{"status":"ok","message-type":"work-list","message-version":"1.0.0","message":{"facets":{},"total-results":285,"items":[{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:05:03Z","timestamp":1753895103371,"version":"3.41.2"},"reference-count":78,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T00:00:00Z","timestamp":1712620800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001866","name":"Fonds National de la Recherche","doi-asserted-by":"publisher","award":["CORE project Privacy-Preserving Tokenisation of Artworks \u2013PABLO (C21\/IS\/16326754\/PABLO)"],"award-info":[{"award-number":["CORE project Privacy-Preserving Tokenisation of Artworks \u2013PABLO (C21\/IS\/16326754\/PABLO)"]}],"id":[{"id":"10.13039\/501100001866","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001866","name":"Fonds National de la Recherche","doi-asserted-by":"publisher","award":["CORE project Real-World Implementation and Human-Centered Design of PAKE Technologies \u2013ImPAKT (C21\/IS\/16221219\/ImPAKT)"],"award-info":[{"award-number":["CORE project Real-World Implementation and Human-Centered Design of PAKE Technologies \u2013ImPAKT (C21\/IS\/16221219\/ImPAKT)"]}],"id":[{"id":"10.13039\/501100001866","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001665","name":"Agence Nationale de la Recherche","doi-asserted-by":"publisher","award":["France 2030 ANR-22-PECY-0010"],"award-info":[{"award-number":["France 2030 ANR-22-PECY-0010"]}],"id":[{"id":"10.13039\/501100001665","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100012950","name":"Institut national de recherche en informatique et en automatique","doi-asserted-by":"publisher","award":["Sabbatical Programme"],"award-info":[{"award-number":["Sabbatical Programme"]}],"id":[{"id":"10.13039\/100012950","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,9,2]]},"abstract":"For more than two decades, pairings have been a fundamental tool for designing elegant cryptosystems, varying from digital signature schemes to more complex privacy-preserving constructions. However, the advancement of quantum computing threatens to undermine public-key cryptography. Concretely, it is widely accepted that a future large-scale quantum computer would be capable to break any public-key cryptosystem used today, rendering today's public-key cryptography obsolete and mandating the transition to quantum-safe cryptographic solutions. This necessity is enforced by numerous recognized government bodies around the world, including NIST which initiated the first open competition in standardizing post-quantum (PQ) cryptographic schemes, focusing primarily on digital signatures and key encapsulation\/public-key encryption schemes. Despite the current efforts in standardizing PQ primitives, the landscape of complex, privacy-preserving cryptographic protocols, e.g., zkSNARKs\/zkSTARKs, is at an early stage. Existing solutions suffer from various disadvantages in terms of efficiency and compactness and in addition, they need to undergo the required scrutiny to gain the necessary trust in the academic and industrial domains. Therefore, it is believed that the migration to purely quantum-safe cryptography would require an intermediate step where current classically secure protocols and quantum-safe solutions will co-exist. This is enforced by the report of the Commercial National Security Algorithm Suite version 2.0, mandating transition to quantum-safe cryptographic algorithms by 2033 and suggesting to incorporate ECC at 192-bit security in the meantime. To this end, the present paper aims at providing a comprehensive study on pairings at 192-bit security level. We start with an exhaustive review in the literature to search for all possible recommendations of such pairing constructions, from which we extract the most promising candidates in terms of efficiency and security, with respect to the advanced Special TNFS attacks. Our analysis is focused, not only on the pairing computation itself, but on additional operations that are relevant in pairing-based applications, such as hashing to pairing groups, cofactor clearing and subgroup membership testing. We implement all functionalities of the most promising candidates within the RELIC cryptographic toolkit in order to identify the most efficient pairing implementation at 192-bit security and provide extensive experimental results. <\/jats:p>","DOI":"10.62056\/angyl86bm","type":"journal-article","created":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T15:13:33Z","timestamp":1728314013000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["A short-list of pairing-friendly curves resistant to the Special TNFS algorithm at the 192-bit security level"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2457-0783","authenticated-orcid":false,"given":"Diego","family":"Aranha","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01aj84f44","id-type":"ROR","asserted-by":"publisher"}],"name":"Aarhus University","place":["Aabogade 34, Aarhus, DK-8200, Denmark"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9699-3817","authenticated-orcid":false,"given":"Georgios","family":"Fotiadis","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/036x5ad56","id-type":"ROR","asserted-by":"publisher"}],"name":"Universit\u00e9 du Luxembourg","place":["Esch-sur-Alzette, L-4364, Luxembourg"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0824-7273","authenticated-orcid":false,"given":"Aurore","family":"Guillevic","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01aj84f44","id-type":"ROR","asserted-by":"publisher"}],"name":"Aarhus University","place":["Aabogade 34, Aarhus, DK-8200, Denmark"]},{"id":[{"id":"https:\/\/ror.org\/03fcjvn64","id-type":"ROR","asserted-by":"publisher"}],"name":"Universit\u00e9 de Lorraine, CNRS, Inria, LORIA","place":["Nancy, F-54000, France"]},{"id":[{"id":"https:\/\/ror.org\/04040yw90","id-type":"ROR","asserted-by":"publisher"}],"name":"Univ Rennes, Inria, CNRS, IRISA","place":["Rennes, F-35000, France"]}]}],"member":"48349","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"ref1:C:BonFra01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/3-540-44647-8_13","article-title":"Identity-Based Encryption from the Weil Pairing","volume":"2139","author":"Dan Boneh","year":"2001"},{"key":"ref2:AC:BonLynSha01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"514","DOI":"10.1007\/3-540-45682-1_30","article-title":"Short Signatures from the Weil Pairing","volume":"2248","author":"Dan Boneh","year":"2001"},{"key":"ref3:JC:Joux04","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1007\/s00145-004-0312-y","article-title":"A One Round Protocol for Tripartite Diffie\u2013Hellman","volume":"17","author":"Antoine Joux","year":"2004","journal-title":"Journal of Cryptology"},{"key":"ref4:RSA:PoiSan16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"111","DOI":"10.1007\/978-3-319-29485-8_7","article-title":"Short Randomizable Signatures","volume":"9610","author":"David Pointcheval","year":"2016"},{"key":"ref5:EC:TesZhu23b","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"691","DOI":"10.1007\/978-3-031-30589-4_24","article-title":"Revisiting BBS Signatures","volume":"14008","author":"Stefano Tessaro","year":"2023"},{"key":"ref6:AC:KatZavGol10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-642-17373-8_11","article-title":"Constant-Size Commitments to Polynomials and Their\n Applications","volume":"6477","author":"Aniket Kate","year":"2010"},{"key":"ref7:C:CamLys04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1007\/978-3-540-28628-8_4","article-title":"Signature Schemes and Anonymous Credentials from Bilinear\n Maps","volume":"3152","author":"Jan Camenisch","year":"2004"},{"key":"ref8:EC:Groth16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1007\/978-3-662-49896-5_11","article-title":"On the Size of Pairing-Based Non-interactive Arguments","volume":"9666","author":"Jens Groth","year":"2016"},{"key":"ref9:C:BeuSei23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"518","DOI":"10.1007\/978-3-031-38554-4_17","article-title":"LaBRADOR: Compact Proofs for R1CS from Module-SIS","volume":"14085","author":"Ward Beullens","year":"2023"},{"key":"ref10:AC:BerLan13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1007\/978-3-642-42045-0_17","article-title":"Non-uniform Cracks in the Concrete: The Power of Free\n Precomputation","volume":"8270","author":"Daniel J. Bernstein","year":"2013"},{"key":"ref11:AF:AreFotKon24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1007\/978-3-031-64381-1_13","article-title":"Special TNFS-Secure Pairings on Ordinary Genus 2\n Hyperelliptic Curves","volume":"14861","author":"M\u00f3nica P. Arenas","year":"2024"},{"key":"ref12:SAC:BarNae05","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1007\/11693383_22","article-title":"Pairing-Friendly Elliptic Curves of Prime Order","volume":"3897","author":"Paulo S. L. M. Barreto","year":"2006"},{"key":"ref13:PAIRING:AFKMR12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-642-36334-4_11","article-title":"Implementing Pairings at the 192-Bit Security Level","volume":"7708","author":"Diego F. Aranha","year":"2013"},{"key":"ref14:AC:HSST12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1007\/978-3-642-34961-4_5","article-title":"Breaking Pairing-Based Cryptosystems Using $\\eta_{T}$\n Pairing over $\\text{GF}(3^{97})$","volume":"7658","author":"Takuya Hayashi","year":"2012"},{"key":"ref15:C:KimBar16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"543","DOI":"10.1007\/978-3-662-53018-4_20","article-title":"Extended Tower Number Field Sieve: A New Complexity for\n the Medium Prime Case","volume":"9814","author":"Taechan Kim","year":"2016"},{"volume-title":"BLS12-381: New zk-SNARK Elliptic Curve Construction","year":"2017","author":"Sean Bowe","key":"ref16:Zcash"},{"key":"ref17:ACNS:KIKYTK17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1007\/978-3-319-61204-1_4","article-title":"Secure and Efficient Pairing at 256-Bit Security Level","volume":"10355","author":"Yutaro Kiyomura","year":"2017"},{"key":"ref18:BanAraFou19","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1504\/IJACT.2020.107167","article-title":"Computing the optimal Ate pairing over elliptic curves with\n embedding degrees 54 and 48 at the 256-bit security level","volume":"4","author":"Narcise Bang Mbiang","year":"2019","journal-title":"International Journal of Applied Cryptography (IJACT)"},{"key":"ref19:JC:FreScoTes10","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1007\/s00145-009-9048-z","article-title":"A Taxonomy of Pairing-Friendly Elliptic Curves","volume":"23","author":"David Freeman","year":"2010","journal-title":"Journal of Cryptology"},{"key":"ref20:PKC:Guillevic20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"535","DOI":"10.1007\/978-3-030-45388-6_19","article-title":"A Short-List of Pairing-Friendly Curves Resistant to Special\n TNFS at the 128-Bit Security Level","volume":"12111","author":"Aurore Guillevic","year":"2020"},{"volume-title":"Optimal TNFS-secure pairings on elliptic curves with\n composite embedding degree","year":"2019","author":"Georgios Fotiadis","key":"ref21:EPRINT:FotMar19"},{"volume-title":"An Algebraic Point of View on the Generation of\n Pairing-Friendly Curves","year":"2023","author":"Jean Gasnier","key":"ref22:GasGui23"},{"key":"ref23:AC:ChaRodTib22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-031-22963-3_3","article-title":"SwiftEC: Shallue-van de Woestijne Indifferentiable\n Function to Elliptic Curves - Faster Indifferentiable Hashing to Elliptic\n Curves","volume":"13791","author":"Jorge Ch\u00e1vez-Saab","year":"2022"},{"volume-title":"Pairings for beginners","year":"2012","author":"Craig Costello","key":"ref24:Costello12"},{"key":"ref25:C:BKLS02","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"354","DOI":"10.1007\/3-540-45708-9_23","article-title":"Efficient Algorithms for Pairing-Based Cryptosystems","volume":"2442","author":"Paulo S. L. M. Barreto","year":"2002"},{"key":"ref26:RSA:AraLopHan10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1007\/978-3-642-11925-5_7","article-title":"High-Speed Parallel Software Implementation of the\n $\\eta_{T}$ Pairing","volume":"5985","author":"Diego F. Aranha","year":"2010"},{"key":"ref27:MiyNakTak01","first-page":"1234","article-title":"New Explicit Conditions of Elliptic Curve Traces for\n FR-Reduction","volume":"E84-A","author":"A.\u00a0Miyaji","year":"2001","journal-title":"IEICE Transactions on Fundamentals"},{"key":"ref28:SCN:BarLynSco02","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/3-540-36413-7_19","article-title":"Constructing Elliptic Curves with Prescribed Embedding\n Degrees","volume":"2576","author":"Paulo S. L. M. Barreto","year":"2003"},{"key":"ref29:PAIRING:KacSchSco08","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"126","DOI":"10.1007\/978-3-540-85538-5_9","article-title":"Constructing Brezing-Weng Pairing-Friendly Elliptic\n Curves Using Elements in the Cyclotomic Field","volume":"5209","author":"Ezekiel J. Kachisa","year":"2008"},{"key":"ref30:C:BelUrrSil23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-38545-2_1","article-title":"Revisiting Cycles of Pairing-Friendly Elliptic Curves","volume":"14082","author":"Marta Bell\u00e9s-Mu\u00f1oz","year":"2023"},{"key":"ref31:SIAM:CCW19","doi-asserted-by":"publisher","first-page":"175","DOI":"10.1137\/18M1173708","article-title":"On Cycles of Pairing-Friendly Elliptic Curves","volume":"3","author":"Alessandro Chiesa","year":"2019","journal-title":"SIAM Journal on Applied Algebra and Geometry"},{"key":"ref32:PKC:KimJeo17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"388","DOI":"10.1007\/978-3-662-54365-8_16","article-title":"Extended Tower Number Field Sieve with Application to Finite\n Fields of Arbitrary Composite Extension Degree","volume":"10174","author":"Taechan Kim","year":"2017"},{"key":"ref33:MenSarSin16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1007\/978-3-319-61273-7_5","article-title":"Challenges with Assessing the Impact of NFS Advances on\n the Security of Pairing-Based Cryptography","volume":"10311","author":"Alfred Menezes","year":"2016"},{"volume-title":"Pairing-Friendly Curves","year":"2022","author":"Yumi Sakemi","key":"ref34:IETF-draft-22"},{"volume-title":"BLS signatures","year":"2022","author":"Dan Boneh","key":"ref35:IETF-draft-BLS-sign"},{"volume-title":"Barreto\u2013Lynn\u2013Scott Elliptic Curve Key Representations for\n JOSE and COSE","year":"2023","author":"Michael B. Jones Tobias Looker","key":"ref36:IETF-draft-BLS-key"},{"volume-title":"Constructing Efficient and STNFS\u2013Secure Pairings","year":"2021","author":"Georgios Fotiadis","key":"ref37:Fotiadis21"},{"key":"ref38:CANS:ClaDuqSan20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-030-65411-5_14","article-title":"Curves with Fast Computations in the First Pairing Group","volume":"12579","author":"R\u00e9mi Clarisse","year":"2020"},{"key":"ref39:JC:BarDuq19","doi-asserted-by":"publisher","first-page":"1298","DOI":"10.1007\/s00145-018-9280-5","article-title":"Updating Key Size Estimations for Pairings","volume":"32","author":"Razvan Barbulescu","year":"2019","journal-title":"Journal of Cryptology"},{"key":"ref40:GuiSin21","first-page":"1","article-title":"On the alpha value of polynomials in the Tower Number Field\n Sieve Algorithm","volume":"1","author":"Aurore Guillevic","year":"2021","journal-title":"Mathematical Cryptology"},{"volume-title":"An Implementation of the Extended Tower Number Field Sieve\n using 4D Sieving in a Box and a Record Computation in $\\mathbb{F}_{p^4}$","year":"2022","author":"Oisin Robinson","key":"ref41:Robinson22"},{"key":"ref42:AC:DeMGauPie21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-030-92062-3_3","article-title":"Lattice Enumeration for Tower NFS: A 521-Bit Discrete\n Logarithm Computation","volume":"13090","author":"Gabrielle De Micheli","year":"2021"},{"volume-title":"Pairing-friendly curves","year":"2021","author":"Aurore Guillevic","key":"ref43:blog:Guillevic"},{"volume-title":"RELIC is an Efficient LIbrary for Cryptography","author":"Diego F. Aranha","key":"ref44:relic-toolkit"},{"key":"ref45:LC:AraPagRod21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-3-030-88238-9_16","article-title":"LOVE a Pairing","volume":"12912","author":"Diego F. Aranha","year":"2021"},{"key":"ref46:DCC:AraHouGui23","doi-asserted-by":"publisher","first-page":"3333","DOI":"10.1007\/s10623-022-01135-y","article-title":"A survey of elliptic curves for proof systems","volume":"91","author":"Diego F. Aranha","year":"2023","journal-title":"Des. Codes Cryptography"},{"key":"ref47:TCHES:DaiZhaZha23","doi-asserted-by":"publisher","first-page":"393","DOI":"10.46586\/tches.v2023.i4.393-419","article-title":"Don't Forget Pairing-Friendly Curves with Odd Prime\n Embedding Degrees","volume":"2023","author":"Yu Dai","year":"2023","journal-title":"IACR TCHES"},{"volume-title":"smt-magma","year":"2023","author":"Yu Dai","key":"ref48:github:eccdaiy39"},{"key":"ref49:AFRICACRYPT:HouGuiPie22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"518","DOI":"10.1007\/978-3-031-17433-9_22","article-title":"Co-factor Clearing and Subgroup Membership Testing on\n Pairing-Friendly Curves","volume":"2022","author":"Youssef El Housni","year":"2022"},{"key":"ref50:ACNS:Housni23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"339","DOI":"10.1007\/978-3-031-33488-7_13","article-title":"Pairings in Rank-1 Constraint Systems","volume":"13905","author":"Youssef El Housni","year":"2023"},{"volume-title":"A taxonomy of pairings, their security, their complexity","year":"2019","author":"Razvan Barbulescu","key":"ref51:EPRINT:BarElMGha19"},{"key":"ref52:INDOCRYPT:CosLauNae11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-3-642-25578-6_23","article-title":"Attractive Subfamilies of BLS Curves for Implementing\n High-Security Pairings","volume":"7107","author":"Craig Costello","year":"2011"},{"key":"ref53:PKC:CosLanNae10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1007\/978-3-642-13013-7_14","article-title":"Faster Pairing Computations on Curves with High-Degree\n Twists","volume":"6056","author":"Craig Costello","year":"2010"},{"key":"ref54:TCHES:WahBon19","doi-asserted-by":"publisher","first-page":"154","DOI":"10.13154\/tches.v2019.i4.154-179","article-title":"Fast and simple constant-time hashing to the BLS12-381\n elliptic curve","volume":"2019","author":"Riad S. Wahby","year":"2019","journal-title":"IACR TCHES","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref55:ICISC:ChaSarBar04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"168","DOI":"10.1007\/11496618_13","article-title":"Efficient Computation of Tate Pairing in Projective\n Coordinate over General Characteristic Fields","volume":"3506","author":"Sanjit Chatterjee","year":"2005"},{"key":"ref56:EC:AKLGL11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"48","DOI":"10.1007\/978-3-642-20465-4_5","article-title":"Faster Explicit Formulas for Computing Pairings over\n Ordinary Curves","volume":"6632","author":"Diego F. Aranha","year":"2011"},{"key":"ref57:SAC:FueKnaRod11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"412","DOI":"10.1007\/978-3-642-28496-0_25","article-title":"Faster Hashing to $\\mathbb{G}_2$","volume":"7118","author":"Laura Fuentes-Casta\u00f1eda","year":"2012"},{"volume-title":"Utilisation des Couplages en Cryptographie asym\u00e9trique pour\n la micro-\u00e9lectronique","year":"2016","author":"Loubna Ghammam","key":"ref58:PhD:Ghammam16"},{"key":"ref59:ARITH:ChuHas07","isbn-type":"print","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1109\/ARITH.2007.11","article-title":"Asymmetric Squaring Formulae","author":"Jaewook Chung","year":"2007","ISBN":"https:\/\/id.crossref.org\/isbn\/0769528546"},{"key":"ref60:Montgomery05","doi-asserted-by":"publisher","first-page":"362","DOI":"10.1109\/TC.2005.49","article-title":"Five, Six, and Seven-Term Karatsuba-Like Formulae","volume":"54","author":"P. L. Montgomery","year":"2005","journal-title":"IEEE Transactions on Computer"},{"key":"ref61:PKC:GraSco10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-642-13013-7_13","article-title":"Faster Squaring in the Cyclotomic Subgroup of Sixth Degree\n Extensions","volume":"6056","author":"Robert Granger","year":"2010"},{"volume-title":"Algorithmic of curves in the context of bilinear and\n post-quantum cryptography","year":"2020","author":"Simon Masson","key":"ref62:PhD:Masson20"},{"key":"ref63:C:GalLamVan01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1007\/3-540-44647-8_11","article-title":"Faster Point Multiplication on Elliptic Curves with\n Efficient Endomorphisms","volume":"2139","author":"Robert P. Gallant","year":"2001"},{"key":"ref64:JC:GalLinSco11","doi-asserted-by":"publisher","first-page":"446","DOI":"10.1007\/s00145-010-9065-y","article-title":"Endomorphisms for Faster Elliptic Curve Cryptography on a\n Large Class of Curves","volume":"24","author":"Steven D. Galbraith","year":"2011","journal-title":"Journal of Cryptology"},{"key":"ref65:AFRICACRYPT:JoyTun09","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"334","DOI":"10.1007\/978-3-642-02384-2_21","article-title":"Exponent Recoding and Regular Exponentiation Algorithms","volume":"5580","author":"Marc Joye","year":"2009"},{"key":"ref66:CHES:OLAR13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"311","DOI":"10.1007\/978-3-642-40349-1_18","article-title":"Lambda Coordinates for Binary Elliptic Curves","volume":"8086","author":"Thomaz Oliveira","year":"2013"},{"key":"ref67:JCEng:FazLonSan15","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1007\/s13389-014-0085-7","article-title":"Efficient and secure algorithms for GLV-based scalar\n multiplication and their implementation on GLV-GLS curves (extended\n version)","volume":"5","author":"Armando Faz-Hern\u00e1ndez","year":"2015","journal-title":"Journal of Cryptographic Engineering"},{"key":"ref68:PAIRING:GalSco08","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-3-540-85538-5_15","article-title":"Exponentiation in Pairing-Friendly Groups Using\n Homomorphisms","volume":"5209","author":"Steven D. Galbraith","year":"2008"},{"key":"ref69:C:BCIMRT10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"237","DOI":"10.1007\/978-3-642-14623-7_13","article-title":"Efficient Indifferentiable Hashing into Ordinary Elliptic\n Curves","volume":"6223","author":"Eric Brier","year":"2010"},{"key":"ref70:rfc9380","series-title":"Request for Comments","doi-asserted-by":"publisher","DOI":"10.17487\/RFC9380","volume-title":"Hashing to Elliptic Curves","author":"Armando Faz-Hernandez","year":"2023"},{"key":"ref71:Schoof87","doi-asserted-by":"publisher","first-page":"183","DOI":"10.1016\/0097-3165(87)90003-3","article-title":"Nonsingular plane cubic curves over finite fields","volume":"46","author":"Ren\u00e9 Schoof","year":"1987","journal-title":"Journal of Combinatorial Theory, Series A","ISSN":"https:\/\/id.crossref.org\/issn\/0097-3165","issn-type":"electronic"},{"key":"ref72:EC:HouGui22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"367","DOI":"10.1007\/978-3-031-07085-3_13","article-title":"Families of SNARK-Friendly 2-Chains of Elliptic Curves","volume":"13276","author":"Youssef El Housni","year":"2022"},{"key":"ref73:SNCS:FouAze20","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1007\/S42979-019-0053-5","article-title":"Fast Hashing to $\\mathbb{G}_2$ on Aurifeuillean\n Pairing-Friendly Elliptic Curves","volume":"1","author":"Emmanuel Fouotsa","year":"2020","journal-title":"SN Comput. Sci."},{"volume-title":"A note on group membership tests for ${G_1}$, ${G_2}$\n and ${G_T}$ on BLS pairing-friendly curves","year":"2021","author":"Michael Scott","key":"ref74:EPRINT:Scott21"},{"key":"ref75:Smith15","series-title":"Algorithmic Arithmetic, Geometry, and Coding Theory","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1090\/conm\/637\/12753","article-title":"Easy scalar decompositions for efficient scalar\n multiplication on elliptic curves and genus 2 Jacobians","volume":"637","author":"Benjamin Smith","year":"2015","journal-title":"Contemporary mathematics"},{"key":"ref76:EC:RenCosBat16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"403","DOI":"10.1007\/978-3-662-49890-3_16","article-title":"Complete Addition Formulas for Prime Order Elliptic Curves","volume":"9665","author":"Joost Renes","year":"2016"},{"key":"ref77:TCHES:Longa23","doi-asserted-by":"publisher","first-page":"445","DOI":"10.46586\/tches.v2023.i3.445-472","article-title":"Efficient Algorithms for Large Prime Characteristic Fields\n and Their Application to Bilinear Pairings","volume":"2023","author":"Patrick Longa","year":"2023","journal-title":"IACR TCHES"},{"key":"ref78:SAC:BosCosNae13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"438","DOI":"10.1007\/978-3-662-43414-7_22","article-title":"Exponentiating in Pairing Groups","volume":"8282","author":"Joppe W. Bos","year":"2014"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:28:04Z","timestamp":1733866084000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/3\/3"}},"issued":{"date-parts":[[2024,10,7]]},"references-count":78,"URL":"https:\/\/doi.org\/10.62056\/angyl86bm","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2024-04-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-2-41"},{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T21:34:28Z","timestamp":1767994468970,"version":"3.49.0"},"reference-count":31,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T00:00:00Z","timestamp":1736726400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":" In this paper, we study MDS matrices that are specifically designed to prevent the occurrence of related differentials. We investigate MDS matrices with a Hadamard structure and demonstrate that it is possible to construct 4 X 4 Hadamard matrices that effectively eliminate related differentials. Incorporating these matrices into the linear layer of AES-like block-ciphers\/hash functions significantly mitigates the attacks that exploit the related differentials property. The central contribution of this paper is to identify crucial underlying relations that determine whether a given 4 X 4 Hadamard matrix exhibits related differentials. By satisfying these relations, the matrix ensures the presence of related differentials, whereas failing to meet them leads to the absence of such differentials. This offers effective mitigation of recently reported attacks on reduced-round AES. Furthermore, we propose a faster search technique to exhaustively verify the presence or absence of related differentials in 8 X 8 Hadamard matrices over finite field of characteristic 2 which requires checking only a subset of involutory matrices in the set. Although most existing studies on constructing MDS matrices primarily focus on lightweight hardware\/software implementations, our research additionally introduces a novel perspective by emphasizing the importance of MDS matrix construction in relation to their resistance against differential cryptanalysis. <\/jats:p>","DOI":"10.62056\/a6ksdk5vt","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Construction of Hadamard-based MixColumns Matrices Resistant to Related-Differential Cryptanalysis"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4584-3194","authenticated-orcid":false,"given":"Sonu","family":"Jha","sequence":"first","affiliation":[{"name":"Norwegian University of Science and Technology","place":["Gl\u00f8shaugen, Trondheim, 7034, Norway"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7663-8321","authenticated-orcid":false,"given":"Shun","family":"Li","sequence":"additional","affiliation":[{"name":"Chinese Academy of Sciences","place":["52 Sanlihe Rd, Beijing, 100045, China"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7078-6139","authenticated-orcid":false,"given":"Danilo","family":"Gligoroski","sequence":"additional","affiliation":[{"name":"Norwegian University of Science and Technology","place":["Gl\u00f8shaugen, Trondheim, 7034, Norway"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:joan2002design","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-04722-4","article-title":"The design of Rijndael: AES-the advanced encryption\n standard","author":"Joan Daemen","year":"2002","journal-title":"Information Security and Cryptography"},{"key":"ref2:ccds:DaemenR091","doi-asserted-by":"publisher","first-page":"47","DOI":"10.1007\/s12095-008-0003-x","article-title":"New Criteria for Linear Maps in AES-like Ciphers","volume":"1","author":"Joan Daemen","year":"2009","journal-title":"Cryptogr. Commun."},{"key":"ref3:2022:487","doi-asserted-by":"publisher","first-page":"43","DOI":"10.46586\/tosc.v2022.i2.43-62","article-title":"New Key-Recovery Attack on Reduced-Round AES","volume":"2022","author":"Navid Ghaedi Bardeh","year":"2022","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref4:AC:RonBarHel17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-319-70694-8_8","article-title":"Yoyo Tricks with AES","volume":"10624","author":"Sondre R\u00f8njom","year":"2017"},{"key":"ref5:guo2011photon","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/978-3-642-22792-9_13","article-title":"The PHOTON family of lightweight hash functions","author":"Jian Guo","year":"2011"},{"key":"ref6:guo2011led","doi-asserted-by":"publisher","first-page":"326","DOI":"10.1007\/978-3-642-23951-9_22","article-title":"The LED block cipher","author":"Jian Guo","year":"2011"},{"key":"ref7:SAC:WuWanWu12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/978-3-642-35999-6_23","article-title":"Recursive Diffusion Layers for (Lightweight) Block Ciphers\n and Hash Functions","volume":"7707","author":"Shengbao Wu","year":"2013"},{"key":"ref8:berger2013construction","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1007\/978-3-319-03515-4_18","article-title":"Construction of recursive MDS diffusion layers from\n Gabidulin codes","author":"Thierry P Berger","year":"2013"},{"key":"ref9:augot2015direct","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-662-46706-0_1","article-title":"Direct construction of recursive MDS diffusion layers using\n shortened BCH codes","author":"Daniel Augot","year":"2014"},{"key":"ref10:cauchois2016direct","doi-asserted-by":"publisher","DOI":"10.13154\/TOSC.V2016.I2.80-98","article-title":"Direct construction of quasi-involutory recursive-like MDS\n matrices from 2-cyclic codes","author":"Victor Cauchois","year":"2016","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref11:gupta2017towards","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/S10623-016-0261-0","article-title":"Towards a general construction of recursive MDS diffusion\n layers","volume":"82","author":"Kishan Chand Gupta","year":"2017","journal-title":"Designs, Codes and Cryptography"},{"key":"ref12:toh2018lightweight","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1007\/978-3-319-89339-6_4","article-title":"Lightweight MDS serial-type matrices with minimal fixed XOR\n count","author":"Dylan Toh","year":"2018"},{"key":"ref13:light","doi-asserted-by":"publisher","first-page":"147","DOI":"10.13154\/tosc.v2019.i4.147-170","article-title":"Lightweight Iterative MDS Matrices: How Small Can We Go?","volume":"2019, Issue 4","author":"Shun Li","year":"2020","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref14:hadamardeqv","isbn-type":"print","doi-asserted-by":"publisher","first-page":"471","DOI":"10.1007\/978-3-662-48116-5_23","article-title":"Lightweight MDS Involution Matrices","author":"Siang Meng Sim","year":"2015","ISBN":"https:\/\/id.crossref.org\/isbn\/9783662481165"},{"key":"ref15:DBLP:conf\/crypto\/BeierleKL16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1007\/978-3-662-53018-4_23","article-title":"Lightweight Multiplication in GF(2n) with Applications\n to MDS Matrices","volume":"9814","author":"Christof Beierle","year":"2016"},{"key":"ref16:DBLP:conf\/fse\/LiuS16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/978-3-662-52993-5_6","article-title":"Lightweight MDS Generalized Circulant Matrices","volume":"9783","author":"Meicheng Liu","year":"2016"},{"key":"ref17:DBLP:conf\/fse\/LiW16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1007\/978-3-662-52993-5_7","article-title":"On the Construction of Lightweight Circulant Involutory\n MDS Matrices","volume":"9783","author":"Yongqiang Li","year":"2016"},{"key":"ref18:DBLP:conf\/africacrypt\/SarkarS16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1007\/978-3-319-31517-1_9","article-title":"A Deeper Understanding of the XOR Count Distribution in\n the Context of Lightweight Cryptography","volume":"9646","author":"Sumanta Sarkar","year":"2016"},{"key":"ref19:DBLP:journals\/tosc\/SarkarS16","doi-asserted-by":"publisher","first-page":"95","DOI":"10.13154\/tosc.v2016.i1.95-113","article-title":"Lightweight Diffusion Layer: Importance of Toeplitz\n Matrices","volume":"2016","author":"Sumanta Sarkar","year":"2016","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref20:DBLP:journals\/tosc\/LiW17","doi-asserted-by":"publisher","first-page":"129","DOI":"10.13154\/tosc.v2017.i1.129-155","article-title":"Design of Lightweight Linear Diffusion Layers from Near-MDS\n Matrices","volume":"2017","author":"Chaoyun Li","year":"2017","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref21:DBLP:conf\/acisp\/SarkarS17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-59870-3_1","article-title":"Analysis of Toeplitz MDS Matrices","volume":"10343","author":"Sumanta Sarkar","year":"2017"},{"key":"ref22:DBLP:journals\/tosc\/JeanPST17","doi-asserted-by":"publisher","first-page":"130","DOI":"10.13154\/tosc.v2017.i4.130-168","article-title":"Optimizing Implementations of Lightweight Building Blocks","volume":"2017","author":"J\u00e9r\u00e9my Jean","year":"2017","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref23:kranz2017shorter","doi-asserted-by":"publisher","first-page":"188","DOI":"10.13154\/TOSC.V2017.I4.188-211","article-title":"Shorter linear straight-line programs for MDS matrices","author":"Thorsten Kranz","year":"2017","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref24:DBLP:journals\/tosc\/ZhouWS18","doi-asserted-by":"publisher","first-page":"180","DOI":"10.13154\/tosc.v2018.i1.180-200","article-title":"On Efficient Constructions of Lightweight MDS Matrices","volume":"2018","author":"Lijing Zhou","year":"2018","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref25:DBLP:journals\/tosc\/DuvalL18","doi-asserted-by":"publisher","first-page":"48","DOI":"10.13154\/tosc.v2018.i2.48-78","article-title":"MDS Matrices with Lightweight Circuits","volume":"2018","author":"S\u00e9bastien Duval","year":"2018","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref26:li2019constructing","doi-asserted-by":"publisher","first-page":"84","DOI":"10.13154\/TOSC.V2019.I1.84-117","article-title":"Constructing low-latency involutory MDS matrices with\n lightweight circuits","author":"Shun Li","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref27:Anubis","volume-title":"The Anubis block cipher","author":"Paulo Barreto","year":"2000"},{"key":"ref28:hadamard","doi-asserted-by":"publisher","first-page":"348","DOI":"10.1049\/iet-ifs.2017.0156","article-title":"Generalisation of Hadamard matrix to generate involutory MDS\n matrices for lightweight cryptography","volume":"12","author":"Meltem Kurt Pehlivano\u011flu","year":"2018","journal-title":"IET Information Security"},{"key":"ref29:MacWilliams1977","volume-title":"The Theory of Error-Correcting Codes","author":"F. Jessie MacWilliams","year":"1977"},{"key":"ref30:AES","volume-title":"Advanced Encryption Standard (AES)","year":"2001"},{"key":"ref31:ToSC:XZLBZ20","doi-asserted-by":"publisher","first-page":"120","DOI":"10.13154\/tosc.v2020.i2.120-145","article-title":"Optimizing Implementations of Linear Layers","volume":"2020","author":"Zejun Xiang","year":"2020","journal-title":"IACR Trans. Symm. Cryptol.","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:25:31Z","timestamp":1744147531000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/37"}},"issued":{"date-parts":[[2025,4,8]]},"references-count":31,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/a6ksdk5vt","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2025-01-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-1-60"},{"indexed":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T11:40:39Z","timestamp":1763811639286,"version":"3.41.2"},"reference-count":11,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2024,10,9]],"date-time":"2024-10-09T00:00:00Z","timestamp":1728432000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":" We construct the following cryptographic primitives with unconditional security in a bounded-key model: <\/jats:p>\n * One-time public-key encryption, where the public keys are pure quantum states <\/jats:p>\n * One-time signatures, where the verification keys are pure quantum states. <\/jats:p>\n In our model, the adversary is given a bounded number of copies of the public key. We present efficient constructions and nearly-tight lower bounds for the size of the secret keys.<\/jats:p>\n Our security proofs are based on the quantum coupon collector problem, which was originally studied in the context of learning theory. The quantum coupon collector seeks to learn a set of strings (coupons) when given several copies of a superposition over the coupons. We make novel connections between this problem and cryptography.<\/jats:p>\n Our main technical ingredient is a family of coupon states, with randomized phases, that come with strong hardness properties. Our analysis improves on prior work by (i) showing that the number of quantum states needed to learn the entire set of coupons is identical to the number of random coupons needed in the classical coupon collector problem. (ii) Furthermore we prove that this result holds for a randomly chosen set of coupons, whereas prior work only lower-bounded the number of coupon states required to learn the worst-case set of coupons. <\/jats:p>","DOI":"10.62056\/ayzoxrxqi","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Unconditional Quantum Cryptography with a Bounded Number of Keys"],"prefix":"10.62056","volume":"2","author":[{"given":"Vipul","family":"Goyal","sequence":"first","affiliation":[{"name":"NTT Research","place":["USA"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-9737-0094","authenticated-orcid":false,"given":"Giulio","family":"Malavolta","sequence":"additional","affiliation":[{"name":"Bocconi University","place":["Italy"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4057-5952","authenticated-orcid":false,"given":"Bhaskar","family":"Roberts","sequence":"additional","affiliation":[{"name":"UC Berkeley","place":["USA"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:ABC+20","series-title":"Leibniz International Proceedings in Informatics (LIPIcs)","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.TQC.2020.10","article-title":"Quantum Coupon Collector","volume":"158","author":"Srinivasan Arunachalam","year":"2020","ISBN":"https:\/\/id.crossref.org\/isbn\/9783959771467","ISSN":"https:\/\/id.crossref.org\/issn\/1868-8969","issn-type":"electronic"},{"key":"ref2:BGH+23","isbn-type":"print","doi-asserted-by":"publisher","first-page":"198","DOI":"10.1007\/978-3-031-48624-1_8","article-title":"Public-Key Encryption with\u00a0Quantum Keys","author":"Khashayar Barooti","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031486241"},{"key":"ref3:SWAP","doi-asserted-by":"publisher","first-page":"167902","DOI":"10.1103\/PhysRevLett.87.167902","article-title":"Quantum Fingerprinting","volume":"87","author":"Harry Buhrman","year":"2001","journal-title":"Phys. Rev. Lett."