## In this issue
1. [2024/746] The Art of Bonsai: How Well-Shaped Trees Improve ...
2. [2025/378] Side-Channel and Fault Injection Attacks on VOLEitH ...
3. [2025/612] More NTRU+Sign Signatures from Cyclotomic Trinomials
4. [2025/621] SPHINCSLET: An Area-Efficient Accelerator for the ...
5. [2025/622] Byzantine Reliable Broadcast and Tendermint ...
6. [2025/623] CertainSync: Rateless Set Reconciliation with Certainty
7. [2025/624] Trapdoor one-way functions from tensors
8. [2025/625] FHECAP: An Encrypted Control System with Piecewise ...
9. [2025/626] Tree-based Quantum Carry-Save Adder
10. [2025/627] Everlasting Fully Dynamic Group Signatures
11. [2025/628] Improving the Masked Division for the FALCON Signature
12. [2025/629] Audience Injection Attacks: A New Class of Attacks ...
13. [2025/630] Charge Your Clients: Payable Secure Computation and ...
14. [2025/631] Dyna-hinTS: Silent Threshold Signatures for Dynamic ...
15. [2025/632] On breaking McEliece keys using brute force
16. [2025/633] Hybrid-query bounds with partial input control - ...
17. [2025/634] Cryptography based on 2D Ray Tracing
18. [2025/635] Towards Scalable YOSO MPC via Packed Secret-Sharing
19. [2025/636] Impossible Differential Attack on SAND-64
20. [2025/637] A Study of Blockchain Consensus Protocols
21. [2025/638] Round-Efficient Adaptively Secure Threshold ...
22. [2025/639] Cryptomania v.s. Minicrypt in a Quantum World
23. [2025/640] Multi-Party Private Set Operations from Predicative ...
24. [2025/641] Scalable Non-Fungible Tokens on Bitcoin
25. [2025/642] A Meta-Complexity Characterization of Quantum ...
26. [2025/643] Obfuscation for Deep Neural Networks against Model ...
27. [2025/644] Attacking at non-harmonic frequencies in screaming- ...
28. [2025/645] GIGA Protocol: Unlocking Trustless Parallel ...
29. [2025/646] Secret-Key PIR from Random Linear Codes
30. [2025/647] Anamorphic Voting: Ballot Freedom Against Dishonest ...
31. [2025/648] HQC Beyond the BSC: Towards Error Structure-Aware ...
32. [2025/649] Guaranteed Termination Asynchronous Complete Secret ...
33. [2025/650] ADC-BE: Optimizing Worst-Case Bandwidth in ...
34. [2025/651] Low-Latency Bootstrapping for CKKS using Roots of Unity
35. [2025/652] MultiCent: Secure and Scalable Centrality Measures ...
36. [2025/653] Fission: Distributed Privacy-Preserving Large ...
37. [2025/654] ECDSA Cracking Methods
38. [2025/655] Taking AI-Based Side-Channel Attacks to a New Dimension
39. [2025/656] Unbounded Multi-Hop Proxy Re-Encryption with HRA ...
40. [2025/657] Key Derivation Functions Without a Grain of Salt
41. [2025/658] Efficient Verifiable Mixnets from Lattices, Revisited
42. [2025/659] Scalable and Fine-Tuned Privacy Pass from Group ...
43. [2025/660] Eccfrog512ck2: An Enhanced 512-bit Weierstrass ...
44. [2025/661] An LLM Framework For Cryptography Over Chat Channels
45. [2025/662] Attribute-Based Publicly Verifiable Secret Sharing
46. [2025/663] Intermundium-DL: Assessing the Resilience of ...
47. [2025/664] Publicly Verifiable Generalized Secret Sharing ...
48. [2025/665] MProve-Nova: A Privacy-Preserving Proof of Reserves ...
49. [2025/666] Adaptive Robustness of Hypergrid Johnson-Lindenstrauss
50. [2025/667] Vector Commitment Design, Analysis, and ...
