Michele Orrù
@tumbolia.bsky.social
320 followers 120 following 69 posts
A curious child. https://michele.orru.net
tumbolia.bsky.social
Talk in just a few hours! 🗞️ eprint.iacr.org/2024/1552

Exciting to present it in the very same venue where I wrote a big chunk of it while attending @rightscon.org !
tumbolia.bsky.social
Would it be harder to believe Nicholas Bourbaki is a collective pseudonym or that Jean-Pierre Serre is a single person
tumbolia.bsky.social
Got invited to @college-de-france.fr for a seminar about zero-knowledge and online anonymity! 🎉🎉🎉

www.college-de-france.fr/fr/agenda/se...
tumbolia.bsky.social
Thrilled to announce that my latest paper with Alessandro Chiesa has been accepted to TCC, the IACR conference on the theory of cryptography!
tumbolia.bsky.social
at this conference everyone has 4+ coauthors except me lol
tumbolia.bsky.social
I'll present my latest paper on anonymous credentials and designated-verifier KZG at ACM CCS 2025 in Taipei!
tumbolia.bsky.social
Sorry for the late reply! Finally part of the CFRG!
Reposted by Michele Orrù
opalescentopal.bsky.social
With Tom Lehrer's passing, I suppose this is a moment to share the story of the prank he played on the National Security Agency, and how it went undiscovered for nearly 60 years.
tumbolia.bsky.social
Yesterday, @cathie.bsky.social gave a great talk at @ietf.org 123 on the importance of standardizing Sigma protocols and our ongoing work toward a standard for zero-knowledge proofs! You can watch the talk here:
IETF 123: Crypto Forum (CFRG) 2025-07-24 15:00
YouTube video by IETF - Internet Engineering Task Force
www.youtube.com
tumbolia.bsky.social
hahahah I feel attacked
tumbolia.bsky.social
The paper is huge — it’s been a journey to nail down a proof.
I think it’s a solid step forward in narrowing down Fiat-Shamir attacks and characterizing the concrete security of ZKPs. It’s also been really helpful in shaping what a standard for Fiat-Shamir should look like.
tumbolia.bsky.social
We updated our paper on Fiat-Shamir!

We now take a closer look at the gap between what symmetric cryptography has focused on for over 10 years (indifferentiability) and what is actually needed for the soundness of ZKPs and SNARKs (something stronger!).

eprint.iacr.org/2025/536
A Fiat–Shamir Transformation From Duplex Sponges
We analyze a variant of the Fiat–Shamir transformation based on an ideal permutation. The transformation relies on the popular duplex sponge paradigm, and minimizes the number of calls to the permutat...
eprint.iacr.org
tumbolia.bsky.social
Yes! Right. Secret signature or verification key (the latter I think is more common)
tumbolia.bsky.social
If the hash input is secret though you’ll be leaking some side channel information right? And the procedure is only terminating in expected time
Reposted by Michele Orrù
eprint.ing.bot
On the Concrete Security of BBS/BBS+ Signatures (Rutchathon Chairattana-Apirom, Stefano Tessaro) ia.cr/2025/1093
Abstract. BBS/BBS+ signatures are the most promising solution to instantiate practical and lightweight anonymous credentials. They underlie standardization efforts by the W3C and the IRTF. Due to their potential for large scale deployment, it is paramount to understand their concrete security, but a number of questions have been left open by prior works. To this end, the security proofs by Au et al. (SCN ’06), Camenisch et al. (TRUST ’16), and Tessaro and Zhu (EUROCRYPT ’23) show reductions from q-SDH in groups of prime order p, where q is the number of issued signatures.

However, these prior works left the possibility open that BBS/BBS+ is “even more secure” than what can be guaranteed by such proofs. Indeed, while the q-SDH assumption is subject to an attack that uses $O(\sqrt{p/q})$ group exponentiations (Cheon, EUROCRYPT ’06) for several choices of q, no attack with a similar complexity appears to affect either of BBS+ and “deterministic” BBS, for which the best known attacks amount to recovering the secret key by breaking the discrete logarithm problem. The assumption that this attack is best possible also seemingly justifies the choice of parameters in practice.

Our result shows that this expectation is not true. We show new attacks against BBS+ and deterministic BBS which, after seeing q signatures, allow us to recover the secret key with the same complexity as solving the Θ(q)-Discrete Logarithm problem, which in turn is proportional to $O(\sqrt{p/q})$ for many choices of q. Further, we also extend the attack to a reduction showing that the security of BBS+ and deterministic BBS implies the Θ(q)-SDH assumption.
Reposted by Michele Orrù
cknabs.bsky.social
I'm happy to finally open-source lattirust, a library for lattice-based zero-knowledge/succinct arguments! Lattirust is somewhat like arkworks, but for lattices; and like lattigo, but for arguments.

github.com/lattirust
lattirust
Lattice zero-knowledge/succinct arguments, and more - lattirust
github.com
tumbolia.bsky.social
That's not always the case, right? If I am making an OR proof, I generate the commitment and the response of the simulated branch before getting the challenge from the verifier.
tumbolia.bsky.social
In any case Nico was in the original discussions for this project and knows the door is open :)
tumbolia.bsky.social
I'm not sure what this means. Are you saying that if a prover message is generated in round i, it should be sent in round i?
tumbolia.bsky.social
The NARG proof string (the « transcript ») is serialized from the prover messages, I think that's what you are asking?