## In this issue
1. [2023/700] PIE: $p$-adic Encoding for High-Precision ...
2. [2024/1590] Matching radar signals and fingerprints with MPC
3. [2025/159] A Holistic Framework for Impossible Boomerang Attacks
4. [2025/160] The Nonlinear Filter Model of Stream Cipher Redivivus
5. [2025/161] Secure Showing of Partial Attributes
6. [2025/162] Learning from Functionality Outputs: Private Join ...
7. [2025/163] Bootstrapping (T)FHE Ciphertexts via Automorphisms: ...
8. [2025/164] Multi-Authority Functional Encryption with Bounded ...
9. [2025/165] Shuffle Shamir Secret Shares Uniformly with Linear ...
10. [2025/166] Polynomial Inversion Algorithms in Constant Time ...
11. [2025/167] Wiretapping LLMs: Network Side-Channel Attacks on ...
12. [2025/168] Revisiting Beimel-Weinreb Weighted Threshold Secret ...
13. [2025/169] Efficient Pseudorandom Correlation Generators for ...
14. [2025/170] Efficient Error Detection Methods for the Number ...
15. [2025/171] A light white-box masking scheme using Dummy ...
16. [2025/172] SoK: Understanding zk-SNARKs: The Gap Between ...
17. [2025/173] A Critical Analysis of Deployed Use Cases for ...
18. [2025/174] VITARIT: Paying for Threshold Services on Bitcoin ...
19. [2025/175] Updatable Public-Key Encryption, Revisited
20. [2025/176] HyperLoop: Rationally secure efficient cross-chain ...
21. [2025/177] On the Power of Sumcheck in Secure Multiparty ...
22. [2025/178] Improved Differential and Linear Cryptanalysis on ...
23. [2025/179] Higher-Order Deterministic Masking with Application ...
24. [2025/180] On the Atomicity and Efficiency of Blockchain ...
25. [2025/181] Improved NTT and CRT-based RNR Blinding for Side- ...
26. [2025/182] Deny Whatever You Want: Dual-Deniable Public-Key ...
27. [2025/183] OBLIVIATOR: Oblivious Parallel Joins and other ...
28. [2025/184] NodeChain: Cheap Data Integrity Without Consensus
29. [2025/185] AutoDiVer: Automatically Verifying Differential ...
30. [2025/186] Computing Quaternion Embeddings and Endomorphism ...
31. [2025/187] Asymptotic improvements to provable algorithms for ...
32. [2025/188] BulletCT: Towards More Scalable Ring Confidential ...
33. [2025/189] Experimentally studying path-finding problem ...
34. [2025/190] Binary Codes for Error Detection and Correction in ...
## 2023/700
* Title: PIE: $p$-adic Encoding for High-Precision Arithmetic in Homomorphic Encryption
* Authors: Luke Harmon, Gaetan Delavignette, Arnab Roy, David Silva
* [Permalink](
https://eprint.iacr.org/2023/700)
* [Download](
https://eprint.iacr.org/2023/700.pdf)
### Abstract
A large part of current research in homomorphic encryption (HE) aims towards making HE practical for real-world applications. In any practical HE, an important issue is to convert the application data (type) to the data type suitable for the HE.
The main purpose of this work is to investigate an efficient HE-compatible encoding method that is generic, and can be easily adapted to apply to the HE schemes over integers or polynomials.
$p$-adic number theory provides a way to transform rationals to integers, which makes it a natural candidate for encoding rationals. Although one may use naive number-theoretic techniques to perform rational-to-integer transformations without reference
to $p$-adic numbers, we contend that the theory of $p$-adic numbers is the proper lens to view such transformations.
In this work we identify mathematical techniques (supported by $p$-adic number theory) as appropriate tools to construct a generic rational encoder which is compatible with HE. Based on these techniques, we propose a new encoding scheme PIE, that can
be easily combined with both AGCD-based and RLWE-based HE to perform high precision arithmetic. After presenting an abstract version of PIE, we show how it can be attached to two well-known HE schemes: the AGCD-based IDGHV scheme and the RLWE-based (
modified) Fan-Vercauteren scheme. We also discuss the advantages of our encoding scheme in comparison with previous works.
