Jesko

What's the limit of succinctness for pairing-based SNARGs? We answer this by constructing the first pairing-based SNARG with a proof of exactly 2 group elements (and 0 additional bits!)! Joint work w/@IND_Jesko & Eylon Yogev.🧵👇 🔗 ia.cr/2025/2160

@kleptographic Also, Ramdom Circuits

@IND_Jesko "Key Agregation" bruh

This year's (IACR) Crypto shirt is teaching me new words. #succim

@CryptoOrrDun Once I have two points in the ball q1, q2 (and I can pick the query points) I can do a binary search in both directions to find the intersection points p1,p2. That is all I need to query for the dim reduction. Then recurse on the red n-1 dim space. (no artist)

@IND_Jesko If the points are generated non-randomly, you get into trouble. If the points are generated randomly, then it takes a lot of time for each new dimension reduction.

A quick question: I have a sphere hidden in R^n. I know it's radius, and I am allowed membership queries. I know that if I pick points from some distribution, the chance of the point to be in the sphere is p. So after 1/p points, I'm inside the sphere. Now what?

@CryptoOrrDun Here is a different approach (maybe better). Find two points in the ball. Find the points where the line though these intersect the n-dim ball. The n-1 dimensional space at the center of these intersection points contains a n-1 dimensional ball with the same center. Recurse.

@CryptoOrrDun You can also skip queries that hit the convex hull of the points you know are in the ball around the center. Those will be in the ball too

@avCva_mei We need that the operations can be modeled via some find of oracle and this is rather hard to do with non generic applications of lattice-based cryptography

@avCva_mei Our result only really applies to PIR without preprocessing. Of course you can turn this Ashe based pir into one without preprocessing by doing the preprocessing in the online phase. But even then it is still very hard to apply our result.

You are a Eurocrypt attendee and hungover from all the boating yesterday? Come join my talk at 9:00 in track 3. Ill talk about lower bounds on the number of public key operations in PIR in a hangover respecting manner.

I'm excited for the laconic cryptography event tomorrow at eurocrypt

@SmartCryptology @HLipmaa @PratyushRT Are techniques like this eprint.iacr.org/2019/720.pdf not practical? I don't know much about FHE implementations, but isn't TFHE a variant of GSW? These techniques should apply and be much more versatile than using symmetric-key crypto

@HLipmaa @PratyushRT A nice rule of thumb is about 10k bits per bit of message (it using TFHE). However with TFHE transciphering is super fast (see our recent WAHC paper). So you can send and store messages using something like Krevium to get one bit of message = one bit of ciphertext.

So much fuss about FHE, but is there an FHE scheme where the ciphertext is not 7000 bits at the 128-bit security level?

@Cryptomaeher @claudiorlandi That is pretty much the classic DDH hash proof system, right? pk=g^a⋅h^b and sk=(a,b)

@claudiorlandi That's.... there must be a law against doing that!

Apropos weird things that screw up beautiful definitions: is it wlog to assume that in a PKE there's a uniquely determined sk for every pk? Naturally there are PKE where many equivalent sk exist, but are there any that I can't fix by always choosing a "canonical" sk?

@gkaptchuk @tusharjois Just saw this at RWC and was interested. Can you explain in more detail than the paper why you changed you to sample from the language model in comparison to arxiv.org/pdf/1909.01496… ? It seems to me they make better use of the entropy in natural language

@tusharjois put together an amazing, easy-to-use way to play with Meteor via Google Colab. You can just load it up and start generating steganographic messages! Link available from meteorfrom.space. If you're interested, check out the paper at ia.cr/2021/686 10/10

My joint work "Meteor: Cryptographically Secure Steganography for Realistic Distributions" w/ @tusharjois, @matthew_d_green , and @avirubin is going to be featured tonight at CCS! Why is steganography interesting in 2021? Hasn't everyone stopped working on stego? A quick🧵1/?

@diagprov @CryptographyFM Thank you for the recommendations. I'll look into those resources.

Episode 21 of Cryptography FM is live! Check out “Episode 21: Proving Fundamental Equivalencies in Isogeny Mathematics!” at fireside.fm/episode/UhS0As…

@secparam I've just recently read the paper and was wandering why in the construction with restricted false-positive rates you always choose ambiguous encryptions with message space 2? Wouldn't power of 2,4,8... lead to smaller ciphertexts with the same false positive rate?

Introducing fuzzy message detection. Testing if a ciphertext is yours is a recurring problem in anonymous messaging and private cryptocurrencies. Existing approaches require you to fully trust a server or download all messages. We found a middle ground: eprint.iacr.org/2021/089

@CISPA @SRaktuell Ok, ich nehme es zurück