## In this issue
1. [2025/384] Optimizing Final Exponentiation for Pairing- ...
2. [2025/388] Fair Exchange for Decentralized Autonomous ...
3. [2025/501] Quantum Key-Recovery Attacks on Permutation-Based ...
4. [2025/502] Registration-Based Encryption in the Plain Model
5. [2025/503] Max Bias Analysis: A New Approach on Computing the ...
6. [2025/504] Ideal Compartmented Secret Sharing Scheme Based on ...
7. [2025/505] Capitalized Bitcoin Fork for National Strategic Reserve
8. [2025/506] On the Estonian Internet Voting System, IVXV, SoK ...
9. [2025/507] Scalable Zero-knowledge Proofs for Non-linear ...
10. [2025/508] Towards Building Scalable Constant-Round MPC from ...
11. [2025/509] Almost Optimal KP and CP-ABE for Circuits from ...
12. [2025/510] Adaptive Adversaries in Byzantine-Robust Federated ...
13. [2025/511] VeriSSO: A Privacy-Preserving Legacy-Compatible ...
14. [2025/512] Optimizing AES-GCM on ARM Cortex-M4: A Fixslicing ...
15. [2025/513] Server-Aided Anonymous Credentials
16. [2025/514] On Extractability of the KZG Family of Polynomial ...
17. [2025/515] Compressed Sigma Protocols: New Model and ...
18. [2025/516] Don't Use It Twice: Reloaded! On the Lattice ...
19. [2025/517] Designated-Verifier SNARGs with One Group Element
20. [2025/518] Secret-Sharing Schemes for General Access ...
21. [2025/519] mid-pSquare: Leveraging the Strong Side-Channel ...
22. [2025/520] Masking-Friendly Post-Quantum Signatures in the ...
23. [2025/521] Division polynomials for arbitrary isogenies
24. [2025/522] New Techniques for Analyzing Fully Secure ...
25. [2025/523] Assembly optimised Curve25519 and Curve448 ...
26. [2025/524] Ring Referral: Efficient Publicly Verifiable Ad hoc ...
27. [2025/525] Deniable Secret Sharing
28. [2025/526] AI Agents in Cryptoland: Practical Attacks and No ...
29. [2025/527] SoK: Fully-homomorphic encryption in smart contracts
30. [2025/528] VeRange: Verification-efficient Zero-knowledge ...
31. [2025/529] On the Anonymity in "A Practical Lightweight ...
32. [2025/530] Lattice-based extended withdrawable signatures
33. [2025/531] Understanding the new distinguisher of alternant ...
34. [2025/532] Chunking Attacks on File Backup Services using ...
35. [2025/533] JesseQ: Efficient Zero-Knowledge Proofs for ...
36. [2025/534] Plonkify: R1CS-to-Plonk transpiler
37. [2025/535] zkPyTorch: A Hierarchical Optimized Compiler for ...
38. [2025/536] A Fiat-Shamir Transformation From Duplex Sponges
## 2025/384
* Title: Optimizing Final Exponentiation for Pairing-Friendly Elliptic Curves with Odd Embedding Degrees Divisible by 3
* Authors: Loubna Ghammam, Nadia El Mrabet, Walid Haddaji, Leila Ben Abdelghani * [Permalink](
https://eprint.iacr.org/2025/384)
* [Download](
https://eprint.iacr.org/2025/384.pdf)
### Abstract
In pairing-based cryptography, the final exponentiation with a large fixed exponent is essential to ensure unique outputs in both Tate and optimal ate pairings. While significant progress has been made in optimizing elliptic curves with even embedding
degrees, advancements for curves with odd embedding degrees, particularly those divisible by 3, have been more limited. This paper introduces new optimization techniques for computing the final exponentiation of the optimal ate pairing on these curves.
The first technique takes advantage of some existing seeds' forms, which enable cyclotomic cubing, and extends this approach to generate new seeds with a similar structure. The second technique involves generating new seeds with sparse ternary
representations, replacing squaring operations with cyclotomic cubing.