## 2024/1590
* Title: Matching radar signals and fingerprints with MPC
* Authors: Benjamin Hansen Mortensen, Mathias Karsrud Nordal, Martin Strand
* [Permalink](
https://eprint.iacr.org/2024/1590)
* [Download](
https://eprint.iacr.org/2024/1590.pdf)
### Abstract
Vessels can be recognised by their navigation radar due to the characteristics of the emitted radar signal. This is particularly useful if one wants to build situational awareness without revealing one's own presence. Most countries maintain databases of
radar fingerprints but will not readily share these due to national security regulations. Sharing of such information will generally require some form of information exchange agreement.
However, all parties in a coalition benefit from correct identification. We use secure multiparty computation to match a radar signal measurement against secret databases and output plausible matches with their likelihoods. We also provide a demonstrator
using MP-SPDZ.
## 2025/159
* Title: A Holistic Framework for Impossible Boomerang Attacks
* Authors: Yincen Chen, Qinggan Fu, Ning Zhao, Jiahao Zhao, Ling Song, Qianqian Yang
* [Permalink](
https://eprint.iacr.org/2025/159)
* [Download](
https://eprint.iacr.org/2025/159.pdf)
### Abstract
In 2011, Lu introduced the impossible boomerang attack at DCC. This powerful cryptanalysis technique combines the strengths of the impossible differential and boomerang attacks, thereby inheriting the advantages of both cryptographic techniques. In this
paper, we propose a holistic framework comprising two generic and effective algorithms and a MILP-based model to search for the optimal impossible boomerang attack systematically. The first algorithm incorporates any key guessing strategy, while the
second integrates the meet-in-the-middle (MITM) attack into the key recovery process. Our framework is highly flexible, accommodating any set of attack parameters and returning the optimal attack complexity. When applying our framework to Deoxys-BC-256,
Deoxys-BC-384, Joltik-BC-128, Joltik-BC-192, and SKINNYe v2, we achieve several significant improvements. We achieve the first 11-round impossible boomerang attacks on Deoxys-BC-256\ and Joltik-BC-128. For SKINNYe v2, we achieve the first 33-round
impossible boomerang attack, then using the MITM approach in the key recovery attack, the time complexity is significantly reduced. Additionally, for the 14-round Deoxys-BC-384 and Joltik-BC-192, the time complexity of the impossible boomerang attack is
reduced by factors exceeding 2^{27} and 2^{12}, respectively.
## 2025/160
* Title: The Nonlinear Filter Model of Stream Cipher Redivivus
* Authors: Claude Carlet, Palash Sarkar
* [Permalink](
https://eprint.iacr.org/2025/160)
* [Download](
https://eprint.iacr.org/2025/160.pdf)
### Abstract
The nonlinear filter model is an old and well understood approach to the design of secure stream ciphers. Extensive research over several decades has shown how to attack stream ciphers based on this model and has identified the security properties
required of the Boolean function used as the filtering function to resist such attacks. This led to the problem of constructing Boolean functions which provide adequate security and at the same time are efficient to implement. Unfortunately, over the
last two decades no good solutions to this problem appeared in the literature. The lack of good solutions has effectively led to nonlinear filter model becoming more or less obsolete. This is a big loss to the cryptographic design toolkit, since the
great advantages of the nonlinear filter model are its simplicity, well understood security and the potential to provide low cost solutions for hardware oriented stream ciphers. In this paper we construct balanced functions on an odd number $n\geq 5$ of
variables with the following provable properties: linear bias equal to $2^{-\lfloor n/2\rfloor -1}$, algebraic degree equal to $2^{\lfloor \log_2\lfloor n/2\rfloor \rfloor}$, algebraic immunity at least $\lceil (n-1)/4\rceil$, fast algebraic immunity at
least $1+\lceil (n-1)/4\rceil $, and can be implemented using $O(n)$ NAND gates. The functions are obtained from a simple modification of the well known class of Maiorana-McFarland bent functions. By appropriately choosing $n$ and the length $L$ of the
linear feedback shift register, we show that it is possible to obtain examples of stream ciphers which are $\kappa$-bit secure against known types of attacks for various values of $\kappa$. We provide concrete proposals for $\kappa=80,128,160,192,224$
and $256$. For the $80$-bit, $128$-bit, and the $256$-bit security levels, the circuits for the corresponding stream ciphers require about 1743.5, 2771.5, and 5607.5 NAND gates respectively. For the $80$-bit and the $128$-bit security levels, the gate
count estimates compare quite well to the famous ciphers Trivium and Grain-128a respectively, while for the $256$-bit security level, we do not know of any other stream cipher design which has such a low gate count.
