## In this issue
1. [2023/1543] Switching the Top Slice of the Sandwich with Extra ...
2. [2025/193] On the Average Random Probing Model
3. [2025/669] SoK: FHE-Friendly Symmetric Ciphers and Transciphering
4. [2025/670] Biextensions in pairing-based cryptography
5. [2025/671] A Dilithium-like Multisignature in Fully Split Ring ...
6. [2025/672] Simpler and Faster Pairings from the Montgomery Ladder
7. [2025/673] Hybrid Fingerprinting for Effective Detection of ...
8. [2025/674] On the Security of Two IKKR-type Code-Based ...
9. [2025/675] Trilithium: Efficient and Universally Composable ...
10. [2025/676] Onion Encryption Revisited: Relations Among ...
11. [2025/677] Impossible Differential Attack on SAND-128
12. [2025/678] Recovering S-Box Design Structures and Quantifying ...
13. [2025/679] Efficient SPA Countermeasures using Redundant ...
14. [2025/680] Pirouette: Query Efficient Single-Server PIR
15. [2025/681] Quantum Periodic Distinguisher Construction: ...
16. [2025/682] SUMAC: an Efficient Administrated-CGKA Using ...
17. [2025/683] On the Definition of Malicious Private Information ...
18. [2025/684] Post-quantum Cryptographic Analysis of SSH
19. [2025/685] Proofs of Useful Work from Arbitrary Matrix ...
20. [2025/686] Fast amortized bootstrapping with small keys and ...
21. [2025/687] Myco: Unlocking Polylogarithmic Accesses in ...
22. [2025/688] Uncertainty Estimation in Neural Network-enabled ...
23. [2025/689] Neural network design options for RNG's verification
24. [2025/690] Zero-Knowledge Protocol for Knowledge of Known ...
25. [2025/691] Let us walk on the 3-isogeny graph: efficient, ...
26. [2025/692] DahLIAS: Discrete Logarithm-Based Interactive ...
27. [2025/693] Accountable Liveness
28. [2025/694] A Formal Security Analysis of Hyperledger AnonCreds
29. [2025/695] Efficient Foreign-Field Arithmetic in PLONK
30. [2025/696] Faster amortized bootstrapping using the incomplete ...
31. [2025/697] A Multi-Differential Approach to Enhance Related- ...
32. [2025/698] Mind the Grammar: Side-Channel Analysis driven by ...
33. [2025/699] Threshold (Fully) Homomorphic Encryption
34. [2025/700] Fherret: Proof of FHE Correct-and-Honest Evaluation ...
35. [2025/701] Hermes: Efficient and Secure Multi-Writer Encrypted ...
36. [2025/702] Two Party Secret Shared Joins
37. [2025/703] Priv-PFL: A Privacy-Preserving and Efficient ...
38. [2025/704] Reducing Honest Re-Encryption Attack to Chosen ...
39. [2025/705] Breaking ECDSA with Two Affinely Related Nonces
40. [2025/706] The Role of Quantum Computing in Enhancing ...
41. [2025/707] Post Quantum Cryptography (PQC) Signatures Without ...
42. [2025/708] Strong keys for tensor isomorphism cryptography
43. [2025/709] Thunderbolt: A Formally Verified Protocol for Off- ...
44. [2025/710] Arbigraph: Verifiable Turing-Complete Execution ...
## 2023/1543
* Title: Switching the Top Slice of the Sandwich with Extra Filling Yields a Stronger Boomerang for NLFSR-based Block Ciphers
* Authors: Amit Jana, Mostafizar Rahman, Prathamesh Ram, Dhiman Saha, Goutam Paul
* [Permalink](https://eprint.iacr.org/2023/1543)
* [Download](https://eprint.iacr.org/2023/1543.pdf)
### Abstract
The Boomerang attack was one of the first attempts to visualize a cipher ($E$) as a composition of two sub-ciphers ($E_1\circ E_0$) to devise and exploit two high-probability (say $p,q$) shorter trails instead of relying on a single low-probability (say $s$) longer trail for differential cryptanalysis. The attack generally works whenever $p^2 \cdot q^2 > s$. However, it was later succeeded by the so-called ``sandwich attack'', which essentially splits the cipher into three parts $E'_1\circ E_m \circ E'_0$, adding an additional middle layer ($E_m$) with distinguishing probability of $p^2\cdot r\cdot q^2$. It is primarily the generalization of a body of research in this direction that investigates what is referred to as the switching activity and captures the dependencies and potential incompatibilities of the layers that the middle layer separates.