},{"key":"ref4:C:MorYam22","isbn-type":"print","doi-asserted-by":"publisher","first-page":"269","DOI":"10.1007\/978-3-031-15802-5_10","article-title":"Quantum Commitments and\u00a0Signatures Without One-Way\n Functions","author":"Tomoyuki Morimae","year":"2022","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031158025"},{"key":"ref5:Tamper","isbn-type":"print","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1007\/978-3-031-68394-7_4","article-title":"Quantum Public-Key Encryption with\u00a0Tamper-Resilient Public\n Keys from\u00a0One-Way Functions","author":"Fuyuki Kitagawa","year":"2024","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031683947"},{"key":"ref6:NIQKD","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2304.02999","article-title":"Non-Interactive Quantum Key Distribution","volume":"abs\/2304.02999","author":"Giulio Malavolta","year":"2023","journal-title":"CoRR"},{"key":"ref7:ITMACs","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1145\/800105.803400","article-title":"Universal Classes of Hash Functions (Extended Abstract)","author":"Larry Carter","year":"1977"},{"key":"ref8:BBSS23","isbn-type":"print","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1007\/978-3-031-48624-1_5","article-title":"Pseudorandomness with\u00a0Proof of\u00a0Destruction\n and\u00a0Applications","author":"Amit Behera","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031486241"},{"key":"ref9:KL14","isbn-type":"print","doi-asserted-by":"crossref","DOI":"10.1201\/b17668","volume-title":"Introduction to Modern Cryptography, Second Edition","author":"Jonathan Katz","year":"2014","ISBN":"https:\/\/id.crossref.org\/isbn\/1466570261"},{"volume-title":"Quantum Pseudoentanglement","year":"2023","author":"Scott Aaronson","key":"ref10:ABFGVZZ23"},{"key":"ref11:HKP20","doi-asserted-by":"publisher","first-page":"1050","DOI":"10.1038\/s41567-020-0932-7","article-title":"Predicting many properties of a quantum system from very few\n measurements","volume":"16","author":"Hsin-Yuan Huang","year":"2020","journal-title":"Nature Physics"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:30Z","timestamp":1744147410000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/5"}},"issued":{"date-parts":[[2025,4,8]]},"references-count":11,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/ayzoxrxqi","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2024-10-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-4-56"},{"indexed":{"date-parts":[[2025,12,7]],"date-time":"2025-12-07T13:10:34Z","timestamp":1765113034829,"version":"3.41.2"},"reference-count":30,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,7,2]],"date-time":"2024-07-02T00:00:00Z","timestamp":1719878400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100014895","name":"Open Philanthropy","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100014895","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,9,2]]},"abstract":" Oblivious Pseudorandom Functions (OPRFs) allow a client to evaluate a pseudorandom function (PRF) on her secret input based on a key that is held by a server. In the process, the client only learns the PRF output but not the key, while the server neither learns the input nor the output of the client. The arguably most popular OPRF is due to Naor, Pinkas and Reingold (Eurocrypt 2009). It is based on an Oblivious Exponentiation by the server, with passive security under the Decisional Diffie-Hellman assumption. In this work, we strengthen the security guarantees of the NPR OPRF by protecting it against active attacks of the server. We have implemented our solution and report on the performance. Our main result is a new batch OPRF protocol which is secure against maliciously corrupted servers, but is essentially as efficient as the semi-honest solution. More precisely, the computation (and communication) overhead is a multiplicative factor \n \n o<\/mml:mi>\n (<\/mml:mo>\n 1<\/mml:mn>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> as the batch size increases. The obvious solution using zero-knowledge proofs would have a constant factor overhead at best, which can be too expensive for certain deployments. Our protocol relies on a novel version of the DDH problem, which we call the Oblivious Exponentiation Problem (OEP), and we give evidence for its hardness in the Generic Group model. We also present a variant of our maliciously secure protocol that does not rely on the OEP but nevertheless only has overhead \n \n o<\/mml:mi>\n (<\/mml:mo>\n 1<\/mml:mn>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> over the known semi-honest protocol. Moreover, we show that our techniques can also be used to efficiently protect threshold blind BLS signing and threshold ElGamal decryption against malicious attackers. <\/jats:p>","DOI":"10.62056\/a66cy7qiu","type":"journal-article","created":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T15:13:33Z","timestamp":1728314013000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":3,"title":["Efficient Maliciously Secure Oblivious Exponentiations"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7905-0198","authenticated-orcid":false,"given":"Carsten","family":"Baum","sequence":"first","affiliation":[{"name":"Technical University of Denmark","place":["Kgs. Lyngby, Denmark"],"department":["DTU Compute"]}]},{"given":"Jens","family":"Berlips","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"given":"Walther","family":"Chen","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-6164-0896","authenticated-orcid":false,"given":"Ivan","family":"Damg\u00e5rd","sequence":"additional","affiliation":[{"name":"Aarhus University","place":["Aarhus, Denmark"],"department":["Department of Computer Science"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8797-3945","authenticated-orcid":false,"given":"Kevin","family":"Esvelt","sequence":"additional","affiliation":[{"name":"MIT","place":["Cambridge, USA"],"department":["Media Lab"]}]},{"given":"Leonard","family":"Foner","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4726-9149","authenticated-orcid":false,"given":"Dana","family":"Gretton","sequence":"additional","affiliation":[{"name":"MIT","place":["Cambridge, USA"],"department":["Media Lab"]}]},{"given":"Martin","family":"Kysel","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"given":"Ronald","family":"Rivest","sequence":"additional","affiliation":[{"name":"MIT","place":["Cambridge, USA"],"department":["Computer Science & AI Lab"]}]},{"given":"Lawrence","family":"Roy","sequence":"additional","affiliation":[{"name":"Aarhus University","place":["Aarhus, Denmark"],"department":["Department of Computer Science"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3277-9668","authenticated-orcid":false,"given":"Francesca","family":"Sage-Ling","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"given":"Adi","family":"Shamir","sequence":"additional","affiliation":[{"name":"Weizmann Institute","place":["Rehovot, Israel"],"department":["Department of Computer Science"]}]},{"given":"Vinod","family":"Vaikuntanathan","sequence":"additional","affiliation":[{"name":"MIT","place":["Cambridge, USA"],"department":["Computer Science & AI Lab"]}]},{"given":"Lynn","family":"Van Hauwe","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"given":"Theia","family":"Vogel","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"given":"Benjamin","family":"Weinstein-Raun","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"given":"Daniel","family":"Wichs","sequence":"additional","affiliation":[{"name":"Northeastern University","place":["Boston, USA"],"department":["Khoury College of Computer Sciences"]},{"name":"NTT Research","place":["Sunnyvale, USA"],"department":["Cryptography & Information Security"]}]},{"given":"Stephen","family":"Wooster","sequence":"additional","affiliation":[{"name":"SecureDNA Foundation","place":["Zug, Switzerland"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3648-5594","authenticated-orcid":false,"given":"Andrew","family":"Yao","sequence":"additional","affiliation":[{"name":"Tsinghua University","place":["Beijing, China"],"department":["Institute for Interdisciplinary Information Sciences"]}]},{"given":"Yu","family":"Yu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University","place":["Shanghai, China"],"department":["Department of Computer Science and Engineering"]}]}],"member":"48349","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"ref1:TCC:HazLin08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/978-3-540-78524-8_10","article-title":"Efficient Protocols for Set Intersection and Pattern\n Matching with Security Against Malicious and Covert Adversaries","volume":"4948","author":"Carmit Hazay","year":"2008"},{"key":"ref2:CCS:CamLehNev15","doi-asserted-by":"publisher","first-page":"182","DOI":"10.1145\/2810103.2813722","article-title":"Optimal Distributed Password Verification","author":"Jan Camenisch","year":"2015"},{"key":"ref3:USENIX:ECSJR15","first-page":"547","article-title":"The Pythia PRF Service","author":"Adam Everspaugh","year":"2015"},{"key":"ref4:AC:JarKiaKra14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1007\/978-3-662-45608-8_13","article-title":"Round-Optimal Password-Protected Secret Sharing and\n T-PAKE in the Password-Only Model","volume":"8874","author":"Stanislaw Jarecki","year":"2014"},{"key":"ref5:ACNS:JKKX17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/978-3-319-61204-1_3","article-title":"TOPPSS: Cost-Minimal Password-Protected Secret Sharing\n Based on Threshold OPRF","volume":"10355","author":"Stanislaw Jarecki","year":"2017"},{"key":"ref6:CCS:AMMM18","doi-asserted-by":"publisher","first-page":"2042","DOI":"10.1145\/3243734.3243839","article-title":"PASTA: PASsword-based Threshold Authentication","author":"Shashank Agrawal","year":"2018"},{"key":"ref7:baum2020pesto","doi-asserted-by":"publisher","first-page":"587","DOI":"10.1109\/EuroSP48549.2020.00044","article-title":"PESTO: proactively secure distributed single sign-on, or how\n to trust a hacked server","author":"Carsten Baum","year":"2020"},{"key":"ref8:PoPETS:DGSTV18","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1515\/popets-2018-0026","article-title":"Privacy Pass: Bypassing Internet Challenges Anonymously","volume":"2018","author":"Alex Davidson","year":"2018","journal-title":"Proceedings on Privacy Enhancing Technologies"},{"key":"ref9:EUROSP:CasHesLeh22","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1109\/EuroSP53844.2022.00045","article-title":"SoK: Oblivious Pseudorandom Functions","author":"S\u00edlvia Casacuberta","year":"2022"},{"key":"ref10:EC:NaoPinRei99","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"327","DOI":"10.1007\/3-540-48910-X_23","article-title":"Distributed Pseudo-random Functions and KDCs","volume":"1592","author":"Moni Naor","year":"1999"},{"key":"ref11:TCC:Peikert06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1007\/11681878_9","article-title":"On Error Correction in the Exponent","volume":"3876","author":"Chris Peikert","year":"2006"},{"key":"ref12:biopaper","doi-asserted-by":"publisher","DOI":"10.1101\/2024.03.20.585782","volume-title":"Random adversarial threshold search enables automated DNA\n screening","author":"Dana Gretton","year":"2024","journal-title":"bioRxiv"},{"volume-title":"A system capable of verifiably and privately screening\n global DNA synthesis","year":"2024","author":"Carsten Baum","key":"ref13:systempaper"},{"key":"ref14:EC:BelGarRab98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1007\/BFb0054130","article-title":"Fast Batch Verification for Modular Exponentiation and\n Digital Signatures","volume":"1403","author":"Mihir Bellare","year":"1998"},{"key":"ref15:EC:Chaum90","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"458","DOI":"10.1007\/3-540-46877-3_41","article-title":"Zero-Knowledge Undeniable Signatures","volume":"473","author":"David Chaum","year":"1991"},{"key":"ref16:AC:GLSY04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"276","DOI":"10.1007\/978-3-540-30539-2_20","article-title":"Batching Schnorr Identification Scheme with Applications\n to Privacy-Preserving Authorization and Low-Bandwidth Communication Devices","volume":"3329","author":"Rosario Gennaro","year":"2004"},{"key":"ref17:SP:BBBPWM18","doi-asserted-by":"publisher","first-page":"315","DOI":"10.1109\/SP.2018.00020","article-title":"Bulletproofs: Short Proofs for Confidential Transactions and\n More","author":"Benedikt B\u00fcnz","year":"2018"},{"key":"ref18:C:AttCra20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/978-3-030-56877-1_18","article-title":"Compressed $\\varSigma$-Protocol Theory and Practical\n Application to Plug & Play Secure Algorithmics","volume":"12172","author":"Thomas Attema","year":"2020"},{"key":"ref19:naor_reingold","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1145\/972639.972643","article-title":"Number-theoretic constructions of efficient pseudo-random\n functions","volume":"51","author":"Moni Naor","year":"2004","journal-title":"Journal of the ACM (JACM)"},{"key":"ref20:PKC:DodYam05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"416","DOI":"10.1007\/978-3-540-30580-4_28","article-title":"A Verifiable Random Function with Short Proofs and Keys","volume":"3386","author":"Yevgeniy Dodis","year":"2005"},{"key":"ref21:C:IKNP03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1007\/978-3-540-45146-4_9","article-title":"Extending Oblivious Transfers Efficiently","volume":"2729","author":"Yuval Ishai","year":"2003"},{"key":"ref22:CCS:KKRT16","doi-asserted-by":"publisher","first-page":"818","DOI":"10.1145\/2976749.2978381","article-title":"Efficient Batched Oblivious PRF with Applications to\n Private Set Intersection","author":"Vladimir Kolesnikov","year":"2016"},{"key":"ref23:C:MPRSY20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-030-56877-1_1","article-title":"Two-Sided Malicious Security for Private Intersection-Sum\n with Cardinality","volume":"12172","author":"Peihan Miao","year":"2020"},{"key":"ref24:FOCS:Canetti01","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1109\/SFCS.2001.959888","article-title":"Universally Composable Security: A New Paradigm for\n Cryptographic Protocols","author":"Ran Canetti","year":"2001"},{"key":"ref25:EC:CDGLN18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-319-78381-9_11","article-title":"The Wonderful World of Global Random Oracles","volume":"10820","author":"Jan Camenisch","year":"2018"},{"key":"ref26:RSA:AbdPoi05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-540-30574-3_14","article-title":"Simple Password-Based Encrypted Key Exchange Protocols","volume":"3376","author":"Michel Abdalla","year":"2005"},{"key":"ref27:FC:Szydlo06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"166","DOI":"10.1007\/11889663_14","article-title":"A Note on Chosen-Basis Decisional Diffie-Hellman\n Assumptions","volume":"4107","author":"Michael Szydlo","year":"2006"},{"key":"ref28:JC:BFFMSS19","doi-asserted-by":"publisher","first-page":"324","DOI":"10.1007\/s00145-018-9302-3","article-title":"Automated Analysis of Cryptographic Assumptions in Generic\n Group Models","volume":"32","author":"Gilles Barthe","year":"2019","journal-title":"Journal of Cryptology"},{"key":"ref29:JC:BonLynSha04","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/s00145-004-0314-9","article-title":"Short Signatures from the Weil Pairing","volume":"17","author":"Dan Boneh","year":"2004","journal-title":"Journal of Cryptology"},{"key":"ref30:elgamal","doi-asserted-by":"publisher","first-page":"469","DOI":"10.1109\/TIT.1985.1057074","article-title":"A public key cryptosystem and a signature scheme based on\n discrete logarithms","volume":"31","author":"Taher ElGamal","year":"1985","journal-title":"IEEE transactions on information theory"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:28:11Z","timestamp":1733866091000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/3\/10"}},"issued":{"date-parts":[[2024,10,7]]},"references-count":30,"URL":"https:\/\/doi.org\/10.62056\/a66cy7qiu","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2024-07-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-3-30"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:58Z","timestamp":1753895098660,"version":"3.41.2"},"reference-count":49,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2024,10,9]],"date-time":"2024-10-09T00:00:00Z","timestamp":1728432000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":"LLL-style lattice reduction algorithms iteratively employ size reduction and reordering on ordered basis vectors to find progressively shorter, more orthogonal vectors. DeepLLL reorders the basis through deep insertions, yielding much shorter vectors than LLL. DeepLLL was introduced alongside BKZ, however, the latter has received greater attention and has emerged as the state-of-the-art. We first show that LLL-style algorithms work with a designated measure of basis quality and iteratively improves it; specifically, DeepLLL improves a sublattice measure based on the generalised Lov\u00e1sz condition. We then introduce a new generic framework X-GG for lattice reduction algorithms that work with a measure X of basis quality. X-GG globally searches for deep insertions that minimise X in each iteration. We instantiate the framework with two quality measures \u2013 basis potential (Pot) and squared sum (SS) \u2013 both of which have corresponding DeepLLL algorithms. We prove polynomial runtimes for our X-GG algorithms and also prove their output to be X-DeepLLL reduced. Our experiments on non-preprocessed bases show that X-GG produces better quality outputs whilst being much faster than the corresponding DeepLLL algorithms. We also compare SS-GG and the FPLLL implementation of BKZ with LLL-preprocessed bases. In small dimensions (40 to 210), SS-GG is significantly faster than BKZ with block sizes 8 to 12, while simultaneously also providing better output quality in most cases. In higher dimensions (250 and beyond), by varying the threshold \n \n \u03b4<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> for deep insertion, SS-GG offers new trade-offs between the output quality and runtime. On the one hand, it provides significantly better runtime than BKZ-5 with worse output quality; on the other hand, it is significantly faster than BKZ-21 while providing increasingly better output quality after around dimension 350. <\/jats:p>","DOI":"10.62056\/aevuommol","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["A Greedy Global Framework for Lattice Reduction Using Deep Insertions"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3367-6192","authenticated-orcid":false,"given":"Sanjay","family":"Bhattacherjee","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/00xkeyj56","id-type":"ROR","asserted-by":"publisher"}],"name":"School of Computing, University of Kent","place":["Giles Lane, Canterbury, CT2 7NZ, United Kingdom"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6432-5328","authenticated-orcid":false,"given":"Julio","family":"Hernandez-Castro","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/03n6nwv02","id-type":"ROR","asserted-by":"publisher"}],"name":"ETSISI, Universidad Polit\u00e9cnica de Madrid","place":["Puente de Vallecas, Madrid, 28031, Spain"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-1094-9387","authenticated-orcid":false,"given":"Jack","family":"Moyler","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/00xkeyj56","id-type":"ROR","asserted-by":"publisher"}],"name":"School of Computing, University of Kent","place":["Giles Lane, Canterbury, CT2 7NZ, United Kingdom"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:ACDDPPVW18","isbn-type":"print","doi-asserted-by":"publisher","first-page":"351","DOI":"10.1007\/978-3-319-98113-0_19","article-title":"Estimate All the {LWE, NTRU} Schemes!","author":"Martin R. Albrecht","year":"2018","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319981130"},{"key":"ref2:ADHKPS19","doi-asserted-by":"publisher","first-page":"717","DOI":"10.1007\/978-3-030-17656-3_25","article-title":"The General Sieve Kernel and New Records in Lattice\n Reduction","author":"Martin R. Albrecht","year":"2019"},{"key":"ref3:Odlyzko84","doi-asserted-by":"publisher","first-page":"594","DOI":"10.1109\/TIT.1984.1056942","article-title":"Cryptanalytic attacks on the multiplicative knapsack\n cryptosystem and on Shamir's fast signature scheme","volume":"30","author":"A. Odlyzko","year":"1984","journal-title":"IEEE Transactions on Information Theory"},{"key":"ref4:Coppersmith96a","isbn-type":"print","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/3-540-68339-9_16","article-title":"Finding a Small Root of a Bivariate Integer Equation;\n Factoring with High Bits Known","author":"Don Coppersmith","year":"1996","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540683391"},{"key":"ref5:Coppersmith96b","isbn-type":"print","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/3-540-68339-9_14","article-title":"Finding a Small Root of a Univariate Modular Equation","author":"Don Coppersmith","year":"1996","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540683391"},{"key":"ref6:Howgrave97","isbn-type":"print","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1007\/BFb0024458","article-title":"Finding small roots of univariate modular equations\n revisited","author":"Nicholas Howgrave-Graham","year":"1997","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540696681"},{"key":"ref7:LenLenLov82","doi-asserted-by":"publisher","first-page":"515","DOI":"10.1007\/BF01457454","article-title":"Factoring polynomials with rational coefficients","volume":"261","author":"Arjen K. Lenstra","year":"1982","journal-title":"Math. Ann."},{"key":"ref8:CalC:NguSte01","isbn-type":"print","doi-asserted-by":"publisher","first-page":"146","DOI":"10.1007\/3-540-44670-2_12","article-title":"The two faces of lattices in cryptology","author":"Phong Q. Nguyen","year":"2001","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540446705"},{"key":"ref9:Cohen10","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-02945-9","volume-title":"A course in computational algebraic number theory","author":"Henri Cohen","year":"1993"},{"key":"ref10:Klu09","isbn-type":"print","doi-asserted-by":"publisher","first-page":"283","DOI":"10.1007\/978-3-642-02295-1_8","volume-title":"The LLL Algorithm: Survey and Applications","volume":"1","author":"J\u00fcrgen Kl\u00fcners","year":"2009","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642022951"},{"key":"ref11:Han09","isbn-type":"print","doi-asserted-by":"publisher","first-page":"215","DOI":"10.1007\/978-3-642-02295-1_6","volume-title":"The LLL Algorithm: Survey and Applications","volume":"1","author":"Guillaume Hanrot","year":"2009","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642022951"},{"key":"ref12:SchEuc94","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/BF01581144","article-title":"Lattice basis reduction: improved practical algorithms and\n solving subset sum problems","volume":"66","author":"Claus-Peter Schnorr","year":"1994","journal-title":"Mathematical programming"},{"key":"ref13:YasYam19","doi-asserted-by":"publisher","first-page":"2489","DOI":"10.1007\/s10623-019-00634-9","article-title":"A new polynomial-time variant of LLL with deep insertions\n for decreasing the squared-sum of Gram\u2013Schmidt lengths","volume":"87","author":"Masaya Yasuda","year":"2019","journal-title":"Designs, Codes and Cryptography"},{"key":"ref14:AC:CheNgu11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-25385-0_1","article-title":"BKZ2.0: Better lattice security estimates","volume":"7073","author":"Yuanmi Chen","year":"2011"},{"volume-title":"FPLLL, a lattice reduction library, Version: 5.4.4","year":"2023","author":"The FPLLL development team","key":"ref15:fpLLL"},{"key":"ref16:FonSchWag14","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/s10623-014-9918-8","article-title":"PotLLL: a polynomial time version of LLL with deep\n insertions","volume":"73","author":"Felix Fontein","year":"2014","journal-title":"Designs, Codes and Cryptography"},{"key":"ref17:NguSte09","doi-asserted-by":"publisher","first-page":"874","DOI":"10.1137\/070705702","article-title":"An LLL algorithm with quadratic complexity","volume":"39","author":"Phong Q. Nguyen","year":"2009","journal-title":"SIAM Journal on Computing"},{"key":"ref18:GolMay03","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1515\/form.2003.009","article-title":"On the equidistribution of Hecke points","volume":"15","author":"Daniel Goldstein","year":"2003","journal-title":"Forum Mathematicum"},{"volume-title":"SVP challenge","year":"2010","author":"Darmstadt T.U.","key":"ref19:SVPChallenge"},{"volume-title":"Our implementations of some LLL-style algorithms","year":"2024","author":"Sanjay Bhattacherjee","key":"ref20:GG2023"},{"key":"ref21:YamYas18","isbn-type":"print","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1007\/978-3-319-76620-1_9","article-title":"Explicit formula for Gram\u2013Schmidt vectors in LLL with\n deep insertions and its applications","author":"Junpei Yamaguchi","year":"2018","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319766201"},{"volume-title":"The GNU MPFR Library","year":"2023","author":"Guillaume Hanrot","key":"ref22:mpfr"},{"key":"ref23:EC:GamNgu08","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1007\/978-3-540-78967-3_3","article-title":"Predicting lattice reduction","volume":"4965","author":"Nicolas Gama","year":"2008"},{"key":"ref24:SchBuc10","isbn-type":"print","first-page":"241","article-title":"Extended lattice reduction experiments using the BKZ\n algorithm","author":"Michael Schneider","year":"2010","ISBN":"https:\/\/id.crossref.org\/isbn\/9783885792642"},{"key":"ref25:ABFSW20","isbn-type":"print","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/978-3-030-56880-1_7","article-title":"Faster Enumeration-Based Lattice Reduction: Root Hermite\n Factor $k^{1\/(2k)}$ Time $k^{k\/8+o(k)}$","author":"Martin R. Albrecht","year":"2020","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030568801"},{"key":"ref26:Akhavi2003","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1016\/S0304-3975(02)00616-3","article-title":"The optimal LLL algorithm is still polynomial in fixed\n dimension","volume":"297","author":"Ali Akhavi","year":"2003","journal-title":"Theoretical Computer Science"},{"key":"ref27:YYSKK17","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1515\/jmc-2016-0008","article-title":"Analysis of decreasing squared-sum of Gram\u2013Schmidt\n lengths for short lattice vectors","volume":"11","author":"Masaya Yasuda","year":"2017","journal-title":"Journal of Mathematical Cryptology"},{"volume-title":"Isodual reduction of lattices","year":"2007","author":"Nicholas A. Howgrave-Graham","key":"ref28:Howgrave07"},{"key":"ref29:ISSAC:CheSteVil18","series-title":"ISSAC '18","isbn-type":"print","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1145\/3208976.3209013","article-title":"Computing an LLL-reduced basis of the orthogonal lattice","author":"Jingwei Chen","year":"2018","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450355506"},{"key":"ref30:FukKas15","doi-asserted-by":"publisher","first-page":"67","DOI":"10.2197\/ipsjjip.23.67","article-title":"An accelerated algorithm for solving SVP based on\n statistical analysis","volume":"23","author":"Masaharu Fukase","year":"2015","journal-title":"J. Inf. Process."},{"key":"ref31:Lenstra01","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1007\/978-3-0348-8268-2_3","article-title":"Flags and lattice basis reduction","author":"Hendrik W. Lenstra","year":"2001"},{"key":"ref32:ACMToA:NguSte09","doi-asserted-by":"publisher","DOI":"10.1145\/1597036.1597050","article-title":"Low-Dimensional Lattice Basis Reduction Revisited","volume":"5","author":"Phong Q. Nguyen","year":"2009","journal-title":"ACM Trans. Algorithms","ISSN":"https:\/\/id.crossref.org\/issn\/1549-6325","issn-type":"electronic"},{"key":"ref33:Babai85","series-title":"STACS '85","isbn-type":"print","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/BFb0023990","article-title":"On Lov\u00e1sz' lattice reduction and the nearest lattice\n point problem (shortened version)","author":"L\u00e1szl\u00f3 Babai","year":"1985","ISBN":"https:\/\/id.crossref.org\/isbn\/3540139125"},{"key":"ref34:Babai86","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/bf02579403","article-title":"On Lov\u00e1sz' lattice reduction and the nearest lattice\n point problem","volume":"6","author":"L\u00e1szl\u00f3 Babai","year":"1986","journal-title":"Combinatorica"},{"key":"ref35:NguSte06","series-title":"ANTS'06","isbn-type":"print","doi-asserted-by":"publisher","first-page":"238","DOI":"10.1007\/11792086_18","article-title":"LLL on the average","author":"Phong Q. Nguyen","year":"2006","ISBN":"https:\/\/id.crossref.org\/isbn\/3540360751"},{"key":"ref36:SchBucLin09","series-title":"Dagstuhl Seminar Proceedings (DagSemProc)","doi-asserted-by":"publisher","first-page":"1","DOI":"10.4230\/DagSemProc.09221.4","article-title":"Probabilistic analysis of LLL reduced bases","volume":"9221","author":"Michael Schneider","year":"2009","ISSN":"https:\/\/id.crossref.org\/issn\/1862-4405","issn-type":"electronic"},{"key":"ref37:KoySch01","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/3-540-44670-2_7","article-title":"Segment LLL-reduction of lattice bases","author":"Henrik Koy","year":"2001"},{"key":"ref38:ISSAC:NeuSte16","series-title":"ISSAC '16","isbn-type":"print","doi-asserted-by":"publisher","first-page":"373","DOI":"10.1145\/2930889.2930917","article-title":"Faster LLL-type reduction of lattice bases","author":"Arnold Neumaier","year":"2016","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450343800"},{"key":"ref39:ISSAC:MorSteVil09","series-title":"ISSAC '09","doi-asserted-by":"publisher","first-page":"271","DOI":"10.1145\/1576702.1576740","article-title":"H-LLL: using householder inside LLL","author":"Ivan Morel","year":"2009"},{"key":"ref40:MoC:ChaSteVil12","doi-asserted-by":"publisher","first-page":"1487","DOI":"10.1090\/s0025-5718-2012-02545-2","article-title":"Perturbation analysis of the QR factor R in the context of\n LLL lattice basis reduction","volume":"81","author":"Xiao-Wen Chang","year":"2012","journal-title":"Mathematics of Computation"},{"key":"ref41:C:KirEspFou21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"760","DOI":"10.1007\/978-3-030-84245-1_26","article-title":"Towards faster polynomial-time lattice reduction","volume":"12826","author":"Paul Kirchner","year":"2021"},{"key":"ref42:RyaHen23","isbn-type":"print","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-38548-3_1","article-title":"Fast Practical Lattice Reduction Through Iterated\n Compression","author":"Keegan Ryan","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031385483"},{"key":"ref43:DCC:PlaSusZha15","doi-asserted-by":"publisher","first-page":"325","DOI":"10.1007\/s10623-014-9957-1","article-title":"LLL for ideal lattices: re-evaluation of the security of\n Gentry\u2013Halevi's FHE scheme","volume":"76","author":"Thomas Plantard","year":"2015","journal-title":"Des. Codes Cryptography"},{"key":"ref44:AC:LPSW19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1007\/978-3-030-34621-8_3","article-title":"An LLL algorithm for module lattices","volume":"11922","author":"Changmin Lee","year":"2019"},{"key":"ref45:BogGooWoo20","doi-asserted-by":"publisher","first-page":"2363","DOI":"10.1137\/20M1327422","article-title":"A parametric version of LLL and some consequences:\n Parametric shortest and closest vector problems","volume":"34","author":"Tristram Bogart","year":"2020","journal-title":"SIAM J. Discret. Math.","ISSN":"https:\/\/id.crossref.org\/issn\/0895-4801","issn-type":"electronic"},{"key":"ref46:Galbraith12","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139012843","volume-title":"Mathematics of public key cryptography","author":"Steven D. Galbraith","year":"2012","ISBN":"https:\/\/id.crossref.org\/isbn\/1107013925"},{"volume-title":"NTL: A library for doing number theory","year":"2021","author":"Victor Shoup","key":"ref47:NTL"},{"key":"ref48:TKH18","isbn-type":"print","doi-asserted-by":"publisher","first-page":"437","DOI":"10.1007\/978-3-319-76578-5_15","article-title":"Fast Lattice Basis Reduction Suitable for Massive\n Parallelization and Its Application to the Shortest Vector Problem","author":"Tadanori Teruya","year":"2018","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319765785"},{"key":"ref49:NguVal09","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02295-1","volume-title":"The LLL algorithm: survey and applications","author":"Phong Q. Nguyen","year":"2009","ISBN":"https:\/\/id.crossref.org\/isbn\/3642022944"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:22Z","timestamp":1744147402000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/2"}},"issued":{"date-parts":[[2025,4,8]]},"references-count":49,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/aevuommol","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2024-10-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-4-37"},{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:51:04Z","timestamp":1767340264600,"version":"3.41.2"},"reference-count":67,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T00:00:00Z","timestamp":1712620800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,6,3]]},"abstract":" Distributed key generation (DKG) is a key building block in developing many efficient threshold cryptosystems. This work initiates the study of communication complexity and round complexity of DKG protocols over a point-to-point (bounded) synchronous network. Our key result is the first synchronous DKG protocol for discrete log-based cryptosystems with \n \n O<\/mml:mi>\n (<\/mml:mo>\n \u03ba<\/mml:mi>\n \n n<\/mml:mi>\n 3<\/mml:mn>\n <\/mml:msup>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> communication complexity (\n \n \u03ba<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> denotes a security parameter) that tolerates any \n \n t<\/mml:mi>\n <<\/mml:mo>\n n<\/mml:mi>\n \/<\/mml:mo>\n 2<\/mml:mn>\n <\/mml:mrow>\n <\/mml:math> Byzantine faults among \n \n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> parties. We present two variants of the protocol: (i) a protocol with worst-case \n \n O<\/mml:mi>\n (<\/mml:mo>\n \u03ba<\/mml:mi>\n \n n<\/mml:mi>\n 3<\/mml:mn>\n <\/mml:msup>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> communication and \n \n O<\/mml:mi>\n (<\/mml:mo>\n t<\/mml:mi>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> rounds, and (ii) a protocol with expected \n \n O<\/mml:mi>\n (<\/mml:mo>\n \u03ba<\/mml:mi>\n \n n<\/mml:mi>\n 3<\/mml:mn>\n <\/mml:msup>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> communication and expected constant rounds. In the process of achieving our results, we design (1) a novel weak gradecast protocol with a communication complexity of \n \n O<\/mml:mi>\n (<\/mml:mo>\n \u03ba<\/mml:mi>\n \n n<\/mml:mi>\n 2<\/mml:mn>\n <\/mml:msup>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> for linear-sized inputs and constant rounds, (2) a protocol called \u201crecoverable-set-of-shares\u201d for ensuring recovery of shared secrets, (3) an oblivious leader election protocol with \n \n O<\/mml:mi>\n (<\/mml:mo>\n \u03ba<\/mml:mi>\n \n n<\/mml:mi>\n 3<\/mml:mn>\n <\/mml:msup>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> communication and constant rounds, and (4) a multi-valued validated Byzantine agreement (MVBA) protocol with \n \n O<\/mml:mi>\n (<\/mml:mo>\n \u03ba<\/mml:mi>\n \n n<\/mml:mi>\n 3<\/mml:mn>\n <\/mml:msup>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math> communication complexity for linear-sized inputs and expected constant rounds. Each of these primitives is of independent interest. <\/jats:p>","DOI":"10.62056\/ayfhsgvtw","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T15:52:04Z","timestamp":1720453924000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":3,"title":["Synchronous Distributed Key Generation without Broadcasts"],"prefix":"10.62056","author":[{"given":"Nibesh","family":"Shrestha","sequence":"first","affiliation":[{"name":"Supra Research","place":["USA"]}]},{"given":"Adithya","family":"Bhat","sequence":"additional","affiliation":[{"name":"Visa Research","place":["USA"]}]},{"given":"Aniket","family":"Kate","sequence":"additional","affiliation":[{"name":"Supra Research","place":["USA"]},{"name":"Purdue University","place":["USA"]}]},{"given":"Kartik","family":"Nayak","sequence":"additional","affiliation":[{"name":"Duke University","place":["USA"]}]}],"member":"48349","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"key":"ref1:boldyreva2003threshold","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1007\/3-540-36288-6_3","article-title":"Threshold Signatures, Multisignatures and Blind Signatures\n Based on the Gap-Diffie-Hellman-Group Signature Scheme","volume-title":"PKC\u00a02003: 6th International Workshop on Theory and Practice\n in Public Key Cryptography","volume":"2567","author":"Alexandra Boldyreva","year":"2003"},{"key":"ref2:shoup2000practical","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/3-540-45539-6_15","article-title":"Practical Threshold Signatures","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02000","volume":"1807","author":"Victor Shoup","year":"2000"},{"key":"ref3:DesmedtF89","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1007\/0-387-34805-0_28","article-title":"Threshold Cryptosystems","volume-title":"Advances in Cryptology \u2013 CRYPTO'89","volume":"435","author":"Yvo Desmedt","year":"1990"},{"journal-title":"GitHub","article-title":"Drand - A Distributed Randomness Beacon Daemon","author":"Drand","key":"ref4:drand"},{"key":"ref5:cachin2005random","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1145\/343477.343531","article-title":"Random oracles in constantipole: practical asynchronous\n Byzantine agreement using cryptography (extended abstract)","volume-title":"19th ACM Symposium Annual on Principles of Distributed\n Computing","author":"Christian Cachin","year":"2000"},{"key":"ref6:yin2019hotstuff","doi-asserted-by":"publisher","first-page":"347","DOI":"10.1145\/3293611.3331591","article-title":"HotStuff: BFT Consensus with Linearity and\n Responsiveness","volume-title":"38th ACM Symposium Annual on Principles of Distributed\n Computing","author":"Maofan Yin","year":"2019"},{"key":"ref7:shrestha2020optimality","doi-asserted-by":"publisher","first-page":"839","DOI":"10.1145\/3372297.3417284","article-title":"On the Optimality of Optimistic Responsiveness","volume-title":"ACM CCS 2020: 27th Conference on Computer and Communications\n Security","author":"Nibesh Shrestha","year":"2020"},{"key":"ref8:hirt2005cryptographic","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"322","DOI":"10.1007\/11426639_19","article-title":"Cryptographic Asynchronous Multi-party Computation with\n Optimal Resilience (Extended Abstract)","volume-title":"Advances in Cryptology \u2013 EUROCRYPT\u00a02005","volume":"3494","author":"Martin Hirt","year":"2005"},{"key":"ref9:hofheinz2004synchronous","article-title":"A Synchronous Model for Multi-Party Computation and the\n Incompleteness of Oblivious Transfer","author":"Dennis Hofheinz","year":"2004","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref10:distributedKDC","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"346","DOI":"10.1007\/3-540-36178-2_22","article-title":"On Unconditionally Secure Robust Distributed Key\n Distribution Centers","volume-title":"Advances in Cryptology \u2013 ASIACRYPT\u00a02002","volume":"2501","author":"Paolo D'Arco","year":"2002"},{"article-title":"Torus: Globally accessible public key infrastructure for\n