## In this issue
1. [2025/81] Integer Commitments, Old and New Tools
2. [2025/82] Meet-in-the-Middle Attack on Primitives with Binary ...
3. [2025/83] Recover from Excessive Faults in Partially- ...
4. [2025/84] Arbitrary-Threshold Fully Homomorphic Encryption ...
5. [2025/85] Enhancing Threshold Group Action Signature Schemes: ...
6. [2025/86] Artificial Results From Hardware Synthesis
7. [2025/87] On Gaussian Sampling for $q$-ary Lattices and ...
8. [2025/88] ICT: Insured Cryptocurrency Transactions
9. [2025/89] An Introduction to Protein Cryptography
10. [2025/90] Friendly primes for efficient modular arithmetic ...
11. [2025/91] poqeth: Efficient, post-quantum signature ...
12. [2025/92] Public-Key Quantum Money From Standard Assumptions ...
13. [2025/93] A Survey on Transciphering and Symmetric Ciphers ...
14. [2025/94] Multi-Key Homomorphic Secret Sharing
15. [2025/95] Non-Interactive Distributed Point Functions
16. [2025/96] Simultaneous-Message and Succinct Secure Computation
17. [2025/97] Available Attestation: Towards a Reorg-Resilient ...
18. [2025/98] Fast, private and regulated payments in ...
19. [2025/99] Adaptive Hardcore Bit and Quantum Key Leasing over ...
20. [2025/100] Zero-Knowledge Proofs of Quantumness
21. [2025/101] Unveiling Privacy Risks in Quantum Optimization ...
22. [2025/102] A practical distinguisher on the full Skyscraper ...
23. [2025/103] Technology-Dependent Synthesis and Optimization of ...
24. [2025/104] Additive Randomized Encodings from Public Key ...
25. [2025/105] Twist and Shout: Faster memory checking arguments ...
26. [2025/106] NTRU+Sign: Compact NTRU-Based Signatures Using ...
27. [2025/107] dCTIDH: Fast & Deterministic CTIDH
28. [2025/108] Subset sum, a new insight
29. [2025/109] A Formal Treatment of Homomorphic Encryption Based ...
30. [2025/110] Verification-efficient Homomorphic Signatures for ...
31. [2025/111] On the structure of the Schur squares of Twisted ...
32. [2025/112] Post-Quantum Stealth Address Protocols
33. [2025/113] Post-Quantum Threshold Ring Signature Applications ...
34. [2025/114] Better Codes for the HQC Cryptosystem
35. [2025/115] Signatures with Tight Adaptive Corruptions from ...
36. [2025/116] A Horizontal Attack on the Codes and Restricted ...
37. [2025/117] Post-Quantum Online/Offline Signatures
38. [2025/118] How to Prove False Statements: Practical Attacks on ...
39. [2025/119] SoK: PQC PAKEs - Cryptographic Primitives, Design ...
40. [2025/120] Module Learning with Errors with Truncated Matrices
41. [2025/121] On symbolic computations over arbitrary commutative ...
42. [2025/122] Qelect: Lattice-based Single Secret Leader Election ...
43. [2025/123] Falcon on ARM Cortex-M4: an Update
44. [2025/124] GPU Implementations of Three Different Key- ...
45. [2025/125] A Privacy Model for Classical & Learned Bloom Filters
## 2025/81
* Title: Integer Commitments, Old and New Tools
* Authors: Iftach Haitner, Yehuda Lindell, Nikolaos Makriyannis
* [Permalink](
https://eprint.iacr.org/2025/081)
* [Download](
https://eprint.iacr.org/2025/081.pdf)
### Abstract
This self-contained and detailed tutorial covers RSA-based integer commitments and related protocols. It also presents a new, highly efficient setup protocol for sampling commitment parameters.
## 2025/82
* Title: Meet-in-the-Middle Attack on Primitives with Binary Matrix Linear Layer
* Authors: Qingliang Hou, Kuntong Li, Guoyan Zhang, Yanzhao Shen, Qidi You, Xiaoyang Dong
* [Permalink](
https://eprint.iacr.org/2025/082)
* [Download](
https://eprint.iacr.org/2025/082.pdf)
### Abstract
Meet-in-the-middle (MitM) is a powerful approach for the cryptanalysis of symmetric primitives. In recent years, MitM has led to many improved records about key recovery, preimage and collision attacks with the help of automated tools. However, most of
the previous work target $\texttt{AES}$-like hashing where the linear layer is an MDS matrix. And we observe that their automatic model for MDS matrix is not suitable for primitives using a binary matrix as their linear layer.
