[continued from previous message]
* Authors: Maxence Brugeres, Victor Languille, Petr Kuznetsov, Hamza Zarfaoui
* [Permalink](
https://eprint.iacr.org/2025/098)
* [Download](
https://eprint.iacr.org/2025/098.pdf)
### Abstract
We propose a decentralized asset-transfer system that enjoys full privacy: no party can learn the details of a transaction, except for its issuer and its recipient. Furthermore, the recipient is only aware of the amount of the transaction. Our system
does not rely on consensus or synchrony assumptions, and therefore, it is responsive, since it runs at the actual network speed. Under the hood, every transaction creates a consumable coin equipped with a non-interactive zero-knowledge proof (NIZK) that
confirms that the issuer has sufficient funds without revealing any information about her identity, the recipient's identity, or the payment amount. Moreover, we equip our system with a regulatory enforcement mechanism that can be used to regulate
transfer limits or restrict specific addresses from sending or receiving funds, while preserving the system's privacy guarantees.
Finally, we report on Paxpay, our implementation of Fully Private Asset Transfer (FPAT) that uses the Gnark library for the NIZKs. In our benchmark, Paxpay exhibits better performance than earlier proposals that either ensure only partial privacy,
require some kind of network synchrony or do not implement regulation features. Our system thus reconciles privacy, responsiveness, regulation enforcement and performance.
## 2025/99
* Title: Adaptive Hardcore Bit and Quantum Key Leasing over Classical Channel from LWE with Polynomial Modulus
* Authors: Duong Hieu Phan, Weiqiang Wen, Xingyu Yan, Jinwei Zheng
* [Permalink](
https://eprint.iacr.org/2025/099)
* [Download](
https://eprint.iacr.org/2025/099.pdf)
### Abstract
Quantum key leasing, also known as public key encryption with secure key leasing (PKE-SKL),
allows a user to lease a (quantum) secret key to a server for decryption purpose, with the capability of revoking the key afterwards.
In the pioneering work by Chardouvelis et al (arXiv:2310.14328), a PKE-SKL scheme utilizing classical channels was successfully built upon the noisy trapdoor claw-free (NTCF) family. This approach, however, relies on the superpolynomial hardness of
learning with errors (LWE) problem, which could affect both efficiency and security of the scheme.
In our work, we demonstrate that the reliance on superpolynomial hardness is unnecessary, and that LWE with polynomial-size modulus is sufficient to achieve the same goal.
Our approach enhances both efficiency and security, thereby improving the practical feasibility of the scheme on near-term quantum devices.
To accomplish this, we first construct a \textit{noticeable} NTCF (NNTCF) family with the adaptive hardcore bit property, based on LWE with polynomial-size modulus. To the best of our knowledge, this is the first demonstration of the adaptive hardcore
bit property based on LWE with polynomial-size modulus, which may be of independent interest.
Building on this foundation, we address additional challenges in prior work to construct the first PKE-SKL scheme satisfying the following properties:
(\textit{i}) the entire protocol utilizes only classical communication, and can also be lifted to support homomorphism.
(\textit{ii}) the security is solely based on LWE assumption with polynomial-size modulus.
As a demonstration of the versatility of our noticeable NTCF, we show that an efficient proof of quantumness protocol can be built upon it. Specifically, our protocol enables a classical verifier to test the quantumness while relying exclusively on the
LWE assumption with polynomial-size modulus.
## 2025/100
* Title: Zero-Knowledge Proofs of Quantumness
* Authors: Duong Hieu Phan, Weiqiang Wen, Xingyu Yan, Jinwei Zheng
* [Permalink](
https://eprint.iacr.org/2025/100)
* [Download](
https://eprint.iacr.org/2025/100.pdf)
### Abstract
With the rapid development of quantum computers, proofs of quantumness have recently become an interesting and intriguing research direction. However, in all current schemes for proofs of quantumness, quantum provers almost invariably face the risk of
being maliciously exploited by classical verifiers. In fact, through malicious strategies in interaction with quantum provers, classical verifiers could solve some instances of hard problems that arise from the specific scheme in use. In other words,
malicious verifiers can break some schemes (that quantum provers are not aware of) through interaction with quantum provers. All this is due to the lack of formalization that prevents malicious verifiers from extracting useful information in proofs of
quantumness.