The first technique improves efficiency by $1.7\%$ and $1.5\%$ compared to the square and multiply (\textbf{SM}) method for existing seeds at $192-$bit and $256-$bit security levels, respectively. For newly generated seeds, it achieves efficiency gains
of $3.4\%$ at $128-$bit, $5\%$ at $192-$bit, and $8.6\%$ at $256-$bit security levels. The second technique improves efficiency by $3.3\%$ at $128-$bit, $19.5\%$ at $192-$bit, and $4.3\%$ at $256-$bit security levels.
## 2025/388
* Title: Fair Exchange for Decentralized Autonomous Organizations via Threshold Adaptor Signatures
* Authors: Ruben Baecker, Paul Gerhart, Jonathan Katz, Dominique Schröder
* [Permalink](
https://eprint.iacr.org/2025/388)
* [Download](
https://eprint.iacr.org/2025/388.pdf)
### Abstract
A Decentralized Autonomous Organization (DAO) enables multiple parties to collectively manage digital assets in a blockchain setting. We focus on achieving fair exchange between DAOs using a cryptographic mechanism that operates with minimal blockchain
assumptions and, crucially, does not rely on smart contracts.
Specifically, we consider a setting where a DAO consisting of $n_\mathsf{S}$ sellers holding shares of a witness $w$ interacts with a DAO comprising $n_\mathsf{B}$ buyers holding shares of a signing key $sk$; the goal is for the sellers to exchange $w$
for a signature under $sk$ transferring a predetermined amount of funds. Fairness is required to hold both between DAOs (i.e., ensuring that each DAO receives its asset if and only if the other does) as well as within each DAO (i.e., ensuring that all members of a DAO receive their asset if and only if every other member does)
.
We formalize these fairness properties and present an efficient protocol for DAO-based fair exchange under standard cryptographic assumptions. Our protocol leverages certified witness encryption and threshold adaptor signatures, two primitives of
independent interest that we introduce and show how to construct efficiently.
## 2025/501
* Title: Quantum Key-Recovery Attacks on Permutation-Based Pseudorandom Functions
* Authors: Hong-Wei Sun, Fei Gao, Rong-Xue Xu, Dan-Dan Li, Zhen-Qiang Li, Ke-Jia Zhang
* [Permalink](
https://eprint.iacr.org/2025/501)
* [Download](
https://eprint.iacr.org/2025/501.pdf)
### Abstract
Due to their simple security assessments, permutation-based pseudo-random functions (PRFs) have become widely used in cryptography. It has been shown that PRFs using a single $n$-bit permutation achieve $n/2$ bits of security, while those using two
permutation calls provide $2n/3$ bits of security in the classical setting. This paper studies the security of permutation-based PRFs within the Q1 model, where attackers are restricted to classical queries and offline quantum computations. We present
improved quantum-time/classical-data tradeoffs compared with the previous attacks. Specifically, under the same assumptions/hardware as Grover's exhaustive search attack, i.e. the offline Simon algorithm, we can recover keys in quantum time $\tilde{O}(2^{
n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits. Furthermore, we enhance previous superposition attacks by reducing the data complexity from exponential to polynomial, while maintaining the same time complexity. This implies that
permutation-based PRFs become vulnerable when adversaries have access to quantum computing resources. It is pointed out that the above quantum attack can be used to quite a few cryptography, including PDMMAC and pEDM, as well as general instantiations
like XopEM, EDMEM, EDMDEM, and others.
## 2025/502
* Title: Registration-Based Encryption in the Plain Model
* Authors: Jesko Dujmovic, Giulio Malavolta, Wei Qi
* [Permalink](
https://eprint.iacr.org/2025/502)
* [Download](
https://eprint.iacr.org/2025/502.pdf)
### Abstract
Registration-based encryption (RBE) is a recently developed alternative to identity-based encryption, that mitigates the well-known key-escrow problem by letting each user sample its own key pair. In RBE, the key authority is substituted by a key curator,
a completely transparent entity whose only job is to reliably aggregate users' keys. However, one limitation of all known RBE scheme is that they all rely on one-time trusted setup, that must be computed honestly.
In this work, we ask whether this limitation is indeed inherent and we initiate the systematic study of RBE in the plain model, without any common reference string. We present the following main results:
- (Definitions) We show that the standard security definition of RBE is unachievable without a trusted setup and we propose a slight weakening, where one honest user is required to be registered in the system.
