## In this issue

1. [2023/1536] Leaky McEliece: Secret Key Recovery From Highly ...
2. [2024/1572] Bounded Collusion-Resistant Registered Functional ...
3. [2024/1593] Stateful Communication with Malicious Parties
4. [2025/191] Adaptive Distributional Security: A Framework for ...
5. [2025/197] Cryptanalysis of a nonlinear filter-based stream cipher
6. [2025/202] Distributed Non-Interactive Zero-Knowledge Proofs
7. [2025/203] Ciphertext-Simulatable HE from BFV with Randomized ...
8. [2025/204] Simpler and Stronger Models for Deniable Authentication
9. [2025/205] Addressing Scalability Issues of Blockchains with ...
10. [2025/206] Revisiting the Differential-Linear Attacks on ...
11. [2025/207] Efficient Mixed Garbling from Homomorphic Secret ...
12. [2025/208] Reductions Between Code Equivalence Problems
13. [2025/209] NovaTEE: Private Clearing and Settlement on Trusted ...
14. [2025/210] Practical Keyword Private Information Retrieval ...
15. [2025/211] Prior-Based Label Differential Privacy via Secure ...
16. [2025/212] Constructing Quantum Implementations with the ...
17. [2025/213] An Innovative Lightweight Symmetric Encryption ...
18. [2025/214] Rejected Challenges Pose New Challenges: Key ...
19. [2025/215] A note on the genus of the HAWK lattice
20. [2025/216] Practical Circuit Privacy/Sanitization for TFHE
21. [2025/217] Assumption-Free Fuzzy PSI via Predicate Encryption
22. [2025/218] LSM Trees in Adversarial Environments
23. [2025/219] Slot a la carte: Centralization Issues in ...
24. [2025/220] The Quantum Decoherence Model: Everlasting ...
25. [2025/221] Uniformly Most Powerful Tests for Ad Hoc ...
26. [2025/222] A Robust Variant of ChaCha20-Poly1305
27. [2025/223] Building Hard Problems by Combining Easy Ones: ...
28. [2025/224] Lightweight Single-Server PIR with ...
29. [2025/225] “Check-Before-you-Solve”: Verifiable Time-lock Puzzles
30. [2025/226] Improved Subfield Curve Search For Specific Field ...
31. [2025/227] Two Is All It Takes: Asymptotic and Concrete ...
32. [2025/228] Network agnostic consensus in constant time
33. [2025/229] ETK: External-Operations TreeKEM and the Security ...
34. [2025/230] Privately Constrained PRFs from DCR: Puncturing and ...
35. [2025/231] NoIC: PAKE from KEM without Ideal Ciphers
36. [2025/232] Authenticated BitGC for Actively Secure Rate-One 2PC
37. [2025/233] Anamorphic Resistant Encryption: the Good, the Bad ...
38. [2025/234] Merkle Mountain Ranges are Optimal: On witness ...
39. [2025/235] Doubly Efficient Cryptography: Commitments, ...
40. [2025/236] Diamond iO: A Straightforward Construction of ...
41. [2025/237] UC-Security of Encrypted Key Exchange: A Tutorial
42. [2025/238] On the Power of Polynomial Preprocessing: Proving ...
43. [2025/239] DART: Decentralized, Anonymous, and Regulation- ...
44. [2025/240] Robust Non-Interactive Zero-Knowledge Combiners
45. [2025/241] IBE-IBE: Intent-Based Execution through Identity- ...
46. [2025/242] Rational Secret Sharing with Competition
47. [2025/243] K-Linkable Ring Signatures and Applications in ...
48. [2025/244] Provable Speedups for SVP Approximation Under ...
49. [2025/245] Silent Circuit Relinearisation: Sublinear-Size ...
50. [2025/246] Towards Optimal Early Stopping Agreement Protocols
51. [2025/247] LatticeFold+: Faster, Simpler, Shorter Lattice- ...
52. [2025/248] New Exchanged Boomerang Distinguishers for 5-Round AES

## 2023/1536

* Title: Leaky McEliece: Secret Key Recovery From Highly Erroneous Side-Channel Information
* Authors: Marcus Brinkmann, Chitchanok Chuengsatiansup, Alexander May, Julian Nowakowski, Yuval Yarom
* [Permalink](https://eprint.iacr.org/2023/1536)
* [Download](https://eprint.iacr.org/2023/1536.pdf)

### Abstract

The McEliece cryptosystem is a strong contender for post-quantum schemes, including key encapsulation for confidentiality of key exchanges in network protocols.