In this paper, we propose the $\texttt{n-XOR}$ model to describe the $\texttt{XOR}$ operation with an arbitrary number of inputs. And it can be applied to primitives with a binary matrix of arbitrary size. Then, we propose a check model to eliminate the
possible inaccuracies caused by $\texttt{n-XOR}$. But the check model is limited by the input size (not greater than 4). Combined with the two new models, we find a MitM key recovery attack on 11-round $\texttt{Midori64}$. When the whitening keys are
excluded, a MitM key recovery attack can be mounted on the 12-round $\texttt{Midori64}$. Compared with the previous best work, both of the above results have distinct advantages in terms of reducing memory and data complexity.
At last, we apply the $\texttt{n-XOR}$ model to the hashing modes of primitives with large size binary matrix. The preimage attack on weakened $\texttt{camellia}-{\tt MMO}$ (without $FL/FL^{-1}$ and whitening layers) and $\texttt{Aria}-{\tt DM}$ are both
improved by 1 round.
## 2025/83
* Title: Recover from Excessive Faults in Partially-Synchronous BFT SMR
* Authors: Tiantian Gong, Gustavo Franco Camilo, Kartik Nayak, Andrew Lewis-Pye, Aniket Kate
* [Permalink](
https://eprint.iacr.org/2025/083)
* [Download](
https://eprint.iacr.org/2025/083.pdf)
### Abstract
Byzantine fault-tolerant (BFT) state machine replication (SMR) protocols form the basis of modern blockchains as they maintain a consistent state across all blockchain nodes while tolerating a bounded number of Byzantine faults. We analyze BFT SMR in the
excessive fault setting where the actual number of Byzantine faults surpasses a protocol's tolerance.
We start by devising the very first repair algorithm for linearly chained and quorum-based partially synchronous SMR to recover from faulty states caused by excessive faults. Such a procedure can be realized using any commission fault detection module --
an algorithm that identifies the faulty replicas without falsely locating any correct replica. We achieve this with a slightly weaker liveness guarantee, as the original security notion is impossible to satisfy given excessive faults.
We implement recoverable HotStuff in Rust. The throughput resumes to the normal level (without excessive faults) after recovery routines terminate for $7$ replicas and is slightly reduced by $\leq 4.3\%$ for $30$ replicas. On average, it increases the
latency by $12.87\%$ for $7$ replicas \usenix{and $8.85\%$ for $30$ replicas}.
Aside from adopting existing detection modules, we also establish the sufficient condition for a general BFT SMR protocol to allow for complete and sound fault detection when up to $(n-2)$ Byzantine replicas (out of $n$ total replicas) attack safety. We
start by providing the first closed-box fault detection algorithm for any SMR protocol without any extra rounds of communication. We then describe open-box instantiations of our fault detection routines in Tendermint and Hotstuff, further reducing the
overhead, both asymptotically and concretely.
## 2025/84
* Title: Arbitrary-Threshold Fully Homomorphic Encryption with Lower Complexity * Authors: Yijia Chang, Songze Li
* [Permalink](
https://eprint.iacr.org/2025/084)
* [Download](
https://eprint.iacr.org/2025/084.pdf)
### Abstract
Threshold fully homomorphic encryption (ThFHE) enables multiple parties to compute functions over their sensitive data without leaking data privacy. Most of existing ThFHE schemes are restricted to full threshold and require the participation of all
parties to output computing results. Compared with these full-threshold schemes, arbitrary threshold (ATh)-FHE schemes are robust to non-participants and can be a promising solution to many real-world applications. However, existing AThFHE schemes are
either inefficient to be applied with a large number of parties $N$ and a large data size $K$, or insufficient to tolerate all types of non-participants. In this paper, we propose an AThFHE scheme to handle all types of non-participants with lower
complexity over existing schemes. At the core of our scheme is the reduction from AThFHE construction to the design of a new primitive called approximate secret sharing (ApproxSS). Particularly, we formulate ApproxSS and prove the correctness and
security of AThFHE on top of arbitrary-threshold (ATh)-ApproxSS's properties. Such a reduction reveals that existing AThFHE schemes implicitly design ATh-ApproxSS following a similar idea called ``noisy share''. Nonetheless, their ATh-ApproxSS design has
high complexity and become the performance bottleneck. By developing ATASSES, an ATh-ApproxSS scheme based on a novel ``encrypted share'' idea, we reduce the computation (resp. communication) complexity from $\mathcal{O}(N^2K)$ to $\mathcal{O}(N^2+K)$ (
resp. from $\mathcal{O}(NK)$ to $\mathcal{O}(N+K)$). We not only theoretically prove the (approximate) correctness and security of ATASSES, but also empirically evaluate its efficiency against existing baselines. Particularly, when applying to a system
with one thousand parties, ATASSES achieves a speedup of $3.83\times$ -- $15.4\times$ over baselines.