everyone","year":"2021","author":"Torus Lab","key":"ref11:Torus"},{"key":"ref12:pedersendkg","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"522","DOI":"10.1007\/3-540-46416-6_47","article-title":"A Threshold Cryptosystem without a Trusted Party","volume-title":"Advances in Cryptology \u2013 EUROCRYPT'91","volume":"547","author":"Torben P. Pedersen","year":"1991"},{"key":"ref13:gennaro2007secure","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1007\/s00145-006-0347-3","article-title":"Secure distributed key generation for discrete-log based\n cryptosystems","author":"Rosario Gennaro","year":"2007","journal-title":"Journal of Cryptology"},{"key":"ref14:canetti1999adaptive","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"98","DOI":"10.1007\/3-540-48405-1_7","article-title":"Adaptive Security for Threshold Cryptosystems","volume-title":"Advances in Cryptology \u2013 CRYPTO'99","volume":"1666","author":"Ran Canetti","year":"1999"},{"key":"ref15:nejidkgwithcomplaints","doi-asserted-by":"publisher","first-page":"4585","DOI":"10.1002\/sec.1651","article-title":"Distributed key generation protocol with a new complaint\n management strategy","volume":"9","author":"Wafa Neji","year":"2016","journal-title":"Security and communication networks"},{"key":"ref16:gurkan2021aggregatable","doi-asserted-by":"publisher","first-page":"147","DOI":"10.1007\/978-3-030-77870-5_6","article-title":"Aggregatable distributed key generation","volume-title":"Annual International Conference on the Theory and\n Applications of Cryptographic Techniques (EUROCRYPT'21)","author":"Kobi Gurkan","year":"2021"},{"key":"ref17:feldman1987practical","doi-asserted-by":"publisher","first-page":"427","DOI":"10.1109\/SFCS.1987.4","article-title":"A Practical Scheme for Non-interactive Verifiable Secret\n Sharing","volume-title":"28th Annual Symposium on Foundations of Computer Science","author":"Paul Feldman","year":"1987"},{"key":"ref18:backes2011computational","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"590","DOI":"10.1007\/978-3-642-25385-0_32","article-title":"Computational Verifiable Secret Sharing Revisited","volume-title":"Advances in Cryptology \u2013 ASIACRYPT\u00a02011","volume":"7073","author":"Michael Backes","year":"2011"},{"key":"ref19:dolev1983authenticated","doi-asserted-by":"publisher","first-page":"656","DOI":"10.1137\/0212045","article-title":"Authenticated algorithms for Byzantine agreement","volume-title":"SIAM Journal on Computing","volume":"12","author":"Danny Dolev","year":"1983"},{"key":"ref20:tsimos2020gossiping","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"439","DOI":"10.1007\/978-3-031-15982-4_15","article-title":"Gossiping for Communication-Efficient Broadcast","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02022, Part\u00a0III","volume":"13509","author":"Georgios Tsimos","year":"2022"},{"key":"ref21:katz2006expected","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"445","DOI":"10.1007\/11818175_27","article-title":"On Expected Constant-Round Protocols for Byzantine\n Agreement","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02006","volume":"4117","author":"Jonathan Katz","year":"2006"},{"key":"ref22:groth2016size","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1007\/978-3-662-49896-5_11","article-title":"On the size of pairing-based non-interactive arguments","volume-title":"Advances in Cryptology\u2013EUROCRYPT 2016: 35th Annual\n International Conference on the Theory and Applications of Cryptographic\n Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35","author":"Jens Groth","year":"2016"},{"key":"ref23:momose2020optimal","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.DISC.2021.32","article-title":"Optimal Communication Complexity of Authenticated Byzantine\n Agreement","volume-title":"35th International Symposium on Distributed Computing (DISC\n 2021)","author":"Atsuki Momose","year":"2021"},{"key":"ref24:schindler2019ethdkg","article-title":"ETHDKG: Distributed Key Generation with Ethereum Smart\n Contracts","author":"Philipp Schindler","year":"2019","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref25:groth2021non","first-page":"339","article-title":"Non-interactive distributed key generation and key\n resharing.","volume":"2021","author":"Jens Groth","year":"2021","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref26:cascudo2023mt","isbn-type":"print","doi-asserted-by":"publisher","first-page":"645","DOI":"10.1007\/978-3-031-33491-7_24","article-title":"Mt. Random: Multi-tiered Randomness Beacons","volume-title":"Applied Cryptography and Network Security: 21st\n International Conference, ACNS 2023, Kyoto, Japan, June 19\u201322, 2023,\n Proceedings, Part II","author":"Ignacio Cascudo","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031334900"},{"key":"ref27:kate2012distributed","first-page":"377","article-title":"Distributed Key Generation in the Wild.","volume":"2012","author":"Aniket Kate","year":"2012","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref28:asyncdkg","doi-asserted-by":"publisher","first-page":"1751","DOI":"10.1145\/3372297.3423364","article-title":"Asynchronous Distributed Key Generation for\n Computationally-Secure Randomness, Consensus, and Threshold Signatures","volume-title":"ACM CCS 2020: 27th Conference on Computer and Communications\n Security","author":"Eleftherios Kokoris-Kogias","year":"2020"},{"key":"ref29:abraham2021reaching","series-title":"PODC'21","isbn-type":"print","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1145\/3465084.3467914","article-title":"Reaching Consensus for Asynchronous Distributed Key\n Generation","volume-title":"Proceedings of the 2021 ACM Symposium on Principles of\n Distributed Computing","author":"Ittai Abraham","year":"2021","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450385480"},{"key":"ref30:das2021practical","doi-asserted-by":"publisher","first-page":"2518","DOI":"10.1109\/SP46214.2022.9833584","article-title":"Practical Asynchronous Distributed Key Generation","volume-title":"2022 IEEE Symposium on Security and Privacy","author":"Sourav Das","year":"2022"},{"key":"ref31:das2023practical","isbn-type":"print","first-page":"5359","article-title":"Practical Asynchronous High-threshold Distributed Key\n Generation and Distributed Polynomial Sampling","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Sourav Das","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9781939133373"},{"key":"ref32:abraham2023bingo","isbn-type":"print","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/978-3-031-38557-5_2","article-title":"Bingo: Adaptivity and Asynchrony in Verifiable Secret\n Sharing and Distributed Key Generation","volume-title":"Advances in Cryptology \u2013 CRYPTO 2023: 43rd Annual\n International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA,\n August 20\u201324, 2023, Proceedings, Part I","author":"Ittai Abraham","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031385568"},{"key":"ref33:ben2003resilient","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/s00446-002-0083-3","article-title":"Resilient-optimal interactive consistency in constant time","volume":"16","author":"Michael Ben-Or","year":"2003","journal-title":"Distributed Computing"},{"key":"ref34:pedersen1991non","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/3-540-46766-1_9","article-title":"Non-Interactive and Information-Theoretic Secure Verifiable\n Secret Sharing","volume-title":"Advances in Cryptology \u2013 CRYPTO'91","volume":"576","author":"Torben P. Pedersen","year":"1992"},{"key":"ref35:feldman1988optimal","doi-asserted-by":"publisher","first-page":"148","DOI":"10.1145\/62212.62225","article-title":"Optimal Algorithms for Byzantine Agreement","volume-title":"20th Annual ACM Symposium on Theory of Computing","author":"Paul Feldman","year":"1988"},{"key":"ref36:cachin2001secure","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"524","DOI":"10.1007\/3-540-44647-8_31","article-title":"Secure and Efficient Asynchronous Broadcast Protocols","volume-title":"Advances in Cryptology \u2013 CRYPTO\u00a02001","volume":"2139","author":"Christian Cachin","year":"2001"},{"key":"ref37:garay2007round","doi-asserted-by":"publisher","first-page":"658","DOI":"10.1109\/FOCS.2007.61","article-title":"Round Complexity of Authenticated Broadcast with a Dishonest\n Majority","volume-title":"48th Annual Symposium on Foundations of Computer Science","author":"Juan A. Garay","year":"2007"},{"key":"ref38:abraham2019asymptotically","doi-asserted-by":"publisher","first-page":"337","DOI":"10.1145\/3293611.3331612","article-title":"Asymptotically Optimal Validated Asynchronous Byzantine\n Agreement","volume-title":"38th ACM Symposium Annual on Principles of Distributed\n Computing","author":"Ittai Abraham","year":"2019"},{"key":"ref39:lu2020dumbo","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1145\/3382734.3405707","article-title":"Dumbo-MVBA: Optimal Multi-Valued Validated Asynchronous\n Byzantine Agreement, Revisited","volume-title":"39th ACM Symposium Annual on Principles of Distributed\n Computing","author":"Yuan Lu","year":"2020"},{"key":"ref40:nayak2020improved","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.DISC.2020.28","article-title":"Improved Extension Protocols for Byzantine Broadcast and\n Agreement","volume-title":"34th International Symposium on Distributed Computing (DISC\n 2020)","author":"Kartik Nayak","year":"2020"},{"key":"ref41:gao2022efficient","doi-asserted-by":"publisher","first-page":"246","DOI":"10.1109\/ICDCS54860.2022.00032","article-title":"Efficient asynchronous byzantine agreement without private\n setups","volume-title":"2022 IEEE 42nd International Conference on Distributed\n Computing Systems (ICDCS'22)","author":"Yingzi Gao","year":"2022"},{"key":"ref42:reed1960polynomial","doi-asserted-by":"publisher","first-page":"300","DOI":"10.1137\/0108018","article-title":"Polynomial codes over certain finite fields","volume":"8","author":"Irving S Reed","year":"1960","journal-title":"Journal of the society for industrial and applied\n mathematics"},{"key":"ref43:nguyen2005accumulators","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1007\/978-3-540-30574-3_19","article-title":"Accumulators from Bilinear Pairings and Applications","volume-title":"Topics in Cryptology \u2013 CT-RSA\u00a02005","volume":"3376","author":"Lan Nguyen","year":"2005"},{"key":"ref44:boneh2008short","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/s00145-007-9005-7","article-title":"Short Signatures Without Random Oracles and the SDH\n Assumption in Bilinear Groups","volume":"21","author":"Dan Boneh","year":"2008","journal-title":"Journal of Cryptology"},{"key":"ref45:bhatrandpiper","doi-asserted-by":"publisher","first-page":"3502","DOI":"10.1145\/3460120.3484574","article-title":"RandPiper - Reconfiguration-Friendly Random Beacons with\n Quadratic Communication","volume-title":"ACM CCS 2021: 28th Conference on Computer and Communications\n Security","author":"Adithya Bhat","year":"2021"},{"key":"ref46:katedkginternet","doi-asserted-by":"publisher","first-page":"119","DOI":"10.1109\/ICDCS.2009.21","article-title":"Distributed Key Generation for the Internet","volume-title":"29th IEEE International Conference on Distributed Computing\n Systems\u2013ICDCS'09","author":"Aniket Kate","year":"2009"},{"key":"ref47:bacho2022adaptive","series-title":"CCS '22","isbn-type":"print","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1145\/3548606.3560656","article-title":"On the Adaptive Security of the Threshold BLS Signature\n Scheme","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer\n and Communications Security","author":"Renas Bacho","year":"2022","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450394505"},{"key":"ref48:komlo2023formal","article-title":"A Formal Treatment of Distributed Key Generation, and New\n Constructions","author":"Chelsea Komlo","year":"2023","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref49:merkle1987digital","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1007\/3-540-48184-2_32","article-title":"A Digital Signature Based on a Conventional Encryption\n Function","volume-title":"Advances in Cryptology \u2013 CRYPTO'87","volume":"293","author":"Ralph C. Merkle","year":"1988"},{"key":"ref50:cascudo2017scrape","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"537","DOI":"10.1007\/978-3-319-61204-1_27","article-title":"SCRAPE: Scalable Randomness Attested by Public Entities","volume-title":"ACNS 17: 15th International Conference on Applied\n Cryptography and Network Security","volume":"10355","author":"Ignacio Cascudo","year":"2017"},{"key":"ref51:baric1997collision","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"480","DOI":"10.1007\/3-540-69053-0_33","article-title":"Collision-Free Accumulators and Fail-Stop Signature Schemes\n Without Trees","volume-title":"Advances in Cryptology \u2013 EUROCRYPT'97","volume":"1233","author":"Niko Bari","year":"1997"},{"key":"ref52:feldman1997optimal","doi-asserted-by":"publisher","first-page":"873","DOI":"10.1137\/S0097539790187084","article-title":"An optimal probabilistic protocol for synchronous Byzantine\n agreement","volume":"26","author":"Pesech Feldman","year":"1997","journal-title":"SIAM Journal on Computing"},{"key":"ref53:kate2010constant","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-642-17373-8_11","article-title":"Constant-Size Commitments to Polynomials and Their\n Applications","volume-title":"Advances in Cryptology \u2013 ASIACRYPT\u00a02010","volume":"6477","author":"Aniket Kate","year":"2010"},{"key":"ref54:erwig2021large","article-title":"Large-Scale Non-Interactive Threshold Cryptosystems in the\n YOSO Model","author":"Andreas Erwig","year":"2021","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref55:katz2023round","article-title":"Round Optimal Fully Secure Distributed Key Generation","author":"Jonathan Katz","year":"2023","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref56:abraham2019synchronous","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-3-030-32101-7_20","article-title":"Synchronous Byzantine Agreement with Expected $O(1)$\n Rounds, Expected $O(n^2)$ Communication, and Optimal Resilience","volume-title":"FC 2019: 23rd International Conference on Financial\n Cryptography and Data Security","volume":"11598","author":"Ittai Abraham","year":"2019"},{"key":"ref57:tomescu2020towards","doi-asserted-by":"publisher","first-page":"877","DOI":"10.1109\/SP40000.2020.00059","article-title":"Towards Scalable Threshold Cryptosystems","volume-title":"2020 IEEE Symposium on Security and Privacy","author":"Alin Tomescu","year":"2020"},{"key":"ref58:bacho2023network","isbn-type":"print","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1007\/978-3-031-38557-5_3","article-title":"Network-Agnostic Security Comes (Almost) for Free in DKG and\n MPC","volume-title":"Advances in Cryptology \u2013 CRYPTO 2023: 43rd Annual\n International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA,\n August 20\u201324, 2023, Proceedings, Part I","author":"Renas Bacho","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031385568"},{"key":"ref59:bacho2023grandline","article-title":"GRandLine: Adaptively Secure DKG and Randomness Beacon\n with (Almost) Quadratic Communication Complexity","author":"Renas Bacho","year":"2023","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref60:fuchsbauer2018algebraic","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-319-96881-0_2","article-title":"The algebraic group model and its applications","volume-title":"Advances in Cryptology (CRYPTO'18): 38th Annual\n International Cryptology Conference, Santa Barbara, CA, USA, August 19\u201323,\n 2018, Proceedings, Part II 38","author":"Georg Fuchsbauer","year":"2018"},{"key":"ref61:feng2024breaking","article-title":"Breaking the Cubic Barrier: Distributed Key and Randomness\n Generation through Deterministic Sharding","author":"Hanwen Feng","year":"2024","journal-title":"Cryptology ePrint Archive"},{"key":"ref62:fitzi2003efficient","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1145\/872035.872066","article-title":"Efficient player-optimal protocols for strong and\n differential consensus","volume-title":"Proceedings of the twenty-second annual symposium on\n Principles of distributed computing (PODC'03)","author":"Matthias Fitzi","year":"2003"},{"article-title":"Byzantine agreement, made trivial","year":"2016","author":"Silvio Micali","key":"ref63:micali2016byzantine"},{"key":"ref64:abraham2022asymptotically","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/978-3-031-22318-1_14","article-title":"Asymptotically Free Broadcast in Constant Expected Time via\n Packed VSS","volume-title":"TCC\u00a02022: 20th Theory of Cryptography Conference, Part\u00a0I","volume":"13747","author":"Ittai Abraham","year":"2022"},{"key":"ref65:fitzi2021new","series-title":"PODC'21","isbn-type":"print","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1145\/3465084.3467907","article-title":"A New Way to Achieve Round-Efficient Byzantine Agreement","volume-title":"Proceedings of the 2021 ACM Symposium on Principles of\n Distributed Computing","author":"Matthias Fitzi","year":"2021","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450385480"},{"key":"ref66:dolev1985bounds","doi-asserted-by":"publisher","first-page":"132","DOI":"10.1145\/800220.806690","article-title":"Bounds on Information Exchange for Byzantine Agreement","volume-title":"1st ACM Symposium Annual on Principles of Distributed\n Computing","author":"Danny Dolev","year":"1982"},{"key":"ref67:fitzi2006optimally","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1145\/1146381.1146407","article-title":"Optimally efficient multi-valued Byzantine agreement","volume-title":"25th ACM Symposium Annual on Principles of Distributed\n Computing","author":"Matthias Fitzi","year":"2006"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:26:59Z","timestamp":1733866019000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/2\/19"}},"issued":{"date-parts":[[2024,7,8]]},"references-count":67,"URL":"https:\/\/doi.org\/10.62056\/ayfhsgvtw","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"2024-04-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-2-66"},{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T04:11:52Z","timestamp":1767931912453,"version":"3.49.0"},"reference-count":19,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,10,7]],"date-time":"2025-10-07T00:00:00Z","timestamp":1759795200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"We study additive positive accumulators, which maintain a short digest of a growing set such that each value in the set can prove membership via a generated witness. Due to the compactness of the digest, previously added values may require updated witnesses as the set grows.<\/jats:p>\n \n In this paper, we establish a trade-off between the bit-length of the accumulator value and the number of witness updates. Specifically, we show that if the accumulator value has bit-length\n \n \n \n p<\/mml:mi>\n o<\/mml:mi>\n l<\/mml:mi>\n y<\/mml:mi>\n <\/mml:mrow>\n (<\/mml:mo>\n log<\/mml:mi>\n n<\/mml:mi>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math>\n , where\n \n \n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>\n is the number of accumulated values, then some values must incur\n \n \n \u03a9<\/mml:mi>\n (<\/mml:mo>\n log<\/mml:mi>\n n<\/mml:mi>\n \/<\/mml:mo>\n log<\/mml:mi>\n log<\/mml:mi>\n n<\/mml:mi>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math>\n witness updates. This improves upon the recent\n \n \n \u03c9<\/mml:mi>\n (<\/mml:mo>\n 1<\/mml:mn>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math>\n lower bound of [BCCK25] and matches the upper bound in [MQ23].\n <\/jats:p>\n Building on the framework of [MQR22], we introduce a new combinatorial structure that removes the fixed-update-time assumption. Our approach also applies to Registration-based Encryption [GHMR18], thereby resolving the open problem left in [MQR22]: it shows that the tight lower bound on decryption-update frequency continues to hold even without any fixed-update-time assumption.<\/jats:p>","DOI":"10.62056\/av7t7ta5v","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Tight Lower Bound on Witness Update Frequency in Additive Positive Accumulators"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-8510-4675","authenticated-orcid":false,"given":"Wei","family":"Qi","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05crjpb27","id-type":"ROR","asserted-by":"publisher"}],"name":"Bocconi University","place":["Via Roentgen, 1, Milan, MI, 20136, Italy"],"department":["Department of Computing Sciences"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:merkle-moutain-range","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"170","DOI":"10.1007\/978-3-032-01878-6_6","article-title":"Merkle Mountain Ranges are Optimal: On Witness Update\n Frequency for Cryptographic Accumulators","volume":"16001","author":"Joseph Bonneau","year":"2025","ISBN":"https:\/\/id.crossref.org\/isbn\/9783032018779"},{"key":"ref2:upper-bound","series-title":"Leibniz International Proceedings in Informatics (LIPIcs)","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ITC.2023.15","article-title":"Online Mergers and Applications to Registration-Based\n Encryption and Accumulators","volume":"267","author":"Mohammad Mahmoody","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783959772716","ISSN":"https:\/\/id.crossref.org\/issn\/1868-8969","issn-type":"electronic"},{"key":"ref3:lower-bound","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"559","DOI":"10.1007\/978-3-031-22318-1_20","article-title":"Lower Bounds for the Number of Decryption Updates in\n Registration-Based Encryption","author":"Mohammad Mahmoody","year":"2022","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031223181"},{"key":"ref4:rbe","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"689","DOI":"10.1007\/978-3-030-03807-6_25","article-title":"Registration-Based Encryption: Removing Private-Key\n Generator from IBE","volume":"11239","author":"Sanjam Garg","year":"2018","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030038069"},{"key":"ref5:acc-1","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1007\/3-540-48285-7_24","article-title":"One-Way Accumulators: A Decentralized Alternative to Digital\n Signatures","volume":"765","author":"Josh Benaloh","year":"1994","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540482857"},{"key":"ref6:acc-2","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1007\/3-540-45708-9_5","article-title":"Dynamic Accumulators and Application to Efficient Revocation\n of Anonymous Credentials","volume":"2442","author":"Jan Camenisch","year":"2002","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540457084"},{"key":"ref7:acc-3","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1007\/978-3-540-30574-3_19","article-title":"Accumulators from Bilinear Pairings and Applications","volume":"3376","author":"Lan Nguyen","year":"2005","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540305743"},{"key":"ref8:acc-4","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"480","DOI":"10.1007\/3-540-69053-0_33","article-title":"Collision-Free Accumulators and Fail-Stop Signature Schemes\n Without Trees","volume":"1233","author":"Niko Bari\u0107","year":"1997","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540690535"},{"key":"ref9:merkle","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1007\/3-540-48184-2_32","article-title":"A Digital Signature Based on a Conventional Encryption\n Function","volume":"293","author":"Ralph C. Merkle","year":"1988","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540481843"},{"key":"ref10:PKI","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"292","DOI":"10.1007\/978-3-319-44618-9_16","article-title":"Efficient Asynchronous Accumulators for Distributed PKI","volume":"9841","author":"Leonid Reyzin","year":"2016","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319446189"},{"key":"ref11:rbe-1","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-030-17259-6_3","article-title":"Registration-Based Encryption from Standard Assumptions","volume":"11443","author":"Sanjam Garg","year":"2019","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030172596"},{"key":"ref12:RBE-2","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"621","DOI":"10.1007\/978-3-030-56784-2_21","article-title":"Verifiable Registration-Based Encryption","volume":"12170","author":"Rishab Goyal","year":"2020","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030567842"},{"key":"ref13:RBE-3","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-030-92641-0_7","article-title":"Optimizing Registration Based Encryption","volume":"13129","author":"Kelong Cong","year":"2021","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030926410"},{"key":"ref14:RBE-4","series-title":"CCS '23","isbn-type":"print","doi-asserted-by":"publisher","first-page":"1065","DOI":"10.1145\/3576915.3616596","article-title":"Efficient Registration-Based Encryption","author":"Noemi Glaeser","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9798400700507"},{"key":"ref15:RBE-5","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"166","DOI":"10.1007\/978-981-99-8733-7_6","article-title":"Cuckoo Commitments: Registration-Based Encryption and\n Key-Value Map Commitments for Large Spaces","volume":"14442","author":"Dario Fiore","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9789819987337"},{"key":"ref16:RBE-6","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"417","DOI":"10.1007\/978-3-031-30620-4_14","article-title":"Efficient Laconic Cryptography from\u00a0Learning with\u00a0Errors","volume":"14006","author":"Nico D\u00f6ttling","year":"2023","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031306204"},{"key":"ref17:RBE-7","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"194","DOI":"10.1007\/978-3-031-91820-9_7","article-title":"Registration-Based Encryption in the Plain Model","volume":"15674","author":"Jesko Dujmovic","year":"2025","ISBN":"https:\/\/id.crossref.org\/isbn\/9783031918209"},{"key":"ref18:lower-bound-2","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1109\/EuroSP.2017.13","article-title":"Accumulators with Applications to Anonymity-Preserving\n Revocation","author":"Foteini Baldimtsi","year":"2017"},{"key":"ref19:acc-5","doi-asserted-by":"publisher","DOI":"10.1109\/CSF51468.2021.00033","article-title":"Efficient Constructions of Pairing Based Accumulators","author":"Ioanna Karantaidou","year":"2021","journal-title":"2021 IEEE 34th Computer Security Foundations Symposium\n (CSF)"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:41:08Z","timestamp":1767915668000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/14"}},"issued":{"date-parts":[[2026,1,8]]},"references-count":19,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/av7t7ta5v","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-10-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-28"},{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T03:34:12Z","timestamp":1769916852758,"version":"3.49.0"},"reference-count":29,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,1,14]],"date-time":"2025-01-14T00:00:00Z","timestamp":1736812800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":" When designing filter functions in Linear Feedback Shift Registers (LFSR) based stream ciphers, algebraic criteria of Boolean functions such as the Algebraic Immunity (AI) become key characteristics because they guarantee the security of ciphers against the powerful algebraic attacks. In this article, we abstract the algebraic attacks proposed by Courtois and Meier on filtered LFSR twenty years ago, considering how the standard algebraic attack can be generalized beyond filtered LFSR to stream ciphers that employ a Boolean filter function to an updated state. Depending on the updating process, we use different sets of annihilators than those used in the standard algebraic attack; it leads to a generalization of the concept of algebraic immunity, and in some particular cases, potentially more efficient attacks. Motivated by the filter permutator paradigm, we focus on the case where the update function is a bit-permutation, since it maintains the degree of the monomials. For example the degree of the monomials of degree up to \n \n d<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> and from \n \n n<\/mml:mi>\n \u2212<\/mml:mo>\n d<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> to \n \n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> remains invariant, which leads us to consider annihilators having only monomials of these degrees. If this number of monomials is sufficiently low, linearization is feasible, allowing the linear system to be solved and revealing the key, as in the standard algebraic attack. This particular characteristic is restricted by the standard algebraic attacks and to analyze it we introduce a new notion called Extremal Algebraic Immunity (EAI). We perform a theoretic study of the EAI criterion and explore its relation to other algebraic criteria. We prove the upper bound of the EAI of an \n \n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math>-variable Boolean function and further show that the EAI can be lower bounded by the AI restricted to a subset, as defined by Carlet, M\u00e9aux and Rotella at FSE 2017. We also exhibit functions with EAI guaranteed to be lower than the AI, in particular we highlight a pathological case of functions with optimal algebraic immunity and EAI only \n \n n<\/mml:mi>\n \/<\/mml:mo>\n 4<\/mml:mn>\n <\/mml:mrow>\n <\/mml:math>. As applications, we determine the EAI of filter functions of some existing stream ciphers and discuss how extremal algebraic attacks using EAI could apply to variations of known ciphers. The extremal algebraic attack does not give a better complexity than Courtois and Meier's result on the existing stream ciphers. However, we see this work as a study to avoid weaknesses in the construction of future stream ciphers. <\/jats:p>","DOI":"10.62056\/aby7qjp10","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Towards a Generalization of the Algebraic Attack on Stream Ciphers: A Study of the Case with Only Extremal-Degree Monomials"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5733-4341","authenticated-orcid":false,"given":"Pierrick","family":"M\u00e9aux","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/036x5ad56","id-type":"ROR","asserted-by":"publisher"}],"name":"Luxembourg University","place":["Esch-sur-Alzette, L-4365, Luxembourg"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4565-8394","authenticated-orcid":false,"given":"Qingju","family":"Wang","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/042tfbd02","id-type":"ROR","asserted-by":"publisher"}],"name":"T\u00e9l\u00e9com Paris, Institut Polytechnique de Paris","place":["Palaiseau, F-91120, France"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:EC:MJSC16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"311","DOI":"10.1007\/978-3-662-49890-3_13","article-title":"Towards Stream Ciphers for Efficient FHE with Low-Noise\n Ciphertexts","volume":"9665","author":"Pierrick M\u00e9aux","year":"2016"},{"key":"ref2:CCS:LauNaeVai11","series-title":"CCSW '11","isbn-type":"print","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1145\/2046660.2046682","article-title":"Can Homomorphic Encryption Be Practical?","author":"Michael Naehrig","year":"2011","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450310048"},{"key":"ref3:EC:CouMei03","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"345","DOI":"10.1007\/3-540-39200-9_21","article-title":"Algebraic Attacks on Stream Ciphers with Linear Feedback","volume":"2656","author":"Nicolas T. Courtois","year":"2003"},{"key":"ref4:INDO:MCJS19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1007\/978-3-030-35423-7_4","article-title":"Improved Filter Permutators for Efficient FHE: Better\n Instances and Implementations","volume":"11898","author":"Pierrick M\u00e9aux","year":"2019"},{"key":"ref5:Goldreich00","article-title":"Candidate One-Way Functions Based on Expander Graphs","volume":"7","author":"Oded Goldreich","year":"2000","journal-title":"Electronic Colloquium on Computational Complexity (ECCC)"},{"key":"ref6:LILI","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1007\/3-540-44983-3_18","article-title":"LILI Keystream Generator","volume":"2012","author":"Leonie Ruth Simpson","year":"2000"},{"key":"ref7:Fau99","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1016\/S0022-4049(99)00005-5","article-title":"A new efficient algorithm for computing Groebner bases","volume":"139","author":"Jean-Charles Faug\u00e8re","year":"1999","journal-title":"Journal of Pure and Applied Algebra"},{"key":"ref8:Fau02","article-title":"A new efficient algorithm for computing Grobner bases\n without reduction to zero","author":"Jean-Charles Faug\u00e8re","year":"2002"},{"key":"ref9:ICISC:Courtois02","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"182","DOI":"10.1007\/3-540-36552-4_13","article-title":"Higher Order Correlation Attacks, XL Algorithm and\n Cryptanalysis of Toyocrypt","volume":"2587","author":"Nicolas T. Courtois","year":"2002"},{"key":"ref10:EC:MeiPasCar04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"474","DOI":"10.1007\/978-3-540-24676-3_28","article-title":"Algebraic Attacks and Decomposition of Boolean Functions","volume":"3027","author":"Willi Meier","year":"2004"},{"key":"ref11:TOSC:CarMeaRot17","doi-asserted-by":"publisher","DOI":"10.13154\/TOSC.V2017.I3.192-227","article-title":"Boolean functions with restricted input and their\n robustness; application to the FLIP cipher","volume":"2017","author":"Claude Carlet","year":"2017","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref12:C:Courtois03","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"176","DOI":"10.1007\/978-3-540-45146-4_11","article-title":"Fast Algebraic Attacks on Stream Ciphers with Linear\n Feedback","volume":"2729","author":"Nicolas T. Courtois","year":"2003"},{"key":"ref13:CC:BraPre05","doi-asserted-by":"publisher","first-page":"290","DOI":"10.1007\/11586821_20","article-title":"Probabilistic Algebraic Attacks","author":"Bart Braeken An and Preneel","year":"2005"},{"key":"ref14:Carlet20","doi-asserted-by":"publisher","DOI":"10.1017\/9781108606806","volume-title":"Boolean Functions for Cryptography and Coding Theory","author":"Claude Carlet","year":"2021"},{"key":"ref15:INDO:BraPre05","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1007\/11596219_4","article-title":"On the Algebraic Immunity of Symmetric Boolean Functions","volume":"3797","author":"An Braeken","year":"2005"},{"key":"ref16:IEEE:CarMea21","doi-asserted-by":"publisher","first-page":"3404","DOI":"10.1109\/TIT.2021.3139804","article-title":"A Complete Study of Two Classes of Boolean Functions:\n Direct Sums of Monomials and Threshold Functions","volume":"68","author":"Claude Carlet","year":"2022","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref17:Latin:Meaux19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1007\/978-3-030-30530-7_5","article-title":"On the Fast Algebraic Immunity of Majority Functions","volume":"11774","author":"Pierrick M\u00e9aux","year":"2019"},{"key":"ref18:IEEE:Didier06","doi-asserted-by":"publisher","first-page":"4496","DOI":"10.1109\/TIT.2006.881719","article-title":"A New Upper Bound on the Block Error Probability After\n Decoding Over the Erasure Channel","volume":"52","author":"Fr\u00e9d\u00e9ric Didier","year":"2006","journal-title":"IEEE Transactions on Information Theory"},{"key":"ref19:INDO:HofMeaRic20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1007\/978-3-030-65277-7_3","article-title":"Transciphering, Using FiLIP and TFHE for an Efficient\n Delegation of Computation","volume":"12578","author":"Cl\u00e9ment Hoffmann","year":"2020"},{"key":"ref20:EC:1stAttackGea21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/978-3-030-77886-6_6","article-title":"Cryptanalysis of the GPRS Encryption Algorithms GEA-1\n and GEA-2","volume":"12697","author":"Christof Beierle","year":"2021"},{"key":"ref21:EC:AmzDin22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1007\/978-3-031-07082-2_3","article-title":"Refined Cryptanalysis of the GPRS Ciphers GEA-1 and\n GEA-2","volume":"13277","author":"Dor Amzaleg","year":"2022"},{"key":"ref22:DBLP:journals\/tifs\/DingWWGL22","doi-asserted-by":"publisher","first-page":"2878","DOI":"10.1109\/TIFS.2022.3197064","article-title":"New Attacks on the GPRS Encryption Algorithms GEA-1 and\n GEA-2","volume":"17","author":"Lin Ding","year":"2022","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref23:attackLILI","volume-title":"Reconstructing the Nonlinear Filter Function of LILI-128\n Stream Cipher Based on Complexity","author":"Xiangao Huang","year":"2007"},{"key":"ref24:TCC:Applebaum13b","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"599","DOI":"10.1007\/978-3-642-36594-2_33","article-title":"Cryptographic Hardness of Random Local Functions-Survey","volume":"7785","author":"Benny Applebaum","year":"2013"},{"key":"ref25:STOC:AppLov16","doi-asserted-by":"publisher","first-page":"1087","DOI":"10.1145\/2897518.2897554","article-title":"Algebraic attacks against random local functions and their\n countermeasures","author":"Benny Applebaum","year":"2016"},{"key":"ref26:AC:CDMRR18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1007\/978-3-030-03329-3_4","article-title":"On the Concrete Security of Goldreich's Pseudorandom\n Generator","volume":"11273","author":"Geoffroy Couteau","year":"2018"},{"key":"ref27:IEEE:YGJL22","doi-asserted-by":"publisher","first-page":"1329","DOI":"10.1109\/TIT.2021.3128315","article-title":"Revisiting the Concrete Security of Goldreich's\n Pseudorandom Generator","volume":"68","author":"Jing Yang","year":"2022","journal-title":"IEEE Transactions on Information Theory"},{"key":"ref28:EC:Unal23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1007\/978-3-031-30545-0_2","article-title":"Worst-Case Subexponential Attacks on PRGs of Constant\n Degree or Constant Locality","volume":"14004","author":"Akin \u00dcnal","year":"2023"},{"key":"ref29:eprint:MCJS19","volume-title":"Improved Filter Permutators: Combining Symmetric Encryption\n Design, Boolean Functions, Low Complexity Cryptography, and Homomorphic\n Encryption, for Private Delegation of Computations","author":"Pierrick M\u00e9aux","year":"2019"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:25:05Z","timestamp":1744147505000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/29"}},"issued":{"date-parts":[[2025,4,8]]},"references-count":29,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/aby7qjp10","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2025-01-14","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-1-49"},{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T03:13:53Z","timestamp":1768360433930,"version":"3.49.0"},"reference-count":50,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T00:00:00Z","timestamp":1759968000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"As probably the most widespread block cipher, the AES has attracted tremendous cryptanalytical efforts since its standardization. In the single secret-key setting, Demirci-Selcuk Meet-in-the-Middle (DS-MitM) attacks have remained the state of the art on most rounds and have the lowest time complexities on all AES versions. However, after the research intensity had peaked with Derbez et al.'s seminal works from Eurocrypt'13 and FSE'13 and Li et al.'s improvements on the AES-192 at FSE'14, the generic technical evolution on DS-MitM attacks stagnated. Subsequent works automated the technique or concentrated on ciphers other than the AES. But it took one decade until Dong et al. (DCC'24) advanced the progress on DS-MitM attacks. Their approach uses constraints in both the offline and online phases, which produced improved attacks on AES-192 and -256 in the chosen-plaintext setting and on all versions in the practical-data setting.