## In this issue

1. [2024/1589] A Systematic Study of Sparse LWE
2. [2025/196] Endomorphisms for Faster Cryptography on Elliptic ...
3. [2025/374] Simple and General Counterexamples for Private-Coin ...
4. [2025/385] MERCURY: A multilinear Polynomial Commitment Scheme ...
5. [2025/395] Provably Secure Approximate Computation Protocols ...
6. [2025/396] Trail-Estimator: An Automated Verifier for ...
7. [2025/397] Blind Signatures from Cryptographic Group Actions
8. [2025/398] Tight Adaptive Simulation Security for Identity- ...
9. [2025/399] Computational Quantum Anamorphic Encryption and ...
10. [2025/400] Re-Randomize and Extract: A Novel Commitment ...
11. [2025/401] PEGASIS: Practical Effective Class Group Action ...
12. [2025/402] Related-Key Differential and Boomerang ...
13. [2025/403] Periodic Table of Cryptanalysis: Geometric Approach ...
14. [2025/404] SNARKs for Stateful Computations on Authenticated Data
15. [2025/405] Withdrawable signatures in Fiat-Shamir with aborts ...
16. [2025/406] AsyRand: fast asynchronous distributed randomness ...
17. [2025/407] Delegatable ABE with Full Security from Witness ...
18. [2025/408] Hybrid Obfuscated Key Exchange and KEMs
19. [2025/409] Low Communication Threshold FHE from Standard ...
20. [2025/410] TreeKEM: A Modular Machine-Checked Symbolic ...
21. [2025/411] Security of the Ascon Authenticated Encryption Mode ...
22. [2025/412] Multi-Authority Functional Encryption: Corrupt ...
23. [2025/413] Garblet: Multi-party Computation for Protecting ...
24. [2025/414] Deimos Cipher: A High-Entropy, Secure Encryption ...
25. [2025/415] On the Soundness of Algebraic Attacks against Code- ...
26. [2025/416] Trapdoor Hash Functions and PIR from Low-Noise LPN
27. [2025/417] Evaluation of Privacy-aware Support Vector Machine ...
28. [2025/418] ProofFrog: A Tool For Verifying Game-Hopping Proofs
29. [2025/419] Samaritan: Linear-time Prover SNARK from New ...
30. [2025/420] Non-Interactive Verifiable Aggregation
31. [2025/421] A Note on Obfuscation-based Attacks on Private-coin ...
32. [2025/422] Private Computation on Common Fuzzy Records
33. [2025/423] Multi-Client Attribute-Based Unbounded Inner ...
34. [2025/424] Matchmaker: Fast Secure Inference across Deployment ...
35. [2025/425] A Note on the Blindness of the Scheme from ePrint ...
36. [2025/426] Exploring How to Authenticate Application Messages ...
37. [2025/427] BUFFing Threshold Signature Schemes
38. [2025/428] On Improved Cryptanalytic Results against ChaCha ...
39. [2025/429] Enhanced CKKS Bootstrapping with Generalized ...
40. [2025/430] Non-interactive Anonymous Tokens with Private ...
41. [2025/431] Commitment Schemes Based on Module-LIP
42. [2025/432] Black-Box (and Fast) Non-Malleable Zero Knowledge
43. [2025/433] MIDAS: an End-to-end CAD Framework for Automating ...
44. [2025/434] Fine-Grained Verifier NIZK and Its Applications
45. [2025/435] Constant-Time Code: The Pessimist Case
46. [2025/436] The Algebraic One-More MISIS Problem and ...
47. [2025/437] Improved Cryptanalysis of ChaCha: Beating PNBs with ...