To address this issue, we formalize zero-knowledge proofs of quantumness. Intuitively, the zero-knowledge property necessitates that the information gained by the classical verifier from interactions with the quantum prover should not surpass what can be
simulated using a simulated classical prover interacting with the same verifier. As a result, the new zero-knowledge notion can prevent any malicious verifier from exploiting quantum advantage.
Interestingly, we find that the classical zero-knowledge proof is sufficient to compile some existing proofs of quantumness schemes into zero-knowledge proofs of quantumness schemes.
Due to some technical reasons, it appears to be more general to require zero-knowledge proof on the verifier side instead of the prover side. Intuitively, this helps to regulate the verifier's behavior from malicious to be honest-but-curious. As a result,
both parties will play not only one role in the proofs of quantumness but also the dual role in the classical zero-knowledge proof.
Specifically, the two principle proofs of quantumness schemes: Shor's factoring-based scheme and learning with errors-based scheme in [Brakerski et al, FOCS, 2018], can be transformed into zero-knowledge proofs of quantumness by requiring an extractable
non-interactive zero-knowledge argument on the verifier side.
Notably, the zero-knowledge proofs of quantumness can be viewed as an enhanced security notion for proofs of quantumness. To prevent malicious verifiers from exploiting the quantum device's capabilities or knowledge, it is advisable to transition
existing proofs of quantumness schemes to this framework whenever feasible.
## 2025/101
* Title: Unveiling Privacy Risks in Quantum Optimization Services
* Authors: Mateusz Leśniak, Michał Wroński, Ewa Syta, Mirosław Kutyłowski * [Permalink](
https://eprint.iacr.org/2025/101)
* [Download](
https://eprint.iacr.org/2025/101.pdf)
### Abstract
As cloud-based quantum computing services, such as those offered by D-Wave, become more popular for practical applications, privacy-preserving methods (such as obfuscation) are essential to address data security, privacy, and legal compliance concerns.
Several efficient obfuscation methods have been proposed, which do not increase the time complexity of solving the obfuscated problem, for quantum optimization problems. These include {\em sign reversing}, {\em variable permutation}, and the combination
of both methods assumed to provide greater protection. Unfortunately, sign reversing has already been shown to be insecure.
We present two attacks on variable permutation and the combined method, where it is possible to efficiently recover the deobfuscated problem, particularly when given access to the obfuscated problem and its obfuscated solution, as a cloud-based quantum
provider would have.
Our attacks are in the context of an optimization problem of cryptanalysis of the Trivium cipher family, but our approach generalizes to other similarly structured problems.
Our attacks are efficient and practical.
Deobfuscating an optimization problem with \( n \) variables obfuscated with the combined method has a complexity of $O(n^2)$ compared to the complexity of $O\left( n \cdot n! \cdot 2^n \right)$ of the brute force attack.
We provide an implementation of our attack; using a commodity laptop, our attack using the full Trivium cipher takes less than two minutes if optimized.
We also present possible countermeasures to mitigate our attacks and bring attention to the need for further development in this area.
## 2025/102
* Title: A practical distinguisher on the full Skyscraper permutation
* Authors: Antoine Bak
* [Permalink](
https://eprint.iacr.org/2025/102)
* [Download](
https://eprint.iacr.org/2025/102.pdf)
### Abstract
Skyscraper is a cryptographic permutation published in TCHES 2025, optimized for use in proof systems such as PlonK. This primitive is based on a 10-round Feistel network combining $x^2$ monomials and lookup-based functions to achieve competitive plain
performances and efficiency in proof systems supporting lookups. In terms of security, the $x^2$ monomials are supposed to provide security against statistical attacks, while lookups are supposed to provide security against algebraic attacks.