## 2025/85
* Title: Enhancing Threshold Group Action Signature Schemes: Adaptive Security and Scalability Improvements
* Authors: Michele Battagliola, Giacomo Borin, Giovanni Di Crescenzo, Alessio Meneghetti, Edoardo Persichetti
* [Permalink](
https://eprint.iacr.org/2025/085)
* [Download](
https://eprint.iacr.org/2025/085.pdf)
### Abstract
Designing post-quantum digital signatures is a very active research area at present, with several protocols being developed, based on a variety of mathematical assumptions. Many of these signatures schemes can be used as a basis to define more advanced
schemes, such as ring or threshold signatures, where multiple parties are involved in the signing process. Unfortunately, the majority of these protocols only considers a static adversary, that must declare which parties to corrupt at the beginning of
the execution. However, a stronger security notion can be achieved, namely security against adaptive adversaries, that can corrupt parties at any times.
In this paper we tackle the challenges of designing a post-quantum adap- tively secure threshold signature scheme: starting from the GRASS sig- nature scheme, which is only static secure, we show that it is possible to turn it into an adaptive secure
threshold signature that we call GRASS+. In particular, we introduce two variants of the classical GAIP problem and discuss their security. We prove that our protocol is adaptively secure in the Random Oracle Model, if the adversary corrupts only t 2
parties. We are also able to prove that GRASS+ achieves full adaptive security, with a corruption threshold of t, in the Black Box Group Action Model with Random Oracle. Finally, we improve the performance of the scheme by exploiting a better secret
sharing, inspired from the work of Desmedt, Di Crescenzo, and Burmester from ASIACRYPT’94.
## 2025/86
* Title: Artificial Results From Hardware Synthesis
* Authors: Ahmed Alharbi, Charles Bouillaguet
* [Permalink](
https://eprint.iacr.org/2025/086)
* [Download](
https://eprint.iacr.org/2025/086.pdf)
### Abstract
In this paper, we revisit venerable lower-bounds on the $AT$ or $AT^2$ performance metric of hardware circuits. A series of works started in the late 1970's has established that if a hardware circuit of area $A$ computes a function $f : \{0, 1\}^n \rightarrow \{0, 1\}^m$ in $T$ clock cycles, then $AT^2$ is asymptotically
larger than (a form of) the communication complexity of $f$. These lower-bounds ignore the active component of the circuit such as the logic gates and only take into account the area of the wiring.
However, it seems that it is common practice to report the performance characteristics of hardware designs after synthesis, namely after having ``compiled'' the design into the topological description of a hardware circuit made of standard cells. The area of the cells can be be determined with certainty, whereas the area occupied by the wires cannot. This may leads to optimistic performance
figures, that may even violate the old lower-bounds.
In this paper, we take the case of the Möbius transform as a case study, following the work of Banik and Regazzoni in TCHES, 2024(2) who presented hardware designs that implement it. We first determine the communication complexity of the Möbius
transform. Then, following the old methodology, we derive lower-bounds on the area (in $\mu m^2$) of any circuit that implement the operation using several open Process Design Kits for ASIC production. For large enough instances, the wires provably
occupy more area than the logic gates themselves. This invalidate previous theoretical claims about the performance of circuits implementing the Möbius transform.