This work revisits the philosophy of the sandwich attack over multiple rounds for NLFSR-based block ciphers and introduces a new method to find high-probability boomerang distinguishers. The approach formalizes boomerang attacks using only ladder and AND switches. The cipher is treated as $E = E_1 \circ E_m$, a specialized form of a sandwich attack which we call the ``open-sandwich attack''. The distinguishing probability for this attack configuration is $r \cdot q^2$.
Using this innovative approach, the study successfully identifies a deterministic boomerang distinguisher for the keyed permutation of the TinyJambu cipher over 320 rounds. Additionally, a 640-round boomerang with a probability of $2^{-22}$ is presented with a 95% success rate. In the related-key setting, we unveil full-round boomerangs with probabilities of $2^{-19}$, $2^{-18}$, and $2^{-12}$ for all three variants, demonstrating a 99% success rate. Similarly, for Katan-32, a more effective related-key boomerang spanning 140 rounds with a probability of $2^{-15}$ is uncovered with a 70% success rate. Further, in the single-key setting, an 84-round boomerang with probability $2^{-30}$ is found with a success rate of 60%. This research deepens the understanding of boomerang attacks, enhancing the toolkit for cryptanalysts to develop efficient and impactful attacks on NLFSR-based block ciphers.
## 2025/193
* Title: On the Average Random Probing Model
* Authors: Julien Béguinot, Loïc Masure
* [Permalink](https://eprint.iacr.org/2025/193)
* [Download](https://eprint.iacr.org/2025/193.pdf)
### Abstract
Masking is one of the main countermeasures against side-channel analysis since it relies on provable security. In this context, “provable” means that a security bound can be exhibited for the masked implementation through a theoretical analysis in a given threat model. The main goal in this line of research is therefore to provide the tightest security bound, in the most realistic model, in the most generic way. Yet, all of these objectives cannot be reached together. That is why the masking literature has introduced a large spectrum of threat models and reductions between them, depending on the desired trade-off with respect to these three goals. In this paper, we focus on three threat models, namely the noisy-leakage model (realistic yet hard to work with), the random probing model (unrealistic yet easy to work with), and more particularly a third, intermediate model called average random probing. Average random probing was introduced by Dziembowski et al. at Eurocrypt 2015 in order to exhibit a tight reduction between the noisy-leakage and random probing models, recently proven by Brian et al. at Eurocrypt 2024. This milestone has strong practical consequences, since otherwise the reduction from the noisy leakage model to the random probing model introduces a prohibitively high constant factor in the security bound, preventing security evaluators from using it in practice. However, we exhibit a gap between the average random probing definitions of Dziembowski et al. (denoted hereafter by DFS-ARP) and Brian et al. (simply denoted by ARP). Whereas any noisy leakage can be tightly reduced to DFS-ARP, we show in this paper that it cannot be tightly reduced to ARP unless extra assumptions are made, e.g., that the noisy leakage is deterministic. Our proof techniques do not involve more tools than the ones used so far in such reductions, namely basic probability facts and known properties of the total variation distance. As a consequence, the reduction from the noisy leakage to the random probing — without high constant factor — remains unproven. This stresses the need to clarify the practical relevance of analyzing the security of masking in the random probing model, since most of the current efforts towards improving the constructions and their security proofs in the random probing model might be hindered by a potentially unavoidable loss in the reduction from more realistic but currently less investigated leakage models.
