## In this issue
1. [2025/370] Simple Public Key Anamorphic Encryption and ...
2. [2025/377] HiAE: A High-Throughput Authenticated Encryption ...
3. [2025/445] A proof of P≠NP (New symmetric encryption algorithm ...
4. [2025/446] Disincentivize Collusion in Verifiable Secret Sharing
5. [2025/447] Protecting Computations Against Continuous Bounded- ...
6. [2025/448] Ciphertext-Ciphertext Matrix Multiplication: Fast ...
7. [2025/449] Concretely Efficient Correlated Oblivious Permutation
8. [2025/450] Verifiable Decapsulation: Recognizing Faulty ...
9. [2025/451] Analysis of the Telegram Key Exchange
10. [2025/452] Polar Lattice Cryptography
11. [2025/453] Verifiable Secret Sharing Based on Fully Batchable ...
12. [2025/454] Quantum circuit for implementing AES S-box with low ...
13. [2025/455] StaMAC: Fault Protection via Stable-MAC Tags
14. [2025/456] A Democratic Distributed Post-Quantum ...
15. [2025/457] A 10-bit S-box generated by Feistel construction ...
16. [2025/458] CAKE requires programming - On the provable post- ...
17. [2025/459] Privacy and Security of FIDO2 Revisited
18. [2025/460] Achieving Data Reconstruction Hardness and ...
19. [2025/461] Machine-checking Multi-Round Proofs of Shuffle: ...
20. [2025/462] Practical Key Collision on AES and Kiasu-BC
21. [2025/463] Multi-Party Computation in Corporate Data ...
22. [2025/464] SoK: Efficient Design and Implementation of ...
23. [2025/465] zkAML: Zero-knowledge Anti Money Laundering in ...
24. [2025/466] Algebraic Cryptanalysis of Small-Scale Variants of ...
25. [2025/467] PMNS arithmetic for elliptic curve cryptography
26. [2025/468] Optimized Frobenius and Cyclotomic Cubing for ...
27. [2025/469] Practical Semi-Open Chat Groups for Secure ...
28. [2025/470] On Deniable Authentication against Malicious Verifiers
29. [2025/471] A Practical Tutorial on Deep Learning-based Side- ...
30. [2025/472] Quantum Attacks on Sum of Even-Mansour Construction ...
31. [2025/473] Cross-Platform Benchmarking of the FHE Libraries: ...
32. [2025/474] Black-Box Constant-Round Secure 2PC with Succinct ...
33. [2025/475] HammR: A ZKP Protocol for Fixed Hamming-Weight ...
34. [2025/476] A note on "industrial blockchain threshold ...
35. [2025/477] A Note on the Advanced Use of the Tate Pairing
36. [2025/478] Attacking Single-Cycle Ciphers on Modern FPGAs ...
37. [2025/479] Post Quantum Migration of Tor
38. [2025/480] Worst-case Analysis of Lattice Enumeration ...
39. [2025/481] RHQC: post-quantum ratcheted key exchange from ...
40. [2025/482] An Efficient Sequential Aggregate Signature Scheme ...
41. [2025/483] Adaptively Secure Threshold Blind BLS Signatures ...
42. [2025/484] EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP ...
43. [2025/485] Key reconstruction for QC-MDPC McEliece from ...
44. [2025/486] On One-Shot Signatures, Quantum vs Classical ...
45. [2025/487] webSPDZ: Versatile MPC on the Web
46. [2025/488] Exploring General Cyclotomic Rings in Torus-Based ...
47. [2025/489] Translating Between the Common Haar Random State ...
48. [2025/490] PREAMBLE: Private and Efficient Aggregation of ...
49. [2025/491] Blind Brother: Attribute-Based Selective Video ...
50. [2025/492] Endorser Peer Anonymization in Hyperledger Fabric ...
51. [2025/493] Tighter Concrete Security for the Simplest OT
52. [2025/494] Electromagnetic Side-Channel Analysis of PRESENT ...
53. [2025/495] A Security-Enhanced Pairing-Free Certificateless ...
54. [2025/496] Shortcut2Secrets: A Table-based Differential Fault ...
55. [2025/497] Fast Scloud+: A Fast Hardware Implementation for ...
56. [2025/498] Scoop: An Optimizer for Profiling Attacks against ...
57. [2025/499] SCAPEgoat: Side-channel Analysis Library
58. [2025/500] SecurED: Secure Multiparty Edit Distance for ...
## 2025/370
* Title: Simple Public Key Anamorphic Encryption and Signature using Multi-Message Extensions
* Authors: Shalini Banerjee, Tapas Pal, Andy Rupp, Daniel Slamanig
* [Permalink](https://eprint.iacr.org/2025/370)
* [Download](https://eprint.iacr.org/2025/370.pdf)
### Abstract
Anamorphic encryption (AE) considers secure communication in the presence of a powerful surveillant (typically called a "dictator") who only allows certain cryptographic primitives and knows all the secret keys in a system. The basic idea is that there is a second (anamorphic) mode of encryption that allows the sender to transmit an anamorphic message, using a double key, to a receiver who can decrypt this message using a double key. From the point of view of the dictator, the encryption keys as well as the ciphertexts in the regular and anamorphic mode are indistinguishable. The most recent works in this field consider public key anamorphic encryption (PKAE), i.e., the sender of an anamorphic message requires an encryption double key (or no key at all) and the receiver requires a decryption double key. Known constructions, however, either work only for schemes that are mostly of theoretical interest or come with conceptual limitations.
In this paper we ask whether we can design such PKAE schemes without such limitations and being closer to PKE schemes used in practice. In fact, such schemes are more likely to be allowed by a cognizant dictator. Moreover, we initiate the study of
identity-based anamorphic encryption (IBAE), as the IBE setting seems to be a natural choice for a dictator. For both PKAE and IBAE, we show how well-known IND-CPA and IND-CCA secure primitives can be extended by an anamorphic encryption channel. In
contrast to previous work, we additionally consider CCA (rather than just CPA) security notions for the anamorphic channel and also build upon CPA (rather than just CCA) secure PKE.
Finally, we ask whether it is possible to port the recent concept of anamorphic signatures, which considers constructing symmetric anamorphic channels in case only signature schemes are allowed by the dictator, to the asymmetric setting, which we denote
by public-key anamorphic signatures (PKAS). Also here we consider security beyond IND-CPA for the anamorphic channel.
## 2025/377
* Title: HiAE: A High-Throughput Authenticated Encryption Algorithm for Cross-Platform Efficiency
* Authors: Han Chen, Tao Huang, Phuong Pham, Shuang Wu
* [Permalink](https://eprint.iacr.org/2025/377)
* [Download](https://eprint.iacr.org/2025/377.pdf)
### Abstract
This paper addresses the critical challenges in designing cryptographic algorithms that achieve both high performance and cross-platform efficiency on ARM and x86 architectures, catering to the demanding requirements of next-generation communication
systems, such as 6G and GPU/NPU interconnections. We propose HiAE, a high-throughput authenticated encryption algorithm optimized for performance exceeding 100 Gbps and designed to meet the stringent security requirements of future communication networks.
HiAE leverages the stream cipher structure, integrating the AES round function for non-linear diffusion.
Our design achieves exceptional efficiency, with benchmark results from software implementations across various platforms showing over 340 Gbps on x86 processors and 180 Gbps on ARM devices in AEAD mode, making it the fastest AEAD solution on ARM chips
and setting a new performance record on the latest x86 processors.
## 2025/445
* Title: A proof of P≠NP (New symmetric encryption algorithm against any linear attacks and differential attacks)
* Authors: Gao Ming
* [Permalink](https://eprint.iacr.org/2025/445)
* [Download](https://eprint.iacr.org/2025/445.pdf)
### Abstract
The P vs NP problem is the most important unresolved problem in the field of computational complexity. Its impact has penetrated all aspects of algorithm design, especially the field of cryptography. The security of cryptographic algorithms based on short keys depends on whether P is equal to NP. In fact, Shannon strictly proved that the one-time-pad system meets unconditional security, but because the one-time-pad system requires the length of the key to be at least the length of the plaintext, how to transfer the key is a troublesome problem that restricts the use of the one-time-pad system in practice. Cryptographic algorithms used in practice are all based on short keys, and the security of the short-key mechanism is ultimately based on a one-way assumption. In fact, the existence of one-way functions directly leads to the important conclusion P≠NP.
In this paper, we originally constructed a short-key block cipher algorithm. The core feature of this algorithm is that for any block, when a plaintext-ciphertext pair is known, any key in the key space is valid, that is, for each block, the plaintext-ciphertext pair and the key are independent, and the independence between blocks is also easy to construct. This feature is completely different from all existing short-key cipher algorithms.
Based on the above feature, we construct a problem and theoretically prove that the problem satisfies the properties of one-way functions, thereby solving the problem of the existence of one-way functions, that is, directly proving that P≠NP.
## 2025/446
* Title: Disincentivize Collusion in Verifiable Secret Sharing
* Authors: Tiantian Gong, Aniket Kate, Hemanta K. Maji, Hai H. Nguyen
* [Permalink](https://eprint.iacr.org/2025/446)
* [Download](https://eprint.iacr.org/2025/446.pdf)
### Abstract
In verifiable secret sharing (VSS), a dealer shares a secret input among several parties, ensuring each share is verifiable. Motivated by its applications in the blockchain space, we focus on a VSS where parties holding shares are not allowed to
reconstruct the dealer's secret (even partially) on their own terms, which we address as privacy-targeted collusion if attempted.
In this context, our work investigates mechanisms deterring such collusion in VSS among rational and malicious parties. For this problem, we make both algorithmic and combinatorial contributions:
1. We provide two collusion-deterrent mechanisms to discourage parties from colluding and recovering the dealer's secret. Notably, when it is desired to achieve fairness---where non-colluding parties are not at a loss---while allowing for the best
achievable malicious fault tolerance, we define ``trackable access structures'' (TAS) and design a deterrence mechanism tailored for VSS on these structures.
2. We estimate the size of the optimal TAS, construct them from Steiner systems, provide highly robust TAS using partial Steiner systems, and present efficient secret sharing schemes for the latter close-to-optimal TAS for various parameter regimes.
3. We demonstrate that trackability in access structures is connected to combinatorial objects like (partial) Steiner systems, uniform subsets with restricted intersections, and appropriate binary codes. The robustness of access structures is
equivalent to the minimum vertex cover of hypergraphs.
We believe these connections between cryptography, game theory, and discrete mathematics will be of broader interest.
## 2025/447
* Title: Protecting Computations Against Continuous Bounded-Communication Leakage
* Authors: Yuval Ishai, Yifan Song
* [Permalink](https://eprint.iacr.org/2025/447)
* [Download](https://eprint.iacr.org/2025/447.pdf)
### Abstract
We consider the question of protecting a general computation device, modeled by a stateful Boolean circuit, against leakage of partial information about its internal wires. Goyal et al. (FOCS 2016) obtained a solution for the case of bounded-
communication leakage, where the wires are partitioned into two parts and the leakage can be any function computed using $t$ bits of communication between the parts. However, this solution suffers from two major limitations: (1) it only applies to a one-
shot (stateless) computation, mapping an encoded input to an encoded output, and (2) the leakage-resilient circuit consumes fresh random bits, whose number scales linearly with the circuit complexity of the computed function.
In this work, we eliminate the first limitation and make progress on the second. Concretely:
- We present the first construction of stateful circuits that offer information-theoretic protection against continuous bounded-communication leakage. As an application, we extend a two-party ``malware-resilient'' protocol of Goyal et al. to the
continuous-leakage case.
- For simple types of bounded-communication leakage, which leak $t$ parities or $t$ disjunctions of circuit wires or their negations, we obtain a deterministic variant that does not require any fresh randomness beyond the randomness in the initial state.
Here we get computational security based on a subexponentially secure one-way function. This is the first deterministic leakage-resilient circuit construction for any nontrivial class of global leakage.
## 2025/448
* Title: Ciphertext-Ciphertext Matrix Multiplication: Fast for Large Matrices
* Authors: Jai Hyun Park
* [Permalink](https://eprint.iacr.org/2025/448)
* [Download](https://eprint.iacr.org/2025/448.pdf)
### Abstract
Matrix multiplication of two encrypted matrices (CC-MM) is a key challenge for privacy-preserving machine learning applications. As modern machine learning models focus on scalability, fast CC-MM on large datasets is increasingly in demand.
In this work, we present a CC-MM algorithm for large matrices. The algorithm consists of plaintext matrix multiplications (PP-MM) and ciphertext matrix transpose algorithms (C-MT). We propose a fast C-MT algorithm, which is computationally inexpensive
compared to PP-MM. By leveraging high-performance BLAS libraries to optimize PP-MM, we implement large-scale CC-MM with substantial performance improvements. Furthermore, we propose lightweight algorithms, significantly reducing the key size from $1\ 960$
MB to $1.57$ MB for CC-MM with comparable efficiency.
In a single-thread implementation, the C-MT algorithm takes $0.76$ seconds to transpose a $2\ 048\times 2\ 048$ encrypted matrix. The CC-MM algorithm requires $85.2$ seconds to multiply two $4\ 096\times 4\ 096$ encrypted matrices. For large matrices,
our algorithm outperforms the state-of-the-art CC-MM method from Jiang-Kim-Lauter-Song [CCS'18] by a factor of over $800$.
## 2025/449
* Title: Concretely Efficient Correlated Oblivious Permutation
* Authors: Feng Han, Xiao Lan, Weiran Liu, Lei Zhang, Hao Ren, Lin Qu, Yuan Hong
* [Permalink](https://eprint.iacr.org/2025/449)
* [Download](https://eprint.iacr.org/2025/449.pdf)
### Abstract
Oblivious permutation (OP) enables two parties, a sender with a private data vector $x$ and a receiver with a private permutation $\pi$, to securely obtain the shares of $\pi(x)$. OP has been used to construct many important MPC primitives and applications
such as secret shuffle, oblivious sorting, private set operations, secure database analysis, and privacy-preserving machine learning. Due to its high complexity, OP has become a performance bottleneck in several practical applications, and many efforts
have been devoted to enhancing its concrete efficiency. Chase et al. (Asiacrypt'20) proposed an offline-online OP paradigm leveraging a pre-computable resource termed Share Translation. While this paradigm significantly reduces online costs, the
substantial offline cost of generating Share Translation remains an area for further investigation.
In this work, we redefine the pre-computable resource as a cryptographic primitive known as Correlated Oblivious Permutation (COP) and conduct in-depth analyses and optimizations of the two COP generation solutions: network-based solution and matrix-
based solution. The optimizations for the network-based solution halve the communication/computation cost of constructing a switch (the basic unit of the permutation network) and reduce the number of switches in the permutation network. The optimizations
for the matrix-based solution halve the communication cost of small-size COP generation and reduce the cost of large-size COP generation with in-outside permutation decomposition.
We implement our two COP generation protocols and conduct comprehensive evaluations. Taking commonly used 128-bit input data as an example, our network-based and matrix-based solutions are up to 1.7x and 1.6x faster than baseline protocols, respectively.
We further facilitate the state-of-the-art (SOTA) PSU protocols with our optimized COP, achieving over 25% reduction in communication cost and 35% decrease in execution time. This shows that our COP optimizations bring significant improvements for real-
world MPC primitives.
## 2025/450
* Title: Verifiable Decapsulation: Recognizing Faulty Implementations of Post-Quantum KEMs
* Authors: Lewis Glabush, Felix Günther, Kathrin Hövelmanns, Douglas Stebila
* [Permalink](https://eprint.iacr.org/2025/450)
* [Download](https://eprint.iacr.org/2025/450.pdf)
### Abstract
Cryptographic schemes often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the schemes might still function correctly. A prominent instance of such a verification
step is the re-encryption check in the Fujisaki-Okamoto (FO) transform that plays a prominent role in the post-quantum key encapsulation mechanisms (KEMs) considered in NIST's PQC standardization process. In KEMs built from FO, decapsulation performs a
re-encryption check that is essential for security, but not for functionality. In other words, it will go unnoticed if this essential step is omitted or wrongly implemented, opening the door for key recovery attacks. Notably, such an implementation flaw
was present in HQC's reference implementation and was only noticed after 19 months.
In this work, we develop a modified FO transform that binds re-encryption to functionality, ensuring that a faulty implementation which skips re-encryption will be exposed through basic correctness tests. We do so by adapting the "verifiable verification"
methodology of Fischlin and Günther (CCS 2023) to the context of FO-based KEMs. More concretely, by exporting an unpredictable confirmation code from the public key encryption and embedding it into the key derivation function, we can confirm that (most
of) the re-encryption step was indeed performed during decapsulation. We formalize this concept, establish modified FO transforms, and prove how unpredictable PKE confirmation codes turn into noticeable correctness errors for faulty implementations. We
show how to apply this technique to ML-KEM and HQC, both with negligible overhead, by leveraging the entropy lost through ciphertext compression or truncation. We confirm that our approach works through mathematical proofs, as well as experimental data.
Our experiments show that the implementation flaw in HQC's reference implementation indeed makes basic test cases fail when following our approach.
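The control-flow difference the abstract describes, as an added example that is not code from the paper: a toy FO-style KEM in Python whose "PKE" is a keyed symmetric stand-in (pk equals sk, stdlib hashlib only; a real scheme would be ML-KEM or HQC). The transmitted ciphertext drops the last four bytes of the encryption output, standing in for the bits lost to ciphertext compression or truncation; those dropped bytes are the confirmation code. Under plain FO a decapsulation that never re-encrypts still returns the right key, so a basic correctness test passes; with the code folded into the KDF, the same bug makes the correctness test fail. All constants and helper names are choices made for this illustration.

```python
"""Toy model of the FO re-encryption check and of 'verifiable decapsulation'.

Added example, not the paper's code.  The 'PKE' is a symmetric stand-in
(pk == sk) so that only the decapsulation control flow matters; it is not a
real public-key scheme.
"""
import hashlib
import hmac
import os

R_LEN, M_LEN, TAG_LEN, CODE_LEN = 16, 32, 8, 4   # toy sizes (assumed)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    k = os.urandom(32)          # toy: pk and sk are the same key
    z = os.urandom(32)          # implicit-rejection secret, as in FO-KEMs
    return k, (k, z)


def pke_enc_full(pk: bytes, m: bytes, r: bytes) -> bytes:
    """Randomised toy encryption, returning the UNtruncated ciphertext."""
    pad = hashlib.shake_256(b"pad" + pk + r).digest(M_LEN)
    tag = hmac.new(pk, b"tag" + r + m, hashlib.sha256).digest()[:TAG_LEN]
    return r + _xor(m, pad) + tag


def pke_dec(sk, c: bytes) -> bytes:
    k, _ = sk
    r = c[:R_LEN]
    pad = hashlib.shake_256(b"pad" + k + r).digest(M_LEN)
    return _xor(c[R_LEN:R_LEN + M_LEN], pad)    # decryption ignores the tag


def G(m: bytes) -> bytes:                        # FO derandomisation
    return hashlib.sha3_256(b"G" + m).digest()[:R_LEN]


def kdf(*parts: bytes) -> bytes:
    return hashlib.sha3_256(b"K" + b"|".join(parts)).digest()


def encaps(pk: bytes, verifiable: bool):
    m = os.urandom(M_LEN)
    full = pke_enc_full(pk, m, G(m))
    c, code = full[:-CODE_LEN], full[-CODE_LEN:]   # dropped bytes = confirmation code
    K = kdf(m, c, code) if verifiable else kdf(m, c)
    return c, K


def decaps(sk, c: bytes, verifiable: bool, skip_reencryption: bool = False) -> bytes:
    """Correct FO decapsulation, or the faulty variant that skips re-encryption."""
    k, z = sk
    m = pke_dec(sk, c)
    if skip_reencryption:
        # The bug from the abstract: no re-encryption, hence no confirmation
        # code is ever computed; the implementation can only derive kdf(m, c).
        return kdf(m, c)
    full = pke_enc_full(k, m, G(m))
    re_c, code = full[:-CODE_LEN], full[-CODE_LEN:]
    if not hmac.compare_digest(re_c, c):
        return kdf(z, c)                          # implicit rejection
    return kdf(m, c, code) if verifiable else kdf(m, c)


def correctness_test(verifiable: bool, skip_reencryption: bool) -> bool:
    """The 'basic correctness test' every KEM implementation is run against."""
    pk, sk = keygen()
    c, K = encaps(pk, verifiable)
    return decaps(sk, c, verifiable, skip_reencryption) == K


def tamper_test(verifiable: bool) -> bool:
    """A modified ciphertext must not decapsulate to the encapsulated key."""
    pk, sk = keygen()
    c, K = encaps(pk, verifiable)
    c2 = c[:-1] + bytes([c[-1] ^ 1])
    return decaps(sk, c2, verifiable) != K


if __name__ == "__main__":
    print("plain FO, honest decaps passes:      ", correctness_test(False, False))
    print("plain FO, no re-encryption passes:   ", correctness_test(False, True))
    print("verifiable, honest decaps passes:    ", correctness_test(True, False))
    print("verifiable, no re-encryption passes: ", correctness_test(True, True))
```

The second and fourth lines are the point: the plain transform hides the missing check behind a passing test, while the verifiable transform turns it into a visible correctness error, because the only way to learn the confirmation code is to actually re-encrypt.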
## 2025/451
* Title: Analysis of the Telegram Key Exchange
* Authors: Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen, Igors Stepanovs
* [Permalink](https://eprint.iacr.org/2025/451)
* [Download](https://eprint.iacr.org/2025/451.pdf)
### Abstract
We describe, formally model, and prove the security of Telegram's key exchange protocols for client-server communications. To achieve this, we develop a suitable multi-stage key exchange security model along with pseudocode descriptions of the Telegram
protocols that are based on analysis of Telegram's specifications and client source code. We carefully document how our descriptions differ from reality and justify our modelling choices. Our security proofs reduce the security of the protocols to that
of their cryptographic building blocks, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective
of formal analysis. Along the way, we provide a proof of IND-CCA security for the variant of RSA-OAEP+ used in Telegram and identify a hypothetical attack exploiting current Telegram server behaviour (which is not captured in our protocol descriptions).
Finally, we reflect on the broader lessons about protocol design that can be taken from our work.
## 2025/452
* Title: Polar Lattice Cryptography
* Authors: Gideon Samid
* [Permalink](https://eprint.iacr.org/2025/452)
* [Download](https://eprint.iacr.org/2025/452.pdf)
### Abstract
This paper presents a protocol that builds a cryptographic solution which shifts security responsibility from the cipher designer to the cipher user. The Polar Lattice is a pattern-devoid cryptographic cipher. It is based on a geometric construct -- a polar lattice, on which the letters of a plaintext alphabet A are represented as two points per letter, so that to transmit a letter the transmitter transmits a randomized pathway, a trail, (ciphertext) that begins at the first point of the transmitted letter
and ends at the second point of the transmitted letter; the transmitted pathway is a set of steps on the lattice. Once a letter is transmitted the next bits on the ciphertext mark the beginning of the pathway that points to the next letter. The size and
the geometric construction of the polar lattice are randomized and kept secret. The randomized pathways may be long or short, the attacker does not know how to parcel the ciphertext to individual trails pointing to distinct letters in the plaintext
alphabet A. The polar lattice may be implemented algebraically, or geometrically; the lattice may be a physical nano-construct. The polar lattice is very power efficient, very fast. It claims all the attributes associated with pattern devoid cryptography:
it allows for only brute force cryptanalysis, which in turn can be defeated through increased ciphertext size, unlimited key size and structure complexity.
## 2025/453
* Title: Verifiable Secret Sharing Based on Fully Batchable Polynomial Commitment for Privacy-Preserving Distributed Computation
* Authors: Xiangyu Kong, Min Zhang, Yu Chen
* [Permalink](https://eprint.iacr.org/2025/453)
* [Download](https://eprint.iacr.org/2025/453.pdf)
### Abstract
Privacy-preserving distributed computation enables a resource-limited client to securely delegate computations on sensitive data to multiple servers by distributing shares of the data. In such systems, verifiable secret sharing (VSS) is a fundamental
component, ensuring secure data distribution and directly impacting the overall performance. The most practical approach to construct VSS is through polynomial commitment (PC), with two main research directions to improve the VSS efficiency. The first
focuses on improving the dealer time by designing PC that supports batch evaluation, i.e., generating multiple evaluation$\&$proof pairs in one shot. The second aims to reduce the broadcast cost by designing PC that supports batch opening, i.e.,
producing a compact proof for multiple evaluations.
Recently, Zhang et al. (Usenix Security 2022) proposed a transparent PC that supports batch evaluation and obtained a transparent VSS with optimal dealer time. However, their scheme does not support batch opening, leading to high broadcast costs in VSS.
To the best of our knowledge, no transparent PC currently supports both batch evaluation and batch opening, thus limiting the performance of existing VSS schemes.
In this paper, we propose a transparent fully batchable polynomial commitment (TFB-PC), that simultaneously supports batch evaluation and batch opening. Leveraging TFB-PC, we present a VSS scheme with optimal complexity: $O(n\log n)$ dealer time, $O(n)$
participant time and $O(n)$ communication cost. Furthermore, we implement our VSS scheme and compare its performance with Zhang et al.’s VSS
(the naive approach). Results show that our scheme achieves $954\text{-}27,595\times$ reduction in communication cost and a $1,028\text{-}1,155,106\times$ speed up in participant time for $2^{11}$-$2^{21}$ parties.
## 2025/454
* Title: Quantum circuit for implementing AES S-box with low costs
* Authors: Huinan Chen, Binbin Cai, Fei Gao, Song Lin
* [Permalink](https://eprint.iacr.org/2025/454)
* [Download](https://eprint.iacr.org/2025/454.pdf)
### Abstract
Advanced Encryption Standard (AES) is one of the most widely used and extensively studied encryption algorithms globally, which is renowned for its efficiency and robust resistance to attacks. In this paper, three quantum circuits are designed to
implement the S-box, which is the sole nonlinear component in AES. By incorporating a linear key schedule, we achieve a quantum circuit for implementing AES with the minimum number of qubits used. As a consequence, only 264/328/398 qubits are needed to
implement the quantum circuits for AES-128/192/256. Furthermore, through quantum circuits of the S-box and key schedule, the overall size of the quantum circuit required for Grover's algorithm to attack AES is significantly decreased. This enhancement
improves both the security and resource efficiency of AES in a quantum computing environment.
## 2025/455
* Title: StaMAC: Fault Protection via Stable-MAC Tags
* Authors: Siemen Dhooghe, Artemii Ovchinnikov, Dilara Toprakhisar
* [Permalink](https://eprint.iacr.org/2025/455)
* [Download](https://eprint.iacr.org/2025/455.pdf)
### Abstract
Fault attacks pose a significant threat to cryptographic implementations, motivating the development of countermeasures, primarily based on a combination of redundancy and masking techniques. Redundancy, in these countermeasures, is often implemented via
duplication or linear codes. However, their inherent structure remains susceptible to strategic fault injections bypassing error checks. To address this, the CAPA countermeasure from CRYPTO 2018 leveraged information-theoretic MAC tags for protection
against fault and combined attacks. However, a recent attack has shown that CAPA can only protect against either side-channel analysis or fault attacks, but not both simultaneously, and with significant hardware costs. Its successor, M&M, improves
efficiency but lacks protection against ineffective faults.
In this paper, we propose StaMAC, a framework aimed at securely incorporating MAC tags against both side-channel and fault adversaries in a non-combined scenario. We extend the security notions outlined in StaTI from TCHES 2024, and propose the notion of
MAC-stability, ensuring fault propagation in masked and MACed circuits, necessitating only a single error check at the end of the computation. Additionally, we show that the stability notion from StaTI is arbitrarily composable (whereas it was previously
thought to be only serially composable), making it the first arbitrary composable fault security notion which does not require intermediate error checks or correction. Then, we establish the improved protection of masking combined with MAC tags compared
to linear encoding techniques by showing bounds on the advantage considering several fault adversaries: a gate/register faulting adversary, an arbitrary register faulting adversary, and a random register faulting adversary. Then, we show how to transform
any probing secure circuit to protect against fault attacks using the proposed MAC-stable gadgets implementing field operations. Finally, we demonstrate StaMAC on an AES implementation, evaluating its security and hardware costs compared to the
countermeasures using MAC tags.
## 2025/456
* Title: A Democratic Distributed Post-Quantum Certificateless Encryption Scheme
* Authors: Thomas Prévost, Bruno Martin, Olivier Alibart
* [Permalink](https://eprint.iacr.org/2025/456)
* [Download](https://eprint.iacr.org/2025/456.pdf)
### Abstract
We propose a post-quantum certificateless encryption scheme based on a web of trust instead of a centralized Key Generation Center. Our scheme allows nodes to communicate securely. It is the nodes already present in the network that vote on the acceptance of new nodes, and agree on the shared key. The threshold required for the acceptance of a new node is configurable. Our protocol thus allows operating entirely without the Key Generation Center (or Key Distribution Center).
Our scheme is based on Quasi-Cyclic Moderate Density Parity Check Code McEliece, which is resistant to quantum computer attacks. The voting system uses Shamir secret sharing, coupled with the Kabatianskii-Krouk-Smeets signature scheme, both are also
resistant to quantum computer attacks.
We provide a security analysis of our protocol, as well as a formal verification and a proof of concept code.
## 2025/457
* Title: A 10-bit S-box generated by Feistel construction from cellular automata
* Authors: Thomas Prévost, Bruno Martin
* [Permalink](https://eprint.iacr.org/2025/457)
* [Download](https://eprint.iacr.org/2025/457.pdf)
### Abstract
In this paper, we propose a new 10-bit S-box generated from a Feistel construction. The subpermutations are generated by a 5-cell cellular automaton based on a unique well-chosen rule and bijective affine transformations. In particular, the cellular
automaton rule is chosen based on empirical tests of its ability to generate good pseudorandom output on a ring cellular automaton. Similarly, Feistel's network layout is based on empirical data regarding the quality of the output S-box.
We perform cryptanalysis of the generated 10-bit S-box: we test the properties of algebraic degree, algebraic complexity, nonlinearity, strict avalanche criterion, bit independence criterion, linear approximation probability, differential approximation
probability, differential uniformity and boomerang uniformity of our S-box, and relate them to those of the AES S-box. We find security properties comparable to or sometimes even better than those of the standard AES S-box. We believe that our S-box
could be used to replace the 5-bit substitution of ciphers like ASCON.
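How such an S-box is built and then measured, as an added example rather than the paper's own code: a 10-bit Feistel S-box whose round function applies a few steps of an elementary cellular automaton on a 5-cell ring followed by an affine bijection, and the differential-uniformity and nonlinearity computations used to judge it. The CA rule (30), step count, round count and the affine layer (rotation plus round constant) are assumptions made here, not the paper's parameters. The AES S-box is generated alongside as a reference with known values (differential uniformity 4, nonlinearity 112) so the metric code can be checked before it is trusted on a new design.

```python
"""Feistel S-box from a ring cellular automaton, plus the metrics an evaluator
runs on it.  Added example, not the paper's code: rule, steps, rounds and the
affine layer are assumptions, not the parameters used in the paper."""


def ca_step(state: int, n: int, rule: int) -> int:
    """One synchronous step of an elementary (Wolfram-rule) CA on an n-cell ring."""
    nxt = 0
    for i in range(n):
        left = (state >> ((i + 1) % n)) & 1
        mid = (state >> i) & 1
        right = (state >> ((i - 1) % n)) & 1
        nxt |= ((rule >> ((left << 2) | (mid << 1) | right)) & 1) << i
    return nxt


def feistel_sbox(n: int = 5, rounds: int = 4, rule: int = 30, steps: int = 3) -> list:
    """2n-bit S-box from a `rounds`-round Feistel network.  Each round runs
    `steps` CA steps on the right half, then an assumed affine bijection
    (rotate by a round-dependent amount, XOR a round constant).  A Feistel
    network is a permutation whatever the round function is."""
    mask = (1 << n) - 1

    def round_fn(x: int, j: int) -> int:
        y = x
        for _ in range(steps):
            y = ca_step(y, n, rule)
        rot = (j % (n - 1)) + 1                      # rotation amount in 1..n-1
        y = ((y << rot) | (y >> (n - rot))) & mask
        return y ^ ((0x0B * (j + 1)) & mask)         # assumed round constant

    sbox = []
    for x in range(1 << (2 * n)):
        left, right = x >> n, x & mask
        for j in range(rounds):
            left, right = right, left ^ round_fn(right, j)
        sbox.append((left << n) | right)
    return sbox


def aes_sbox() -> list:
    """Reference: GF(2^8) inversion followed by the AES affine map."""
    def rotl8(v: int, s: int) -> int:
        return ((v << s) | (v >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1                                        # p = 3^i, q = 3^-i
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                   # 0 has no inverse
    return sbox


def differential_uniformity(sbox: list) -> int:
    """Largest entry of the difference distribution table over non-zero input differences."""
    size = len(sbox)
    worst = 0
    for a in range(1, size):
        row = [0] * size
        for x in range(size):
            row[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(row))
    return worst


def nonlinearity(sbox: list, n_out: int) -> int:
    """2^(n-1) - max|W|/2 over all non-zero output masks b, with W the Walsh
    spectrum of the component function x -> <b, S(x)> (fast Walsh-Hadamard)."""
    size = len(sbox)
    parity = [bin(v).count("1") & 1 for v in range(1 << n_out)]
    worst = 0
    for b in range(1, 1 << n_out):
        w = [1 - 2 * parity[sbox[x] & b] for x in range(size)]
        h = 1
        while h < size:
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    u, v = w[j], w[j + h]
                    w[j], w[j + h] = u + v, u - v
            h *= 2
        worst = max(worst, max(abs(v) for v in w))
    return (size - worst) // 2


def evaluate(sbox: list, n_out: int) -> dict:
    return {
        "bijective": sorted(sbox) == list(range(len(sbox))),
        "differential_uniformity": differential_uniformity(sbox),
        "nonlinearity": nonlinearity(sbox, n_out),
    }


if __name__ == "__main__":
    print("AES S-box:        ", evaluate(aes_sbox(), 8))
    print("CA-Feistel 10-bit:", evaluate(feistel_sbox(), 10))
```

The toy parameters will not match the paper's figures; the point is the evaluation harness, which should reproduce DU 4 and NL 112 on AES before any number it reports for a new S-box is believed. The remaining criteria from the abstract (SAC, BIC, algebraic degree, boomerang uniformity) are computed from the same S-box table in the same style.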
## 2025/458
* Title: CAKE requires programming - On the provable post-quantum security of (O)CAKE
* Authors: Kathrin Hövelmanns, Andreas Hülsing, Mikhail Kudinov, Silvia Ritsch
* [Permalink](https://eprint.iacr.org/2025/458)
* [Download](https://eprint.iacr.org/2025/458.pdf)
### Abstract
In this work we revisit the post-quantum security of KEM-based password-authenticated key exchange (PAKE), specifically that of (O)CAKE. So far, these schemes evaded a security proof considering quantum adversaries. We give a detailed analysis of why
this is the case, determining the missing proof techniques. To this end, we first provide a proof of security in the post-quantum setting, up to a single gap. This proof already turns out to be technically involved, requiring advanced techniques to
reason in the QROM, including the compressed oracle and the extractable QROM. To pave the way towards closing the gap, we then further identify an efficient simulator for the ideal cipher. This provides certain programming abilities as a necessary and
sufficient condition to close the gap in the proof: we demonstrate that we can close the gap using the simulator, and give a meta-reduction based on KEM-anonymity that shows the impossibility of a non-programming reduction that covers a class of KEMs
that includes Kyber / ML-KEM.
## 2025/459
* Title: Privacy and Security of FIDO2 Revisited
* Authors: Manuel Barbosa, Alexandra Boldyreva, Shan Chen, Kaishuo Cheng, Luís Esquível
* [Permalink](https://eprint.iacr.org/2025/459)
* [Download](https://eprint.iacr.org/2025/459.pdf)
### Abstract
We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web.
We discuss previous works
and conclude that each of them has at least one of the following limitations: (i) impractical trusted setup assumptions,
[continued in next message]