In this note, we show that this primitive has a much lower security margin than expected. Using a rebound attack, we find practical truncated differentials on the full permutation. As a corollary, we also find a practical collision attack on the
compression function based on a 9-round Skyscraper permutation, which significantly reduces the security margin of the primitive. All of these attacks have been implemented and work in practice.
## 2025/103
* Title: Technology-Dependent Synthesis and Optimization of Circuits for Small S-boxes
* Authors: Zihao Wei, Siwei Sun, Fengmei Liu, Lei Hu, Zhiyu Zhang
* [Permalink](
https://eprint.iacr.org/2025/103)
* [Download](
https://eprint.iacr.org/2025/103.pdf)
### Abstract
Boolean formula minimization is a notoriously hard problem that is known to be $\varSigma_2^P$-complete. Circuit minimization, typically studied in the context of a much broader subject known as synthesis and optimization of circuits, introduces another
layer of complexity since ultimately those technology-independent epresentations (e.g., Boolean formulas and truth tables) has to be transformed into a netlist of cells of the target technology library. To manage those complexities, the industrial
community typically separates the synthesis process into two steps: technology-independent optimization and technology mapping. In each step, this approach only tries to find the local optimal solution and relies heavily on heuristics rather than a
systematic search. However, for small S-boxes, a more systematic exploration of the design space is possible. Aiming at the global optimum, we propose a method which can synthesize a truth table for a small S-box directly into a netlist of the cells of a
given technology library. Compared with existing technology-dependent synthesis tools like LIGHTER and PEIGEN, our method produces improved results for many S-boxes with respect to circuit area. In particular, by applying our method to the $\mathbb{F}_{2^
4}$-inverter involved in the tower field implementation of the AES S-box, we obtain the currently known lightest implementation of the AES S-box. The search framework can be tweaked to take circuit delay into account. As a result, we find implementations
for certain S-boxes with both latency and area improved.
## 2025/104
* Title: Additive Randomized Encodings from Public Key Encryption
* Authors: Nir Bitansky, Saroja Erabelli, Rachit Garg
* [Permalink](
https://eprint.iacr.org/2025/104)
* [Download](
https://eprint.iacr.org/2025/104.pdf)
### Abstract
Introduced by Halevi, Ishai, Kushilevitz, and Rabin (CRYPTO 2023), Additive randomized encodings (ARE) reduce the computation of a $k$-party function $f(x_1,\dots,x_k)$ to locally computing encodings $\hat x_i$ of each input $x_i$ and then adding them
together over some Abelian group into an output encoding $\hat y = \sum \hat x_i$, which reveals nothing but the result. The appeal of ARE comes from the simplicity of the non-local computation, involving only addition. This gives rise for instance to
non-interactive secure function evaluation in the shuffle model where messages from different parties are anonymously shuffled before reaching their destination. Halevi, Ishai, Kushilevitz, and Rabin constructed ARE based on Diffie-Hellman type
assumptions in bilinear groups.
We construct ARE assuming public-key encryption. The key insight behind our construction is that one-sided ARE, which only guarantees privacy for one of the parties, are relatively easy to construct, and yet can be lifted to full-fledged ARE. We also
give a more efficient black-box construction from the CDH assumption.
## 2025/105
* Title: Twist and Shout: Faster memory checking arguments via one-hot addressing and increments
* Authors: Srinath Setty, Justin Thaler
* [Permalink](
https://eprint.iacr.org/2025/105)
* [Download](
https://eprint.iacr.org/2025/105.pdf)
### Abstract
A memory checking argument enables a prover to prove to a verifier that it is correctly processing reads and writes to memory. They are used widely in modern SNARKs, especially in zkVMs, where the prover proves the correct execution of a CPU including
the correctness of memory operations.
We describe a new approach for memory checking, which we call the method of one-hot addressing and increments. We instantiate this method via two different families of protocols, called Twist and Shout. Twist supports read/write memories, while Shout
targets read-only memories (also known as lookup arguments). Both Shout and Twist have logarithmic verifier costs. Unlike prior works, these protocols do not invoke "grand product" or "grand sum" arguments.