## 2025/161
* Title: Secure Showing of Partial Attributes
* Authors: Foteini Baldimtsi, Julia Kastner, Julian Loss, Omar Renawi
* [Permalink](
https://eprint.iacr.org/2025/161)
* [Download](
https://eprint.iacr.org/2025/161.pdf)
### Abstract
Anonymous Attribute-Based Credentials (ABCs) allow users to prove possession of attributes while adhering to various authentication policies and without revealing unnecessary information. Single-use ABCs are particularly appealing for their lightweight
nature and practical efficiency. These credentials are typically built using blind signatures, with Anonymous Credentials Light (ACL) being one of the most prominent schemes in the literature. However, the security properties of single-use ABCs,
especially their secure showing property, have not been fully explored, and prior definitions and corresponding security proofs fail to address scenarios involving partial attribute disclosure effectively. In this work, we propose a stronger secure
showing definition that ensures robust security even under selective attribute revelation. Our definition extends the winning condition of the existing secure showing experiment by adding various constraints on the subsets of opened attributes. We show
how to represent this winning condition as a matching problem in a suitable bipartite graph, thus allowing for it to be verified efficiently. We then prove that ACL satisfies our strong secure showing notion without any modification. Finally, we define
double-spending prevention for single-use ABCs, and show how ACL satisfies the definition.
## 2025/162
* Title: Learning from Functionality Outputs: Private Join and Compute in the Real World
* Authors: Francesca Falzon, Tianxin Tang
* [Permalink](
https://eprint.iacr.org/2025/162)
* [Download](
https://eprint.iacr.org/2025/162.pdf)
### Abstract
Private Join and Compute (PJC) is a two-party protocol recently proposed by Google for various use-cases, including ad conversion (Asiacrypt 2021) and which generalizes their deployed private set intersection sum (PSI-SUM) protocol (EuroS&P 2020).
PJC allows two parties, each holding a key-value database, to privately evaluate the inner product of the values whose keys lie in the intersection. While the functionality output is not typically considered in the security model of the MPC literature,
it may pose real-world privacy risks, thus raising concerns about the potential deployment of protocols like PJC.
In this work, we analyze the risks associated with the PJC functionality output. We consider an adversary that is a participating party of PJC and describe four practical attacks that break the other party's input privacy, and which are able to recover
both membership of keys in the intersection and their associated values. Our attacks consider the privacy threats associated with deployment and highlight the need to include the functionality output as part of the MPC security model.
## 2025/163
* Title: Bootstrapping (T)FHE Ciphertexts via Automorphisms: Closing the Gap Between Binary and Gaussian Keys
* Authors: Olivier Bernard, Marc Joye
* [Permalink](
https://eprint.iacr.org/2025/163)
* [Download](
https://eprint.iacr.org/2025/163.pdf)
### Abstract
The GINX method in TFHE offers low-latency ciphertext bootstrapping with relatively small bootstrapping keys, but is limited to binary or ternary key distributions. In contrast, the AP method supports arbitrary key distributions, however at the cost of
significantly large bootstrapping keys. Building on AP, automorphism-based methods (LMK⁺, EUROCRYPT 2023) achieve smaller keys, though each automorphism application necessitates a key switch, introducing computational overhead and noise.
This paper advances automorphism-based methods in two important ways. First, it proposes a novel traversal blind rotation algorithm that optimizes the number of key switches for a given key material. Second, it introduces an automorphism-parametrized
external product that seamlessly applies an automorphism to one of the input ciphertexts. Together, these techniques substantially reduce the number of key switches, resulting in faster bootstrapping and improved noise control. As an independent
contribution, this paper also introduce a comprehensive theoretical framework for analyzing the expected number of automorphism key switches, whose predictions perfectly align with the results of extensive numerical experiments, demonstrating its
practical relevance.