Fundamentally, the root cause of the contradiction between ``VLSI-era'' lower-bounds and current performance claims is that the lower-bounds apply to a geometric description of the circuit where the length of wiring is known, while it is common to report performance results on the basis of hardware synthesis alone, where a
topological description of the circuit has been obtained but the actual length of wires is unknown.
## 2025/87
* Title: On Gaussian Sampling for $q$-ary Lattices and Linear Codes with Lee Weight
* Authors: Maiara F. Bollauf, Maja Lie, Cong Ling
* [Permalink](
https://eprint.iacr.org/2025/087)
* [Download](
https://eprint.iacr.org/2025/087.pdf)
### Abstract
We show that discrete Gaussian sampling for a $q$-ary lattice is equivalent to codeword sampling for a linear code over $\mathbb{Z}_q$ with the Lee weight. This insight allows us to derive the theta series of a $q$-ary lattice from the Lee weight
distribution of the associated code. We design a novel Gaussian sampler for $q$-ary lattices assuming an oracle that computes the symmetrized weight enumerator of the associated code.
We apply this sampler to well-known lattices, such as the $E_8$, Barnes-Wall, and Leech lattice, highlighting both its advantages and limitations, which depend on the underlying code properties. For certain root lattices, we show that the sampler is
indeed efficient, forgoing the need to assume an oracle. We also discuss applications of our results in digital signature schemes and the Lattice Isomorphism Problem. In many cases, our sampler achieves a significant speed-up compared to state-of-the-art
sampling algorithms in cryptographic applications.
## 2025/88
* Title: ICT: Insured Cryptocurrency Transactions
* Authors: Aydin Abadi, Amirreza Sarencheh, Henry Skeoch, Thomas Zacharias
* [Permalink](
https://eprint.iacr.org/2025/088)
* [Download](
https://eprint.iacr.org/2025/088.pdf)
### Abstract
Cryptocurrencies have emerged as a critical medium for digital financial transactions, driving widespread adoption while simultaneously exposing users to escalating fraud risks. The irreversible nature of cryptocurrency transactions, combined with the
absence of consumer protection mechanisms, leaves users vulnerable to substantial financial losses and emotional distress. To address these vulnerabilities, we introduce Insured Cryptocurrency Transactions (ICT), a novel decentralized insurance framework
designed to ensure financial recovery for honest users affected by fraudulent cryptocurrency transactions. We rigorously formalize the ICT framework, establishing strong security guarantees to protect against malicious adversaries. Furthermore, we
present Insured Cryptocurrency Exchange (ICE), a concrete instantiation of ICT tailored for centralized cryptocurrency exchanges. ICE relies primarily on a standard smart contract and provides a robust mechanism to compensate users in cases of security
breaches, insolvency, or fraudulent activities affecting the exchange. We have implemented ICE’s smart contract and evaluated its on-chain costs. The evaluation results demonstrate ICE’s low operational overhead. To our knowledge, ICT and ICE
represent the first formal approaches to decentralized insurance frameworks in the cryptocurrency domain.
## 2025/89
* Title: An Introduction to Protein Cryptography
* Authors: Hayder Tirmazi, Tien Phuoc Tran
* [Permalink](
https://eprint.iacr.org/2025/089)
* [Download](
https://eprint.iacr.org/2025/089.pdf)
### Abstract
We introduce protein cryptography, a recently proposed method that encodes data into the amino acid sequences of proteins. Unlike traditional digital encryption, this approach relies on the inherent diversity, complexity, and replication resistance of
biological macromolecules, making them highly secure against duplication or tampering. The experimental realization of protein cryptography remains an open problem. To accelerate experimental progress in this area, we provide an accessible and self-
contained introduction to the fundamentals of cryptography for biologists with limited mathematical and computational backgrounds. Furthermore, we outline a framework for encoding, synthesizing, and decoding information using proteins. By enabling
biologists to actively engage in the development of protein cryptography, this work bridges disciplinary boundaries and paves the way for applications in secure data storage.
