## In this issue
1. [2025/198] Engorgio: An Arbitrary-Precision Unbounded-Size ...
2. [2025/326] On the Adaptive Security of Free-XOR-based Garbling ...
3. [2025/383] Pencil: A Domain-Extended PRF with Full $n$-bit ...
4. [2025/569] Solving Data Availability Limitations in Client- ...
5. [2025/570] Partial Key Overwrite Attacks in Microcontrollers: ...
6. [2025/571] Universally Composable Relaxed Asymmetric Password- ...
7. [2025/572] Zinnia: An Expressive and Efficient Tensor-Oriented ...
8. [2025/573] Forking Lemma in EasyCrypt
9. [2025/574] Buffalo: A Practical Secure Aggregation Protocol ...
10. [2025/575] Wagner's Algorithm Provably Runs in Subexponential ...
11. [2025/576] Pre-Constructed Publicly Verifiable Secret Sharing ...
12. [2025/577] Making GCM Great Again: Toward Full Security and ...
13. [2025/578] Efficient Garbled Pseudorandom Functions and Lookup ...
14. [2025/579] REGKYC: Supporting Privacy and Compliance ...
15. [2025/580] Efficient Revocable Identity-Based Encryption from ...
16. [2025/581] Reusable Dynamic Multi-Party Homomorphic Encryption
17. [2025/582] Release the Power of Rejected Signatures: An ...
18. [2025/583] Counter Galois Onion (CGO) for Tor: Fast Non- ...
19. [2025/584] The Singularity Random Number Generator: Bridging ...
20. [2025/585] Adaptively-Secure Big-Key Identity-Based Encryption
21. [2025/586] Heuristic Algorithm for Solving Restricted SVP and ...
22. [2025/587] Lifeboats on the Titanic Cryptography
23. [2025/588] A Place for Everyone vs Everyone in its Place: ...
24. [2025/589] Defeating AutoLock: From Simulation to Real-World ...
25. [2025/590] $\mathsf{emGraph}$: Efficient Multiparty Secure ...
26. [2025/591] ColliderVM: Stateful Computation on Bitcoin
27. [2025/592] DSM: Decentralized State Machine - The Missing ...
28. [2025/593] Oblivious Immutable Memory
29. [2025/594] Efficient SNARKs for Boolean Circuits via Sumcheck ...
30. [2025/595] Partial Key Exposure Attacks on UOV and Its Variants
31. [2025/596] Highway to Hull: An Algorithm for Solving the ...
32. [2025/597] SoK: Self-Generated Nudes over Private Chats: How ...
33. [2025/598] Nominal State-Separating Proofs
34. [2025/599] Insecurity of One Decentralized Attribute-based ...
35. [2025/600] Improved Round-by-round Soundness IOPs via Reed- ...
36. [2025/601] PHOENIX: Crypto-Agile Hardware Sharing for ML-KEM ...
37. [2025/602] Lattice-Based Sanitizable Signature Schemes: ...
38. [2025/603] Mobile Byzantine Agreement in a Trusted World
39. [2025/604] On the success rate of simple side-channel attacks ...
## 2025/198
* Title: Engorgio: An Arbitrary-Precision Unbounded-Size Hybrid Encrypted Database via Quantized Fully Homomorphic Encryption
* Authors: Song Bian, Haowen Pan, Jiaqi Hu, Zhou Zhang, Yunhao Fu, Jiafeng Hua, Yi Chen, Bo Zhang, Yier Jin, Jin Dong, Zhenyu Guan
* [Permalink](
https://eprint.iacr.org/2025/198)
* [Download](
https://eprint.iacr.org/2025/198.pdf)
### Abstract
This work proposes an encrypted hybrid database framework that combines vectorized data search and relational data query over quantized fully homomorphic encryption (FHE). We observe that, due to the lack of efficient encrypted data ordering capabilities,
most existing encrypted database (EDB) frameworks do not support hybrid queries involving both vectorized and relational data. To further enrich query expressiveness while retaining evaluation efficiency, we propose Engorgio, a hybrid EDB framework
based on quantized data ordering techniques over FHE. Specifically, we design a new quantized data encoding scheme along with a set of novel comparison and permutation algorithms to accurately generate and apply orders between large-precision data items.