## 2024/746
* Title: The Art of Bonsai: How Well-Shaped Trees Improve the Communication Cost of MLS
* Authors: Céline Chevalier, Guirec Lebrun, Ange Martinelli, Jérôme Plût
* [Permalink](
https://eprint.iacr.org/2024/746)
* [Download](
https://eprint.iacr.org/2024/746.pdf)
### Abstract
Messaging Layer Security (MLS) is a Secure Group Messaging protocol that uses for its handshake a binary tree – called a Ratchet Tree – in order to reach a logarithmic communication cost in the number of group members. This Ratchet Tree represents
users as its leaves; therefore any change in the group membership results in adding or removing a leaf in the tree. MLS consequently implements what we call a tree evolution mechanism, consisting of a user add algorithm – determining where to insert a
new leaf – and a tree expansion process – stating how to increase the size of the tree when no space is available for a new user. The tree evolution mechanism currently used by MLS is designed so that it naturally left-balances the Ratchet Tree.
However, such a tree structure is often quite inefficient in terms of communication cost. Furthermore, one may wonder whether the binary Ratchet Tree has a degree optimized for the features of MLS.
Therefore, we study in this paper how to improve the communication cost of the handshake in MLS – realized through an operation called a commit – by considering both the tree evolution mechanism and the tree degree used for the Ratchet Tree. To do so,
we determine the tree structure that optimizes its communication cost and we propose algorithms for both the user add and the tree expansion processes, that allow to remain close to that optimal structure and thus to have a communication cost as close
as possible to the optimum. We also find out the Ratchet Tree degree that is best suited to a given set of parameters induced by the encryption scheme used by MLS. This study shows that when using classical (i.e. pre-quantum) ciphersuites, a binary tree
is indeed the most appropriate Ratchet Tree; nevertheless, with post-quantum algorithms, it generally becomes more interesting to use instead a ternary tree.
Our improvements do not change the TreeKEM protocol and are easy to implement. With parameter sets corresponding to practical ciphersuites, they reduce TreeKEM’s communication cost by 5 to 10%. In particular, the gain of 10% appears in the post-quantum
setting – when both an optimized tree evolution mechanism and a ternary tree are necessary –, which is precisely the context where any optimization of the protocol’s communication cost is welcome, due to the large bandwidth of PQ encrypted
communication.
## 2025/378
* Title: Side-Channel and Fault Injection Attacks on VOLEitH Signature Schemes: A Case Study of Masked FAEST
* Authors: Sönke Jendral, Elena Dubrova
* [Permalink](
https://eprint.iacr.org/2025/378)
* [Download](
https://eprint.iacr.org/2025/378.pdf)
### Abstract
Ongoing efforts to transition to post-quantum public-key cryptosystems have created the need for algorithms with a variety of performance characteristics and security assumptions.
Among the candidates in NIST's post-quantum standardisation process for additional digital signatures is FAEST, a Vector Oblivious Linear Evaluation in-the-Head (VOLEitH)-based scheme, whose security relies on the one-wayness of the Advanced Encryption
Standard (AES).
The VOLEitH paradigm enables competitive performance and signature sizes under conservative security assumptions.
However, since it was introduced recently, in 2023, its resistance to physical attacks has not yet been analysed. In this paper, we present the first security analysis of VOLEitH-based signature schemes in the context of side-channel and fault injection
attacks. We demonstrate four practical attacks on a masked implementation of FAEST in ARM Cortex-M4 capable of recovering the full secret key with high probability (greater than 0.87) from a single signature. These attacks exploit vulnerabilities of
components specific to VOLEitH schemes and FAEST, such as the parallel all-but-one vector commitments, the VOLE generation, and the AES proof generation. Finally, we propose countermeasures to mitigate these attacks and enhance the physical security of
VOLEitH-based signature schemes.