- (Constructions) We present constructions of RBE in the plain model, based on standard cryptographic assumptions. Along the way, we introduce the notions of non-interactive witness indistinguishable (NIWI) proofs secure against chosen statements
attack and re-randomizable RBE, which may be of independent interest.
A major limitation of our constructions, is that users must be updated upon every new registration.
- (Lower Bounds) We show that this limitation is in some sense inherent. We prove that any RBE in the plain model that satisfies a certain structural requirement, which holds for all known RBE constructions, must update all but a vanishing
fraction of the users, upon each new registration. This is in contrast with the standard RBE settings, where users receive a logarithmic amount of updates throughout the lifetime of the system.
## 2025/503
* Title: Max Bias Analysis: A New Approach on Computing the Entropy of Free Ring-Oscillator
* Authors: Nicolas David, Eric Garrido
* [Permalink](
https://eprint.iacr.org/2025/503)
* [Download](
https://eprint.iacr.org/2025/503.pdf)
### Abstract
This work introduce a new approach called Max bias analysis for the entropy computation of structures of Free Ring Oscillator-based Physical Random Number Generator. It employs the stochastic model based on the well-established Wiener process,
specifically adapted to only capture thermal noise contributions while accounting for potential non-zero bias in the duty cycle.
Our analysis is versatile, applicable to combinations of multiple sampled Ring Oscillator (RO) filtering by any function. The entropy computation takes as inputs the parameters of the thermal stochastic model and delivers directly a proven bound for both
Shannon entropy and min-entropy to fulfill AIS31 and NIST SP 800-90 B. As an example, we apply the new methodology on an enhanced structure of TRNG combining several free-running Ring Oscillators filtered by a vectorial function built from a linear error
correcting code that optimizes the functional performance in terms of [entropy rate/silicium area used] and that maintains the mathematical proof of the entropy lower bound as simple as possible.
## 2025/504
* Title: Ideal Compartmented Secret Sharing Scheme Based on the Chinese Remainder Theorem for Polynomial Rings
* Authors: Alexandru-Valentin Basaga, Sorin Iftene
* [Permalink](
https://eprint.iacr.org/2025/504)
* [Download](
https://eprint.iacr.org/2025/504.pdf)
### Abstract
A secret sharing scheme starts with a secret and then derives from it
certain shares (or shadows) which are distributed to users.
The secret may be recovered only by certain
predetermined groups. In case of compartmented secret sharing, the
set of users is partitioned into compartments and the secret
can be recovered only if the number of participants from
any compartment is greater than or equal to a fixed compartment threshold
and the total number of participants is greater than or equal to a global threshold.
In this paper we use the Chinese Remainder Theorem for Polynomial Rings in order to construct an ideal compartmented secret sharing scheme, inspired by the work from [20].
## 2025/505
* Title: Capitalized Bitcoin Fork for National Strategic Reserve
* Authors: Charanjit Singh Jutla, Arnab Roy
* [Permalink](
https://eprint.iacr.org/2025/505)
* [Download](
https://eprint.iacr.org/2025/505.pdf)
### Abstract
We describe a strategy for a nation to acquire majority stake in Bitcoin with zero cost to the taxpayers of the nation. We propose a bitcoin fork sponsored by the the government of the nation, and backed by the full faith of treasury of the nation, such
that the genesis block of this fork attributes fixed large amount of new kinds of tokens called strategic-reserve-bitcoin tokens (SRBTC) to the nation's treasury, which is some multiple (greater than one) of the amount of all Bitcoin tokens (BTC)
currently set in the Bitcoin protocol. The BTC tokens continue to be treated 1:1 as SRBTC tokens in the forked chain. The only capital that the nation puts up is its explicit guarantee that the SRBTC tokens of the fork will be accepted as legal tender,
such as payment of tax to the treasury.
We suggest that this is a better approach than starting a new blockchain that mimics Bitcoin, as it will be partially fair to the current holders of Bitcoin, which in turn would make it competitive in the space of other such possible forks by other
powerful nations. Moreover, such a proof-of-work blockchain retains its egalitarian and democratic nature, which competitively deters the said nation from any dilutions in the future.