Furthermore, we optimize specific query types, including full table scan, batched query, and Top-k query to enhance the practical performance of the proposed framework. In the experiment, we show that, compared to the state-of-the-art EDB frameworks,
Engorgio is up to 28x--854x faster in homomorphic comparison, 65x--687x faster in homomorphic sorting and 15x--1,640x faster over a variety of end-to-end relational, vectorized, and hybrid SQL benchmarks. Using Engorgio, the amortized runtime for
executing a relational and hybrid query on a 48-core processor is under 3 and 75 seconds, respectively, over a 10K-row hybrid database.
## 2025/326
* Title: On the Adaptive Security of Free-XOR-based Garbling Schemes in the Plain Model
* Authors: Anasuya Acharya, Karen Azari, Chethan Kamath
* [Permalink](
https://eprint.iacr.org/2025/326)
* [Download](
https://eprint.iacr.org/2025/326.pdf)
### Abstract
A Garbling Scheme is a fundamental cryptographic primitive, with numerous theoretical and practical applications. Since its inception by Yao (FOCS'82, '86), optimizing the communication and computation complexities of securely garbling circuits has been
an area of active research. One such optimization, and perhaps the most fundamental, is the `Free-XOR' technique (Kolesnikov and Schneider, ICALP'08) which allows XOR gates in a function garbling to not require representation, and therefore communication.
Since then, several works have designed and analysed the security of schemes that adopt the Free-XOR optimisation. In particular: (1) Applebaum (JoC'16) proved that this can be securely instantiated assuming symmetric-key encryption satisfying a notion
called RK-KDM security; and (2) Zahur, Rosulek and Evans (Eurocrypt'15) proposed the so-called `Half Gates' scheme, and proved that it can be instantiated assuming hash functions satisfying a notion called CCR security. Although both schemes have been
proven selectively secure, prior work leaves it open to analyze whether they satisfy a stronger security notion -- adaptive security -- in the plain model.
In this work, we formally show that the selective security of these two schemes cannot be lifted to adaptive security under the same assumptions. To establish these barriers, we adopt techniques from the work of Kamath et al (Crypto'21), who proved
similar negative results for Yao's garbling. We use that as a starting point and introduce new techniques tailored towards addressing Free-XOR-based schemes.
## 2025/383
* Title: Pencil: A Domain-Extended PRF with Full $n$-bit Security for Strengthening GCM and More
* Authors: Ritam Bhaumik, Jean Paul Degabriele
* [Permalink](
https://eprint.iacr.org/2025/383)
* [Download](
https://eprint.iacr.org/2025/383.pdf)
### Abstract
We consider the problem of constructing efficient pseudorandom functions with Beyond-Birthday-Bound (BBB) security from blockciphers. More specifically, we are interested in variable-output-length pseudorandom functions (PRF) whose domain is twice that
of the underlying blockcipher. We present two such constructions, $\textsf{Pencil}$ and $\sharp\textsf{Pencil}$, which provide weak PRF and full PRF security, respectively, where both achieve full $n$-bit security. While several recent works have focused
on constructing BBB PRFs from blockciphers, much less attention has been given to weak PRF constructions which can potentially be constructed more efficiently and still serve as a useful primitive. Another understudied problem in this domain, is that of
extending the domain of a BBB PRF, which turns out to be rather challenging. Besides being of theoretical interest in itself, this is also a very practical problem. Often, the input to the BBB PRF is a nonce, but random nonces are much easier to handle
in practice as they do not require maintaining state---which can be very cumbersome in distributed systems and encrypted cloud storage. Accordingly, in order to maintain a BBB security bound, one requires random nonces of size between $1.5n$ and $2n$
bits long and corresponding BBB (weak) PRF constructions that admit matching input sizes. NIST has recently announced a pre-draft call for comments to standardise AEAD schemes that can encrypt larger amounts of data and admit larger nonces. The call
lists two approaches. The first is to define an analogue of GCM using a 256-bit blockcipher, and the second is based on a recent proposal by Gueron, to extend GCM with a key derivation function (KDF) called DNDK to increase its security. In essence, DNDK
is a BBB-secure expanding weak pseudorandom function with a domain size of 192 bits that is realised from AES. Our work makes relevant contributions to this domain in two important ways. Firstly, an immediate consequence of our work is that one can
construct a GCM analogue with BBB security from $\sharp\textsf{Pencil}$, without resorting to a 256-bit blockcipher. Our second contribution is that $\sharp\textsf{Pencil}$ can be used as a KDF in combination with GCM in an analogous manner to DNDK-GCM.
