[digest] 2024 Week 43

Liste des GroupesRevenir à s crypt 
Sujet : [digest] 2024 Week 43
De : noreply (at) *nospam* example.invalid (IACR ePrint Archive)
Groupes : sci.crypt
Date : 28. Oct 2024, 03:31:46
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <j3PDRgMT-p1xRpwxERJQxEqBujDgiC4j@eprint.iacr.org.invalid>
## In this issue

1. [2024/761] Lattice-based Broadcast Authenticated Searchable ...
2. [2024/763] Incorporating SIS Problem into Luby-Rackoff Cipher
3. [2024/775] Spec-o-Scope: Cache Probing at Cache Speed
4. [2024/1575] Efficiently-Thresholdizable Batched Identity Based ...
5. [2024/1718] Drifting Towards Better Error Probabilities in ...
6. [2024/1719] Compact Pseudorandom Functional Encryption from ...
7. [2024/1720] Pseudorandom Multi-Input Functional Encryption and ...
8. [2024/1721] An Efficient Noncommutative NTRU from Semidirect ...
9. [2024/1722] Revisiting Fermat's Factorization Method
10. [2024/1723] Proving the Security of the Extended Summation- ...
11. [2024/1724] Straight-Line Knowledge Extraction for Multi-Round ...
12. [2024/1725] PISA: Privacy-Preserving Smart Parking
13. [2024/1726] Certified Randomness implies Secure Classical ...
14. [2024/1727] (Quantum) Indifferentiability and Pre-Computation
15. [2024/1728] On Key Substitution Attacks against Aggregate ...
16. [2024/1729] cuTraNTT: A Novel Transposed Number Theoretic ...
17. [2024/1730] Secure and Efficient Outsourced Matrix ...
18. [2024/1731] Arc: Accumulation for Reed--Solomon Codes
19. [2024/1732] Radical 2-isogenies and cryptographic hash ...
20. [2024/1733] One Time Pad and the Short Key Dream
21. [2024/1734] Optimizing Message Range and Ciphertext Storage in ...
22. [2024/1735] The Mysteries of LRA: Roots and Progresses in Side- ...
23. [2024/1736] A graph-theoretic approach to analyzing decoding ...
24. [2024/1737] Embedded Curves and Embedded Families for SNARK- ...
25. [2024/1738] More Efficient Isogeny Proofs of Knowledge via ...
26. [2024/1739] Provably Robust Watermarks for Open-Source Language ...
27. [2024/1740] OpenNTT: An Automated Toolchain for Compiling High- ...
28. [2024/1741] The Learning Stabilizers with Noise problem
29. [2024/1742] Pseudorandom Obfuscation and Applications
30. [2024/1743] The Window Heuristic: Automating Differential Trail ...
31. [2024/1744] PEARL-SCALLOP: Parameter Extension Applicable in ...
32. [2024/1745] Pseudorandomness in the (Inverseless) Haar Random ...

## 2024/761

* Title: Lattice-based Broadcast Authenticated Searchable Encryption for Cloud Storage
* Authors: Yibo Cao, Shiyuan Xu, Xiu-Bo Chen, Gang Xu, Siu-Ming Yiu, Zongpeng Li
* [Permalink](https://eprint.iacr.org/2024/761)
* [Download](https://eprint.iacr.org/2024/761.pdf)

### Abstract

For security issue, data in cloud is encrypted. Searching encrypted data (without decryption) is a practical and important problem. Public key authenticated encryption with keyword search (PAEKS) enables the retrieval of encrypted data, while resisting the insider keyword guessing attacks (IKGAs). Most PAEKS schemes only work with single-receiver model, exhibiting very limited applicability. To address this concern, there have been researches on broadcast authenticated encryption with keyword search (BAEKS) to achieve multi-receiver ciphertext search. But to our best knowledge, existing BAEKS schemes are not quantum resistant. In this paper, we propose lattice-based BAEKS, the first post-quantum broadcast authenticated encryption with keyword search in multi-receiver model. In particular, we leverage several lattice sampling algorithms and rejection sampling technique to construct our BAEKS scheme. We also incorporate the minimal cover set technique and lattice basis extension algorithm to construct an enhanced version, namely FS-BAEKS, which addresses the secret key leakage problem. We give a rigorous security analysis of our schemes. For the efficiency of BAEKS and Test algorithms in our BAEKS scheme, the computational overheads are at least 2x and 89x faster than the state-of-the-art schemes respectively, which is practical for cloud storage systems.



## 2024/763

* Title: Incorporating SIS Problem into Luby-Rackoff Cipher
* Authors: Yu Morishima, Masahiro Kaminaga
* [Permalink](https://eprint.iacr.org/2024/763)
* [Download](https://eprint.iacr.org/2024/763.pdf)

### Abstract

With the rise of quantum computing, the security of traditional cryptographic systems, especially those vulnerable to quantum attacks, is under threat. While public key cryptography has been widely studied in post-quantum security, symmetric-key cryptography has received less attention. This paper explores using the Ajtai-Micciancio hash function, based on the Short Integer Solution (SIS) problem, as a pseudorandom function in the Luby-Rackoff cipher. Since lattice-based problems like SIS are believed to resist quantum algorithms, this approach provides the potential for a quantum-resistant block cipher. We also propose a novel statistical method based on the Generalized Extreme Value distribution to evaluate the number of secure rounds and resistance to differential cryptanalysis.



## 2024/775

* Title: Spec-o-Scope: Cache Probing at Cache Speed
* Authors: Gal Horowitz, Eyal Ronen, Yuval Yarom
* [Permalink](https://eprint.iacr.org/2024/775)
* [Download](https://eprint.iacr.org/2024/775.pdf)

### Abstract

Over the last two decades, microarchitectural side channels have been the focus of a large body of research on the development of new attack techniques, exploiting them to attack various classes of targets and designing mitigations.. One line of work focuses on increasing the speed of the attacks, achieving higher levels of temporal resolution that can allow attackers to learn finer-grained information. The most recent addition to this line of work is Prime+Scope [CCS '21], which only requires a single access to the L1 cache to confirm the absence of victim activity in a cache set. While significantly faster than prior attacks, Prime+Scope is still an order of magnitude slower than cache access. In this work, we set out to close this gap.