<\/jats:p>\n In this work, we demonstrate that Dong et al.'s use of constraints could be further improved, leading to better attacks on all versions of the AES with practical data complexity. We emphasize that our attacks do not threaten the security of the full AES versions but refine our understanding of their security margins under practical data settings.<\/jats:p>","DOI":"10.62056\/a33zzo-3y","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["New Records for Practical-data Chosen-plaintext Attacks on Round-reduced AES"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2839-6687","authenticated-orcid":false,"given":"Zhenzhen","family":"Bao","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/03cve4549","id-type":"ROR","asserted-by":"publisher"}],"name":"Institute for Network Sciences and Cyberspace, Tsinghua University","place":["Beijing, 100084, China"]},{"name":"Zhongguancun Laboratory","place":["Beijing, China"]},{"id":[{"id":"https:\/\/ror.org\/02pn5rj08","id-type":"ROR","asserted-by":"publisher"}],"name":"State Key Laboratory of Cryptography and Digital Economy Security, Tsinghua University","place":["Beijing, 100084, 100084, China"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8847-6748","authenticated-orcid":false,"given":"Jian","family":"Guo","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02e7b5302","id-type":"ROR","asserted-by":"publisher"}],"name":"Nanyang Technological University","place":["Nanyang Link 21, Singapore, 637371, Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0369-4901","authenticated-orcid":false,"given":"Eik","family":"List","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02e7b5302","id-type":"ROR","asserted-by":"publisher"}],"name":"Nanyang Technological University","place":["Nanyang Link 21, Singapore, 637371, Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-0090-8101","authenticated-orcid":false,"given":"Haoyang","family":"Wang","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0220qvk04","id-type":"ROR","asserted-by":"publisher"}],"name":"School of Computer Science, Shanghai Jiao Tong University","place":["800 Dongchuan Road, Shanghai, 200240, China"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:nist:2001","first-page":"1","article-title":"FIPS 197","author":"National Institute of Standards","year":"2001","journal-title":"National Institute of Standards and Technology, November"},{"key":"ref2:daemen:1998","volume-title":"AES Proposal: Rijndael","author":"Joan Daemen","year":"1999"},{"key":"ref3:DR02","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-60769-5","volume-title":"The Design of Rijndael: AES - The Advanced Encryption\n Standard","author":"Joan Daemen","year":"2002","ISBN":"https:\/\/id.crossref.org\/isbn\/3540425802"},{"key":"ref4:DBLP:conf\/fse\/DerbezF13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"541","DOI":"10.1007\/978-3-662-43933-3_28","article-title":"Exhausting Demirci-Sel\u00e7uk Meet-in-the-Middle Attacks\n Against Reduced-Round AES","volume":"8424","author":"Patrick Derbez","year":"2013"},{"key":"ref5:DBLP:conf\/crypto\/DerbezF16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1007\/978-3-662-53008-5_6","article-title":"Automatic Search of Meet-in-the-Middle and Impossible\n Differential Attacks","volume":"9815","author":"Patrick Derbez","year":"2016"},{"key":"ref6:DBLP:conf\/asiacrypt\/DunkelmanKS10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-642-17373-8_10","article-title":"Improved Single-Key Attacks on 8-Round AES-192 and\n AES-256","volume":"6477","author":"Orr Dunkelman","year":"2010"},{"key":"ref7:DBLP:journals\/joc\/DunkelmanKS15a","doi-asserted-by":"publisher","first-page":"397","DOI":"10.1007\/s00145-013-9159-4","article-title":"Improved Single-Key Attacks on 8-Round AES-192 and\n AES-256","volume":"28","author":"Orr Dunkelman","year":"2015","journal-title":"Journal of Cryptology"},{"key":"ref8:DBLP:journals\/tit\/Sun21","doi-asserted-by":"publisher","first-page":"4838","DOI":"10.1109\/TIT.2021.3058377","article-title":"Provable Security Evaluation of Block Ciphers Against\n Demirci-Sel\u00e7uk's Meet-in-the-Middle Attack","volume":"67","author":"Bing Sun","year":"2021","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref9:DBLP:journals\/dcc\/LiJ16","doi-asserted-by":"publisher","first-page":"459","DOI":"10.1007\/s10623-015-0113-3","article-title":"Meet-in-the-middle attacks on 10-round AES-256","volume":"80","author":"Rongjia Li","year":"2016","journal-title":"Designs, Codes, and Cryptography"},{"key":"ref10:DBLP:journals\/dcc\/LuZ24a","doi-asserted-by":"publisher","first-page":"957","DOI":"10.1007\/S10623-023-01323-4","article-title":"Improved meet-in-the-middle attack on 10 rounds of the\n AES-256 block cipher","volume":"92","author":"Jiqiang Lu","year":"2024","journal-title":"Designs, Codes, and Cryptography"},{"key":"ref11:DBLP:conf\/asiacrypt\/BogdanovKR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"344","DOI":"10.1007\/978-3-642-25385-0_19","article-title":"Biclique Cryptanalysis of the Full AES","volume":"7073","author":"Andrey Bogdanov","year":"2011"},{"key":"ref12:DBLP:journals\/tosc\/BouraCC19","doi-asserted-by":"publisher","first-page":"170","DOI":"10.13154\/TOSC.V2019.I1.170-191","article-title":"A General Proof Framework for Recent AES\n Distinguishers","volume":"2019","author":"Christina Boura","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref13:DBLP:conf\/eurocrypt\/0001RR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"289","DOI":"10.1007\/978-3-319-56614-6_10","article-title":"A New Structural-Differential Property of 5-Round AES","volume":"10211","author":"Lorenzo Grassi","year":"2017"},{"key":"ref14:DBLP:conf\/asiacrypt\/RonjomBH17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-319-70694-8_8","article-title":"Yoyo Tricks with AES","volume":"10624","author":"Sondre R\u00f8njom","year":"2017"},{"key":"ref15:DBLP:journals\/tosc\/Grassi18","doi-asserted-by":"publisher","first-page":"133","DOI":"10.13154\/tosc.v2018.i2.133-160","article-title":"Mixture Differential Cryptanalysis: a New Approach to\n Distinguishers and Attacks on round-reduced AES","volume":"2018","author":"Lorenzo Grassi","year":"2018","journal-title":"IACR Transactions on Symmetric Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref16:DBLP:conf\/crypto\/Bar-OnDKRS18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"185","DOI":"10.1007\/978-3-319-96881-0_7","article-title":"Improved Key Recovery Attacks on Reduced-Round AES with\n Practical Data and Memory Complexities","volume":"10992","author":"Achiya Bar-On","year":"2018"},{"key":"ref17:DBLP:conf\/africacrypt\/BardehR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/978-3-030-23696-0_15","article-title":"Practical Attacks on Reduced-Round AES","volume":"11627","author":"Navid Ghaedi Bardeh","year":"2019"},{"key":"ref18:DBLP:conf\/asiacrypt\/BardehR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"347","DOI":"10.1007\/978-3-030-34618-8_12","article-title":"The Exchange Attack: How to Distinguish Six Rounds of AES\n with $2^{88.2}$ Chosen Plaintexts","volume":"11923","author":"Navid Ghaedi Bardeh","year":"2019"},{"key":"ref19:DBLP:conf\/indocrypt\/ChangWSW22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"422","DOI":"10.1007\/978-3-031-22912-1_19","article-title":"Improved Truncated Differential Distinguishers of AES\n with Concrete S-Box","volume":"13774","author":"Chengcheng Chang","year":"2022"},{"key":"ref20:DBLP:conf\/eurocrypt\/DunkelmanKRS20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-030-45721-1_11","article-title":"The Retracing Boomerang Attack","volume":"12105","author":"Orr Dunkelman","year":"2020"},{"key":"ref21:DBLP:journals\/tosc\/BardehR22","doi-asserted-by":"publisher","first-page":"43","DOI":"10.46586\/TOSC.V2022.I2.43-62","article-title":"New Key-Recovery Attack on Reduced-Round AES","volume":"2022","author":"Navid Ghaedi Bardeh","year":"2022","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref22:DBLP:journals\/joc\/BouraLNS18","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s00145-016-9251-7","article-title":"Making the Impossible Possible","volume":"31","author":"Christina Boura","year":"2018","journal-title":"J. Cryptology"},{"key":"ref23:DBLP:conf\/asiacrypt\/BouraNS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/978-3-662-45611-8_10","article-title":"Scrutinizing and Improving Impossible Differential Attacks:\n Applications to CLEFIA, Camellia, LBlock and Simon","volume":"8873","author":"Christina Boura","year":"2014"},{"key":"ref24:DBLP:conf\/eurocrypt\/LeurentP21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/978-3-030-77870-5_3","article-title":"New Representations of the AES Key Schedule","volume":"12696","author":"Ga\u00ebtan Leurent","year":"2021"},{"key":"ref25:DBLP:conf\/aes\/GilbertM00","first-page":"230","article-title":"A Collision Attack on 7 Rounds of Rijndael","author":"Henri Gilbert","year":"2000"},{"key":"ref26:DBLP:conf\/sacrypt\/DemirciST03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1007\/978-3-540-24654-1_9","article-title":"A New Meet-in-the-Middle Attack on the IDEA Block\n Cipher","volume":"3006","author":"H\u00fcseyin Demirci","year":"2003"},{"key":"ref27:DBLP:conf\/fse\/DemirciS08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1007\/978-3-540-71039-4_7","article-title":"A Meet-in-the-Middle Attack on 8-Round AES","volume":"5086","author":"H\u00fcseyin Demirci","year":"2008"},{"key":"ref28:fse:2024","volume-title":"IACR ToSC Test-of-Time Award Page","author":"IACR","year":"2024"},{"key":"ref29:DBLP:journals\/iacr\/DerbezFJ12","first-page":"477","article-title":"Improved Key Recovery Attacks on Reduced-Round AES in the\n Single-Key Setting","author":"Patrick Derbez","year":"2012","journal-title":"IACR Cryptology ePrint Archive"},{"key":"ref30:DBLP:conf\/eurocrypt\/DerbezFJ13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/978-3-642-38348-9_23","article-title":"Improved Key Recovery Attacks on Reduced-Round AES in the\n Single-Key Setting","volume":"7881","author":"Patrick Derbez","year":"2013"},{"key":"ref31:DBLP:conf\/indocrypt\/MalaDRM10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-642-17401-8_20","article-title":"Improved Impossible Differential Cryptanalysis of 7-Round\n AES-128","volume":"6498","author":"Hamid Mala","year":"2010"},{"key":"ref32:DBLP:conf\/fse\/LiJW14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1007\/978-3-662-46706-0_7","article-title":"Improved Single-Key Attacks on 9-Round AES-192\/256","volume":"8540","author":"Leibo Li","year":"2014"},{"key":"ref33:DBLP:journals\/cj\/LiuSGZZLLB19","doi-asserted-by":"publisher","first-page":"1761","DOI":"10.1093\/comjnl\/bxz059","article-title":"Improved Meet-in-the-Middle Attacks on Reduced-Round\n Kiasu-BC and Joltik-BC","volume":"62","author":"Ya Liu","year":"2019","journal-title":"Comput. J."},{"key":"ref34:DBLP:journals\/ieicet\/TolbaAY16","doi-asserted-by":"publisher","first-page":"1888","DOI":"10.1587\/transfun.E99.A.1888","article-title":"A Meet in the Middle Attack on Reduced Round Kiasu-BC","volume":"99-A","author":"Mohamed Tolba","year":"2016","journal-title":"IEICE Trans. Fundam. Electron. Commun. Comput. Sci."},{"key":"ref35:DBLP:conf\/icics\/ChenSSH19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1007\/978-3-030-41579-2_14","article-title":"Automatic Demirci-Sel\u00e7uk Meet-in-the-Middle Attack on\n SKINNY with Key-Bridging","volume":"11999","author":"Qiu Chen","year":"2019"},{"key":"ref36:DBLP:conf\/asiacrypt\/ShiSDTSH18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-030-03329-3_1","article-title":"Programming the Demirci-Sel\u00e7uk Meet-in-the-Middle\n Attack with Constraints","volume":"11273","author":"Danping Shi","year":"2018"},{"key":"ref37:DBLP:conf\/eurocrypt\/ShiSSHY23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-031-30634-1_3","article-title":"Exploiting Non-full Key Additions: Full-Fledged Automatic\n Demirci-Sel\u00e7uk Meet-in-the-Middle Cryptanalysis of SKINNY","volume":"14007","author":"Danping Shi","year":"2023"},{"key":"ref38:DBLP:conf\/ctrsa\/LuZ24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1007\/978-3-031-58868-6_6","article-title":"Improved Meet-in-the-Middle Attacks on Nine Rounds of the\n AES-192 Block Cipher","volume":"14643","author":"Jiqiang Lu","year":"2024"},{"key":"ref39:lee:2024","doi-asserted-by":"publisher","first-page":"1212","DOI":"10.1587\/TRANSFUN.2023EAP1145","article-title":"Accurate False-Positive Probability of Multiset-Based\n Demirci-Sel\u00e7uk Meet-in-the-Middle Attacks","volume":"107","author":"Dongjae Lee","year":"2024","journal-title":"IEICE Transactions on Fundamentals of Electronics,\n Communications and Computer Sciences"},{"key":"ref40:dong:2024","doi-asserted-by":"publisher","first-page":"2423","DOI":"10.1007\/S10623-024-01396-9","article-title":"Meet-in-the-middle attacks on AES with value constraints","volume":"92","author":"Xiaoli Dong","year":"2024","journal-title":"Designs, Codes, and Cryptography"},{"key":"ref41:DBLP:conf\/fse\/KrovetzR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-642-21702-9_18","article-title":"The Software Performance of Authenticated-Encryption\n Modes","volume":"6733","author":"Ted Krovetz","year":"2011"},{"key":"ref42:rfc7253","series-title":"Request for Comments","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7253","volume-title":"The OCB Authenticated-Encryption Algorithm","author":"Ted Krovetz","year":"2014"},{"key":"ref43:ocbv11:caesar","volume-title":"OCB (v1.1)","author":"Ted Krovetz","year":"2016"},{"key":"ref44:DBLP:journals\/iacr\/DerbezF15","first-page":"259","article-title":"Exhausting Demirci-Sel\u00e7uk Meet-in-the-Middle Attacks\n against Reduced-Round AES","author":"Patrick Derbez","year":"2015","journal-title":"IACR Cryptology ePrint Archive"},{"key":"ref45:DBLP:conf\/ispec\/WeiLH11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/978-3-642-21031-0_17","article-title":"Meet-in-the-Middle Attack on 8 Rounds of the AES Block\n Cipher under 192 Key Bits","volume":"6672","author":"Yongzhuang Wei","year":"2011"},{"key":"ref46:DBLP:journals\/tosc\/GrassiRR16","doi-asserted-by":"publisher","first-page":"192","DOI":"10.13154\/tosc.v2016.i2.192-225","article-title":"Subspace Trail Cryptanalysis and its Applications to AES","volume":"2016","author":"Lorenzo Grassi","year":"2017","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref47:DBLP:conf\/fse\/DaemenKR97","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/BFB0052343","article-title":"The block cipher Square","volume":"1267","author":"Joan Daemen","year":"1997"},{"key":"ref48:DBLP:conf\/indocrypt\/DemirciTCB09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"144","DOI":"10.1007\/978-3-642-10628-6_10","article-title":"Improved Meet-in-the-Middle Attacks on AES","volume":"5922","author":"H\u00fcseyin Demirci","year":"2009"},{"key":"ref49:DBLP:conf\/fse\/DerbezP15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1007\/978-3-662-48116-5_10","article-title":"Meet-in-the-Middle Attacks and Structural Analysis of\n Round-Reduced PRINCE","volume":"9054","author":"Patrick Derbez","year":"2015"},{"key":"ref50:DBLP:journals\/tosc\/BonnetainNS19","doi-asserted-by":"publisher","first-page":"55","DOI":"10.13154\/TOSC.V2019.I2.55-93","article-title":"Quantum Security Analysis of AES","volume":"2019","author":"Xavier Bonnetain","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:40:10Z","timestamp":1767915610000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/38"}},"issued":{"date-parts":[[2026,1,8]]},"references-count":50,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/a33zzo-3y","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-10-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-82"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:49Z","timestamp":1753895089094,"version":"3.41.2"},"reference-count":8,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2024,9,10]],"date-time":"2024-09-10T00:00:00Z","timestamp":1725926400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,12,3]]},"abstract":"A linear error-correcting code exhibits proximity gaps if each affine line of words either consists entirely of words which are close to the code or else contains almost no such words. In this short note, we prove that for each linear code which exhibits proximity gaps within the unique decoding radius, that code's interleaved code also does. Combining our result with a recent argument of Angeris, Evans and Roh ('24), we extend those authors' sharpening of the tensor-based proximity gap of Diamond and Posen (Commun. Cryptol. '24) up to the unique decoding radius, at least in the Reed\u2013Solomon setting. <\/jats:p>","DOI":"10.62056\/a0ljbkrz","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:00:52Z","timestamp":1736787652000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Proximity Gaps in Interleaved Codes"],"prefix":"10.62056","volume":"1","author":[{"given":"Benjamin","family":"Diamond","sequence":"first","affiliation":[{"name":"Irreducible","place":["United States"]}]},{"given":"Angus","family":"Gruen","sequence":"additional","affiliation":[{"name":"Polygon","place":["United States"]}]}],"member":"48349","published-online":{"date-parts":[[2025,1,13]]},"reference":[{"key":"ref1:Ben-Sasson:2023aa","doi-asserted-by":"publisher","DOI":"10.1145\/3614423","article-title":"Proximity Gaps for Reed\u2013Solomon Codes","volume":"70","author":"Eli Ben-Sasson","year":"2023","journal-title":"Journal of the ACM"},{"key":"ref2:Diamond:2024aa","doi-asserted-by":"publisher","DOI":"10.62056\/aksdkp10","article-title":"Proximity Testing with Logarithmic Randomness","volume":"1","author":"Benjamin E. Diamond","year":"2024","journal-title":"IACR Communications in Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/3006-5496","issn-type":"electronic"},{"key":"ref3:Ames:2023aa","doi-asserted-by":"publisher","DOI":"10.1007\/s10623-023-01222-8","article-title":"Ligero: lightweight sublinear arguments without a trusted\n setup","author":"Scott Ames","year":"2023","journal-title":"Designs, Codes and Cryptography"},{"key":"ref4:Golovnev:2023aa","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1007\/978-3-031-38545-2_7","article-title":"Brakedown: Linear-Time and Field-Agnostic SNARKs for\n R1CS","author":"Alexander Golovnev","year":"2023"},{"volume-title":"A Note on Ligero and Logarithmic Randomness","year":"2024","author":"Guillermo Angeris","key":"ref5:Angeris:2024aa"},{"volume-title":"Polylogarithmic Proofs for Multilinears over Binary Towers","year":"2024","author":"Benjamin E. Diamond","key":"ref6:Diamond:2024ab"},{"key":"ref7:Ben-Sasson:2018aa","series-title":"Leibniz International Proceedings in Informatics","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ICALP.2018.14","article-title":"Fast Reed\u2013Solomon Interactive Oracle Proofs of\n Proximity","volume":"107","author":"Eli Ben-Sasson","year":"2018"},{"key":"ref8:Guruswami:2006aa","series-title":"Foundations and Trends in Theoretical Computer Science","doi-asserted-by":"publisher","DOI":"10.1561\/0400000007","volume-title":"Algorithmic Results in List Decoding","volume":"2","author":"Venkatesan Guruswami","year":"2006"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:11:05Z","timestamp":1736788265000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/4\/8"}},"issued":{"date-parts":[[2025,1,13]]},"references-count":8,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,1,13]]}},"URL":"https:\/\/doi.org\/10.62056\/a0ljbkrz","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2025,1,13]]},"assertion":[{"value":"2024-09-10","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-4-4"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:48Z","timestamp":1753895088547,"version":"3.41.2"},"reference-count":23,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,4,9]],"date-time":"2024-04-09T00:00:00Z","timestamp":1712620800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,6,3]]},"abstract":"Pattern matching methods are essential in various applications where users must disclose highly sensitive information. Among these applications are genomic data analysis, financial records inspection, and intrusion detection processes, all of which necessitate robust privacy protection mechanisms. Balancing the imperative of protecting the confidentiality of analyzed data with the need for efficient pattern matching presents a significant challenge.<\/jats:p>\n In this paper, we propose an efficient post-quantum secure construction that enables arbitrary pattern matching over encrypted data while ensuring the confidentiality of the data to be analyzed. In addition, we address scenarios where a malicious data sender, intended to send an encrypted content for pattern detection analysis, has the ability to modify the encrypted content. We adapt the data fragmentation technique to handle such a malicious sender. Our construction makes use of a well-suited Homomorphic Encryption packing method in the context of fragmented streams and combines homomorphic operations in a leveled mode (i.e. without bootstrapping) to obtain a very efficient pattern matching detection process.<\/jats:p>\n In contrast to the most efficient state-of-the-art scheme, our construction achieves a significant reduction in the time required for encryption, decryption, and pattern matching on encrypted data. Specifically, our approach decreases the time by factors of \n \n 1850<\/mml:mn>\n <\/mml:mrow>\n <\/mml:math>, \n \n \n 10<\/mml:mn>\n 6<\/mml:mn>\n <\/mml:msup>\n <\/mml:mrow>\n <\/mml:math>, and \n \n 245<\/mml:mn>\n <\/mml:mrow>\n <\/mml:math>, respectively, for matching a single pattern, and by factors of \n \n 115<\/mml:mn>\n <\/mml:mrow>\n <\/mml:math>, \n \n \n 10<\/mml:mn>\n 5<\/mml:mn>\n <\/mml:msup>\n <\/mml:mrow>\n <\/mml:math>, and \n \n 12<\/mml:mn>\n <\/mml:mrow>\n <\/mml:math>, respectively, for matching \n \n \n 2<\/mml:mn>\n \n 10<\/mml:mn>\n <\/mml:mrow>\n <\/mml:msup>\n <\/mml:mrow>\n <\/mml:math> patterns. <\/jats:p>","DOI":"10.62056\/a09qxrxqi","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T15:52:04Z","timestamp":1720453924000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Efficient Post-Quantum Pattern Matching on Encrypted Data"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9758-4617","authenticated-orcid":false,"given":"Anis","family":"Bkakria","sequence":"first","affiliation":[{"name":"IRT SystemX","place":["France"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0216-7958","authenticated-orcid":false,"given":"Malika","family":"Izabach\u00e8ne","sequence":"additional","affiliation":[{"name":"Unaffiliated","place":["France"]}]}],"member":"48349","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"article-title":"A fully homomorphic encryption scheme","year":"2009","author":"Craig Gentry","key":"ref1:gentry2009fully+"},{"key":"ref2:gentry2009fully","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1145\/1536414.1536440","article-title":"Fully homomorphic encryption using ideal lattices","volume-title":"Proceedings of the 41st Annual ACM Symposium on Theory of\n Computing, STOC 2009","author":"Craig Gentry","year":"2009"},{"key":"ref3:boneh2011functional","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"253","DOI":"10.1007\/978-3-642-19571-6_16","article-title":"Functional encryption: Definitions and challenges","volume-title":"Theory of Cryptography - 8th Theory of Cryptography\n Conference, TCC 2011, Proceedings","volume":"6597","author":"Dan Boneh","year":"2011"},{"key":"ref4:abdalla2008searchable","doi-asserted-by":"publisher","first-page":"350","DOI":"10.1007\/S00145-007-9006-6","article-title":"Searchable encryption revisited: Consistency properties,\n relation to anonymous IBE, and extensions","volume":"21","author":"Michel Abdalla","year":"2008","journal-title":"Journal of cryptology"},{"key":"ref5:chase2015substring","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1515\/POPETS-2015-0014","article-title":"Substring-Searchable Symmetric Encryption.","volume":"2015","author":"Melissa Chase","year":"2015","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref6:kamara2018structured","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"339","DOI":"10.1007\/978-3-319-96884-1_12","article-title":"Structured encryption and leakage suppression","volume-title":"Advances in Cryptology - CRYPTO 2018 - 38th Annual\n International Cryptology Conference, Proceedings, Part I","volume":"10991","author":"Seny Kamara","year":"2018"},{"key":"ref7:song2000practical","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1109\/SECPRI.2000.848445","article-title":"Practical techniques for searches on encrypted data","volume-title":"Proceeding 2000 IEEE symposium on security and privacy. S&P\n 2000","author":"Dawn Xiaoding Song","year":"2000"},{"key":"ref8:sherry2015blindbox","doi-asserted-by":"crossref","first-page":"213","DOI":"10.1145\/2785956.2787502","article-title":"Blindbox: Deep packet inspection over encrypted traffic","volume-title":"Proceedings of the 2015 ACM Conference on Special Interest\n Group on Data Communication, SIGCOMM 2015, London, United Kingdom","author":"Justine Sherry","year":"2015"},{"key":"ref9:canard2017blindids","doi-asserted-by":"crossref","first-page":"561","DOI":"10.1145\/3052973.3053013","article-title":"BlindIDS: Market-compliant and privacy-friendly intrusion\n detection system over encrypted traffic","volume-title":"Proceedings of the 2017 ACM on Asia Conference on Computer\n and Communications Security, AsiaCCS 2017","author":"S\u00e9bastien Canard","year":"2017"},{"key":"ref10:DFOS2018","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1007\/978-3-030-03326-2_5","article-title":"Pattern matching on encrypted streams","volume-title":"International Conference on the Theory and Application of\n Cryptology and Information Security, ASIACRYPT 2018, Proceedings, (Part I)","volume":"11272","author":"Nicolas Desmoulins","year":"2018"},{"key":"ref11:bkakria2020privacy","first-page":"191","article-title":"Privacy-Preserving Pattern Matching on Encrypted Data","volume-title":"International Conference on the Theory and Application of\n Cryptology and Information Security, ASIACRYPT 2020, (Part II)","volume":"12492","author":"Anis Bkakria","year":"2020"},{"key":"ref12:bouscatie2021public","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"342","DOI":"10.1007\/978-3-030-92068-5_12","article-title":"Public Key Encryption with Flexible Pattern Matching","volume-title":"Advances in Cryptology - ASIACRYPT 2021 - 27th\n International Conference on the Theory and Application of Cryptology and\n Information Security, Proceedings, Part IV","volume":"13093","author":"Elie Bouscati\u00e9","year":"2021"},{"key":"ref13:canard2015divisible","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1007\/978-3-662-46447-2_4","article-title":"Divisible e-cash made practical","volume-title":"Public-Key Cryptography - PKC 2015 - 18th IACR\n International Conference on Practice and Theory in Public-Key Cryptography","volume":"9020","author":"S\u00e9bastien Canard","year":"2015"},{"key":"ref14:bouscatie2023pattern","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"774","DOI":"10.1007\/978-3-031-31368-4_27","article-title":"Pattern Matching in Encrypted Stream from Inner Product\n Encryption","volume-title":"Public-Key Cryptography - PKC 2023 - 26th IACR\n International Conference on Practice and Theory of Public-Key Cryptography,\n Atlanta, GA, USA, May 7-10, 2023, Proceedings, Part I","volume":"13940","author":"Elie Bouscati\u00e9","year":"2023"},{"key":"ref15:pereira2011family","doi-asserted-by":"publisher","first-page":"1319","DOI":"10.1016\/J.JSS.2011.03.083","article-title":"A family of implementation-friendly BN elliptic curves","volume":"84","author":"Geovandro CCF Pereira","year":"2011","journal-title":"Journal of Systems and Software"},{"key":"ref16:C:Brakerski12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"868","DOI":"10.1007\/978-3-642-32009-5_50","article-title":"Fully Homomorphic Encryption without Modulus Switching from\n Classical GapSVP","volume-title":"Advances in Cryptology - CRYPTO 2012 - 32nd Annual\n Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012.\n Proceedings","volume":"7417","author":"Zvika Brakerski","year":"2012"},{"article-title":"Somewhat Practical Fully Homomorphic Encryption","year":"2012","author":"Junfeng Fan","key":"ref17:EPRINT:FanVer12"},{"key":"ref18:yasuda2014practical","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1007\/978-3-642-54568-9_3","article-title":"Practical Packing Method in Somewhat Homomorphic\n Encryption","volume-title":"Data Privacy Management and Autonomous Spontaneous\n Security","author":"Masaya Yasuda","year":"2014"},{"key":"ref19:yasuda2015new","doi-asserted-by":"crossref","first-page":"2194","DOI":"10.1002\/sec.1164","article-title":"New packing method in somewhat homomorphic encryption and\n its applications","volume":"8","author":"Masaya Yasuda","year":"2015","journal-title":"Security and Communication Networks"},{"article-title":"Snort - Network Intrusion Detection & Prevention System","year":"1998","author":"SNORT","key":"ref20:snort"},{"key":"ref21:EPRINT:AlbPlaSco15","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1515\/jmc-2015-0016","article-title":"On the concrete hardness of Learning with Errors","volume":"9","author":"Martin R. Albrecht","year":"2015","journal-title":"Journal of Mathemtical Cryptology"},{"article-title":"Homomorphic Encryption Security Standard","year":"2018","author":"Martin Albrecht","key":"ref22:HomomorphicEncryptionSecurityStandard"},{"year":"2022","key":"ref23:sealcrypto","article-title":"Microsoft SEAL (release 4.0)"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:27:00Z","timestamp":1733866020000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/2\/22"}},"issued":{"date-parts":[[2024,7,8]]},"references-count":23,"URL":"https:\/\/doi.org\/10.62056\/a09qxrxqi","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"2024-04-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-2-74"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:52Z","timestamp":1753895092794,"version":"3.41.2"},"reference-count":63,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T00:00:00Z","timestamp":1727568000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,12,3]]},"abstract":" Lattice sieves are algorithms for finding short vectors in lattices. We present an implementation of two such sieves \u2013 known as \"BGJ1\" and \"BDGL\" in the literature - that scales across multiple servers (with varying success). This class of algorithms requires exponential memory which had put into question their ability to scale across sieving nodes. We discuss our architecture and optimisations and report experimental evidence of the efficiency of our approach. <\/jats:p>","DOI":"10.62056\/a3wahey6b","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:00:52Z","timestamp":1736787652000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Scaling Lattice Sieves across Multiple Machines"],"prefix":"10.62056","volume":"1","author":[{"given":"Martin","family":"Albrecht","sequence":"first","affiliation":[{"name":"King's College London","place":["London, United Kingdom"]},{"name":"SandboxAQ","place":["Palo Alto, CA, United States"]}]},{"given":"Joe","family":"Rowell","sequence":"additional","affiliation":[{"name":"Unaffiliated","place":["United Kingdom"]}]}],"member":"48349","published-online":{"date-parts":[[2025,1,13]]},"reference":[{"key":"ref1:STOC:Ajtai98","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1145\/276698.276705","article-title":"The Shortest Vector Problem in L2 is NP-hard for\n Randomized Reductions (Extended Abstract)","author":"Mikl\u00f3s Ajtai","year":"1998"},{"key":"ref2:Micciancio00","doi-asserted-by":"publisher","first-page":"2008","DOI":"10.1137\/s0097539700373039","article-title":"The Shortest Vector in a Lattice is Hard to Approximate to\n within Some Constant","volume":"30","author":"Daniele Micciancio","year":"2001","journal-title":"SIAM Journal on Computing"},{"key":"ref3:Khot05","doi-asserted-by":"publisher","first-page":"789","DOI":"10.1145\/1089023.1089027","article-title":"Hardness of approximating the shortest vector problem in\n lattices","volume":"52","author":"Subhash Khot","year":"2005","journal-title":"Journal of the ACM"},{"key":"ref4:HavReg12","doi-asserted-by":"publisher","first-page":"513","DOI":"10.4086\/toc.2012.v008a023","article-title":"Tensor-based Hardness of the Shortest Vector Problem to\n within Almost Polynomial Factors","volume":"8","author":"Ishay Haviv","year":"2012","journal-title":"Theory of Computing"},{"key":"ref5:Micciancio12","doi-asserted-by":"publisher","first-page":"487","DOI":"10.4086\/toc.2012.v008a022","article-title":"Inapproximability of the Shortest Vector Problem: Toward a\n Deterministic Reduction","volume":"8","author":"Daniele Micciancio","year":"2012","journal-title":"Theory of Computing"},{"key":"ref6:STOC:Kannan83a","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1145\/800061.808749","article-title":"Improved Algorithms for Integer Programming and Related\n Lattice Problems","author":"Ravi Kannan","year":"1983"},{"key":"ref7:FinPoh83","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"194","DOI":"10.1007\/3-540-12868-9_103","article-title":"A procedure for determining algebraic integers of given\n norm","volume":"162","author":"Ulrich Fincke","year":"1983"},{"key":"ref8:STOC:AjtKumSiv01","doi-asserted-by":"publisher","first-page":"601","DOI":"10.1145\/380752.380857","article-title":"A sieve algorithm for the shortest lattice vector problem","author":"Mikl\u00f3s Ajtai","year":"2001"},{"key":"ref9:NguVid08","doi-asserted-by":"publisher","DOI":"10.1515\/JMC.2008.009","article-title":"Sieve Algorithms for the Shortest Vector Problem are\n Practical","volume":"2","author":"Phong Q. Nguyen","year":"2008","journal-title":"J. of Mathematical Cryptology"},{"key":"ref10:EC:GamNguReg10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/978-3-642-13190-5_13","article-title":"Lattice Enumeration Using Extreme Pruning","volume":"6110","author":"Nicolas Gama","year":"2010"},{"key":"ref11:STOC:MicVou10","doi-asserted-by":"publisher","first-page":"351","DOI":"10.1145\/1806689.1806738","article-title":"A deterministic single exponential time algorithm for most\n lattice problems based on voronoi cell computations","author":"Daniele Micciancio","year":"2010"},{"key":"ref12:SODA:MicWal15","doi-asserted-by":"publisher","first-page":"276","DOI":"10.1137\/1.9781611973730.21","article-title":"Fast Lattice Point Enumeration with Minimal Overhead","author":"Daniele Micciancio","year":"2015"},{"key":"ref13:C:Laarhoven15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-662-47989-6_1","article-title":"Sieving for Shortest Vectors in Lattices Using Angular\n Locality-Sensitive Hashing","volume":"9215","author":"Thijs Laarhoven","year":"2015"},{"key":"ref14:SODA:BDGL16","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1137\/1.9781611974331.ch2","article-title":"New directions in nearest neighbor searching with\n applications to lattice sieving","author":"Anja Becker","year":"2016"},{"key":"ref15:EC:Ducas18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1007\/978-3-319-78381-9_5","article-title":"Shortest Vector from Lattice Sieving: A Few Dimensions for\n Free","volume":"10820","author":"L\u00e9o Ducas","year":"2018"},{"key":"ref16:EC:ADHKPS19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"717","DOI":"10.1007\/978-3-030-17656-3_25","article-title":"The General Sieve Kernel and New Records in Lattice\n Reduction","volume":"11477","author":"Martin R. Albrecht","year":"2019"},{"key":"ref17:C:ABFKSW20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/978-3-030-56880-1_7","article-title":"Faster Enumeration-Based Lattice Reduction: Root Hermite\n Factor $k^{1\/(2k)}$ Time $k^{k\/8+o(k)}$","volume":"12171","author":"Martin R. Albrecht","year":"2020"},{"key":"ref18:C:ABLR21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"732","DOI":"10.1007\/978-3-030-84245-1_25","article-title":"Lattice Reduction with Approximate Enumeration Oracles -\n Practical Algorithms and Concrete Performance","volume":"12826","author":"Martin R. Albrecht","year":"2021"},{"key":"ref19:SODA:MicVou10","doi-asserted-by":"publisher","first-page":"1468","DOI":"10.1137\/1.9781611973075.119","article-title":"Faster Exponential Time Algorithms for the Shortest Vector\n Problem","author":"Daniele Micciancio","year":"2010"},{"key":"ref20:STOC:ADRS15","doi-asserted-by":"publisher","first-page":"733","DOI":"10.1145\/2746539.2746606","article-title":"Solving the Shortest Vector Problem in $2^n$ Time Using\n Discrete Gaussian Sampling: Extended Abstract","author":"Divesh Aggarwal","year":"2015"},{"volume-title":"Speeding-up lattice sieving without increasing the memory,\n using sub-quadratic nearest neighbor search","year":"2015","author":"Anja Becker","key":"ref21:EPRINT:BecGamJou15"},{"key":"ref22:PKC:HerKir17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1007\/978-3-662-54365-8_2","article-title":"Improved Algorithms for the Approximate $k$-List Problem\n in Euclidean Norm","volume":"10174","author":"Gottfried Herold","year":"2017"},{"volume-title":"TU Darmstadt lattice challenge","year":"2024","author":"R. Lindner","key":"ref23:DarmChal"},{"key":"ref24:EC:DucStevWo21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/978-3-030-77886-6_9","article-title":"Advanced Lattice Sieving on GPUs, with Tensor Cores","volume":"12697","author":"L\u00e9o Ducas","year":"2021"},{"volume-title":"BGJ15 Revisited: Sieving with Streamed Memory Access","year":"2024","author":"Ziyu Zhao","key":"ref25:EPRINT:ZhaDinYan24"},{"volume-title":"Re: Inaccurate security claims in NTRUprime","year":"2016","author":"Daniel Bernstein","key":"ref26:Bernstein16"},{"volume-title":"NTRU Prime","year":"2020","author":"Daniel J. Bernstein","key":"ref27:NISTPQC-R3:NTRUPrime20"},{"volume-title":"NIST's PQC Standardization: Suggested Avenues for\n Lattice-Based Research","year":"2017","author":"Jacob Alperin-Sheriff","key":"ref28:Alperin-Sheriff17"},{"volume-title":"FAQ on Kyber512","year":"2023","author":"NIST","key":"ref29:Nist23"},{"key":"ref30:EPRINT:Jaques24","doi-asserted-by":"publisher","DOI":"10.62056\/ay4fbn2hd","volume-title":"Memory adds no cost to lattice sieving for computers in 3 or\n more spatial dimensions","volume":"1","author":"Samuel Jaques","year":"2024","journal-title":"IACR Communications in Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/3006-5496","issn-type":"electronic"},{"volume-title":"An Update on Lattice Cryptanalysis vol. 2","year":"2024","author":"John Schanck","key":"ref31:Schanck24"},{"key":"ref32:AFRICACRYPT:HSBVP10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"52","DOI":"10.1007\/978-3-642-12678-9_4","article-title":"Parallel Shortest Lattice Vector Enumeration on Graphics\n Cards","volume":"6055","author":"Jens Hermans","year":"2010"},{"key":"ref33:LC:DHPS10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/978-3-642-14712-8_8","article-title":"Accelerating Lattice Reduction with FPGAs","volume":"6212","author":"J\u00e9r\u00e9mie Detrey","year":"2010"},{"key":"ref34:CHES:KSDRBC11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"176","DOI":"10.1007\/978-3-642-23951-9_12","article-title":"Extreme