However, $\sharp\textsf{Pencil}$ being a full PRF as opposed to DNDK which is only a weak PRF, allows one to prove the KDF-GCM composition secure as an AEAD scheme. Finally, when contrasting $\textsf{Pencil}$ and DNDK as weak PRFs with comparable
parameters, our construction requires only half the blockcipher calls.
## 2025/569
* Title: Solving Data Availability Limitations in Client-Side Validation with UTxO Binding
* Authors: Yunwen Liu, Bo Wang, Ren Zhang
* [Permalink](
https://eprint.iacr.org/2025/569)
* [Download](
https://eprint.iacr.org/2025/569.pdf)
### Abstract
Issuing tokens on Bitcoin remains a highly sought-after goal, driven by its market dominance and robust security. However, Bitcoin's limited on-chain storage and functionality pose significant challenges. Among the various approaches to token issuance on
Bitcoin, client-side validation (CSV) has emerged as a prominent solution. CSV delegates data storage and functionalities beyond BitcoinΓÇÖs native capabilities to off-chain clients, while leveraging the blockchain to validate tokens and prevent double-
spending. Nevertheless, these protocols require participants to maintain token ownership and transactional data, rendering them vulnerable to data loss and malicious data withholding. In this paper, we propose UTxO binding, a novel framework that
achieves both robust data availability and enhanced functionality compared to existing CSV designs. This approach securely binds a Bitcoin UTxO, which prevents double-spending, to a UTxO on an auxiliary blockchain, providing data storage and
programmability. We formally prove its security and implement our design using Nervos CKB as the auxiliary blockchain.
## 2025/570
* Title: Partial Key Overwrite Attacks in Microcontrollers: a Survey
* Authors: pcy Sluys, Lennert Wouters, Benedikt Gierlichs, Ingrid Verbauwhede
* [Permalink](
https://eprint.iacr.org/2025/570)
* [Download](
https://eprint.iacr.org/2025/570.pdf)
### Abstract
Embedded devices can be exposed to a wide range of attacks. Some classes of attacks can be mitigated using security features or dedicated countermeasures. Examples include Trusted Execution Environments, and masking countermeasures against physical side-
channel attacks. However, a system that incorporates such secure components is not automatically a secure system. Partial Key Overwrite attacks are one class of attacks that specifically target the interface between different components of the security
system. These attacks may allow an adversary to extract otherwise protected cryptographic keys through careful manipulation of memory-mapped registers. So far this powerful class of attacks has received little attention in the academic literature. In
this work, we provide an overview of known Partial Key Overwrite vulnerabilities and how they were used in real-world attacks. Additionally, we evaluated 31 common microcontrollers and embedded microprocessors from eleven distinct vendors and detail our
findings. Based on a first high-level evaluation we selected 15 SoCs and performed an in-depth evaluation. This evaluation revealed that at least eight of these SoCs are vulnerable to partial key overwrite attacks.
## 2025/571
* Title: Universally Composable Relaxed Asymmetric Password-Authenticated Key Exchange
* Authors: Shuya Hanai, Keisuke Tanaka, Masayuki Tezuka, Yusuke Yoshida
* [Permalink](
https://eprint.iacr.org/2025/571)
* [Download](
https://eprint.iacr.org/2025/571.pdf)
### Abstract
Password-Authenticated Key Exchange (PAKE) establishes a secure channel between two parties who share a password. Asymmetric PAKE is a variant of PAKE, where one party stores a hash of the password to preserve security under the situation that the party
is compromised. The security of PAKE and asymmetric PAKE is often analyzed in the framework of universal composability (UC).
Abdalla et al. (CRYPTO '20) relaxed the UC security of PAKE and showed that the relaxed security still guarantees reasonable properties. This relaxation makes it possible to prove the security in the UC framework for several PAKE protocols.
In this paper, we propose a relaxed functionality of asymmetric PAKE by following the approach of Abdalla et al. We prove that the SPAKE2+ protocol UC-realizes this functionality. We also define a more relaxed functionality and prove that a variant of
the AuCPace protocol UC-realizes it.