We draw on techniques from research into microarchitectural weird gates, software constructs that exploit transient execution to perform arbitrary computation on cache state. We design the Spec-o-Scope gate, a new weird gate that performs 10 cache probes in quick succession, and forms the basis for our eponymous attack. Our Spec-o-Scope attack achieves an order of magnitude improvement in temporal resolution compared to the previous state-of-the-art of Prime+Scope, reducing the measurement time from ~70 cycles to only 5 --- only one cycle more than an L1 cache access. We experimentally verify that our attack can detect timing differences in a 5 cycle resolution. Finally, using our Spec-o-Scope attack, we show the first microarchitectural side-channel attack on an unmodified AES S-box-based implementation, which uses generic CPU features and does not require manipulation of the operating system's scheduler.



## 2024/1575

* Title: Efficiently-Thresholdizable Batched Identity Based Encryption, with Applications
* Authors: Amit Agarwal, Rex Fernando, Benny Pinkas
* [Permalink](https://eprint.iacr.org/2024/1575)
* [Download](https://eprint.iacr.org/2024/1575.pdf)

### Abstract

We propose a new cryptographic primitive called "batched identity-based encryption" (Batched IBE) and its thresholdized version. The new primitive allows encrypting messages with specific identities and batch labels, where the latter can represent, for example, a block number on a blockchain. Given an arbitrary subset of identities for a particular batch, our primitive enables efficient issuance of a single decryption key that can be used to decrypt all ciphertexts having identities that are included in the subset while preserving the privacy of all ciphertexts having identities that are excluded from the subset. At the heart of our construction is a new technique that enables public aggregation (i.e. without knowledge of any secrets) of any subset of identities, into a succinct digest. This digest is used to derive, via a master secret key, a single succinct decryption key for all the identities that were digested in this batch. In a threshold system, where the master key is distributed as secret shares among multiple authorities, our method significantly reduces the communication (and in some cases, computation) overhead for the authorities. It achieves this by making their costs for key issuance independent of the batch size.

We present a concrete instantiation of a Batched IBE scheme based on the KZG polynomial commitment scheme by Kate et al. (Asiacrypt'10) and a modified form of the BLS signature scheme by Boneh et al. (Asiacrypt'01). The construction is proven secure in the generic group model (GGM).

In a blockchain setting, the new construction can be used for achieving mempool privacy by encrypting transactions to a block, opening only the transactions included in a given block and hiding the transactions that are not included in it.  With the thresholdized version,  multiple authorities (validators) can collaboratively manage the decryption process.  Other possible applications include scalable support via blockchain for fairness of dishonest majority MPC, and conditional batched threshold decryption that can be used for implementing secure Dutch auctions and privacy preserving options trading.



## 2024/1718

* Title: Drifting Towards Better Error Probabilities in Fully Homomorphic Encryption Schemes
* Authors: Olivier Bernard, Marc Joye, Nigel P. Smart, Michael Walter
* [Permalink](https://eprint.iacr.org/2024/1718)
* [Download](https://eprint.iacr.org/2024/1718.pdf)

### Abstract

There are two security notions for FHE schemes the traditional notion of IND-CPA, and a more stringent notion of IND-CPA$^D$.  The notions are equivalent if the FHE schemes are perfectly correct, however for schemes with negligible failure probability the FHE parameters needed to obtain IND-CPA$^D$ security can be much larger than those needed to obtain IND-CPA security.  This paper uses the notion of ciphertext drift in order to understand the practical difference between IND-CPA and IND-CPA$^D$ security in schemes such as FHEW, TFHE and FINAL.  This notion allows us to define a modulus switching operation (the main culprit for the difference in parameters) such that one does not require adapting IND-CPA cryptographic parameters to meet the IND-CPA$^D$ security level. Further, the extra cost incurred by the new techniques has no noticeable performance impact in practical applications.  The paper also formally defines a stronger version for IND-CPA$^D$ security called sIND-CPA$^D$, which is proved to be strictly separated from the IND-CPA$^D$ notion.  Criterion for turning an IND-CPA$^D$ secure public-key encryption into an sIND-CPA$^D$ one is also provided.



## 2024/1719

* Title: Compact Pseudorandom Functional Encryption from Evasive LWE
* Authors: Shweta Agrawal, Simran Kumari, Shota Yamada
* [Permalink](https://eprint.iacr.org/2024/1719)
* [Download](https://eprint.iacr.org/2024/1719.pdf)

### Abstract

We provide the first construction of compact Functional Encryption (FE) for pseudorandom functionalities from the evasive LWE and LWE assumptions. Intuitively, a pseudorandom functionality means that the output of the circuit is indistinguishable from uniform for every input seen by the adversary. This yields the first compact FE for a nontrivial class of functions which does not rely on pairings.

We demonstrate the power of our new tool by using it to achieve optimal parameters for both key-policy and ciphertext-policy Attribute Based Encryption (ABE) schemes for circuits of unbounded depth, from just the LWE and evasive LWE assumptions. This improves prior work along the twin axes of assumptions and performance. In more detail, this allows to: (i) replace the assumption of circular evasive LWE used in the work of Hseih, Lin and Luo (FOCS 2023) by plain evasive LWE, (ii) remove the need for the circular tensor LWE assumption in the work of Agrawal, Kumari and Yamada (CRYPTO, 2024), (iii) improve parameters obtained by both aforementioned works to achieve asymptotic optimality.

Previously, optimal parameters for ABE schemes were only achieved using compact FE for P (Jain, Lin and Luo, Eurocrypt 2023) – we show that compact FE for a much weaker class (albeit with incomparable security) suffices. Thus we obtain the first optimal ABE schemes for unbounded depth circuits which can be conjectured post-quantum secure. Along the way, we define and construct a new primitive which we term laconic pseudorandom obfuscation from the same assumptions – this may be of independent interest.



## 2024/1720

* Title: Pseudorandom Multi-Input Functional Encryption and Applications
* Authors: Shweta Agrawal, Simran Kumari, Shota Yamada
* [Permalink](https://eprint.iacr.org/2024/1720)
* [Download](https://eprint.iacr.org/2024/1720.pdf)

### Abstract

We construct the first multi-input functional encryption (MIFE) and indistinguishability obfuscation (iO) schemes for pseudorandom functionalities, where the output of the functionality is pseudorandom for every input seen by the adversary. Our MIFE scheme relies on LWE and evasive LWE (Wee, Eurocrypt 2022 and Tsabary, Crypto 2022) for constant arity functions, and a strengthening of evasive LWE for polynomial arity. Thus, we obtain the first MIFE and iO schemes for a nontrivial functionality from conjectured post-quantum assumptions.