Twist and Shout significantly improve the prover costs of prior works across the full range of realistic memory sizes, from tiny memories (e.g., 32 registers as in RISC-V), to memories that are so large they cannot be explicitly materialized (e.g.,
structured lookup tables of size $2^{64}$ or larger, which arise in Lasso and the Jolt zkVM). Detailed cost analysis shows that Twist and Shout are well over 10x cheaper for the prover than state-of-the-art memory-checking procedures configured to have
logarithmic proof length.
Prior memory-checking procedures can also be configured to have larger proofs. Even then, we estimate that Twist and Shout are at least 2--4x faster for the prover in key applications.
Finally, using Shout, we provide two fast-prover SNARKs for non-uniform constraint systems, both of which achieve minimal commitment costs (the prover commits only to the witness): (1) SpeedySpartan applies to Plonkish constraints, substantially
improving the previous state-of-the-art protocol, BabySpartan; and (2)Spartan++ applies to CCS (a generalization of Plonkish and R1CS), improving prover times over the previous state-of-the-art protocol, Spartan, by 6x.
## 2025/106
* Title: NTRU+Sign: Compact NTRU-Based Signatures Using Bimodal Distributions
* Authors: Joo Woo, Jonghyun Kim, Ga Hee Hong, Seungwoo Lee, Minkyu Kim, Hochang Lee, Jong Hwan Park
* [Permalink](
https://eprint.iacr.org/2025/106)
* [Download](
https://eprint.iacr.org/2025/106.pdf)
### Abstract
We present a new lattice-based signature scheme, called ‘NTRU+Sign’, using the Fiat-Shamir with Aborts framework. The proposed scheme is designed based on a novel NTRU-based key structure that fits well with bimodal distributions, enabling efficiency
improvements compared to its predecessor, BLISS. The novel NTRU-based key structure is characterized by: (1) effectively changing a modulus from 2q to q, which is different from the existing usage of 2q for bimodal distributions, and (2) drastically
reducing the magnitude of a secret key, which directly leads to compactness of signature sizes. We provide two concrete parameter sets for NTRU+Sign, supporting 93-bit and 211-bit security levels. Using the technique from GALACTICS (that was suggested as
the constant-time implementation of BLISS),
our analysis shows that NTRU+Sign achieves a good balance between computational efficiency and signature compactness, with constant-time implementation. For instance, at the NIST-3 security level, NTRU+Sign produces signatures that are significantly
smaller than Dilithium and HAETAE, while providing faster verification speeds. These advantages position NTRU+Sign as a competitive and practical
solution for real-world deployments.
## 2025/107
* Title: dCTIDH: Fast & Deterministic CTIDH
* Authors: Fabio Campos, Andreas Hellenbrand, Michael Meyer, Krijn Reijnders
* [Permalink](
https://eprint.iacr.org/2025/107)
* [Download](
https://eprint.iacr.org/2025/107.pdf)
### Abstract
This paper presents dCTIDH, a CSIDH implementation that combines two recent developments into a novel state-of-the-art deterministic implementation. We combine the approach of deterministic variants of CSIDH with the batching strategy of CTIDH, which
shows that the full potential of this key space has not yet been explored. This high-level adjustment in itself leads to a significant speed-up. To achieve an effective deterministic evaluation in constant time, we introduce Wombats, a new approach to
performing isogenies in batches, specifically tailored to the behavior required for deterministic CSIDH using CTIDH batching.
Furthermore, we explore the two-dimensional space of optimal primes for dCTIDH, with regard to both the performance of dCTIDH in terms of finite-field operations per prime and the efficiency of finite-field operations, determined by the prime shape, in
terms of cycles. This allows us to optimize both for choice of prime and scheme parameters simultaneously. Lastly, we implement and benchmark constant-time, deterministic dCTIDH. Our results show that dCTIDH not only outperforms state-of-the-art
deterministic CSIDH, but even non-deterministic CTIDH: dCTIDH-2048 is faster than CTIDH-2048 by 17 percent, and is almost five times faster than dCSIDH-2048.
