## In this issue
1. [2025/375] Evasive LWE: Attacks, Variants & Obfustopia
2. [2025/443] Homomorphic Signature-based Witness Encryption and ...
3. [2025/537] Improved Framework of Related-key Differential ...
4. [2025/538] Efficient Proofs of Possession for Legacy Signatures
5. [2025/539] Aegis: Scalable Privacy-preserving CBDC Framework ...
6. [2025/540] Tangram: Encryption-friendly SNARK framework under ...
7. [2025/541] Physical Design-Aware Power Side-Channel Leakage ...
8. [2025/542] That’s AmorE: Amortized Efficiency for Pairing Delegation
9. [2025/543] Models of Kummer lines and Galois representations
10. [2025/544] Security Analysis of Covercrypt: A Quantum-Safe ...
11. [2025/545] Enhancing E-Voting with Multiparty Class Group ...
12. [2025/546] BugWhisperer: Fine-Tuning LLMs for SoC Hardware ...
13. [2025/547] Improved Cryptanalysis of FEA-1 and FEA-2 using ...
14. [2025/548] Breaking HuFu with 0 Leakage: A Side-Channel Analysis
15. [2025/549] Public Key Accumulators for Revocation of Non- ...
16. [2025/550] Exact Formula for RX-Differential Probability ...
17. [2025/551] ANARKey: A New Approach to (Socially) Recover Keys
18. [2025/552] Black Box Crypto is Useless for Doubly Efficient PIR
19. [2025/553] HIPR: Hardware IP Protection through Low-Overhead ...
20. [2025/554] Analyzing Group Chat Encryption in MLS, Session, ...
21. [2025/555] Strong Federated Authentication With Password-based ...
22. [2025/556] Private SCT Auditing, Revisited
23. [2025/557] Soloist: Distributed SNARKs for Rank-One Constraint ...
24. [2025/558] Breaking and Fixing Content-Defined Chunking
25. [2025/559] Is Your Bluetooth Chip Leaking Secrets via RF Signals?
26. [2025/560] Jump, It Is Easy: JumpReLU Activation Function in ...
27. [2025/561] ThreatLens: LLM-guided Threat Modeling and Test ...
28. [2025/562] Analysis of One Certificateless Authentication and ...
29. [2025/563] An Optimized Instantiation of Post-Quantum MQTT ...
30. [2025/564] Combined Masking and Shuffling for Side-Channel ...
31. [2025/565] Attacking soundness for an optimization of the ...
32. [2025/566] Cryptanalysis of Fruit-F: Exploiting Key-Derivation ...
33. [2025/567] Starfish: A high throughput BFT protocol on ...
34. [2025/568] An in-depth security evaluation of the Nintendo DSi ...
## 2025/375
* Title: Evasive LWE: Attacks, Variants & Obfustopia
* Authors: Shweta Agrawal, Anuja Modi, Anshu Yadav, Shota Yamada
* [Permalink](
https://eprint.iacr.org/2025/375)
* [Download](
https://eprint.iacr.org/2025/375.pdf)
### Abstract
Evasive LWE (Wee, Eurocrypt 2022 and Tsabary, Crypto 2022) is a recently introduced, popular lattice assumption which has been used to tackle long-standing problems in lattice based cryptography. In this work, we develop new counter-examples against
Evasive LWE, in both the private and public-coin regime, propose counter-measures that define safety zones, and finally explore modifications to construct full compact FE/iO.
Attacks: Our attacks are summarized as follows.
- The recent work by Hseih, Lin and Luo [HLL23] constructed the first ABE for unbounded depth circuits by relying on the (public coin) ''circular'' evasive LWE assumption, which incorporates circularity into the Evasive LWE assumption. We provide a
new attack against this assumption by exhibiting a sampler such that the pre-condition is true but post-condition is false.
- We demonstrate a counter-example against public-coin evasive LWE which exploits the freedom to choose the error distributions in the pre and post conditions. Our attack crucially relies on the error in the pre-condition being larger than the error
in the post-condition.