A McEliece secret key is a structured parity check matrix that is transformed via Gaussian elimination into an unstructured public key. We show that this transformation is highly critical with respect to side-channel leakage. We assume leakage of the
elementary row operations during Gaussian elimination, motivated by McEliece implementations in the cryptographic libraries Classic McEliece and Botan.

We propose a novel decoding algorithm to reconstruct a secret key from its public key with information from a Gaussian transformation leak. Even if the obtained side-channel leakage is extremely noisy, i.e., each bit is flipped with probability as high
as τ ≈ 0.4, we succeed to recover the secret key in a matter of minutes for all proposed (Classic) McEliece instantiations. Remarkably, for high-security McEliece parameters, our attack is more powerful in the sense that it can tolerate even larger τ.

We demonstrate our attack on the constant-time reference implementation of Classic McEliece in a single-trace setting, using an STM32L592 ARM processor.

Our result stresses the necessity of properly protecting highly structured code-based schemes such as McEliece against side-channel leakage.



## 2024/1572

* Title: Bounded Collusion-Resistant Registered Functional Encryption for Circuits
* Authors: Yijian Zhang, Jie Chen, Debiao He, Yuqing Zhang
* [Permalink](https://eprint.iacr.org/2024/1572)
* [Download](https://eprint.iacr.org/2024/1572.pdf)

### Abstract

As an emerging primitive, Registered Functional Encryption (RFE) eliminates the key-escrow issue that threatens numerous works for functional encryption, by replacing the trusted authority with a transparent key curator and allowing each user to sample
their decryption keys locally. In this work, we present a new black-box approach to construct RFE for all polynomial-sized circuits. It considers adaptive simulation-based security in the bounded collusion model (Gorbunov et al. - CRYPTO'12), where the
security can be ensured only if there are no more than Q >= 1 corrupted users and $Q$ is fixed at the setup phase. Unlike earlier works, we do not employ unpractical Indistinguishability Obfuscation (iO). Conversely, it can be extended to support
unbounded users, which is previously only known from iO.

Technically, our general compiler exploits garbled circuits and a novel variant of slotted Registered Broadcast Encryption (RBE), namely global slotted RBE. This primitive is similar to slotted RBE, but needs optimally compact public parameters and
ciphertext, so as to satisfy the efficiency requirement of the resulting RFE. Then we present two concrete global slotted RBE from pairings and lattices, respectively. With proposed compiler, we hence obtain two bounded collusion-resistant RFE schemes.
Here, the first scheme relies on k-Lin assumption, while the second one supports unbounded users under LWE and evasive LWE assumptions.



## 2024/1593

* Title: Stateful Communication with Malicious Parties
* Authors: Chen-Da Liu-Zhang, Christopher Portmann, Guilherme Rito
* [Permalink](https://eprint.iacr.org/2024/1593)
* [Download](https://eprint.iacr.org/2024/1593.pdf)

### Abstract

Cryptography's most common use is secure communication---e.g. Alice can use encryption to hide the contents of the messages she sends to Bob (confidentiality) and can use signatures to assure Bob she sent these messages (authenticity). While one
typically considers stateless security guarantees---for example a channel that Alice can use to send messages securely to Bob---one can also consider stateful ones---e.g. an interactive conversation between Alice, Bob and their friends where
participation is dynamic: new parties can join the conversation and existing ones can leave. A natural application of such stateful guarantees are messengers.

We introduce a modular abstraction for stateful group communication, called Chat Sessions, which captures security guarantees that are achievable in fully asynchronous settings when one makes no party-honesty assumptions: anyone (including group members
themselves) can be fully dishonest. Our abstraction is parameterized by (and enforces) a permissions policy that defines what operations parties have the right to perform in a given chat state. We show how to construct, use and extend Chat Sessions.

Our construction is fully decentralized (in particular, it need not a delivery service), does not incur additional interaction between chat participants (other than what is inherent from chat operations like sending a message) and liveness depends solely
on messages being delivered.