## 2025/572
* Title: Zinnia: An Expressive and Efficient Tensor-Oriented Zero-Knowledge Programming Framework
* Authors: Zhantong Xue, Pingchuan Ma, Zhaoyu Wang, Shuai Wang
* [Permalink](
https://eprint.iacr.org/2025/572)
* [Download](
https://eprint.iacr.org/2025/572.pdf)
### Abstract
Zero-knowledge proofs (ZKPs) are cryptographic protocols that enable a prover to convince a verifier of a statement's truth without revealing any details beyond its validity. Typically, the statement is encoded as an arithmetic circuit, and allows the
prover to demonstrate that the circuit evaluates to true without revealing its inputs. Despite their potential to enhance privacy and security, ZKPs are difficult to write and optimize, limiting their adoption in machine learning and data science. To
address these challenges, we introduce Zinnia, a zero-knowledge programming framework with high utility, expressiveness and efficiency for tensor-oriented computation. Zinnia provides a high-level programming language that enables developers to easily
write ZKP programs, and it employs a novel symbolic execution-inspired approach to extracting semantics from these programs to generate arithmetic circuits. Zinnia supports tensor-oriented computations and provides a rich set of programming constructs,
optimizations, and a powerful static type system for expressing and optimizing complex logic. We evaluate Zinnia across 25 real-world programming tasks and a user study, comparing it to existing solutions, including DSLs and zkVMs (Halo2, SP1, and RISC0).
Our results demonstrate that Zinnia outperforms these baselines in utility, expressiveness, and efficiency, with a statistically significant reduction in development time, $2-3\times$ shorter code length, 19.3% smaller circuit size, and up to $245\times$
faster proving time compared to zkVMs, paving the way for practical ZKP applications in various domains.
## 2025/573
* Title: Forking Lemma in EasyCrypt
* Authors: Denis Firsov, Jakub Janků
* [Permalink](
https://eprint.iacr.org/2025/573)
* [Download](
https://eprint.iacr.org/2025/573.pdf)
### Abstract
Formal methods are becoming an important tool for ensuring correctness and security of cryptographic constructions. However, the support for certain advanced proof techniques, namely rewinding, is scarce among existing verification frameworks, which
hinders their application to complex schemes such as multi-party signatures and zero-knowledge proofs.
We expand the support for rewinding in EasyCrypt by implementing a version of the general forking lemma by Bellare and Neven. We demonstrate its usability by proving EUF-CMA security of Schnorr signatures.
## 2025/574
* Title: Buffalo: A Practical Secure Aggregation Protocol for Asynchronous Federated Learning
* Authors: Riccardo Taiello, Clémentine Gritti, Melek Önen, Marco Lorenzi
* [Permalink](
https://eprint.iacr.org/2025/574)
* [Download](
https://eprint.iacr.org/2025/574.pdf)
### Abstract
Federated Learning (FL) has become a crucial framework for collaboratively training Machine Learning (ML) models while ensuring data privacy. Traditional synchronous FL approaches, however, suffer from delays caused by slower clients (called stragglers),
which hinder the overall training process.
Specifically, in a synchronous setting, model aggregation happens once all the intended clients have submitted their local updates to the server. To address these inefficiencies, Buffered Asynchronous FL (BAsyncFL) was introduced, allowing clients to
update the global model as soon as they complete local training. In such a setting, the new global model is obtained once the buffer is full, thus removing synchronization bottlenecks. Despite these advantages, existing Secure Aggregation (SA) techniquesΓ
Çödesigned to protect client updates from inference attacksΓÇörely on synchronized rounds, making them unsuitable for asynchronous settings.
In this paper, we present Buffalo, the first practical SA protocol tailored for BAsyncFL. Buffalo leverages lattice-based encryption to handle scalability challenges in large ML models and introduces a new role, the assistant, to support the server in
securely aggregating client updates. To protect against an actively corrupted server, we enable clients to verify that their local updates have been correctly integrated into the global model. Our comprehensive evaluationΓÇöincorporating theoretical
analysis and real-world experiments on benchmark datasetsΓÇödemonstrates that Buffalo is an efficient and scalable privacy-preserving solution in BAsyncFL environments.
