models.

The propagation rule for the precise division property of a vectorial Boolean function $\boldsymbol{f}$ requires that $\boldsymbol{u}$ can propagate to $\boldsymbol{v}$ if and only if the monomial $\pi_{\boldsymbol{u}}({\boldsymbol{x}})$ appears in $\pi_{\boldsymbol{v}}( \boldsymbol{f} )$. Braeken and Semaev (FSE 2005) studied the algebraic structure of modular addition and showed that for $\boldsymbol{x} \boxplus \boldsymbol{y} = \boldsymbol{z}$, the monomial $\pi_{\boldsymbol{u}}(\boldsymbol{x})\pi_{\boldsymbol{v}}(\boldsymbol{y})$ appears in $\pi_{\boldsymbol{w}}(\boldsymbol{z})$ if and only if $\boldsymbol{u} + \boldsymbol{v} = \boldsymbol{w}$. Their theorem directly leads to a precise division property model for modular addition. Surprisingly, this model has not been applied in division property searches, to the best of our knowledge.
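
The Braeken and Semaev statement quoted above can be checked by brute force for small word sizes, and the "precise model" it yields is a one-line propagation rule. The following script is an added example written for this digest entry; it is not code from the paper or from its authors. It computes the algebraic normal form of $\pi_{\boldsymbol{w}}(\boldsymbol{x} \boxplus \boldsymbol{y})$ for $n$-bit addition with a Möbius transform, compares the set of monomials $\pi_{\boldsymbol{u}}(\boldsymbol{x})\pi_{\boldsymbol{v}}(\boldsymbol{y})$ that actually appear with the set $\{(\boldsymbol{u},\boldsymbol{v}) : \boldsymbol{u}+\boldsymbol{v}=\boldsymbol{w}\}$ (masks read as integers), and exposes the resulting propagation rule. The input encoding (x in the low $n$ bits, y in the high $n$ bits of the truth-table index) and all function names are choices of this example, not the paper's.

```python
# Added example (not from ePrint 2024/1335): brute-force check of the
# Braeken-Semaev monomial statement for x [+] y = z mod 2^n, plus the
# precise propagation rule it implies.  Names and encoding are ours.


def anf(truth):
    """Moebius transform.  `truth[idx]` is f(idx) with the input bits
    packed into the integer idx; returns coef with coef[m] == 1 iff the
    monomial over exactly the variables selected by mask m appears."""
    coef = list(truth)
    nvars = len(truth).bit_length() - 1
    for i in range(nvars):
        bit = 1 << i
        for j in range(len(coef)):
            if j & bit:
                coef[j] ^= coef[j ^ bit]
    return coef


def pi(mask, value):
    """pi_mask(value): product of the bits of `value` selected by `mask`."""
    return 1 if (value & mask) == mask else 0


def monomials_of_pi_w(n, w):
    """Set of (u, v) such that pi_u(x) * pi_v(y) appears in the ANF of
    pi_w(x [+] y) for n-bit modular addition.
    Encoding (assumption of this example): x = low n bits of the truth
    table index, y = high n bits."""
    lo = (1 << n) - 1
    truth = []
    for idx in range(1 << (2 * n)):
        x, y = idx & lo, idx >> n
        z = (x + y) & lo          # modular addition, carries dropped
        truth.append(pi(w, z))
    coef = anf(truth)
    return {(m & lo, m >> n) for m, c in enumerate(coef) if c}


def braeken_semaev(n, w):
    """Monomials the theorem predicts for pi_w(z): every (u, v) with
    u + v == w as integers.  0 <= u, v < 2^n follows from w < 2^n."""
    return {(u, w - u) for u in range(w + 1)}


def theorem_holds(n):
    """True iff the brute-force ANF matches the prediction for every
    output mask w of n-bit modular addition."""
    return all(monomials_of_pi_w(n, w) == braeken_semaev(n, w)
               for w in range(1 << n))


def propagate(n, u, v):
    """Precise (monomial-prediction style) propagation rule through an
    n-bit modular addition: the input monomial pi_u(x) pi_v(y) propagates
    to exactly one output monomial pi_w(z), with w = u + v, and to none
    when that integer sum does not fit in n bits."""
    w = u + v
    return w if w < (1 << n) else None


if __name__ == "__main__":
    for n in range(1, 5):
        print(f"n={n}: brute force agrees with u+v=w: {theorem_holds(n)}")
    print("monomials of pi_3(x[+]y), n=2:", sorted(monomials_of_pi_w(2, 3)))
    print("propagate(3, u=3, v=1) ->", propagate(3, 3, 1))
    print("propagate(3, u=5, v=4) ->", propagate(3, 5, 4))
```

Two points worth noticing when running it: the cancellations are real (for $n=2$, $w=3$ the product $z_0 z_1$ generates the term $x_0 y_0$ twice, so it vanishes and only the four pairs with $u+v=3$ remain), and the rule is deterministic in both directions, which is why a model built on it is exact rather than an over-approximation like the two-subset bit-based division property.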