## 2025/90
* Title: Friendly primes for efficient modular arithmetic using the Polynomial Modular Number System
* Authors: Fangan Yssouf Dosso, Nadia El Mrabet, Nicolas Méloni, François Palma, Pascal Véron
* [Permalink](
https://eprint.iacr.org/2025/090)
* [Download](
https://eprint.iacr.org/2025/090.pdf)
### Abstract
The Polynomial Modular Number System (PMNS) is a non-positional number system designed for modular arithmetic. Its efficiency, both in software and hardware, has been demonstrated for integers commonly used in Elliptic Curve Cryptography. In recent
papers, some authors introduce specific prime forms that are particularly well-suited for PMNS arithmetic. In this work, we extend their results to a broader class of prime numbers. In practice, our approach yields performance that is competitive with,
and in some cases superior to, Pseudo-Mersenne arithmetic. As a result, we expand the set of prime numbers that are well-suited for modular arithmetic. Furthermore, we contribute a database of proof of concept Elliptic Curves constructed with those
primes that verify the Brainpool Standard.
## 2025/91
* Title: poqeth: Efficient, post-quantum signature verification on Ethereum
* Authors: Ruslan Kysil, István András Seres, Péter Kutas, Nándor Kelecsényi
* [Permalink](
https://eprint.iacr.org/2025/091)
* [Download](
https://eprint.iacr.org/2025/091.pdf)
### Abstract
This work explores the application and efficient deployment of (standardized) post-quantum (PQ) digital signature algorithms in the blockchain environment. Specifically, we implement and evaluate four PQ signatures in the Ethereum Virtual Machine: W-OTS$^
{+}$, XMSS, SPHINCS+, and MAYO. We focus on optimizing the gas costs of the verification algorithms as that is the signature schemes' only algorithm executed on-chain, thus incurring financial costs (transaction fees) for the users. Hence, the
verification algorithm is the signature schemes' main bottleneck for decentralized applications.
We examine two methods to verify post-quantum digital signatures on-chain. Our practical performance evaluation shows that full on-chain verification is often prohibitively costly. Naysayer proofs (FC'24) allow a novel optimistic verification mode. We
observe that the Naysayer verification mode is generally the cheapest, at the cost of additional trust assumptions. We release our implementation called poqeth as an open-source library.
## 2025/92
* Title: Public-Key Quantum Money From Standard Assumptions (In The Generic Model)
* Authors: Jake Doliskani
* [Permalink](
https://eprint.iacr.org/2025/092)
* [Download](
https://eprint.iacr.org/2025/092.pdf)
### Abstract
Our main result is a quantum polynomial-time reduction from the group action discrete logarithm (DLP) problem to a specific cloning problem. A consequence of this result is that the public-key quantum money scheme proposed by Zhandry (2024), based on
abelian group actions, is secure in the generic group action model. Specifically, our result shows that breaking the quantum money scheme is equivalent, under quantum polynomial-time reductions, to solving the group action DLP. Two immediate implications
of our results are: i) A separation between quantum money and quantum lightning. This separation arises because our reduction is non-uniform, and quantum lightning is not secure against non-uniform adversaries. ii) Cloning vs. preparing Fourier states.
Our main theorem shows that the problem of cloning group action Fourier states is equivalent to the problem of preparing these states.
## 2025/93
* Title: A Survey on Transciphering and Symmetric Ciphers for Homomorphic Encryption
* Authors: Indranil Thakur, Angshuman Karmakar, Chaoyun Li, Bart Preneel
* [Permalink](
https://eprint.iacr.org/2025/093)
* [Download](
https://eprint.iacr.org/2025/093.pdf)
### Abstract
Data privacy concerns are sharply rising in the current digital era, hyperdriven by cloud computing, big data analytics, and the Internet of Things. Homomorphic Encryption (HE) has emerged as an ideal technique for computing on encrypted data, but
current schemes suffer from slow encryption speed and large ciphertext expansion. Practical implementation is hindered, especially when the client has limited bandwidth, memory, and computing power. In 2011, Naehrig et al. proposed transciphering,
reducing computational and communication overload on the client side. This involves symmetric ciphers with minimized multiplicative complexity,
referred to as HE-Friendly Ciphers (HEFCs).
In this work, we present a detailed study of transciphering for HE by systematizing existing knowledge and crystallizing research challenges. Particularly we conduct a comprehensive study on state-of-the-art HEFC constructions. Our work highlights gaps,
open problems, and directions for future research.