## 2025/575
* Title: Wagner's Algorithm Provably Runs in Subexponential Time for SIS$^\infty$
* Authors: Léo Ducas, Lynn Engelberts, Johanna Loyer
* [Permalink](
https://eprint.iacr.org/2025/575)
* [Download](
https://eprint.iacr.org/2025/575.pdf)
### Abstract
At CRYPTO 2015, Kirchner and Fouque claimed that a carefully tuned variant of the Blum-Kalai-Wasserman (BKW) algorithm (JACM 2003) should solve the Learning with Errors problem (LWE) in slightly subexponential time for modulus $q=\mathrm{poly}(n)$ and
narrow error distribution, when given enough LWE samples. Taking a modular view, one may regard BKW as a combination of Wagner's algorithm (CRYPTO 2002), run over the corresponding dual problem, and the Aharonov-Regev distinguisher (JACM 2005). Hence the
subexponential Wagner step alone should be of interest for solving this dual problem - namely, the Short Integer Solution problem (SIS) - but this appears to be undocumented so far.
We re-interpret this Wagner step as walking backward through a chain of projected lattices, zigzagging through some auxiliary superlattices. We further randomize the bucketing step using Gaussian randomized rounding to exploit the powerful discrete
Gaussian machinery. This approach avoids sample amplification and turns Wagner's algorithm into an approximate discrete Gaussian sampler for $q$-ary lattices.
For an SIS lattice with $n$ equations modulo $q$, this algorithm runs in subexponential time $\exp(O(n/\log \log n))$ to reach a Gaussian width parameter $s = q/\mathrm{polylog}(n)$ only requiring $m = n + \omega(n/\log \log n)$ many SIS variables. This
directly provides a provable algorithm for solving the Short Integer Solution problem in the infinity norm ($\mathrm{SIS}^\infty$) for norm bounds $\beta = q/\mathrm{polylog}(n)$. This variant of SIS underlies the security of the NIST post-quantum
cryptography standard Dilithium. Despite its subexponential complexity, Wagner's algorithm does not appear to threaten Dilithium's concrete security.
## 2025/576
* Title: Pre-Constructed Publicly Verifiable Secret Sharing and Applications
* Authors: Karim Baghery, Noah Knapen, Georgio Nicolas, Mahdi Rahimi
* [Permalink](
https://eprint.iacr.org/2025/576)
* [Download](
https://eprint.iacr.org/2025/576.pdf)
### Abstract
Conventional Publicly Verifiable Secret Sharing (PVSS) protocols allow a dealer to share a secret among $n$ parties without interaction, ensuring that any $t + 1$ parties (where $t+1 \le n$) can recover the secret, while anyone can publicly verify the
validity of both the individual shares and the reconstructed secret. PVSS schemes are shown to be a key tool in a wide range of practical applications. In this paper, we introduce Pre-constructed PVSS (PPVSS), an extension of standard PVSS schemes,
highlighting its enhanced utility and efficiency in various protocols. Unlike standard PVSS, PPVSS requires the dealer to publish a commitment or encryption of the main secret and incorporates a novel secret reconstruction method. We show that these
refinements make PPVSS more practical and versatile than conventional PVSS schemes.
To build a PPVSS scheme, we first point out that the well-known PVSS scheme by Schoenmakers (CRYPTO'99) and its pairing-based variant presented by Heidarvand and Villar (SAC'08) can be seen as special cases of PPVSS, where the dealer also publishes a
commitment to the main secret. However, these protocols are not practical for many applications due to efficiency limitations and are less flexible compared to a standard PPVSS scheme. To address this, we propose a general strategy for transforming a
Shamir-based PVSS scheme into a PPVSS scheme. Using this strategy, we construct two practical PPVSS schemes in both the Random Oracle (RO) and plain models, grounded in state-of-the-art PVSS designs. Leveraging the new RO-based PPVSS scheme, we revisit
some applications and present more efficient variants. Notably, we propose a new universally verifiable e-voting protocol that improves on the alternative scheme by Schoenmakers (CRYPTO'99), reducing the verification complexity with $m$ voters from $O(n^
2m)$ to $O(nm)$ exponentiations--a previously unattainable goal with standard PVSS schemes. Our implementation results demonstrate that both our proposed PPVSS schemes and the new universally verifiable e-voting protocol significantly outperform existing
alternatives in terms of efficiency.
## 2025/577
* Title: Making GCM Great Again: Toward Full Security and Longer Nonces
* Authors: Woohyuk Chung, Seongha Hwang, Seongkwang Kim, Byeonghak Lee, Jooyoung Lee
* [Permalink](
https://eprint.iacr.org/2025/577)
* [Download](
https://eprint.iacr.org/2025/577.pdf)
### Abstract
The GCM authenticated encryption (AE) scheme is one of the most widely used AE schemes in the world, while it suffers from risk of nonce misuse, short message length per encryption and an insufficient level of security. The goal of this paper is to
design new AE schemes achieving stronger provable security in the standard model and accepting longer nonces (or providing nonce misuse resistance), with the design rationale behind GCM.