Along the way, we identify subtle issues in the proof of witness encryption from evasive LWE by prior work and believe that a similar strengthening of evasive LWE should also be required for their proof, for the same reasons as ours. We demonstrate the power of our new tools via the following applications:

1. Multi Input Predicate Encryption for Constant Arity. Assuming evasive LWE and LWE, we construct a multi-input predicate encryption scheme (MIPE) for P, supporting constant arity. The only prior work to support MIPE for P with constant arity by Agrawal et al. (Crypto, 2023) relies on a strengthening of Tensor LWE in addition to LWE and evasive LWE.

2. Multi Input Predicate Encryption for Polynomial Arity. Assuming a stronger variant of evasive LWE and LWE, we construct MIPE for P for polynomial arity.. MIPE for polynomial arity supporting P was not known before, to the best of our knowledge.

3. Two Party ID Based Key Exchange. Assuming a stronger variant of evasive LWE and LWE, along with Decision Bilinear Diffie-Hellman, we provide the first two-party ID based Non-Interactive Key Exchange (ID-NIKE) scheme in the standard model. This leads to the first ID-NIKE in the standard model without using multilinear maps or indistinguishability obfuscation.

4. Instantiating the Random Oracle. We use our pseudorandom iO to instantiate the random oracle in several applications that previously used iO (Hohenberger, Sahai and Waters, Eurocrypt 2014) such as full-domain hash signature based on trapdoor permutations and more.

Our tools of MIFE and iO for pseudorandom functionalities appear quite powerful and yield extremely simple constructions when used in applications. We believe they provide a new pathway for basing “extreme” cryptography, which has so far required full fledged iO, on the presumably weaker evasive LWE in the post quantum regime.



## 2024/1721

* Title: An Efficient Noncommutative NTRU from Semidirect Product
* Authors: Vikas Kumar, Ali Raya, Aditi Kar Gangopadhyay, Sugata Gangopadhyay, Md Tarique Hussain
* [Permalink](https://eprint.iacr.org/2024/1721)
* [Download](https://eprint.iacr.org/2024/1721.pdf)

### Abstract

NTRU is one of the most extensively studied lattice-based schemes. Its flexible design has inspired different proposals constructed over different rings, with some aiming to enhance security and others focusing on improving performance. The literature has introduced a line of noncommutative NTRU-like designs that claim to offer greater resistance to existing attacks. However, most of these proposals are either theoretical or fall short in terms of time and memory requirements when compared to standard NTRU. To our knowledge, DiTRU (Africacrypt 2024) is the first noncommutative analog of NTRU provided as a complete package. Although DiTRU is practical, it operates at two times slower than NTRU with no decryption failure. Additionally, key generation, encryption, and decryption are 1.2, 1.7, and 1.7 times slower, respectively, with negligible decryption failure. In this work, we introduce a noncommutative version of NTRU that offers comparable performance and key sizes to NTRU while improving upon DiTRU. Our cryptosystem is based on the GR-NTRU framework, utilizing the group ring of a semidirect product of cyclic groups over the ring of Eisenstein integers. This design allows for an efficient construction with key generation speeds approximately two (three) times faster than NTRU (DiTRU). Further, the proposed scheme provides roughly a speed-up by a factor of 1.2 (2) while encrypting/decrypting messages of the same length over NTRU (DiTRU). We provide a reference implementation in C for the proposed cryptosystem to prove our claims.



## 2024/1722

* Title: Revisiting Fermat's Factorization Method
* Authors: Gajraj Kuldeep, Rune Hylsberg Jacobsen
* [Permalink](https://eprint.iacr.org/2024/1722)
* [Download](https://eprint.iacr.org/2024/1722.pdf)

### Abstract

This paper addresses the problem of factoring composite numbers by introducing a novel approach to represent their prime divisors. We develop a method to efficiently identify smaller divisors based on the difference between the primes involved in forming the composite number. Building on these insights, we propose an algorithm that significantly reduces the computational complexity of factoring, requiring half as many iterations as traditional quadratic residue-based methods. The presented algorithm offers a more efficient solution for factoring composite numbers, with potential applications in fields such as cryptography and computational number theory.



## 2024/1723

* Title: Proving the Security of the Extended Summation-Truncation Hybrid
* Authors: Avijit Dutta, Eik List
* [Permalink](https://eprint.iacr.org/2024/1723)
* [Download](https://eprint.iacr.org/2024/1723.pdf)

### Abstract

Since designing a dedicated secure symmetric PRF is difficult, various works studied optimally secure PRFs from the sum of independent permutations (SoP).
At CRYPTO'20, Gunsing and Mennink proposed the Summation-Truncation Hybrid (STH).
While based on SoP, STH releases additional $a \leq n$ bits of the permutation calls and sums $n-a$ bits of them.
Thus, it produces $n+a$ bits at $O(n-a/2)$-bit PRF security.
Both SoP or STH can be used directly in encryption schemes or MACs in place of permutation calls for higher security.
However, simply replacing every call as in GCM-SIV$r$ would demand more calls.

For encryption schemes, Iwata's XORP scheme is long known to provide a better trade-off between efficiency and security. It extends SoP to variable-length-outputs by using $r+1$ calls to a block cipher where the output of one call is added to each of the other $r$ outputs.
A similar extension can be conducted for STH that we call XTH, the XORP-Truncation Hybrid.
Such an extension was already suggested in the final discussion by Gunsing and Mennink, but left as an open problem. This work fills the gap by formalizing and proving the security of XTH.
For a rate of $r/(r+1)$ as in XORP, we show $O(n-a/2-1.5\log(r))$-bit security for XTH.



## 2024/1724

* Title: Straight-Line Knowledge Extraction for Multi-Round Protocols
* Authors: Lior Rotem, Stefano Tessaro
* [Permalink](https://eprint.iacr.org/2024/1724)
* [Download](https://eprint.iacr.org/2024/1724.pdf)

### Abstract

The Fiat-Shamir (FS) transform is the standard approach to compiling interactive proofs into non-interactive ones. However, the fact that knowledge extraction typically requires rewinding limits its applicability without having to rely on further heuristic conjectures. A better alternative is a transform that guarantees straight-line knowledge extraction. Two such transforms were given by Pass (CRYPTO '03) and Fischlin (CRYPTO '05), respectively, with the latter giving the most practical parameters. Pass's approach, which is based on cut-and-choose, was also adapted by Unruh (EUROCRYPT '12, '14, '15) to the quantum setting, where rewinding poses a different set of challenges.  All of these transforms are tailored at the case of three-round Sigma protocols, and do not apply to a number of popular paradigms for building succinct proofs (e.g., those based on folding or sumcheck) which rely on multi-round protocols.