A key feature of Chat Sessions is modularity: we extend Chat Sessions to capture authenticity, confidentiality, anonymity and off-the-record, and show our construction provides these guarantees if the underlying communication channels do too. We
complement this by proving Maurer et al.'s Multi-Designated Receiver Public Key Encryption scheme (Eurocrypt '22) constructs matching communication channels (i.e. with all these guarantees).

We use Chat Sessions to construct UatChat: a simple and equally modular messaging application. Since UatChat preserves each of the guarantees mentioned above, this means we give the first fully Off-The-Record messaging application: parties can plausibly
deny not only having sent any messages but even of being aware of a chat's existence.



## 2025/191

* Title: Adaptive Distributional Security: A Framework for Input-Adaptive Cryptography
* Authors: Cruz Barnum, David Heath
* [Permalink](https://eprint.iacr.org/2025/191)
* [Download](https://eprint.iacr.org/2025/191.pdf)

### Abstract

It is often desirable to break cryptographic primitives into two components: an input-independent offline component, and a cheap online component used when inputs arrive. Security of such online/offline primitives must be proved in the input-adaptive
setting: the adversary chooses its input adaptively, based on what it sees in the offline-phase. Proving security in the input-adaptive setting can be difficult, particularly when one wishes to achieve simulation security and avoid idealized objects like
a random oracle (RO).

This work proposes a framework for reasoning about input-adaptive primitives: adaptive distributional security (ADS). Roughly, an ADS primitive provides security when it is used with inputs drawn from one of two distributions that are themselves hard to
distinguish. ADS is useful as a framework for the following reasons:
- An ADS definition can often circumvent impossibility results imposed on the corresponding simulation-based definition. This allows us to decrease the online-cost of primitives, albeit by using a weaker notion of security.
- With care, one can typically upgrade an ADS-secure object into a simulation-secure object (by increasing cost in the online-phase).
- ADS is robust, in the sense that (1) it enables a form of composition and (2) interesting ADS primitives are highly interconnected in terms of which objects imply which other objects.
- Many useful ADS-secure objects are plausibly secure from straightforward symmetric-key cryptography.

We start by defining the notion of an ADS encryption (ADE) scheme.
A notion of input-adaptive encryption can be easily achieved from RO, and the ADE definition can be understood as capturing the concrete property provided by RO that is sufficient to achieve input-adaptivity. From there, we use ADE to achieve ADS
variants of garbled circuits and oblivious transfer, to achieve simulation-secure garbled circuits, oblivious transfer, and two-party computation, and prove interconnectedness of these primitives. In sum, this results in a family of objects with
extremely cheap online-cost.



## 2025/197

* Title: Cryptanalysis of a nonlinear filter-based stream cipher
* Authors: Tim Beyne, Michiel Verbauwhede
* [Permalink](https://eprint.iacr.org/2025/197)
* [Download](https://eprint.iacr.org/2025/197.pdf)

### Abstract

It is shown that the stream cipher proposed by Carlet and Sarkar in ePrint report 2025/160 is insecure. More precisely, one bit of the key can be deduced from a few keystream bytes. This property extends to an efficient key-recovery attack. For example,
for the proposal with 80 bit keys, a few kilobytes of keystream material are sufficient to recover half of the key.



## 2025/202

* Title: Distributed Non-Interactive Zero-Knowledge Proofs
* Authors: Alex B. Grilo, Ami Paz, Mor Perry
* [Permalink](https://eprint.iacr.org/2025/202)
* [Download](https://eprint.iacr.org/2025/202.pdf)

### Abstract

Distributed certification is a set of mechanisms that allows an all-knowing prover to convince the units of a communication network that the network's state has some desired property, such as being $3$-colorable or triangle-free. Classical mechanisms,
such as proof labeling schemes (PLS), consist of a message from the prover to each unit, followed by on-e round of communication between each unit and its neighbors.
Later works consider extensions, called distributed interactive proofs, where the prover and the units can have multiple rounds of communication before the communication among the units. Recently, Bick, Kol, and Oshman (SODA '22) defined a zero-knowledge
version of distributed interactive proofs, where the prover convinces the units of the network’s state without revealing any other information about the network’s state or structure. In their work, they propose different variants of this model and
show that many graph properties of interest can be certified with them.

