## IACR News

Updates on the COVID-19 situation are on the
Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

#### 14 September 2021

###### Andrew M.K. Nassief

ePrint Report
BitBadges is a privacy preserving distributed identity platform that plans on utilizing CouchDB, the decentralized-internet SDK by Lonero, Blake3 hashing, and a PoCP or Proof of Computation consensus algorithm. It is privacy-preserving and offers a unique proposition for traditional blockchains centered around consensus algorithms. This paper introduces the conceptual design for BitBadges in its second version and as its own blockchain platform and cryptocurrency. The aim is to introduce various researchers to distributed consensus through an identity-based platform, while still keeping its decentralized and privacy-preserving nature. The main distributed computing paradigm or architectural design is centered around Peer to Peer Client Server models and a Point to Point message model. Its distributed system is centered around a grid computing design based off of fault tolerance and censorship-resistance. It also implements lockstep and modular operations. BitBadges was first iterated as a NFT hashing/badge creation solution and has slowly transitioned to an alternative to ERC721 to its own blockchain. BitBadges will be interoperable with various sidechain integrations for badge issuing and identity measures. These are further intentional integrations to make BitBadges further decentralized. The aim is to create a new model for distributed identity centered around PoCP.

###### Ueli Maurer, Christopher Portmann, Guilherme Rito

ePrint Report
When defining a security notion, one typically specifies what dishonest parties cannot achieve. For example, communication is confidential if a third party cannot learn anything about the messages being transmitted, and it is authentic if a third party cannot impersonate the real (honest) sender.
For certain applications, however, security crucially relies on giving dishonest parties certain capabilities.
As an example, in Designated Verifier Signature (DVS) schemes, one captures that only the designated verifier can be convinced of the authenticity of a message by guaranteeing that any dishonest party can forge signatures which look indistinguishable (to a third party) from original ones created by the sender.

However, composable frameworks cannot typically model such guarantees as they are only designed to bound what a dishonest party can do. In this paper we show how to model such guarantees---that dishonest parties must have some capability---in the Constructive Cryptography framework (Maurer and Renner, ICS 2011). More concretely, we give the first composable security definitions for Multi-Designated Verifier Signature (MDVS) schemes---a generalization of DVS schemes.

The ideal world is defined as the intersection of two worlds. The first captures authenticity in the usual way. The second provides the guarantee that a dishonest party can forge signatures. By taking the intersection we have an ideal world with the desired properties.

We also compare our composable definitions to existing security notions for MDVS schemes from the literature. We find that only recently, 23 years after the introduction of MDVS schemes, sufficiently strong security notions were introduced capturing the security of MDVS schemes (Damg{\r a}rd et al., TCC 2020). As we prove, however, these notions are still strictly stronger than necessary.

However, composable frameworks cannot typically model such guarantees as they are only designed to bound what a dishonest party can do. In this paper we show how to model such guarantees---that dishonest parties must have some capability---in the Constructive Cryptography framework (Maurer and Renner, ICS 2011). More concretely, we give the first composable security definitions for Multi-Designated Verifier Signature (MDVS) schemes---a generalization of DVS schemes.

The ideal world is defined as the intersection of two worlds. The first captures authenticity in the usual way. The second provides the guarantee that a dishonest party can forge signatures. By taking the intersection we have an ideal world with the desired properties.

We also compare our composable definitions to existing security notions for MDVS schemes from the literature. We find that only recently, 23 years after the introduction of MDVS schemes, sufficiently strong security notions were introduced capturing the security of MDVS schemes (Damg{\r a}rd et al., TCC 2020). As we prove, however, these notions are still strictly stronger than necessary.

###### Aron van Baarsen, Marc Stevens

ePrint Report
In this paper we study cryptographic finite abelian groups of unknown order and hardness assumptions in these groups. Abelian groups necessitate multiple group generators, which may be chosen at random. We formalize this setting and hardness assumptions therein. Furthermore, we generalize the algebraic group model and strong algebraic group model from cyclic groups to arbitrary finite abelian groups of unknown order. Building on these formalizations, we present techniques to deal with this new setting, and prove new reductions. These results are relevant for class groups of imaginary quadratic number fields and time-lock cryptography build upon them.