In a typical setting, by utilizing additional key material, the LLW⁺ approach (TCHES 2024) reduces key switches by 17% compared to LMK⁺. Our combined techniques achieve a 46% reduction using similar key material and can eliminate an arbitrary large
number (e.g., > 99%) of key switches with only a moderate (9x) increase in key material size.
## 2025/164
* Title: Multi-Authority Functional Encryption with Bounded Collusions from Standard Assumptions
* Authors: Rishab Goyal, Saikumar Yadugiri
* [Permalink](
https://eprint.iacr.org/2025/164)
* [Download](
https://eprint.iacr.org/2025/164.pdf)
### Abstract
Multi-Authority Functional Encryption ($\mathsf{MA}$-$\mathsf{FE}$) [Chase, TCC'07; Lewko-Waters, Eurocrypt'11; Brakerski et al., ITCS'17] is a popular generalization of functional encryption ($\mathsf{FE}$) with the central goal of decentralizing the
trust assumption from a single central trusted key authority to a group of multiple, independent and non-interacting, key authorities. Over the last several decades, we have seen tremendous advances in new designs and constructions for $\mathsf{FE}$
supporting different function classes, from a variety of assumptions and with varying levels of security. Unfortunately, the same has not been replicated in the multi-authority setting. The current scope of $\mathsf{MA}$-$\mathsf{FE}$ designs is rather
limited, with positive results only known for (all-or-nothing) attribute-based functionalities, or need full power of general-purpose code obfuscation. This state-of-the-art in $\mathsf{MA}$-$\mathsf{FE}$ could be explained in part by the implication
provided by Brakerski et al. (ITCS'17). It was shown that a general-purpose obfuscation scheme can be designed from any $\mathsf{MA}$-$\mathsf{FE}$ scheme for circuits, even if the $\mathsf{MA}$-$\mathsf{FE}$ scheme is secure only in a bounded-collusion
model, where at most two keys per authority get corrupted.
In this work, we revisit the problem of $\mathsf{MA}$-$\mathsf{FE}$, and show that existing implication from $\mathsf{MA}$-$\mathsf{FE}$ to obfuscation is not tight. We provide new methods to design $\mathsf{MA}$-$\mathsf{FE}$ for circuits from simple
and minimal cryptographic assumptions. Our main contributions are summarized below
1. We design a $\mathsf{poly}(\lambda)$-authority $\mathsf{MA}$-$\mathsf{FE}$ for circuits in the bounded-collusion model. Under the existence of public-key encryption, we prove it to be statically simulation-secure. Further, if we assume sub-
exponential security of public-key encryption, then we prove it to be adaptively simulation-secure in the Random Oracle Model.
2. We design a $O(1)$-authority $\mathsf{MA}$-$\mathsf{FE}$ for circuits in the bounded-collusion model. Under the existence of 2/3-party non-interactive key exchange, we prove it to be adaptively simulation-secure.
3. We provide a new generic bootstrapping compiler for $\mathsf{MA}$-$\mathsf{FE}$ for general circuits to design a simulation-secure $(n_1 + n_2)$-authority $\mathsf{MA}$-$\mathsf{FE}$ from any two $n_1$-authority and $n_2$-authority $\mathsf{MA}$-$\
mathsf{FE}$.
## 2025/165
* Title: Shuffle Shamir Secret Shares Uniformly with Linear Online Communication
* Authors: Jiacheng Gao, Yuan Zhang, Sheng Zhong
* [Permalink](
https://eprint.iacr.org/2025/165)
* [Download](
https://eprint.iacr.org/2025/165.pdf)
### Abstract
In this paper, we revisit shuffle protocol for Shamir secret sharing. Upon examining previous works, we observe that existing constructions either produce non-uniform shuffle or require large communication and round complexity, e.g. exponential in the
number of parties. We propose two shuffle protocols, both of which shuffle uniformly within $O(\frac{k + l}{\log k}n^2m\log m)$ communication for shuffling rows of an $m\times l$ matrix shared among $n$ parties, where $k\leq m$ is a parameter balancing
communication and computation. Our first construction is more concretely efficient, while our second construction requires only $O(nml)$ online communication within $O(n)$ round. In terms of overall communication and online communication, both shuffle
protocols outperform current optimal shuffle protocols for Shamir secret sharing.