In this work, we define and study distributed non-interactive zero-knowledge proofs (dNIZK); these can be seen as a non-interactive version of the aforementioned model, and also as a zero-knowledge version of PLS. We prove the following:

- There exists a dNIZK protocol for $3$-coloring with $O(\log n)$-bit messages from the prover and $O(\log n)$-size messages among neighbors. This disproves a conjecture from previous work asserting that the total number of bits from the prover should
grow linearly with the number of edges.

- There exists a family of dNIZK protocols for triangle-freeness, that presents a trade-off between the size of the messages from the prover and the size of the messages among neighbors. Interestingly, we also introduce a variant of this protocol where
the message size depends only on the maximum degree of a node and not on the total number of nodes, improving upon the previous non-zero-knowledge protocol for this problem.

- There exists a dNIZK protocol for any graph property in NP in the random oracle models, which is secure against an arbitrary number of malicious parties. Previous work considered compilers from PLS to distributed zero-knowledge protocol, which results
in protocols with parameters that are incomparable to ours.



## 2025/203

* Title: Ciphertext-Simulatable HE from BFV with Randomized Evaluation
* Authors: Intak Hwang, Seonhong Min, Yongsoo Song
* [Permalink](https://eprint.iacr.org/2025/203)
* [Download](https://eprint.iacr.org/2025/203.pdf)

### Abstract

Homomorphic Encryption (HE) is a privacy-enhancing technology that enables computation over encrypted data without the need for decryption. A primary application of HE is in the construction of communication-efficient Two-Party Computation (2PC)
protocols between a client and a server, serving as the key owner and the evaluator, respectively. However, the 2PC protocol built on an HE scheme is not necessarily secure, as the standard IND-CPA security of HE does not guarantee the privacy of the
evaluation circuit.
Several enhanced security notions for HE, such as circuit privacy and sanitization, have been proposed to address this issue, but they require significant overhead in terms of parameter size or time complexity.

In this work, we introduce a novel security notion for HE, called ciphertext simulatability, which precisely captures the security requirements of HE in the construction of 2PC. Then, we provide a concrete construction of ciphertext-simulatable HE from
the BFV scheme by modifying its evaluation algorithm. We provide theoretical analysis and demonstrate experimental results to ensure that our solution has insignificant overhead in terms of parameter size and error growth.
As a matter of independent interest, we demonstrate how our approach of designing ciphertext-simulatable BFV can be further extended to satisfy stronger security notions such as sanitization.



## 2025/204

* Title: Simpler and Stronger Models for Deniable Authentication
* Authors: Guilherme Rito, Christopher Portmann, Chen-Da Liu-Zhang
* [Permalink](https://eprint.iacr.org/2025/204)
* [Download](https://eprint.iacr.org/2025/204.pdf)

### Abstract

Deniable Authentication is a highly desirable guarantee for secure messaging: it allows Alice to authentically send a message $m$ to a designated receiver Bob in a *Plausibly Deniable* manner. Concretely, while Bob is guaranteed Alice sent $m$, he cannot
convince a judge Judy that Alice really sent this message---even if he gives Judy his secret keys. This is because Judy knows Bob *can* make things up. This paper models the security of Multi-Designated Verifier Signatures (MDVS) and Multi-Designated
Receiver Signed Public Key Encryption (MDRS-PKE)---two (related) types of schemes that provide such guarantees---in the Constructive Cryptography (CC) framework (Maurer and Renner, ICS '11).

The only work modeling dishonest parties' ability of "making things up" was by Maurer et al. (ASIACRYPT '21), who modeled the security of MDVS, also in CC. Their security model has two fundamental limitations:
1. deniability is not guaranteed when honest receivers read;
2. it relies on the CC-specific concept of specifications.

We solve both problems. Regarding the latter, our model is a standard simulator-based one. Furthermore, our composable treatment allowed to identify a new property, Forgery Invalidity, without which we do not know how to prove the deniability of neither
MDVS nor MDRS-PKE when honest receivers read. Finally, we prove that Chakraborty et al.'s MDVS (EUROCRYPT '23) has this property, and that Maurer et al.'s MDRS-PKE (EUROCRYPT '22) preserves it from the underlying MDVS.