## 2024/1589

* Title: A Systematic Study of Sparse LWE
* Authors: Aayush Jain, Huijia Lin, Sagnik Saha
* [Permalink](https://eprint.iacr.org/2024/1589)
* [Download](https://eprint.iacr.org/2024/1589.pdf)

### Abstract

In this work, we introduce the sparse LWE assumption, an assumption that draws inspiration from both Learning with Errors (Regev JACM 10) and Sparse Learning Parity with Noise (Alekhnovich FOCS 02). Exactly like LWE, this assumption posits
indistinguishability of $(\mathbf{A}, \mathbf{s}\mathbf{A}+\mathbf{e} \mod p)$ from $(\mathbf{A}, \mathbf{u})$ for a random $\mathbf{u}$ where the secret $\mathbf{s}$, and the error vector $\mathbf{e}$ is generated exactly as in LWE. However, the
coefficient matrix $\mathbf{A}$ in sparse LPN is chosen randomly from $\mathbb{Z}^{n\times m}_{p}$ so that each column has Hamming weight exactly $k$ for some small $k$. We study the problem in the regime where $k$ is a constant or polylogarithmic. The
primary motivation for proposing this assumption is efficiency. Compared to LWE, the samples can be computed and stored with roughly $O(n/k)$ factor improvement in efficiency. Our results can be summarized as:

Foundations:
We show several properties of sparse LWE samples, including: 1) The hardness of LWE/LPN with dimension $k$ implies the hardness of sparse LWE/LPN with sparsity $k$ and arbitrary dimension $n \ge k$. 2) When the number of samples $m=\Omega(n \log p)$,
length of the shortest vector of a lattice spanned by rows of a random sparse matrix is large, close to that of a random dense matrix of the same dimension (up to a small constant factor). 3) Trapdoors with small polynomial norm exist for random sparse
matrices with dimension $n \times m = O(n \log p)$. 4) Efficient algorithms for sampling such matrices together with trapdoors exist when the dimension is $n \times m = \widetilde{\mathcal{O}}(n^2)$.

Cryptanalysis:
We examine the suite of algorithms that have been used to break LWE and sparse LPN. While naively many of the attacks that apply to LWE do not exploit sparsity, we consider natural extensions that make use of sparsity. We propose a model to capture all
these attacks. Using this model we suggest heuristics on how to identify concrete parameters. Our initial cryptanalysis suggests that concretely sparse LWE with a modest $k$ and slightly bigger dimension than LWE will satisfy similar level of security as
LWE with similar parameters.

Applications:
We show that the hardness of sparse LWE implies very efficient homomorphic encryption schemes for low degree computations. We obtain the first secret key Linearly Homomorphic Encryption (LHE) schemes with slightly super-constant, or even constant,
overhead, which further has applications to private information retrieval, private set intersection, etc. We also obtain secret key homomorphic encryption for arbitrary constant-degree polynomials with slightly super-constant, or constant, overhead.

We stress that our results are preliminary. However, our results make a strong case for further investigation of sparse LWE.



## 2025/196

* Title: Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate CM Discriminants, II
* Authors: Dimitri Koshelev, Antonio Sanso
* [Permalink](https://eprint.iacr.org/2025/196)
* [Download](https://eprint.iacr.org/2025/196.pdf)

### Abstract

The present article is a natural extension of the previous one about the GLV method of accelerating a (multi-)scalar multiplication on elliptic curves of moderate CM discriminants $D < 0$. In comparison with the first article, much greater magnitudes of $
D$ (in absolute value) are achieved, although the base finite fields of the curves have to be pretty large. This becomes feasible by resorting to quite powerful algorithmic tools developed primarily in the context of lattice-based and isogeny-based
cryptography. Curiously, pre-quantum cryptography borrows research outcomes obtained when seeking conversely quantum-resistant solutions or attacks on them.

For instance, some $2$-cycle of pairing-friendly MNT curves (with $-D \approx 100{,}000{,}000$, i.e., $\log_2(-D) \approx 26.5$) is relevant for the result of the current article. The given $2$-cycle was generated at one time by Guillevic to provide $\
approx 128$ security bits, hence it was close to application in real-world zk-SNARKs. Another more performant MNT $2$-cycle (with slightly smaller security level, but with much larger $D$) was really employed in the protocol Coda (now Mina) until zero-
knowledge proof systems on significantly faster pairing-free (or half-pairing) $2$-cycles were invented. It is also shown in the given work that more lollipop curves, recently proposed by Costello and Korpal to replace MNT ones, are now covered by the
GLV technique.