This work initiates the study of transforms with straight-line knowledge extraction for multi-round protocols. We give two transforms, which can be thought of as multi-round analogues of those by Fischlin and Pass. Our first transform leads to more efficient proofs, but its usage applies to a smaller class of protocols than the latter one. Our second transform also admits a proof of security in the Quantum Random Oracle Model (QROM), making it the first transform for multi-round protocols which does not incur the super-polynomial security loss affecting the existing QROM analysis of the FS transform (Don et al., CRYPTO '20).



## 2024/1725

* Title: PISA: Privacy-Preserving Smart Parking
* Authors: Sayon Duttagupta, Dave Singelée
* [Permalink](https://eprint.iacr.org/2024/1725)
* [Download](https://eprint.iacr.org/2024/1725.pdf)

### Abstract

In recent years, urban areas have experienced a rapid increase in vehicle numbers, while the availability of parking spaces has remained largely static, leading to a significant shortage of parking spots. This shortage creates considerable inconvenience for drivers and contributes to traffic congestion. A viable solution is the temporary use of private parking spaces by homeowners during their absence, providing a means to alleviate the parking problem and generate additional income for the owners. However, current systems for sharing parking spaces often neglect security and privacy concerns, exposing users to potential risks.
This paper presents PISA, a novel Privacy-Preserving Smart Parking scheme designed to address these issues through a cryptographically secure protocol. PISA enables the anonymous sharing of parking spots and allows vehicle owners to park without revealing any personal identifiers. Our primary contributions include the development of a comprehensive bi-directional anonymity framework that ensures neither party can identify the other, and the use of formal verification methods to substantiate the soundness and reliability of our security measures. Unlike existing solutions, which often lack a security focus, fail to provide formal validation, or are computationally intensive, PISA is designed to be both secure and efficient.



## 2024/1726

* Title: Certified Randomness implies Secure Classical Position-Verification
* Authors: Omar Amer, Kaushik Chakraborty, David Cui, Fatih Kaleoglu, Charles Lim, Minzhao Liu, Marco Pistoia
* [Permalink](https://eprint.iacr.org/2024/1726)
* [Download](https://eprint.iacr.org/2024/1726.pdf)

### Abstract

Liu et al. (ITCS22) initiated the study of designing a secure position verification protocol based on a specific proof of quantumness protocol and classical communication. In this paper, we study this interesting topic further and answer some of the open questions that are left in that paper. We provide a new generic compiler that can convert any single round proof of quantumness-based certified randomness protocol to a secure classical communication-based position verification scheme. Later, we extend our compiler to different kinds of multi-round proof of quantumness-based certified randomness protocols. Moreover, we instantiate our compiler with a random circuit sampling (RCS)-based certified randomness protocol proposed by Aaronson and Hung (STOC 23). RCS-based techniques are within reach of today's NISQ devices; therefore, our design overcomes the limitation of the Liu et al. protocol that would require a fault-tolerant quantum computer to realize. Moreover, this is one of the first cryptographic applications of RCS-based techniques other than certified randomness.



## 2024/1727

* Title: (Quantum) Indifferentiability and Pre-Computation
* Authors: Joseph Carolan, Alexander Poremba, Mark Zhandry
* [Permalink](https://eprint.iacr.org/2024/1727)
* [Download](https://eprint.iacr.org/2024/1727.pdf)

### Abstract

Indifferentiability is a popular cryptographic paradigm for analyzing the security of ideal objects---both in a classical as well as in a quantum world. It is typically stated in the form of a composable and simulation-based definition, and captures what it means for a construction (e.g., a cryptographic hash function) to be ``as good as'' an ideal object (e.g., a random oracle). Despite its strength, indifferentiability is not known to offer security against pre-processin} attacks in which the adversary gains access to (classical or quantum) advice that is relevant to the particular construction.  In this work, we show that indifferentiability is (generically) insufficient for capturing pre-computation. To accommodate this shortcoming, we propose a strengthening of indifferentiability which is not only composable but also takes arbitrary pre-computation into account. As an application, we show that the one-round sponge is indifferentiable (with pre-computation) from a random oracle. This yields the first (and tight) classical/quantum space-time trade-off for one-round sponge inversion.



## 2024/1728

* Title: On Key Substitution Attacks against Aggregate Signatures and Multi-Signatures
* Authors: Yuuki Fujita, Yusuke Sakai, Kyosuke Yamashita, Goichiro Hanaoka
* [Permalink](https://eprint.iacr.org/2024/1728)
* [Download](https://eprint.iacr.org/2024/1728.pdf)

### Abstract

When we use signature schemes in practice, we sometimes should consider security beyond unforgeability.
This paper considers security against key substitution attacks of multi-signer signatures (i.e., aggregate signatures and multi-signatures).
Intuitively, this security property ensures that a malicious party cannot claim the ownership of a signature that is created by an honest signer.
We investigate security against key substitution attacks of a wide range of aggregate signature schemes and multi-signature schemes: the Boneh-Gentry-Lynn-Shacham aggregate signature scheme, the sequential aggregate signature scheme by Lysyanskaya et al., the multi-signature scheme by Bellare and Neven, MuSig2, and the ordered multi-signature scheme by Boldyreva et al.
Furthermore, if the scheme does not provide security against key substitution attacks, then we modify the scheme to become secure against the attacks.