- The recent work by Agrawal, Kumari and Yamada [AKY24a] constructed the first functional encryption scheme for pseudorandom functionalities ($\mathsf{prFE}$) and extended this to obfuscation for pseudorandom functionalities ($\mathsf{prIO}$) [AKY24c]
by relying on private-coin evasive LWE. We provide a new attack against the stated assumption.
- The recent work by Branco et al. [BDJ+24] (concurrently to [AKY24c]) provides a construction of obfuscation for pseudorandom functionalities by relying on private-coin evasive LWE. By adapting the counter-example against [AKY24a], we provide an
attack against this assumption.
- Branco et al. [BDJ+24] showed that there exist contrived, somehow ''self-referential'', classes of pseudorandom functionalities for which pseudorandom obfuscation cannot exist. We develop an analogous result to the setting of pseudorandom
functional encryption.
While Evasive LWE was developed to specifically avoid zeroizing attacks as discussed above, our attacks show that in some (contrived) settings, the adversary may nevertheless obtain terms in the zeroizing regime.
Counter-measures: Guided by the learning distilled from the above attacks, we develop counter-measures to prevent against them. Our interpretation of the above attacks is that Evasive LWE, as defined, is too general -- we suggest restrictions to identify
safe zones for the assumption, using which, the broken applications can be recovered.
Variants to give full FE and iO: Finally, we show that certain modifications of Evasive LWE, which respect the counter-measures developed above, yield full compact FE in the standard model. We caution that the main goal of presenting these candidates is
as goals for cryptanalysis to further our understanding of this regime of assumptions.
## 2025/443
* Title: Homomorphic Signature-based Witness Encryption and Applications
* Authors: Alireza Kavousi, István András Seres
* [Permalink](
https://eprint.iacr.org/2025/443)
* [Download](
https://eprint.iacr.org/2025/443.pdf)
### Abstract
Practical signature-based witness encryption (SWE) schemes recently emerged as a viable alternative to instantiate timed-release cryptography in the honest majority setting. In particular, assuming threshold trust in a set of parties that release
signatures at a specified time, one can ``encrypt to the future'' using an SWE scheme. Applications of SWE schemes include voting, auctions, distributed randomness beacons, and more. However, the lack of homomorphism in existing SWE schemes reduces
efficiency and hinders deployment. In this work, we introduce the notion of homomorphic SWE (HSWE) to improve the practicality of timed-release encryption schemes. We show one can build HSWE using a pair of encryption and signature schemes where the
uniqueness of the signature is required when the encryption scheme relies on injective one-way functions. We then build three HSWE schemes in various settings using BLS, RSA, and Rabin signatures and show how to achieve a privacy-preserving variant that
only allows extracting the homomorphically aggregated result while keeping the individual plaintexts confidential
## 2025/537
* Title: Improved Framework of Related-key Differential Neural Distinguisher and Applications to the Standard Ciphers
* Authors: Rui-Tao Su, Jiong-Jiong Ren, Shao-Zhen Chen
* [Permalink](
https://eprint.iacr.org/2025/537)
* [Download](
https://eprint.iacr.org/2025/537.pdf)
### Abstract
In recent years, the integration of deep learning with differential cryptanalysis has led to differential neural cryptanalysis, enabling efficient data-driven security evaluation of modern cryptographic algorithms. Compared to traditional differential
cryptanalysis, differential neural cryptanalysis enhances the efficiency and automation of the analysis by training neural networks to automatically extract statistical features from ciphertext pairs. As research advances, neural distinguisher
construction faces challenges due to the absence of a unified framework capable of cross-algorithm generalization and feature optimization. There's no systematic way to build a framework from data formats and network architectures, which limits their
scalability across diverse ciphers and and their suitability for combining different cryptanalysis methods. While neural network training is data-driven, we lack interpretable explanations for the quality of differentially generated datasets. Therefore,
there is an urgent need to combine cryptographic theory with data analysis methods to systematically evaluate dataset quality.