At the core of our constructions is a novel permutation-sharing technique, which can be used to permute arbitrarily many vectors by computing matrix-vector products. Once shared, applying a permutation becomes much cheaper, which results in a faster
online phase. Letting each party share one secret uniform permutation in the offline phase and applying them sequentially in the online phase, we obtain our first shuffle protocol. To further optimize online complexity and simplify the trade-off, we
adopt the shuffle correlation proposed by Gao et al. and obtain the second shuffle protocol with $O(nml)$ online communication and $O(n^2ml)$ online computation. This brings an additional benefit that the online complexity is now independent of offline
complexity, which reduces parameter optimization to optimizing offline efficiency.
Our constructions require only most basic primitives in Shamir secret sharing scheme, and work for arbitrary field $\mathbb{F}$ of size larger than $n$. As shuffle is a frequent operation in algorithm design, we expect them to accelerate many other
primitives in context of Shamir secret sharing MPC, such as sorting, oblivious data structure, etc.
## 2025/166
* Title: Polynomial Inversion Algorithms in Constant Time for Post-Quantum Cryptography
* Authors: Abhraneel Dutta, Emrah Karagoz, Edoardo Persichetti, Pakize Sanal
* [Permalink](
https://eprint.iacr.org/2025/166)
* [Download](
https://eprint.iacr.org/2025/166.pdf)
### Abstract
The computation of the inverse of a polynomial over a quotient ring or a finite field plays a very important role during the key generation of post-quantum cryptosystems like NTRU, BIKE, and LEDACrypt. It is therefore important that there exist an
efficient algorithm capable of running in constant time, to prevent timing side-channel attacks. In this article, we study both constant-time algorithms based on Fermat's Little Theorem and the Extended $GCD$ Algorithm, and provide a detailed comparison
in terms of performance. According to our conclusion, we see that the constant-time Extended $GCD$-based Bernstein-Yang's algorithm shows a better performance with 1.76x-3.76x on \texttt{x86} platforms compared to FLT-based methods. Although we report
numbers from a software implementation, we additionally provide a short glimpse of some recent results when these two algorithms are implemented on various hardware platforms. Finally, we also explore other exponentiation algorithms that work similarly
to the Itoh-Tsuji inversion method. These algorithms perform fewer polynomial multiplications and show a better performance with 1.56x-1.96x on \texttt{x86} platform compared to Itoh-Tsuji inversion method.
## 2025/167
* Title: Wiretapping LLMs: Network Side-Channel Attacks on Interactive LLM Services
* Authors: Mahdi Soleimani, Grace Jia, In Gim, Seung-seob Lee, Anurag Khandelwal
* [Permalink](
https://eprint.iacr.org/2025/167)
* [Download](
https://eprint.iacr.org/2025/167.pdf)
### Abstract
Recent server-side optimizations like speculative decoding significantly enhance the interactivity and resource efficiency of Large Language Model (LLM) services. However, we show that these optimizations inadvertently introduce new side-channel
vulnerabilities through network packet timing and size variations that tend to be input-dependent. Network adversaries can leverage these side channels to learn sensitive information contained in \emph{encrypted} user prompts to and responses from public
LLM services.
This paper formalizes the security implications using a novel indistinguishability framework and introduces a novel attack that establishes the insecurity of real-world LLM services with streaming APIs under our security framework.
Our proposed attack effectively deconstructs encrypted network packet traces to reveal the sizes of underlying LLM-generated tokens and whether the tokens were generated with or without certain server-side optimizations. Our attack can accurately predict
private attributes in real-world privacy-sensitive LLM applications in medicine and finance with $71$--$92\%$ accuracy on an open-source vLLM service and $50$--$90\%$ accuracy on the commercial ChatGPT service. Finally, we show that solutions that hide
these side channels to different degrees expose a tradeoff between security and performance --- specifically, interactivity and network bandwidth overheads.
## 2025/168
* Title: Revisiting Beimel-Weinreb Weighted Threshold Secret Sharing Schemes
* Authors: Oriol Farràs, Miquel Guiot
* [Permalink](
https://eprint.iacr.org/2025/168)
* [Download](
https://eprint.iacr.org/2025/168.pdf)
### Abstract
A secret sharing scheme is a cryptographic primitive that allows a dealer to share a secret among a set of parties, so that only authorized subsets of them can recover it. The access structure of the scheme is the family of authorized subsets. In a
weighted threshold secret sharing scheme, each party is assigned a weight according to its importance, and the authorized subsets are those in which the sum of their weights is at least the threshold value.