## 2024/1729

* Title: cuTraNTT: A Novel Transposed Number Theoretic Transform Targeting Low Latency Homomorphic Encryption for IoT Applications
* Authors: Supriya Adhikary, Wai Kong Lee, Angshuman Karmakar, Yongwoo Lee, Seong Oun Hwang, Ramachandra Achar
* [Permalink](https://eprint.iacr.org/2024/1729)
* [Download](https://eprint.iacr.org/2024/1729.pdf)

### Abstract

Large polynomial multiplication is one of the computational bottlenecks in fully homomorphic encryption implementations. Usually, these multiplications are implemented using the number-theoretic transformation to speed up the computation. State-of-the-art GPU-based implementation of fully homomorphic encryption computes the number theoretic transformation in two different kernels, due to the necessary synchronization between GPU blocks to ensure correctness in computation. This can be a serious limitation in embedded systems that only have constrained computational resources to support the time-consuming homomorphic encryption. In this paper, we proposed a series of techniques to improve the performance of number theoretic transform targeting homomorphic encryption on a GPU device. Firstly, we proposed to arrange the polynomials in a transposed manner and skip the last two levels of radix-4 number theoretic transformation, allowing us to completely
avoid the block synchronization in NTT implementation. This technique improved the performance of homomorphic encryption by 1.37× and 1.34× on RTX 4060 and Jetson Orin Nano respectively, compared to the conventional approach that uses full NTT without skipping any levels. However, such an approach also introduces extra overhead in the subsequent point-wise multiplication, which slows down the homomorphic multiplication. To reduce this negative impact, a fast 16 × 16 point-wise
multiplication implementation was proposed, which relies on the heavily optimized Toom-Cook 4-way algorithm. Experimental results show that our proposed homomorphic multiplication can achieve similar latency compared to Jung et al. and Yang et al., which are the best results to date. This shows that the proposed cuTraNTT is able to reduce the latency of homomorphic encryption without sacrificing the performance in homomorphic multiplication.



## 2024/1730

* Title: Secure and Efficient Outsourced Matrix Multiplication with Homomorphic Encryption
* Authors: Aikata Aikata, Sujoy Sinha Roy
* [Permalink](https://eprint.iacr.org/2024/1730)
* [Download](https://eprint.iacr.org/2024/1730.pdf)

### Abstract

Fully Homomorphic Encryption (FHE) is a promising privacy-enhancing technique that enables secure and private data processing on untrusted servers, such as privacy-preserving neural network (NN) evaluations. However, its practical application presents significant challenges. Limitations in how data is stored within homomorphic ciphertexts and restrictions on the types of operations that can be performed create computational bottlenecks. As a result, a growing body of research focuses on optimizing existing evaluation techniques for efficient execution in the homomorphic domain.

One key operation in this space is matrix multiplication, which forms the foundation of most neural networks. Several studies have even proposed new FHE schemes specifically to accelerate this operation. The optimization of matrix multiplication is also the primary goal of our work. We leverage the Single Instruction Multiple Data (SIMD) capabilities of FHE to increase data packing and significantly reduce the KeySwitch operation count— an expensive low-level routine in homomorphic encryption. By minimizing KeySwitching, we surpass current state-of-the-art solutions, requiring only a minimal multiplicative depth of two.

The best-known complexity for matrix multiplication at this depth is $\mathcal{O}(d)$ for matrices of size  $d\times d$. Remarkably, even the leading techniques that require a multiplicative depth of three still incur a KeySwitch complexity of $\mathcal{O}(d)$. In contrast, our method reduces this complexity to $\mathcal{O}(\log{d})$ while maintaining the same level of data packing. Our solution broadly applies to all FHE schemes supporting Single Instruction Multiple Data (SIMD) operations.
We further generalize the technique in two directions: allowing arbitrary packing availability and extending it to rectangular matrices. This versatile approach offers significant improvements in matrix multiplication performance and enables faster evaluation of privacy-preserving neural network applications.



## 2024/1731

* Title: Arc: Accumulation for Reed--Solomon Codes
* Authors: Benedikt Bünz, Pratyush Mishra, Wilson Nguyen, William Wang
* [Permalink](https://eprint.iacr.org/2024/1731)
* [Download](https://eprint.iacr.org/2024/1731.pdf)

### Abstract

Proof-Carrying Data (PCD) is a foundational tool for ensuring the correctness of incremental distributed computations that has found numerous applications in theory and practice. The state-of-the-art PCD constructions are obtained via accumulation or folding schemes. Unfortunately, almost all known constructions of accumulation schemes rely on homomorphic vector commitments (VCs), which results in relatively high computational costs and insecurity in the face of quantum adversaries. A recent work of Bünz, Mishra, Nguyen, and Wang removes the dependence on homomorphic VCs by relying only on the random oracle model, but introduces a bound on the number of consecutive accumulation steps, which in turn bounds the depth of the PCD computation graph and greatly affects prover and verifier efficiency.

In this work, we propose Arc, a novel hash-based accumulation scheme that overcomes this restriction and supports an unbounded number of accumulation steps. The core building block underlying Arc is a new accumulation scheme for claims about proximity of claimed codewords to the Reed--Solomon code. Our approach achieves near-optimal efficiency, requiring a small number of Merkle tree openings relative to the code rate, and avoids the efficiency loss associated with bounded accumulation depth. Unlike prior work, our scheme is also able to accumulate claims up to list-decoding radius, resulting in concrete efficiency improvements.

We use this accumulation scheme to construct two distinct accumulation schemes, again relying solely on random oracles. The first approach accumulates RS proximity claims and can be used as an almost-drop-in replacement in existing PCD deployments based on IOP-based SNARKs.
The second approach directly constructs an accumulation scheme for rank-1 constraint systems (and more generally polynomial constraint systems) that is simpler and more efficient than the former and prior approaches.

We introduce the notion of Interactive Oracle Reductions (IORs) to enable a modular and simple security analysis. These extend prior notions of Reductions of Knowledge to the setting of IOPs.



## 2024/1732

* Title: Radical 2-isogenies and cryptographic hash functions in dimensions 1, 2 and 3
* Authors: Sabrina Kunzweiler, Luciano Maino, Tomoki Moriya, Christophe Petit, Giacomo Pope, Damien Robert, Miha Stopar, Yan Bo Ti
* [Permalink](https://eprint.iacr.org/2024/1732)
* [Download](https://eprint.iacr.org/2024/1732.pdf)

### Abstract

We provide explicit descriptions for radical 2-isogenies in dimensions
one, two and three using theta coordinates. These formulas allow us to efficiently
navigate in the corresponding isogeny graphs.
As an application of this, we implement different versions of the CGL hash func-
tion. Notably, the three-dimensional version is fastest, which demonstrates yet
another potential of using higher dimensional isogeny graphs in cryptography.