## 2025/374

* Title: Simple and General Counterexamples for Private-Coin Evasive LWE
* Authors: Nico Döttling, Abhishek Jain, Giulio Malavolta, Surya Mathialagan, Vinod Vaikuntanathan
* [Permalink](https://eprint.iacr.org/2025/374)
* [Download](https://eprint.iacr.org/2025/374.pdf)

### Abstract

We present a simple counterexample to all known variants of the private-coin evasive learning with errors (LWE) assumption. Unlike prior works, our counterexample is direct, it does not use heavy cryptographic machinery (such as obfuscation or witness
encryption), and it applies to all variants of the assumption. Our counterexample can be seen as a "zeroizing" attack against evasive LWE, calling into question the soundness of the underlying design philosophy.



## 2025/385

* Title: MERCURY: A multilinear Polynomial Commitment Scheme with constant proof size and no prover FFTs
* Authors: Liam Eagen, Ariel Gabizon
* [Permalink](https://eprint.iacr.org/2025/385)
* [Download](https://eprint.iacr.org/2025/385.pdf)

### Abstract

We construct a pairing-based polynomial commitment scheme for multilinear polynomials of size $n$ where
constructing an opening proof requires $O(n)$ field operations, and $2n+O(\sqrt n)$ scalar multiplications. Moreover,
the opening proof consists of a constant number of field elements.
This is a significant improvement over previous works which would require either
1. $O(n\log n)$ field operations; or
2. $O(\log n)$ size opening proof.

The main technical component is a new method of verifiably folding a witness via univariate polynomial division.
As opposed to previous methods, the proof size and prover time remain constant *regardless of the folding factor*.



## 2025/395

* Title: Provably Secure Approximate Computation Protocols from CKKS
* Authors: Intak Hwang, Yisol Hwang, Miran Kim, Dongwon Lee, Yongsoo Song
* [Permalink](https://eprint.iacr.org/2025/395)
* [Download](https://eprint.iacr.org/2025/395.pdf)

### Abstract

Secure multi-party computation (MPC) enables collaborative, privacy-preserving computation over private inputs. Advances in homomorphic encryption (HE), particularly the CKKS scheme, have made secure computation practical, making it well-suited for real-
world applications involving approximate computations. However, the inherent approximation errors in CKKS present significant challenges in developing MPC protocols.

This paper investigates the problem of secure approximate MPC from CKKS. We first analyze CKKS-based protocols in two-party setting. When only one party holds a private input and the other party acts as an evaluator, a simple protocol with the noise
smudging technique on the encryptor's side achieves security in the standard manner. When both parties have private inputs, we demonstrate that the protocol incorporating independent errors from each party achieves a relaxed standard security notion,
referred to as a liberal security. Nevertheless, such a protocol fails to satisfy the standard security definition. To address this limitation, we propose a novel protocol that employs a distributed sampling approach to generate smudging noise in a
secure manner, which satisfies the standard security definition.

Finally, we extend the two-party protocols to the multi-party setting. Since the existing threshold CKKS-based MPC protocol only satisfies the liberal security, we present a novel multi-party protocol achieving the standard security by applying multi-
party distributed sampling of a smudging error.

For all the proposed protocols, we formally define the functionalities and provide rigorous security analysis within the simulation-based security framework. To the best of our knowledge, this is the first work to explicitly define the functionality of
CKKS-based approximate MPC and achieve formal security guarantees.



## 2025/396

* Title: Trail-Estimator: An Automated Verifier for Differential Trails in Block Ciphers
* Authors: Thomas Peyrin, Quan Quan Tan, Hongyi Zhang, Chunning Zhou
* [Permalink](https://eprint.iacr.org/2025/396)
* [Download](https://eprint.iacr.org/2025/396.pdf)

