[continued from previous message]
A (single server) private information retrieval (PIR) allows a client to read data from a public database held on a remote server, without revealing to the server which locations she is reading. In a doubly efficient PIR (DEPIR), the database is first
preprocessed offline into a data structure, which then allows the server to answer any client query efficiently in sub-linear online time. Constructing DEPIR is a notoriously difficult problem, and this difficulty even extends to a weaker notion secret-
key DEPIR (SK-DEPIR), where the database is preprocessed using secret randomness and the client is given a secret key for making queries. We currently only have constructions of SK-DEPIR from the Ring LWE assumption or from non-standard code-based
assumptions.
We show that the black-box use of essentially all generic cryptographic primitives (e.g., key agreement, oblivious transfer, indistinguishability obfuscation, etc.), including idealized primitives (e.g., random oracles, generic multilinear groups,
virtual black-box obfuscation, etc.) is essentially useless for constructing SK-DEPIR. In particular, in any such SK-DEPIR construction, we can replace all black-box use of these primitives with just a black-box use of one-way functions. While we
conjecture that SK-DEPIR cannot be constructed using black-box one-way functions alone, we are unable to show this in its full generality. However, we do show this for 2-round schemes with a passive server that simply outputs requested locations in the
preprocessed data structure, which is the format of all known schemes. Overall, this shows that the black-box use of essentially all crypto primitives is insufficient for constructing 2-round passive-server SK-DEPIR, and does not provide any benefit
beyond black-box one-way functions for constructing general SK-DEPIR.
## 2025/553
* Title: HIPR: Hardware IP Protection through Low-Overhead Fine-Grain Redaction * Authors: Aritra Dasgupta, Sudipta Paria, Swarup Bhunia
* [Permalink](
https://eprint.iacr.org/2025/553)
* [Download](
https://eprint.iacr.org/2025/553.pdf)
### Abstract
Hardware IP blocks have been subjected to various forms of confidentiality and integrity attacks in recent years due to the globalization of the semiconductor industry. System-on-chip (SoC) designers are now considering a zero-trust model for security,
where an IP can be attacked at any stage of the manufacturing process for piracy, cloning, overproduction, or malicious alterations. Hardware redaction has emerged as a promising countermeasure to thwart confidentiality and integrity attacks by untrusted
entities in the globally distributed supply chain. However, existing redaction techniques provide this security at high overhead costs, making them unsuitable for real-world implementation. In this paper, we propose HIPR, a fine-grain redaction
methodology that is robust, scalable, and incurs significantly lower overhead compared to existing redaction techniques. HIPR redacts security-critical Boolean and sequential logic from the hardware design, performs interconnect randomization, and
employs multiple overhead optimization steps to reduce overhead costs. We evaluate HIPR on open-source benchmarks and reduce area overheads by 1 to 2 orders of magnitude compared to state-of-the-art redaction techniques without compromising security. We
also demonstrate that the redaction performed by HIPR is resilient against conventional functional and structural attacks on hardware IPs. The redacted test IPs used to evaluate HIPR are available at:
https://github.com/UF-Nelms-IoT-Git-Projects/HIPR.
## 2025/554
* Title: Analyzing Group Chat Encryption in MLS, Session, Signal, and Matrix
* Authors: Joseph Jaeger, Akshaya Kumar
* [Permalink](
https://eprint.iacr.org/2025/554)
* [Download](
https://eprint.iacr.org/2025/554.pdf)
### Abstract
We analyze the composition of symmetric encryption and digital signatures in secure group messaging protocols where group members share a symmetric encryption key. In particular, we analyze the chat encryption algorithms underlying MLS, Session, Signal,
and Matrix using the formalism of symmetric signcryption introduced by Jaeger, Kumar, and Stepanovs (Eurocrypt 2024). We identify theoretical attacks against each of the constructions we analyze that result from the insufficient binding between the
symmetric encryption scheme and the digital signature scheme. In the case of MLS and Session, these translate into practically exploitable replay and reordering attacks by a group-insider. For Signal this leads to a forgery attack by a group-outsider
with access to a user’s signing key, an attack previously discovered by Balbás, Collins, and Gajland (Asiacrypt 2023). In Matrix there are mitigations in the broader ecosystem that prevent exploitation. We provide formal security theorems that each of
the four constructions are secure up to these attacks. Additionally, in Session we identified two attacks outside the symmetric signcryption model. The first allows a group-outsider with access to an exposed signing key to forge arbitrary messages and
the second allows outsiders to replay ciphertexts.