For these access structures, the best general constructions were presented by Beimel and Weinreb [IPL 2006]: The scheme with perfect security has share size $n^{O(\log n)}$, while the scheme with computational security has share size polynomial in $n$.
However, these constructions require the use of shallow monotone sorting networks, which limits their practical use.
In this context, we revisit this work and provide variants of these constructions that are feasible in practice. This is done by considering alternative circuits and formulas for weighted threshold functions that do not require monotone sorting networks.
We show that, under the assumption that subexponentially secure one-way functions exist, any WTAS over $n$ parties and threshold $\sigma$ admits a computational secret sharing scheme where the size of the shares is $\mathrm{polylog}(n)$ and the size of
the public information is $O(n^2\log n\log \sigma)$. Moreover, we show that any authorized subset only needs to download $O(n\log n\log \sigma)$ bits of public information to recover the secret.
## 2025/169
* Title: Efficient Pseudorandom Correlation Generators for Any Finite Field
* Authors: Zhe Li, Chaoping Xing, Yizhou Yao, Chen Yuan
* [Permalink](
https://eprint.iacr.org/2025/169)
* [Download](
https://eprint.iacr.org/2025/169.pdf)
### Abstract
Correlated randomness lies at the core of efficient modern secure multi-party computation (MPC) protocols. Costs of generating such correlated randomness required for the MPC online phase protocol often constitute a bottleneck in the overall protocol.
A recent paradigm of {\em pseudorandom correlation generator} (PCG) initiated by Boyle et al. (CCS'18, Crypto'19) offers an appealing solution to this issue. In sketch, each party is given a short PCG seed, which can be locally expanded into long
correlated strings, satisfying the target correlation. Among various types of correlations, there is oblivious linear evaluation (OLE), a fundamental and useful primitive for typical MPC protocols on arithmetic circuits.
Towards efficient generating a great amount of OLE, and applications to MPC protocols, we establish the following results:
(i) We propose a novel {\em programmable} PCG construction for OLE over any field $\mathbb{F}_p$. For $kN$ OLE correlations, we require $O(k\log{N})$ communication and $O(k^2N\log{N})$ computation, where $k$ is an arbitrary integer $\geq 2$. Previous
works either have quadratic computation (Boyle et al. Crypto'19), or can only support fields of size larger than $2$ (Bombar et al. Crypto'23).
(ii) We extend the above OLE construction to provide various types of correlations for any finite field. One of the fascinating applications is an efficient PCG for two-party {\em authenticated Boolean multiplication triples}. For $kN$ authenticated
triples, we offer PCGs with seed size of $O(k^2\log{N})$ bits. To our best knowledge, such correlation has not been realized with sublinear communication and quasi-linear computation ever before.
(iii) In addition, the \emph{programmability} admits efficient PCGs for multi-party Boolean triples, and thus the first efficient MPC protocol for Boolean circuits with {\em silent} preprocessing. In particular, we show $kN$ $m$-party Boolean
multiplication triples can be generated in $O(m^2k\log{N})$-bit communication, while the state-of-the-art FOLEAGE (Asiacrypt'24) requires a broadcast channel and takes $mkN+O(m^2\log{kN})$ bits communication.
(iv) Finally, we present efficient PCGs for circuit-dependent preprocessing, matrix multiplications triples, and string OTs etc. Compared to previous works, each has its own right.