To justify our proposal we setup three competitive games, and show strategies for different players that are in Nash equilibrium and which throw further light on these claims. In particular,
1. The first game shows that if the only two alternatives for investors is to invest in BTC or SRBTC, then individuals who have a certain fraction $\theta$ of their wealth already invested in BTC, will invest new money in the original chain, whereas the
individuals whose current wealth invested in BTC is less than the $\theta$ fraction will invest new money in SRBTC.
2. The second game shows that if there is a third alternative for investment, which is cash that is losing value (inflation-adjusted) by a percentage $d$, then the investors who had less than $\theta$ fraction of wealth in Bitcoin, will invest in SRBTC
only if the dilution of SRBTC is large enough (as an increasing (linear) function of $1/d$). Here by dilution we mean the new SRBTC tokens that are allowed to be eventually mined in the fork.
3. The third game shows that investors would prefer a fork of Bitcoin over a replica of Bitcoin that doesn't value original BTC, when both are available and even if both are backed similarly by one or more nations.
## 2025/506
* Title: On the Estonian Internet Voting System, IVXV, SoK and Suggestions
* Authors: Shymaa M. Arafat
* [Permalink](
https://eprint.iacr.org/2025/506)
* [Download](
https://eprint.iacr.org/2025/506.pdf)
### Abstract
The Estonian i-voting experience is probably the richest to analyze; a country that is considered a pioneer in digitizing both the government and private sector since 2001, and hence digital voting in 2005, yet there are still some complaints submitted,
critics and remarks to consider about the IVXV system. In this paper, we introduce a Systemization of Knowledge of the Estonian IVXV i-voting system and propose some added security enhancements. The presented SoK includes applications implemented by
election observers in 2023 & 2024 elections, which, to our knowledge, has never been mentioned and/or analyzed in the academic literature before. The paper also updates the general knowledge about an extra right given to auditors
(but not observers) in the June 2024 European election, recent complaints, and about newer solutions suggested by academia in 2024. Finally, we discuss the current system status in 2024 EP elections and propose our own suggestions to some problems stated
in the OSCE-ODIHR 2023 report that are still there.
## 2025/507
* Title: Scalable Zero-knowledge Proofs for Non-linear Functions in Machine Learning
* Authors: Meng Hao, Hanxiao Chen, Hongwei Li, Chenkai Weng, Yuan Zhang, Haomiao Yang, Tianwei Zhang
* [Permalink](
https://eprint.iacr.org/2025/507)
* [Download](
https://eprint.iacr.org/2025/507.pdf)
### Abstract
Zero-knowledge (ZK) proofs have been recently explored for the integrity of machine learning (ML) inference. However, these protocols suffer from high computational overhead, with the primary bottleneck stemming from the evaluation of non-linear
functions. In this paper, we propose the first systematic ZK proof framework for non-linear mathematical functions in ML using the perspective of table lookup. The key challenge is that table lookup cannot be directly applied to non-linear functions in
ML since it would suffer from inefficiencies due to the intolerably large table. Therefore, we carefully design several important building blocks, including digital decomposition, comparison, and truncation, such that they can effectively utilize table
lookup with a quite small table size while ensuring the soundness of proofs. Based on these blocks, we implement complex mathematical operations and further construct ZK proofs for current mainstream non-linear functions in ML such as ReLU, sigmoid, and
normalization. The extensive experimental evaluation shows that our framework achieves 50 ∼ 179× runtime improvement compared to the state-of-the-art work, while maintaining a similar level of communication efficiency.
## 2025/508
* Title: Towards Building Scalable Constant-Round MPC from Minimal Assumptions via Round Collapsing
* Authors: Vipul Goyal, Junru Li, Rafail Ostrovsky, Yifan Song
* [Permalink](
https://eprint.iacr.org/2025/508)
* [Download](
https://eprint.iacr.org/2025/508.pdf)
### Abstract
In this work, we study the communication complexity of constant-round secure multiparty computation (MPC) against a fully malicious adversary and consider both the honest majority setting and the dishonest majority setting. In the (strong) honest
majority setting (where $t=(1/2-\epsilon)n$ for a constant $\epsilon$), the best-known result without relying on FHE is given by Beck et al. (CCS 2023) based on the LPN assumption that achieves $O(|C|\kappa)$ communication, where $\kappa$ is the security
parameter and the achieved communication complexity is independent of the number of participants. In the dishonest majority setting, the best-known result is achieved by Goyal et al. (ASIACRYPT 2024), which requires $O(|C|n\kappa)$ bits of communication
and is based on the DDH and LPN assumptions.