## 2025/555
* Title: Strong Federated Authentication With Password-based Credential Against Identity Server Corruption
* Authors: Changsong Jiang, Chunxiang Xu, Guomin Yang, Li Duan, Jing Wang
* [Permalink](
https://eprint.iacr.org/2025/555)
* [Download](
https://eprint.iacr.org/2025/555.pdf)
### Abstract
We initiate the study of strong federated authentication with password-based credential against identity server corruption (SaPBC). We provide a refined formal security model, which captures all the necessary security properties in registration,
authentication, and session key establishment between a user and an application server. The new model with fine-grained information leakage separates the leakage of password-related files and long-term secrets (including passwords and credentials).
Moreover, we present two SaPBC protocols constructed from efficient cryptographic primitives for these corruption scenarios. In addition to rigorous security proofs, we also conduct comprehensive performance evaluation of the two protocols.
## 2025/556
* Title: Private SCT Auditing, Revisited
* Authors: Lena Heimberger, Christopher Patton, Bas Westerbaan
* [Permalink](
https://eprint.iacr.org/2025/556)
* [Download](
https://eprint.iacr.org/2025/556.pdf)
### Abstract
In order for a client to securely connect to a server on the web, the client must trust certificate authorities (CAs) only to issue certificates to the legitimate operator of the server. If a certificate is miss-issued, it is possible for an attacker to
impersonate the server to the client. The goal of Certificate Transparency (CT) is to log every certificate issued in a manner that allows anyone to audit the logs for miss-issuance. A client can even audit a CT log itself, but this would leak sensitive
browsing data to the log operator. As a result, client-side audits are rare in practice.
In this work, we revisit private CT auditing from a real-world perspective. Our study is motivated by recent changes to the CT ecosystem and advancements in Private Information Retrieval (PIR). First, we find that checking for inclusion of Signed
Certificate Timestamps (SCTs) in a log — the audit performed by clients — is now possible with PIR in under a second and under 100kb of communication with minor adjustments to the protocol that have been proposed previously. Our results also show how
to scale audits by using existing batching techniques and the algebraic structure of the PIR protocols, in particular to obtain certificate hashes by included in the log.
Since PIR protocols are more performant with smaller databases, we also suggest a number of strategies to lower the size of the SCT database for audits. Our key observation is that the web will likely transition to a new model for certificate issuance.
While this transition is primarily motivated by the need to adapt the PKI to larger, post-quantum signature schemes, it also removes the need for SCT audits in most cases. We present the first estimates of how this transition may impact SCT auditing,
based on data gathered from public CT logs. We find that large scale deployment of the new issuance model may reduce the number of SCT audits needed by a factor of 1,000, making PIR-based auditing practical to deploy.
## 2025/557
* Title: Soloist: Distributed SNARKs for Rank-One Constraint System
* Authors: Weihan Li, Zongyang Zhang, Yun Li, Pengfei Zhu, Cheng Hong, Jianwei Liu
* [Permalink](
https://eprint.iacr.org/2025/557)
* [Download](
https://eprint.iacr.org/2025/557.pdf)
### Abstract
Distributed SNARKs enable multiple provers to collaboratively generate proofs, enhancing the efficiency and scalability of large-scale computations. The state-of-the-art distributed SNARK for Plonk, Pianist (S\&P '24), achieves constant proof size,
constant amortized communication complexity, and constant verifier complexity. However, when proving the Rank-One Constraint System (R1CS), a widely used intermediate representation for SNARKs, Pianist must perform the transformation from R1CS into Plonk
before proving, which can introduce a start-up cost of $10\times$ due to the expansion of the statement size. Meanwhile, existing distributed SNARKs for R1CS, e.g., DIZK (USENIX Sec. '18) and Hekaton (CCS '24), fail to match the superior asymptotic
complexities of Pianist.