## 2025/669
* Title: SoK: FHE-Friendly Symmetric Ciphers and Transciphering
* Authors: Chao Niu, Benqiang Wei, Zhicong Huang, Zhaomin Yang, Cheng Hong, Meiqin Wang, Tao Wei
* [Permalink](https://eprint.iacr.org/2025/669)
* [Download](https://eprint.iacr.org/2025/669.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) enables computation on encrypted data without decryption, demonstrating significant potential for privacy-preserving applications. However, FHE faces several challenges, one of which is the significant plaintext-to-ciphertext expansion ratio, resulting in high communication overhead between client and server. The transciphering technique can effectively address this problem by first encrypting data with a space-efficient symmetric cipher, then converting symmetric ciphertext to FHE ciphertext without decryption.
Numerous FHE-friendly symmetric ciphers and transciphering methods have been developed by researchers, each with unique advantages and limitations. These often require extensive knowledge of both symmetric cryptography and FHE to fully grasp, making comparison and selection among these schemes challenging. To address this, we conduct a comprehensive survey of over 20 FHE-friendly symmetric ciphers and transciphering methods, evaluating them based on criteria such as security level, efficiency, and compatibility. We have designed and executed experiments to benchmark the performance of the feasible combinations of symmetric ciphers and transciphering methods across various application scenarios. Our findings offer insights into achieving efficient transciphering tailored to different task contexts. Additionally, we make our example code available open-source, leveraging state-of-the-art FHE implementations.
## 2025/670
* Title: Biextensions in pairing-based cryptography
* Authors: Jianming Lin, Damien Robert, Chang-An Zhao, Yuhao Zheng
* [Permalink](https://eprint.iacr.org/2025/670)
* [Download](https://eprint.iacr.org/2025/670.pdf)
### Abstract
Bilinear pairings constitute a cornerstone of public-key cryptography, where advancements in Tate pairings and their efficient variants have emerged as a critical research domain within cryptographic science. Currently, the computation of pairings can be effectively implemented through three distinct algorithmic approaches: Miller's algorithm, the elliptic net algorithm (as developed by Stange), and cubical-based algorithms (as proposed by Damien Robert). Biextensions are the geometric object underlying the arithmetic of pairings, and all three approaches can be seen as different ways to represent biextension elements. In this paper, we revisit the biextension geometric point of view for pairing computation and investigate in more detail the cubical representation for pairing-based cryptography. Utilizing the twisting isomorphism, we derive explicit formulas and algorithmic frameworks for the ate pairing and optimal ate pairing computations. Additionally, we present detailed formulas and introduce an optimized shared cubical ladder algorithm for super-optimal ate pairings. Through concrete computational analyses, we compare the performance of our cubical-based methods with Miller's algorithm on various well-known families of pairing-friendly elliptic curves. Our results demonstrate that the cubical-based algorithm outperforms Miller's algorithm by bits in certain specific situations, establishing its potential as an alternative for pairing computation.
## 2025/671
* Title: A Dilithium-like Multisignature in Fully Split Ring and Quantum Random Oracle Model
* Authors: Shimin Pan, Tsz Hon Yuen, Siu-Ming Yiu
* [Permalink](https://eprint.iacr.org/2025/671)
* [Download](https://eprint.iacr.org/2025/671.pdf)
### Abstract
Multisignature schemes are crucial for secure operations in digital wallets and escrow services within smart contract platforms, particularly in the emerging post-quantum era. Existing post-quantum multisignature constructions either do not address the stringent requirements of the Quantum Random Oracle Model (QROM) or fail to achieve practical efficiency due to suboptimal parameter choices.
In this paper, we present a novel Dilithium-based multisignature scheme designed to be secure in the QROM and optimized for practical use. Our scheme operates over the polynomial ring $\mathbb{Z}_q[X]/(X^n+1)$ with $q \equiv 1 \pmod{2n}$, enabling full splitting of the ring and allowing for efficient polynomial arithmetic via the Number Theoretic Transform (NTT). This structure not only ensures post-quantum security but also bridges the gap between theoretical constructs and real-world implementation needs.
We further propose a new hardness assumption, termed $\nu$-SelfTargetMSIS, extending SelfTargetMSIS (Eurocrypt 2018) to accommodate multiple challenge targets. We prove its security in the QROM and leverage it to construct a secure and efficient multisignature scheme. Our approach avoids the limitations of previous techniques, reduces security loss in the reduction, and results in a more compact and practical scheme suitable for deployment in post-quantum cryptographic systems.