This paper proposes a novel framework for constructing related-key neural differential distinguishers that integrates three core innovations: (1) multi-ciphertext multi-difference formats to enhance dataset diversity and feature coverage, (2) structural
filtering for prioritizing high-probability differential paths aligned with cryptographic architectures, and (3) Deep Residual Shrinkage Network (DRSN) with adaptive thresholding to suppress noise and amplify critical differential features. By applying
this framework to two standardized algorithms DES and PRESENT, our results demonstrate significant advancements. For DES, the framework achieves an 8-round related-key neural distinguisher and improves 6/7-round distinguisher accuracy by over 40%. For
PRESENT, we construct the first 9-round related-key neural distinguisher, which outperforms existing neutral distinguishers in both round coverage and accuracy. Additionally, we employ kernel principal component analysis (KPCA) and K-means clustering to
evaluate the quality of differential datasets for DES and PRESENT, revealing that clustering compactness strongly correlates with distinguisher performance. Furthermore, we propose a validation algorithm to verify differential combinations with
cryptographic advantages from a machine learning perspective, identifying ‘good’ plaintext-key differential combinations. We apply this approach to the SIMECK algorithm, demonstrating its broad applicability. These findings validate the framework’s
effectiveness in bridging cryptographic analysis with data-driven feature extraction and offer new insights for automated security evaluation of block ciphers.
## 2025/538
* Title: Efficient Proofs of Possession for Legacy Signatures
* Authors: Anna P. Y. Woo, Alex Ozdemir, Chad Sharp, Thomas Pornin, Paul Grubbs * [Permalink](
https://eprint.iacr.org/2025/538)
* [Download](
https://eprint.iacr.org/2025/538.pdf)
### Abstract
Digital signatures underpin identity, authenticity, and trust in modern computer systems. Cryptography research has shown that it is possible to prove possession of a valid message and signature for some public key, without revealing the message or
signature. These proofs of possession work only for specially-designed signature schemes. Though these proofs of possession have many useful applications to improving security, privacy, and anonymity, they are not currently usable for widely deployed,
legacy signature schemes such as RSA, ECDSA, and Ed25519. Unlocking practical proofs of possession for these legacy signature schemes requires closing a huge efficiency gap.
This work brings proofs of possession for legacy signature schemes very close to practicality. Our design strategy is to encode the signature's verification algorithm as a rank-one constraint system (R1CS), then use a zkSNARK to prove knowledge of a
solution. To do this efficiently we (1) design and analyze a new zkSNARK called Dorian that supports randomized computations, (2) introduce several new techniques for encoding hashes, elliptic curve operations, and modular arithmetic, (3) give a new
approach that allows performing the most expensive parts of ECDSA and Ed25519 verifications outside R1CS, and (4) generate a novel elliptic curve that allows expressing Ed25519 curve operations very efficiently. Our techniques reduce R1CS sizes by up to
200$\times$ and prover times by 3-22$\times$.
We can generate a 240-byte proof of possession of an RSA signature over a message the size of a typical TLS certificate (two kilobytes) in only three seconds.
## 2025/539
* Title: Aegis: Scalable Privacy-preserving CBDC Framework with Dynamic Proof of Liabilities
* Authors: Gweonho Jeong, Jaewoong Lee, Minhae Kim, Byeongkyu Han, Jihye Kim, Hyunok Oh
* [Permalink](
https://eprint.iacr.org/2025/539)
* [Download](
https://eprint.iacr.org/2025/539.pdf)
### Abstract
Blockchain advancements, currency digitalization, and declining cash usage have fueled global interest in Central Bank Digital Currencies (CBDCs). The BIS states that the hybrid model, where central banks authorize intermediaries to manage distribution,
is more suitable than the direct model. However, designing a CBDC for practical implementation requires careful consideration. First, the public blockchain raises privacy concerns due to transparency. While zk-SNARKs can be a solution, they can introduce
significant proof generation overhead for large-scale transactions. Second, intermediaries that provide user-facing services on behalf of the central bank commonly performs Proof of Liabilities on customers' static liabilities. However, in real-world
scenarios where user liabilities can arbitrarily increase or decrease, the static nature poses such as window attacks.