## 2025/108
* Title: Subset sum, a new insight
* Authors: Samir Bouftass
* [Permalink](
https://eprint.iacr.org/2025/108)
* [Download](
https://eprint.iacr.org/2025/108.pdf)
### Abstract
In this paper, we show that subset sum problem consists on finding a solution over $\mathbb{N}_2$ of equation $n = \textbf{A}X \bullet U$ where A and n are given matrix and integer and U = $[(2^0) (2^1) .... (2^{d-2}) (2^{d-1})]$. We show that it can
be subdivized into 2 solvable subproblems.
## 2025/109
* Title: A Formal Treatment of Homomorphic Encryption Based Outsourced Computation in the Universal Composability Framework
* Authors: Wasilij Beskorovajnov, Sarai Eilebrecht, Yufan Jiang, Jörn Mueller-Quade
* [Permalink](
https://eprint.iacr.org/2025/109)
* [Download](
https://eprint.iacr.org/2025/109.pdf)
### Abstract
The adoption of Homomorphic Encryption (HE) and Secure
Function Evaluation (SFE) applications in the real world remains lim-
ited, even nearly 50 years after the introduction of HE. This is particu-
larly unfortunate given the strong privacy and confidentiality guarantees
these tools can offer to modern digital life.
While attempting to incorporate a simple straw-man PSI protocol into
a web service for matching individuals based on their profiles, we en- countered several shortcomings in current outsourcing frameworks. Ex-
isting outsourced protocols either require clients to perform tasks beyond merely contributing their inputs or rely on a non-collusion assumption
between a server and a client, which appears implausible in standard web service scenarios.
To address these issues, we present, to the best of our knowledge, the first general construction for non-interactive outsourced computation based
on black-box homomorphic encryption. This approach relies on a non-
collusion assumption between two dedicated servers, which we consider
more realistic in a web-service setting. Furthermore, we provide a proof
of our construction within the Universal Composability (UC) framework,
assuming semi-honest (i.e., passive) adversaries.
Unlike general one-sided two-party SFE protocols, our construction addi- tionally requires sender privacy. Specifically, the sender must contribute
its inputs solely in encrypted form. This ensures stronger privacy guar-
antees and broadens the applicability of the protocol.
Overall, the range of applications for our construction includes all one-
sided two-party sender-private SFE protocols as well as server-based
arithmetic computations on encrypted inputs. Finally, we demonstrate
the practical applicability of our general outsourced computation frame-
work by applying it to the specific use case of Outsourced Private Set Intersection (OPSI) in a real-world scenario, accompanied by a detailed evaluation of its efficiency.
## 2025/110
* Title: Verification-efficient Homomorphic Signatures for Verifiable Computation over Data Streams
* Authors: Gaspard Anthoine, Daniele Cozzo, Dario Fiore
* [Permalink](
https://eprint.iacr.org/2025/110)
* [Download](
https://eprint.iacr.org/2025/110.pdf)
### Abstract
Homomorphic signatures for NP (HSNP) allow proving that a signed value is the result of a non-deterministic computation on signed inputs. At CCS'22, Fiore and Tucker introduced HSNP, showed how to use them for verifying arbitrary computations on data
streams, and proposed a generic HSNP construction obtained by efficiently combining zkSNARKs with linearly homomorphic signatures (LHS), namely those supporting linear functions. Their proposed LHS however suffered from an high verification cost. In this
work we propose an efficient LHS that significantly improves on previous work in terms of verification time. Using the modular approach of Fiore and Tucker, this yields a verifier-efficient HSNP. We show that the HSNP instantiated with our LHS is
particularly suited to the case when the data is taken from consecutive samples, which captures important use cases including sliding window statistics such as variances, histograms and stock market predictions.
## 2025/111
* Title: On the structure of the Schur squares of Twisted Generalized Reed-Solomon codes and application to cryptanalysis
* Authors: Alain Couvreur, Rakhi Pratihar, Nihan Tanisali, Ilaria Zappatore
* [Permalink](
https://eprint.iacr.org/2025/111)
* [Download](
https://eprint.iacr.org/2025/111.pdf)
### Abstract
Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones.
Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with same dimension.
Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed--Solomon (TRS) codes over $\mathbb{F}_q$ with $\ell$ twists $q \approx n^{2^{\ell}}$ for
McEliece encryption, claiming their resistance to both Sidelnikov Shestakov attack and
Schur products--based attacks. In short, they claimed these codes to resist to classical key recovery attacks on McEliece encryption scheme instantiated with Reed-Solomon (RS) or GRS codes. In 2020, Lavauzelle and Renner presented an original attack on
this system based on the computation of the subfield subcode of the public TRS code.
In this paper, we show that the original claim on the resistance of TRS and TGRS codes to Schur products based--attacks is wrong.
We identify a broad class of codes including TRS and TGRS ones that is distinguishable from random by computing the Schur square
of some shortening of the code. Then, we focus on the case of single twist ({i.e.}, $\ell = 1$), which is the most efficient one in terms of decryption complexity, to derive an attack. The technique is similar to the distinguisher-based attacks of RS
code-based systems given by Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich in 2014.
## 2025/112
* Title: Post-Quantum Stealth Address Protocols
* Authors: Marija Mikić, Mihajlo Srbakoski, Strahinja Praška
* [Permalink](
https://eprint.iacr.org/2025/112)
* [Download](
https://eprint.iacr.org/2025/112.pdf)
### Abstract
The Stealth Address Protocol (SAP) allows users to receive assets through stealth addresses that are unlinkable to their stealth meta-addresses. The most widely used SAP, Dual-Key SAP (DKSAP), and the most performant SAP, Elliptic Curve Pairing Dual-Key
SAP (ECPDKSAP), are based on elliptic curve cryptography, which is vulnerable to quantum attacks. These protocols depend on the elliptic curve discrete logarithm problem, which could be efficiently solved on a sufficiently powerful quantum computer using
the Shor algorithm. In this paper three novel post-quantum SAPs based on lattice-based cryptography are presented: LWE SAP, Ring-LWE SAP and Module-LWE SAP. These protocols leverage Learning With Errors (LWE) problem to ensure quantum-resistant privacy.
Among them, Module-LWE SAP, which is based on the Kyber key encapsulation mechanism, achieves the best performance and outperforms ECPDKSAP by approximately 66.8% in the scan time of the ephemeral public key registry.
## 2025/113
* Title: Post-Quantum Threshold Ring Signature Applications from VOLE-in-the-Head
* Authors: James Hsin-Yu Chiang, Ivan Damgård, William R. Duro, Sunniva Engan, Sebastian Kolby, Peter Scholl
* [Permalink](
https://eprint.iacr.org/2025/113)
* [Download](
https://eprint.iacr.org/2025/113.pdf)
### Abstract
We propose efficient, post-quantum threshold ring signatures constructed from one-wayness of AES encryption and the VOLE-in-the-Head zero-knowledge proof system. Our scheme scales efficiently to large rings and extends the linkable ring signatures
paradigm. We define and construct key-binding deterministic tags for signature linkability, that also enable succinct aggregation with approximate lower bound arguments of knowledge; this allows us to achieve succinct aggregation of our signatures
without SNARKs. Finally, we extend our threshold ring signatures to realize post-quantum anonymous ledger transactions in the spirit of Monero. Our constructions assume symmetric key primitives only.
Whilst it is common to build post-quantum signatures from the one-wayness property of AES and a post-quantum NIZK scheme, we extend this paradigm to define and construct novel security properties from AES that are useful for advanced signature
applications. We introduce key-binding and pseudorandomness of AES to establish linkability and anonymity of our threshold ring signatures from deterministic tags, and similarly establish binding and hiding properties of block ciphers modeled as ideal
permutations to build commitments from AES, a crucial building block for our proposed post-quantum anonymous ledger scheme.