## 2025/672
* Title: Simpler and Faster Pairings from the Montgomery Ladder
* Authors: Giacomo Pope, Krijn Reijnders, Damien Robert, Alessandro Sferlazza, Benjamin Smith
* [Permalink](https://eprint.iacr.org/2025/672)
* [Download](https://eprint.iacr.org/2025/672.pdf)
### Abstract
We show that Montgomery ladders compute pairings as a by-product, and explain how a small adjustment to the ladder results in simple and efficient algorithms for the Weil and Tate pairing on elliptic curves using cubical arithmetic. We demonstrate the efficiency of the resulting cubical pairings in several applications from isogeny-based cryptography. Cubical pairings are simpler and more performant than pairings computed using Miller's algorithm: we get a speed-up of over 40% for use-cases in SQIsign, and a speed-up of about 7% for use-cases in CSIDH. While these results arise from a deep connection to biextensions and cubical arithmetic, in this article we keep things as concrete (and digestible) as possible. We provide a concise and complete introduction to cubical arithmetic as an appendix.
## 2025/673
* Title: Hybrid Fingerprinting for Effective Detection of Cloned Neural Networks
* Authors: Can Aknesil, Elena Dubrova, Niklas Lindskog, Jakob Sternby, Håkan Englund
* [Permalink](https://eprint.iacr.org/2025/673)
* [Download](https://eprint.iacr.org/2025/673.pdf)
### Abstract
As artificial intelligence plays an increasingly important role in decision-making within critical infrastructure, ensuring the authenticity and integrity of neural networks is crucial. This paper addresses the problem of detecting cloned neural networks. We present a method for identifying clones that employs a combination of metrics from both the information and physical domains: output predictions, probability score vectors, and power traces measured from the device running the neural network during inference. We compare the effectiveness of each metric individually, as well as in combination. Our results show that the effectiveness of both the information and the physical domain metrics is excellent for a clone that is a near replica of the target neural network. Furthermore, both the physical domain metric individually and the hybrid approach outperformed the information domain metrics at detecting clones whose weights were extracted with low accuracy. The presented method offers a practical solution for verifying neural network authenticity and integrity. It is particularly useful in scenarios where neural networks are at risk of model extraction attacks, such as in cloud-based machine learning services.
## 2025/674
* Title: On the Security of Two IKKR-type Code-Based Cryptosystems
* Authors: Kirill Vedenev
* [Permalink](https://eprint.iacr.org/2025/674)
* [Download](https://eprint.iacr.org/2025/674.pdf)
### Abstract
The paper analyzes the security of two recently proposed code-based cryptosystems that employ encryption of the form $y = m G_{\text{pub}} + e E_{\text{pub}}$: the Krouk-Kabatiansky-Tavernier (KKT) cryptosystem and the Lau-Ivanov-Ariffin-Chin-Yap (LIACY) cryptosystem. We demonstrate that the KKT cryptosystem can be reduced to a variant of the McEliece scheme, where a small set of columns in the public generator matrix is replaced with random ones. This reduction implies that the KKT cryptosystem is vulnerable to existing attacks on Wieschebrink's encryption scheme, particularly when Generalized Reed-Solomon (GRS) codes are used. In addition, we present a full key-recovery attack on the LIACY cryptosystem by exploiting its linear-algebraic structure and leveraging distinguishers of subcodes of GRS codes. Our findings reveal critical vulnerabilities in both systems, effectively compromising their security despite their novel designs.
## 2025/675
* Title: Trilithium: Efficient and Universally Composable Distributed ML-DSA Signing
* Authors: Antonín Dufka, Semjon Kravtšenko, Peeter Laud, Nikita Snetkov
* [Permalink](https://eprint.iacr.org/2025/675)
* [Download](https://eprint.iacr.org/2025/675.pdf)
### Abstract
In this paper, we present Trilithium: a protocol for distributed key generation and signing compliant with FIPS 204 (ML-DSA). Our protocol allows two parties, "server" and "phone", with the assistance of a correlated randomness provider (CRP), to produce a standard ML-DSA signature. We prove our protocol to be secure against a malicious server or phone in the universal composability (UC) model, introducing some novel techniques to argue the security of two-party secure computation protocols with active security against one party, but only active privacy against the other. We provide an implementation of our protocol in Rust and benchmark it, showing the practicality of the protocol.