### Abstract

Differential cryptanalysis is a powerful technique for attacking block ciphers, wherein the Markov cipher assumption and stochastic hypothesis are commonly employed to simplify the search and probability estimation of differential trails. However, these
assumptions often neglect inherent algebraic constraints, potentially resulting in invalid trails and inaccurate probability estimates. Some studies identified violations of these assumptions and explored how they impose constraints on key material, but
they have not yet fully captured all relevant ones. This study proposes Trail-Estimator, an automated verifier for differential trails on block ciphers, consisting of two parts: a constraint detector Cons-Collector and a solving tool Cons-Solver. We
first establish the fundamental principles that will allow us to systematically identify all constraint subsets within a differential trail, upon which Cons-Collector is built. Then, Cons-Solver utilizes specialized preprocessing techniques to
efficiently solve the detected constraint subsets, thereby determining the key space and providing a comprehensive probability distribution of differential trails. To validate its effectiveness, Trail-Estimator is applied to verify 14 differential trails
for the SKINNY, LBLOCK, and TWINE block ciphers. Experimental results show that Trail-Estimator consistently identifies previously undetected constraints for SKINNY and discovers constraints for the first time for LBLOCK and TWINE. Notably, it is the
first tool to discover long nonlinear constraints extending beyond five rounds in these ciphers. Furthermore, Trail-Estimator's accuracy is validated by experiments showing its predictions closely match the real probability distribution of short-round
differential trails.



## 2025/397

* Title: Blind Signatures from Cryptographic Group Actions
* Authors: Dung Hoang Duong, Xuan Thanh Khuc, Youming Qiao, Willy Susilo, Chuanqi Zhang
* [Permalink](https://eprint.iacr.org/2025/397)
* [Download](https://eprint.iacr.org/2025/397.pdf)

### Abstract

We provide a generic construction of blind signatures from cryptographic group actions following the framework of the blind signature CSIOtter introduced by Katsumata et al. (CRYPTO'23) in the context of isogeny (commutative group action). We adapt and
modify that framework to make it work even for non-commutative group actions. As a result, we obtain a blind signature from abstract group actions which are proven to be secure in the random oracle model. We also propose an instantiation based on a
variant of linear code equivalence, interpreted as a symmetric group action.



## 2025/398

* Title: Tight Adaptive Simulation Security for Identity-based Inner-Product FE in the (Quantum) Random Oracle Model
* Authors: Tenma Edamura, Atsushi Takayasu
* [Permalink](https://eprint.iacr.org/2025/398)
* [Download](https://eprint.iacr.org/2025/398.pdf)

### Abstract

Abdalla et al. (ASIACRYPT 2020) introduced a notion of identity-based inner-product functional encryption (IBIPFE) that combines identity-based encryption and inner-product functional encryption (IPFE). Thus far, several pairing-based and lattice-based
IBIPFE schemes have been proposed. However, there are two open problems. First, there are no known IBIPFE schemes that satisfy the adaptive simulation-based security. Second, known IBIPFE schemes that satisfy the adaptive indistinguishability-based
security or the selective simulation-based security do not have tight reductions. In this paper, we propose lattice-based and pairing-based IBIPFE schemes that satisfy the tight adaptive simulation-based security. At first, we propose a generic
transformation from an indistinguishability-based secure $(L + 1)$-dimensional (IB)IPFE scheme to a simulation-based secure $L$-dimensional (IB)IPFE scheme. The proposed transformation improves Agrawal et al.'s transformation for plain IPFE (PKC 2020)
that requires an indistinguishability-based secure $2L$-dimensional scheme. Then, we construct a lattice-based IBIPFE scheme that satisfies the tight adaptive indistinguishability-based security under the LWE assumption in the quantum random oracle model.
We apply the proposed transformation and obtain the first lattice-based IBIPFE scheme that satisfies adaptive simulation-based security. Finally, we construct a pairing-based IBIPFE scheme that satisfies the tight adaptive simulation-based security
under the DBDH assumption in the random oracle model. The pairing-based scheme does not use the proposed transformation towards the best efficiency.



## 2025/399

* Title: Computational Quantum Anamorphic Encryption and Anamorphic Secret Sharing
* Authors: SAYANTAN GANGULY, Shion Samadder Chaudhury
* [Permalink](https://eprint.iacr.org/2025/399)
* [Download](https://eprint.iacr.org/2025/399.pdf)