## 2025/114
* Title: Better Codes for the HQC Cryptosystem
* Authors: Cyrius Nugier, Jean-Christophe Deneuville
* [Permalink](
https://eprint.iacr.org/2025/114)
* [Download](
https://eprint.iacr.org/2025/114.pdf)
### Abstract
In the HQC cryptosystem, the length $n$ of the code determines several concrete parameters such as the bandwidth usage, the memory consumption, or the decoding efficiency. In this paper, we show that currently known methods to explicitly generate
asymptotically good (especially with high relative distances), binary codes with efficient associated procedures cannot be used to improve $n$. We also show that concatenated codes are currently better suited, and by exhausting small codes, find a closer
to optimal concatenated code for HQC, which improves upon currently used codes.
## 2025/115
* Title: Signatures with Tight Adaptive Corruptions from Search Assumptions
* Authors: Keitaro Hashimoto, Wakaha Ogata, Yusuke Sakai
* [Permalink](
https://eprint.iacr.org/2025/115)
* [Download](
https://eprint.iacr.org/2025/115.pdf)
### Abstract
We construct the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from classical discrete logarithm, RSA, factoring, or post-quantum group action discrete logarithm assumption. In contrast to our scheme, the
previous tightly secure schemes are based on the decisional assumption (e.g., (group action) DDH) or interactive search assumptions (e.g., one-more CDH).
The security of our schemes is independent of the number of users, signing queries, and RO queries, and forging our signatures is as hard as solving the underlying search problem. Our starting point is an identification scheme with multiple secret keys
per public key (e.g., Okamoto identification (CRYPTO'92) and parallel-OR identification (CRYPTO'94)). This property allows a reduction to solve a search problem while answering corruption queries for all users in the signature security game. To convert
such an identification scheme into a signature scheme tightly, we employ randomized Fischlin's transformation introduced by Kondi and shelat (Asiacrypt 2022) that provides straight-line extraction. Intuitively, the transformation properties guarantee the
tight security of our signature scheme in the programmable random oracle model, but we successfully prove its tight security in the non-programmable random oracle model.
## 2025/116
* Title: A Horizontal Attack on the Codes and Restricted Objects Signature Scheme (CROSS)
* Authors: Jonas Schupp, Georg Sigl
* [Permalink](
https://eprint.iacr.org/2025/116)
* [Download](
https://eprint.iacr.org/2025/116.pdf)
### Abstract
CROSS is a post-quantum secure digital signature scheme submitted to NIST’s Call for Additional Signatures which was recently selected for round 2. It features signature and key sizes in the range of SLH-DSA while providing a substantially faster
signing operation. Within this work, we provide the first passive side-channel attack on the scheme. The attack recovers the secret key from all except one parameter sets from a single power trace while requiring at maximum two power traces for the R-SDP(
G) 1 Fast instance. To successfully mount the attack, we show how to recover the secret key from side-channel information gained from the syndrome computation in CROSS’ identification protocol. We furthermore show how the hypothesis space for the
attack can be restricted using information from the published signature.
## 2025/117
* Title: Post-Quantum Online/Offline Signatures
* Authors: Martin R. Albrecht, Nicolas Gama, James Howe, Anand Kumar Narayanan * [Permalink](
https://eprint.iacr.org/2025/117)
* [Download](
https://eprint.iacr.org/2025/117.pdf)
### Abstract
Post-quantum signatures have high costs compared to RSA and ECDSA, in particular for smart cards. A line of work originating from Even, Goldreich, and Micali (CRYPTO'89) aimed to reduce digital signature latency by splitting up signing into an online and
offline phase. The online/offline paradigm combines an ordinary long-term signature scheme with a fast, generally one-time, signature scheme. We reconsider this paradigm in the context of lattice-based post-quantum signatures in the GPV framework, with
an example instantiation based on Falcon.
## 2025/118
* Title: How to Prove False Statements: Practical Attacks on Fiat-Shamir
* Authors: Dmitry Khovratovich, Ron D. Rothblum, Lev Soukhanov
* [Permalink](
https://eprint.iacr.org/2025/118)
* [Download](
https://eprint.iacr.org/2025/118.pdf)
### Abstract
The Fiat-Shamir (FS) transform is a prolific and powerful technique for compiling public-coin interactive protocols into non-interactive ones. Roughly speaking, the idea is to replace the random coins of the verifier with the evaluations of a complex
hash function.
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)