## 2025/612
* Title: More NTRU+Sign Signatures from Cyclotomic Trinomials
* Authors: Ga Hee Hong, Joo Woo, Jonghyun Kim, Minkyu Kim, Hochang Lee, Jong Hwan Park
* [Permalink](
https://eprint.iacr.org/2025/612)
* [Download](
https://eprint.iacr.org/2025/612.pdf)
### Abstract
Recently, $\mathsf{NTRU}$+$\mathsf{Sign}$ was proposed as a new compact signature scheme, following `Fiat-Shamir with Aborts' (FSwA) framework. Its compactness is mainly based on their novel NTRU-based key structure that fits well with bimodal
distributions in the FSwA framework. However, despite its compactness, $\mathsf{NTRU}$+$\mathsf{Sign}$ fails to provide a diverse set of parameters that can meet some desired security levels. This limitation stems from its reliance on a ring $\mathbb{Z}_
q[x]/\langle x^n+1 \rangle$, where $n$ is restricted to powers of two, limiting the flexibility in selecting appropriate security levels. To overcome this limitation, we propose a revised version of $\mathsf{NTRU}$+$\mathsf{Sign}$ by adopting a ring $\
mathbb{Z}_q[x]/\langle x^n-x^{n/2}+1\rangle$ from cyclotomic trinomials, where $n=2^{i}3^{j}$ for some positive integers $i$ and $j$. Our parameterization offers three distinct security levels: approximately $120$, $190$, and $260$ bits, while preserving
the compactness in $\mathbb{Z}_q[x]/\langle x^n+1 \rangle$. We implement these re-parameterized $\mathsf{NTRU}$+$\mathsf{Sign}$ schemes, showing that the performance of $\mathsf{NTRU}$+$\mathsf{Sign}$ from cyclotomic trinomials is still comparable to
previous lattice-based signature schemes such as $\mathsf{Dilithium}$ and $\mathsf{HAETAE}$.
## 2025/621
* Title: SPHINCSLET: An Area-Efficient Accelerator for the Full SPHINCS+ Digital Signature Algorithm
* Authors: Sanjay Deshpande, Yongseok Lee, Cansu Karakuzu, Jakub Szefer, Yunheung Paek
* [Permalink](
https://eprint.iacr.org/2025/621)
* [Download](
https://eprint.iacr.org/2025/621.pdf)
### Abstract
This work presents SPHINCSLET, the first fully standard-compliant and area-efficient hardware implementation of the SLH-DSA algorithm, formerly known as SPHINCS+, a post-quantum digital signature scheme. SPHINCSLET is designed to be parameterizable
across different security levels and hash functions, offering a balanced trade-off between area efficiency and performance. Existing hardware implementations either feature a large area footprint to achieve fast signing and verification or adopt a
coprocessor-based approach that significantly slows down these operations. SPHINCSLET addresses this gap by delivering a 4.7$\times$ reduction in area compared to high-speed designs while achieving a 2.5$\times$ to 5$\times$ improvement in signing time
over the most efficient coprocessor-based designs for a SHAKE256-based SPHINCS+ implementation. The SHAKE256-based SPHINCS+ FPGA implementation targeting the AMD Artix-7 requires fewer than 10.8K LUTs for any security level of SLH-DSA. Furthermore, the
SHA-2-based SPHINCS+ implementation achieves a 2$\times$ to 4$\times$ speedup in signature generation across various security levels compared to existing SLH-DSA hardware, all while maintaining a compact area footprint of 6K to 15K LUTs. This makes it
the fastest SHA-2-based SLH-DSA implementation to date. With an optimized balance of area and performance, SPHINCSLET can assist resource-constrained devices in transitioning to post-quantum cryptography.
## 2025/622
* Title: Byzantine Reliable Broadcast and Tendermint Consensus with trusted components
* Authors: Yackolley Amoussou-Guenou, Lionel Beltrando, Maurice Herlihy, Maria Potop-Butucaru
* [Permalink](
https://eprint.iacr.org/2025/622)
* [Download](
https://eprint.iacr.org/2025/622.pdf)
### Abstract
Byzantine Reliable Broadcast is one of the most popular communication primitives in distributed systems. Byzantine reliable broadcast ensures that processes agree to deliver a message from an initiator, even if some processes (possibly
including the initiator) are Byzantine. In asynchronous settings, it is known since the prominent work of Bracha \cite{Bracha87} that Byzantine reliable broadcast can be implemented deterministically if the total number of processes, denoted by $n$,
satisfies $n \geq 3t+1$ where $t$ is an upper bound on the number of Byzantine processes. Here, we study Byzantine Reliable Broadcast when processes are equipped with \emph{trusted components}, special software or hardware designed to prevent
equivocation. Our contribution is threefold. First, we show that, despite common belief, when each process is equipped with a trusted component, Bracha's algorithm still needs $n \geq 3t+1$. Second, we present a novel algorithm that uses a single trusted
component (at the initiator) that implements Byzantine Reliable Asynchronous Broadcast with $n \geq 2t+1$.