We propose $\textsf{Soloist}$, an optimized distributed SNARK for R1CS. $\textsf{Soloist}$ achieves constant proof size, constant amortized communication complexity, and constant verifier complexity, relative to the R1CS size $n$. Utilized with $\ell$
sub-provers, its prover complexity is $O(n/\ell \cdot \log(n/\ell))$. The concrete prover time is~$\ell\times$ as fast as the R1CS-targeted Marlin (Eurocrypt '20). For zkRollups, $\textsf{Soloist}$ can prove more transactions, with $2.5 \times$ smaller
memory costs, $2.8\times$ faster preprocessing, and $1.8\times$ faster proving than Pianist.
$\textsf{Soloist}$ leverages an improved inner product argument and a new batch bivariate polynomial commitment variant of KZG (Asiacrypt '10). To achieve constant verification, we propose a new preprocessing method with a lookup argument for
unprescribed tables, which are usually assumed pre-committed in prior works. Notably, all these schemes are equipped with scalable distributed mechanisms.
## 2025/558
* Title: Breaking and Fixing Content-Defined Chunking
* Authors: Kien Tuong Truong, Simon-Philipp Merz, Matteo Scarlata, Felix Günther, Kenneth G. Paterson
* [Permalink](
https://eprint.iacr.org/2025/558)
* [Download](
https://eprint.iacr.org/2025/558.pdf)
### Abstract
Content-defined chunking (CDC) algorithms split streams of data into smaller blocks, called chunks, in a way that preserves chunk boundaries when the data is partially changed. CDC is ubiquitous in applications that deduplicate data such as backup
solutions, software patching systems, and file hosting platforms. Much like compression, CDC can introduce leakage when combined with encryption: fingerprinting attacks can exploit chunk length patterns to infer information about the data.
To address these risks, many systems—mainly in the cloud backup setting—have developed bespoke mitigations by mixing a cryptographic key into the chunking process. We study these keyed CDC (KCDC) schemes “in the wild”, presenting efficient key
recovery attacks against five different KCDC schemes, deployed in the backup solutions Borg, Bupstash, Duplicacy, Restic, and Tarsnap. Our attacks are in a realistic threat model that relies only on weak known or chosen-plaintext capabilities. This shows,
in particular, that they fail to protect against fingerprinting attacks. To demonstrate practical exploitability, we also present “end-to-end” attacks on three complete encrypted backup applications, namely Borg, Restic and Tarsnap. These build on
our attacks on the underlying KCDC schemes.
In an effort to tackle these problems, we introduce the first formal treatment for KCDC schemes and propose a provably secure construction that fulfills a strong notion of security. We benchmark our construction against existing (broken) approaches,
showing that it has competitive performance. In doing so, we take a step towards making real-world systems that rely on KCDC more resilient to attacks.
## 2025/559
* Title: Is Your Bluetooth Chip Leaking Secrets via RF Signals?
* Authors: Yanning Ji, Elena Dubrova, Ruize Wang
* [Permalink](
https://eprint.iacr.org/2025/559)
* [Download](
https://eprint.iacr.org/2025/559.pdf)
### Abstract
In this paper, we present a side-channel attack on the hardware AES accelerator of a Bluetooth chip used in millions of devices worldwide, ranging from wearables and smart home products to industrial IoT. The attack leverages information about AES
computations unintentionally transmitted by the chip together with RF signals to recover the encryption key. Unlike traditional side-channel attacks that rely on power or near-field electromagnetic emissions as sources of information, RF-based attacks
leave no evidence of tampering, as they do not require package removal, chip decapsulation, or additional soldered components. However, side-channel emissions extracted from RF signals are considerably weaker and noisier, necessitating more traces for
key recovery. The presented profiled machine learning-assisted attack can recover the full encryption key from 90,000 traces captured at a one-meter distance from the target device, with each trace being an average of 10,000 samples per encryption. This
is a twofold improvement over the correlation analysis-based attack on the same AES accelerator.
