## In this issue
1. [2025/748] Symphony of Speeds: Harmonizing Classic McEliece ...
2. [2025/749] GOLF: Unleashing GPU-Driven Acceleration for FALCON ...
3. [2025/750] Secure Rate-Distortion-Perception Trade-off Over ...
4. [2025/751] Improved Range Searching And Range Emptiness Under ...
5. [2025/752] LEAGAN: A Decentralized Version-Control Framework ...
6. [2025/753] Linear-Time Accumulation Schemes
7. [2025/754] On graph based pseudo quadratic multivariate maps ...
8. [2025/755] A Note on "CB-DA: Lightweight and Escrow-Free ...
9. [2025/756] PIRCOR: Communication-Optimal Hintless Single- ...
10. [2025/757] Threshold Niederreiter: Chosen-Ciphertext Security ...
11. [2025/758] Blockcipher-Based Key Commitment for Nonce-Derived ...
12. [2025/759] Let's DOIT: Using Intel's Extended HW/SW Contract ...
13. [2025/760] DGSP: An Efficient Scalable Fully Dynamic Group ...
14. [2025/761] TERRA : Trojan-Resilient Reverse-Firewall for ...
15. [2025/762] $\textbf{MALARIA}$: $\textbf{Ma}$nagement of ...
16. [2025/763] The Tangent Space Attack
17. [2025/764] Security of a secret sharing protocol on the Qline
18. [2025/765] ZKPoG: Accelerating WitGen-Incorporated End-to-End ...
19. [2025/766] Unbiasable Verifiable Random Functions from Generic ...
20. [2025/767] ALPACA: Anonymous Blocklisting with Constant-Sized ...
21. [2025/768] Incompleteness in Number-Theoretic Transforms: New ...
22. [2025/769] Finding the Inverse of some Shift Invariant ...
23. [2025/770] ZHE: Efficient Zero-Knowledge Proofs for HE Evaluations
24. [2025/771] Differential Fault Attacks on TFHE-friendly cipher ...
25. [2025/772] Publicly Auditable Garbled Circuit
26. [2025/773] Exploring Adversarial Attacks on the MaSTer ...
27. [2025/774] Towards a Modern LLL Implementation
28. [2025/775] AuthOr: Lower Cost Authenticity-Oriented Garbling ...
29. [2025/776] Clementine: A Collateral-Efficient, Trust- ...
30. [2025/777] Seamless Switching Between PBS and WoPBS for ...
31. [2025/778] Cryptography from Lossy Reductions: Towards OWFs ...
32. [2025/779] Improving the Round Complexity of MiniCast
33. [2025/780] The Planted Orthogonal Vectors Problem
34. [2025/781] Generalizing the Augot-Finiasz PKE to Other Code ...
35. [2025/782] AES Is Not Enough: the Block Ciphers Zoo Goes ...
36. [2025/783] Non-Adaptive Cryptanalytic Time-Space Lower Bounds ...
37. [2025/784] SHIP: A Shallow and Highly Parallelizable CKKS ...
38. [2025/785] DNDK: Combining Nonce and Key Derivation for Fast ...
39. [2025/786] Robust and Verifiable MPC with Applications to ...
40. [2025/787] Preprocessing for Life: Dishonest-Majority MPC with ...
41. [2025/788] Identity-Based Ring Signature from Quantum Token
42. [2025/789] Rushing at SPDZ: On the Practical Security of ...
43. [2025/790] PULSE: Parallel Private Set Union for Large-Scale ...
44. [2025/791] Analysis of One Privacy-Preserving Electricity Data ...
45. [2025/792] A Scrutiny of the Security of AES-based Hashing and ...
46. [2025/793] Solving systems of polynomial equations via ...
47. [2025/794] Formal Analysis of Multi-Device Group Messaging in ...
48. [2025/795] Efficient Noncommutative KEMs from Twisted Dihedral ...
49. [2025/796] Unified MEDS Accelerator
50. [2025/797] WEBCAT: Web-based Code Assurance and Transparency
51. [2025/798] CRAFT: Characterizing and Root-Causing Fault ...
