Towards compressed permutation oracles
Compressed oracles (Zhandry, Crypto 2019) are a powerful technique to reason about quantum random oracles, enabling a sort of lazy sampling in the presence of superposition queries. A long-standing open…
Brakedown’s expander code
This write-up summarizes the sampling analysis of the expander code from Brakedown [GLSTW21]. We elaborate their convexity argument for general linear expansion bounds, and we combine their approach with the…
Behemoth: transparent polynomial commitment scheme with constant opening proof size and verifier time
Polynomial commitment schemes are fundamental building blocks in numerous cryptographic protocols such as verifiable secret sharing, zero-knowledge succinct non-interactive arguments, and many more. The most efficient polynomial commitment schemes rely…
Owl: An Augmented Password-Authenticated Key Exchange Scheme
We present Owl, an augmented password-authenticated key exchange (PAKE) protocol that is both efficient and supported by security proofs. Owl is motivated by recognized limitations in SRP-6a and OPAQUE. SRP-6a…
Leakage Certification Made Simple
Side channel evaluations benefit from sound characterisations of adversarial leakage models, which are the determining factor for attack success. Two questions are of interest: can we estimate a quantity that…
LFHE: Fully Homomorphic Encryption with Bootstrapping Key Size Less than a Megabyte
Fully Homomorphic Encryption (FHE) enables computations to be performed on encrypted data, so one can outsource computations of confidential information to an untrusted party. Ironically, FHE requires the client to…
Shorter and Faster Identity-Based Signatures with Tight Security in the (Q)ROM from Lattices
We provide identity-based signature (IBS) schemes with tight security against adaptive adversaries, in the (classical or quantum) random oracle model (ROM or QROM), in both unstructured and structured lattices, based…
Batch Proofs are Statistically Hiding
Batch proofs are proof systems that convince a verifier that $x_1,dots, x_t in L$, for some $NP$ language $L$, with communication that is much shorter than sending the $t$ witnesses.…
Lattice-based Commit-Transferrable Signatures and Applications to Anonymous Credentials
Anonymous Credentials are an important tool to protect user’s privacy for proving possession of certain credentials. Although various efficient constructions have been proposed based on pre-quantum assumptions, there have been…
Threshold ECDSA in Three Rounds
We present a three-round protocol for threshold ECDSA signing with malicious security against a dishonest majority, which information-theoretically UC-realizes a standard threshold signing functionality, assuming ideal commitment and two-party multiplication…