## 2024/1733

* Title: One Time Pad and the Short Key Dream
* Authors: Umberto Cerruti
* [Permalink](https://eprint.iacr.org/2024/1733)
* [Download](https://eprint.iacr.org/2024/1733.pdf)

### Abstract

This is a survey on the One Time Pad (OTP) and its derivatives, from its origins to modern times. OTP, if used correctly, is (the only) cryptographic code that no computing power, present or future, can break. Naturally, the discussion shifts to the creation of long random sequences, starting from short ones, which can be easily shared. We could call it the Short Key Dream. Many problems inevitably arise, which affect many fields of computer science, mathematics and knowledge in general. This work presents a vast bibliography that includes fundamental classical works and current papers on randomness, pseudorandom number generators, compressibility, unpredictability and more.



## 2024/1734

* Title: Optimizing Message Range and Ciphertext Storage in GSW Encryption Using CRT and PVW-like Compression Scheme
* Authors: Kung-Wei Hu, Huan-Chih Wang, Ja-Ling Wu
* [Permalink](https://eprint.iacr.org/2024/1734)
* [Download](https://eprint.iacr.org/2024/1734.pdf)

### Abstract

This paper explores advancements in the Gentry-Sahai-Waters (GSW) fully homomorphic encryption scheme, addressing challenges related to message data range limitations and ciphertext size constraints. We introduce a novel approach utilizing the Chinese Remainder Theorem (CRT) for message decomposition, significantly expanding the allowable message range to the entire plaintext space. This method enables unrestricted message selection and supports parallel homomorphic operations without intermediate decryption. Additionally, we adapt existing ciphertext compression techniques, such as the PVW-like scheme, to reduce memory overhead associated with ciphertexts. Our experimental results demonstrate the effectiveness of the CRT-based decomposition in increasing the upper bound of message values and improving the scheme's capacity for consecutive homomorphic operations. However, compression introduces a trade-off, necessitating a reduced message range due to error accumulation. This research contributes to enhancing the practicality and efficiency of the GSW encryption scheme for complex computational scenarios while managing the balance between expanded message range, computational complexity, and storage requirements.



## 2024/1735

* Title: The Mysteries of LRA: Roots and Progresses in Side-channel Applications
* Authors: Jiangshan Long, Changhai Ou, Zhu Wang, Fan Zhang
* [Permalink](https://eprint.iacr.org/2024/1735)
* [Download](https://eprint.iacr.org/2024/1735.pdf)

### Abstract

Evaluation of cryptographic implementations with respect to side-channels has been mandated at high security levels nowadays. Typically, the evaluation involves four stages: detection, modeling, certification and secret recovery. In pursuit of specific goal at each stage, inherently different techniques used to be considered necessary. However, since the recent works of Eurocrypt2022 and Eurocrypt2024, linear regression analysis (LRA) has uniquely become the technique that is well-applied throughout all the stages. In this paper, we concentrate on this silver bullet technique within the field of side-channel. First, we address the fundamental problems of why and how to use LRA. The discussion of nominal and binary nature explains its strong applicability. To sustain effective outcomes, we provide in-depth analyses about the design matrix, regarding the sample distribution of plaintext and the chosen polynomial degree. We summarize ideal conditions that totally avoid multicollinearity problem, and explore the novel evaluator-advantageous property of LRA by means of model diagnosis. Then, we trace the roots where we theoretically elaborate its connections with traditional side-channel techniques, including Correlation Power Analysis (CPA), Distance-of-Means analysis (DoM) and Partition Power Analysis (PPA), in terms of regression coefficients, regression model and coefficient of determination. Finally, we probe into the state-of-the-art combined LRA with the so-called collapse function, demonstrating its relationship with another refined technique, G-DoM. We argue that properly relaxing the definition of bit groups equally satisfies our conclusions. Experimental results are in line with the theory, confirming its correctness.



## 2024/1736

* Title: A graph-theoretic approach to analyzing decoding failures of BIKE
* Authors: Sarah Arpin, Tyler Raven Billingsley, Daniel Rayor Hast, Jun Bo Lau, Ray Perlner, Angela Robinson
* [Permalink](https://eprint.iacr.org/2024/1736)
* [Download](https://eprint.iacr.org/2024/1736.pdf)

### Abstract

We present experimental findings on the decoding failure rate (DFR) of BIKE, a fourth-round candidate in the NIST Post-Quantum Standardization process, at the 20-bit security level using graph-theoretic approaches.  We select parameters according to BIKE design principles and conduct a series of experiments using Rust to generate significantly more decoding failure instances than in prior work using SageMath.  For each decoding failure, we study the internal state of the decoder at each iteration and find that for 97% of decoding failures at block size $r=587$, the decoder reaches a fixed point within 7 iterations.  We then consider the corresponding Tanner graphs of each decoding failure instance to determine whether the decoding failures are due to absorbing sets. We find that 81% of decoding failures at $r=587$ were caused by absorbing sets, and of these the majority were $(d,d)$-near codewords.



## 2024/1737

* Title: Embedded Curves and Embedded Families for SNARK-Friendly Curves
* Authors: Aurore Guillevic, Simon Masson
* [Permalink](https://eprint.iacr.org/2024/1737)
* [Download](https://eprint.iacr.org/2024/1737.pdf)

### Abstract

Based on the CM method for primality testing (ECPP) by Atkin and Morain published in 1993, we present two algorithms: one to generate embedded elliptic curves of SNARK-friendly curves, with a variable discriminant D; and another to generate families (parameterized by polynomials) with a fixed discriminant D.. When D = 3 mod 4, it is possible to obtain a prime-order curve, and form a cycle. We apply our technique first to generate more embedded curves like Bandersnatch with BLS12-381 and we propose a plain twist-secure cycle above BLS12-381 with D = 6673027. We also devise about the scarcity of Bandersnatch-like CM curves, and show that with our algorithm, it is only a question of core-hours to find them. Second, we obtain families of prime-order embedded curves of discriminant D = 3 for BLS and KSS18 curves. Our method obtains families of embedded curves above KSS16 and can work for any KSS family. Our work generalizes the work on Bandersnatch (Masson, Sanso, and Zhang, and Sanso and El Housni).