## 2025/205

* Title: Addressing Scalability Issues of Blockchains with Hypergraph Payment Networks
* Authors: Arad Kotzer, Bence Ladóczki, János Tapolcai, Ori Rottenstreich
* [Permalink](https://eprint.iacr.org/2025/205)
* [Download](https://eprint.iacr.org/2025/205.pdf)

### Abstract

Payment channels are auspicious candidates in layer-2 solutions to reduce the number of on-chain transactions on traditional blockchains and increase transaction throughput. To construct payment channels, peers lock funds on 2-of-2 multisig addresses and
open channels between one another to transact via instant peer-to-peer transactions. Transactions between peers without a direct channel are made possible by routing the payment over a series of adjacent channels. In certain cases, this can lead to
relatively low transaction success rates and high transaction fees. In this work, we introduce pliability to constructing payment channels and graft edges with more than two endpoints into the payment graph. We refer to these constructions as hyperedges.
We present hyperedge-based topologies to form hypergraphs and compare them to Bitcoin's Lightning network and other state-of-the-art solutions. The results demonstrate that hyperedge-based implementations can both increase transaction success rate, in
addition to decreasing the network cost by more than 50% compared to that of the Lightning Network.



## 2025/206

* Title: Revisiting the Differential-Linear Attacks on ChaCha from IEEE TIT and INDOCRYPT 2024 (Extended Abstract)
* Authors: Xinhai Wang, Lin Ding, Zhengting Li, Jiang Wan, Bin Hu
* [Permalink](https://eprint.iacr.org/2025/206)
* [Download](https://eprint.iacr.org/2025/206.pdf)

### Abstract

The ChaCha stream cipher has become one of the best known ARX-based ciphers because of its widely use in several systems, such as in TLS, SSH and so on. In this paper, we find some errors in the attacks on ChaCha256 from IEEE TIT and INDOCRYPT 2024, and
then corrected cryptanalytic attacks on ChaCha256 are given. However, the corrected attacks have extremely large time and data complexities. The corrected results show that the technique proposed in IEEE TIT may not be able to obtain improved
differential-linear attacks on ChaCha.



## 2025/207

* Title: Efficient Mixed Garbling from Homomorphic Secret Sharing and GGM-Tree * Authors: Jian Guo, Wenjie Nan
* [Permalink](https://eprint.iacr.org/2025/207)
* [Download](https://eprint.iacr.org/2025/207.pdf)

### Abstract

We present new techniques for garbling mixed arithmetic and boolean circuits, utilizing the homomorphic secret sharing scheme introduced by Roy \& Singh (Crypto 2021), along with the half-tree protocol developed by Guo et al (Eurocrypt 2023). Compared to
some two-party interactive protocols, our mixed garbling only requires several times $(<10)$ more communication cost.

We construct the bit decomposition/composition gadgets with communication cost $O((\lambda+\lambda_{\text{DCR}}/k)b)$ for integers in the range $(-2^{b-1}, 2^{b-1})$, requiring $O(2^k)$ computations for the GGM-tree. Our approach is compatible with
constant-rate multiplication protocols, and the cost decreases as $k$ increases. Even for a small $k=8$, the concrete efficiency ranges from $6\lambda b$ ($b \geq 1000$ bits) to $9\lambda b$ ($b \sim 100$ bits) per decomposition/composition. In addition,
we develop the efficient gadgets for mod $q$ and unsigned truncation based on bit decomposition and composition.

We construct efficient arithmetic gadgets over various domains. For bound integers, we improve the multiplication rate in the work of Meyer et al. (TCC 2024) from $\textstyle\frac{\zeta-2}{\zeta+1}$ to $\frac{\zeta-2}{\zeta}$. We propose new garbling
schemes over other domains through bounded integers with our modular and truncation gadgets, which is more efficient than previous constructions. For $\mathbb{Z}_{2^b}$, additions and multiplication can be garbled with a communication cost comparable to
our bit decomposition. For general finite field $\mathbb{F}_{p^n}$, particularly for large values of $p$ and $n$, we garble the addition and multiplication at the cost of $O((\lambda+\lambda_{\text{DCR}}/k)b)$, where $b = n\lceil \log p \rceil$. For
applications to real numbers, we introduce an ``error-based'' truncation that makes the cost of multiplication dependent solely on the desired precision.