###### Armando Faz-Hernández, Watson Ladd, Deepak Maram

ePrint Report
Cryptographic keys are increasingly stored in dedicated hardware or behind software interfaces. Doing so limits access, such as permitting only signing via ECDSA. This makes using them in existing ring and group signature schemes impossible as these schemes assume the ability to access the private key for other operations. We present a Σ-protocol that uses a committed public key to verify an ECDSA or Schnorr signature on a message, without revealing the public key. We then discuss how this protocol may be used to derive ring signatures in combination with Groth–Kohlweiss membership proofs and other applications. This scheme has been implemented and source code is freely available.

###### Nicholas Stifter, Aljosha Judmayer, Philipp Schindler, Edgar Weippl

ePrint Report
In this paper we outline a novel form of attack we refer to as Opportunistic Algorithmic Double-Spending (OpAl ). OpAl attacks not only avoid equivocation, i.e., do not require conflicting transactions, the attack is also carried out programmatically. Algorithmic double-spending is facilitated through transaction semantics that dynamically depend on the context and ledger state at the time of execution. Hence, OpAl evades common double-spending detection mechanisms and can opportunistically
leverage forks, even if the malicious sender itself is not aware of their existence. Furthermore, the cost of modifying a regular transaction to opportunistically perform an OpAl attack is low enough to consider it a viable default strategy for most use cases. Our analysis suggests that while Bitcoin’s stateless UTXO model is more robust against OpAl, designs with expressive transaction semantics, especially stateful smart contract platforms such as Ethereum, are particularly vulnerable.

###### Madura A. Shelton;Łukasz Chmielewski;Niels Samwel;Markus Wagner;Lejla Batina;Yuval Yarom

ePrint Report
Side-channel attacks are a major threat to the security of cryptographic implementations, particularly for small devices that are under the physical control of the adversary. While several strategies for protecting against side-channel attacks exist, these often fail in practice due to unintended interactions between values deep within the CPU. To detect and protect from side-channel attacks, several automated tools have recently been proposed; one of their common limitations is that they only support first-order leakage.

In this work, we present , the first automated tool for detecting and eliminating higher-order leakage from cryptographic implementations. Rosita++ proposes statistical and software-based tools to allow high-performance higher-order leakage detection. It then uses the code rewrite engine of Rosita (Shelton et al. NDSS 2021) to eliminate detected leakage. For the sake of practicality we evaluate Rosita++ against second and third order leakage, but our framework is not restricted to only these orders.

We evaluate Rosita++ against second-order leakage with three-share implementations of two ciphers, PRESENT and Xoodoo, and with the second-order Boolean-to-arithmetic masking, a core building block of masked implementations of many cryptographic primitives, including SHA-2, ChaCha and Blake. We show effective second-order leakage elimination at a performance cost of 36% for Xoodoo, 189% for PRESENT, and 29% for the Boolean-to-arithmetic masking. For third-order analysis, we evaluate Rosita++ against the third-order leakage using a four-share synthetic example that corresponds to typical four-share processing. Rosita++ correctly identified this leakage and applied code fixes.

In this work, we present , the first automated tool for detecting and eliminating higher-order leakage from cryptographic implementations. Rosita++ proposes statistical and software-based tools to allow high-performance higher-order leakage detection. It then uses the code rewrite engine of Rosita (Shelton et al. NDSS 2021) to eliminate detected leakage. For the sake of practicality we evaluate Rosita++ against second and third order leakage, but our framework is not restricted to only these orders.

We evaluate Rosita++ against second-order leakage with three-share implementations of two ciphers, PRESENT and Xoodoo, and with the second-order Boolean-to-arithmetic masking, a core building block of masked implementations of many cryptographic primitives, including SHA-2, ChaCha and Blake. We show effective second-order leakage elimination at a performance cost of 36% for Xoodoo, 189% for PRESENT, and 29% for the Boolean-to-arithmetic masking. For third-order analysis, we evaluate Rosita++ against the third-order leakage using a four-share synthetic example that corresponds to typical four-share processing. Rosita++ correctly identified this leakage and applied code fixes.

###### István András Seres, Balázs Pejó, Péter Burcsi

ePrint Report
Fuzzy Message Detection (FMD) is a recent cryptographic primitive invented by Beck et al. (CCS'21) where an untrusted server performs coarse message filtering for its clients in a recipient-anonymous way. In FMD - besides the true positive messages - the clients download from the server their cover messages determined by their false-positive detection rates. What is more, within FMD, the server cannot distinguish between genuine and cover traffic. In this paper, we formally analyze the privacy guarantees of FMD from four different angles.
First, we evaluate what privacy provisions are offered by FMD. We found that FMD does not provide relationship anonymity without additional cryptographic techniques protecting the senders' identities. Moreover, FMD only provides a reasonable degree of recipient unlinkability when users apply considerable false-positive rates, and concurrently there is significant traffic. Second, we perform a differential privacy (DP) analysis and coin a relaxed DP definition to capture the privacy guarantees FMD yields. Third, we study FMD through a game-theoretic lens and argue why FMD is not sustainable without altruistic users. Finally, we simulate FMD on real-world communication data. Our theoretical and empirical results assist FMD users to adequately select their false-positive detection rates for various applications with given privacy requirements.

###### Ling Sun, Wei Wang, Meiqin Wang

ePrint Report
One of the well-known superiorities of GIFT-64 over PRESENT lies in the correction of the strong linear hull effect. However, apart from the investigation of the 9-round linear hull effect in the design document, we find no linear attack result on GIFT-64. Although we do not doubt the security of GIFT-64 regarding the linear cryptanalysis, the actual resistance of the cipher to the linear attack should be evaluated since it promotes a comprehensive perception of the soundness of GIFT-64. Motivated by this observation, we implement an automatic search and find a 12-round linear distinguisher whose dominating trail is an optimal linear characteristic. Following that, the first 19-round linear attack is launched by utilising the newly identified distinguisher. On the other side, we notice that the previous differential attack of GIFT-64 covering 20 rounds claims the entire codebook. To reduce the data complexity of the 20-round attack, we apply the automatic method to exhaustively check 13-round differential trails with probabilities no less than $2^{-64}$ and identify multiple 13-round differentials facilitating 20-round attacks without using the full codebook. One of the candidate differentials with the maximum probability and the minimum number of guessed subkey bits is then employed to realise the first 20-round differential attack without relying on the complete codebook. Given the newly obtained results, we conjecture that the resistances of GIFT-64 against differential and linear attacks do not have a significant gap. Also, we note that the attack results in this paper are far from threatening the security of GIFT-64.

###### Christiane Kuhn, Dennis Hofheinz, Andy Rupp, Thorsten Strufe

ePrint Report
Onion routing (OR) protocols are a crucial tool for providing anonymous internet communication. An OR protocol enables a user to anonymously send requests to a server. A fundamental problem of OR protocols is how to deal with replies: ideally, we would want the server to be able to send a reply back to the anonymous user without knowing or disclosing the user's identity.

Existing OR protocols do allow for such replies, but do not provably protect the payload (i.e., message) of replies against manipulation. Kuhn et al. (IEEE S&P 2020) show that such manipulations can in fact be leveraged to break anonymity of the whole protocol.

In this work, we close this gap and provide the first framework and protocols for OR with protected replies. We define security in the sense of an ideal functionality in the universal composability model, and provide corresponding (less complex) game-based security notions for the individual properties.

We also provide two secure instantiations of our framework: one based on updatable encryption, and one based on succinct non-interactive arguments (SNARGs) to authenticate payloads both in requests and replies. In both cases, our central technical handle is an implicit authentication of the transmitted payload data, as opposed to an explicit, but insufficient authentication (with MACs) in previous solutions. Our results exhibit a new and surprising application of updatable encryption outside of long-term data storage.

Existing OR protocols do allow for such replies, but do not provably protect the payload (i.e., message) of replies against manipulation. Kuhn et al. (IEEE S&P 2020) show that such manipulations can in fact be leveraged to break anonymity of the whole protocol.

In this work, we close this gap and provide the first framework and protocols for OR with protected replies. We define security in the sense of an ideal functionality in the universal composability model, and provide corresponding (less complex) game-based security notions for the individual properties.

We also provide two secure instantiations of our framework: one based on updatable encryption, and one based on succinct non-interactive arguments (SNARGs) to authenticate payloads both in requests and replies. In both cases, our central technical handle is an implicit authentication of the transmitted payload data, as opposed to an explicit, but insufficient authentication (with MACs) in previous solutions. Our results exhibit a new and surprising application of updatable encryption outside of long-term data storage.

###### Divesh Aggarwal, Nico Döttling, Jesko Dujmovic, Mohammad Hajiabadi, Giulio Malavolta, Maciej Obremski

ePrint Report
Consider the following problem: You have a device that is supposed to compute a linear combination of its inputs, which are taken from some finite field. However, the device may be faulty and compute arbitrary functions of its inputs. Is it possible to encode the inputs in such a way that only linear functions can be evaluated over the encodings? I.e., learning an arbitrary function of the encodings will not reveal more information about the inputs than a linear combination.

In this work, we introduce the notion of algebraic restriction codes (AR codes), which constrain adversaries who might compute any function to computing a linear function. Our main result is an information-theoretic construction AR codes that restrict any class of function with a bounded number of output bits to linear functions. Our construction relies on a seed which is not provided to the adversary.

While interesting and natural on its own, we show an application of this notion in cryptography. In particular, we show that AR codes lead to the first construction of rate-1 oblivious transfer with statistical sender security from the Decisional Diffie-Hellman assumption, and the first-ever construction that makes black-box use of cryptography. Previously, such protocols were known only from the LWE assumption, using non-black-box cryptographic techniques. We expect our new notion of AR codes to find further applications, e.g., in the context of non-malleability, in the future.

In this work, we introduce the notion of algebraic restriction codes (AR codes), which constrain adversaries who might compute any function to computing a linear function. Our main result is an information-theoretic construction AR codes that restrict any class of function with a bounded number of output bits to linear functions. Our construction relies on a seed which is not provided to the adversary.

While interesting and natural on its own, we show an application of this notion in cryptography. In particular, we show that AR codes lead to the first construction of rate-1 oblivious transfer with statistical sender security from the Decisional Diffie-Hellman assumption, and the first-ever construction that makes black-box use of cryptography. Previously, such protocols were known only from the LWE assumption, using non-black-box cryptographic techniques. We expect our new notion of AR codes to find further applications, e.g., in the context of non-malleability, in the future.

###### Mihai Christodorescu, Sivanarayana Gaddam, Pratyay Mukherjee, Rohit Sinha

ePrint Report
Threshold cryptography enables cryptographic operations while keeping the secret keys distributed at all times.
Agrawal et al. (CCS'18) propose a framework for Distributed Symmetric-key Encryption (DiSE). They introduce a new notion of Threshold Symmetric-key Encryption (TSE), in that encryption and decryption are performed by interacting with a threshold number of servers. However, the necessity for interaction on each invocation limits performance when encrypting large datasets, incurring heavy computation and communication on the servers.

This paper proposes a new approach to resolve this problem by introducing a new notion called Amortized Threshold Symmetric-key Encryption (ATSE), which allows a "privileged" client (with access to sensitive data) to encrypt a large group of messages using a single interaction. Importantly, our notion requires a client to interact for decrypting each ciphertext, thus providing the same security (privacy and authenticity) guarantee as DiSE with respect to a "not-so-privileged" client. We construct an ATSE scheme based on a new primitive that we formalize as flexible threshold key-derivation (FTKD), which allows parties to interactively derive pseudorandom keys in different modes in a threshold manner. Our FTKD construction, which uses bilinear pairings, is based on a distributed variant of left/right constrained PRF by Boneh and Waters (Asiacrypt'13).

Despite our use of bilinear maps, our scheme achieves significant speed-ups due to the amortized interaction. Our experiments show 40x lower latency and 30x more throughput in some settings.

This paper proposes a new approach to resolve this problem by introducing a new notion called Amortized Threshold Symmetric-key Encryption (ATSE), which allows a "privileged" client (with access to sensitive data) to encrypt a large group of messages using a single interaction. Importantly, our notion requires a client to interact for decrypting each ciphertext, thus providing the same security (privacy and authenticity) guarantee as DiSE with respect to a "not-so-privileged" client. We construct an ATSE scheme based on a new primitive that we formalize as flexible threshold key-derivation (FTKD), which allows parties to interactively derive pseudorandom keys in different modes in a threshold manner. Our FTKD construction, which uses bilinear pairings, is based on a distributed variant of left/right constrained PRF by Boneh and Waters (Asiacrypt'13).

Despite our use of bilinear maps, our scheme achieves significant speed-ups due to the amortized interaction. Our experiments show 40x lower latency and 30x more throughput in some settings.

###### Martin Hirt, Chen-Da Liu-Zhang, Ueli Maurer

ePrint Report
The goal of secure multi-party computation (MPC) is to allow a set of parties to perform an arbitrary computation task, where the security guarantees depend on the set of parties that are corrupted. The more parties are corrupted, the less is guaranteed, and typically the guarantees are completely lost when the number of corrupted parties exceeds a certain corruption bound.

Early and also many recent protocols are only statically secure in the sense that they provide no security guarantees if the adversary is allowed to choose adaptively which parties to corrupt. Security against an adversary with such a strong capability is often called adaptive security and a significant body of literature is devoted to achieving adaptive security, which is known as a difficult problem. In particular, a main technical obstacle in this context is the so-called ``commitment problem'', where the simulator is unable to consistently explain the internal state of a party with respect to its pre-corruption outputs. As a result, protocols typically resort to the use of cryptographic primitives like non-committing encryption, incurring a substantial efficiency loss.

This paper provides a new, clean-slate treatment of adaptive security in MPC, exploiting the specification concept of constructive cryptography (CC). A new natural security notion, called CC-adaptive security, is proposed, which is technically weaker than standard adaptive security but nevertheless captures security against a fully adaptive adversary. Known protocol examples separating between adaptive and static security are also insecure in our notion. Moreover, our notion avoids the commitment problem and thereby the need to use non-committing or equivocal tools.

We exemplify this by showing that the protocols by Cramer, Damgard and Nielsen (EUROCRYPT'01) for the honest majority setting, and (the variant without non-committing encryption) by Canetti, Lindell, Ostrovsky and Sahai (STOC'02) for the dishonest majority setting, achieve CC-adaptive security. The latter example is of special interest since all UC-adaptive protocols in the dishonest majority setting require some form of non-committing or equivocal encryption.

Early and also many recent protocols are only statically secure in the sense that they provide no security guarantees if the adversary is allowed to choose adaptively which parties to corrupt. Security against an adversary with such a strong capability is often called adaptive security and a significant body of literature is devoted to achieving adaptive security, which is known as a difficult problem. In particular, a main technical obstacle in this context is the so-called ``commitment problem'', where the simulator is unable to consistently explain the internal state of a party with respect to its pre-corruption outputs. As a result, protocols typically resort to the use of cryptographic primitives like non-committing encryption, incurring a substantial efficiency loss.

This paper provides a new, clean-slate treatment of adaptive security in MPC, exploiting the specification concept of constructive cryptography (CC). A new natural security notion, called CC-adaptive security, is proposed, which is technically weaker than standard adaptive security but nevertheless captures security against a fully adaptive adversary. Known protocol examples separating between adaptive and static security are also insecure in our notion. Moreover, our notion avoids the commitment problem and thereby the need to use non-committing or equivocal tools.

We exemplify this by showing that the protocols by Cramer, Damgard and Nielsen (EUROCRYPT'01) for the honest majority setting, and (the variant without non-committing encryption) by Canetti, Lindell, Ostrovsky and Sahai (STOC'02) for the dishonest majority setting, achieve CC-adaptive security. The latter example is of special interest since all UC-adaptive protocols in the dishonest majority setting require some form of non-committing or equivocal encryption.

###### Annick Chopard, Martin Hirt, Chen-Da Liu-Zhang

ePrint Report
Secure multi-party computation (MPC) allows a set of $n$ parties to jointly compute an arbitrary computation over their private inputs. Two main variants have been considered in the literature according to the underlying communication model. Synchronous MPC protocols proceed in rounds, and rely on the fact that the communication network provides strong delivery guarantees within each round. Asynchronous MPC protocols achieve security guarantees even when the network delay is arbitrary.

While the problem of MPC has largely been studied in both variants with respect to both feasibility and efficiency results, there is still a substantial gap when it comes to communication complexity of adaptively secure protocols. Concretely, while adaptively secure synchronous MPC protocols with linear communication are known for a long time, the best asynchronous protocol communicates $\mathcal{O}(n^4 \kappa)$ bits per multiplication.

In this paper, we make progress towards closing this gap by providing two protocols. First, we present an adaptively secure asynchronous protocol with optimal resilience $t<n/3$ and $\mathcal{O}(n^2 \kappa)$ bits of communication per multiplication, improving over the state of the art protocols in this setting by a quadratic factor in the number of parties. The protocol has cryptographic security and follows the CDN approach [Eurocrypt'01], based on additive threshold homomorphic encryption.

Second, we show an optimization of the above protocol that tolerates up to $t<(1-\epsilon)n/3$ corruptions and communicates $\mathcal{O}(n\cdot \poly(\kappa))$ bits per multiplication under stronger assumptions.

While the problem of MPC has largely been studied in both variants with respect to both feasibility and efficiency results, there is still a substantial gap when it comes to communication complexity of adaptively secure protocols. Concretely, while adaptively secure synchronous MPC protocols with linear communication are known for a long time, the best asynchronous protocol communicates $\mathcal{O}(n^4 \kappa)$ bits per multiplication.

In this paper, we make progress towards closing this gap by providing two protocols. First, we present an adaptively secure asynchronous protocol with optimal resilience $t<n/3$ and $\mathcal{O}(n^2 \kappa)$ bits of communication per multiplication, improving over the state of the art protocols in this setting by a quadratic factor in the number of parties. The protocol has cryptographic security and follows the CDN approach [Eurocrypt'01], based on additive threshold homomorphic encryption.

Second, we show an optimization of the above protocol that tolerates up to $t<(1-\epsilon)n/3$ corruptions and communicates $\mathcal{O}(n\cdot \poly(\kappa))$ bits per multiplication under stronger assumptions.

###### Aram Jivanyan, Aaron Feickert

ePrint Report
We propose a modification to the Lelantus private transaction protocol to provide recipient privacy, improved security, and additional usability features. Our decentralized anonymous payment (DAP) construction, Spark, enables non-interactive one-time addressing to hide recipient addresses in transactions. The modified address format permits flexibility in transaction visibility. Address owners can securely provide third parties with opt-in visibility into incoming transactions or all transactions associated to the address; this functionality allows for offloading chain scanning and balance computation without delegating spend authority. It is also possible to delegate expensive proving operations without compromising spend authority when generating transactions. Further, the design is compatible with straightforward linear multisignature operations to allow mutually non-trusting parties to cooperatively receive and generate transactions associated to a multisignature address. We prove that Spark satisfies formal DAP security properties of balance, non-malleability, and ledger indistinguishability.

###### Marloes Venema, Greg Alpár, Jaap-Henk Hoepman

ePrint Report
Attribute-based encryption (ABE) cryptographically implements fine-grained access control on data. As such, data can be stored by an entity that is not necessarily trusted to enforce access control, or an entity that is not even trusted to have access to the plaintext data at all. Instead, access control can be externally enforced by a trusted entity. Additionally, some multi-authority variants of ABE---which do not have a central authority---can effectively and securely implement access control in multiple-domain settings. Furthermore, ABE is the only cryptographic approach to fine-grained access control that does not require an online trusted third party during access requests, and thus provides better availability properties.

Many schemes use pairings due to their versatility and efficiency. In the last sixteen years, much progress has been made in pairing-based ABE. Along the way, several important core properties have been proposed. Nowadays, it is possible to support most core functionality under strong security guarantees, while incurring acceptable storage and computational costs. It is therefore a good time to ask ourselves whether pairing-based ABE has reached its full potential. To answer this question, we provide a comprehensive systemized overview of various existing pairing-based ABE schemes and their properties. We use this overview to analyze how the core properties are realized, and whether they are compatible with one another. Furthermore, we investigate the relationship between the ABE properties and real-world properties such as confidentiality, integrity, and availability. In our analyses, we uncover some remaining challenges, which we pose as open problems. If these can be solved, ABE reaches its full potential, implementing efficient and secure access control.