## 2024/1738

* Title: More Efficient Isogeny Proofs of Knowledge via Canonical Modular Polynomials
* Authors: Thomas den Hollander, Sören Kleine, Marzio Mula, Daniel Slamanig, Sebastian A. Spindler
* [Permalink](https://eprint.iacr.org/2024/1738)
* [Download](https://eprint.iacr.org/2024/1738.pdf)

### Abstract

Proving knowledge of a secret isogeny has recently been proposed as a means to generate supersingular elliptic curves of unknown endomorphism ring, but is equally important for cryptographic protocol design as well as for real world deployments. Recently, Cong, Lai and Levin (ACNS'23) have investigated the use of general-purpose (non-interactive) zero-knowledge proof systems for proving the knowledge of an isogeny of degree $2^k$ between supersingular elliptic curves. In particular, their approach is to model this relation via a sequence of $k$ successive steps of a walk in the supersingular isogeny graph and to show that the respective $j$-invariants are roots of the second modular polynomial. They then arithmetize this relation and show that this approach, when compared to state-of-the-art tailor-made proofs of knowledge by Basso et al. (EUROCRYPT'23), gives a 3-10$\times$ improvement in proof and verification times, with comparable proof sizes.

 In this paper we ask whether we can further improve the modular polynomial-based approach and generalize its application to primes ${\ell>2}$, as used in some recent isogeny-based constructions. We will answer these questions affirmatively, by designing efficient arithmetizations for each ${\ell \in \{2, 3, 5, 7, 13\}}$ that achieve an improvement over Cong, Lai and Levin of up to 48%.

 Our main technical tool and source of efficiency gains is to switch from classical modular polynomials to canonical modular polynomials. Adapting the well-known results on the former to the latter polynomials, however, is not straight-forward and requires some technical effort. We prove various interesting connections via novel use of resultant theory, and advance the understanding of canonical modular polynomials, which might be of independent interest.



## 2024/1739

* Title: Provably Robust Watermarks for Open-Source Language Models
* Authors: Miranda Christ, Sam Gunn, Tal Malkin, Mariana Raykova
* [Permalink](https://eprint.iacr.org/2024/1739)
* [Download](https://eprint.iacr.org/2024/1739.pdf)

### Abstract

The recent explosion of high-quality language models has necessitated new methods for identifying AI-generated text. Watermarking is a leading solution and could prove to be an essential tool in the age of generative AI. Existing approaches embed watermarks at inference and crucially rely on the large language model (LLM) specification and parameters being secret, which makes them inapplicable to the open-source setting. In this work, we introduce the first watermarking scheme for open-source LLMs. Our scheme works by modifying the parameters of the model, but the watermark can be detected from just the outputs of the model. Perhaps surprisingly, we prove that our watermarks are unremovable under certain assumptions about the adversary's knowledge. To demonstrate the behavior of our construction under concrete parameter instantiations, we present experimental results with OPT-6.7B and OPT-1.3B. We demonstrate robustness to both token substitution and perturbation of the model parameters.. We find that the stronger of these attacks, the model-perturbation attack, requires deteriorating the quality score to 0 out of 100 in order to bring the detection rate down to 50%.



## 2024/1740

* Title: OpenNTT: An Automated Toolchain for Compiling High-Performance NTT Accelerators in FHE
* Authors: Florian Krieger, Florian Hirner, Ahmet Can Mert, Sujoy Sinha Roy
* [Permalink](https://eprint.iacr.org/2024/1740)
* [Download](https://eprint.iacr.org/2024/1740.pdf)

### Abstract

Modern cryptographic techniques such as fully homomorphic encryption (FHE) have recently gained broad attention. Most of these cryptosystems rely on lattice problems wherein polynomial multiplication forms the computational bottleneck. A popular method to accelerate these polynomial multiplications is the Number-Theoretic Transformation (NTT). Recent works aim to improve the practical deployability of NTT and propose toolchains supporting the NTT hardware accelerator design processes. However, existing design tools do not provide on-the-fly twiddle factor generation (TFG) which leads to high memory demands. Inspired by this situation, we present OpenNTT, a fully automated, open-source framework to compile NTT hardware accelerators with TFG for various NTT types and parameter sets. We address the challenge of combining conflict-free memory accesses and efficient, linear twiddle factor generation through a dedicated NTT processing order. Following this order, we develop a flexible twiddle factor generation method with minimal memory usage. These core concepts together with a frequency-optimized hardware architecture form our OpenNTT framework. We use OpenNTT to compile and test NTT hardware designs with various parameter sets on FPGAs. The obtained results show a clear memory reduction due to TFG and a speedup by 2.7× in latency and 2.2× in area-time-product, compared to prior arts.



## 2024/1741

* Title: The Learning Stabilizers with Noise problem
* Authors: Alexander Poremba, Yihui Quek, Peter Shor
* [Permalink](https://eprint.iacr.org/2024/1741)
* [Download](https://eprint.iacr.org/2024/1741.pdf)

### Abstract

Random classical codes have good error correcting properties, and yet they are notoriously hard to decode in practice. Despite many decades of extensive study, the fastest known algorithms still run in exponential time. The Learning Parity with Noise (LPN) problem, which can be seen as the task of decoding a random linear code in the presence of noise, has thus emerged as a prominent hardness assumption with numerous applications in both cryptography and learning theory.

Is there a natural quantum analog of the LPN problem? In this work, we introduce the Learning Stabilizers with Noise (LSN) problem, the task of decoding a random stabilizer code in the presence of local depolarizing noise. We give both polynomial-time and exponential-time quantum algorithms for solving LSN in various depolarizing noise regimes, ranging from extremely low noise, to low constant noise rates, and even higher noise rates up to a threshold. Next, we provide concrete evidence that LSN is hard. First, we show that LSN includes LPN as a special case, which suggests that it is at least as hard as its classical counterpart. Second, we prove a worst-case to average-case reduction for variants of LSN. We then ask: what is the computational complexity of solving LSN? Because the task features quantum inputs, its complexity cannot be characterized by traditional complexity classes. Instead, we show that the LSN problem lies in a recently introduced (distributional and oracle) unitary synthesis class. Finally, we identify several applications of our LSN assumption, ranging from the construction of quantum bit commitment schemes to the computational limitations of learning from quantum data.



## 2024/1742

* Title: Pseudorandom Obfuscation and Applications
* Authors: Pedro Branco, Nico Döttling, Abhishek Jain, Giulio Malavolta, Surya Mathialagan, Spencer Peters, Vinod Vaikuntanathan
* [Permalink](https://eprint.iacr.org/2024/1742)
* [Download](https://eprint.iacr.org/2024/1742.pdf)

### Abstract

We introduce the notion of pseudorandom obfuscation (PRO), a way to obfuscate (keyed) pseudorandom functions $f_K$ in an average-case sense. We introduce several variants of pseudorandom obfuscation and show constructions and  applications. For some of our applications that can be achieved using full-fledged indistinguishability obfuscation (iO), we show constructions using lattice-based assumptions alone; the other applications we enable using PRO are simply not known even assuming iO. We briefly summarize our contributions below.