In this paper, we propose a new smart contract-based privacy-preserving CBDC framework based on zk-SNARKs, called $\textbf{Aegis}$. our framework introduces a transaction batching technique to enhance scalability and defines a new dynamic PoL which is
near-real time. We formally define the security models for our system and provide rigorous security proofs to demonstrate its robustness. To evaluate the system’s performance, we instantiate our proposed framework and measure its efficiency. The result
indicates that, the end-to-end process, including proof generation for 512 transactions, takes approximately 2.8 seconds, with a gas consumption of 74,726 per user.
## 2025/540
* Title: Tangram: Encryption-friendly SNARK framework under Pedersen committed engines
* Authors: Gweonho Jeong, Myeongkyun Moon, Geonho Yoon, Hyunok Oh, Jihye Kim
* [Permalink](
https://eprint.iacr.org/2025/540)
* [Download](
https://eprint.iacr.org/2025/540.pdf)
### Abstract
SNARKs are frequently used to prove encryption, yet the circuit size often becomes large due to the intricate operations inherent in encryption. It entails considerable computational overhead for a prover and can also lead to an increase in the size of
the public parameters (e.g., evaluation key).
We propose an encryption-friendly SNARK framework, $\textsf{Tangram}$, which allows anyone to construct a system by using their desired encryption and proof system.
Our approach revises existing encryption schemes to produce Pedersen-like ciphertext, including identity-based, hierarchical identity-based, and attribute-based encryption.
Afterward, to prove the knowledge of the encryption, we utilize a modular manner of commit-and-prove SNARKs, which uses commitment as a `bridge'.
With our framework, one can prove encryption significantly faster than proving the whole encryption within the circuit.
We implement various $\textsf{Tangram}$ gadgets and evaluate their performance. Our results show 12x - 3500x times better performance than encryption-in-the-circuit.
## 2025/541
* Title: Physical Design-Aware Power Side-Channel Leakage Assessment Framework using Deep Learning
* Authors: Dipayan Saha, Jingbo Zhou, Farimah Farahmandi
* [Permalink](
https://eprint.iacr.org/2025/541)
* [Download](
https://eprint.iacr.org/2025/541.pdf)
### Abstract
Power side-channel (PSC) vulnerabilities present formidable challenges to the security of ubiquitous microelectronic devices in mission-critical infrastructure. Existing side-channel assessment techniques mostly focus on post-silicon stages by analyzing
power profiles of fabricated devices, suffering from low flexibility and prohibitively high cost while deploying security countermeasures. While pre-silicon PSC assessments offer flexibility and low cost, the true nature of the power signatures cannot be
fully captured through RTL or gate-level design. Although physical design-level analysis provides precise power traces, collecting data is time and resource-consuming at the layout level. To address this challenge, we propose, for the first time, a fast
and efficient physical design-level PSC assessment framework using a graph neural network (GNN). This framework predicts dynamic power traces for new layouts, using them to assess physical design security through metrics evaluation. Our experiments on
AES-GF layout implementations achieve a tremendous 133 times speedup compared to conventional simulation-based flow without sacrificing substantial accuracy.
## 2025/542
* Title: That’s AmorE: Amortized Efficiency for Pairing Delegation
* Authors: Adrian Perez Keilty, Diego F. Aranha, Elena Pagnin, Francisco Rodríguez-Henríquez
* [Permalink](
https://eprint.iacr.org/2025/542)
* [Download](
https://eprint.iacr.org/2025/542.pdf)
### Abstract
Over two decades since their introduction in 2005, all major verifiable pairing delegation protocols for public inputs have been designed to ensure information-theoretic security. However, we note that a delegation protocol involving only ephemeral
secret keys in the public view can achieve everlasting security, provided the server is unable to produce a pairing forgery within the protocol’s execution time. Thus, computationally bounding the adversary’s capabilities during the protocol’s
execution, rather than across its entire lifespan, may be more reasonable, especially when the goal is to achieve significant efficiency gains for the delegating party. This consideration is particularly relevant given the continuously evolving
computational costs associated with pairing computations and their ancillary blocks, which creates an ever-changing landscape for what constitutes efficiency in pairing delegation protocols.