## 2025/560
* Title: Jump, It Is Easy: JumpReLU Activation Function in Deep Learning-based Side-channel Analysis
* Authors: Abraham Basurto-Becerra, Azade Rezaeezade, Stjepan Picek
* [Permalink](
https://eprint.iacr.org/2025/560)
* [Download](
https://eprint.iacr.org/2025/560.pdf)
### Abstract
Deep learning-based side-channel analysis has become a popular and powerful option for side-channel attacks in recent years. One of the main directions that the side-channel community explores is how to design efficient architectures that can break the
targets with as little as possible attack traces, but also how to consistently build such architectures.
In this work, we explore the usage of the JumpReLU activation function, which was designed to improve the robustness of neural networks. Intuitively speaking, improving the robustness seems a natural requirement for side-channel analysis, as hiding
countermeasures could be considered adversarial attacks.
In our experiments, we explore three strategies: 1) exchanging the activation functions with JumpReLU at the inference phase, training common side-channel architectures with JumpReLU, and 3) conducting hyperparameter search with JumpReLU as the
activation function. While the first two options do not yield improvements in results (but also do not show worse performance), the third option brings advantages, especially considering the number of neural networks that break the target. As such, we
conclude that using JumpReLU is a good option to improve the stability of attack results.
## 2025/561
* Title: ThreatLens: LLM-guided Threat Modeling and Test Plan Generation for Hardware Security Verification
* Authors: Dipayan Saha, Hasan Al Shaikh, Shams Tarek, Farimah Farahmandi
* [Permalink](
https://eprint.iacr.org/2025/561)
* [Download](
https://eprint.iacr.org/2025/561.pdf)
### Abstract
Current hardware security verification processes predominantly rely on manual threat modeling and test plan generation, which are labor-intensive, error-prone, and struggle to scale with increasing design complexity and evolving attack methodologies. To
address these challenges, we propose ThreatLens, an LLM-driven multi-agent framework that automates security threat modeling and test plan generation for hardware security verification. ThreatLens integrates retrieval-augmented generation (RAG) to
extract relevant security knowledge, LLM-powered reasoning for threat assessment, and interactive user feedback to ensure the generation of practical test plans. By automating these processes, the framework reduces the manual verification effort,
enhances coverage, and ensures a structured, adaptable approach to security verification. We evaluated our framework on the NEORV32 SoC, demonstrating its capability to automate security verification through structured test plans and validating its
effectiveness in real-world scenarios.
## 2025/562
* Title: Analysis of One Certificateless Authentication and Key Agreement Scheme for Wireless Body Area Network
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](
https://eprint.iacr.org/2025/562)
* [Download](
https://eprint.iacr.org/2025/562.pdf)
### Abstract
We show that the certificateless authentication scheme [Mob. Networks Appl. 2022, 27, 346-356] fails to keep anonymity, not as claimed. The scheme neglects the basic requirement for bit-wise XOR, and tries to encrypt data by the operator. The negligence
results in some trivial equalities. The adversary can retrieve the user's identity from one captured string via the open channel.
## 2025/563
* Title: An Optimized Instantiation of Post-Quantum MQTT protocol on 8-bit AVR Sensor Nodes
* Authors: YoungBeom Kim, Seog Chung Seo
* [Permalink](
https://eprint.iacr.org/2025/563)
* [Download](
https://eprint.iacr.org/2025/563.pdf)
### Abstract
Since the selection of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization algorithms, research on integrating PQC into security protocols such as TLS/SSL, IPSec, and DNSSEC has been actively pursued.