## 2025/170
* Title: Efficient Error Detection Methods for the Number Theoretic Transforms in Lattice-Based Algorithms
* Authors: Mohamed Abdelmonem, Lukas Holzbaur, Håvard Raddum, Alexander Zeh
* [Permalink](
https://eprint.iacr.org/2025/170)
* [Download](
https://eprint.iacr.org/2025/170.pdf)
### Abstract
The Number Theoretic Transform (NTT) is a crucial component in many post-quantum cryptographic (PQC) algorithms, enabling efficient polynomial multiplication. However, the reliability of NTT computations is an important concern, especially for safety-
critical applications. This work presents novel techniques to improve the fault tolerance of NTTs used in prominent PQC schemes such as Kyber, Dilithium, and Falcon. The work first establishes a theoretical framework for error detection in NTTs,
exploiting the inherent algebraic properties of these transforms. It derives necessary and sufficient conditions for constructing error-detecting vectors that can identify single faults without the need for costly recomputation. For the Dilithium scheme,
the work further advances the state-of-the-art by developing the first algorithm capable of detecting up to two maliciously placed faults. The proposed error detection methods are shown to reduce the number of required multiplications by half, leading to
significant improvements in computational efficiency compared to existing single error-detecting algorithms. Concrete implementations for Kyber, Dilithium, and Falcon demonstrate the practicality and effectiveness of the error-detection scheme.
## 2025/171
* Title: A light white-box masking scheme using Dummy Shuffled Secure Multiplication
* Authors: Alex Charlès, Aleksei Udovenko
* [Permalink](
https://eprint.iacr.org/2025/171)
* [Download](
https://eprint.iacr.org/2025/171.pdf)
### Abstract
In white-box cryptography, early encoding-based countermeasures have been broken by the DCA attack, leading to the utilization of masking schemes against a surge of automated attacks. The recent filtering attack from CHES 2024 broke the last viable
masking scheme from CHES 2021 resisting both computational and algebraic attacks, raising the need for new countermeasures.
In this work, we perform the first formal study of the combinations of existing countermeasures and demonstrate that applying Dummy Shuffling (EUROCRYPT 2021) then ISW masking (CRYPTO 2003) to a circuit carries algebraic, correlation, and filtering
security - necessary conditions to withstand state-of-the-art automated attacks. We also show that applying these two countermeasures in the opposite order leads to a Higher-Order Filtering attack, highlighting the importance of the order of application
of the combined countermeasures.
We also propose a new masking scheme called S5, standing for the Semi-Shuffled Secret Sharing Scheme, a scheme merging Dummy Shuffling and ISW in a single countermeasure more efficiently than a direct composition.
## 2025/172
* Title: SoK: Understanding zk-SNARKs: The Gap Between Research and Practice
* Authors: Junkai Liang, Daqi Hu, Pengfei Wu, Yunbo Yang, Qingni Shen, Zhonghai Wu
* [Permalink](
https://eprint.iacr.org/2025/172)
* [Download](
https://eprint.iacr.org/2025/172.pdf)
### Abstract
Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) are a powerful tool for proving computation correctness, attracting significant interest from researchers, developers, and users. However, the complexity of zk-SNARKs has created
gaps between these groups, hindering progress. Researchers focus on constructing efficient proving systems with stronger security and new properties, while developers and users prioritize toolchains, usability, and compatibility.
In this work, we provide a comprehensive study of zk-SNARK, from theory to practice, pinpointing gaps and limitations. We first present a master recipe that unifies the main steps in converting a program into a zk-SNARK. We then classify existing zk-
SNARKs according to their key techniques. Our classification addresses the main difference in practically valuable properties between existing zk-SNARK schemes. We survey over 40 zk-SNARKs since 2013 and provide a reference table listing their categories
and properties. Following the steps in master recipe, we then survey 11 general-purpose popular used libraries. We elaborate on these libraries' usability, compatibility, efficiency and limitations. Since installing and executing these zk-SNARK systems
is challenging, we also provide a completely virtual environment in which to run the compiler for each of them. We identify that the proving system is the primary focus in cryptography academia. In contrast, the constraint system presents a bottleneck in
industry. To bridge this gap, we offer recommendations and advocate for the opensource community to enhance documentation, standardization and compatibility.
## 2025/173
* Title: A Critical Analysis of Deployed Use Cases for Quantum Key Distribution and Comparison with Post-Quantum Cryptography
* Authors: Nick Aquina, Bruno Cimoli, Soumya Das, Kathrin Hövelmanns, Fiona Johanna Weber, Chigo Okonkwo, Simon Rommel, Boris Škorić, Idelfonso Tafur Monroy, Sebastian Verschoor
* [Permalink](
https://eprint.iacr.org/2025/173)
* [Download](
https://eprint.iacr.org/2025/173.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)