With the goal of fulfilling both efficiency and everlasting security, we present AmorE, a protocol equipped with an adjustable security and efficiency parameter for sequential pairing delegation, which achieves state-of-the-art amortized efficiency in
terms of the number of pairing computations. For example, delegating batches of 10 pairings on the BLS48-575 elliptic curve via our protocol costs to the client, on average, less than a single scalar multiplication in G2 per delegated pairing, while
still ensuring at least 40 bits of statistical security.
## 2025/543
* Title: Models of Kummer lines and Galois representations
* Authors: Razvan Barbulescu, Damien Robert, Nicolas Sarkis
* [Permalink](
https://eprint.iacr.org/2025/543)
* [Download](
https://eprint.iacr.org/2025/543.pdf)
### Abstract
In order to compute a multiple of a point on an elliptic curve in Weierstrass form one can use formulas in only one of the two coordinates of the points. These $x$-only formulas can be seen as an arithmetic on the Kummer line associated to the curve.
In this paper, we look at models of Kummer lines, and define an intrinsic notion of isomorphisms of Kummer lines. This allows us to give conversion formulas between Kummer models in a unified manner. When there is one rational point $T$ of $2$-torsion on
the curve, we also use Mumford's theory of theta groups to show that there are two type of models: the “symmetric” ones with respect to $T$ and the “anti-symmetric“ ones. We show how this recovers the Montgomery model and various variants of the
theta model.
We also classify when curves admit these different models via Galois representations and modular curves. When an elliptic curve is viewed inside a $2$-isogeny volcano, we give a criteria to say if it has a given Kummer model based solely on its position
in the volcano. We also give applications to the ECM factorization algorithm.
## 2025/544
* Title: Security Analysis of Covercrypt: A Quantum-Safe Hybrid Key Encapsulation Mechanism for Hidden Access Policies
* Authors: Théophile Brézot, Chloé Hébant, Paola de Perthuis, David Pointcheval
* [Permalink](
https://eprint.iacr.org/2025/544)
* [Download](
https://eprint.iacr.org/2025/544.pdf)
### Abstract
The ETSI Technical Specification 104 015 proposes a framework to build Key Encapsulation Mechanisms (KEMs) with access policies and attributes, in the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) vein. Several security guarantees and
functionalities are claimed, such as pre-quantum and post-quantum hybridization to achieve security against Chosen-Ciphertext Attacks (CCA), anonymity, and traceability.
In this paper, we present a formal security analysis of a more generic construction, with application to the specific Covercrypt scheme, based on the pre-quantum ECDH and the post-quantum ML-KEM KEMs. We additionally provide an open-source library that
implements the ETSI standard, in Rust, with high effiency.
## 2025/545
* Title: Enhancing E-Voting with Multiparty Class Group Encryption
* Authors: Michele Battagliola, Giuseppe D'Alconzo, Andrea Gangemi, Chiara Spadafora
* [Permalink](
https://eprint.iacr.org/2025/545)
* [Download](
https://eprint.iacr.org/2025/545.pdf)
### Abstract
CHide is one of the most prominent e-voting protocols, which, while combining security and efficiency, suffers from having very long encrypted credentials.
In this paper, starting from CHide, we propose a new protocol, based on multiparty Class Group Encryption (CGE) instead of discrete logarithm cryptography over known order groups, achieving a computational complexity of $O(nr)$, for $n$ votes and $r$
voters, and using a single MixNet. The homomorphic properties of CGE allow for more compact credentials while maintaining the same level of security at the cost of a small slowdown in efficiency.
## 2025/546
* Title: BugWhisperer: Fine-Tuning LLMs for SoC Hardware Vulnerability Detection
* Authors: Shams Tarek, Dipayan Saha, Sujan Kumar Saha, Farimah Farahmandi
* [Permalink](
https://eprint.iacr.org/2025/546)
* [Download](
https://eprint.iacr.org/2025/546.pdf)
### Abstract
The current landscape of system-on-chips (SoCs) security verification faces challenges due to manual, labor-intensive, and inflexible methodologies. These issues limit the scalability and effectiveness of security protocols, making bug detection at the
Register-Transfer Level (RTL) difficult. This paper proposes a new framework named BugWhisperer that utilizes a specialized, fine-tuned Large Language Model (LLM) to address these challenges. By enhancing the LLM's hardware security knowledge and
leveraging its capabilities for text inference and knowledge transfer, this approach automates and improves the adaptability and reusability of the verification process. We introduce an open-source, fine-tuned LLM specifically designed for detecting
security vulnerabilities in SoC designs. Our findings demonstrate that this tailored LLM effectively enhances the efficiency and flexibility of the security verification process. Additionally, we introduce a comprehensive hardware vulnerability database
that supports this work and will further assist the research community in enhancing the security verification process.