However, PQC migration for Internet of Things (IoT) communication protocols remains largely unexplored. Embedded devices in IoT environments have limited computational power and memory, making it crucial to optimize PQC algorithms for efficient
computation and minimal memory usage when deploying them on low-spec IoT devices. In this paper, we introduce KEM-MQTT, a lightweight and efficient Key Encapsulation Mechanism (KEM) for the Message Queuing Telemetry Transport (MQTT) protocol, widely used
in IoT environments. Our approach applies the NIST KEM algorithm Crystals-Kyber (Kyber) while leveraging MQTT’s characteristics and sensor node constraints. To enhance efficiency, we address certificate verification issues and adopt KEMTLS to eliminate
the need for Post-Quantum Digital Signatures Algorithm (PQC-DSA) in mutual authentication. As a result, KEM-MQTT retains its lightweight properties while maintaining the security guarantees of TLS 1.3. We identify inefficiencies in existing Kyber
implementations on 8-bit AVR microcontrollers (MCUs), which are highly resource-constrained. To address this, we propose novel implementation techniques that optimize Kyber for AVR, focusing on high-speed execution, reduced memory consumption, and secure
implementation, including Signed LookUp-Table (LUT) Reduction. Our optimized Kyber achieves performance gains of 81%,75%, and 85% in the KeyGen, Encaps, and DeCaps processes, respectively, compared to the reference implementation. With approximately 3 KB
of stack usage, our Kyber implementation surpasses all state-of-the-art Elliptic Curve Diffie-Hellman (ECDH) implementations. Finally, in KEM-MQTT using Kyber-512, an 8-bit AVR device completes the handshake preparation process in 4.32 seconds, excluding
the physical transmission and reception times.
## 2025/564
* Title: Combined Masking and Shuffling for Side-Channel Secure Ascon on RISC-V * Authors: Linus Mainka, Kostas Papagiannopoulos
* [Permalink](
https://eprint.iacr.org/2025/564)
* [Download](
https://eprint.iacr.org/2025/564.pdf)
### Abstract
Both masking and shuffling are very common software countermeasures against side-channel attacks. However, exploring possible combinations of the two countermeasures to increase and fine-tune side-channel resilience is less investigated. With this work,
we aim to bridge that gap by both concretising the security guarantees of several masking and shuffling combinations presented in earlier work and additionally investigating their randomness cost. We subsequently implement these approaches to also
analyse their performance. In this context, we present five different protected implementations of the new standard for lightweight cryptography, Ascon, on a 32-bit RISC-V architecture: A 3rd-order masked, unshuffled implementation and three combined 3rd-
order masked and shuffled implementations. Additionally, we present a levelled implementation where only the particularly vulnerable keyed initialisation and finalisation of the permutation are masked and shuffled, while the rest is only shuffled. To
further improve the security and performance of our implementations we make use of the Probe Isolating Non-Interference (PINI) masked AND gadget, coupled with techniques like bit-slicing and bit-interleaving. Utilising benchmarking and an MI-shortcut
security analysis, we pinpoint the best masking-shuffling combinations that maximize security at reasonable overheads.
## 2025/565
* Title: Attacking soundness for an optimization of the Gemini Polynomial Commitment Scheme
* Authors: Lydia Garms, Michael Livesey
* [Permalink](
https://eprint.iacr.org/2025/565)
* [Download](
https://eprint.iacr.org/2025/565.pdf)
### Abstract
We demonstrate an attack on the soundness of a widely
known optimization of the Gemini multilinear Polynomial Commitment
Scheme (PCS). The attack allows a malicious prover to falsely claim that
a multilinear polynomial takes a value of their choice, for any input point.
We stress that the original Gemini multilinear PCS and HyperKZG, an
adaptation of Gemini, are not affected by the attack.
## 2025/566
* Title: Cryptanalysis of Fruit-F: Exploiting Key-Derivation Weaknesses and Initialization Vulnerabilities
* Authors: Subhadeep Banik, Hailun Yan
* [Permalink](
https://eprint.iacr.org/2025/566)
* [Download](
https://eprint.iacr.org/2025/566.pdf)
### Abstract
Fruit-F is a lightweight short-state stream cipher designed by Ghafari et al. The authors designed this version of the cipher, after earlier versions of the cipher viz. Fruit 80/v2 succumbed to correlation attacks. The primary motivation behind this
design seemed to be preventing correlation attacks. Fruit-F has a Grain-like structure with two state registers of size 50 bits each. In addition, the cipher uses an 80-bit secret key and an 80-bit IV. The authors use a complex key-derivation function to
update the non-linear register which prevents the same key-bit alignment across fixed-length window of keystream bits, which is essentially what stops the correlation attacks.