Enumeration on GPU and in Clouds - - How Many\n Dollars You Need to Break SVP Challenges -","volume":"6917","author":"Po-Chun Kuo","year":"2011"},{"key":"ref35:EUROPAR:DagSch10","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-3-642-15291-7_21","article-title":"Parallel Enumeration of Shortest Lattice Vectors","author":"\u00d6zg\u00fcr Dagdelen","year":"2010"},{"key":"ref36:PDP:CMPBA16","doi-asserted-by":"publisher","first-page":"596","DOI":"10.1109\/PDP.2016.95","article-title":"Parallel Improved Schnorr-Euchner Enumeration SE++ for the\n CVP and SVP","author":"F\u00e1bio Correia","year":"2016"},{"key":"ref37:ICCS:BurBisKra19","doi-asserted-by":"publisher","first-page":"535","DOI":"10.1007\/978-3-030-22750-0_48","article-title":"p3Enum: A New Parameterizable and Shared-Memory\n Parallelized Shortest Vector Problem Solver","author":"Michael Burger","year":"2019"},{"volume-title":"Lattice Enumeration on GPUs for fplll","year":"2021","author":"Simon Pohmann","key":"ref38:PSZ21"},{"key":"ref39:PKC:TerKasHan18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"437","DOI":"10.1007\/978-3-319-76578-5_15","article-title":"Fast Lattice Basis Reduction Suitable for Massive\n Parallelization and Its Application to the Shortest Vector Problem","volume":"10769","author":"Tadanori Teruya","year":"2018"},{"key":"ref40:MAP-SVP","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/SC41405.2020.00064","article-title":"Massive Parallelization for Finding Shortest Lattice Vectors\n Based on Ubiquity Generator Framework","author":"Nariaki Tateiwa","year":"2020"},{"volume-title":"fplll, a lattice reduction library, Version: 5.4.4","year":"2023","author":"The FPLLL development team","key":"ref41:fplll"},{"key":"ref42:PACT:MilSch11","isbn-type":"print","doi-asserted-by":"publisher","first-page":"452","DOI":"10.1007\/978-3-642-23178-0_40","article-title":"A Parallel Implementation of GaussSieve for the Shortest\n Vector Problem in Lattices","author":"Benjamin Milde","year":"2011","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642231780"},{"key":"ref43:PKC:IKMT14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"411","DOI":"10.1007\/978-3-642-54631-0_24","article-title":"Parallel Gauss Sieve Algorithm: Solving the SVP Challenge\n over a 128-Dimensional Ideal Lattice","volume":"8383","author":"Tsukasa Ishiguro","year":"2014"},{"key":"ref44:ICPP:MarBisLaa15","doi-asserted-by":"publisher","first-page":"590","DOI":"10.1109\/ICPP.2015.68","article-title":"Parallel (Probable) Lock-Free Hash Sieve: A Practical\n Sieving Algorithm for the SVP","author":"Artur Mariano","year":"2015"},{"key":"ref45:ICALP:GajAnd20","doi-asserted-by":"publisher","first-page":"661","DOI":"10.1007\/978-3-030-60245-1_45","article-title":"A Multiplatform Parallel Approach for Lattice Sieving\n Algorithms","author":"Michal Andrzejczak","year":"2020"},{"key":"ref46:BNvDP14","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1504\/IJACT.2017.089353","article-title":"Sieving for shortest vectors in ideal lattices: a practical\n perspective","volume":"3","author":"Joppe W. Bos","year":"2017","journal-title":"International Journal of Applied Cryptography"},{"key":"ref47:CMAP-LAP","doi-asserted-by":"publisher","first-page":"42","DOI":"10.1109\/HiPC53243.2021.00018","article-title":"CMAP-LAP: Configurable Massively Parallel Solver for\n Lattice Problems","author":"Nariaki Tateiwa","year":"2021"},{"volume-title":"Shortest Vector from Lattice Sieving: a Few Dimensions for\n Free","year":"2018","author":"L\u00e9o Ducas","key":"ref48:Ducas18"},{"volume-title":"Re: Inaccurate security claims in NTRUprime","year":"2016","author":"Paul Kirchner","key":"ref49:Kirchner16"},{"key":"ref50:AC:KMPM19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"521","DOI":"10.1007\/978-3-030-34578-5_19","article-title":"Quantum Algorithms for the Approximate k-List Problem and\n Their Application to Lattice Sieving","volume":"11921","author":"Elena Kirshanova","year":"2019"},{"key":"ref51:ANTS:BaiLaaSte16","doi-asserted-by":"publisher","DOI":"10.1112\/S1461157016000292","article-title":"Tuple lattice sieving","volume":"19","author":"Shi Bai","year":"2016","journal-title":"LMS Journal of Computation and Mathematics"},{"key":"ref52:PKC:HerKirLaa18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"407","DOI":"10.1007\/978-3-319-76578-5_14","article-title":"Speed-Ups and Time-Memory Trade-Offs for Tuple Lattice\n Sieving","volume":"10769","author":"Gottfried Herold","year":"2018"},{"key":"ref53:ConSlo87","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4757-6568-7","volume-title":"Sphere-packings, Lattices, and Groups","author":"J. H. Conway","year":"1987"},{"key":"ref54:STOC:Charikar02","doi-asserted-by":"publisher","first-page":"380","DOI":"10.1145\/509907.509965","article-title":"Similarity estimation techniques from rounding algorithms","author":"Moses Charikar","year":"2002"},{"key":"ref55:LC:FBBDGM14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"288","DOI":"10.1007\/978-3-319-16295-9_16","article-title":"Tuning GaussSieve for Speed","volume":"8895","author":"Robert Fitzpatrick","year":"2015"},{"key":"ref56:AC:AGPS20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"583","DOI":"10.1007\/978-3-030-64834-3_20","article-title":"Estimating Quantum Speedups for Lattice Sieves","volume":"12492","author":"Martin R. Albrecht","year":"2020"},{"key":"ref57:STACS:Babai85","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/BF02579403","article-title":"On Lov\u00e1sz' Lattice Reduction and the Nearest Lattice\n Point Problem (Shortened Version)","volume":"82","author":"L\u00e1szl\u00f3 Babai","year":"1985","ISBN":"https:\/\/id.crossref.org\/isbn\/3540139125"},{"key":"ref58:logP","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/173284.155333","article-title":"LogP: Towards a Realistic Model of Parallel Computation","volume":"28","author":"David Culler","year":"1993","journal-title":"SIGPLAN Not.","ISSN":"https:\/\/id.crossref.org\/issn\/0362-1340","issn-type":"electronic"},{"key":"ref59:STOC:ForWyl78","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1145\/800133.804339","article-title":"Parallelism in random access machines","author":"Steven Fortune","year":"1978"},{"key":"ref60:CREATE","doi-asserted-by":"publisher","DOI":"10.18742\/rnvf-m076","volume-title":"King's Computational Research, Engineering and Technology\n Environment (CREATE)","author":"King's College London","year":"2024"},{"volume-title":"MPI: A Message-Passing Interface Standard","year":"2012","author":"Message Passing Interface Forum","key":"ref61:mpi-standard"},{"key":"ref62:BHKUW97","doi-asserted-by":"publisher","first-page":"1143","DOI":"10.1109\/71.642949","article-title":"Efficient algorithms for all-to-all communications in\n multiport message-passing systems","volume":"8","author":"J. Bruck","year":"1997","journal-title":"IEEE Transactions on Parallel and Distributed Systems"},{"key":"ref63:IISWC:ZolGro13","doi-asserted-by":"publisher","DOI":"10.1109\/IISWC.2013.6704666","article-title":"(Mis)understanding the NUMA memory system performance of\n multithreaded workloads","author":"Zoltan Majo","year":"2013"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:11:17Z","timestamp":1736788277000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/4\/11"}},"issued":{"date-parts":[[2025,1,13]]},"references-count":63,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,1,13]]}},"URL":"https:\/\/doi.org\/10.62056\/a3wahey6b","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2025,1,13]]},"assertion":[{"value":"2024-09-29","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-4-12"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:05:02Z","timestamp":1753895102560,"version":"3.41.2"},"reference-count":36,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,7,4]],"date-time":"2024-07-04T00:00:00Z","timestamp":1720051200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,9,2]]},"abstract":"This paper presents a new side-channel attack (SCA) on unrolled implementations of stream ciphers, with a particular focus on Trivium. Most conventional SCAs predominantly concentrate on leakage of some first rounds prior to the sufficient diffusion of the secret key and initial vector (IV). However, recently, unrolled hardware implementation has become common and practical, which achieves higher throughput and energy efficiency compared to a round-based hardware. The applicability of conventional SCAs to such unrolled hardware is unclear because the leakage of the first rounds from unrolled hardware is hardly observed. In this paper, focusing on Trivium, we propose a novel SCA on unrolled stream cipher hardware, which can exploit leakage of rounds latter than 80, while existing SCAs exploited intermediate values earlier than 80 rounds. We first analyze the algebraic equations representing the intermediate values of these rounds and present the recursive restricted linear decomposition (RRLD) strategy. This approach uses correlation power analysis (CPA) to estimate the intermediate values of latter rounds. Furthermore, we present a chosen-IV strategy for a successful key recovery through linearization. We experimentally demonstrate that the proposed SCA achieves the key recovery of a 288-round unrolled Trivium hardware implementation using 360,000 traces. Finally, we evaluate the performance of unrolled Trivium hardware implementations to clarify the trade-off between performance and SCA (in)security. The proposed SCA requires 34.5 M traces for a key recovery of 384-round unrolled Trivium implementation and is not applicable to 576-round unrolled hardware. <\/jats:p>","DOI":"10.62056\/angy11zn4","type":"journal-article","created":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T15:13:33Z","timestamp":1728314013000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Side-Channel Linearization Attack on Unrolled Trivium Hardware"],"prefix":"10.62056","author":[{"given":"Soichiro","family":"Kobayashi","sequence":"first","affiliation":[{"name":"Tohoku University","place":["2\u20131\u20131 Katahira, Aoba-ku, Sendai, 980-8577, Japan"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9754-6792","authenticated-orcid":false,"given":"Rei","family":"Ueno","sequence":"additional","affiliation":[{"name":"Kyoto University","place":["Yoshidahommachi, Kyoto, 606\u20138501, Japan"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6839-4777","authenticated-orcid":false,"given":"Yosuke","family":"Todo","sequence":"additional","affiliation":[{"name":"NTT Social Informatics Laboratories","place":["3\u20139\u201311 Midori-cho, Musashino-shi, Tokyo, 180-8535, Japan"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0864-3126","authenticated-orcid":false,"given":"Naofumi","family":"Homma","sequence":"additional","affiliation":[{"name":"Tohoku University","place":["2\u20131\u20131 Katahira, Aoba-ku, Sendai, 980-8577, Japan"]}]}],"member":"48349","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"ref1:de2008trivium","doi-asserted-by":"crossref","first-page":"244","DOI":"10.1007\/978-3-540-68351-3_18","article-title":"Trivium","author":"Christophe De Canniere","year":"2008","journal-title":"New Stream Cipher Designs: The eSTREAM Finalists"},{"volume-title":"Trivium specifications","year":"2006","author":"Christophe De Canniere","key":"ref2:canniere2006trivium"},{"volume-title":"ISO\/IEC 29192-3:2012 Information technology\u2014Security\n techniques\u2014Lightweight cryptography\u2014 Part 3: Stream ciphers","key":"ref3:iso"},{"volume-title":"The eSTREAM portfolio\u2014eSTREAM: the ECRYPT Stream\n Cipher Project","key":"ref4:eSTREAM"},{"volume-title":"Randomness Generation for Secure Hardware Masking - Unrolled\n Trivium to the Rescue","year":"2023","author":"Ga\u00ebtan Cassiers","key":"ref5:ePrint:CMM+23"},{"key":"ref6:banik2018towards","doi-asserted-by":"publisher","first-page":"1","DOI":"10.13154\/tosc.v2018.i2.1-19","article-title":"Towards low energy stream ciphers","author":"Subhadeep Banik","year":"2018","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref7:caforio2021perfect","doi-asserted-by":"publisher","first-page":"36","DOI":"10.46586\/tosc.v2021.i4.36-73","article-title":"Perfect Trees: Designing Energy-Optimal Symmetric Encryption\n Primitives","author":"Andrea Caforio","year":"2021","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref8:fischer2006differential","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/11967668_17","article-title":"Differential Power Analysis of Stream Ciphers","author":"Wieland Fischer","year":"2006"},{"key":"ref9:strobel2009side","article-title":"Side channel analysis attacks on stream ciphers","author":"Daehyun Strobel","year":"2009","journal-title":"Masterarbeit Ruhr-Universit\u00e4t Bochum, Lehrstuhl Embedded\n Security"},{"key":"ref10:jia2012correlation","doi-asserted-by":"publisher","first-page":"479","DOI":"10.1002\/sec.329","article-title":"Correlation power analysis of Trivium","volume":"5","author":"Yanyan Jia","year":"2012","journal-title":"Security and Communication Networks"},{"key":"ref11:tena2015dpa","doi-asserted-by":"publisher","first-page":"1846","DOI":"10.1109\/ISCAS.2015.7169016","article-title":"DPA vulnerability analysis on Trivium stream cipher using\n an optimized power model","author":"Erica Tena-S\u00e1nchez","year":"2015"},{"key":"ref12:tena2015optimized","first-page":"1","article-title":"Optimized DPA attack on Trivium stream cipher using\n correlation shape distinguishers","author":"Erica Tena-S\u00e1nchez","year":"2015"},{"key":"ref13:sim2021dapa","doi-asserted-by":"publisher","first-page":"169","DOI":"10.46586\/tches.v2021.i1.169-191","article-title":"DAPA: Differential Analysis aided Power Attack on\n (Non-)Linear Feedback Shift Registers","author":"Siang Meng Sim","year":"2021","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n Systems"},{"key":"ref14:kumar2022side","doi-asserted-by":"publisher","first-page":"166","DOI":"10.46586\/tches.v2022.i2.166-191","article-title":"Side Channel Attack On Stream Ciphers: A Three-Step Approach\n To State\/Key Recovery","author":"Satyam Kumar","year":"2022","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n Systems"},{"key":"ref15:CTRSA:BGSD10","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1007\/978-3-642-11925-5_14","article-title":"Unrolling Cryptographic Circuits: A Simple Countermeasure\n Against Side-Channel Attacks","author":"Shivam Bhasin","year":"2010"},{"key":"ref16:LightSec:YHA16","doi-asserted-by":"publisher","first-page":"148","DOI":"10.1007\/978-3-319-29078-2_9","article-title":"Improved Power Analysis on Unrolled Architecture and Its\n Application to PRINCE Block Cipher","author":"Ville Yli-M\u00e4yry","year":"2016"},{"key":"ref17:AC:MS16","doi-asserted-by":"publisher","first-page":"517","DOI":"10.1007\/978-3-662-53887-6_19","article-title":"Side-Channel Analysis Protection and Low-Latency in Action","author":"Amir Moradi","year":"2016"},{"key":"ref18:TIFS:YUM+21","doi-asserted-by":"publisher","first-page":"1351","DOI":"10.1109\/TIFS.2020.3033441","article-title":"Diffusional Side-Channel Leakage From Unrolled Lightweight\n Block Ciphers: A Case Study of Power Analysis on PRINCE","volume":"16","author":"Ville Yli-M\u00e4yry","year":"2021","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"ref19:CHES:MPO05","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1007\/11545262_12","article-title":"Successfully Attacking Masked AES Hardware\n Implementations","author":"Stefan Mangard","year":"2005"},{"key":"ref20:TCHES:Moos20","doi-asserted-by":"publisher","first-page":"416","DOI":"10.13154\/tches.v2020.i4.416-442","article-title":"Unrolled Cryptography on Silicon: A Physical Security\n Analysis","volume":"2020","author":"Thorben Moos","year":"2020","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n Systems"},{"key":"ref21:ISSITC:SA15","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1007\/978-3-319-27179-8_18","article-title":"Secure Implementation of Stream Cipher: Trivium","author":"Dillibabu Shanmugam","year":"2015"},{"key":"ref22:ICECS:MHBM+18","doi-asserted-by":"publisher","first-page":"393","DOI":"10.1109\/ICECS.2018.8617892","article-title":"Energy-efficient Masking of the Trivium Stream Cipher","author":"Maxime Montoya","year":"2018"},{"key":"ref23:COSADE:HHN+13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1007\/978-3-642-40026-1_11","article-title":"Chosen-IV Correlation Power Analysis on KCipher-2 and a\n Countermeasure","volume":"7864","author":"Takafumi Hibiki","year":"2013"},{"key":"ref24:SEMS:KUH+2017","first-page":"113","article-title":"Practical Power Analysis on KCipher-2 Software on Low-End\n Microcontrollers","author":"Wataru Kawai","year":"2017"},{"key":"ref25:WOOT:BZD+16","series-title":"WOOT'16","first-page":"15","article-title":"Nonce-disrespecting adversaries: practical forgery attacks\n on GCM in TLS","author":"Hanno B\u00f6ck","year":"2016"},{"key":"ref26:TCHES:UHIM23","doi-asserted-by":"publisher","first-page":"264","DOI":"10.46586\/tches.v2024.i1.264-308","article-title":"Fallen Sanctuary: A Higher-Order and Leakage-Resilient\n Rekeying Scheme","volume":"1","author":"Rei Ueno","year":"2023","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n Systems"},{"key":"ref27:Z3:dMB08","first-page":"337","article-title":"Z3: An Efficient SMT Solver","author":"Leonardo de Moura","year":"2008"},{"volume-title":"Z3 API in Python","year":"2023","author":"Microsoft","key":"ref28:Z3"},{"key":"ref29:CHES:FPS12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/978-3-642-33027-8_13","article-title":"Practical Leakage-Resilient Symmetric Cryptography","volume":"7428","author":"Sebastian Faust","year":"2012"},{"key":"ref30:FSE:Prouff05","doi-asserted-by":"publisher","first-page":"424","DOI":"10.1007\/11502760_29","article-title":"DPA Attacks and S-Boxes","author":"Emmanuel Prouff","year":"2005"},{"key":"ref31:JCEN:FDLZ15","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-015-0107-0","article-title":"A statistics-based success rate model for DPA and CPA","volume":"5","author":"Yunsi Fei","year":"2015","journal-title":"Journal of Cryptographic Engineering"},{"key":"ref32:EC:DS09","doi-asserted-by":"publisher","first-page":"278","DOI":"10.1007\/978-3-642-01001-9_16","article-title":"Cube Attacks on Tweakable Black Box Polynomials","author":"Itai Dinur","year":"2009"},{"key":"ref33:EC:HHLW24","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-58716-0_13","article-title":"Massive Superpoly Recovery with a Meet-in-the-middle\n Framework: Improved Cube Attacks on Trivium and Kreyvium","author":"Jiahui He","year":"2024"},{"key":"ref34:Picek-TCHES-2019","doi-asserted-by":"publisher","first-page":"209","DOI":"10.13154\/tches.v2019.i1.209-237","article-title":"The Curse of Class Imbalance and Conflicting Metrics with\n Machine Learning for Side-channel Evaluations","author":"Stjepan Picek","year":"2019","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n Systems"},{"key":"ref35:ito-tifs-2021","doi-asserted-by":"publisher","first-page":"3790","DOI":"10.1109\/TIFS.2021.3092050","article-title":"Imbalanced Data Problems in Deep Learning-Based Side-Channel\n Attacks: Analysis and Solution","volume":"16","author":"Akira Ito","year":"2021","journal-title":"IEEE Transactions on Information Forensics and Security"},{"volume-title":"Toward Optimal Deep-Learning Based Side-Channel Attacks:\n Probability Concentration Inequality Loss and Its Usage","year":"2021","author":"Akira Ito","key":"ref36:Ito-eprint-2021"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:28:15Z","timestamp":1733866095000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/3\/14"}},"issued":{"date-parts":[[2024,10,7]]},"references-count":36,"URL":"https:\/\/doi.org\/10.62056\/angy11zn4","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2024-07-04","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-3-41"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:05:03Z","timestamp":1753895103008,"version":"3.41.2"},"reference-count":56,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,1,8]],"date-time":"2024-01-08T00:00:00Z","timestamp":1704672000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,6,4]]},"abstract":" Decentralized Multi-Client Functional Encryption (DMCFE) extends the basic functional encryption to multiple clients that do not trust each other. They can independently encrypt the multiple plaintext-inputs to be given for evaluation to the function embedded in the functional decryption key, defined by multiple parameter-inputs. And they keep control on these functions as they all have to contribute to the generation of the functional decryption keys. Tags can be used in the ciphertexts and the keys to specify which inputs can be combined together. As any encryption scheme, DMCFE provides privacy of the plaintexts. But the functions associated to the functional decryption keys might be sensitive too (e.g. a model in machine learning). The function-hiding property has thus been introduced to additionally protect the function evaluated during the decryption process.<\/jats:p>\n In this paper, we provide new proof techniques to analyze a new concrete construction of function-hiding DMCFE for inner products, with strong security guarantees: the adversary can adaptively query multiple challenge ciphertexts and multiple challenge keys, with unbounded repetitions of the same tags in the ciphertext-queries and a fixed polynomially-large number of repetitions of the same tags in the key-queries. Previous constructions were proven secure in the selective setting only. <\/jats:p>","DOI":"10.62056\/andkp2fgx","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T15:52:04Z","timestamp":1720453924000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":7,"title":["Decentralized Multi-Client Functional Encryption with Strong Security"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3867-4209","authenticated-orcid":false,"given":"Ky","family":"Nguyen","sequence":"first","affiliation":[{"name":"DIENS, Ecole normale superieure, CNRS, Inria, PSL University","place":["Paris, 75005, France"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6668-683X","authenticated-orcid":false,"given":"David","family":"Pointcheval","sequence":"additional","affiliation":[{"name":"DIENS, Ecole normale superieure, CNRS, Inria, PSL University","place":["Paris, 75005, France"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8643-9046","authenticated-orcid":false,"given":"Robert","family":"Sch\u00e4dlich","sequence":"additional","affiliation":[{"name":"DIENS, Ecole normale superieure, CNRS, Inria, PSL University","place":["Paris, 75005, France"]}]}],"member":"48349","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"key":"ref1:EC:SahWat05","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"457","DOI":"10.1007\/11426639_27","article-title":"Fuzzy Identity-Based Encryption","volume-title":"EUROCRYPT\u00a02005","volume":"3494","author":"Amit Sahai","year":"2005"},{"key":"ref2:TCC:BonSahWat11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1007\/978-3-642-19571-6_16","article-title":"Functional Encryption: Definitions and Challenges","volume-title":"TCC\u00a02011","volume":"6597","author":"Dan Boneh","year":"2011"},{"key":"ref3:C:Shamir84wDOI","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"47","DOI":"10.1007\/3-540-39568-7_5","article-title":"Identity-Based Cryptosystems and Signature Schemes","volume-title":"CRYPTO'84","volume":"196","author":"Adi Shamir","year":"1984"},{"key":"ref4:IMA:Cocks01wDOI","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"360","DOI":"10.1007\/3-540-45325-3_32","article-title":"An Identity Based Encryption Scheme Based on Quadratic\n Residues","volume-title":"8th IMA International Conference on Cryptography and\n Coding","volume":"2260","author":"Clifford Cocks","year":"2001"},{"key":"ref5:C:BonFra01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/3-540-44647-8_13","article-title":"Identity-Based Encryption from the Weil Pairing","volume-title":"CRYPTO\u00a02001","volume":"2139","author":"Dan Boneh","year":"2001"},{"key":"ref6:CCS:GPSW06","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1145\/1180405.1180418","article-title":"Attribute-Based Encryption for Fine-Grained Access Control\n of Encrypted Data","volume-title":"ACM CCS 2006","author":"Vipul Goyal","year":"2006"},{"key":"ref7:CCS:OstSahWat07","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1145\/1315245.1315270","article-title":"Attribute-based encryption with non-monotonic access\n structures","volume-title":"ACM CCS 2007","author":"Rafail Ostrovsky","year":"2007"},{"key":"ref8:PKC:AttLibPan11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1007\/978-3-642-19379-8_6","article-title":"Expressive Key-Policy Attribute-Based Encryption with\n Constant-Size Ciphertexts","volume-title":"PKC\u00a02011","volume":"6571","author":"Nuttapong Attrapadung","year":"2011"},{"key":"ref9:AC:OkaTak12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"349","DOI":"10.1007\/978-3-642-34961-4_22","article-title":"Fully Secure Unbounded Inner-Product and Attribute-Based\n Encryption","volume-title":"ASIACRYPT\u00a02012","volume":"7658","author":"Tatsuaki Okamoto","year":"2012"},{"key":"ref10:PKC:ABDP15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"733","DOI":"10.1007\/978-3-662-46447-2_33","article-title":"Simple Functional Encryption Schemes for Inner Products","volume-title":"PKC\u00a02015","volume":"9020","author":"Michel Abdalla","year":"2015"},{"key":"ref11:C:AgrLibSte16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"333","DOI":"10.1007\/978-3-662-53015-3_12","article-title":"Fully Secure Functional Encryption for Inner Products, from\n Standard Assumptions","volume-title":"CRYPTO\u00a02016, Part\u00a0III","volume":"9816","author":"Shweta Agrawal","year":"2016"},{"key":"ref12:PKC:BenBouLip17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/978-3-662-54388-7_2","article-title":"CCA-Secure Inner-Product Functional Encryption from\n Projective Hash Functions","volume-title":"PKC\u00a02017, Part\u00a0II","volume":"10175","author":"Fabrice Benhamouda","year":"2017"},{"key":"ref13:AC:CasLagTuc18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"733","DOI":"10.1007\/978-3-030-03329-3_25","article-title":"Practical Fully Secure Unrestricted Inner Product Functional\n Encryption Modulo p","volume-title":"ASIACRYPT\u00a02018, Part\u00a0II","volume":"11273","author":"Guilhem Castagnos","year":"2018"},{"key":"ref14:C:BCFG17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-319-63688-7_3","article-title":"Practical Functional Encryption for Quadratic Functions with\n Applications to Predicate Encryption","volume-title":"CRYPTO\u00a02017, Part\u00a0I","volume":"10401","author":"Carmen Elisabetta Zaira Baltico","year":"2017"},{"key":"ref15:PKC:Gay20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1007\/978-3-030-45374-9_4","article-title":"A New Paradigm for Public-Key Functional Encryption for\n Degree-2 Polynomials","volume-title":"PKC\u00a02020, Part\u00a0I","volume":"12110","author":"Romain Gay","year":"2020"},{"key":"ref16:EC:AnaSah17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"152","DOI":"10.1007\/978-3-319-56620-7_6","article-title":"Projective Arithmetic Functional Encryption and\n Indistinguishability Obfuscation from Degree-5 Multilinear Maps","volume-title":"EUROCRYPT\u00a02017, Part\u00a0I","volume":"10210","author":"Prabhanjan Ananth","year":"2017"},{"key":"ref17:C:Lin17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"599","DOI":"10.1007\/978-3-319-63688-7_20","article-title":"Indistinguishability Obfuscation from SXDH on 5-Linear\n Maps and Locality-5 PRGs","volume-title":"CRYPTO\u00a02017, Part\u00a0I","volume":"10401","author":"Huijia Lin","year":"2017"},{"key":"ref18:C:GorVaiWee15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"503","DOI":"10.1007\/978-3-662-48000-7_25","article-title":"Predicate Encryption for Circuits from LWE","volume-title":"CRYPTO\u00a02015, Part\u00a0II","volume":"9216","author":"Sergey Gorbunov","year":"2015"},{"key":"ref19:C:AnaJai15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"308","DOI":"10.1007\/978-3-662-47989-6_15","article-title":"Indistinguishability Obfuscation from Compact Functional\n Encryption","volume-title":"CRYPTO\u00a02015, Part\u00a0I","volume":"9215","author":"Prabhanjan Ananth","year":"2015"},{"key":"ref20:FOCS:BitVai15","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1109\/FOCS.2015.20","article-title":"Indistinguishability Obfuscation from Functional\n Encryption","volume-title":"56th FOCS","author":"Nir Bitansky","year":"2015"},{"key":"ref21:EC:GGGJKL14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"578","DOI":"10.1007\/978-3-642-55220-5_32","article-title":"Multi-input Functional Encryption","volume-title":"EUROCRYPT\u00a02014","volume":"8441","author":"Shafi Goldwasser","year":"2014"},{"article-title":"Multi-Input Functional Encryption","year":"2013","author":"S. Dov Gordon","key":"ref22:EPRINT:GKLSZ13"},{"key":"ref23:PKC:DatOkaTom18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"245","DOI":"10.1007\/978-3-319-76581-5_9","article-title":"Full-Hiding (Unbounded) Multi-input Inner Product Functional\n Encryption from the $k$-Linear Assumption","volume-title":"PKC\u00a02018, Part\u00a0II","volume":"10770","author":"Pratish Datta","year":"2018"},{"key":"ref24:AC:CDGPP18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"703","DOI":"10.1007\/978-3-030-03329-3_24","article-title":"Decentralized Multi-Client Functional Encryption for Inner\n Product","volume-title":"ASIACRYPT\u00a02018, Part\u00a0II","volume":"11273","author":"J\u00e9r\u00e9my Chotard","year":"2018"},{"article-title":"Multi-Client Functional Encryption with Repetition for Inner\n Product","year":"2018","author":"J\u00e9r\u00e9my Chotard","key":"ref25:EPRINT:CDGPP18"},{"key":"ref26:C:ACFGU18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"597","DOI":"10.1007\/978-3-319-96884-1_20","article-title":"Multi-Input Functional Encryption for Inner Products:\n Function-Hiding Realizations and Constructions Without Pairings","volume-title":"CRYPTO\u00a02018, Part\u00a0I","volume":"10991","author":"Michel Abdalla","year":"2018"},{"key":"ref27:PKC:ABKW19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"128","DOI":"10.1007\/978-3-030-17259-6_5","article-title":"Decentralizing Inner-Product Functional Encryption","volume-title":"PKC\u00a02019, Part\u00a0II","volume":"11443","author":"Michel Abdalla","year":"2019"},{"key":"ref28:AC:AbdBenGay19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"552","DOI":"10.1007\/978-3-030-34618-8_19","article-title":"From Single-Input to Multi-client Inner-Product Functional\n Encryption","volume-title":"ASIACRYPT\u00a02019, Part\u00a0III","volume":"11923","author":"Michel Abdalla","year":"2019"},{"key":"ref29:AC:LibTit19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"520","DOI":"10.1007\/978-3-030-34618-8_18","article-title":"Multi-Client Functional Encryption for Linear Functions in\n the Standard Model from LWE","volume-title":"ASIACRYPT\u00a02019, Part\u00a0III","volume":"11923","author":"Beno\u00eet Libert","year":"2019"},{"key":"ref30:C:CDGPP20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"747","DOI":"10.1007\/978-3-030-56784-2_25","article-title":"Dynamic Decentralized Functional Encryption","volume-title":"CRYPTO\u00a02020, Part\u00a0I","volume":"12170","author":"J\u00e9r\u00e9my Chotard","year":"2020"},{"key":"ref31:AC:ACGU20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"467","DOI":"10.1007\/978-3-030-64840-4_16","article-title":"Inner-Product Functional Encryption with Fine-Grained Access\n Control","volume-title":"ASIACRYPT\u00a02020, Part\u00a0III","volume":"12493","author":"Michel Abdalla","year":"2020"},{"key":"ref32:AC:NguPhaPoi22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1007\/978-3-031-22963-3_4","article-title":"Multi-Client Functional Encryption with Fine-Grained Access\n Control","volume-title":"ASIACRYPT\u00a02022, Part\u00a0I","volume":"13791","author":"Ky Nguyen","year":"2022"},{"key":"ref33:C:AgrTomYad23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"464","DOI":"10.1007\/978-3-031-38551-3_15","article-title":"Attribute-Based Multi-input FE (and More) for\n Attribute-Weighted Sums","volume-title":"CRYPTO\u00a02023, Part\u00a0IV","volume":"14084","author":"Shweta Agrawal","year":"2023"},{"key":"ref34:C:AgrGoyTom21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"208","DOI":"10.1007\/978-3-030-84259-8_8","article-title":"Multi-input Quadratic Functional Encryption from Pairings","volume-title":"CRYPTO\u00a02021, Part\u00a0IV","volume":"12828","author":"Shweta Agrawal","year":"2021"},{"key":"ref35:TCC:AgrGoyTom22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"711","DOI":"10.1007\/978-3-031-22318-1_25","article-title":"Multi-Input Quadratic Functional Encryption: Stronger\n Security, Broader Functionality","volume-title":"TCC\u00a02022, Part\u00a0I","volume":"13747","author":"Shweta Agrawal","year":"2022"},{"key":"ref36:AC:BisJaiKow15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"470","DOI":"10.1007\/978-3-662-48797-6_20","article-title":"Function-Hiding Inner Product Encryption","volume-title":"ASIACRYPT\u00a02015, Part\u00a0I","volume":"9452","author":"Allison Bishop","year":"2015"},{"key":"ref37:PKC:DatDutMuk16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1007\/978-3-662-49384-7_7","article-title":"Functional Encryption for Inner Product with Full Function\n Privacy","volume-title":"PKC\u00a02016, Part\u00a0I","volume":"9614","author":"Pratish Datta","year":"2016"},{"key":"ref38:ISC:TomAbeOka16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"408","DOI":"10.1007\/978-3-319-45871-7_24","article-title":"Efficient Functional Encryption for Inner-Product Values\n with Full-Hiding Security","volume-title":"ISC\u00a02016","volume":"9866","author":"Junichi Tomida","year":"2016"},{"key":"ref39:TCS:KimKimSeo19","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1016\/J.TCS.2019.03.016","article-title":"A new approach to practical function-private inner product\n encryption","volume":"783","author":"Sungwook Kim","year":"2019","journal-title":"Theoretical Computer Science"},{"key":"ref40:SCN:KLMMRW18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"544","DOI":"10.1007\/978-3-319-98113-0_29","article-title":"Function-Hiding Inner Product Encryption Is Practical","volume-title":"SCN 18","volume":"11035","author":"Sam Kim","year":"2018"},{"key":"ref41:AC:Tomida19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"459","DOI":"10.1007\/978-3-030-34618-8_16","article-title":"Tightly Secure Inner Product Functional Encryption:\n Multi-input and Function-Hiding Constructions","volume-title":"ASIACRYPT\u00a02019, Part\u00a0III","volume":"11923","author":"Junichi Tomida","year":"2019"},{"key":"ref42:TCS:Tomida20","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1016\/J.TCS.2020.05.008","article-title":"Tightly secure inner product functional encryption:\n Multi-input and function-hiding constructions","volume":"833","author":"Junichi Tomida","year":"2020","journal-title":"Theoretical Computer Science"},{"key":"ref43:C:OkaTak10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-642-14623-7_11","article-title":"Fully Secure Functional Encryption with General Relations\n from the Decisional Linear Assumption","volume-title":"CRYPTO\u00a02010","volume":"6223","author":"Tatsuaki Okamoto","year":"2010"},{"key":"ref44:EC:OkaTak12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"591","DOI":"10.1007\/978-3-642-29011-4_35","article-title":"Adaptively Attribute-Hiding (Hierarchical) Inner Product\n Encryption","volume-title":"EUROCRYPT\u00a02012","volume":"7237","author":"Tatsuaki Okamoto","year":"2012"},{"key":"ref45:TCC:AgrGoyTom21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1007\/978-3-030-90453-1_8","article-title":"Multi-Party Functional Encryption","volume-title":"TCC\u00a02021, Part\u00a0II","volume":"13043","author":"Shweta Agrawal","year":"2021"},{"key":"ref46:PKC:ShiVan23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"622","DOI":"10.1007\/978-3-031-31368-4_22","article-title":"Multi-Client Inner Product Encryption: Function-Hiding\n Instantiations Without Random Oracles","volume-title":"PKC\u00a02023, Part\u00a0I","volume":"13940","author":"Elaine Shi","year":"2023"},{"key":"ref47:EC:Unal20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1007\/978-3-030-45721-1_7","article-title":"Impossibility Results for Lattice-Based Functional\n Encryption Schemes","volume-title":"EUROCRYPT\u00a02020, Part\u00a0I","volume":"12105","author":"Akin \u00dcnal","year":"2020"},{"key":"ref48:C:EHKRV13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-642-40084-1_8","article-title":"An Algebraic Framework for Diffie-Hellman Assumptions","volume-title":"CRYPTO\u00a02013, Part\u00a0II","volume":"8043","author":"Alex Escala","year":"2013"},{"key":"ref49:EPRINT:NguPoiSch24","doi-asserted-by":"crossref","DOI":"10.62056\/andkp2fgx","article-title":"Decentralized Multi-Client Functional Encryption with Strong\n Security","author":"Ky Nguyen","year":"2024"},{"key":"ref50:C:Waters09","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"619","DOI":"10.1007\/978-3-642-03356-8_36","article-title":"Dual System Encryption: Realizing Fully Secure IBE and\n HIBE under Simple Assumptions","volume-title":"CRYPTO\u00a02009","volume":"5677","author":"Brent Waters","year":"2009"},{"key":"ref51:TCC:LewWat10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1007\/978-3-642-11799-2_27","article-title":"New Techniques for Dual System Encryption and Fully Secure\n HIBE with Short Ciphertexts","volume-title":"TCC\u00a02010","volume":"5978","author":"Allison B. Lewko","year":"2010"},{"key":"ref52:PAIRING:CLLWW12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1007\/978-3-642-36334-4_8","article-title":"Shorter IBE and Signatures via Asymmetric Pairings","volume-title":"PAIRING 2012","volume":"7708","author":"Jie Chen","year":"2013"},{"key":"ref53:EC:BelRog06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1007\/11761679_25","article-title":"The Security of Triple Encryption and a Framework for\n Code-Based Game-Playing Proofs","volume-title":"EUROCRYPT\u00a02006","volume":"4004","author":"Mihir Bellare","year":"2006"},{"key":"ref54:ACNS:NguPhaPoi23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"336","DOI":"10.1007\/978-3-031-33491-7_13","article-title":"Optimal Security Notion for Decentralized Multi-Client\n Functional Encryption","volume-title":"ACNS 23, Part\u00a0II","volume":"13906","author":"Ky Nguyen","year":"2023"},{"key":"ref55:FOCS:LinVai16","doi-asserted-by":"publisher","first-page":"11","DOI":"10.1109\/FOCS.2016.11","article-title":"Indistinguishability Obfuscation from DDH-Like Assumptions\n on Constant-Degree Graded Encodings","volume-title":"57th FOCS","author":"Huijia Lin","year":"2016"},{"key":"ref56:JC:JutRoy17","doi-asserted-by":"publisher","first-page":"1116","DOI":"10.1007\/s00145-016-9243-7","article-title":"Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces","volume":"30","author":"Charanjit S. Jutla","year":"2017","journal-title":"Journal of Cryptology"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:26:51Z","timestamp":1733866011000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/2\/3"}},"issued":{"date-parts":[[2024,7,8]]},"references-count":56,"URL":"https:\/\/doi.org\/10.62056\/andkp2fgx","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"2024-01-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-04","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-1-61"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:55Z","timestamp":1753895095740,"version":"3.41.2"},"reference-count":56,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2024,7,9]],"date-time":"2024-07-09T00:00:00Z","timestamp":1720483200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,12,3]]},"abstract":"The server-aided model for multiparty computation (MPC) was introduced to capture a real-world scenario where clients wish to off-load the heavy computation of MPC protocols to dedicated servers. A rich body of work has studied various trade-offs between security guarantees (e.g., semi-honest vs malicious), trust assumptions (e.g., the threshold on corrupted servers), and efficiency.