*12:17* [Pub][ePrint]
Compact and Side Channel Secure Discrete Gaussian Sampling, by Sujoy Sinha Roy and Oscar Reparaz and Frederik Vercauteren and Ingrid Verbauwhede
Discrete Gaussian sampling is an integral part of many lattice based cryptosystems such as public-key encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast Knuth-Yao sampler for sampling from a narrow discrete Gaussian distribution with very high precision. The designed samplers have a maximum statistical distance of $2^{-90}$ to a true discrete Gaussian distribution. In this paper we investigate various optimization techniques to achieve minimum area and cycle requirement. For the standard deviation 3.33, the most area-optimal implementation of the bit-scan operation based Knuth-Yao sampler consumes 30 slices on the Xilinx Virtex 5 FPGAs, and requires on average 17 cycles to generate a sample. We improve the speed of the sampler by using a precomputed table that directly maps the initial random bits into samples with very high probability. The fast sampler consumes 35 slices and spends on average 2.5 cycles to generate a sample. However the sampler architectures are not secure against timing and power analysis based attacks. In this paper we propose a random shuffle method to protect the Gaussian distributed polynomial against such attacks. The side channel attack resistant sampler architecture consumes 52 slices and spends on average 420 cycles to

generate a polynomial of 256 coefficients.

*09:17* [Pub][ePrint]
Universally Composable Efficient Priced Oblivious Transfer from a Flexible Membership Encryption, by Pratish Datta and Ratna Dutta and Sourav Mukhopadhyay
Membership encryption is a newly developed cryptographic primitive that combines membership proof and encryption into an unified setting. This paper presents a new flexible membership encryption scheme which is provably secure and significantly more efficient than the previous scheme. Further we apply our proposed membership encryption to construct a round optimal 1-out-of-$n$ priced oblivious transfer (POT) protocol which, unlike the existing 1-out-of-n POT schemes,is proven secure under the universally composable (UC) security model and thus preserves security when it is executed with multiple protocol instances that run concurrently in an adversarily controlled way. Moreover, using our membership encryption, the POT protocol exhibits constantcommunication complexity on the buyer\'s side and $O(n)$ communication cost on the vendor\'s side, which is so far the best known in the literature.

*09:17* [Pub][ePrint]
An Algebraic Approach to Non-Malleability, by Vipul Goyal and Silas Richelson and Alon Rosen and Margarita Vald
In their seminal work on non-malleable cryptography, Dolev, Dwork and Naor, showed how to construct a non-malleable commitment with logarithmically-many \"rounds\"/\"slots\", the idea being that any adversary may successfully maul in some slots but would fail in at least one. Since then new ideas have been introduced, ultimately resulting in constant-round protocols based on any one-way function. Yet, in spite of this remarkable progress, each of the known constructions of non-malleable commitments leaves something to be desired.In this paper we propose a new technique that allows us to to construct a non-malleable protocol with only a single ``slot\", and to improve in at least one aspect over each of the previously proposed protocols. Two direct byproducts of our new ideas are a four round non-malleable commitment and a four round non-malleable zero-knowledge argument, the latter matching the round complexity of the best known zero-knowledge argument (without the non-malleability requirement). The protocols are based on the existence of one-way permutations (or alternatively one-way functions with an extra round) and admit very efficient instantiations via standard homomorphic commitments and sigma protocols.

Our analysis relies on algebraic reasoning, and makes use of error correcting codes in order to ensure that committers\' tags differ in many coordinates. One way of viewing our construction is as a method for combining many atomic sub-protocols in a way that simultaneously amplifies soundness and non-malleability, thus requiring much weaker guarantees to begin with, and resulting in a protocol which is much trimmer in complexity compared to the existing ones.

*09:17* [Pub][ePrint]
Non-interactive zero-knowledge proofs in the quantum random oracle model, by Dominique Unruh
We present a construction for non-interactive zero-knowledge proofs ofknowledge in the random oracle model from general sigma-protocols. Our

construction is secure against quantum adversaries. Prior

constructions (by Fiat-Shamir and by Fischlin) are only known to be

secure against classical adversaries, and Ambainis, Rosmanis, Unruh

(FOCS 2014) gave evidence that those constructions might not be secure

against quantum adversaries in general.

To prove security of our constructions, we additionally develop new

techniques for adaptively programming the quantum random oracle.