\yag{Lastly, building on our broadcast algorithm, we present TenderTee, a transformation of the Tendermint consensus algorithm by using trusted component, giving better Byzantine resilience. Tendertee works with $n \geq 2t+1$, where Tendermint needed $n=
3t+1$.}
## 2025/623
* Title: CertainSync: Rateless Set Reconciliation with Certainty
* Authors: Tomer Keniagin, Eitan Yaakobi, Ori Rottenstreich
* [Permalink](
https://eprint.iacr.org/2025/623)
* [Download](
https://eprint.iacr.org/2025/623.pdf)
### Abstract
Set reconciliation is a fundamental task in distributed systems, particularly in blockchain networks, where it enables the synchronization of transaction pools among peers and facilitates block dissemination. Existing traditional set reconciliation
schemes are either statistical, providing success probability as a function of the communication overhead and the size of the symmetric difference, or require parametrization and estimation of the size of the symmetric difference, which can be prone to
error. In this paper, we present CertainSync, a novel reconciliation framework that, to the best of our knowledge, is the first to guarantee successful set reconciliation without any parametrization or estimators in use. The framework is rateless and
adapts to the unknown symmetric difference size. The set reconciliation is guaranteed to be completed successfully whenever the communication overhead reaches a lower bound derived from the symmetric difference size and the universe size. Our framework
is based on recent constructions of Invertible Bloom Lookup Tables (IBLTs) ensuring successful element listing as long as the number of elements is bounded. We provide a theoretical analysis to prove the certainty in the set reconciliation for multiple
constructions. The approach is also validated by simulations, showing the ability to synchronize sets with efficient communication costs while maintaining reconciliation guarantees compared to other baseline schemes for set reconciliation. To further
improve communication overhead for large universes as blockchain networks, CertainSync is extended with a universe reduction technique to minimize communication overhead. We compare and validate the extended framework UniverseReduceSync against the basic
CertainSync framework through simulations using real blockchain transaction hash data from the Ethereum blockchain network. The results illustrate a trade-off between improved communication costs and maintaining reconciliation guarantees without relying
on parametrization or estimators, offering a comprehensive solution for set reconciliation in diverse scenarios.
## 2025/624
* Title: Trapdoor one-way functions from tensors
* Authors: Anand Kumar Narayanan
* [Permalink](
https://eprint.iacr.org/2025/624)
* [Download](
https://eprint.iacr.org/2025/624.pdf)
### Abstract
Weyman and Zelevinsky generalised Vandermonde matrices to higher dimensions, which we call Vandermonde-Weyman-Zelevinsky tensors.
We generalise Lagrange interpolation to higher dimensions by devising a nearly linear time algorithm that given a Vandermonde-Weyman-Zelevinsky tensor and a sparse target vector, finds a tuple of vectors that hit the target under tensor evaluation.
Tensor evaluation to us means evaluating the usual multilinear form associated with the tensor in all but one chosen dimension. Yet, this interpolation problem phrased with respect to a random tensor appears to be a hard multilinear system. Leveraging
this dichotomy, we propose preimage sampleable trapdoor one-way functions in the spirit of Gentry-Peikert-Vaikuntanathan (GPV) lattice trapdoors. We design and analyse ``Hash-and-Sign'' digital signatures from such trapdoor one-way functions, yielding
short signatures whose lengths scale nearly linearly in the security parameter. We also describe an encryption scheme.
Our trapdoor is a random Vandermonde-Weyman-Zelevinsky tensor over a finite field and a random basis change. We hide the Vandermonde-Weyman-Zelevinsky tensor under the basis change and publish the resulting pseudorandom tensor. The one way function is
the tensor evaluation derived from the public tensor, restricted so as to only map to sparse vectors. We then design the domain sampler and preimage sampler demanded by the GPV framework. The former samples inputs that map to uniform images under the
one-way function. The latter samples preimages given supplementary knowledge of the trapdoor. Preimage sampling is a randomised version of interpolation and knowing the basis change allows efficient translation between interpolation corresponding to the
public and trapdoor tensors. An adversary seeking a preimage must solve a pseudorandom multilinear system, which seems cryptographically hard.