As a result, we propose two enhanced variants of GCM and GCM-SIV, dubbed eGCM and eGCM-SIV, respectively. eGCM and eGCM-SIV are built on top of a new CENC-type encryption mode, dubbed eCTR: using 2n-bit counters, eCTR enjoys beyond-birthday-bound
security without significant loss of efficiency. eCTR is combined with an almost uniform and almost universal hash function, yielding a variable input-length variable output-length pseudorandom function, dubbed HteC. GCM and GCM-SIV are constructed using
eCTR and HteC as building blocks.
eGCM and eGCM-SIV accept nonces of arbitrary length, and provide almost the full security (namely, n-bit security when they are based on an n-bit block cipher) for a constant maximum input length, under the assumption that the underlying block cipher is
a pseudorandom permutation (PRP). Their efficiency is also comparable to GCM in terms of the rate and the overall speed.
## 2025/578
* Title: Efficient Garbled Pseudorandom Functions and Lookup Tables from Minimal Assumption
* Authors: Wei-Kai Lin, Zhenghao Lu, Hong-Sheng Zhou
* [Permalink](
https://eprint.iacr.org/2025/578)
* [Download](
https://eprint.iacr.org/2025/578.pdf)
### Abstract
Yao's garbled circuits have received huge attention in both theory and practice. While garbled circuits can be constructed using minimal assumption (i.e., the existence of pseudorandom functions or one-way functions), the state-of-the-art constructions (
e.g., Rosulek-Roy, Crypto 2021) are based on stronger assumptions. In particular, the ``Free-XOR'' technique (Kolesnikov-Schneider, ICALP 2008) is essential in these state-of-the-art constructions, and their security can only be proven in the random
oracle model, or rely on the ``circular-correlation robust hash'' assumption.
In this paper, we aim to develop new techniques to construct efficient garbling schemes using minimal assumptions. Instead of generically replacing the Free-XOR technique, we focus on garbling schemes for specific functionalities. We successfully
eliminated the need for Free-XOR in several state-of-the-art schemes, including the one-hot garbling (Heath and Kolesnikov, CCS 2021) and the garbled pseudorandom functions, and the garbled lookup tables (Heath, Kolesnikov and Ng, Eurocrypt 2024). Our
schemes are based on minimal assumptions, i.e., standard pseudorandom functions (PRFs)---we resolved the need for circular security. The performance of our scheme is almost as efficient as the best results except for a small constant factor. Namely, for
any lookup table $\{0,1\}^n \to \{0,1\}^m$, our scheme takes $n + (5n+9)m\lambda + 2^n \cdot m$ bits of communication, where $\lambda$ is the security parameter of PRF.
## 2025/579
* Title: REGKYC: Supporting Privacy and Compliance Enforcement for KYC in Blockchains
* Authors: Xihan Xiong, Michael Huth, William Knottenbelt
* [Permalink](
https://eprint.iacr.org/2025/579)
* [Download](
https://eprint.iacr.org/2025/579.pdf)
### Abstract
Know Your Customer (KYC) is a core component of the Anti-Money Laundering (AML) framework, designed to prevent illicit activities within financial systems. However, enforcing KYC and AML on blockchains remains challenging due to difficulties in
establishing accountability and preserving user privacy. This study proposes REGKYC, a privacy-preserving Attribute-Based Access Control (ABAC) framework that balances user privacy with externally mandated KYC and AML requirements. REGKYC leverages a
structured ABAC model to support the flexible verification of KYC attributes and the enforcement of compliance policies, providing benefits to multiple stakeholders. First, it enables legitimate users to meet compliance requirements while preserving the
privacy of their on-chain activities. Second, it empowers Crypto-asset Service Providers (CASPs) to tailor compliance policies to operational needs, ensuring adaptability to evolving regulations. Finally, it enhances regulatory accountability by enabling
authorized deanonymization of malicious actors. We hope this work inspires future research to harmonize user privacy and regulatory compliance in blockchain systems.