### Abstract

The concept of anamorphic encryption, first formally introduced by Persiano et al. in their influential 2022 paper titled ``Anamorphic Encryption: Private Communication Against a Dictator,'' enables embedding covert messages within ciphertexts. One of
the key distinctions between a ciphertext embedding a covert message and an original ciphertext, compared to an anamorphic ciphertext, lies in the indistinguishability between the original ciphertext and the anamorphic ciphertext. This encryption
procedure has been defined based on a public-key cryptosystem. Initially, we present a quantum analogue of the classical anamorphic encryption definition that is based on public-key encryption. Additionally, we introduce a definition of quantum
anamorphic encryption that relies on symmetric key encryption. Furthermore, we provide a detailed generalized construction of quantum anamorphic symmetric key encryption within a general framework, which involves taking any two quantum density matrices
of any different dimensions and constructing a single quantum density matrix, which is the quantum anamorphic ciphertext containing ciphertexts of both of them. Subsequently, we introduce a definition of computational anamorphic secret-sharing and extend
the work of \c{C}akan et al. on computational quantum secret-sharing to computational quantum anamorphic secret-sharing, specifically addressing scenarios with multiple messages, multiple keys, and a single share function. This proposed secret-sharing
scheme demonstrates impeccable security measures against quantum adversaries.



## 2025/400

* Title: Re-Randomize and Extract: A Novel Commitment Construction Framework Based on Group Actions
* Authors: Kaijie Jiang, Anyu Wang, Hengyi Luo, Guoxiao Liu, Tang Gang, Yanbin Pan, Xiaoyun Wang
* [Permalink](https://eprint.iacr.org/2025/400)
* [Download](https://eprint.iacr.org/2025/400.pdf)

### Abstract

Cryptographic group actions have attracted growing attention as a useful tool for constructing cryptographic schemes.
Among their applications, commitment schemes are particularly interesting as fundamental primitives, playing a crucial role in protocols such as zero-knowledge proofs, multi-party computation, and more.

In this paper, we introduce a novel framework to construct commitment schemes based on cryptographic group actions.
Specifically, we propose two key techniques for general group actions: re-randomization and randomness extraction.
Roughly speaking, a re-randomization algorithm introduces randomness within an orbit for any input element, while a randomness extractor maps this randomness to uniformity over the message space.
We demonstrate that these techniques can significantly facilitate the construction of commitment schemes, providing a flexible framework for constructing either perfectly hiding or perfectly binding commitments, depending on the type of extractor
involved.
Moreover, we extend our framework to support the construction of commitments with additional desirable properties beyond hiding and binding, such as dual-mode commitments and enhanced linkable commitments.
These extensions are achieved by further adapting the extractor to satisfy trapdoor or homomorphic properties.
Finally, we instantiate all our proposed commitment schemes using lattices, specifically leveraging the lattice isomorphism problem (LIP) and the lattice automorphism problem (LAP) as underlying cryptographic assumptions.
To the best of our knowledge, this is the first commitment scheme construction based on LIP/LAP.
Additionally, we use LIP to provide a repair and improvement to the tensor isomorphism-based non-interactive commitment scheme proposed by D'Alconzo, Flamini, and Gangemi (ASIACRYPT 2023), which was recently shown to be insecure by an attack from
Gilchrist, Marco, Petit, and Tang (CRYPTO 2024).



## 2025/401

* Title: PEGASIS: Practical Effective Class Group Action using 4-Dimensional Isogenies
* Authors: Pierrick Dartois, Jonathan Komada Eriksen, Tako Boris Fouotsa, Arthur Herlédan Le Merdy, Riccardo Invernizzi, Damien Robert, Ryan Rueger, Frederik Vercauteren, Benjamin Wesolowski
* [Permalink](https://eprint.iacr.org/2025/401)
* [Download](https://eprint.iacr.org/2025/401.pdf)

### Abstract

In this paper, we present the first practical algorithm to compute an effective group action of the class group of any imaginary quadratic order $\mathcal{O}$ on a set of supersingular elliptic curves primitively oriented by $\mathcal{O}$. Effective
means that we can act with any element of the class group directly, and are not restricted to acting by products of ideals of small norm, as for instance in CSIDH. Such restricted effective group actions often hamper cryptographic constructions, e.g. in
signature or MPC protocols.