## 2025/625
* Title: FHECAP: An Encrypted Control System with Piecewise Continuous Actuation
* Authors: Song Bian, Yunhao Fu, Dong Zhao, Haowen Pan, Yuexiang Jin, Jiayue Sun, Hui Qiao, Zhenyu Guan
* [Permalink](
https://eprint.iacr.org/2025/625)
* [Download](
https://eprint.iacr.org/2025/625.pdf)
### Abstract
We propose an encrypted controller framework for linear time-invariant systems with actuator non-linearity based on fully homomorphic encryption (FHE). While some existing works explore the use of partially homomorphic encryption (PHE) in implementing
linear control systems, the impacts of the non-linear behaviors of the actuators on the systems are often left unconcerned. In particular, when the inputs to the controller become too small or too large, actuators may burn out due to unstable system
state oscillations. To solve this dilemma, we design and implement FHECAP, an FHE-based controller framework that can homomorphically apply non-linear functions to the actuators to rectify the system inputs. In FHECAP, we first design a novel data
encoding scheme tailored for efficient gain matrix evaluation. Then, we propose a high-precision homomorphic algorithm to apply non-arithmetic piecewise function to realize the actuator normalization. In the experiments, compared with the existing state-
of-the-art encrypted controllers, FHECAP achieves $4\times$--$1000\times$ reduction in computational latency. We evaluate the effectiveness of FHECAP in the real-world application of encrypted control for spacecraft rendezvous. The simulation results
show that the FHECAP achieves real-time spacecraft rendezvous with negligible accuracy loss.
## 2025/626
* Title: Tree-based Quantum Carry-Save Adder
* Authors: Hyunjun Kim, Sejin Lim, Kyungbae Jang, Siyi Wang, Anubhab Baksi, Anupam Chattopadhyay, Hwajeong Seo
* [Permalink](
https://eprint.iacr.org/2025/626)
* [Download](
https://eprint.iacr.org/2025/626.pdf)
### Abstract
Quantum computing is regarded as one of the most significant upcoming advancements in computer science.
Although fully operational quantum computers have yet to be realized, they are expected to solve specific problems that are difficult to solve using classical computers.
Given the limitations of quantum computing resources, it is crucial to design compact quantum circuits for core operations, such as quantum arithmetic.
In this paper, we focus on optimizing the circuit depth of quantum multi-operand addition, which is a fundamental component in quantum implementations (as an example, SHA-2).
Building on the foundational quantum carry-save approach by Phil Gossett, we introduce a tree-based quantum carry-save adder.
Our design integrates the Wallace and Dadda trees to optimize carry handling during multi-operand additions.
To further reduce circuit depth, we utilize additional ancilla qubits for parallel operations and introduce an efficient technique for reusing these ancilla qubits.
Our tree-based carry-save adder achieves the lowest circuit depth ($T$-depth) and provides an improvement of over 82% (up to 99%) in the qubit count–circuit depth product for multi-operand addition.
Furthermore, we apply our method to multiplication, achieving the lowest circuit depth and an improvement of up to 87% in the qubit count–circuit depth product.
## 2025/627
* Title: Everlasting Fully Dynamic Group Signatures
* Authors: Yimeng He, San Ling, Khai Hanh Tang, Huaxiong Wang
* [Permalink](
https://eprint.iacr.org/2025/627)
* [Download](
https://eprint.iacr.org/2025/627.pdf)
### Abstract
Group signatures allow a user to sign anonymously on behalf of a group of users while allowing a tracing authority to trace the signer's identity in case of misuse. In Chaum and van Heyst's original model (EUROCRYPT'91), the group needs to stay fixed.
Throughout various attempts, including partially dynamic group signatures and revocations, Bootle et al. (ACNS'16, J. Cryptol.) formalized the notion of fully dynamic group signatures (FDGS), enabling both enrolling and revoking users of the group.
However, in their scheme, the verification process needs to take into account the latest system information, and a previously generated signature will be invalidated as soon as, for example, there is a change in the group. We therefore raise a research
question: Is it possible to construct an FDGS under which the validity of a signature can survive future changes in the system information?
In this paper, we propose Everlasting Fully Dynamic Group Signatures (EFDGS) that allow signers to generate signatures that do not require verification with any specific epoch. Specifically, once the signatures are created, they are valid forever. It
also guarantees that the signer can only output such a signature when she is a valid user of the system. We realize the above new model by constructing a plausibly post-quantum standard-lattice-based EFDGS.
## 2025/628
* Title: Improving the Masked Division for the FALCON Signature
* Authors: Pierre-Augustin Berthet, Justine Paillet, CĂ©dric Tavernier, Lilian Bossuet, Brice Colombier
* [Permalink](
https://eprint.iacr.org/2025/628)
* [Download](
https://eprint.iacr.org/2025/628.pdf)
### Abstract
FALCON is a post-quantum signature selected by the National Institute of Standards and Technology (NIST). Although its side-channel resilience has been studied and a masking countermeasure proposed, the division is a major performance bottleneck. This
work proposes a different approach to the masked FALCON division. We use the Newton method and a convergent sequence to approximate this operation. The performance of the masked division is improved by a factor 6.7 for two shares and 6.98 for three
shares. For the Gaussian sampler, the improvements are of a factor 1.45 for two shares and 1.43 for three shares. Formal security proofs using the MIMO-SNI criteria are also provided.
## 2025/629
* Title: Audience Injection Attacks: A New Class of Attacks on Web-Based Authorization and Authentication Standards
* Authors: Pedram Hosseyni, Ralf Kuesters, Tim WĂĽrtele
* [Permalink](
https://eprint.iacr.org/2025/629)
* [Download](
https://eprint.iacr.org/2025/629.pdf)
### Abstract
We introduce audience injection attacks, a novel class of vulnerabilities that impact widely used Web-based authentication and authorization protocols, including OAuth 2.0, OpenID Connect, FAPI, CIBA, the Device Authorization Grant, and various well-
established extensions, such as Pushed Authorization Requests, Token Revocation, Token Introspection, and their numerous combinations.
These protocols underpin services for billions of users across diverse ecosystems worldwide, spanning low-risk applications like social logins to high-risk domains such as open banking, insurance, and healthcare.
Audience injection attacks exploit a critical weakness in a core security mechanism of these protocols - the handling of so-called audiences in signature-based client authentication mechanisms. This vulnerability allows attackers to compromise
fundamental security objectives whenever these mechanisms are utilized across two or more server endpoints. They enable the attacker to impersonate users and gain unauthorized access to their resources, even in high-security protocol families
specifically designed for sensitive applications.
We responsibly disclosed these vulnerabilities to the relevant standardization bodies, which recognized their severity.
In collaboration with these organizations, we developed fixes and supported a coordinated response, leading to an ongoing effort to update a dozen of standards, numerous major implementations, and far-reaching ecosystems.
## 2025/630
* Title: Charge Your Clients: Payable Secure Computation and Its Applications
* Authors: Cong Zhang, Liqiang Peng, Weiran Liu, Shuaishuai Li, Meng Hao, Lei Zhang, Dongdai Lin
* [Permalink](
https://eprint.iacr.org/2025/630)
* [Download](
https://eprint.iacr.org/2025/630.pdf)
### Abstract
The online realm has witnessed a surge in the buying and selling of data, prompting the emergence of dedicated data marketplaces. These platforms cater to servers (sellers), enabling them to set prices for access to their data, and clients (buyers), who
can subsequently purchase these data, thereby streamlining and facilitating such transactions. However, the current data market is primarily confronted with the following issues. Firstly, they fail to protect client privacy, presupposing that clients
submit their queries in plaintext. Secondly, these models are susceptible to being impacted by malicious client behavior, for example, enabling clients to potentially engage in arbitrage activities.