<\/jats:p>\n However, all existing works make the assumption that all clients must agree on employing the same servers, and accept the same corruption threshold. In this paper, we challenge this assumption and introduce a new paradigm for server-aided MPC, where each client can choose their own set of servers and their own threshold of corrupted servers. In this new model, the privacy of each client is guaranteed as long as their own threshold is satisfied, regardless of the other servers\/clients. We call this paradigm per-party private server-aided MPC to highlight both a security and efficiency guarantee: (1) per-party privacy, which means that each party gets their own privacy guarantees that depend on their own choice of the servers; (2) per-party complexity, which means that each party only needs to communicate with their chosen servers. Our primary contribution is a new theoretical framework for server-aided MPC. We provide two protocols to show feasibility, but leave it as a future work to investigate protocols that focus on concrete efficiency. <\/jats:p>","DOI":"10.62056\/ab3wa0l5vt","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:00:52Z","timestamp":1736787652000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["A New Paradigm for Server-Aided MPC"],"prefix":"10.62056","volume":"1","author":[{"given":"Alessandra","family":"Scafuro","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/04tj63d06","id-type":"ROR","asserted-by":"publisher"}],"name":"North Carolina State University","place":["Campus Box 8206 890 Oval Drive, Raleigh, NC, 27695, USA"],"department":["Computer Science"]}]},{"given":"Tanner","family":"Verber","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/04tj63d06","id-type":"ROR","asserted-by":"publisher"}],"name":"North Carolina State University","place":["Campus Box 8206 890 Oval Drive, Raleigh, NC, 27695, USA"],"department":["Computer Science"]}]}],"member":"48349","published-online":{"date-parts":[[2025,1,13]]},"reference":[{"key":"ref1:yao1986generate","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1109\/SFCS.1986.25","article-title":"How to Generate and Exchange Secrets (Extended Abstract)","author":"Andrew Chi-Chih Yao","year":"1986"},{"key":"ref2:goldreich1987how","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1145\/28395.28420","article-title":"How to Play any Mental Game or A Completeness Theorem for\n Protocols with Honest Majority","author":"Oded Goldreich","year":"1987"},{"key":"ref3:beaver1990round","doi-asserted-by":"publisher","first-page":"503","DOI":"10.1145\/100216.100287","article-title":"The Round Complexity of Secure Protocols (Extended\n Abstract)","author":"Donald Beaver","year":"1990"},{"key":"ref4:kamara2011outsourcing","first-page":"272","article-title":"Outsourcing Multi-Party Computation","author":"Seny Kamara","year":"2011","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref5:feige1994minimal","doi-asserted-by":"publisher","first-page":"554","DOI":"10.1145\/195058.195408","article-title":"A minimal model for secure computation (extended abstract)","author":"Uriel Feige","year":"1994"},{"key":"ref6:halevi2011secure","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"132","DOI":"10.1007\/978-3-642-22792-9_8","article-title":"Secure Computation on the Web: Computing without\n Simultaneous Interaction","volume":"6841","author":"Shai Halevi","year":"2011"},{"key":"ref7:kamara2012salus","doi-asserted-by":"publisher","first-page":"797","DOI":"10.1145\/2382196.2382280","article-title":"Salus: a system for server-aided secure function\n evaluation","author":"Seny Kamara","year":"2012"},{"key":"ref8:lopez2012fly","doi-asserted-by":"publisher","first-page":"1219","DOI":"10.1145\/2213977.2214086","article-title":"On-the-fly multiparty computation on the cloud via multikey\n fully homomorphic encryption","author":"Adriana L\u00f3pez-Alt","year":"2012"},{"key":"ref9:damgaard2005constant","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"378","DOI":"10.1007\/11535218_23","article-title":"Constant-Round Multiparty Computation Using a Black-Box\n Pseudorandom Generator","volume":"3621","author":"Ivan Damg\u00e5rd","year":"2005"},{"key":"ref10:mood2014reuse","doi-asserted-by":"publisher","first-page":"582","DOI":"10.1145\/2660267.2660285","article-title":"Reuse It Or Lose It: More Efficient Secure Computation\n Through Reuse of Encrypted Values","author":"Benjamin Mood","year":"2014"},{"key":"ref11:jakobsen2014framework","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1145\/2664168.2664170","article-title":"A Framework for Outsourcing of Secure Computation","author":"Thomas P. Jakobsen","year":"2014"},{"key":"ref12:goyal2021atlas","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"244","DOI":"10.1007\/978-3-030-84245-1_9","article-title":"ATLAS: Efficient and Scalable MPC in the Honest Majority\n Setting","volume":"12826","author":"Vipul Goyal","year":"2021"},{"key":"ref13:mohassel2017secureml","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1109\/SP.2017.12","article-title":"SecureML: A System for Scalable Privacy-Preserving Machine\n Learning","author":"Payman Mohassel","year":"2017"},{"article-title":"Let's Stride Blindfolded in a Forest: Sublinear Multi-Client\n Decision Trees Evaluation","year":"2021","author":"Jack P. K. Ma","key":"ref14:ma2021let"},{"key":"ref15:mohassel2018aby3","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1145\/3243734.3243760","article-title":"ABY\\({}^{\\mbox{3}}\\): A Mixed Protocol Framework for\n Machine Learning","author":"Payman Mohassel","year":"2018"},{"key":"ref16:chaudhari2019astra","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1145\/3338466.3358922","article-title":"ASTRA: High Throughput 3PC over Rings with Application to\n Secure Prediction","author":"Harsh Chaudhari","year":"2019"},{"article-title":"BLAZE: Blazing Fast Privacy-Preserving Machine Learning","year":"2020","author":"Arpita Patra","key":"ref17:patra2020blaze"},{"key":"ref18:tan2021cryptgpu","doi-asserted-by":"publisher","first-page":"1021","DOI":"10.1109\/SP40001.2021.00098","article-title":"CryptGPU: Fast Privacy-Preserving Machine Learning on the\n GPU","author":"Sijun Tan","year":"2021"},{"key":"ref19:koti2021swift","first-page":"2651","article-title":"SWIFT: Super-fast and Robust Privacy-Preserving Machine\n Learning","author":"Nishat Koti","year":"2021"},{"key":"ref20:byali2020flash","doi-asserted-by":"publisher","first-page":"459","DOI":"10.2478\/POPETS-2020-0036","article-title":"FLASH: Fast and Robust Framework for Privacy-preserving\n Machine Learning","volume":"2020","author":"Megha Byali","year":"2020","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref21:choudhuri2020fluid","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"94","DOI":"10.1007\/978-3-030-84245-1_4","article-title":"Fluid MPC: Secure Multiparty Computation with Dynamic\n Participants","volume":"12826","author":"Arka Rai Choudhuri","year":"2021"},{"key":"ref22:gentry2021yoso","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"64","DOI":"10.1007\/978-3-030-84245-1_3","article-title":"YOSO: You Only Speak Once - Secure MPC with Stateless\n Ephemeral Roles","volume":"12826","author":"Craig Gentry","year":"2021"},{"key":"ref23:canetti2001universally","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1109\/SFCS.2001.959888","article-title":"Universally Composable Security: A New Paradigm for\n Cryptographic Protocols","author":"Ran Canetti","year":"2001"},{"key":"ref24:damgaard2012multiparty","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"643","DOI":"10.1007\/978-3-642-32009-5_38","article-title":"Multiparty Computation from Somewhat Homomorphic\n Encryption","volume":"7417","author":"Ivan Damg\u00e5rd","year":"2012"},{"key":"ref25:choi2013multi","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"499","DOI":"10.1007\/978-3-642-36594-2_28","article-title":"Multi-Client Non-interactive Verifiable Computation","volume":"7785","author":"Seung Geol Choi","year":"2013"},{"key":"ref26:carter2016secure","doi-asserted-by":"publisher","first-page":"137","DOI":"10.3233\/JCS-150540","article-title":"Secure outsourced garbled circuit evaluation for mobile\n devices","volume":"24","author":"Henry Carter","year":"2016","journal-title":"J. Comput. Secur."},{"key":"ref27:baldimtsi2016secure","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1007\/978-3-319-66402-6_8","article-title":"Server-Aided Secure Computation with Off-line Parties","volume":"10492","author":"Foteini Baldimtsi","year":"2017"},{"key":"ref28:mohassel2016efficient","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1515\/POPETS-2016-0006","article-title":"Efficient Server-Aided 2PC for Mobile Phones","volume":"2016","author":"Payman Mohassel","year":"2016","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref29:wagh2019securenn","doi-asserted-by":"publisher","first-page":"26","DOI":"10.2478\/POPETS-2019-0035","article-title":"SecureNN: 3-Party Secure Computation for Neural Network\n Training","volume":"2019","author":"Sameer Wagh","year":"2019","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"ref30:boemer2019ngraph","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1145\/3310273.3323047","article-title":"nGraph-HE: a graph compiler for deep learning on\n homomorphically encrypted data","author":"Fabian Boemer","year":"2019"},{"key":"ref31:damgaard2021phoenix","series-title":"LIPIcs","doi-asserted-by":"publisher","DOI":"10.4230\/LIPICS.ITC.2023.7","article-title":"Phoenix: Secure Computation in an Unstable Network with\n Dropouts and Comebacks","volume":"267","author":"Ivan Damg\u00e5rd","year":"2023"},{"key":"ref32:rachuri2021mans","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"719","DOI":"10.1007\/978-3-031-15802-5_25","article-title":"Le Mans: Dynamic and Fluid MPC for Dishonest Majority","volume":"13507","author":"Rahul Rachuri","year":"2022"},{"key":"ref33:bienstock2023on","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1007\/978-3-031-38557-5_9","article-title":"On Linear Communication Complexity for (Maximally) Fluid\n MPC","volume":"14081","author":"Alexander Bienstock","year":"2023"},{"key":"ref34:david2023perfect","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"360","DOI":"10.1007\/978-3-031-38557-5_12","article-title":"Perfect MPC over Layered Graphs","volume":"14081","author":"Bernardo David","year":"2023"},{"key":"ref35:wigderson1988completeness","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/62212.62213","article-title":"Completeness Theorems for Non-Cryptographic Fault-Tolerant\n Distributed Computation (Extended Abstract)","author":"Michael Ben-Or","year":"1988"},{"key":"ref36:garg2011bringing","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"311","DOI":"10.1007\/978-3-642-19571-6_19","article-title":"Bringing People of Different Beliefs Together to Do UC","volume":"6597","author":"Sanjam Garg","year":"2011"},{"key":"ref37:groth2014cryptography","doi-asserted-by":"publisher","first-page":"506","DOI":"10.1007\/S00145-013-9152-Y","article-title":"Cryptography in the Multi-string Model","volume":"27","author":"Jens Groth","year":"2014","journal-title":"J. Cryptol."},{"key":"ref38:bellare1993random","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1145\/168588.168596","article-title":"Random Oracles are Practical: A Paradigm for Designing\n Efficient Protocols","author":"Mihir Bellare","year":"1993"},{"key":"ref39:katz2007universally","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"115","DOI":"10.1007\/978-3-540-72540-4_7","article-title":"Universally Composable Multi-party Computation Using\n Tamper-Proof Hardware","volume":"4515","author":"Jonathan Katz","year":"2007"},{"key":"ref40:singh2021grades","first-page":"82","article-title":"Grades of Trust in Multiparty Computation","author":"Jaskaran V. Singh","year":"2021","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref41:garg2023cryptography","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"295","DOI":"10.1007\/978-3-031-38557-5_10","article-title":"Cryptography with Weights: MPC, Encryption and Signatures","volume":"14081","author":"Sanjam Garg","year":"2023"},{"key":"ref42:asharov2012multiparty","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"483","DOI":"10.1007\/978-3-642-29011-4_29","article-title":"Multiparty Computation with Low Communication, Computation\n and Interaction via Threshold FHE","volume":"7237","author":"Gilad Asharov","year":"2012"},{"key":"ref43:cheon2021mpc","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"426","DOI":"10.1007\/978-3-030-84245-1_15","article-title":"MHz2k: MPC from HE over\n $\\mathbb {Z}_{2k}$ with\n New Packing, Simpler Reshare, and Better ZKP","volume":"12826","author":"Jung Hee Cheon","year":"2021"},{"key":"ref44:ananth2020multikey","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"28","DOI":"10.1007\/978-3-030-64375-1_2","article-title":"Multi-key Fully-Homomorphic Encryption in the Plain Model","volume":"12550","author":"Prabhanjan Ananth","year":"2020"},{"key":"ref45:lindell2017simulate","doi-asserted-by":"publisher","first-page":"277","DOI":"10.1007\/978-3-319-57048-8_6","article-title":"How to Simulate It - A Tutorial on the Simulation Proof\n Technique","author":"Yehuda Lindell","year":"2017"},{"key":"ref46:anirudh2021survey","doi-asserted-by":"publisher","DOI":"10.1145\/3512344","article-title":"A Survey on Perfectly Secure Verifiable Secret-sharing","volume":"54","author":"Anirudh Chandramouli","year":"2022","journal-title":"ACM Comput. Surv."},{"key":"ref47:katz2020introduction","isbn-type":"print","doi-asserted-by":"crossref","DOI":"10.1201\/b17668","volume-title":"Introduction to Modern Cryptography, Second Edition","author":"Jonathan Katz","year":"2014","ISBN":"https:\/\/id.crossref.org\/isbn\/9781466570269"},{"key":"ref48:micali1994proofs","doi-asserted-by":"publisher","first-page":"436","DOI":"10.1109\/SFCS.1994.365746","article-title":"CS Proofs (Extended Abstracts)","author":"Silvio Micali","year":"1994"},{"key":"ref49:bitansky2017hunting","doi-asserted-by":"publisher","first-page":"989","DOI":"10.1007\/S00145-016-9241-9","article-title":"The Hunting of the SNARK","volume":"30","author":"Nir Bitansky","year":"2017","journal-title":"J. Cryptol."},{"key":"ref50:kalai2019how","doi-asserted-by":"publisher","first-page":"1115","DOI":"10.1145\/3313276.3316411","article-title":"How to delegate computations publicly","author":"Yael Tauman Kalai","year":"2019"},{"key":"ref51:canetti2019fiat","doi-asserted-by":"publisher","first-page":"1082","DOI":"10.1145\/3313276.3316380","article-title":"Fiat-Shamir: from practice to theory","author":"Ran Canetti","year":"2019"},{"key":"ref52:jawale2021snargs","doi-asserted-by":"publisher","first-page":"708","DOI":"10.1145\/3406325.3451055","article-title":"SNARGs for bounded depth computations and PPAD hardness\n from sub-exponential LWE","author":"Ruta Jawale","year":"2021"},{"key":"ref53:choudhuri2021snargs","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1109\/FOCS52979.2021.00016","article-title":"SNARGs for\n $\\mathcal{P}$ from LWE","author":"Arka Rai Choudhuri","year":"2021"},{"key":"ref54:hulett2022snargs","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"520","DOI":"10.1007\/978-3-031-07085-3_18","article-title":"SNARGs for P from Sub-exponential DDH and QR","volume":"13276","author":"James Hulett","year":"2022"},{"volume-title":"A fully homomorphic encryption scheme","year":"2009","author":"Craig Gentry","key":"ref55:gentry2009fully"},{"key":"ref56:brakerski2014efficient","doi-asserted-by":"publisher","first-page":"831","DOI":"10.1137\/120868669","article-title":"Efficient Fully Homomorphic Encryption from (Standard)\n $\\mathsf{LWE}$","volume":"43","author":"Zvika Brakerski","year":"2014","journal-title":"SIAM J. Comput."}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:10:58Z","timestamp":1736788258000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/4\/5"}},"issued":{"date-parts":[[2025,1,13]]},"references-count":56,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,1,13]]}},"URL":"https:\/\/doi.org\/10.62056\/ab3wa0l5vt","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2025,1,13]]},"assertion":[{"value":"2024-07-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-3-109"},{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:05:07Z","timestamp":1753895107009,"version":"3.41.2"},"reference-count":19,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T00:00:00Z","timestamp":1720396800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,9,2]]},"abstract":" Vessels can be recognised by their navigation radar due to the characteristics of the emitted radar signal. This is particularly useful if one wants to build situational awareness without revealing one's own presence. Most countries maintain databases of radar fingerprints but will not readily share these due to national security regulations. Sharing of such information will generally require some form of information exchange agreement.<\/jats:p>\n However, all parties in a coalition benefit from correct identification. We use secure multiparty computation to match a radar signal measurement against secret databases and output plausible matches with their likelihoods. We also provide a demonstrator using MP-SPDZ. <\/jats:p>","DOI":"10.62056\/aywa0l5vt","type":"journal-article","created":{"date-parts":[[2024,10,7]],"date-time":"2024-10-07T15:13:33Z","timestamp":1728314013000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Matching radar signals and fingerprints with MPC"],"prefix":"10.62056","author":[{"given":"Benjamin","family":"Mortensen","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0098gnz32","id-type":"ROR","asserted-by":"publisher"}],"name":"Norwegian Defence Research Establishment (FFI)","place":["Norway"]},{"id":[{"id":"https:\/\/ror.org\/01xtthb56","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Oslo (UiO)","place":["Norway"]}]},{"given":"Mathias","family":"Nordal","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0098gnz32","id-type":"ROR","asserted-by":"publisher"}],"name":"Norwegian Defence Research Establishment (FFI)","place":["Norway"]},{"id":[{"id":"https:\/\/ror.org\/05xg72x27","id-type":"ROR","asserted-by":"publisher"}],"name":"Norwegian University of Science and Technology (NTNU)","place":["Norway"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4083-0768","authenticated-orcid":false,"given":"Martin","family":"Strand","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0098gnz32","id-type":"ROR","asserted-by":"publisher"}],"name":"Norwegian Defence Research Establishment (FFI)","place":["Norway"]}]}],"member":"48349","published-online":{"date-parts":[[2024,10,7]]},"reference":[{"key":"ref1:CDN2015","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781107337756","volume-title":"Secure Multiparty Computation and Secret Sharing","author":"Ronald Cramer","year":"2015","ISBN":"https:\/\/id.crossref.org\/isbn\/9781107043053"},{"volume-title":"Concrete: TFHE Compiler that converts python programs into\n FHE equivalent","year":"2022","author":"Zama","key":"ref2:Concrete"},{"key":"ref3:BCDGJK09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"325","DOI":"10.1007\/978-3-642-03549-4_20","article-title":"Secure Multiparty Computation Goes Live","volume":"5628","author":"Peter Bogetoft","year":"2009"},{"key":"ref4:rogers2022vaultdb","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2203.00146","article-title":"VaultDB: A Real-World Pilot of Secure Multi-Party\n Computation within a Clinical Research Network","volume":"abs\/2203.00146","author":"Jennie Rogers","year":"2022","journal-title":"CoRR"},{"key":"ref5:FOCS:Yao86","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1109\/SFCS.1986.25","article-title":"How to Generate and Exchange Secrets (Extended Abstract)","author":"Andrew Chi-Chih Yao","year":"1986"},{"key":"ref6:STOC:GolMicWig87","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1145\/28395.28420","article-title":"How to Play any Mental Game or A Completeness Theorem for\n Protocols with Honest Majority","author":"Oded Goldreich","year":"1987"},{"key":"ref7:Lindell21","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1145\/3387108","article-title":"Secure multiparty computation","volume":"64","author":"Yehuda Lindell","year":"2021","journal-title":"Commun. ACM"},{"key":"ref8:Shamir79doi","doi-asserted-by":"publisher","first-page":"612","DOI":"10.1145\/359168.359176","article-title":"How to Share a Secret","volume":"22","author":"Adi Shamir","year":"1979","journal-title":"Commun. ACM"},{"key":"ref9:C:Beaver91b","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"420","DOI":"10.1007\/3-540-46766-1_34","article-title":"Efficient Multiparty Protocols Using Circuit Randomization","volume":"576","author":"Donald Beaver","year":"1992"},{"key":"ref10:CCS:KelOrsSch16","doi-asserted-by":"publisher","first-page":"830","DOI":"10.1145\/2976749.2978357","article-title":"MASCOT: Faster Malicious Arithmetic Secure Computation\n with Oblivious Transfer","author":"Marcel Keller","year":"2016"},{"key":"ref11:CCS:Keller20","doi-asserted-by":"publisher","first-page":"1575","DOI":"10.1145\/3372297.3417872","article-title":"MP-SPDZ: A Versatile Framework for Multi-Party\n Computation","author":"Marcel Keller","year":"2020"},{"key":"ref12:Batcher68","series-title":"AFIPS Conference Proceedings","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1145\/1468075.1468121","article-title":"Sorting Networks and Their Applications","volume":"32","author":"Kenneth E. Batcher","year":"1968"},{"key":"ref13:C:DPSZ12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"643","DOI":"10.1007\/978-3-642-32009-5_38","article-title":"Multiparty Computation from Somewhat Homomorphic\n Encryption","volume":"7417","author":"Ivan Damg\u00e5rd","year":"2012"},{"key":"ref14:ESORICS:DKLPSS13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-40203-6_1","article-title":"Practical Covertly Secure MPC for Dishonest Majority - Or:\n Breaking the SPDZ Limits","volume":"8134","author":"Ivan Damg\u00e5rd","year":"2013"},{"key":"ref15:EC:KelPasRot18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-319-78372-7_6","article-title":"Overdrive: Making SPDZ Great Again","volume":"10822","author":"Marcel Keller","year":"2018"},{"key":"ref16:cholesky1924note","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/BF03031308","article-title":"Note sur une m\u00e9thode de r\u00e9solution des \u00e9quations\n normales provenant de l\u2019application de la m\u00e9thode des moindres\n carr\u00e9sa un syteme d\u2019\u00e9quations lin\u00e9aires en nombre\n inf\u00e9rieura celui des inconnues (Published six years after\n Cholesky\u2019s death by Benoit)","volume":"2","author":"Andr\u00e9-Louis Cholesky","year":"1924","journal-title":"Bull. G\u00e9od\u00e9sique"},{"volume-title":"Oblivious Radix Sort: An Efficient Sorting Algorithm for\n Practical Secure Multi-party Computation","year":"2014","author":"Koki Hamada","key":"ref17:EPRINT:HICT14"},{"key":"ref18:Zhang11a","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"240","DOI":"10.1007\/978-3-642-24316-5_17","article-title":"Generic Constant-Round Oblivious Sorting Algorithm for\n MPC","volume":"6980","author":"Bingsheng Zhang","year":"2011"},{"volume-title":"Secure Multi-Party Sorting and Applications","year":"2011","author":"Kristj\u00e1n Valur J\u00f3nsson","key":"ref19:EPRINT:JonKreUdd11"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:28:25Z","timestamp":1733866105000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/3\/24"}},"issued":{"date-parts":[[2024,10,7]]},"references-count":19,"URL":"https:\/\/doi.org\/10.62056\/aywa0l5vt","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,10,7]]},"assertion":[{"value":"2024-07-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-3-76"},{"indexed":{"date-parts":[[2025,12,6]],"date-time":"2025-12-06T04:49:21Z","timestamp":1764996561000,"version":"3.41.2"},"reference-count":128,"publisher":"International Association for Cryptologic Research","license":[{"start":{"date-parts":[[2024,1,9]],"date-time":"2024-01-09T00:00:00Z","timestamp":1704758400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,6,4]]},"abstract":"Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency vs. security tradeoff of masked implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium\u00a0B outperform most competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers\u00a0(LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a higher rate per cycle for the same or lower cost as Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. Circumventing these problems, and enabling an independent analysis of randomness generation and masking, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating \n \n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as \n \n 20<\/mml:mn>\n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> to \n \n 30<\/mml:mn>\n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> ASIC gate equivalents\u00a0(GE) or \n \n 3<\/mml:mn>\n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> to \n \n 4<\/mml:mn>\n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> FPGA look-up tables\u00a0(LUTs), where \n \n n<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math> is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable. This provides further motivation to potentially move low randomness usage from a primary to a secondary design goal in hardware masking research. <\/jats:p>","DOI":"10.62056\/akdkp2fgx","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T15:52:04Z","timestamp":1720453924000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":8,"title":["Randomness Generation for Secure Hardware Masking \u2013 Unrolled Trivium to the Rescue"],"prefix":"10.62056","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5426-9345","authenticated-orcid":false,"given":"Ga\u00ebtan","family":"Cassiers","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"Crypto Group, ICTEAM Institute, UCLouvain","place":["Louvain-la-Neuve, 1348, Belgium"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2978-4067","authenticated-orcid":false,"given":"Lo\u00efc","family":"Masure","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/013yean28","id-type":"ROR","asserted-by":"publisher"}],"name":"Universit\u00e9 de Montpellier, LIRMM, CNRS","place":["Montpellier, 34090, France"]}]},{"given":"Charles","family":"Momin","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"Crypto Group, ICTEAM Institute, UCLouvain","place":["Louvain-la-Neuve, 1348, Belgium"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3809-9803","authenticated-orcid":false,"given":"Thorben","family":"Moos","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"Crypto Group, ICTEAM Institute, UCLouvain","place":["Louvain-la-Neuve, 1348, Belgium"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4032-7433","authenticated-orcid":false,"given":"Amir","family":"Moradi","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05n911h24","id-type":"ROR","asserted-by":"publisher"}],"name":"TU Darmstadt","place":["Darmstadt, 64293, Germany"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7444-0285","authenticated-orcid":false,"given":"Fran\u00e7ois-Xavier","family":"Standaert","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"Crypto Group, ICTEAM Institute, UCLouvain","place":["Louvain-la-Neuve, 1348, Belgium"]}]}],"member":"48349","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"key":"ref1:DBLP:conf\/crypto\/KocherJJ99","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"388","DOI":"10.1007\/3-540-48405-1_25","article-title":"Differential Power Analysis","volume-title":"Advances in Cryptology - CRYPTO '99, 19th Annual\n International Cryptology Conference, Santa Barbara, California, USA, August\n 15-19, 1999, Proceedings","volume":"1666","author":"Paul C. Kocher","year":"1999"},{"key":"ref2:DBLP:conf\/crypto\/ChariJRR99","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"398","DOI":"10.1007\/3-540-48405-1_26","article-title":"Towards Sound Approaches to Counteract Power-Analysis\n Attacks","volume-title":"Advances in Cryptology - CRYPTO '99, 19th Annual\n International Cryptology Conference, Santa Barbara, California, USA, August\n 15-19, 1999, Proceedings","volume":"1666","author":"Suresh Chari","year":"1999"},{"key":"ref3:DBLP:conf\/eurocrypt\/ProuffR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1007\/978-3-642-38348-9_9","article-title":"Masking against Side-Channel Attacks: A Formal Security\n Proof","volume-title":"Advances in Cryptology - EUROCRYPT 2013, 32nd Annual\n International Conference on the Theory and Applications of Cryptographic\n Techniques, Athens, Greece, May 26-30, 2013. Proceedings","volume":"7881","author":"Emmanuel Prouff","year":"2013"},{"key":"ref4:DBLP:conf\/eurocrypt\/DucDF14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-642-55220-5_24","article-title":"Unifying Leakage Models: From Probing Attacks to Noisy\n Leakage","volume-title":"Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual\n International Conference on the Theory and Applications of Cryptographic\n Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings","volume":"8441","author":"Alexandre Duc","year":"2014"},{"key":"ref5:DBLP:conf\/eurocrypt\/DucFS15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"401","DOI":"10.1007\/978-3-662-46800-5_16","article-title":"Making Masking Security Proofs Concrete - Or How to Evaluate\n the Security of Any Leaking Device","volume-title":"Advances in Cryptology - EUROCRYPT 2015 - 34th Annual\n International Conference on the Theory and Applications of Cryptographic\n Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I","volume":"9056","author":"Alexandre Duc","year":"2015"},{"key":"ref6:DBLP:conf\/crypto\/IshaiSW03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1007\/978-3-540-45146-4_27","article-title":"Private Circuits: Securing Hardware against Probing\n Attacks","volume-title":"Advances in Cryptology - CRYPTO 2003, 23rd Annual\n International Cryptology Conference, Santa Barbara, California, USA, August\n 17-21, 2003, Proceedings","volume":"2729","author":"Yuval Ishai","year":"2003"},{"key":"ref7:DBLP:conf\/ctrsa\/MangardPG05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"351","DOI":"10.1007\/978-3-540-30574-3_24","article-title":"Side-Channel Leakage of Masked CMOS Gates","volume-title":"Topics in Cryptology - CT-RSA 2005, The Cryptographers'\n Track at the RSA Conference 2005, San Francisco, CA, USA, February 14-18,\n 2005, Proceedings","volume":"3376","author":"Stefan Mangard","year":"2005"},{"key":"ref8:DBLP:conf\/cosade\/CoronGPRRV12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1007\/978-3-642-29912-4_6","article-title":"Conversion of Security Proofs from One Leakage Model to\n Another: A New Issue","volume-title":"Constructive Side-Channel Analysis and Secure Design - Third\n International Workshop, COSADE 2012, Darmstadt, Germany, May 3-4, 2012.\n Proceedings","volume":"7275","author":"Jean-S\u00e9bastien Coron","year":"2012"},{"key":"ref9:DBLP:conf\/cosade\/CnuddeBGNNR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-319-64647-3_1","article-title":"Does Coupling Affect the Security of Masked\n Implementations?","volume-title":"Constructive Side-Channel Analysis and Secure Design - 8th\n International Workshop, COSADE 2017, Paris, France, April 13-14, 2017,\n Revised Selected Papers","volume":"10348","author":"Thomas De Cnudde","year":"2017"},{"key":"ref10:DBLP:conf\/icics\/NikovaRR06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"529","DOI":"10.1007\/11935308_38","article-title":"Threshold Implementations Against Side-Channel Attacks and\n Glitches","volume-title":"Information and Communications Security, 8th International\n Conference, ICICS 2006, Raleigh, NC, USA, December 4-7, 2006, Proceedings","volume":"4307","author":"Svetla Nikova","year":"2006"},{"key":"ref11:DBLP:conf\/icisc\/NikovaRS08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1007\/978-3-642-00730-9_14","article-title":"Secure Hardware Implementation of Non-linear Functions in\n the Presence of Glitches","volume-title":"Information Security and Cryptology - ICISC 2008, 11th\n International Conference, Seoul, Korea, December 3-5, 2008, Revised Selected\n Papers","volume":"5461","author":"Svetla Nikova","year":"2008"},{"key":"ref12:DBLP:conf\/crypto\/ReparazBNGV15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"764","DOI":"10.1007\/978-3-662-47989-6_37","article-title":"Consolidating Masking Schemes","volume-title":"Advances in Cryptology - CRYPTO 2015 - 35th Annual\n Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015,\n Proceedings, Part I","volume":"9215","author":"Oscar Reparaz","year":"2015"},{"key":"ref13:DBLP:conf\/ccs\/GrossMK16","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1145\/2996366.2996426","article-title":"Domain-Oriented Masking: Compact Masked Hardware\n Implementations with Arbitrary Protection Order","volume-title":"Proceedings of the ACM Workshop on Theory of\n Implementation Security, TIS@CCS 2016 Vienna, Austria, October, 2016","author":"Hannes Gro\u00df","year":"2016"},{"key":"ref14:DBLP:conf\/ctrsa\/GrossMK17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1007\/978-3-319-52153-4_6","article-title":"An Efficient Side-Channel Protected AES Implementation\n with Arbitrary Protection Order","volume-title":"Topics in Cryptology - CT-RSA 2017 - The Cryptographers'\n Track at the RSA Conference 2017, San Francisco, CA, USA, February 14-17,\n 2017, Proceedings","volume":"10159","author":"Hannes Gro\u00df","year":"2017"},{"key":"ref15:DBLP:conf\/ches\/GrossM17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"115","DOI":"10.1007\/978-3-319-66787-4_6","article-title":"Reconciling d+1 Masking in Hardware and Software","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2017 -\n 19th International Conference, Taipei, Taiwan, September 25-28, 2017,\n Proceedings","volume":"10529","author":"Hannes Gro\u00df","year":"2017"},{"key":"ref16:DBLP:conf\/asiacrypt\/BilginGNNR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"326","DOI":"10.1007\/978-3-662-45608-8_18","article-title":"Higher-Order Threshold Implementations","volume-title":"Advances in Cryptology - ASIACRYPT 2014 - 20th\n International Conference on the Theory and Application of Cryptology and\n Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014,\n Proceedings, Part II","volume":"8874","author":"Beg\u00fcl Bilgin","year":"2014"},{"key":"ref17:DBLP:journals\/iacr\/Reparaz15","first-page":"1","article-title":"A note on the security of Higher-Order Threshold\n Implementations","author":"Oscar Reparaz","year":"2015","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref18:DBLP:conf\/ccs\/BartheBDFGSZ16","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1145\/2976749.2978427","article-title":"Strong Non-Interference and Type-Directed Higher-Order\n Masking","volume-title":"Proceedings of the 2016 ACM SIGSAC Conference on\n Computer and Communications Security, Vienna, Austria, October 24-28, 2016","author":"Gilles Barthe","year":"2016"},{"key":"ref19:DBLP:journals\/tches\/FaustGPPS18","doi-asserted-by":"publisher","first-page":"89","DOI":"10.13154\/tches.v2018.i3.89-120","article-title":"Composable Masking Schemes in the Presence of Physical\n Defaults & the Robust Probing Model","volume":"2018","author":"Sebastian Faust","year":"2018","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref20:DBLP:journals\/tches\/MoosMSS19","doi-asserted-by":"publisher","first-page":"256","DOI":"10.13154\/tches.v2019.i2.256-292","article-title":"Glitch-Resistant Masking Revisited or Why Proofs in the\n Robust Probing Model are Needed","volume":"2019","author":"Thorben Moos","year":"2019","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref21:DBLP:journals\/tifs\/CassiersS20","doi-asserted-by":"publisher","first-page":"2542","DOI":"10.1109\/TIFS.2020.2971153","article-title":"Trivially and Efficiently Composing Masked Gadgets With\n Probe Isolating Non-Interference","volume":"15","author":"Ga\u00ebtan Cassiers","year":"2020","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref22:DBLP:journals\/tc\/CassiersGLS21","doi-asserted-by":"publisher","first-page":"1677","DOI":"10.1109\/TC.2020.3022979","article-title":"Hardware Private Circuits: From Trivial Composition to Full\n Verification","volume":"70","author":"Ga\u00ebtan Cassiers","year":"2021","journal-title":"IEEE Trans. Computers"},{"key":"ref23:DBLP:conf\/ccs\/Knichel022","doi-asserted-by":"publisher","first-page":"1799","DOI":"10.1145\/3548606.3559362","article-title":"Low-Latency Hardware Private Circuits","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on\n Computer and Communications Security, CCS 2022, Los Angeles, CA, USA,\n November 7-11, 2022","author":"David Knichel","year":"2022"},{"key":"ref24:DBLP:journals\/tches\/KnichelM22","doi-asserted-by":"publisher","first-page":"114","DOI":"10.46586\/tches.v2022.i3.114-140","article-title":"Composable Gadgets with Reused Fresh Masks First-Order\n Probing-Secure Hardware Circuits with only 6 Fresh Masks","volume":"2022","author":"David Knichel","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref25:DBLP:conf\/asiacrypt\/KnichelS020","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"787","DOI":"10.1007\/978-3-030-64837-4_26","article-title":"SILVER - Statistical Independence and Leakage\n Verification","volume-title":"Advances in Cryptology - ASIACRYPT 2020 - 26th\n International Conference on the Theory and Application of Cryptology and\n Information Security, Daejeon, South Korea, December 7-11, 2020, Proceedings,\n Part I","volume":"12491","author":"David Knichel","year":"2020"},{"key":"ref26:DBLP:journals\/tches\/KnichelMMS22","doi-asserted-by":"publisher","first-page":"589","DOI":"10.46586\/tches.v2022.i1.589-629","article-title":"Automated Generation of Masked Hardware","volume":"2022","author":"David Knichel","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref27:DBLP:journals\/tches\/CassiersS21","doi-asserted-by":"publisher","first-page":"136","DOI":"10.46586\/TCHES.V2021.I2.136-158","article-title":"Provably Secure Hardware Masking in the Transition- and\n Glitch-Robust Probing Model: Better Safe than Sorry","volume":"2021","author":"Ga\u00ebtan Cassiers","year":"2021","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref28:DBLP:journals\/tches\/KnichelSM22","doi-asserted-by":"publisher","first-page":"323","DOI":"10.46586\/tches.v2022.i1.323-344","article-title":"Generic Hardware Private Circuits Towards Automated\n Generation of Composable Secure Gadgets","volume":"2022","author":"David Knichel","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref29:DBLP:conf\/cosade\/MominCS22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/978-3-030-99766-3_12","article-title":"Handcrafting: Improving Automated Masking in Hardware with\n Manual Optimizations","volume-title":"Constructive Side-Channel Analysis and Secure Design - 13th\n International Workshop, COSADE 2022, Leuven, Belgium, April 11-12, 2022,\n Proceedings","volume":"13211","author":"Charles Momin","year":"2022"},{"key":"ref30:DBLP:conf\/eurocrypt\/BelaidBPPTV16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"616","DOI":"10.1007\/978-3-662-49896-5_22","article-title":"Randomness Complexity of Private Circuits for\n Multiplication","volume-title":"Advances in Cryptology - EUROCRYPT 2016 - 35th Annual\n International Conference on the Theory and Applications of Cryptographic\n Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II","volume":"9666","author":"Sonia Bela\u00efd","year":"2016"},{"key":"ref31:DBLP:conf\/indocrypt\/JouxD06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"436","DOI":"10.1007\/11941378_31","article-title":"Galois LFSR, Embedded Devices and Side Channel Weaknesses","volume-title":"Progress in Cryptology - INDOCRYPT 2006, 7th International\n Conference on Cryptology in India, Kolkata, India, December 11-13, 2006,\n Proceedings","volume":"4329","author":"Antoine Joux","year":"2006"},{"key":"ref32:DBLP:conf\/indocrypt\/BurmanMV07","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/978-3-540-77026-8_30","article-title":"LFSR Based Stream Ciphers Are Vulnerable to Power\n Attacks","volume-title":"Progress in Cryptology - INDOCRYPT 2007, 8th International\n Conference on Cryptology in India, Chennai, India, December 9-13, 2007,\n Proceedings","volume":"4859","author":"Sanjay Burman","year":"2007"},{"key":"ref33:DBLP:conf\/space\/ChakrabortyMM14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1007\/978-3-319-12060-7_2","article-title":"Fibonacci LFSR vs. Galois LFSR: Which is More Vulnerable\n to Power Attacks?","volume-title":"Security, Privacy, and Applied Cryptography Engineering -\n 4th International Conference, SPACE 2014, Pune, India, October 18-22, 2014.