## 2025/547
* Title: Improved Cryptanalysis of FEA-1 and FEA-2 using Square Attacks
* Authors: Abhishek Kumar, Amit Kumar Chauhan, Somitra Kumar Sanadhya
* [Permalink](
https://eprint.iacr.org/2025/547)
* [Download](
https://eprint.iacr.org/2025/547.pdf)
### Abstract
This paper presents a security analysis of the South Korean Format-Preserving Encryption (FPE) standards FEA-1 and FEA-2. In 2023, Chauhan \textit{et al.} presented the first third-party analysis of FEA-1 and FEA-2 against the square attack. The authors
proposed new distinguishing attacks covering up to three rounds of FEA-1 and five rounds of FEA-2, with a data complexity of $2^8$ plaintexts. Additionally, using these distinguishers, they presented key recovery attacks for four rounds of FEA-1 and six
rounds of FEA-2, for 192-bit and 256-bit key sizes. The complexities of both the four-round FEA-1 and six-round FEA-2 key recovery attacks are $2^{137.6}$. \\
In this work, we successfully extend the number of rounds attacked for both FEA-1 and FEA-2, using the square attack technique. Specifically, we present a four-round distinguishing attack against FEA-1 and six-round distinguishing attack against FEA-2.
The data complexities of these distinguishers are $2^{64}$ plaintexts. Furthermore, we apply these distinguishers to perform key recovery attacks on five rounds of FEA-1 and seven rounds of FEA-2, targeting the 256-bit key size. The time complexities of
the presented key recovery attacks are $2^{193.6}$.
## 2025/548
* Title: Breaking HuFu with 0 Leakage: A Side-Channel Analysis
* Authors: Julien Devevey, Morgane Guerreau, Thomas Legavre, Ange Martinelli, Thomas Ricosset
* [Permalink](
https://eprint.iacr.org/2025/548)
* [Download](
https://eprint.iacr.org/2025/548.pdf)
### Abstract
HuFu is an unstructured lattice-based signature scheme proposed during the NIST PQC standardization process. In this work, we present a side-channel analysis of HuFu's reference implementation.
We first exploit the multiplications involving its two main secret matrices, recovering approximately half of their entries through a non-profiled power analysis with a few hundred traces. Using these coefficients, we reduce the dimension of the
underlying LWE problem, enabling full secret key recovery with calls to a small block-sized BKZ.
To mitigate this attack, we propose a countermeasure that replaces sensitive computations involving a secret matrix with equivalent operations derived solely from public elements, eliminating approximately half of the identified leakage and rendering the
attack unfeasible.
Finally, we perform a non-profiled power analysis targeting HuFu's Gaussian sampling procedure, recovering around 75\% of the remaining secret matrix's entries in a few hundred traces. While full key recovery remains computationally intensive, we
demonstrate that partial knowledge of the secret significantly improves the efficiency of signature forgery.
## 2025/549
* Title: Public Key Accumulators for Revocation of Non-Anonymous Credentials
* Authors: Andrea Flamini, Silvio Ranise, Giada Sciarretta, Mario Scuro, Nicola Smaniotto, Alessandro Tomasi
* [Permalink](
https://eprint.iacr.org/2025/549)
* [Download](
https://eprint.iacr.org/2025/549.pdf)
### Abstract
Digital identity wallets allow citizens to prove who they are and manage digital documents, called credentials, such as mobile driving licenses or passports. As with physical documents, secure and privacy-preserving management of the credential lifecycle
is crucial: a credential can change its status from issued to valid, revoked or expired. In this paper, we focus on the analysis of cryptographic accumulators as a revocation scheme for digital identity wallet credentials. We describe the most well-
established public key accumulators, and how zero-knowledge proofs can be used with accumulators for revocation of non-anonymous credentials. In addition, we assess the computational and communication costs analytically and experimentally. Our results
show that they are comparable with existing schemes used in the context of certificate revocation.