In this work, we achieve the following results: (1) For any constant $\epsilon<1$, we give the first constant-round MPC in the dishonest majority setting for corruption threshold $t<(1-\epsilon)n$ with $O(|C|\kappa+D (n+\kappa)^2\kappa)$ communication
assuming random oracles and oblivious transfers, where $D$ is the circuit depth. (2) We give the first constant-round MPC in the standard honest majority setting (where $t=(n-1)/2$) with $O(|C|\kappa+D (n+\kappa)^2\kappa)$ communication only assuming
random oracles.
Unlike most of the previous constructions of constant-round MPCs that are based on multiparty garbling, we achieve our result by letting each party garble his local computation in a non-constant-round MPC that meets certain requirements. We first design
a constant-round MPC that achieves $O(|C|\kappa + Dn^2\kappa)$ communication assuming random oracles in the strong honest majority setting of $t=n/4$. Then, we combine the party virtualization technique and the idea of MPC-in-the-head to boost the
corruption threshold to $t<(1-\epsilon)n$ for any constant $\epsilon<1$ assuming oblivious transfers to achieve our first result. Finally, our second result is obtained by instantiating oblivious transfers using a general honest-majority MPC and the OT
extension technique built on random oracles.
## 2025/509
* Title: Almost Optimal KP and CP-ABE for Circuits from Succinct LWE
* Authors: Hoeteck Wee
* [Permalink](
https://eprint.iacr.org/2025/509)
* [Download](
https://eprint.iacr.org/2025/509.pdf)
### Abstract
We present almost-optimal lattice-based attribute-based encryption (ABE) and laconic function evaluation (LFE). For depth d circuits over $\ell$-bit inputs, we obtain
* key-policy (KP) and ciphertext-policy (CP) ABE schemes with ciphertext, secret key and public key size $O(1)$;
* LFE with ciphertext size $\ell + O(1)$ as well as CRS and digest size $O(1)$;
where O(·) hides poly(d, λ) factors. The parameter sizes are optimal, up to the poly(d) dependencies. The security of our schemes rely on succinct LWE (Wee, CRYPTO 2024). Our results constitute a substantial improvement over the state of the art; none
of our results were known even under the stronger evasive LWE assumption.
## 2025/510
* Title: Adaptive Adversaries in Byzantine-Robust Federated Learning: A survey. * Authors: Jakub Kacper Szeląg, Ji-Jian Chin, Sook-Chin Yip
* [Permalink](
https://eprint.iacr.org/2025/510)
* [Download](
https://eprint.iacr.org/2025/510.pdf)
### Abstract
Federated Learning (FL) has recently emerged as one of the leading paradigms for collaborative machine learning, serving as a tool for model computation without a need to expose one’s privately stored data. However, despite its advantages, FL systems
face severe challenges within its own security solutions that address both privacy and robustness of models. This paper focuses on vulnerabilities within the domain of FL security with emphasis on model-robustness. Identifying critical gaps in current
defences, particularly against adaptive adversaries which modify their attack strategies after being disconnected and rejoin systems to continue attacks. To our knowledge, other surveys in this domain do not cover the concept of adaptive adversaries,
this along with the significance of their impact serves as the main motivation for this work. Our contributions are fivefold: (1) we present a comprehensive overview of FL systems, presenting a complete summary of its fundamental building blocks, (2) an
extensive overview of existing vulnerabilities that target FL systems in general, (3) highlight baseline attack vectors as well as state-of-the-art approaches to development of attack methods and defence mechanisms, (4) introduces a novel baseline method
of attack leveraging reconnecting malicious clients, and (5) identifies future research directions to address and counter adaptive attacks. We demonstrate through experimental results that existing baseline secure aggregation rules used in other works
for comparison such as Krum and Trimmed Mean are insufficient against those attacks. Further, works improving upon those algorithms do not address this concern either. Our findings serve as a basis for redefining FL security paradigms in the direction of
adaptive adversaries.