- Constructions of PRO: We show how to construct the strongest version of PRO, assuming the sub-exponential hardness of the learning with errors (LWE) problem, and of the evasive LWE problem (Wee, EUROCRYPT 2022; Tsabary, CRYPTO 2022).
   
- Applications outside the iO World: We show how to construct a succinct witness encryption scheme from PRO,  where the size of the ciphertext is independent of the witness size. Such a witness encryption scheme is not known to exist even assuming iO.
   
- Applications in the iO World: Our weakest variant of pseudorandom obfuscation, named obfuscation for identical pseudorandom functions (iPRO), is weaker than iO: rather than obfuscating arbitrary circuits as in iO, iPRO only obfuscates circuits computing pseudorandom functions. We show that iPRO already enables several applications of iO, such as unleveled fully homomorphic encryption (without assuming circular security) and succinct randomized encodings.

- From iPRO to iO: Despite being a seemingly weaker notion than iO, we show two pathways to constructing full-fledged iO from iPRO. Our first construction builds iO from iPRO and (standard assumptions on) cryptographic bilinear maps. Combined with our construction of iPRO, this gives us a construction of iO from a new combination of assumptions, namely LWE, evasive LWE and bilinear maps. Our second construction builds iO (and even ideal obfuscation) from iPRO in the pseudorandom oracle model (Jain, Lin, Luo and Wichs, CRYPTO 2023). To our knowledge, this is the first purely lattice-based, and hence plausibly post-quantum secure, construction of iO  with a proof of security from LWE and evasive LWE.

Finally, we highlight some barriers in achieving the strongest version of pseudorandom obfuscation.



## 2024/1743

* Title: The Window Heuristic: Automating Differential Trail Search in ARX Ciphers with Partial Linearization Trade-offs
* Authors: Emanuele Bellini, David GERAULT, Juan Grados, Thomas Peyrin
* [Permalink](https://eprint.iacr.org/2024/1743)
* [Download](https://eprint.iacr.org/2024/1743.pdf)

### Abstract

The search for optimal differential trails for ARX ciphers is known to be difficult and scale poorly as the word size (and the branching through the carries of modular additions) increases.To overcome this problem, one may approximate the modular addition with the XOR operation, a process called linearization. The immediate drawback of this approach is that many valid and good trails are discarded. In this work, we explore different partial linearization trade-offs to model the modular addition through the \emph{window heuristic}, which restricts carry propagation to windows of $w_s$ consecutive positions. This strategy
enables the exploration of full linearization ($w_s = 0$), normal modelling ($w_s = n$), and all the different trade-offs between completeness and speed in between.
We give the corresponding SAT and MILP model and their parallel versions, and apply them to \chachacore, \speckfamily, \leafamily, and \hightfamily. Our method greatly outperforms all previous modeling of modular addition.
In particular, we find the first differential path for 4 rounds of \chachacore with a probability greater than $2^{-256}$, and a corresponding 6 rounds boomerang distinguisher.
This indicates that purely differential-based attacks have the potential to become competitive with differential-linear attacks,
currently, the best-known attacks against \chachacore and other ARX ciphers.
Finally, we exhibit an improved key recovery attack on reduced \leafamily.



## 2024/1744

* Title: PEARL-SCALLOP: Parameter Extension Applicable in Real-Life SCALLOP
* Authors: Bill Allombert, Jean-François Biasse, Jonathan Komada Eriksen, Péter Kutas, Chris Leonardi, Aurel Page, Renate Scheidler, Márton Tot Bagi
* [Permalink](https://eprint.iacr.org/2024/1744)
* [Download](https://eprint.iacr.org/2024/1744.pdf)

### Abstract

A crucial ingredient for many cryptographic primitives such as key exchange protocols and advanced signature schemes is a commutative group action where the structure of the underlying group can be computed efficiently. SCALLOP provides such a group action, based on oriented supersingular elliptic curves.
We present PEARL-SCALLOP, a variant of SCALLOP that changes several parameter and design choices, thereby improving on both efficiency and security and enabling feasible parameter generation for larger security levels. Within the SCALLOP framework, our parameters are essentially optimal; the orientation is provided by a $2^e$-isogeny, where $2^e$ is roughly equal to the discriminant of the acting class group.

As an important subroutine we present a practical algorithm for generating oriented supersingular elliptic curves. To demonstrate our improvements, we provide a proof-of-concept implementation which instantiates PEARL-SCALLOP at all relevant security levels. Our timings are more than an order of magnitude faster than any previous implementation.



## 2024/1745

* Title: Pseudorandomness in the (Inverseless) Haar Random Oracle Model
* Authors: Prabhanjan Ananth, John Bostanci, Aditya Gulati, Yao-Ting Lin
* [Permalink](https://eprint.iacr.org/2024/1745)
* [Download](https://eprint.iacr.org/2024/1745.pdf)

### Abstract

We study the (in)feasibility of quantum pseudorandom notions in a quantum analog of the random oracle model, where all the parties, including the adversary, have oracle access to the same Haar random unitary. In this model, we show the following:

• (Unbounded-query secure) pseudorandom unitaries (PRU) exist. Moreover, the PRU construction makes two calls to the Haar oracle.

• We consider constructions of PRUs making a single call to the Haar oracle. In this setting, we show that unbounded-query security is impossible to achieve. We complement this result by showing that bounded-query secure PRUs do exist with a single query to the Haar oracle.

• We show that multi-copy pseudorandom state generators and function-like state generators (with classical query access), making a single call to the Haar oracle, exist.

Our results have two consequences: (a) when the Haar random unitary is instantiated suitably, our results present viable approaches for building quantum pseudorandom objects without relying upon one-way functions and, (b) for the first time, we show that the key length in pseudorandom unitaries can be generically shrunk (relative to the output length). Our results are also some of the first usecases of the new ``path recording'' formalism for Haar random unitaries, introduced in the recent breakthrough work of Ma and Huang.

Date Sujet#  Auteur
28 Oct 24 o [digest] 2024 Week 431IACR ePrint Archive

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal