[continued from previous message]
Using this test involves several complications, most significantly that projection to affine lines does not preserve individual degrees, and we show how to overcome these difficulties. En route, we extend some existing machinery to more general
settings. Specifically, we give proximity generators for Reed-Muller codes, show a more systematic way of handling "side conditions" in IOP constructions, and generalize the compiling procedure of [Arnon, Chiesa, Fenzi, Yogev, Crypto 2024] to general
codes.
## 2025/601
* Title: PHOENIX: Crypto-Agile Hardware Sharing for ML-KEM and HQC
* Authors: Antonio Ras, Antoine Loiseau, Mikaƫl Carmona, Simon PontiƩ, GuƩnaƫl Renault, Benjamin Smith, Emanuele Valea
* [Permalink](
https://eprint.iacr.org/2025/601)
* [Download](
https://eprint.iacr.org/2025/601.pdf)
### Abstract
The transition to quantum-safe public-key cryptography has begun: for key agreement, NIST has standardized ML-KEM and selected HQC for future standardization. The relative immaturity of these schemes encourages crypto-agile implementations, to facilitate
easy transitions between them. Intelligent crypto-agility requires efficient sharing strategies to compute operations from different cryptosystems using the same resources. This is particularly challenging for cryptosystems with distinct mathematical
foundations, like lattice-based ML-KEM and code-based HQC.
We introduce PHOENIX, the first crypto-agile hardware coprocessor for lattice- and code-based cryptosystems--specifically, ML-KEM and HQC, at all three NIST security levels--with an effective agile sharing strategy.
PHOENIX accelerates polynomial multiplication, which is the main operation in both cryptosystems, and the current bottleneck of HQC. To maximise sharing, we replace HQC's Karatsuba-based polynomial multiplication with the Frobenius Additive FFT (FAFFT),
which is similar on an abstract level to ML-KEM's Number Theoretic Transform (NTT).
We show that the FAFFT already brings substantial performance improvements in software. In hardware, our sharing strategy for the FAFFT and NTT is based on a new SuperButterfly unit that seamlessly switches between these two FFT variants over completely
different rings. This is, to our knowledge, the first FAFFT hardware accelerator of any kind. We have integrated PHOENIX in a real System-on-Chip FPGA scenario, where our performance measurements show that efficient crypto-agility for lattice- and code-
based KEMs can be achieved with low overhead.
## 2025/602
* Title: Lattice-Based Sanitizable Signature Schemes: Chameleon Hash Functions and More
* Authors: Sebastian Clermont, Samed DĆ¼zlĆ¼, Christian Janson, Laurens Porzenheim, Patrick Struck
* [Permalink](
https://eprint.iacr.org/2025/602)
* [Download](
https://eprint.iacr.org/2025/602.pdf)
### Abstract
Sanitizable Signature Schemes (SSS) enable a designated party, the sanitizer, to modify predefined parts of a signed message without invalidating the signature, making them useful for applications like pseudonymization and redaction. Since their
introduction by Ateniese et al. (ESORICS'05), several classical SSS constructions have been proposed, but none have been instantiated from quantum-resistant assumptions. In this work, we develop the first quantum-secure sanitizable signature schemes
based on lattice assumptions. Our primary focus is on SSS constructions that rely on chameleon hash functions (CHFs), a key component for enabling the controlled modification of messages. While lattice-based CHFs exist, they do not meet the required
security guarantees for SSS, becoming insecure under adversarial access to an adapt oracle. To address this, we construct a novel lattice-based CHF that achieves collision resistance even in such settings, called full collision resistance. However, our
CHF lacks the uniqueness property, a limitation we show to be inherent in lattice-based CHFs. As a result, our SSS constructions initially fall short of achieving the critical security property of accountability. To overcome this, we apply a
transformation based on verifiable ring signatures (VRS), for which we present the first lattice-based instantiation. Additionally, we provide a comprehensive analysis of existing classical SSS constructions, explore their potential for post-quantum
instantiations, and present new attacks on previously assumed secure SSS schemes. Our work closes the gap in constructing quantum-secure SSS and lays the groundwork for further research into advanced cryptographic primitives based on lattice assumptions.
## 2025/603
* Title: Mobile Byzantine Agreement in a Trusted World
* Authors: Bo Pan, Maria Potop Butucaru
* [Permalink](
https://eprint.iacr.org/2025/603)
* [Download](
https://eprint.iacr.org/2025/603.pdf)
### Abstract
In this paper, we address the Byzantine Agreement problem in synchronous systems where Byzantine agents can move from process to process, corrupting their host.
We focus on three representative models: \emph{Garay's}, \emph{Bonnet's} and \emph{Buhrman's} models.
In \emph{Garay's model} when a process has been left by the Byzantine, it is in the \emph{cured} state and it is aware of its condition and thus can remain silent for a round to prevent the dissemination of wrong information.
In \emph{Bonnet's model} a cured process may send messages (based on a state corrupted by the malicious agent), however it will behave correctly in the way it sends those messages: i.e., send messages according to the algorithm.
In \emph{Buhrman's model} Byzantine agents move together with the message.
It has been shown that in order to solve Byzantine Agreement in the \emph{Garay's model} at least $4t+1$ processors are needed, for \emph{Bonnet's model} at least $5t+1$ processors are needed, while for \emph{Buhrman's model} at least $3t+1$ processors
are needed.
In this paper we target to increase the tolerance to mobile Byzantines by integrating a trusted counter abstraction to the above models. This abstraction prevents nodes to equivocate. In the new models we prove that at least $3t+1$, respectively $4t+1$,
and $2t+1$ processors are needed to tolerate $t$ mobile Byzantine agents. Furthermore, we propose novel Mobile Byzantine Agreement algorithms that match these new lower bounds for \emph{Garay's}, \emph{Bonnet's} and \emph{Buhrman's} models.
## 2025/604
* Title: On the success rate of simple side-channel attacks against masking with unlimited attack traces
* Authors: Aymeric Hiltenbrand, Julien Eynard, Romain Poussier
* [Permalink](
https://eprint.iacr.org/2025/604)
* [Download](
https://eprint.iacr.org/2025/604.pdf)
### Abstract
Side-channel attacks following a classical differential power
analysis (DPA) style are well understood, along with the effect the mask-
ing countermeasure has on them. However, simple attacks (SPA) where
the target variable does not vary thanks to a known value, such as the plaintext, are less studied. In this paper, we investigate how the masking countermeasure affects the success rate of simple attacks. To this end, we provide theoretical, simulated, and practical experiments. Interestingly,
we will see that masking can allow us to asymptotically recover more information on the secret than in the case of an unprotected implemen-
tation, depending on the masking type. We will see that this is true for masking encodings that add non-linearity with respect to the leakages,
such as arithmetic masking, while it is not for Boolean masking. We be-
lieve this context provides interesting results, as the average information
of arithmetic encoding is proven less informative than the Boolean one.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)