## 2025/511
* Title: VeriSSO: A Privacy-Preserving Legacy-Compatible Single Sign-On Protocol Using Verifiable Credentials
* Authors: Ifteher Alom, Sudip Bhujel, Yang Xiao
* [Permalink](
https://eprint.iacr.org/2025/511)
* [Download](
https://eprint.iacr.org/2025/511.pdf)
### Abstract
Single Sign-On (SSO) is a popular authentication mechanism enabling users to access multiple web services with a single set of credentials. Despite its convenience, SSO faces outstanding privacy challenges. The Identity Provider (IdP) represents a single
point of failure and can track users across different Relying Parties (RPs). Multiple colluding RPs may track users through common identity attributes. In response, anonymous credential-based SSO solutions have emerged to offer privacy-preserving
authentication without revealing unnecessary user information. However, these solutions face two key challenges: supporting RP authentication without compromising user unlinkability and maintaining compatibility with the predominant Authorization Code
Flow (ACF).
This paper introduces VeriSSO, a novel SSO protocol based on verifiable credentials (VC) that supports RP authentication while preserving privacy and avoiding single points of failure. VeriSSO employs an independent authentication server committee to
manage RP and user authentication, binding RP authentication with credential-based anonymous user authentication. This approach ensures user unlinkability while supporting RP authentication and allows RPs to continue using their existing verification
routines with identity tokens as in the ACF workflow. VeriSSO's design also supports lawful de-anonymization, ensuring user accountability for misbehavior during anonymity. Experimental evaluations of VeriSSO demonstrate its efficiency and practicality,
with authentication processes completed within 100 milliseconds.
## 2025/512
* Title: Optimizing AES-GCM on ARM Cortex-M4: A Fixslicing and FACE-Based Approach
* Authors: Hyunjun Kim, Hwajeong Seo
* [Permalink](
https://eprint.iacr.org/2025/512)
* [Download](
https://eprint.iacr.org/2025/512.pdf)
### Abstract
The Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) delivers both confidentiality and integrity yet poses performance and security challenges on resource-limited microcontrollers. In this paper, we present an optimized AES-GCM
implementation for the ARM Cortex-M4 that combines Fixslicing AES with the FACE (Fast AES-CTR Encryption) strategy, significantly reducing redundant computations in AES-CTR. We further examine two GHASH implementations—a 4-bit Table-based approach and
a Karatsuba-based constant-time variant—to balance speed, memory usage, and resistance to timing attacks. Our evaluations on an STM32F4 microcontroller show that Fixslicing+FACE reduces AES-128 GCTR cycle counts by up to 19.41\%, while the Table-based
GHASH achieves nearly double the speed of its Karatsuba counterpart. These results confirm that, with the right mix of bitslicing optimizations, counter-mode caching, and lightweight polynomial multiplication, secure and efficient AES-GCM can be attained
even on low-power embedded devices.
## 2025/513
* Title: Server-Aided Anonymous Credentials
* Authors: Rutchathon Chairattana-Apirom, Franklin Harding, Anna Lysyanskaya, Stefano Tessaro
* [Permalink](
https://eprint.iacr.org/2025/513)
* [Download](
https://eprint.iacr.org/2025/513.pdf)
### Abstract
This paper formalizes the notion of server-aided anonymous credentials (SAACs), a new model for anonymous credentials (ACs) where, in the process of showing a credential, the holder is helped by additional auxiliary information generated in an earlier (
anonymous) interaction with the issuer. This model enables lightweight instantiations of 'publicly verifiable and multi-use' ACs from pairing-free elliptic curves, which is important for compliance with existing national standards. A recent candidate for
the EU Digital Identity Wallet, BBS#, roughly adheres to the SAAC model we have developed; however, it lacks formal security definitions and proofs.
In this paper, we provide rigorous definitions of security for SAACs, and show how to realize SAACs from the weaker notion of keyed-verification ACs (KVACs) and special types of oblivious issuance protocols for zero-knowledge proofs. We instantiate this
paradigm to obtain two constructions: one achieves statistical anonymity with unforgeability under the Gap $q$-SDH assumption, and the other achieves computational anonymity and unforgeability under the DDH assumption.