## 2025/208

* Title: Reductions Between Code Equivalence Problems
* Authors: Mahdi Cheraghchi, Nikhil Shagrithaya, Alexandra Veliche
* [Permalink](https://eprint.iacr.org/2025/208)
* [Download](https://eprint.iacr.org/2025/208.pdf)

### Abstract

In this paper we present two reductions between variants of the Code Equivalence problem. We give polynomial-time Karp reductions from Permutation Code Equivalence (PCE) to both Linear Code Equivalence (LCE) and Signed Permutation Code Equivalence (SPCE).
Along with a Karp reduction from SPCE to the Lattice Isomorphism Problem (LIP) proved in a paper by Bennett and Win (2024), our second result implies a reduction from PCE to LIP.



## 2025/209

* Title: NovaTEE: Private Clearing and Settlement on Trusted Execution Hardware * Authors: Ahmet Ramazan Ağırtaş, James Ball, Michael Belegris, Gustave Charles-Saigne
* [Permalink](https://eprint.iacr.org/2025/209)
* [Download](https://eprint.iacr.org/2025/209.pdf)

### Abstract

NovaTEE is a novel private multilateral settlement network designed to address critical inefficiencies in both traditional financial markets and cryptocurrency trading. The current clearing landscape suffers from fragmented capital allocation,
restrictive prime brokerage relationships, and prolonged settlement timeframes in traditional finance, while cryptocurrency markets face challenges with over-collateralization, siloed lending pools, and security risks from centralized exchanges.

We introduce a settlement system that leverages Trusted Execution Environments (TEEs) and threshold cryptography to enable secure, private, and efficient settlement of obligations between multiple parties. The system utilizes a distributed key generation
model and novel clearing mechanisms to optimize capital efficiency through multilateral netting, while maintaining strong privacy guarantees and regulatory compliance capabilities. By combining TEE-based security with advanced cryptographic protocols,
including zero-knowledge proofs and sparse Merkle trees for data verification, our solution enables efficient cross-venue and cross-chain settlement while protecting sensitive trading information. This approach significantly reduces capital requirements
for market participants, optimizes transaction costs, and provides institutional-grade clearing infrastructure without compromising on security or privacy. The system's architecture ensures that no single party has complete access to transaction details
while maintaining auditability through a distributed backup network, offering a practical solution for institutional adoption of on-chain settlement.



## 2025/210

* Title: Practical Keyword Private Information Retrieval from Key-to-Index Mappings
* Authors: Meng Hao, Weiran Liu, Liqiang Peng, Cong Zhang, Pengfei Wu, Lei Zhang, Hongwei Li, Robert H. Deng
* [Permalink](https://eprint.iacr.org/2025/210)
* [Download](https://eprint.iacr.org/2025/210.pdf)

### Abstract

This paper introduces practical schemes for keyword Private Information Retrieval (keyword PIR), enabling private queries on public databases using keywords. Unlike standard index-based PIR, keyword PIR presents greater challenges, since the query's
position within the database is unknown and the domain of keywords is vast. Our key insight is to construct an efficient and compact key-to-index mapping, thereby reducing the keyword PIR problem to standard PIR. To achieve this, we propose three
constructions incorporating several new techniques. The high-level approach involves (1) encoding the server's key-value database into an indexable database with a key-to-index mapping and (2) invoking standard PIR on the encoded database to retrieve
specific positions based on the mapping. We conduct comprehensive experiments, with results showing substantial improvements over the state-of-the-art keyword PIR, ChalametPIR (CCS'24), i.e., a $15\sim178 \times$ reduction in communication and $1.1 \sim
2.4 \times$ runtime improvement, depending on database size and entry length. Our constructions are practical, executing keyword PIR in just 47 ms for a database containing 1 million 32-byte entries.



