CRYPTO WORKING GROUP
Friday, December 01, 2023

De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht

Program

10:45 - 11:30  Mario Marhuenda Beltran (RU)  Generic Security of the SAFE API and Its Applications
11:30 - 11:45  Coffee / tea break
11:45 - 12:30  Andreas Hülsing (TU/e)  SDitH in the QROM
12:30 - 14:00  Lunch break (lunch not included)
14:00 - 14:45  Yu-Hsuan Huang (CWI)  On the (In)Security of the BUFF Transform
14:45 - 15:00  Coffee / tea break
15:00 - 15:45  Fiona Weber (TU/e)  An Asymmetric Key-Update Mechanism for SDLSP

--------------------------------------------------------------------------------
Abstracts
--------------------------------------------------------------------------------

Mario Marhuenda Beltran (RU)
*Generic Security of the SAFE API and Its Applications*

We provide security foundations for SAFE, a recently introduced API framework for sponge-based hash functions tailored to prime-field-based protocols. SAFE aims to provide a robust and foolproof interface and has been implemented in the Neptune hash framework and in some zero-knowledge proof projects, but it currently lacks any security proof. Our results pave the way for using SAFE with the full taxonomy of hash functions, including SNARK-, lattice-, and x86-friendly hashes.

--------------------------------------------------------------------------------

Andreas Hülsing (TU/e)
*SDitH in the QROM*

The MPC-in-the-Head (MPCitH) paradigm has recently led to significant improvements for signatures in the code-based setting. In this paper we consider some modifications to a recent twist of MPCitH, called Hypercube-MPCitH, which in the code-based setting provides the currently best known signature sizes. By compressing the five-round Hypercube-MPCitH code-based identification scheme into three rounds we obtain two main benefits. On the one hand, it allows us to further develop recent techniques to provide a tight security proof in the quantum-accessible random oracle model (QROM), avoiding the catastrophic reduction losses incurred when using generic QROM results for Fiat-Shamir. On the other hand, we can reduce the already low-cost online part of the signature even further. In addition, we propose the use of proof-of-work techniques that allow the signature size to be reduced. On the technical side, we develop generalizations of several QROM proof techniques and introduce a variant of the recently proposed extractable QROM.

--------------------------------------------------------------------------------

Yu-Hsuan Huang (CWI)
*On the (In)Security of the BUFF Transform*

The BUFF transform is a generic transformation for digital signature schemes, with the purpose of obtaining additional security properties beyond standard unforgeability, e.g., exclusive ownership and non-resignability. In the call for additional post-quantum signatures, these were explicitly mentioned by NIST as "additional desirable security properties", and some of the submissions indeed refer to the BUFF transform with the purpose of achieving them, while some other submissions follow the design of the BUFF transform without mentioning it explicitly.

In this work, we show the following negative results regarding the non-resignability property in general, and the BUFF transform in particular. In the plain model, we observe by means of a simple attack that any signature scheme for which the message has high entropy given the signature does not satisfy the non-resignability property (while non-resignability is trivially not satisfied if the message can be efficiently computed from its signature). Given that the BUFF transform has high entropy in the message given the signature, it follows that the BUFF transform does not achieve non-resignability whenever the random oracle is instantiated with a hash function, no matter which hash function.

When considering the random oracle model (ROM), the matter becomes slightly more delicate, since prior works did not rigorously define the non-resignability property in the ROM. For the natural extension of the definition to the ROM, we observe that our impossibility result still holds, despite there having been positive claims about the non-resignability of the BUFF transform in the ROM. Indeed, prior claims of the non-resignability of the BUFF transform rely on faulty argumentation.

On the positive side, we prove that a salted version of the BUFF transform satisfies a slightly weaker variant of non-resignability in the ROM, covering both classical and quantum attacks, if the entropy requirement in the (weakened) definition of non-resignability is statistical; for the computational variant, we show yet another negative result.

--------------------------------------------------------------------------------

Fiona Weber (TU/e)
*An Asymmetric Key-Update Mechanism for SDLSP*

The Space Data Link Security Protocol (SDLSP) is used by various space agencies, including ESA and NASA, to secure civilian communication between mission control and satellites. So far this protocol uses only symmetric cryptography, which restricts its ability to securely update secret keys and causes quadratic scaling for future use cases such as satellite-to-satellite communication. We set out to design an asymmetric key-update/installation mechanism that resolves these issues. Our protocol uses the multi-KEM approach that has become increasingly common as part of the move to post-quantum cryptography and is based on Post-Quantum Noise. We analyzed and proved the security of this protocol in a simplified eCK model that does not allow for corruption of ephemeral secrets. This model has the advantage of being simpler than the more traditional eCK models, while ignoring only security aspects that many practitioners consider a problem of the OS.