Many schemes use pairings due to their versatility and efficiency. In the last sixteen years, much progress has been made in pairing-based ABE. Along the way, several important core properties have been proposed. Nowadays, it is possible to support most core functionality under strong security guarantees, while incurring acceptable storage and computational costs. It is therefore a good time to ask ourselves whether pairing-based ABE has reached its full potential. To answer this question, we provide a comprehensive systemized overview of various existing pairing-based ABE schemes and their properties. We use this overview to analyze how the core properties are realized, and whether they are compatible with one another. Furthermore, we investigate the relationship between the ABE properties and real-world properties such as confidentiality, integrity, and availability. In our analyses, we uncover some remaining challenges, which we pose as open problems. If these can be solved, ABE reaches its full potential, implementing efficient and secure access control.

###### F. Betül Durak, Henning Horst, Michael Horst, Serge Vaudenay

ePrint Report
We propose a new construction for format-preserving encryption. Our design provides the flexibility for use in format-preserving encryption (FPE) and for static table-driven tokenization. Our algorithm is a substitution-permutation network based on random Sboxes. Using pseudorandom generators and pseudorandom functions, we prove a strong adaptive security based on the super-pseudorandom permutation assumption of our core design. We obtain empirical parameters to reach this assumption. We suggest parameters for quantum security.

Our design accommodates very small domains, with a radix $a$ from 4 to the Unicode alphabet size and a block length $\ell$ starting 2. The number of Sbox evaluations per encryption is asymptotically $\ell^{\frac32}$, which is also the number of bytes we need to generate using AES in CTR mode for each tweak setup. For instance, we tokenize 10 decimal digits using 29 (parallel) AES computations to be done only once, when the tweak changes.

Our design accommodates very small domains, with a radix $a$ from 4 to the Unicode alphabet size and a block length $\ell$ starting 2. The number of Sbox evaluations per encryption is asymptotically $\ell^{\frac32}$, which is also the number of bytes we need to generate using AES in CTR mode for each tweak setup. For instance, we tokenize 10 decimal digits using 29 (parallel) AES computations to be done only once, when the tweak changes.

###### Masahito Ishizaka, Shinsaku Kiyomoto

ePrint Report
Affine message authentication code (AMAC) (CRYPTO'14) is a group-based MAC with a specific algebraic structure. Downgradable AMAC (DAMAC) (CT-RSA'19) is an AMAC with a functionality that we can downgrade a message with an authentication tag while retaining validity of the tag. In this paper, we revisit DAMAC for two independent applications, namely downgradable identity-based signatures (DIBS) and trapdoor sanitizable signatures (TSS) (ACNS'08). DIBS are the digital signature analogue of downgradable identity-based encryption (CT-RSA'19), which allow us to downgrade an identity associated with a secret-key. In TSS, an entity given a trapdoor for a signed-message can partially modify the message while keeping validity of the signature. We show that DIBS can be generically constructed from DAMAC, and DIBS can be transformed into (wildcarded) hierarchical/wicked IBS. We also show that TSS can be generically constructed from DIBS. By instantiating them, we obtain the first wildcarded hierarchical/wicked IBS and the first invisible and/or unlinkable TSS. Moreover, we prove that DIBS are equivalent to not only TSS, but also their naive combination, named downgradable identity-based trapdoor sanitizable signatures.

###### Pierre Civit, Seth Gilbert, Vincent Gramoli, Rachid Guerraoui, Jovan Komatovic

ePrint Report
It is known that the Byzantine consensus problem among $n$ processes cannot be solved in a non-synchronous system if the number of faulty processes exceeds $t_0$, where $t_0 = n/3$.
Indeed, if the number of faulty processes is greater than the $t_0$ threshold, correct processes might never decide or (even worse) correct processes might decide and disagree.
We focus in this paper on the latter case, where disagreement occurs.
Specifically, we investigate the accountable Byzantine consensus problem in non-synchronous systems: the problem of solving Byzantine consensus whenever possible (i.e., whenever the number of faulty processes does not exceed the $t_0$ bound) and otherwise allowing correct processes to obtain a proof of culpability of (at least) $t_0 + 1$ faulty processes whenever correct processes disagree.
We present three complementary contributions:
(i) We give a simple transformation named $AB$ that enables any Byzantine consensus protocol to obtain accountability.
Besides being simple, $ABC$ is also efficient: it induces an overhead of (1) two all-to-all communication rounds and $O(n^2)$ exchanged bits of information in all executions with up to $t_0$ faults, and (2) three all-to-all communication rounds and $O(n^3)$ exchanged bits of information otherwise.
Therefore, any protocol that solves the Byzantine consensus problem with quadratic (or greater) communication complexity retains its complexity in solving the problem after our transformation.
(ii) We show that $ABC$, despite its simplicity, allows for optimal communication complexity in solving the accountable Byzantine consensus problem.
That is, (1) we prove that any accountable Byzantine consensus incurs cubic communication complexity whenever disagreement occurs, and (2) we demonstrate that the lower bound is tight by applying $ABC$ to any cubic Byzantine consensus protocol (e.g., binary DBFT).
(iii) We show that $ABC$ is not limited to the Byzantine consensus problem.
Specifically, we define a class of easily accountable agreement tasks and we prove that generalized $ABC$ transformation indeed provides accountability for such tasks.
Important distributed tasks, like Byzantine reliable and Byzantine consistent broadcast, fall into this class.

###### Wonseok Choi, Byeonghak Lee, Jooyoung Lee, Yeongmin Lee

ePrint Report
In this paper, we propose a new block cipher-based authenticated encryption scheme, dubbed the Synthetic Counter with Masking~(SCM) mode. SCM follows the NSIV paradigm proposed by Peyrin and Seurin~(CRYPTO 2016), where a keyed hash function accepts a nonce N with associated data and a message, yielding an authentication tag T, and then the message is encrypted by a counter-like mode using both T and N. Here we move one step further by encrypting nonces; in the encryption part, the inputs to the block cipher are determined by T, counters, and an encrypted nonce, and all its outputs are also masked by an (additional) encrypted nonce, yielding keystream blocks.

As a result, we obtain, for the first time, a block cipher-based authenticated encryption scheme of rate 1/2 that provides n-bit security with respect to the query complexity (ignoring the influence of message length) in the nonce-respecting setting, and at the same time guarantees graceful security degradation in the faulty nonce model, when the underlying n-bit block cipher is modeled as a secure pseudorandom permutation. Seen as a slight variant of GCM-SIV, SCM is also parallelizable and inverse-free, and its performance is still comparable to GCM-SIV.

As a result, we obtain, for the first time, a block cipher-based authenticated encryption scheme of rate 1/2 that provides n-bit security with respect to the query complexity (ignoring the influence of message length) in the nonce-respecting setting, and at the same time guarantees graceful security degradation in the faulty nonce model, when the underlying n-bit block cipher is modeled as a secure pseudorandom permutation. Seen as a slight variant of GCM-SIV, SCM is also parallelizable and inverse-free, and its performance is still comparable to GCM-SIV.

###### Ariel Gabizon, Zachary J. Williamson

ePrint Report
We present a variant of the Kate, Zaverucha and Goldberg polynomial commitment scheme [KZG] where $d$ polynomials can be opened at a point that is a $d$'th power, such that the amount of verifier group operations does not depend on $d$.
Our method works by reducing opening multiple polynomials at a single point $x$, to opening a single polynomial at many points via an ``FFT-like identity''.

As an application we present a version of the PlonK zk-SNARK[GWC] with significantly improved verifier performance, at the cost roughly tripling the prover time. Specifically, in addition to the two pairings, the verifier only performs six scalar muliptlications, rather than 16 or 18 as in the versions presented in [GWC].

As an application we present a version of the PlonK zk-SNARK[GWC] with significantly improved verifier performance, at the cost roughly tripling the prover time. Specifically, in addition to the two pairings, the verifier only performs six scalar muliptlications, rather than 16 or 18 as in the versions presented in [GWC].