## 2025/676
* Title: Onion Encryption Revisited: Relations Among Security Notions
* Authors: Daichong Chao, Liehuang Zhu, Dawei Xu, Tong Wu, Chuan Zhang, Fuchun Guo
* [Permalink](https://eprint.iacr.org/2025/676)
* [Download](https://eprint.iacr.org/2025/676.pdf)
### Abstract
This paper compares the relative strengths of prominent security notions for onion encryption within the Tor setting, specifically focusing on CircuitHiding (EUROCRYPT 2018, an anonymity-flavor notion) and OnionAE (PETS 2018, a stateful authenticated encryption-flavor notion). Although both are state-of-the-art, Tor-specific notions, they have exhibited different definitional choices, along with variations in complexity and usability. By employing an indirect approach, we compare them using a set of onion layer-centric notions: IND\$-CPA, IPR/IPR$^+$, and INT-sfCTXT, to compare with the two, respectively. Since the same notion set that implies OnionAE does not imply CircuitHiding, and vice versa, this leads to the conclusion that OnionAE and CircuitHiding are mutually separable. Therefore, neither notion fully expresses satisfactory security on its own. Importantly, IND\$-CPA, IPR$^+$ (a stronger variant of IPR), and INT-sfCTXT collectively and strictly imply OnionAE and CircuitHiding. Given their onion layer-centric and thus simpler nature, this provides a practical approach to simultaneously satisfying CircuitHiding and OnionAE. While the formal treatment of (general) public-key onion routing has been relatively well-studied, formal treatment tailored to Tor remains insufficient, and thus our work narrows this gap.
## 2025/677
* Title: Impossible Differential Attack on SAND-128
* Authors: Nobuyuki Sugio
* [Permalink](https://eprint.iacr.org/2025/677)
* [Download](https://eprint.iacr.org/2025/677.pdf)
### Abstract
Impossible differential attack is one of the major cryptanalytical methods for symmetric-key block ciphers. In this paper, we evaluate the security of SAND-128 against impossible differential attack. SAND is an AND-RX-based lightweight block cipher proposed by Chen et al. in Designs, Codes and Cryptography 2022. There are two variants of SAND, namely SAND-64 and SAND-128, due to structural differences. In this paper, we search for impossible differential distinguishers of SAND-128 using Constraint Programming (CP) and reveal 14-round impossible differential distinguishers. The number of 14-round distinguishers is $2^{14} \times 7 = 114,688$. Furthermore, we demonstrate a key recovery attack on 21-round SAND-128. The complexities of the attack are $2^{124}$ data, $2^{127.2}$ encryptions, and $2^{122}$ bytes of memory, respectively. Although this result currently achieves the best attack on round-reduced SAND-128, this attack does not threaten the security of SAND-128 against impossible differential attack.
## 2025/678
* Title: Recovering S-Box Design Structures and Quantifying Distances between S-Boxes using Deep Learning
* Authors: Donggeun Kwon, Deukjo Hong, Jaechul Sung, Seokhie Hong
* [Permalink](https://eprint.iacr.org/2025/678)
* [Download](https://eprint.iacr.org/2025/678.pdf)
### Abstract
At ASIACRYPT’19, Bonnetain et al. demonstrated that an S-box can be distinguished from a permutation chosen uniformly at random by quantifying the distances between their behaviors. In this study, we extend this approach by proposing a deep learning-based method to quantify distances between two different S-boxes and evaluate similarities in their design structures. First, we introduce a deep learning-based framework that trains a neural network model to recover the design structure of a given S-box based on its cryptographic table. We then interpret the decision-making process of our trained model to analyze which coefficients in the table play significant roles in identifying S-box structures. Additionally, we investigate the inference results of our model across various scenarios to evaluate its generalization capabilities. Building upon these insights, we propose a novel approach to quantify distances between structurally different S-boxes. Our method effectively assesses structural similarities by embedding S-boxes using the deep learning model and measuring the distances between their embedding vectors. Furthermore, experimental results confirm that this approach is also applicable to structures that the model has never seen during training. Our findings demonstrate that deep learning can reveal the underlying structural similarities between S-boxes, highlighting its potential as a powerful tool for S-box reverse-engineering.