## 2025/94
* Title: Multi-Key Homomorphic Secret Sharing
* Authors: Geoffroy Couteau, Lalita Devadas, Aditya Hegde, Abhishek Jain, Sacha Servan-Schreiber
* [Permalink](
https://eprint.iacr.org/2025/094)
* [Download](
https://eprint.iacr.org/2025/094.pdf)
### Abstract
Homomorphic secret sharing (HSS) is a distributed analogue of fully homomorphic encryption (FHE) where following an input-sharing phase, two or more parties can locally compute a function over their private inputs to obtain shares of the function output.
Over the last decade, HSS schemes have been constructed from an array of different assumptions. However, all existing HSS schemes, except ones based on assumptions known to imply multi-key FHE, require a public-key infrastructure (PKI) or a correlated
setup between parties. This limitation carries over to many applications of HSS.
In this work, we construct multi-key homomorphic secret sharing (MKHSS), where given only a common reference string (CRS), two parties can secret share their inputs to each other and then perform local computations as in HSS. We present the first MKHSS
schemes supporting all NC1 computations from either the decisional Diffie-Hellman (DDH), decisional composite residuosity (DCR), or class group assumptions.
Our constructions imply the following applications in the CRS model:
- Succinct two-round secure computation. Under the same assumptions as our MKHSS schemes, we construct succinct, two-round secure two-party computation for NC1 circuits. Previously, such a result was only known from the learning with errors assumption.
- Attribute-based NIKE. Under DCR or class group assumptions, we construct non-interactive key exchange (NIKE) protocols where two parties agree on a key if and only if their secret attributes satisfy a public NC1 predicate. This significantly
generalizes the existing notion of password-based NIKE.
- Public-key PCFs. Under DCR or class group assumptions, we construct public-key pseudorandom correlation functions (PCFs) for any NC1 correlation. This yields the first public-key PCFs for Beaver triples (and more) from non-lattice assumptions.
- Silent MPC. Under DCR or class group assumptions, we construct a p-party secure computation protocol in the silent preprocessing model where the preprocessing phase has communication O(p), ignoring polynomial factors. All prior protocols that do not
rely on spooky encryption require $Ω(p^2)$ communication.
## 2025/95
* Title: Non-Interactive Distributed Point Functions
* Authors: Elette Boyle, Lalita Devadas, Sacha Servan-Schreiber
* [Permalink](
https://eprint.iacr.org/2025/095)
* [Download](
https://eprint.iacr.org/2025/095.pdf)
### Abstract
Distributed Point Functions (DPFs) are a useful cryptographic primitive enabling a dealer to distribute short keys to two parties, such that the keys encode additive secret shares of a secret point function. However, in many applications of DPFs, no
single dealer entity has full knowledge of the secret point function, necessitating the parties to run an interactive protocol to emulate the setup. Prior works have aimed to minimize complexity metrics of such distributed setup protocols, e.g., round
complexity, while remaining black-box in the underlying cryptography.
We construct Non-Interactive DPFs (NIDPF), which have a one-round (simultaneous-message, semi-honest) setup protocol, removing the need for a trusted dealer. Specifically, our construction allows each party to publish a special "public key" to a public
channel or bulletin board, where the public key encodes the party's secret function parameters. Using the public key of another party, any pair of parties can locally derive a DPF key for the point function parameterized by the two parties' joint inputs.
We realize NIDPF from an array of standard assumptions, including DCR, SXDH, QR, and LWE. Each party's public key is of size $O(N^{2/3})$, for point functions with a domain of size $N$, which leads to a sublinear communication setup protocol. The only
prior approach to realizing such a non-interactive setup required using multi-key fully-homomorphic encryption or indistinguishability obfuscation.
As immediate applications of our construction, we get "public-key setups" for several existing constructions of pseudorandom correlation generators and round-efficient protocols for secure comparisons.
## 2025/96
* Title: Simultaneous-Message and Succinct Secure Computation
* Authors: Elette Boyle, Abhishek Jain, Sacha Servan-Schreiber, Akshayaram Srinivasan
* [Permalink](
https://eprint.iacr.org/2025/096)
* [Download](
https://eprint.iacr.org/2025/096.pdf)
### Abstract
We put forth and instantiate a new primitive we call simultaneous-message and succinct (SMS) secure computation. An SMS scheme enables a minimal communication pattern for secure computation in the following scenario: Alice has a large private input X,
Bob has a small private input y, and Charlie wants to learn $f(X, y)$ for some public function $f$.
