We present the first rigorous dynamic analysis of BKZ, the most widely used lattice reduction algorithm besides LLL: we provide guarantees on the quality of the current lattice basis during execution. Previous analyses were either heuristic or ...

We propose a generic compiler that can convert any zero-knowledge (ZK) proof for SIMD circuits to general circuits efficiently, and an extension that can preserve the space complexity of the proof systems. Our compiler can immediately produce new ...

We describe in this paper how to perform a padding oracle attack against the GlobalPlatform SCP02 protocol. SCP02 is implemented in smart cards and used by transport companies, in the banking world and by mobile network operators (UICC/SIM cards). ...

Bulletproofs (Bünz et al., in: 2018 IEEE symposium on security and privacy, IEEE Computer Society Press, pp 315–334, 2018) are a celebrated ZK proof system that allows for short and efficient proofs, and have been implemented and deployed in ...

Constructing one-way functions from average-case hardness is a long-standing open problem. A positive result would exclude Pessiland (Impagliazzo ’95) and establish a highly desirable win–win situation: either (symmetric) cryptography exists ...$\mathsf{}$$\mathsf{}$$\mathsf{}$$$$\mathsf{}$$$$$$$$\mathsf{}$$$$$

At CRYPTO ’94, Cramer, Damgård, and Schoenmakers introduced a general technique for constructing honest-verifier zero-knowledge proofs of partial knowledge (PPK), where a prover Alice wants to prove to a verifier Bob she knows $\tau$ witnesses for $\tau$ ...$$$$$\mathrm{}$$$$\mathrm{}$$\mathrm{}$$\mathrm{}$$\mathrm{}$$$$$$$$$$$$$$\mathrm{}$$\mathrm{}$$\mathrm{}$

This paper studies several building blocks needed for electronic voting in order to prepare for the post-quantum era. In particular, we present lattice-based constructions for a generic zero-knowledge (ZK) proof of ballot correctness, a ZK proof ...

Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client ...

Interactive oracle proofs (IOPs) (Ben-Sasson et al., in: Hirt and Smith (eds) TCC 2016-B, Part II, volume 9986 of LNCS, pp 31–60, 2016. https://doi.org/10.1007/978-3-662-53644-5_2; Reingold et al. in SIAM J Comput, 2021) have emerged as a powerful ...

In this paper, we present a new representation of the AES key schedule, with some implications to the security of AES-based schemes. In particular, we show that the AES-128 key schedule can be split into four independent parallel computations ...

Leakage-resilient cryptography aims to protect cryptographic primitives from so-called “side channel attacks” that exploit their physical implementation to learn their input or secret state. Starting from the works of Ishai, Sahai and Wagner (...

Cryptographic group actions are a relaxation of standard cryptographic groups that have less structure. This lack of structure allows them to be plausibly quantum resistant despite Shor’s algorithm, while still having a number of applications. The ...

A multilinear polynomial is a multivariate polynomial of degree at most one in each variable. This paper introduces a new scheme to commit to multilinear polynomials and to later prove evaluations thereof. The scheme exponentially improves on the ...$\mathrm{}$${\mathrm{}}^{}$

Since the celebrated work of Impagliazzo and Rudich (STOC 1989), a number of black-box impossibility results have been established. However, these works only ruled out classical black-box reductions among cryptographic primitives. Therefore, it ...

Combinatorial attacks on small max norm LWE keys suffer enormous memory requirements, which render them inefficient in realistic attack scenarios. Therefore, more memory-efficient substitutes for these algorithms are needed. In this work, we ...${\mathrm{}}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$${}^{}$$\mathrm{}\mathrm{}$${\mathrm{}\mathrm{}}^{}$${\mathrm{}}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$

It is well-known that randomness is essential for secure cryptography. The randomness used in cryptographic primitives is not necessarily recoverable even by the party who can, e.g., decrypt or recover the underlying secret/message. Several ...${\mathsf{}}^{\mathrm{}}$${\mathsf{}}^{\mathrm{}}$

A two-input function is a dual PRF if it is a PRF when keyed by either of its inputs. Dual PRFs are assumed in the design and analysis of numerous primitives and protocols including HMAC, AMAC, TLS 1.3 and MLS. But, not only do we not know whether ...

Boomerang attacks are extensions of differential attacks that make it possible to combine two unrelated differential properties of the first and second part of a cryptosystem with probabilities p and q into a new differential-like property of the ...${}^{\mathrm{}}{}^{\mathrm{}}$${}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$

Polynomial commitments schemes are a powerful tool that enables one party to commit to a polynomial p of degree d, and prove that the committed function evaluates to a certain value z at a specified point u, i.e. $p(u)=z$, without revealing any ...$\mathrm{}$${\mathrm{}}^{\mathrm{}}$$\mathrm{}$

We construct the first actively-secure Multi-Party Computation (MPC) protocols with an arbitrary number of parties in the dishonest majority setting, for an arbitrary field $\mathbb{F}$ with constant communication overhead over the “passive-GMW” protocol (...${\mathcal{}}_{}$${\mathcal{}}_{}$$\mathcal{}$$\mathcal{}$$\mathcal{}$${\mathcal{}}_{}$${\mathcal{}}_{}$