To address the aforementioned issues, we propose payable secure computation, a novel secure computation paradigm specifically designed for data pricing scenarios. It grants the server the ability to securely procure essential pricing information while
protecting the privacy of client queries. Additionally, it fortifies the server's privacy against potential malicious client activities. As specific applications, we have devised customized payable protocols for two distinct secure computation scenarios:
Keyword Private Information Retrieval (KPIR) and Private Set Intersection (PSI).
We implement our two payable protocols and compare them with the state-of-the-art related protocols that do not support pricing as a baseline. Since our payable protocols are more powerful in the data pricing setting, the experiment results show that
they do not introduce much overhead over the baseline protocols.
Our payable KPIR achieves the same online cost as baseline, while the setup is about $1.3-1.6\times$ slower than it. Our payable PSI needs about $2\times$ more communication cost than that of baseline protocol, while the runtime is $1.5-3.2\times$ slower
than it depending on the network setting.
## 2025/631
* Title: Dyna-hinTS: Silent Threshold Signatures for Dynamic Committees
* Authors: Aniket Kate, Pratyay Mukherjee, Samipa Samanta, Pratik Sarkar
* [Permalink](
https://eprint.iacr.org/2025/631)
* [Download](
https://eprint.iacr.org/2025/631.pdf)
### Abstract
The works of Garg et al. [S&P'24] (aka hinTS) and Das et al. [CCS'23] introduced the notion of silent threshold signatures (STS) - where a set of signers silently perform local computation to generate a public verification key. To sign a message, any set
of $t$ signers sign the message non-interactively and these are aggregated into a constant-sized signature. This paradigm avoids performing expensive Distributed Key Generation procedure for each set of signers while keeping the public verification key
constant-sized.
In this work, we propose the notion of committee-based silent threshold signature (c-STS) scheme. In a c-STS scheme, a set of signers initially perform a one-time setup to generate the verification key, and then a subset of signers are randomly chosen
for an epoch to perform the threshold signing while the other signers are not authorized to sign during that epoch. This captures existing systems like Ethereum Altair and Dfinity where only a specific committee is authorized to sign in a designated
epoch. The existing STS schemes cannot be extended to the committee setting because the signature verification only attests to the number of signing parties, not which committee they belong to.
So, we upgrade hinTS to the committee setting by proposing Dyna-hinTS. It is the $first$ c-STS scheme and it requires a one-time silent setup and generates a one-time public verification key that does not vary with the committee. Assuming a set of 1024
signers (with corrupt 682 signers), hinTS generates an aggregated signature in 1.7s whereas Dyna-hinTS generates it in $0.35$s within a committee of $80$ signers. This yields a $4.9\times$ improvement over hinTS for signature generation at the cost of
increasing signature verification time by $4\%$ over hinTS. Dyna-hinTS supports general access structure, weighted signatures and improves existing multiverse threshold signatures.
## 2025/632
* Title: On breaking McEliece keys using brute force
* Authors: Lorenz Panny
* [Permalink](
https://eprint.iacr.org/2025/632)
* [Download](
https://eprint.iacr.org/2025/632.pdf)
### Abstract
In the McEliece public-key encryption scheme, a private key is almost always not determined uniquely by its associated public key. This paper gives a structural characterization of equivalent private keys, generalizing a result known for the more
approachable special case $\lvert L\rvert=q$.
These equivalences reduce the cost estimate for a simple private-key search using the support-splitting algorithm (SSA) by a polynomial but practically very substantial factor.
We provide an optimized software implementation of the SSA for this kind of key search and demonstrate its capabilities in practice by solving a key-recovery challenge with a naïve a‑priori cost estimate of $2^{83}$ bit operations in just ${\approx}\,
1400$ core days, testing ${\approx}\,9400$ private-key candidates per core and second in the process.
We stress that the speedup from those equivalences is merely polynomial and does not indicate any weakness in realistic instantiations of the McEliece cryptosystem, whose parameter choices are primarily constrained by decoding attacks rather than
ludicrously more expensive key-recovery attacks.
## 2025/633
* Title: Hybrid-query bounds with partial input control - framework and application to tight M-eTCR
* Authors: Andreas HĂĽlsing, Mikhail Kudinov, Christian Majenz
* [Permalink](
https://eprint.iacr.org/2025/633)
* [Download](
https://eprint.iacr.org/2025/633.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)