Given a common reference string (CRS) setup phase, an SMS scheme for a function f is instantiated with two parties holding inputs $X$ and $y$, and has the following structure:
- The parties simultaneously exchange a single message.
- Communication is succinct, scaling sublinearly in the size of $X$ and the output $f(X, y)$.
- Without further interaction, the parties can locally derive additive secret shares of $f(X, y)$.
Indeed, Alice and Bob simultaneously send each other a message using the CRS and their private inputs. Using the transcript and their private state, the parties locally derive additive secret shares of $f(X, y)$, which they can send to Charlie. As such,
an SMS scheme incurs a communication cost to Charlie that is only twice that of the function output length. Importantly, the size of Alice’s message does not grow with the size of her input $X$, and both Alice’s and Bob’s first-round messages grow
sublinearly in the size of the output. Additionally, Alice’s or Bob’s view provides no information about the other party’s input besides the output of $f(X, y)$, even if colluding with Charlie.
We obtain the following results:
- Assuming Learning With Errors (LWE), we build an SMS scheme supporting evaluation of depth-$d$ circuits, where Alice's message is of size $|f(X, y)|^{(2/3)}$· poly(λ, d), Bob's message is of size $(|y| + |f(X, y)|^{(2/3)})$ · poly(λ, d), and λ is
the security parameter. We can further extend this to support all functions by assuming the circular security of LWE.
- Assuming sub-exponentially secure indistinguishability obfuscation, in conjunction with other standard assumptions, we build an SMS scheme supporting arbitrary polynomial-sized batch functions of the form $(f(x_1, y), ..., f(x_L, y))$, for $X = (x_1, ..
., x_L)$. The size of Alice's and Bob's messages in this construction is poly(λ) and poly(λ, |f|, log L), respectively.
We show that SMS schemes have several immediate applications. An SMS scheme gives:
- A direct construction of trapdoor hash functions (TDH) (Döttling et al., Crypto'19) for the same class of functions as the one supported by the SMS scheme.
- A simple and generic compiler for obtaining compact, rate-1 fully homomorphic encryption (FHE) from any non-compact FHE scheme.
- A simple and generic compiler for obtaining correlation-intractable (CI) hash functions that are secure against all efficiently-searchable relations.
In turn, under the LWE assumption, we obtain the first construction of TDH for all functions and generic approaches for obtaining rate-1 FHE and CI hashing. We also show that our iO-based construction gives an alternative approach for two-round secure
computation with communication succinctness in the output length (Hubáček and Wichs, ITCS'15).
## 2025/97
* Title: Available Attestation: Towards a Reorg-Resilient Solution for Ethereum Proof-of-Stake
* Authors: Mingfei Zhang, Rujia Li, Xueqian Lu, Sisi Duan
* [Permalink](
https://eprint.iacr.org/2025/097)
* [Download](
https://eprint.iacr.org/2025/097.pdf)
### Abstract
Ethereum transitioned from Proof-of-Work consensus to Proof-of-Stake (PoS) consensus in September 2022. While this upgrade brings significant improvements (e.g., lower energy costs and higher throughput), it also introduces new vulnerabilities. One
notable example is the so-called malicious \textit{reorganization attack}. Malicious reorganization denotes an attack in which the Byzantine faulty validators intentionally manipulate the canonical chain so the blocks by honest validators are discarded.
By doing so, the faulty validators can gain benefits such as higher rewards, lower chain quality, or even posing a liveness threat to the system.
In this work, we show that the majority of the known attacks on Ethereum PoS are some form of reorganization attacks. In practice, most of these attacks can be launched even if the network is synchronous (there exists a known upper bound for message
transmission and processing). Different from existing studies that mitigate the attacks in an ad-hoc way, we take a systematic approach and provide an elegant yet efficient solution to reorganization attacks. Our solution is provably secure such that no
reorganization attacks can be launched in a synchronous network. In a partially synchronous network, our approach achieves the conventional safety and liveness properties of the consensus protocol. Our evaluation results show that our solution is
resilient to five types of reorganization attacks and also highly efficient.
## 2025/98
* Title: Fast, private and regulated payments in asynchronous networks
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)