\n Proceedings","volume":"8804","author":"Abhishek Chakraborty","year":"2014"},{"key":"ref34:DBLP:conf\/secrypt\/MeranehCBM022","doi-asserted-by":"publisher","first-page":"25","DOI":"10.5220\/0011135300003283","article-title":"Blind Side Channel on the Elephant LFSR","volume-title":"Proceedings of the 19th International Conference on Security\n and Cryptography, SECRYPT 2022, Lisbon, Portugal, July 11-13, 2022","author":"Awaleh Houssein Meraneh","year":"2022"},{"key":"ref35:NIST_Statistical_Test_Suite","article-title":"A Statistical Test Suite for Random and Pseudorandom Number\n Generators for Cryptographic Applications - Rev. 1a","author":"Lawrence E. Bassham","year":"2010","journal-title":"NIST Special Publication (SP) 800-22"},{"key":"ref36:DBLP:conf\/ches\/GrossoSF13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"400","DOI":"10.1007\/978-3-642-40349-1_23","article-title":"Masking vs. Multiparty Computation: How Large Is the Gap for\n AES?","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2013 -\n 15th International Workshop, Santa Barbara, CA, USA, August 20-23, 2013.\n Proceedings","volume":"8086","author":"Vincent Grosso","year":"2013"},{"key":"ref37:DBLP:conf\/cardis\/GrossoSP13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-319-08302-5_3","article-title":"Low Entropy Masking Schemes, Revisited","volume-title":"Smart Card Research and Advanced Applications - 12th\n International Conference, CARDIS 2013, Berlin, Germany, November 27-29,\n 2013. Revised Selected Papers","volume":"8419","author":"Vincent Grosso","year":"2013"},{"key":"ref38:DBLP:conf\/cardis\/YeE13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1007\/978-3-319-08302-5_4","article-title":"On the Vulnerability of Low Entropy Masking Schemes","volume-title":"Smart Card Research and Advanced Applications - 12th\n International Conference, CARDIS 2013, Berlin, Germany, November 27-29,\n 2013. Revised Selected Papers","volume":"8419","author":"Xin Ye","year":"2013"},{"key":"ref39:DBLP:books\/daglib\/0023872","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04101-3","article-title":"Understanding Cryptography - A Textbook for Students and\n Practitioners","author":"Christof Paar","year":"2010","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642041006"},{"key":"ref40:DBLP:conf\/africacrypt\/BilginGNNR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1007\/978-3-319-06734-6_17","article-title":"A More Efficient AES Threshold Implementation","volume-title":"Progress in Cryptology - AFRICACRYPT 2014 - 7th\n International Conference on Cryptology in Africa, Marrakesh, Morocco, May\n 28-30, 2014. Proceedings","volume":"8469","author":"Beg\u00fcl Bilgin","year":"2014"},{"key":"ref41:DBLP:journals\/tc\/UenoHMMMNBMGD20","doi-asserted-by":"publisher","first-page":"534","DOI":"10.1109\/TC.2019.2957355","article-title":"High Throughput\/Gate AES Hardware Architectures Based on\n Datapath Compression","volume":"69","author":"Rei Ueno","year":"2020","journal-title":"IEEE Trans. Computers"},{"key":"ref42:DBLP:conf\/ches\/CnuddeRBNNR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"194","DOI":"10.1007\/978-3-662-53140-2_10","article-title":"Masking AES with d+1 Shares in Hardware","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2016 -\n 18th International Conference, Santa Barbara, CA, USA, August 17-19, 2016,\n Proceedings","volume":"9813","author":"Thomas De Cnudde","year":"2016"},{"key":"ref43:DBLP:conf\/asiacrypt\/BorghoffCGKKKLNPRRTY12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"208","DOI":"10.1007\/978-3-642-34961-4_14","article-title":"PRINCE - A Low-Latency Block Cipher for Pervasive\n Computing Applications - Extended Abstract","volume-title":"Advances in Cryptology - ASIACRYPT 2012 - 18th\n International Conference on the Theory and Application of Cryptology and\n Information Security, Beijing, China, December 2-6, 2012. Proceedings","volume":"7658","author":"Julia Borghoff","year":"2012"},{"key":"ref44:DBLP:journals\/tches\/SasdrichBHM20","doi-asserted-by":"publisher","first-page":"300","DOI":"10.13154\/tches.v2020.i2.300-326","article-title":"Low-Latency Hardware Masking with Application to AES","volume":"2020","author":"Pascal Sasdrich","year":"2020","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref45:DBLP:conf\/ches\/BertoniDPA10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-642-15031-9_3","article-title":"Sponge-Based Pseudo-Random Number Generators","volume-title":"Cryptographic Hardware and Embedded Systems, CHES 2010,\n 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010.\n Proceedings","volume":"6225","author":"Guido Bertoni","year":"2010"},{"key":"ref46:DBLP:conf\/eurocrypt\/BertoniDPA13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1007\/978-3-642-38348-9_19","article-title":"Keccak","volume-title":"Advances in Cryptology - EUROCRYPT 2013, 32nd Annual\n International Conference on the Theory and Applications of Cryptographic\n Techniques, Athens, Greece, May 26-30, 2013. Proceedings","volume":"7881","author":"Guido Bertoni","year":"2013"},{"key":"ref47:DBLP:conf\/rfidsec\/KavunY10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"258","DOI":"10.1007\/978-3-642-16822-2_20","article-title":"A Lightweight Implementation of Keccak Hash Function for\n Radio-Frequency Identification Applications","volume-title":"Radio Frequency Identification: Security and Privacy Issues\n - 6th International Workshop, RFIDSec 2010, Istanbul, Turkey, June 8-9, 2010,\n Revised Selected Papers","volume":"6370","author":"Elif Bilge Kavun","year":"2010"},{"key":"ref48:DBLP:journals\/tches\/Meyer0W18","doi-asserted-by":"publisher","first-page":"596","DOI":"10.13154\/tches.v2018.i3.596-626","article-title":"Spin Me Right Round Rotational Symmetry for FPGA-Specific\n AES","volume":"2018","author":"Lauren De Meyer","year":"2018","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref49:DBLP:journals\/tches\/Moos19","doi-asserted-by":"publisher","first-page":"202","DOI":"10.13154\/tches.v2019.i3.202-232","article-title":"Static Power SCA of Sub-100 nm CMOS ASICs and the\n Insecurity of Masking Schemes in Low-Noise Environments","volume":"2019","author":"Thorben Moos","year":"2019","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref50:DBLP:journals\/tches\/ShahmirzadiM21a","doi-asserted-by":"publisher","first-page":"708","DOI":"10.46586\/tches.v2021.i3.708-755","article-title":"Second-Order SCA Security with almost no Fresh\n Randomness","volume":"2021","author":"Aein Rezaei Shahmirzadi","year":"2021","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref51:DBLP:conf\/cardis\/Picek0RVWCM16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-319-54669-8_13","article-title":"PRNGs for Masking Applications and Their Mapping to\n Evolvable Hardware","volume-title":"Smart Card Research and Advanced Applications - 15th\n International Conference, CARDIS 2016, Cannes, France, November 7-9, 2016,\n Revised Selected Papers","volume":"10146","author":"Stjepan Picek","year":"2016"},{"key":"ref52:DBLP:journals\/tches\/MeyerRB18","doi-asserted-by":"publisher","first-page":"431","DOI":"10.13154\/tches.v2018.i3.431-468","article-title":"Multiplicative Masking for AES in Hardware","volume":"2018","author":"Lauren De Meyer","year":"2018","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref53:DBLP:journals\/tches\/0001RGMV18","doi-asserted-by":"publisher","first-page":"267","DOI":"10.13154\/tches.v2018.i3.267-292","article-title":"ES-TRNG: A High-throughput, Low-area True Random Number\n Generator based on Edge Sampling","volume":"2018","author":"Bohan Yang","year":"2018","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"article-title":"Lightweight Cryptography","year":"2017","author":"National Institute of Standards","key":"ref54:NISTLWC"},{"article-title":"eSTREAM: the ECRYPT Stream Cipher Project","year":"2004","author":"European Network of Excellence in Cryptology (ECRYPT)","key":"ref55:ESTREAM"},{"key":"ref56:DBLP:journals\/tosc\/DaemenMMR20","doi-asserted-by":"publisher","first-page":"262","DOI":"10.13154\/tosc.v2020.iS1.262-294","article-title":"The Subterranean 2.0 Cipher Suite","volume":"2020","author":"Joan Daemen","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref57:DBLP:journals\/iacr\/AagaardZ21","first-page":"49","article-title":"ASIC Benchmarking of Round 2 Candidates in the NIST\n Lightweight Cryptography Standardization Process: (Preliminary Results)","author":"Mark D. Aagaard","year":"2021","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref58:DBLP:conf\/ches\/BernsteinKLMMN017","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"299","DOI":"10.1007\/978-3-319-66787-4_15","article-title":"Gimli : A Cross-Platform Permutation","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2017 -\n 19th International Conference, Taipei, Taiwan, September 25-28, 2017,\n Proceedings","volume":"10529","author":"Daniel J. Bernstein","year":"2017"},{"key":"ref59:DBLP:journals\/tches\/LeanderMMR21","doi-asserted-by":"publisher","first-page":"510","DOI":"10.46586\/tches.v2021.i4.510-545","article-title":"The SPEEDY Family of Block Ciphers Engineering an Ultra\n Low-Latency Cipher from Gate Level for Secure Processor Architectures","volume":"2021","author":"Gregor Leander","year":"2021","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref60:DBLP:conf\/isw\/Canniere06","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1007\/11836810_13","article-title":"Trivium: A Stream Cipher Construction Inspired by Block\n Cipher Design Principles","volume-title":"Information Security, 9th International Conference, ISC\n 2006, Samos Island, Greece, August 30 - September 2, 2006, Proceedings","volume":"4176","author":"Christophe De Canni\u00e8re","year":"2006"},{"key":"ref61:DBLP:series\/lncs\/CanniereP08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"244","DOI":"10.1007\/978-3-540-68351-3_18","article-title":"Trivium","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Christophe De Canni\u00e8re","year":"2008"},{"key":"ref62:raddum2006cryptanalytic","article-title":"Cryptanalytic results on Trivium","author":"Havard Raddum","year":"2006","journal-title":"eSTREAM, ECRYPT Stream Cipher Project, Report 2006\/039"},{"key":"ref63:DBLP:conf\/fse\/CanteautCFLNPS16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1007\/978-3-662-52993-5_16","article-title":"Stream Ciphers: A Practical Solution for Efficient\n Homomorphic-Ciphertext Compression","volume-title":"Fast Software Encryption - 23rd International Conference,\n FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers","volume":"9783","author":"Anne Canteaut","year":"2016"},{"key":"ref64:DBLP:journals\/ijwmc\/HellJM07","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1504\/IJWMC.2007.013798","article-title":"Grain: a stream cipher for constrained environments","volume":"2","author":"Martin Hell","year":"2007","journal-title":"Int. J. Wirel. Mob. Comput."},{"key":"ref65:DBLP:conf\/isit\/Hell0MM06","doi-asserted-by":"publisher","first-page":"1614","DOI":"10.1109\/ISIT.2006.261549","article-title":"A Stream Cipher Proposal: Grain-128","volume-title":"Proceedings 2006 IEEE International Symposium on\n Information Theory, ISIT 2006, The Westin Seattle, Seattle, Washington,\n USA, July 9-14, 2006","author":"Martin Hell","year":"2006"},{"key":"ref66:DBLP:series\/lncs\/BabbageD08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-540-68351-3_15","article-title":"The MICKEY Stream Ciphers","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Steve Babbage","year":"2008"},{"key":"ref67:DBLP:series\/lncs\/GoodB08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1007\/978-3-540-68351-3_19","article-title":"ASIC Hardware Performance","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Tim Good","year":"2008"},{"article-title":"Hardware Evaluation of Estream Candidates","year":"2006","author":"Frank K. G\u00fcrkaynak","key":"ref68:Grkaynak2006HardwareEO"},{"article-title":"FPGA Implementations of eSTREAM Phase-2 Focus Candidates\n with Hardware Profile","year":"2007","author":"Philippe Bulens","key":"ref69:Bulens2007FPGAIO"},{"article-title":"Comparison of hardware performance of selected Phase II\n eSTREAM candidates","year":"2007","author":"Kris Gaj","key":"ref70:Gaj2007ComparisonOH"},{"article-title":"Hardware evaluation of eSTREAM Candidates: Grain, Lex,\n Mickey128, Salsa20 and Trivium","year":"2007","author":"Marcin Rogawski","key":"ref71:Rogawski2007HardwareEO"},{"article-title":"Comparison of FPGA-Targeted Hardware Implementations of\n eSTREAM Stream Cipher Candidates","year":"2008","author":"David Hwang","key":"ref72:Hwang2008ComparisonOF"},{"key":"ref73:DBLP:journals\/mam\/KitsosSPS13","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1016\/j.micpro.2012.09.007","article-title":"FPGA-based performance analysis of stream ciphers ZUC,\n Snow3g, Grain V1, Mickey V2, Trivium and E0","volume":"37","author":"Paris Kitsos","year":"2013","journal-title":"Microprocess. Microsystems"},{"key":"ref74:DBLP:journals\/mam\/LiLL20","doi-asserted-by":"publisher","first-page":"103210","DOI":"10.1016\/j.micpro.2020.103210","article-title":"FPGA implementations of Grain v1, Mickey 2.0, Trivium,\n Lizard and Plantlet","volume":"78","author":"Bohan Li","year":"2020","journal-title":"Microprocess. Microsystems"},{"key":"ref75:DBLP:conf\/crypto\/TodoIMAZ18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-319-96881-0_5","article-title":"Fast Correlation Attack Revisited - Cryptanalysis on Full\n Grain-128a, Grain-128, and Grain-v1","volume-title":"Advances in Cryptology - CRYPTO 2018 - 38th Annual\n International Cryptology Conference, Santa Barbara, CA, USA, August 19-23,\n 2018, Proceedings, Part II","volume":"10992","author":"Yosuke Todo","year":"2018"},{"key":"ref76:DBLP:journals\/jce\/MedwedS11","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1007\/S13389-011-0014-Y","article-title":"Extractors against side-channel attacks: weak or strong?","volume":"1","author":"Marcel Medwed","year":"2011","journal-title":"J. Cryptogr. Eng."},{"key":"ref77:DBLP:reference\/crypt\/Canteaut11c","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1007\/978-1-4419-5906-5_339","article-title":"Correlation Attack for Stream Ciphers","volume-title":"Encyclopedia of Cryptography and Security, 2nd Ed","author":"Anne Canteaut","year":"2011"},{"key":"ref78:DBLP:conf\/ches\/BattistelloCPZ16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/978-3-662-53140-2_2","article-title":"Horizontal Side-Channel Attacks and Countermeasures on the\n ISW Masking Scheme","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2016 -\n 18th International Conference, Santa Barbara, CA, USA, August 17-19, 2016,\n Proceedings","volume":"9813","author":"Alberto Battistello","year":"2016"},{"key":"ref79:DBLP:conf\/ches\/FischerD02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"415","DOI":"10.1007\/3-540-36400-5_30","article-title":"True Random Number Generator Embedded in Reconfigurable\n Hardware","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2002,\n 4th International Workshop, Redwood Shores, CA, USA, August 13-15, 2002,\n Revised Papers","volume":"2523","author":"Viktor Fischer","year":"2002"},{"key":"ref80:DBLP:conf\/ches\/FischerL14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"527","DOI":"10.1007\/978-3-662-44709-3_29","article-title":"Embedded Evaluation of Randomness in Oscillator Based\n Elementary TRNG","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2014 -\n 16th International Workshop, Busan, South Korea, September 23-26, 2014.\n Proceedings","volume":"8731","author":"Viktor Fischer","year":"2014"},{"key":"ref81:DBLP:conf\/fpl\/PeturaMBFB16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/FPL.2016.7577379","article-title":"A survey of AIS-20\/31 compliant TRNG cores suitable for\n FPGA devices","volume-title":"26th International Conference on Field Programmable Logic\n and Applications, FPL 2016, Lausanne, Switzerland, August 29 - September 2,\n 2016","author":"Oto Petura","year":"2016"},{"key":"ref82:DBLP:conf\/focs\/BlumM82","doi-asserted-by":"publisher","first-page":"112","DOI":"10.1109\/SFCS.1982.72","article-title":"How to Generate Cryptographically Strong Sequences of Pseudo\n Random Bits","volume-title":"23rd Annual Symposium on Foundations of Computer Science,\n Chicago, Illinois, USA, 3-5 November 1982","author":"Manuel Blum","year":"1982"},{"key":"ref83:DBLP:conf\/ccs\/YuSPY10","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1145\/1866307.1866324","article-title":"Practical leakage-resilient pseudorandom generators","volume-title":"Proceedings of the 17th ACM Conference on Computer and\n Communications Security, CCS 2010, Chicago, Illinois, USA, October 4-8,\n 2010","author":"Yu Yu","year":"2010"},{"key":"ref84:DBLP:series\/isc\/StandaertPYQYO10","series-title":"Information Security and Cryptography","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1007\/978-3-642-14452-3_5","article-title":"Leakage Resilient Cryptography in Practice","volume-title":"Towards Hardware-Intrinsic Security - Foundations and\n Practice","author":"Fran\u00e7ois-Xavier Standaert","year":"2010"},{"key":"ref85:DBLP:conf\/crypto\/BelliziaBCGGMPP20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"369","DOI":"10.1007\/978-3-030-56784-2_13","article-title":"Mode-Level vs. Implementation-Level Physical Security in\n Symmetric Cryptography - A Practical Guide Through the Leakage-Resistance\n Jungle","volume-title":"Advances in Cryptology - CRYPTO 2020 - 40th Annual\n International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA,\n August 17-21, 2020, Proceedings, Part I","volume":"12170","author":"Davide Bellizia","year":"2020"},{"key":"ref86:DBLP:conf\/sacrypt\/MaximovB07","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/978-3-540-77360-3_3","article-title":"Two Trivial Attacks on Trivium","volume-title":"Selected Areas in Cryptography, 14th International Workshop,\n SAC 2007, Ottawa, Canada, August 16-17, 2007, Revised Selected Papers","volume":"4876","author":"Alexander Maximov","year":"2007"},{"key":"ref87:DBLP:conf\/africacrypt\/HuangL11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1007\/978-3-642-21969-6_5","article-title":"Attacking Bivium and Trivium with the Characteristic Set\n Method","volume-title":"Progress in Cryptology - AFRICACRYPT 2011 - 4th\n International Conference on Cryptology in Africa, Dakar, Senegal, July 5-7,\n 2011. Proceedings","volume":"6737","author":"Zhenyu Huang","year":"2011"},{"key":"ref88:DBLP:conf\/space\/ShahapureSD19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/978-3-030-35869-3_5","article-title":"Internal State Recovery Attack on Stream Ciphers: Breaking\n BIVIUM","volume-title":"Security, Privacy, and Applied Cryptography Engineering -\n 9th International Conference, SPACE 2019, Gandhinagar, India, December 3-7,\n 2019, Proceedings","volume":"11947","author":"Shravani Shahapure","year":"2019"},{"key":"ref89:DBLP:journals\/tosc\/BanikMAIMBWR18","doi-asserted-by":"publisher","first-page":"1","DOI":"10.13154\/TOSC.V2018.I2.1-19","article-title":"Towards Low Energy Stream Ciphers","volume":"2018","author":"Subhadeep Banik","year":"2018","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref90:DBLP:journals\/sncs\/LeviBS22","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1007\/s42979-022-01219-5","article-title":"Tight-ES-TRNG: Improved Construction and Robustness\n Analysis","volume":"3","author":"Itamar Levi","year":"2022","journal-title":"SN Comput. Sci."},{"key":"ref91:DBLP:conf\/async\/CherkaouiFAF13","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1109\/ASYNC.2013.15","article-title":"A Self-Timed Ring Based True Random Number Generator","volume-title":"19th IEEE International Symposium on Asynchronous Circuits\n and Systems, ASYNC 2013, Santa Monica, CA, USA, May 19-22, 2013","author":"Abdelkarim Cherkaoui","year":"2013"},{"key":"ref92:DBLP:conf\/ches\/CherkaouiFFA13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/978-3-642-40349-1_11","article-title":"A Very High Speed True Random Number Generator with Entropy\n Assessment","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2013 -\n 15th International Workshop, Santa Barbara, CA, USA, August 20-23, 2013.\n Proceedings","volume":"8086","author":"Abdelkarim Cherkaoui","year":"2013"},{"key":"ref93:DBLP:conf\/crypto\/DziembowskiFHJM16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"272","DOI":"10.1007\/978-3-662-53008-5_10","article-title":"Towards Sound Fresh Re-keying with Hard (Physical) Learning\n Problems","volume-title":"Advances in Cryptology - CRYPTO 2016 - 36th Annual\n International Cryptology Conference, Santa Barbara, CA, USA, August 14-18,\n 2016, Proceedings, Part II","volume":"9815","author":"Stefan Dziembowski","year":"2016"},{"article-title":"A pedagogical implementation of A5\/1","year":"1998","author":"Marc Briceno","key":"ref94:A511998"},{"key":"ref95:DBLP:books\/daglib\/0078909","isbn-type":"print","volume-title":"Applied cryptography - protocols, algorithms, and source\n code in C, 2nd Edition","author":"Bruce Schneier","year":"1996","ISBN":"https:\/\/id.crossref.org\/isbn\/9780471117094"},{"key":"ref96:E02001","article-title":"Specification of the Bluetooth System - Version 1.1"},{"key":"ref97:DBLP:conf\/indocrypt\/BihamD00","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"43","DOI":"10.1007\/3-540-44495-5_5","article-title":"Cryptanalysis of the A5\/1 GSM Stream Cipher","volume-title":"Progress in Cryptology - INDOCRYPT 2000, First\n International Conference in Cryptology in India, Calcutta, India, December\n 10-13, 2000, Proceedings","volume":"1977","author":"Eli Biham","year":"2000"},{"key":"ref98:SNOW3G2006","article-title":"Specification of the 3GPP Confidentiality and Integrity\n Algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification"},{"article-title":"Phelix: Fast Encryption and Authentication in a Single\n Cryptographic Primitive","year":"2005","author":"Doug Whiting","key":"ref99:Phelix2005"},{"key":"ref100:DBLP:series\/lncs\/Biryukov08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"48","DOI":"10.1007\/978-3-540-68351-3_5","article-title":"Design of a New Stream Cipher-LEX","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Alex Biryukov","year":"2008"},{"article-title":"The Achterbahn Stream Cipher","year":"2005","author":"Berndt M. Gammel","key":"ref101:Achterbahn2005"},{"article-title":"The self-synchronizing stream cipher Mosquito: eSTREAM\n documentation, version 2","year":"2005","author":"Joan Daemen","key":"ref102:MOSQUITO2005"},{"article-title":"SFINKS: A Synchronous Stream Cipher for Restricted Hardware\n Environments","year":"2005","author":"An Braeken","key":"ref103:SFINKS2005"},{"article-title":"VEST - Hardware-Dedicated Stream Ciphers","year":"2005","author":"Sean O'Neil","key":"ref104:VEST2005"},{"article-title":"ZK-Crypt - a Compact Stream Cipher and more","year":"2005","author":"Carmi Gressel","key":"ref105:ZK-Crypt2005"},{"key":"ref106:DBLP:series\/lncs\/BerbainBCCDGGGGLMPS08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"140","DOI":"10.1007\/978-3-540-68351-3_11","article-title":"Decimv2","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"C\u00f4me Berbain","year":"2008"},{"key":"ref107:DBLP:series\/lncs\/GligoroskiMK08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"152","DOI":"10.1007\/978-3-540-68351-3_12","article-title":"The Stream Cipher Edon80","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Danilo Gligoroski","year":"2008"},{"key":"ref108:DBLP:series\/lncs\/ArnaultBL08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"170","DOI":"10.1007\/978-3-540-68351-3_13","article-title":"F-FCSR Stream Ciphers","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Fran\u00e7ois Arnault","year":"2008"},{"key":"ref109:DBLP:series\/lncs\/DaemenK08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1007\/978-3-540-68351-3_16","article-title":"The Self-synchronizing Stream Cipher Moustique","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Joan Daemen","year":"2008"},{"key":"ref110:DBLP:series\/lncs\/JansenHK08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1007\/978-3-540-68351-3_17","article-title":"Cascade Jump Controlled Sequence Generator and Pomaranch\n Stream Cipher","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Cees J. A. Jansen","year":"2008"},{"key":"ref111:DBLP:series\/lncs\/Bernstein08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1007\/978-3-540-68351-3_8","article-title":"The Salsa20 Family of Stream Ciphers","volume-title":"New Stream Cipher Designs - The eSTREAM Finalists","volume":"4986","author":"Daniel J. Bernstein","year":"2008"},{"key":"ref112:ZUC2011","article-title":"Specification of the 3GPP Confidentiality and Integrity\n Algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC Specification"},{"key":"ref113:DBLP:journals\/tosc\/MikhalevAM16","doi-asserted-by":"publisher","first-page":"52","DOI":"10.13154\/tosc.v2016.i2.52-79","article-title":"On Ciphers that Continuously Access the Non-Volatile Key","volume":"2016","author":"Vasily Mikhalev","year":"2016","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref114:DBLP:journals\/tosc\/HamannKM17","doi-asserted-by":"publisher","first-page":"45","DOI":"10.13154\/tosc.v2017.i1.45-79","article-title":"LIZARD - A Lightweight Stream Cipher for\n Power-constrained Devices","volume":"2017","author":"Matthias Hamann","year":"2017","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref115:DBLP:conf\/acns\/BanikCM23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/978-3-031-33488-7_7","article-title":"Near Collision Attack Against Grain V1","volume-title":"Applied Cryptography and Network Security - 21st\n International Conference, ACNS 2023, Kyoto, Japan, June 19-22, 2023,\n Proceedings, Part I","volume":"13905","author":"Subhadeep Banik","year":"2023"},{"article-title":"Susceptibility of eSTREAM Candidates towards Side Channel\n Analysis","year":"2008","author":"Benedikt Gierlichs","key":"ref116:Gierlichs2008SusceptibilityOE"},{"key":"ref117:DBLP:reference\/crypt\/Canteaut11e","doi-asserted-by":"publisher","first-page":"458","DOI":"10.1007\/978-1-4419-5906-5_349","article-title":"Filter Generator","volume-title":"Encyclopedia of Cryptography and Security, 2nd Ed","author":"Anne Canteaut","year":"2011"},{"key":"ref118:DBLP:reference\/crypt\/Canteaut11b","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/978-1-4419-5906-5_338","article-title":"Combination Generator","volume-title":"Encyclopedia of Cryptography and Security, 2nd Ed","author":"Anne Canteaut","year":"2011"},{"key":"ref119:DBLP:reference\/crypt\/Fontaine11","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-1-4419-5906-5_337","article-title":"Clock-Controlled Generator","volume-title":"Encyclopedia of Cryptography and Security, 2nd Ed","author":"Caroline Fontaine","year":"2011"},{"key":"ref120:DBLP:reference\/crypt\/Fontaine11h","doi-asserted-by":"publisher","first-page":"1197","DOI":"10.1007\/978-1-4419-5906-5_373","article-title":"Shrinking Generator","volume-title":"Encyclopedia of Cryptography and Security, 2nd Ed","author":"Caroline Fontaine","year":"2011"},{"key":"ref121:ascon","article-title":"Status Update on Ascon v1. 2","author":"Christoph Dobraunig","year":"2020","journal-title":"Submission to the NIST LWC competition"},{"article-title":"Efficient Shift Registers, LFSR Counters, and\n Long-Pseudo-Random Generators","year":"1996","author":"P Alfke","key":"ref122:lfsr"},{"key":"ref123:DBLP:journals\/tches\/MullerM22","doi-asserted-by":"publisher","first-page":"311","DOI":"10.46586\/tches.v2022.i4.311-348","article-title":"PROLEAD A Probing-Based Hardware Leakage Detection\n Tool","volume":"2022","author":"Nicolai M\u00fcller","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref124:DBLP:conf\/ches\/SchneiderM15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"495","DOI":"10.1007\/978-3-662-48324-4_25","article-title":"Leakage Assessment Methodology - A Clear Roadmap for\n Side-Channel Evaluations","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2015 -\n 17th International Workshop, Saint-Malo, France, September 13-16, 2015,\n Proceedings","volume":"9293","author":"Tobias Schneider","year":"2015"},{"key":"ref125:DBLP:journals\/tches\/KumarDBSJBB22","doi-asserted-by":"publisher","first-page":"166","DOI":"10.46586\/tches.v2022.i2.166-191","article-title":"Side Channel Attack On Stream Ciphers: A Three-Step\n Approach To State\/Key Recovery","volume":"2022","author":"Satyam Kumar","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref126:DBLP:conf\/ches\/RenauldSV09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1007\/978-3-642-04138-9_8","article-title":"Algebraic Side-Channel Attacks on the AES: Why Time also\n Matters in DPA","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2009,\n 11th International Workshop, Lausanne, Switzerland, September 6-9, 2009,\n Proceedings","volume":"5747","author":"Mathieu Renauld","year":"2009"},{"key":"ref127:DBLP:conf\/ches\/BelaidCFGKP15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1007\/978-3-662-48324-4_20","article-title":"Improved Side-Channel Analysis of Finite-Field\n Multiplication","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2015 -\n 17th International Workshop, Saint-Malo, France, September 13-16, 2015,\n Proceedings","volume":"9293","author":"Sonia Bela\u00efd","year":"2015"},{"key":"ref128:DBLP:conf\/asiacrypt\/BelaidFG14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-662-45608-8_17","article-title":"Side-Channel Analysis of Multiplications in GF(2128) -\n Application to AES-GCM","volume-title":"Advances in Cryptology - ASIACRYPT 2014 - 20th\n International Conference on the Theory and Application of Cryptology and\n Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014,\n Proceedings, Part II","volume":"8874","author":"Sonia Bela\u00efd","year":"2014"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2024,12,10]],"date-time":"2024-12-10T21:26:52Z","timestamp":1733866012000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/2\/4"}},"issued":{"date-parts":[[2024,7,8]]},"references-count":128,"URL":"https:\/\/doi.org\/10.62056\/akdkp2fgx","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"2024-01-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-04","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-1-93"},{"indexed":{"date-parts":[[2025,12,7]],"date-time":"2025-12-07T13:10:46Z","timestamp":1765113046999,"version":"3.41.2"},"reference-count":25,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T00:00:00Z","timestamp":1736726400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":"A Bloom filter is a probabilistic data structure designed to provide a compact representation of a set S of elements from a large universe U. The trade-off for this succinctness is allowing some errors. The Bloom filter efficiently answers membership queries: given any query x, if x is in S, it must answer \u2019Yes\u2019; if x is not in S, it should answer \u2019Yes\u2019 only with a small probability (at most \u03b5).<\/jats:p>\n Traditionally, the error probability of the Bloom filter is analyzed under the assumption that the query is independent of its internal randomness. However, Naor and Yogev (Crypto 2015) focused on the behavior of this data structure in adversarial settings; where the adversary may choose the queries adaptively. One particular challenge in this direction is to define rigorously the robustness of Bloom filters in this model.<\/jats:p>\n In this work, we continue investigating the definitions of success of the adaptive adversary. Specifically, we focus on two notions proposed by Naor and Oved (TCC 2022) and examine the relationships between them. In particular, we highlight the notion of Bet-or-Pass as being stronger than others, such as Monotone-Test Resilience. <\/jats:p>","DOI":"10.62056\/a3txom2hd","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":1,"title":["Adversarially Robust Bloom Filters: Monotonicity and Betting"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-6251-5650","authenticated-orcid":false,"given":"Chen","family":"Lotan","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0316ej306","id-type":"ROR","asserted-by":"publisher"}],"name":"Weizmann Institute of Science","place":["Rehovot, Israel"],"department":["Department of Computer Science and Applied Mathematics"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3381-0221","authenticated-orcid":false,"given":"Moni","family":"Naor","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0316ej306","id-type":"ROR","asserted-by":"publisher"}],"name":"Weizmann Institute of Science","place":["Rehovot, Israel"],"department":["Department of Computer Science and Applied Mathematics"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:DBLP:journals\/im\/BroderM03","doi-asserted-by":"publisher","first-page":"485","DOI":"10.1080\/15427951.2004.10129096","article-title":"Survey: Network Applications of Bloom Filters: A Survey","volume":"1","author":"Andrei Z. Broder","year":"2003","journal-title":"Internet Math."},{"key":"ref2:DBLP:journals\/comsur\/TarkomaRL12","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1109\/SURV.2011.031611.00024","article-title":"Theory and Practice of Bloom Filters for Distributed\n Systems","volume":"14","author":"Sasu Tarkoma","year":"2012","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"ref3:NAYAK2021108232","doi-asserted-by":"publisher","first-page":"108232","DOI":"10.1016\/j.comnet.2021.108232","article-title":"A survey on the roles of Bloom Filter in implementation of\n the Named Data Networking","volume":"196","author":"Sabuzima Nayak","year":"2021","journal-title":"Computer Networks","ISSN":"https:\/\/id.crossref.org\/issn\/1389-1286","issn-type":"electronic"},{"key":"ref4:Bloom70","doi-asserted-by":"publisher","first-page":"422","DOI":"10.1145\/362686.362692","article-title":"Space\/Time Trade-offs in Hash Coding with Allowable Errors","volume":"13","author":"Burton H. Bloom","year":"1970","journal-title":"Commun. ACM"},{"key":"ref5:DBLP:conf\/crypto\/NaorY15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"565","DOI":"10.1007\/978-3-662-48000-7_28","article-title":"Bloom Filters in Adversarial Environments","volume":"9216","author":"Moni Naor","year":"2015"},{"key":"ref6:DBLP:conf\/tcc\/NaorO22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"777","DOI":"10.1007\/978-3-031-22365-5_27","article-title":"Bet-or-Pass: Adversarially Robust Bloom Filters","volume":"13748","author":"Moni Naor","year":"2022"},{"key":"ref7:kalai2005threshold","series-title":"Santa Fe Institute Studies in the Sciences of Complexity","first-page":"25","article-title":"Threshold Phenomena and Influence: Perspectives from\n Mathematics, Computer Science, and Economics","author":"Gil Kalai","year":"2006"},{"key":"ref8:DBLP:books\/daglib\/0012859","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511813603","volume-title":"Probability and Computing: Randomized Algorithms and\n Probabilistic Analysis","author":"Michael Mitzenmacher","year":"2005","ISBN":"https:\/\/id.crossref.org\/isbn\/9780521835404"},{"key":"ref9:DBLP:conf\/stoc\/CarterFGMW78","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1145\/800133.804332","article-title":"Exact and Approximate Membership Testers","author":"Larry Carter","year":"1978"},{"key":"ref10:DBLP:conf\/innovations\/BoyleLV19","series-title":"LIPIcs","doi-asserted-by":"publisher","DOI":"10.4230\/LIPICS.ITCS.2019.16","article-title":"Adversarially Robust Property-Preserving Hash Functions","volume":"124","author":"Elette Boyle","year":"2019"},{"key":"ref11:DBLP:books\/cu\/Goldreich2001","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511546891","volume-title":"The Foundations of Cryptography - Volume 1: Basic\n Techniques","author":"Oded Goldreich","year":"2001","ISBN":"https:\/\/id.crossref.org\/isbn\/0521791723"},{"key":"ref12:DBLP:journals\/jal\/PaghR04","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1016\/J.JALGOR.2003.12.002","article-title":"Cuckoo hashing","volume":"51","author":"Rasmus Pagh","year":"2004","journal-title":"J. Algorithms"},{"key":"ref13:DBLP:reference\/algo\/Pagh08","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-30162-4_97","article-title":"Cuckoo Hashing","author":"Rasmus Pagh","year":"2008"},{"key":"ref14:DBLP:conf\/stoc\/DietzfelbingerW03","doi-asserted-by":"publisher","first-page":"629","DOI":"10.1145\/780542.780634","article-title":"Almost random graphs with simple hash functions","author":"Martin Dietzfelbinger","year":"2003"},{"key":"ref15:DBLP:journals\/joc\/BermanHKN19","doi-asserted-by":"publisher","first-page":"361","DOI":"10.1007\/S00145-018-9293-0","article-title":"Hardness-Preserving Reductions via Cuckoo Hashing","volume":"32","author":"Itay Berman","year":"2019","journal-title":"J. Cryptol."