## 2025/514
* Title: On Extractability of the KZG Family of Polynomial Commitment Schemes
* Authors: Juraj Belohorec, Pavel Dvořák, Charlotte Hoffmann, Pavel Hubáček, Kristýna Mašková, Martin Pastyřík
* [Permalink](
https://eprint.iacr.org/2025/514)
* [Download](
https://eprint.iacr.org/2025/514.pdf)
### Abstract
We present a unifying framework for proving the knowledge-soundness of KZG-like polynomial commitment schemes, encompassing both univariate and multivariate variants. By conceptualizing the proof technique of Lipmaa, Parisella, and Siim for the
univariate KZG scheme (EUROCRYPT 2024), we present tools and falsifiable hardness assumptions that permit black-box extraction of the multivariate KZG scheme. Central to our approach is the notion of a canonical Proof-of-Knowledge of a Polynomial (PoKoP)
of a polynomial commitment scheme, which we use to capture the extractability notion required in constructions of practical zk-SNARKs. We further present an explicit polynomial decomposition lemma for multivariate polynomials, enabling a more direct
analysis of interpolating extractors and bridging the gap between univariate and multivariate commitments. Our results provide the first standard-model proofs of extractability for the multivariate KZG scheme and many of its variants under falsifiable
assumptions.
## 2025/515
* Title: Compressed Sigma Protocols: New Model and Aggregation Techniques
* Authors: Yuxi Xue, Tianyu Zheng, Shang Gao, Bin Xiao, Man Ho Au
* [Permalink](
https://eprint.iacr.org/2025/515)
* [Download](
https://eprint.iacr.org/2025/515.pdf)
### Abstract
Sigma protocols ($\Sigma$-protocols) provide a foundational paradigm for constructing secure algorithms in privacy-preserving applications. To enhance efficiency, several extended models [BG18], [BBB+18], [AC20] incorporating various optimization
techniques have been proposed as ``replacements'' for the original $\Sigma$-protocol. However, these models often lack the expressiveness needed to handle complex relations and hinder designers from applying appropriate instantiation and optimization
strategies.
In this paper, we introduce a novel compressed $\Sigma$-protocol model that effectively addresses these limitations by providing concrete constructions for relations involving non-linear constraints. Our approach is sufficiently expressive to encompass a
wide range of relations. Central to our model is the definition of doubly folded commitments, which, along with a proposed Argument of Knowledge, generalizes the compression and amortization processes found in previous models. Despite the ability to
express more relations, this innovation also provides a foundation to discuss a general aggregation technique, optimizing the proof size of instantiated schemes.
To demonstrate the above statements, we provide a brief review of several existing protocols that can be instantiated using our model to demonstrate the versatility of our construction. We also present use cases where our generalized model enhances
applications traditionally considered ``less compact'', such as binary proofs [BCC+15] and $k$-out-of-$n$ proofs [ACF21]. In conclusion, our new model offers a more efficient and expressive alternative to the current use of $\Sigma$-protocols, paving the
way for broader applicability and optimization in cryptographic applications.
## 2025/516
* Title: Don't Use It Twice: Reloaded! On the Lattice Isomorphism Group Action * Authors: Alessandro Budroni, Jesús-Javier Chi-Domínguez, Ermes Franch
* [Permalink](
https://eprint.iacr.org/2025/516)
* [Download](
https://eprint.iacr.org/2025/516.pdf)
### Abstract
Group actions have emerged as a powerful framework in post-quantum cryptography, serving as the foundation for various cryptographic primitives. The Lattice Isomorphism Problem (LIP) has recently gained attention as a promising hardness assumption for
designing quantum-resistant protocols. Its formulation as a group action has opened the door to new cryptographic applications, including a commitment scheme and a linkable ring signature.
In this work, we analyze the security properties of the LIP group action and present new findings. Specifically, we demonstrate that it fails to satisfy the weak unpredictability and weak pseudorandomness properties when the adversary has access to as
few as three and two instances with the same secret, respectively. This significantly improves upon prior analysis by Budroni et al. (PQCrypto 2024).
As a direct consequence of our findings, we reveal a vulnerability in the linkable ring signature scheme proposed by Khuc et al. (SPACE 2024), demonstrating that the hardness assumption underlying the linkable anonymity property does not hold.
## 2025/517
* Title: Designated-Verifier SNARGs with One Group Element
* Authors: Gal Arnon, Jesko Dujmovic, Yuval Ishai
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)