In this paper, we first present two attacks against Fruit-F. The first attack stems from the fact that the key-derivation can be rewritten as the Boolean xor of two key-dependent terms one of which is the Boolean OR of two bits of the key. Using this we
show that the cipher does not offer 80-bit security: the effective key space of Fruit-F is slightly less than $2^{80}$, i.e. a simple brute force attack costs around $2^{80}-2^{49}$ time. The second is a differential attack using the cipher's complex
initialization process. We show that under some given conditions, it is possible to have two initial vectors $V_1$ and $V_2$ that produce identical keystream vectors with any given key. Using this as a distinguisher, it is possible to collect enough
linear and quadratic equations of the secret key to find it in practical time with very few keystream bits.
## 2025/567
* Title: Starfish: A high throughput BFT protocol on uncertified DAG with linear amortized communication complexity
* Authors: Nikita Polyanskii, Sebastian Mueller, Ilya Vorobyev
* [Permalink](
https://eprint.iacr.org/2025/567)
* [Download](
https://eprint.iacr.org/2025/567.pdf)
### Abstract
Current DAG-based BFT protocols face a critical trade-off: certified DAGs provide strong security guarantees but require additional rounds of communication to progress the DAG construction, while uncertified DAGs achieve lower latency at the cost of
either reduced resistance to adversarial behaviour or higher communication costs.
This paper presents Starfish, a partially synchronous DAG-based BFT protocol that achieves the security properties of certified DAGs, the efficiency of uncertified approaches and linear amortized communication complexity. The key innovation is Encoded
Cordial Dissemination, a push-based dissemination strategy that combines Reed-Solomon erasure coding with Data Availability Certificates (DACs). Each of the $n=3f+1$ validators disseminates complete transaction data for its own blocks while distributing
encoded shards for others' blocks, enabling efficient data reconstruction with just $f+1$ shards. Building on the previous uncertified DAG BFT commit rule, Starfish extends it to efficiently verify data availability through committed leader blocks
serving as DACs. For large enough transaction data, this design allows Starfish to achieve $O(n)$ amortized communication complexity per committed transaction byte. The average and worst-case end-to-end latencies for Starfish are rigorously proven to be
bounded by $7.5\delta$ and $11\delta$ in the steady state, where $\delta$ denotes the actual network delay.
Experimental evaluation against state-of-the-art DAG BFT protocols demonstrates Starfish's robust performance under steady-state and Byzantine scenarios.
Our results show that strong Byzantine fault tolerance, high performance, and low communication complexity can coexist in DAG BFT protocols, making Starfish particularly suitable for large-scale distributed ledger deployments.
## 2025/568
* Title: An in-depth security evaluation of the Nintendo DSi gaming console
* Authors: pcy Sluys, Lennert Wouters, Benedikt Gierlichs, Ingrid Verbauwhede
* [Permalink](
https://eprint.iacr.org/2025/568)
* [Download](
https://eprint.iacr.org/2025/568.pdf)
### Abstract
The Nintendo DSi is a handheld gaming console released by Nintendo in 2008. In Nintendo's line-up the DSi served as a successor to the DS and was later succeeded by the 3DS. The security systems of both the DS and 3DS have been fully analysed and
defeated. However, for over 14 years the security systems of the Nintendo DSi remained standing and had not been fully analysed. To that end this work builds on existing research and demonstrates the use of a second-order fault injection attack to
extract the ROM bootloaders stored in the custom system-on-chip used by the DSi. We analyse the effect of the induced fault and compare it to theoretical fault models. Additionally, we present a security analysis of the extracted ROM bootloaders and
develop a modchip using cheap off-the-shelf components. The modchip allows to jailbreak the console, but more importantly allows to resurrect consoles previously assumed irreparable.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)