## 2025/679
* Title: Efficient SPA Countermeasures using Redundant Number Representation with Application to ML-KEM
* Authors: Rishub Nagpal, Vedad Hadžić, Robert Primas, Stefan Mangard
* [Permalink](https://eprint.iacr.org/2025/679)
* [Download](https://eprint.iacr.org/2025/679.pdf)
### Abstract
Simple power analysis (SPA) attacks and their extensions, profiled and soft-analytical side-channel attacks (SASCA), represent a significant threat to the security of cryptographic devices and remain among the most powerful classes of passive side-channel attacks. In this work, we analyze how numeric representations of secrets can affect the amount of exploitable information leakage available to the adversary. We present an analysis of how mutual information changes as a result of the integer ring size relative to the machine word-size. Furthermore, we study the Redundant Number Representation (RNR) countermeasure and show that its application to ML-KEM can resist the most powerful SASCA attacks and provides a low-cost alternative to shuffling. We evaluate the performance of RNR-ML-KEM with both simulated and practical SASCA experiments on the ARM Cortex-M4 based on a worst-case attack methodology. We show that RNR-ML-KEM sufficiently renders these attacks ineffective. Finally, we evaluate the performance of the RNR-ML-KEM NTT and INTT and show that SPA security can be achieved with a 62.8% overhead for the NTT and 0% overhead for the INTT relative to the ARM Cortex-M4 reference implementation used.
## 2025/680
* Title: Pirouette: Query Efficient Single-Server PIR
* Authors: Jiayi Kang, Leonard Schild
* [Permalink](https://eprint.iacr.org/2025/680)
* [Download](https://eprint.iacr.org/2025/680.pdf)
### Abstract
Private information retrieval (PIR) allows a client to query a public database privately and serves as a key building block for privacy-enhancing applications. Minimizing query size is particularly important in many use cases, for example when clients operate on low-power or bandwidth-constrained devices. However, existing PIR protocols exhibit large query sizes: to query $2^{25}$ records, the smallest query size of 14.8KB is reported in Respire [Burton et al., CCS'24]. Respire is based on fully homomorphic encryption (FHE), where a common approach to lower the client-to-server communication cost is transciphering. When combining the state-of-the-art transciphering [Bon et al., CHES'24] with Respire, the resulting protocol (referred to as T-Respire) has a 336B query size, while incurring a 16.2x higher server computation cost than Respire.
Our work presents the Pirouette protocol, which achieves a query size of just 36B without transciphering. This represents a 9.3x reduction compared to T-Respire and a 420x reduction compared to Respire. For queries over $2^{25}$ records, the single-core server computation in Pirouette is only 2x slower than Respire and 8.1x faster than T-Respire, and the server computation is highly parallelizable. Furthermore, Pirouette requires no database-specific hint for clients and naturally extends to support queries over encrypted databases.