## 2025/580
* Title: Efficient Revocable Identity-Based Encryption from Middle-Product LWE * Authors: Takumi Nishimura, Atsushi Takayasu
* [Permalink](
https://eprint.iacr.org/2025/580)
* [Download](
https://eprint.iacr.org/2025/580.pdf)
### Abstract
The Middle-Product Learning with Errors (MPLWE) assumption is a variant of the Learning with Errors (LWE) assumption. The MPLWE assumption reduces the key size of corresponding LWE-based schemes by setting keys as sets of polynomials. Moreover, MPLWE has
more robust security than other LWE variants such as Ring-LWE
and Module-LWE. Lombardi et al. proposed an identity-based encryption (IBE) scheme (LVV-IBE) based on the MPLWE assumption in the random oracle model (ROM) by following Gentry et al.'s IBE scheme (GPV-IBE) based on LWE. Due to the benefit of MPLWE, LVV-
IBE has a shorter master public key and a secret key than GPV-IBE without changing the size of a ciphertext. However, Lombardi et al.'s proof is not tight in the ROM, while Katsumata et al. proved that GPV-IBE achieves tight adaptive anonymity in the
quantum ROM (QROM). Revocable IBE (RIBE) is a variant of IBE supporting a key revocation mechanism to remove malicious users from the system. Takayasu proposed the most efficient RIBE scheme (Takayasu-RIBE) based on LWE achieving tight adaptive anonymity
in the QROM. Although a concrete RIBE scheme based on MPLWE has not been proposed, we can construct a scheme (LVV-based RIBE) by applying Ma and Lin's generic transformation to LVV-IBE. Due to the benefit of MPLWE, LVV-based RIBE has an asymptotically
shorter master public key and a shorter secret key than Takayasu-RIBE although the former has a larger ciphertext than the latter. Moreover, the security proof is not tight and anonymous in the ROM due to security proofs of Ma-Lin and Lombardi et al. In
this paper, we propose a concrete RIBE scheme based on MPLWE. Compared with the above RIBE schemes, the proposed RIBE scheme is the most asymptotically efficient since the sizes of a master public key and a secret key (resp. ciphertext) of the proposed
scheme are the same as those of LVV-based RIBE scheme (resp. Takayasu-RIBE). Moreover, we prove the tight adaptive anonymity of the proposed RIBE scheme in the QROM. For this purpose, we also prove the tight adaptive anonymity of LVV-IBE in the QROM.
## 2025/581
* Title: Reusable Dynamic Multi-Party Homomorphic Encryption
* Authors: Jung Hee Cheon, Hyeongmin Choe, Seunghong Kim, Yongdong Yeo
* [Permalink](
https://eprint.iacr.org/2025/581)
* [Download](
https://eprint.iacr.org/2025/581.pdf)
### Abstract
Homomorphic Encryption (HE) is a promising primitive for evaluating arbitrary circuits while keeping the user's privacy. We investigate how to use HE in the multi-party setting where data is encrypted with several distinct keys. One may use the Multi-Key
Homomorphic Encryption (MKHE) in this setting, but it has space/computation overhead of $\mathcal O(n)$ for the number of users $n$, which makes it impractical when $n$ grows large. On the contrary, Multi-Party Homomorphic Encryption (MPHE) is the other
Homomorphic Encryption primitive in the multi-party setting, where the space/computation overhead is $\mathcal O(1)$; however, is limited in terms of ciphertext reusability and dynamicity, that ciphertexts are encrypted just for a group of parties and
cannot be reused for other purposes, and that additional parties cannot join the computation dynamically.
Contrary to MKHE, where the secret key owners engage only in the decryption phase, we consider a more relaxed situation where the secret key owners can communicate before the computation. In that case, we can reduce the size of a ciphertext and the
evaluation complexity from $\mathcal O(n)$ to $\mathcal O(1)$ as in a single-key HE setting. We call this primitive as {\em Reusable Dynamic Multi-Party Homomorphic Encryption}, which is more suitable in real-world scenarios.
We show that 1) the procedures before the computation can be done in a very few rounds of communications, 2) the evaluation/space complexities are independent of the number of users, and 3) the functionalities are as efficient as MKHE, with asymptotic
analysis and with implementation.
## 2025/582
* Title: Release the Power of Rejected Signatures: An Efficient Side-Channel Attack on Dilithium
* Authors: Zheng Liu, An Wang, Congming Wei, Yaoling Ding, Jingqi Zhang, Annyu Liu, Liehuang Zhu
* [Permalink](
https://eprint.iacr.org/2025/582)
* [Download](
https://eprint.iacr.org/2025/582.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)