Our algorithm is a refinement of the Clapoti approach by Page and Robert, and uses $4$-dimensional isogenies. As such, it runs in polynomial time, does not require the computation of the structure of the class group, nor expensive lattice reductions, and
our refinements allows it to be instantiated with the orientation given by the Frobenius endomorphism. This makes the algorithm practical even at security levels as high as CSIDH-4096. Our implementation in SageMath takes 1.5s to compute a group action
at the CSIDH-512 security level, 21s at CSIDH-2048 level and around 2 minutes at the CSIDH-4096 level. This marks the first instantiation of an effective cryptographic group action at such high security levels. For comparison, the recent KLaPoTi approach
requires around 200s at the CSIDH-512 level in SageMath and 2.5s in Rust.



## 2025/402

* Title: Related-Key Differential and Boomerang Cryptanalysis in the Fixed-Key Model
* Authors: Chengcheng Chang, Kai Hu, Muzhou Li, Meiqin Wang
* [Permalink](https://eprint.iacr.org/2025/402)
* [Download](https://eprint.iacr.org/2025/402.pdf)

### Abstract

Differential cryptanalysis, along with its variants such as boomerang attacks, is widely used to evaluate the security of block ciphers. These cryptanalytic techniques often rely on assumptions like the \textit{hypothesis of stochastic equivalence} and \
textit{Markov ciphers assumption}. Recently, more attention has been paid to verifying whether differential characteristics (DCs) meet these assumptions, finding both positive and negative results.
A part of these efforts includes the automatic search methods for both the value and difference propagation (e.g., Liu et al. CRYPTO 2020, Nageler et al. ToSC 2025/1), structural constraints analysis (e.g., Tan and Peyrin, ToSC 2022/4), and the
quasidifferential (Beyne and Rijmen, CRYPTO 2022).
Nevertheless, less attention has been paid to the related-key DCs and boomerang distinguishers, where the same assumptions are used. To the best of our knowledge, only some related-tweakey DCs of \skinny were checked thanks to its linear word-based key-
schedule, and no similar work is done for boomerang distinguishers.


The verification of related-key DCs and boomerang distinguishers is as important as that of DCs, as they often hold the longest attack records for block ciphers.
This paper focuses on investigating the validity of DCs in the related-key setting and boomerang distinguishers in both single- and related-key scenarios.
For this purpose, we generalize Beyne and Rijmen's quasidifferential techniques for the related-key DCs and boomerang attacks.

First, to verify related-key DCs, the related-key quasi-DC is proposed. Similar to the relationship between the quasi-DC and DC, the exact probability of a related-key DC is equal to the sum of all corresponding related-key quasi-DCs' correlations.
Since the related-key quasi-DCs involve the key information, we can determine the probability of the target related-key DC in different key subspaces.
We find both positive and negative results.
For example, we verify the 18-round related-key DC used in the best attack on \gift-64 whose probability is $2^{-58}$, finding that this related-key DC has a higher probability for $2^{128} \times (2^{-5} + 2^{-8})$ keys which is around $2^{-50}$, but it
is impossible for the remaining keys.

Second, we identify proper bases to describe the boomerang distinguishers with the geometric approach. A quasi-BCT is constructed to consider the value influence in the boomerang connectivity table (BCT). For the DC parts, the quasi-biDDT is used.
Connecting the quasi-BCT and quasi-biDDT, we can verify the probability of a boomerang distinguisher with quasi-boomerang characteristics.
This also allows us to analyze the probability of the boomerang in different key spaces.
For a 17-round boomerang distinguisher of \skinny-64-128 whose probability is $2^{-50}$, we find that the probability can be $2^{-44}$ for half of keys, and impossible for the other half.



## 2025/403

* Title: Periodic Table of Cryptanalysis: Geometric Approach with Different Bases
* Authors: Kai Hu, Chi Zhang, Chengcheng Chang, Jiashu Zhang, Meiqin Wang, Thomas Peyrin
* [Permalink](https://eprint.iacr.org/2025/403)
* [Download](https://eprint.iacr.org/2025/403.pdf)

### Abstract

In the past three decades, we have witnessed the creation of various cryptanalytic attacks. However, relatively little research has been done on their potential underlying connections. The geometric approach, developed by Beyne in 2021, shows that a
cipher can be viewed as a linear operation when we treat its input and output as points in an induced \textit{free vector space}.
By performing a change of basis for the input and output spaces, one can obtain various transition matrices. Linear, differential, and (ultrametic) integral attacks have been well reinterpreted by Beyne's theory in a unified way.