## 2025/681
* Title: Quantum Periodic Distinguisher Construction: Symbolization Method and Automated Tool
* Authors: Qun Liu, Haoyang Wang, Jinliang Wang, Boyun Li, Meiqin Wang
* [Permalink](https://eprint.iacr.org/2025/681)
* [Download](https://eprint.iacr.org/2025/681.pdf)
### Abstract
As one of the famous quantum algorithms, Simon's algorithm enables the efficient derivation of the period of periodic functions in polynomial time. However, the complexity of constructing periodic functions has hindered the widespread application of Simon's algorithm in symmetric-key cryptanalysis. Currently, aside from the exhaustive search-based testing method introduced by Canale et al. at CRYPTO 2022, there is no unified model for effectively searching for periodic distinguishers. Although Xiang et al. established a link between periodic function and truncated differential theory at ToSC 2024, their approach lacks the ability to construct periods using unknown differentials and does not provide automated tools. This limitation underscores the inadequacy of existing methods in identifying periodic distinguishers for complex structures. In this paper, we address the challenge of advancing periodic distinguishers for symmetric-key ciphers. First, we propose a more generalized theory for constructing periodic distinguishers, addressing the limitations of Xiang et al.'s theory in handling unknown differences. We further extend our theory to probabilistic periodic distinguishers, thereby extending the separability property proposed by Hodžić et al. in 2020. As a result, our theory can cover a wider range of periodic distinguishers. Second, we introduce a novel symbolic representation to simplify the search for periodic distinguishers. Based upon this representation, we propose the first fully automated SMT-based search model, which efficiently addresses the challenges of manual searching in complex structures. Finally, we extend the model to SPN structures based on our new theory. Our model has broad applicability through significant advancements in analyzing generalized Feistel structures (GFSs) and SPN-based ciphers. As a general model, we have achieved new quantum distinguishers with the following round configurations: 10 rounds for GFS-4F, 10 rounds for LBlock, 10 rounds for TWINE, and 16 rounds for Skipjack-B, improving the previous best results by 2, 2, 2, and 3 rounds, respectively. In the domain of SPN-based ciphers, our model has enabled the identification of novel periodic distinguishers, including the first 9-round distinguisher for SKINNY and the first 12-round distinguisher for CRAFT. These achievements lay the foundation for quantum cryptanalysis of SPN-based ciphers using Simon’s algorithm.
## 2025/682
* Title: SUMAC: an Efficient Administrated-CGKA Using Multicast Key Agreement
* Authors: Nicolas Bon, Céline Chevalier, Guirec Lebrun, Ange Martinelli
* [Permalink](https://eprint.iacr.org/2025/682)
* [Download](https://eprint.iacr.org/2025/682.pdf)
### Abstract
Since the standardization of the Secure Group Messaging protocol Messaging Layer Security (MLS) [4], whose core subprotocol is a Continuous Group Key Agreement (CGKA) mechanism named TreeKEM, CGKAs have become the norm for group key exchange protocols. However, in order to alleviate the security issue originating from the fact that all users in a CGKA are able to carry out sensitive operations on the member group, an augmented protocol called Administrated-CGKA (A-CGKA) has recently been created [2]. An A-CGKA includes in the cryptographic protocol the management of the administration rights that restrict the set of privileged users, giving strong security guarantees for the group administration. The protocol designed in [2] is a plugin added to a regular (black-box) CGKA, which consequently adds some complexity to the underlying CGKA and curtails its performance. Yet, leaving the fully decentralized paradigm of a CGKA offers the perspective of new, potentially more efficient protocol designs.
We propose in this paper an A-CGKA called SUMAC, which offers strongly enhanced communication and storage performance compared to other A-CGKAs and even to TreeKEM. Our protocol is based on a novel design that modularly combines a regular CGKA used by the administrators of the group and a Tree-structured Multicast Key Agreement (TMKA) [9] – which is a centralized group key exchange mechanism administrated by a single group manager – between each administrator and all the standard users. That TMKA gives SUMAC an asymptotic communication cost logarithmic in the number of users, similarly to a CGKA. However, the concrete performance of our protocol is much better than that of a CGKA, especially in the post-quantum setting, due to the intensive use of secret-key cryptography, which needs less bandwidth than the public-key encryption schemes of a CGKA.
In practice, SUMAC improves the communication cost of TreeKEM by a factor of 1.4 to 2.4 for admin operations and a factor of 2 to 38 for user operations. Similarly, its storage cost divides that of TreeKEM by a factor of 1.3 to 23 for an administrator and 3.9 to 1,070 for a standard user.
Our analysis of SUMAC is provided along with a ready-to-use open-source Rust implementation that confirms the feasibility and the performance of our protocol.
## 2025/683
* Title: On the Definition of Malicious Private Information Retrieval
* Authors: Bar Alon, Amos Beimel
* [Permalink](https://eprint.iacr.org/2025/683)
* [Download](https://eprint.iacr.org/2025/683.pdf)
### Abstract
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)