## 2025/211

* Title: Prior-Based Label Differential Privacy via Secure Two-Party Computation
* Authors: Amit Agarwal, Stanislav Peceny, Mariana Raykova, Phillipp Schoppmann, Karn Seth
* [Permalink](https://eprint.iacr.org/2025/211)
* [Download](https://eprint.iacr.org/2025/211.pdf)

### Abstract

Differential privacy (DP) is a fundamental technique used in machine learning (ML) training for protecting the privacy of sensitive individual user data. In the past few years, a new approach for combining prior-based Local Differential Privacy (LDP)
mechanisms with a relaxed DP criterion, known as Label DP, has shown great promise in increasing the utility of the final trained model without compromising on the DP privacy budget. In this work, we identify a crucial privacy gap in the current
implementations of these prior-based LDP mechanisms, namely the leakage of sensitive priors. We address the challenge of implementing such LDP mechanisms without leaking any information about the priors while preserving the efficiency and accuracy of the
current insecure implementations. To that end, we design simple and efficient secure two-party computation (2PC) protocols for addressing this challenge, implement them, and perform end-to-end testing on standard datasets such as MNIST, CIFAR-10. Our
empirical results indicate that the added security benefit essentially comes almost for free in the sense that the gap between the current insecure implementations and our proposed secure version, in terms of run-time overhead and accuracy degradation,
is minimal. E.g., for CIFAR-10, with strong DP privacy parameter, the additional runtime due to 2PC is $\approx 3.9\%$ over WAN with $0.4\%$ decrease in accuracy over an insecure (non-2PC) approach.



## 2025/212

* Title: Constructing Quantum Implementations with the Minimal T-depth or Minimal Width and Their Applications
* Authors: Zhenyu Huang, Fuxin Zhang, Dongdai Lin
* [Permalink](https://eprint.iacr.org/2025/212)
* [Download](https://eprint.iacr.org/2025/212.pdf)

### Abstract

With the rapid development of quantum computers, optimizing the quantum implementations of symmetric-key ciphers, which constitute the primary components of the quantum oracles used in quantum attacks based on Grover and Simon's algorithms, has become an
active topic in the cryptography community. In this field, a challenge is to construct quantum circuits that require the least amount of quantum resources. In this work, we aim to address the problem of constructing quantum circuits with the minimal T-
depth or width (number of qubits) for nonlinear components, thereby enabling implementations of symmetric-key ciphers with the minimal T-depth or width. Specifically, we propose several general methods for obtaining quantum implementation of generic
vectorial Boolean functions and multiplicative inversions in GF(2^n), achieving the minimal T-depth and low costs across other metrics. As an application, we present a highly compact T-depth-3 Clifford+T circuit for the AES S-box. Compared to the T-depth-
3 circuits presented in previous works (ASIACRYPT 2022, IEEE TC 2024), our circuit has significant reductions in T-count, full depth and Clifford gate count. Compared to the state-of-the-art T-depth-4 circuits, our circuit not only achieves the minimal T-
depth but also exhibits reduced full depth and closely comparable width. This leads to lower costs for the DW-cost and T-DW-cost. Additionally, we propose two methods for constructing minimal-width implementations of vectorial Boolean functions. As
applications, for the first time, we present a 9-qubit Clifford+T circuit for the AES S-box, a 16-qubit Clifford+T circuit for a pair of AES S-boxes, and a 5-qubit Clifford+T circuit for the chi function of SHA3. These circuits can be used to derive
quantum circuits that implement AES or SHA3 without ancilla qubits.



## 2025/213

* Title: An Innovative Lightweight Symmetric Encryption Algorithm Integrating NeoAlzette ARX S-box and XCR CSPRNG
* Authors: Jiang Yu
* [Permalink](https://eprint.iacr.org/2025/213)
* [Download](https://eprint.iacr.org/2025/213.pdf)

### Abstract

This paper introduces "Little OaldresPuzzle_Cryptic," a novel lightweight symmetric encryption algorithm.

At the core of this algorithm are two main cryptographic components: the NeoAlzette permutation S-box based on ARX (Addition-Rotation-XOR) primitives and the innovative pseudo-random number generator XorConstantRotation (XCR), used exclusively in the key
expansion process. The NeoAlzette S-box, a non-linear function for 32-bit pairs, is meticulously designed for both encryption strength and operational efficiency, ensuring robust security in resource-constrained environments. During the encryption and
decryption processes, a pseudo-randomly selected mixed linear diffusion function, distinct from XCR, is applied, enhancing the complexity and unpredictability of the encryption.

We comprehensively explore the various technical aspects of the Little OaldresPuzzle_Cryptic algorithm.


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)