Thus far, the geometric approach always uses the same basis for the input and output spaces. We observe here that this restriction is unnecessary and allowing different bases makes the geometric approach more flexible and able to interpret/predict more
attack types. Given some set of bases for the input and output spaces, a family of basis-based attacks is defined by combining them, and all attacks in this family can be studied in a unified automatic search method.

We revisit three kinds of bases from previous geometric approach papers and extend them to four extra ones by introducing new rules when generating new bases. With the final seven bases, we can obtain $7^{2d}$ different basis-based attacks in the $d$-th
order spaces, where the \textit{order} is defined as the number of messages used in one sample during the attack.

We then provide four examples of applications of this new framework. First, we show that by choosing a better pair of bases, Beyne and Verbauwhede's ultrametric integral cryptanalysis can be interpreted as a single element of a transition matrix rather
than as a linear combination of elements. This unifies the ultrametric integral cryptanalysis with the previous linear and quasi-differential attacks.
Second, we revisit the multiple-of-$n$ property with our refined geometric approach and exhibit new multiple-of-$n$ distinguishers that can reach more rounds of the \skinny-64 cipher than the state-of-the-art.
Third, we study the multiple-of-$n$ property for the first-order case, which is similar to the subspace trail but it is the divisibility property that is considered. This leads to a new distinguisher for 11-round-reduced \skinny-64.
Finally, we give a closed formula for differential-linear approximations without any assumptions, even confirming that the two differential-linear approximations of \simeck-32 and \simeck-48 found by Hadipour \textit{et al.} are deterministic
independently of concrete key values.
We emphasize that all these applications were not possible before.



## 2025/404

* Title: SNARKs for Stateful Computations on Authenticated Data
* Authors: Johannes Reinhart, Erik-Oliver Blass, Bjoern Annighoefer
* [Permalink](https://eprint.iacr.org/2025/404)
* [Download](https://eprint.iacr.org/2025/404.pdf)

### Abstract

We present a new generalization of (zk-)SNARKs combining two additional features at the same time. Besides the verification of correct computation, our new SNARKs also allow, first, the verification of input data authenticity. Specifically, a verifier
can confirm that the input to the computation originated from a trusted source. Second, our SNARKs support verification of stateful computations across multiple rounds, ensuring that the output of the current round correctly depends on the internal state
of the previous round. Our SNARKs are specifically suited to applications in cyber-physical control systems, where computations are periodically carried out and need to be checked immediately. Our focus is on concrete practicality, so we abstain from
arithmetizing hash functions or signatures in our SNARKs. Rather, we modify the internals of an existing SNARK to extend its functionality. Additionally, we present new optimizations to reduce proof size, prover time, and verification time in our setting.
With our construction, prover runtime improves significantly over the baseline by a factor of 89. Verification time is 70 % less for computations on authenticated data and 33 % less for stateful computations. To demonstrate relevance and practicality,
we implement and benchmark our new SNARKs in a sample real-world scenario with a (simple) quadcopter flight control system.



## 2025/405

* Title: Withdrawable signatures in Fiat-Shamir with aborts constructions
* Authors: Ramses Fernandez
* [Permalink](https://eprint.iacr.org/2025/405)
* [Download](https://eprint.iacr.org/2025/405.pdf)

### Abstract

This article presents an extension of the work performed by Liu, Baek and Susilo on withdrawable signatures to the Fiat-Shamir with aborts paradigm. We introduce an abstract construction, and provide security proofs for this proposal. As an instantiation,
we provide a concrete construction for a withdrawable signature scheme based on Dilithium.



## 2025/406

* Title: AsyRand: fast asynchronous distributed randomness beacon with reconfiguration
* Authors: Liang Zhang, Tao Liu, Zhanrong Ou, Haibin Kan, Jiheng Zhang
* [Permalink](https://eprint.iacr.org/2025/406)
* [Download](https://eprint.iacr.org/2025/406.pdf)

### Abstract


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)