},{"key":"ref16:10.1145\/3319535.3354235","series-title":"CCS '19","isbn-type":"print","doi-asserted-by":"publisher","first-page":"1317","DOI":"10.1145\/3319535.3354235","article-title":"Probabilistic Data Structures in Adversarial Environments","author":"David Clayton","year":"2019","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450367479"},{"key":"ref17:DBLP:journals\/jacm\/Ben-EliezerJWY22","doi-asserted-by":"publisher","DOI":"10.1145\/3498334","article-title":"A Framework for Adversarially Robust Streaming Algorithms","volume":"69","author":"Omri Ben-Eliezer","year":"2022","journal-title":"J. ACM"},{"key":"ref18:DBLP:conf\/pods\/Ben-EliezerY20","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1145\/3375395.3387643","article-title":"The Adversarial Robustness of Sampling","author":"Omri Ben-Eliezer","year":"2020"},{"key":"ref19:DBLP:conf\/crypto\/KaplanMNS21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"94","DOI":"10.1007\/978-3-030-84252-9_4","article-title":"Separating Adaptive Streaming from Oblivious Streaming Using\n the Bounded Storage Model","volume":"12827","author":"Haim Kaplan","year":"2021"},{"key":"ref20:DBLP:conf\/stoc\/AlonBDMNY21","doi-asserted-by":"publisher","first-page":"447","DOI":"10.1145\/3406325.3451041","article-title":"Adversarial laws of large numbers and optimal regret in\n online classification","author":"Noga Alon","year":"2021"},{"key":"ref21:DBLP:journals\/iacr\/BishopT24","first-page":"754","article-title":"Adversary Resilient Learned Bloom Filters","author":"Allison Bishop","year":"2024","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref22:KraskaBCDP18","doi-asserted-by":"publisher","first-page":"489","DOI":"10.1145\/3183713.3196909","article-title":"The Case for Learned Index Structures","author":"Tim Kraska","year":"2018"},{"key":"ref23:DBLP:conf\/nips\/Mitzenmacher18","first-page":"462","article-title":"A Model for Learned Bloom Filters and Optimizing by\n Sandwiching","author":"Michael Mitzenmacher","year":"2018"},{"key":"ref24:10.1145\/3548606.3560621","series-title":"CCS '22","isbn-type":"print","doi-asserted-by":"publisher","first-page":"1037","DOI":"10.1145\/3548606.3560621","article-title":"Adversarial Correctness and Privacy for Probabilistic Data\n Structures","author":"Mia Filic","year":"2022","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450394505"},{"key":"ref25:8555104","doi-asserted-by":"publisher","first-page":"182","DOI":"10.1109\/FOCS.2018.00026","article-title":"Bloom Filters, Adaptivity, and the Dictionary Problem","author":"Michael A. Bender","year":"2018"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,6,9]],"date-time":"2025-06-09T23:36:08Z","timestamp":1749512168000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/24"}},"issued":{"date-parts":[[2025,4,8]]},"references-count":25,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/a3txom2hd","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2025-01-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-1-32"},{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T03:41:57Z","timestamp":1767930117307,"version":"3.49.0"},"reference-count":58,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,7,2]],"date-time":"2025-07-02T00:00:00Z","timestamp":1751414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000121","name":"National Science Foundation","doi-asserted-by":"publisher","award":["DMS-2411704"],"award-info":[{"award-number":["DMS-2411704"]}],"id":[{"id":"10.13039\/100000121","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,1]]},"abstract":"Fully Homomorphic Encryption (FHE) is a powerful tool for performing computations on encrypted data. The Cheon-Kim-Kim-Song (CKKS) scheme, an instantiation of approximate FHE, is particularly effective for privacy-preserving machine learning applications over real and complex numbers. Although CKKS offers clear efficiency advantages, confusion persists around accurately describing applications in FHE libraries and securely instantiating the scheme for these applications, particularly after the key recovery attacks by Li and Micciancio (EUROCRYPT'21) for the IND-CPA^D setting. There is presently a gap between the application-agnostic, generic definition of IND-CPA^D, and efficient, application-specific instantiation of CKKS in software libraries, which led to recent attacks by Guo et al. (USENIX Security'24).<\/jats:p>\n To close this gap, we introduce the notion of application-aware homomorphic encryption (AAHE) and devise related security definitions. This model corresponds more closely to how FHE schemes are implemented and used in practice, and provides a mechanism to identify and address potential vulnerabilities in popular libraries. We then propose an application specification language (ASL) and formulate guidelines for implementing the AAHE model to achieve IND-IND-CPA^D security for practical applications of CKKS. We present a proof-of-concept implementation of the ASL in the OpenFHE library showing how the attacks by Guo et al. can be countered. Moreover, we show that our new model and ASL can be used for the secure and efficient instantiation of exact FHE schemes and to counter the recent IND-IND-CPA^D attacks by Cheon et al. (CCS'24) and Checri et al. (CRYPTO'24).<\/jats:p>","DOI":"10.62056\/ayl83z10k","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Application-Aware Approximate Homomorphic Encryption"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5396-1241","authenticated-orcid":false,"given":"Andreea","family":"Alexandru","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/027qwc485","id-type":"ROR","asserted-by":"publisher"}],"name":"Duality Technologies","place":["USA"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7759-7368","authenticated-orcid":false,"given":"Ahmad","family":"Al Badawi","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/027qwc485","id-type":"ROR","asserted-by":"publisher"}],"name":"Duality Technologies","place":["USA"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3323-9985","authenticated-orcid":false,"given":"Daniele","family":"Micciancio","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0168r3w48","id-type":"ROR","asserted-by":"publisher"}],"name":"University of California, San Diego","place":["USA"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5566-3763","authenticated-orcid":false,"given":"Yuriy","family":"Polyakov","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/027qwc485","id-type":"ROR","asserted-by":"publisher"}],"name":"Duality Technologies","place":["USA"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:STOC:Gentry09","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1145\/1536414.1536440","article-title":"Fully homomorphic encryption using ideal lattices","author":"Craig Gentry","year":"2009"},{"key":"ref2:ITCS:BraGenVai12","doi-asserted-by":"publisher","first-page":"309","DOI":"10.1145\/2090236.2090262","article-title":"(Leveled) fully homomorphic encryption without\n bootstrapping","author":"Zvika Brakerski","year":"2012"},{"key":"ref3:C:Brakerski12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"868","DOI":"10.1007\/978-3-642-32009-5_50","article-title":"Fully Homomorphic Encryption without Modulus Switching from\n Classical GapSVP","volume":"7417","author":"Zvika Brakerski","year":"2012"},{"key":"ref4:EPRINT:FanVer12","volume-title":"Somewhat Practical Fully Homomorphic Encryption","author":"Junfeng Fan","year":"2012"},{"key":"ref5:EC:DucMic15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"617","DOI":"10.1007\/978-3-662-46800-5_24","article-title":"FHEW: Bootstrapping Homomorphic Encryption in Less Than a\n Second","volume":"9056","author":"L\u00e9o Ducas","year":"2015"},{"key":"ref6:AC:CGGI17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"377","DOI":"10.1007\/978-3-319-70694-8_14","article-title":"Faster Packed Homomorphic Operations and Efficient Circuit\n Bootstrapping for TFHE","volume":"10624","author":"Ilaria Chillotti","year":"2017"},{"key":"ref7:EC:LMKCDE23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/978-3-031-30620-4_8","article-title":"Efficient FHEW Bootstrapping with Small Evaluation Keys,\n and Applications to Threshold Homomorphic Encryption","volume":"14006","author":"Yongwoo Lee","year":"2023"},{"key":"ref8:AC:CKKS17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1007\/978-3-319-70694-8_15","article-title":"Homomorphic Encryption for Arithmetic of Approximate\n Numbers","volume":"10624","author":"Jung Hee Cheon","year":"2017"},{"key":"ref9:EC:LiMic21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"648","DOI":"10.1007\/978-3-030-77870-5_23","article-title":"On the Security of Homomorphic Encryption on Approximate\n Numbers","volume":"12696","author":"Baiyu Li","year":"2021"},{"key":"ref10:C:LMSS22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"560","DOI":"10.1007\/978-3-031-15802-5_20","article-title":"Securing Approximate Homomorphic Encryption Using\n Differential Privacy","volume":"13507","author":"Baiyu Li","year":"2022"},{"key":"ref11:seal","volume-title":"Microsoft SEAL v4.1","year":"2023"},{"key":"ref12:sealProceedings","isbn-type":"print","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-70278-0_1","article-title":"Simple Encrypted Arithmetic Library - SEAL v2.1","author":"Hao Chen","year":"2017","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319702780"},{"key":"ref13:openfhe","volume-title":"OpenFHE v1.2.3","year":"2024"},{"key":"ref14:cryptoeprint:2022\/915","doi-asserted-by":"publisher","DOI":"10.1145\/3560827.356337","volume-title":"OpenFHE: Open-Source Fully Homomorphic Encryption\n Library","author":"Ahmad Al Badawi","year":"2022"},{"key":"ref15:helib","volume-title":"HElib v2.3","year":"2023"},{"key":"ref16:C:HalSho14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"554","DOI":"10.1007\/978-3-662-44371-2_31","article-title":"Algorithms in HElib","volume":"8616","author":"Shai Halevi","year":"2014"},{"key":"ref17:EPRINT:CheHonKim20","volume-title":"Remark on the Security of CKKS Scheme in Practice","author":"Jung Hee Cheon","year":"2020"},{"key":"ref18:lattigo","volume-title":"Lattigo v5","year":"2023"},{"key":"ref19:mouchet2020lattigo","doi-asserted-by":"publisher","first-page":"64","DOI":"10.25835\/0072999","article-title":"Lattigo: A multiparty homomorphic encryption library in go","author":"Christian Vincent Mouchet","year":"2020"},{"key":"ref20:MP24CiC","doi-asserted-by":"publisher","DOI":"10.62056\/ay76c0kr","article-title":"A Central Limit Approach for Ring-LWE Noise Analysis","volume":"1","author":"Sean Murphy","year":"2024","journal-title":"IACR Communications in Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/3006-5496","issn-type":"electronic"},{"key":"ref21:SAC:CCHMOP23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"325","DOI":"10.1007\/978-3-031-53368-6_16","article-title":"On the Precision Loss in Approximate Homomorphic\n Encryption","volume":"14201","author":"Anamaria Costache","year":"2024"},{"key":"ref22:RSA:CosNurPla23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1007\/978-3-031-30872-7_2","article-title":"Optimisations and Tradeoffs for HElib","volume":"13871","author":"Anamaria Costache","year":"2023"},{"key":"ref23:USENIX:GNSJ24","article-title":"Key Recovery Attacks on Approximate Homomorphic Encryption\n with Non-Worst-Case Noise Flooding Countermeasures","author":"Qian Guo","year":"2024"},{"key":"ref24:folklore","author":"Flavio Bergamaschi","year":"2020"},{"key":"ref25:PQCRYPTO:DAnVerVer19","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1007\/978-3-030-25510-7_6","article-title":"The Impact of Error Dependencies on Ring\/Mod-LWE\/LWR\n Based Schemes","author":"Jan-Pieter D'Anvers","year":"2019"},{"key":"ref26:ICICS:MarFriSep20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"331","DOI":"10.1007\/978-3-030-61078-4_19","article-title":"The Influence of LWE\/RLWE Parameters on the Stochastic\n Dependence of Decryption Failures","volume":"11999","author":"Georg Maringer","year":"2020"},{"key":"ref27:C:CSBB24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-68382-4_1","article-title":"On the Practical $\\text{CPA}^{D}$ Security of \u201cexact\u201d and\n Threshold FHE Schemes and Libraries","volume":"14922","author":"Marina Checri","year":"2024"},{"key":"ref28:CCS:CCPSS24","doi-asserted-by":"publisher","first-page":"2505","DOI":"10.1145\/3658644.3690341","article-title":"Attacks Against the IND-CPA$^{\\text{D}}$ Security of\n Exact FHE Schemes","author":"Jung Hee Cheon","year":"2024"},{"key":"ref29:gentry2009phd","volume-title":"A fully homomorphic encryption scheme","author":"Craig Gentry","year":"2009"},{"key":"ref30:EC:DucSte16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"294","DOI":"10.1007\/978-3-662-49890-3_12","article-title":"Sanitization of FHE Ciphertexts","volume":"9665","author":"L\u00e9o Ducas","year":"2016"},{"key":"ref31:CiC:Kluczniak24","doi-asserted-by":"publisher","first-page":"33","DOI":"10.62056\/av11c3w9p","article-title":"Circuit Privacy for FHEW\/TFHE-Style Fully Homomorphic\n Encryption in Practice","volume":"1","author":"Kamil Kluczniak","year":"2024","journal-title":"CiC"},{"key":"ref32:CiC:KluSan25","doi-asserted-by":"publisher","first-page":"9","DOI":"10.62056\/a69qgyl7s","article-title":"On Circuit Private, Multikey and Threshold Approximate\n Homomorphic Encryption","volume":"2","author":"Kamil Kluczniak","year":"2025","journal-title":"CiC"},{"key":"ref33:C:BPMW16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1007\/978-3-662-53008-5_3","article-title":"FHE Circuit Privacy Almost for Free","volume":"9815","author":"Florian Bourse","year":"2016"},{"key":"ref34:EC:AJLTVW12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"483","DOI":"10.1007\/978-3-642-29011-4_29","article-title":"Multiparty Computation with Low Communication, Computation\n and Interaction via Threshold FHE","volume":"7237","author":"Gilad Asharov","year":"2012"},{"key":"ref35:knabenhansMS","volume-title":"Practical Integrity Protection for Private Computations","author":"Christian Knabenhans","year":"2022"},{"key":"ref36:TCC:AGHV22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1007\/978-3-031-22365-5_3","article-title":"Achievable CCA2 Relaxation for Homomorphic Encryption","volume":"13748","author":"Adi Akavia","year":"2022"},{"key":"ref37:viand2023verifiable","series-title":"WAHC '24","isbn-type":"print","doi-asserted-by":"publisher","first-page":"11","DOI":"10.1145\/3689945.3694806","article-title":"vFHE: Verifiable Fully Homomorphic Encryption","author":"Christian Knabenhans","year":"2024","ISBN":"https:\/\/id.crossref.org\/isbn\/9798400712418"},{"key":"ref38:EC:ManNgu24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-031-58723-8_3","article-title":"Fully Homomorphic Encryption Beyond IND-CCA1 Security:\n Integrity Through Verifiability","volume":"14652","author":"Mark Manulis","year":"2024"},{"key":"ref39:CiC:BCFPPR25","doi-asserted-by":"publisher","first-page":"20","DOI":"10.62056\/aee0iv7sf","article-title":"Relations Among New CCA Security Notions for Approximate\n FHE","volume":"2","author":"Chris Brzuska","year":"2025","journal-title":"CiC"},{"key":"ref40:EC:BJSW25","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/978-3-031-91101-9_7","article-title":"Drifting Towards Better Error Probabilities in Fully\n Homomorphic Encryption Schemes","volume":"15608","author":"Olivier Bernard","year":"2025"},{"key":"ref41:EC:MicWal18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-78381-9_1","article-title":"On the Bit Security of Cryptographic Primitives","volume":"10820","author":"Daniele Micciancio","year":"2018"},{"key":"ref42:TCC:MicSch24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1007\/978-3-031-78017-2_8","article-title":"Bit Security: Optimal Adversaries, Equivalence Results, and\n a Toolbox for Computational-Statistical Security Analysis","volume":"15365","author":"Daniele Micciancio","year":"2024"},{"key":"ref43:C:GenSahWat13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1007\/978-3-642-40041-4_5","article-title":"Homomorphic Encryption from Learning with Errors:\n Conceptually-Simpler, Asymptotically-Faster, Attribute-Based","volume":"8042","author":"Craig Gentry","year":"2013"},{"key":"ref44:CiC:Micciancio25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.62056\/ak5wl86bm","article-title":"Fully Composable Homomorphic Encryption","volume":"2","author":"Daniele Micciancio","year":"2025","journal-title":"CiC"},{"key":"ref45:RSA:KimPapPol22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"120","DOI":"10.1007\/978-3-030-95312-6_6","article-title":"Approximate Homomorphic Encryption with Reduced\n Approximation Error","volume":"13161","author":"Andrey Kim","year":"2022"},{"key":"ref46:openfhe-guidelines","volume-title":"CKKS Noise Flooding","year":"2024"},{"key":"ref47:EC:BMTH21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"587","DOI":"10.1007\/978-3-030-77870-5_21","article-title":"Efficient Bootstrapping for Approximate Homomorphic\n Encryption with Non-sparse Keys","volume":"12696","author":"Jean-Philippe Bossuat","year":"2021"},{"key":"ref48:helib-guidelines","volume-title":"Security of Approximate-Numbers Homomorphic Encrypt","year":"2024"},{"key":"ref49:10.1007\/978-3-030-21568-2_29","isbn-type":"print","doi-asserted-by":"publisher","first-page":"592","DOI":"10.1007\/978-3-030-21568-2_29","article-title":"Homomorphic Training of 30,000 Logistic Regression Models","author":"Flavio Bergamaschi","year":"2019","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030215675"},{"key":"ref50:poc","volume-title":"PoC AAHE ASL Implementation using OpenFHE v1.2.3","author":"Andreea Alexandru","year":"2025"},{"key":"ref51:AC:KimPolZuc21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"608","DOI":"10.1007\/978-3-030-92078-4_21","article-title":"Revisiting Homomorphic Encryption Schemes for Finite\n Fields","volume":"13092","author":"Andrey Kim","year":"2021"},{"key":"ref52:RSA:HalPolSho19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1007\/978-3-030-12612-4_5","article-title":"An Improved RNS Variant of the BFV Homomorphic\n Encryption Scheme","volume":"11405","author":"Shai Halevi","year":"2019"},{"key":"ref53:EPRINT:HalSho20","volume-title":"Design and implementation of HElib: a homomorphic\n encryption library","author":"Shai Halevi","year":"2020"},{"key":"ref54:HEIR","volume-title":"HEIR: Homomorphic Encryption Intermediate Representation","author":"HEIR Contributors","year":"2023"},{"key":"ref55:USENIX:FPSGW18","first-page":"657","article-title":"Practical Accountability of Secret Processes","author":"Jonathan Frankle","year":"2018"},{"key":"ref56:TFHE-rs","volume-title":"TFHE-rs: A Pure Rust Implementation of the TFHE Scheme for\n Boolean and Integer Arithmetics Over Encrypted Data","author":"Zama","year":"2022"},{"key":"ref57:TFHELib","volume-title":"TFHE: Fast Fully Homomorphic Encryption Library","author":"Ilaria Chillotti"},{"key":"ref58:openfhe-estimator","volume-title":"OpenFHE Lattice Estimator","year":"2024"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:41:19Z","timestamp":1767915679000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/3"}},"subtitle":["Configuring FHE for Practical Use"],"issued":{"date-parts":[[2026,1,8]]},"references-count":58,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/ayl83z10k","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-07-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-3-26"},{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T14:06:17Z","timestamp":1767967577316,"version":"3.49.0"},"reference-count":81,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,1,14]],"date-time":"2025-01-14T00:00:00Z","timestamp":1736812800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":"With the threat posed by quantum computers on the horizon, systems like Ethereum must transition to cryptographic primitives resistant to quantum attacks. One of the most critical of these primitives is the non-interactive multi-signature scheme used in Ethereum's proof-of-stake consensus, currently implemented with BLS signatures. This primitive enables validators to independently sign blocks, with their signatures then publicly aggregated into a compact aggregate signature.<\/jats:p>\n In this work, we introduce a family of hash-based signature schemes as post-quantum alternatives to BLS. We consider the folklore method of aggregating signatures via (hash-based) succinct arguments, and our work is focused on instantiating the underlying signature scheme. The proposed schemes are variants of the XMSS signature scheme, analyzed within a novel and unified framework. While being generic, this framework is designed to minimize security loss, facilitating efficient parameter selection. A key feature of our work is the avoidance of random oracles in the security proof. Instead, we define explicit standard model requirements for the underlying hash functions. This eliminates the paradox of simultaneously treating hash functions as random oracles and as explicit circuits for aggregation. Furthermore, this provides cryptanalysts with clearly defined targets for evaluating the security of hash functions. Finally, we provide recommendations for practical instantiations of hash functions and concrete parameter settings, supported by known and novel heuristic bounds on the standard model properties. <\/jats:p>","DOI":"10.62056\/aey7qjp10","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":6,"title":["Hash-Based Multi-Signatures for Post-Quantum Ethereum"],"prefix":"10.62056","volume":"2","author":[{"given":"Justin","family":"Drake","sequence":"first","affiliation":[{"name":"Ethereum Foundation","place":["Switzerland"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-0347-3378","authenticated-orcid":false,"given":"Dmitry","family":"Khovratovich","sequence":"additional","affiliation":[{"name":"Ethereum Foundation","place":["Switzerland"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8555-4891","authenticated-orcid":false,"given":"Mikhail","family":"Kudinov","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02c2kyt77","id-type":"ROR","asserted-by":"publisher"}],"name":"Eindhoven University of Technology","place":["Netherlands"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4620-7264","authenticated-orcid":false,"given":"Benedikt","family":"Wagner","sequence":"additional","affiliation":[{"name":"Ethereum Foundation","place":["Switzerland"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:EPRINT:DLLSSS17","volume-title":"CRYSTALS \u2013 Dilithium: Digital Signatures from Module\n Lattices","author":"L\u00e9o Ducas","year":"2017"},{"key":"ref2:NISTPQC-R3:CRYSTALS-DILITHIUM20","volume-title":"CRYSTALS-DILITHIUM","author":"Vadim Lyubashevsky","year":"2020"},{"key":"ref3:NISTPQC-R3:FALCON20","volume-title":"FALCON","author":"Thomas Prest","year":"2020"},{"key":"ref4:C:Stern93","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/3-540-48329-2_2","article-title":"A New Identification Scheme Based on Syndrome Decoding","volume":"773","author":"Jacques Stern","year":"1994"},{"key":"ref5:AC:CouFinSen01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1007\/3-540-45682-1_10","article-title":"How to Achieve a McEliece-Based Digital Signature Scheme","volume":"2248","author":"Nicolas Courtois","year":"2001"},{"key":"ref6:AC:DKLPW20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"64","DOI":"10.1007\/978-3-030-64837-4_3","article-title":"SQISign: Compact Post-quantum Signatures from Quaternions\n and Isogenies","volume":"12491","author":"Luca De Feo","year":"2020"},{"key":"ref7:EC:DLRW24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-58716-0_1","article-title":"SQIsignHD: New Dimensions in Cryptography","volume":"14651","author":"Pierrick Dartois","year":"2024"},{"key":"ref8:EC:SEMR24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-031-58716-0_3","article-title":"Apr\u00e8sSQI: Extra Fast Verification for SQIsign Using\n Extension-Field Signing","volume":"14651","author":"Maria Corte-Real Santos","year":"2024"},{"key":"ref9:SAC:Beullens21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/978-3-030-99277-4_17","article-title":"MAYO: Practical Post-quantum Signatures from\n Oil-and-Vinegar Maps","volume":"13203","author":"Ward Beullens","year":"2022"},{"key":"ref10:PQCRYPTO:BucDahHul11","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1007\/978-3-642-25405-5_8","article-title":"XMSS - A Practical Forward Secure Signature Scheme Based\n on Minimal Security Assumptions","author":"Johannes A. Buchmann","year":"2011"},{"key":"ref11:EC:BHHLNP15","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"368","DOI":"10.1007\/978-3-662-46800-5_15","article-title":"SPHINCS: Practical Stateless Hash-Based Signatures","volume":"9056","author":"Daniel J. Bernstein","year":"2015"},{"key":"ref12:CCS:BHKNRS19","doi-asserted-by":"publisher","first-page":"2129","DOI":"10.1145\/3319535.3363229","article-title":"The SPHINCS$^+$ Signature Framework","author":"Daniel J. Bernstein","year":"2019"},{"key":"ref13:TCC:ChiManSpo19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-030-36033-7_1","article-title":"Succinct Arguments in the Quantum Random Oracle Model","volume":"11892","author":"Alessandro Chiesa","year":"2019"},{"key":"ref14:EPRINT:HabLevPap24","volume-title":"Circle STARKs","author":"Ulrich Hab\u00f6ck","year":"2024"},{"key":"ref15:C:ZeiCheFis24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"138","DOI":"10.1007\/978-3-031-68403-6_5","article-title":"BaseFold: Efficient Field-Agnostic Polynomial Commitment\n Schemes from Foldable Codes","volume":"14929","author":"Hadas Zeilberger","year":"2024"},{"key":"ref16:C:ACFY24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"380","DOI":"10.1007\/978-3-031-68403-6_12","article-title":"STIR: Reed-Solomon Proximity Testing with Fewer Queries","volume":"14929","author":"Gal Arnon","year":"2024"},{"key":"ref17:merkle1979secrecy","volume-title":"Secrecy, authentication, and public key systems.","author":"Ralph Charles Merkle","year":"1979"},{"key":"ref18:PKC:GenRam06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/11745853_17","article-title":"Identity-Based Aggregate Signatures","volume":"3958","author":"Craig Gentry","year":"2006"},{"key":"ref19:CCS:FleSimZha22","doi-asserted-by":"publisher","first-page":"1109","DOI":"10.1145\/3548606.3560655","article-title":"Squirrel: Efficient Synchronized Multi-Signatures from\n Lattices","author":"Nils Fleischhacker","year":"2022"},{"key":"ref20:CCS:FHSZ23","doi-asserted-by":"publisher","first-page":"386","DOI":"10.1145\/3576915.3623219","article-title":"Chipmunk: Better Synchronized Multi-Signatures from\n Lattices","author":"Nils Fleischhacker","year":"2023"},{"key":"ref21:boneh2020graduate","volume-title":"A graduate course in applied cryptography","author":"Dan Boneh","year":"2020","journal-title":"Draft 0.5"},{"key":"ref22:zcypap","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1007\/978-3-031-38554-4_15","article-title":"Revisiting the Constant-Sum Winternitz One-Time Signature\n with Applications to SPHINCS+ and XMSS","volume":"14085","author":"Kaiyi Zhang","year":"2023"},{"key":"ref23:AC:HulKud22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-22972-5_1","article-title":"Recovering the Tight Security Proof of\n SPHINCS$^\\textrm{+}$","volume":"13794","author":"Andreas H\u00fclsing","year":"2022"},{"key":"ref24:SP:HKRY23","doi-asserted-by":"publisher","first-page":"1435","DOI":"10.1109\/SP46215.2023.10179381","article-title":"SPHINCS+C: Compressing SPHINCS+ With (Almost) No\n Cost","author":"Andreas H\u00fclsing","year":"2023"},{"key":"ref25:C:ACLMT22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"102","DOI":"10.1007\/978-3-031-15979-4_4","article-title":"Lattice-Based SNARKs: Publicly Verifiable, Preprocessing,\n and Recursively Composable - (Extended Abstract)","volume":"13508","author":"Martin R. Albrecht","year":"2022"},{"key":"ref26:STOC:GenPeiVai08","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1145\/1374376.1374407","article-title":"Trapdoors for hard lattices and new cryptographic\n constructions","author":"Craig Gentry","year":"2008"},{"key":"ref27:STOC:GenWic11","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1145\/1993636.1993651","article-title":"Separating succinct non-interactive arguments from all\n falsifiable assumptions","author":"Craig Gentry","year":"2011"},{"key":"ref28:watwu","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"433","DOI":"10.1007\/978-3-031-15979-4_15","article-title":"Batch Arguments for NP and More from Standard Bilinear\n Group Assumptions","volume":"13508","author":"Brent Waters","year":"2022"},{"key":"ref29:FOCS:DGKV22","doi-asserted-by":"publisher","first-page":"1057","DOI":"10.1109\/FOCS54457.2022.00103","article-title":"Rate-1 Non-Interactive Arguments for Batch-NP and\n Applications","author":"Lalita Devadas","year":"2022"},{"key":"ref30:C:BBKLP23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"252","DOI":"10.1007\/978-3-031-38545-2_9","article-title":"SNARGs for Monotone Policy Batch NP","volume":"14082","author":"Zvika Brakerski","year":"2023"},{"key":"ref31:EC:BCJP24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"168","DOI":"10.1007\/978-3-031-58737-5_7","article-title":"Monotone-Policy Aggregate Signatures","volume":"14654","author":"Maya Farber Brodsky","year":"2024"},{"key":"ref32:ASIACCS:KCLM22","doi-asserted-by":"publisher","first-page":"393","DOI":"10.1145\/3488932.3524128","article-title":"Aggregating and Thresholdizing Hash-based Signatures using\n STARKs","author":"Irakliy Khaburzaniya","year":"2022"},{"key":"ref33:nistspx","volume-title":"SPHINCS+","author":"Andreas H\u00fclsing","year":"2022"},{"key":"ref34:rfc8391","series-title":"Request for Comments","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8391","volume-title":"XMSS: eXtended Merkle Signature Scheme","author":"Andreas Huelsing","year":"2018"},{"key":"ref35:TCHES:BHRV21","doi-asserted-by":"publisher","first-page":"137","DOI":"10.46586\/tches.v2021.i1.137-168","article-title":"Rapidly Verifiable XMSS Signatures","volume":"2021","author":"Joppe W. Bos","year":"2021","journal-title":"IACR TCHES","ISSN":"https:\/\/id.crossref.org\/issn\/2569-2925","issn-type":"electronic"},{"key":"ref36:AFRICACRYPT:Hulsing13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"173","DOI":"10.1007\/978-3-642-38553-7_10","article-title":"W-OTS+ - Shorter Signatures for Hash-Based Signature\n Schemes","volume":"7918","author":"Andreas H\u00fclsing","year":"2013"},{"key":"ref37:Kudinov2021","doi-asserted-by":"publisher","first-page":"129","DOI":"10.4213\/mvk362","article-title":"Security analysis of the W-OTS$^+$ signature scheme:\n Updating security bounds","volume":"12","author":"Mikhail Aleksandrovich Kudinov","year":"2021","journal-title":"Matematicheskie Voprosy Kriptografii [Mathematical Aspects\n of Cryptography]","ISSN":"https:\/\/id.crossref.org\/issn\/2222-3193","issn-type":"electronic"},{"key":"ref38:AFRICACRYPT:BDEHR11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1007\/978-3-642-21969-6_23","article-title":"On the Security of the Winternitz One-Time Signature\n Scheme","volume":"6737","author":"Johannes Buchmann","year":"2011"},{"key":"ref39:cryptoeprint:2024\/1553","volume-title":"STARK-based Signatures from the RPO Permutation","author":"Shahla Atapoor","year":"2024"},{"key":"ref40:C:FiaSha86","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/3-540-47721-7_12","article-title":"How to Prove Yourself: Practical Solutions to\n Identification and Signature Problems","volume":"263","author":"Amos Fiat","year":"1987"},{"key":"ref41:NISTPQC-ADD-R1:FAEST23","volume-title":"FAEST","author":"Carsten Baum","year":"2023"},{"key":"ref42:NISTPQC-ADD-R1:Biscuit23","volume-title":"Biscuit","author":"Luk Bettale","year":"2023"},{"key":"ref43:boneh2020one","volume-title":"One-time and interactive aggregate signatures from\n lattices","volume":"4","author":"Dan Boneh","year":"2020","journal-title":"preprint"},{"key":"ref44:TCC:LyuMic08","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1007\/978-3-540-78524-8_3","article-title":"Asymptotically Efficient Lattice-Based Digital Signatures","volume":"4948","author":"Vadim Lyubashevsky","year":"2008"},{"key":"ref45:EPRINT:DHSS20","volume-title":"MMSAT: A Scheme for Multimessage Multiuser Signature\n Aggregation","author":"Yark\u0131n Dor\u00f6z","year":"2020"},{"key":"ref46:C:BeuSei23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"518","DOI":"10.1007\/978-3-031-38554-4_17","article-title":"LaBRADOR: Compact Proofs for R1CS from Module-SIS","volume":"14085","author":"Ward Beullens","year":"2023"},{"key":"ref47:EPRINT:TomShi23","volume-title":"Compact Aggregate Signature from Module-Lattices","author":"Toi Tomita","year":"2023"},{"key":"ref48:C:AABKT24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1007\/978-3-031-68376-3_3","article-title":"Aggregating Falcon Signatures with LaBRADOR","volume":"14920","author":"Marius A. Aardal","year":"2024"},{"key":"ref49:TCC:LMQW22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-22318-1_1","article-title":"Post-quantum Insecurity from LWE","volume":"13747","author":"Alex Lombardi","year":"2022"},{"key":"ref50:cryptoeprint:2024\/257","volume-title":"LatticeFold: A Lattice-based Folding Scheme and its\n Applications to Succinct Proof Systems","author":"Dan Boneh","year":"2024"},{"key":"ref51:cryptoeprint:2024\/1964","volume-title":"Lova: Lattice-Based Folding Scheme from Unstructured\n Lattices","author":"Giacomo Fenzi","year":"2024"},{"key":"ref52:PKC:DOTT21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1007\/978-3-030-75245-3_5","article-title":"Two-Round n-out-of-n and Multi-signatures and Trapdoor\n Commitment from Lattices","volume":"12710","author":"Ivan Damg\u00e5rd","year":"2021"},{"key":"ref53:C:Chen23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"716","DOI":"10.1007\/978-3-031-38554-4_23","article-title":"DualMS: Efficient Lattice-Based Two-Round Multi-signature\n with Trapdoor-Free Simulation","volume":"14085","author":"Yanbo Chen","year":"2023"},{"key":"ref54:cryptoeprint:2024\/1574","volume-title":"Scalable Two-Round $n$-out-of-$n$ and Multi-Signatures from\n Lattices in the Quantum Random Oracle Model","author":"Qiqi Lai","year":"2024"},{"key":"ref55:ACNS:AlkDotPu24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"376","DOI":"10.1007\/978-3-031-54770-6_15","article-title":"Practical Lattice-Based Distributed Signatures for a Small\n Number of Signers","volume":"14583","author":"Nabil Alkeilani Alkadri","year":"2024"},{"key":"ref56:cryptoeprint:2024\/1691","volume-title":"A Framework for Group Action-Based Multi-Signatures and\n Applications to LESS, MEDS, and ALTEQ","author":"Giuseppe D'Alconzo","year":"2024"},{"key":"ref57:C:BosTakTib22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"276","DOI":"10.1007\/978-3-031-15979-4_10","article-title":"MuSig-L: Lattice-Based Multi-signature with Single-Round\n Online Phase","volume":"13508","author":"Cecilia Boschini","year":"2022"},{"key":"ref58:AC:GHHM21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"637","DOI":"10.1007\/978-3-030-92062-3_22","article-title":"Tight Adaptive Reprogramming in the QROM","volume":"13090","author":"Alex B. Grilo","year":"2021"},{"key":"ref59:AC:BDFLSZ11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1007\/978-3-642-25385-0_3","article-title":"Random Oracles in a Quantum World","volume":"7073","author":"Dan Boneh","year":"2011"},{"key":"ref60:AC:BerHul19","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-030-34618-8_2","article-title":"Decisional Second-Preimage Resistance: When Does SPR Imply\n PRE?","volume":"11923","author":"Daniel J. Bernstein","year":"2019"},{"key":"ref61:PKC:HulRijSon16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"387","DOI":"10.1007\/978-3-662-49384-7_15","article-title":"Mitigating Multi-target Attacks in Hash-Based Signatures","volume":"9614","author":"Andreas H\u00fclsing","year":"2016"},{"key":"ref62:IMA:DodSmaSta05","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1007\/11586821_8","article-title":"Hash Based Digital Signature Schemes","volume":"3796","author":"C. Dods","year":"2005"},{"key":"ref63:CCS:AhnGreHoh10","doi-asserted-by":"publisher","first-page":"473","DOI":"10.1145\/1866307.1866360","article-title":"Synchronized aggregate signatures: new definitions,\n constructions and applications","author":"Jae Hyun Ahn","year":"2010"},{"key":"ref64:EC:HohWat18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1007\/978-3-319-78375-8_7","article-title":"Synchronized Aggregate Signatures from the RSA\n Assumption","volume":"10821","author":"Susan Hohenberger","year":"2018"},{"key":"ref65:USENIX:DGNW20","first-page":"2093","article-title":"Pixel: Multi-signatures for Consensus","author":"Manu Drijvers","year":"2020"},{"key":"ref66:DBLP:conf\/asiacrypt\/KhovratovichBM23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-981-99-8742-9_10","article-title":"Generic Security of the SAFE API and Its Applications","volume":"14445","author":"Dmitry Khovratovich","year":"2023"},{"key":"ref67:shake:FIPS15","article-title":"SHA-3 Standard: Permutation-Based Hash and\n Extendable-Output Functions","author":"National Institute of Standards","year":"2015","journal-title":"Federal Information Processing Standards Publication\n (FIPS)"},{"key":"ref68:AFRICACRYPT:GraKhoSch23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1007\/978-3-031-37679-5_8","article-title":"Poseidon2: A Faster Version of the Poseidon Hash\n Function","volume":"14064","author":"Lorenzo Grassi","year":"2023"},{"key":"ref69:cryptoeprint:2021\/062","volume-title":"Compressed Permutation Oracles (And the Collision-Resistance\n of Sponge\/SHA3)","author":"Dominique Unruh","year":"2021"},{"key":"ref70:USENIX:GKRRS21","first-page":"519","article-title":"Poseidon: A New Hash Function for Zero-Knowledge Proof\n Systems","author":"Lorenzo Grassi","year":"2021"},{"key":"ref71:nistcall","article-title":"Submission Requirements and Evaluation Criteria for the\n Post-Quantum Cryptography Standardization Process","author":"National Institute of Standards","year":"2016","journal-title":"National Institute of Standards and Technology Reports"},{"key":"ref72:STOC:Grover96","doi-asserted-by":"publisher","first-page":"212","DOI":"10.1145\/237814.237866","article-title":"A Fast Quantum Mechanical Algorithm for Database Search","author":"Lov K. Grover","year":"1996"},{"key":"ref73:zalka1999grover","doi-asserted-by":"publisher","first-page":"2746","DOI":"10.1103\/PhysRevA.60.2746","article-title":"Grover's quantum searching algorithm is optimal","volume":"60","author":"Christof Zalka","year":"1999","journal-title":"Phys. Rev. A"},{"key":"ref74:EPRINT:Fluhrer17b","volume-title":"Reassessing Grover's Algorithm","author":"Scott Fluhrer","year":"2017"},{"key":"ref75:DBLP:conf\/IEEEares\/HulsingRB13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"194","DOI":"10.1007\/978-3-642-40588-4_14","article-title":"Optimal Parameters for XMSS MT","volume":"8128","author":"Andreas H\u00fclsing","year":"2013"},{"key":"ref76:ICALP:BBHR18","series-title":"LIPIcs","doi-asserted-by":"publisher","DOI":"10.4230\/LIPIcs.ICALP.2018.14","article-title":"Fast Reed-Solomon Interactive Oracle Proofs of Proximity","volume":"107","author":"Eli Ben-Sasson","year":"2018"},{"key":"ref77:cryptoeprint:2024\/1586","volume-title":"WHIR: Reed\u2013Solomon Proximity Testing with Super-Fast\n Verification","author":"Gal Arnon","year":"2024"},{"key":"ref78:AC:Unruh17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1007\/978-3-319-70694-8_3","article-title":"Post-quantum Security of Fiat-Shamir","volume":"10624","author":"Dominique Unruh","year":"2017"},{"key":"ref79:TCC:ChiFen24","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-031-78011-0_3","article-title":"zkSNARKs in the ROM with Unconditional UC-Security","author":"Alessandro Chiesa","year":"2024"},{"key":"ref80:FOCS:Zhandry12","doi-asserted-by":"publisher","first-page":"679","DOI":"10.1109\/FOCS.2012.37","article-title":"How to Construct Quantum Random Functions","author":"Mark Zhandry","year":"2012"},{"key":"ref81:Kaye2006","doi-asserted-by":"crossref","DOI":"10.1093\/oso\/9780198570004.001.0001","volume-title":"An Introduction to Quantum Computing","author":"Phillip Kaye","year":"2006"}],"container-title":["IACR Communications in Cryptology"],"language":"en","deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:24:05Z","timestamp":1744147445000},"score":0.0,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/13"}},"issued":{"date-parts":[[2025,4,8]]},"references-count":81,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/aey7qjp10","archive":["Internet Archive","Internet Archive"],"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2025-01-14","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-1-17"}],"items-per-page":20,"query":{"start-index":0,"search-terms":null}}}