## 2025/550
* Title: Exact Formula for RX-Differential Probability through Modular Addition for All Rotations
* Authors: Alex Biryukov, Baptiste Lambin, Aleksei Udovenko
* [Permalink](
https://eprint.iacr.org/2025/550)
* [Download](
https://eprint.iacr.org/2025/550.pdf)
### Abstract
This work presents an exact and compact formula for the probability of rotation-xor differentials (RX-differentials) through modular addition, for arbitrary rotation amounts, which has been a long-standing open problem. The formula comes with a rigorous
proof and is also verified by extensive experiments.
Our formula uncovers error in a recent work from 2022 proposing a formula for rotation amounts bigger than 1. Surprisingly, it also affects correctness of the more studied and used formula for the rotation amount equal to 1 (from TOSC 2016). Specifically,
it uncovers rare cases where the assumptions of this formula do not hold. Correct formula for arbitrary rotations now opens up a larger search space where one can often find better trails.
For applications, we propose automated mixed integer linear programming (MILP) modeling techniques for searching optimal RX-trails based on our exact formula. They are consequently applied to several ARX designs, including Salsa, Alzette and a small-key
variant of Speck, and yield many new RX-differential distinguishers, some of them based on provably optimal trails. In order to showcase the relevance of the RX-differential analysis, we also design Malzette, a 12-round Alzette-based permutation with
maliciously chosen constants, which has a practical RX-differential distinguisher, while standard differential/linear security arguments suggest sufficient security.
## 2025/551
* Title: ANARKey: A New Approach to (Socially) Recover Keys
* Authors: Aniket Kate, Pratyay Mukherjee, Hamza Saleem, Pratik Sarkar, Bhaskar Roberts
* [Permalink](
https://eprint.iacr.org/2025/551)
* [Download](
https://eprint.iacr.org/2025/551.pdf)
### Abstract
In a social key recovery scheme, users back up their secret keys (typically using Shamir's secret sharing) with their social connections, known as a set of guardians. This places a heavy burden on the guardians, as they must manage their shares both
securely and reliably. Finding and managing such a set of guardians may not be easy, especially when the consequences of losing a key are significant.
We take an alternative approach of social recovery within a community, where each member already holds a secret key (with possibly an associated public key) and uses other community members as their guardians forming a mutual dependency among themselves.
Potentially, each member acts as a guardian for upto $(n-1)$ other community members. Therefore, in this setting, using standard Shamir's sharing leads to a linear ($O(n)$) blow-up in the internal secret storage of the guardian for each key recovery.
Our solution avoids this linear blowup in internal secret storage by relying on a novel secret-sharing scheme, leveraging the fact that each member already manages a secret key. In fact, our scheme does not require guardians to store anything beyond
their own secret keys.
We propose the first formal definition of a social key recovery scheme for general access structures in the community setting. We prove that our scheme is secure against any malicious and adaptive adversary that may corrupt up to $t$ parties. As a main
technical tool, we use a new notion of secret sharing, that enables $(t+1)$ out of $n$ sharing of a secret even when the shares are generated independently -- we formalize this as bottom-up secret sharing (BUSS), which may be of independent interest.
Finally, we provide an implementation benchmarking varying the number of guardians both in a regional, and geo-distributed setting. For instance, for 8 guardians, our backup protocol takes around 146-149 ms in a geo-distributed WAN setting, and 4.9-5.9
ms in the LAN setting; for recovery protocol, the timings are approximately the same for the WAN setting (as network latency dominates), and 1.2-1.4 ms for the LAN setting.
## 2025/552
* Title: Black Box Crypto is Useless for Doubly Efficient PIR
* Authors: Wei-Kai Lin, Ethan Mook, Daniel Wichs
* [Permalink](
https://eprint.iacr.org/2025/552)
* [Download](
https://eprint.iacr.org/2025/552.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)