## 2025/748
* Title: Symphony of Speeds: Harmonizing Classic McEliece Cryptography with GPU Innovation
* Authors: Wen Wu, Jiankuo Dong, Zhen Xu, Zhenjiang Dong, Dung Duong, Fu Xiao, Jingqiang Lin
* [Permalink](
https://eprint.iacr.org/2025/748)
* [Download](
https://eprint.iacr.org/2025/748.pdf)
### Abstract
The Classic McEliece key encapsulation mechanism (KEM), a candidate in the fourth-round post-quantum cryptography (PQC) standardization process by the National Institute of Standards and Technology (NIST), stands out for its conservative design and
robust security guarantees. Leveraging the code-based Niederreiter cryptosystem, Classic McEliece delivers high-performance encapsulation and decapsulation, making it well-suited for various applications. However, there has not been a systematic
implementation of Classic McEliece on GPU platforms. This paper presents the first high-performance implementation of Classic McEliece on NVIDIA GPUs. Firstly, we present the first GPU-based implementation of Classic McEliece, utilizing a ``CPU-GPU''
heterogeneous approach and a kernel fusion strategy. We significantly reduce global memory accesses, optimizing memory access patterns. This results in encapsulation and decapsulation performance of 28,628,195 ops/s and 3,051,701 ops/s, respectively, for
McEliece348864. Secondly, core operations like Additive Fast Fourier Transforms (AFFT), and Transpose AFFT (TAFFT) are optimized. We introduce the concept of the (T)AFFT stepping chain and propose two universal schemes: Memory Access Stepping Strategy (
MASS) and Layer-Fused Memory Access Stepping Strategy (LFMASS), which achieve a speedup of 30.56% and 38.37%, respectively, compared to the native
GPU-based McEliece6960119 implementation. Thirdly, extensive experiments on the NVIDIA RTX4090 show significant performance gains, achieving up to 344$\times$ higher encapsulation and 125$\times$ higher decapsulation compared to the official CPU-based
AVX implementation, decisively outperforming existing ARM Cortex-M4 and FPGA implementations.
## 2025/749
* Title: GOLF: Unleashing GPU-Driven Acceleration for FALCON Post-Quantum Cryptography
* Authors: Ruihao Dai, Jiankuo Dong, Mingrui Qiu, Zhenjiang Dong, Fu Xiao, Jingqiang Lin
* [Permalink](
https://eprint.iacr.org/2025/749)
* [Download](
https://eprint.iacr.org/2025/749.pdf)
### Abstract
Quantum computers leverage qubits to solve certain computational problems significantly faster than classical computers. This capability poses a severe threat to traditional cryptographic algorithms, leading to the rise of post-quantum cryptography (PQC)
designed to withstand quantum attacks. FALCON, a lattice-based signature algorithm, has been selected by the National Institute of Standards and Technology (NIST) as part of its post-quantum cryptography standardization process. However, due to the
computational complexity of PQC, especially in cloud-based environments, throughput limitations during peak demand periods have become a bottleneck, particularly for FALCON.
In this paper, we introduce GOLF (GPU-accelerated Optimization for Lattice-based FALCON), a novel GPU-based parallel acceleration framework for FALCON. GOLF includes algorithm porting to the GPU, compatibility modifications, multi-threaded parallelism
with distinct data, single-thread optimization for single tasks, and specific enhancements to the Fast Fourier Transform (FFT) module within FALCON. Our approach achieves unprecedented performance in FALCON acceleration on GPUs.
On the NVIDIA RTX 4090, GOLF reaches a signature generation throughput of 42.02 kops/s and a signature verification throughput of 10,311.04 kops/s. These results represent a 58.05$\times$ / 73.14$\times$ improvement over the reference FALCON
implementation and a 7.17$\times$ / 3.79$\times$ improvement compared to the fastest known GPU implementation to date. GOLF demonstrates that GPU acceleration is not only feasible for post-quantum cryptography but also crucial for addressing throughput
bottlenecks in real-world applications.
## 2025/750
* Title: Secure Rate-Distortion-Perception Trade-off Over Channels: A Randomized Distributed Function Computation (RDFC) Application
* Authors: Gustaf Ahlgren, Onur Gunlu
* [Permalink](
https://eprint.iacr.org/2025/750)
* [Download](
https://eprint.iacr.org/2025/750.pdf)
### Abstract
Secure rate-distortion-perception (RDP) trade-offs arise in critical applications, such as semantic compression and privacy-preserving generative coding, where preserving perceptual quality while minimizing distortion is vital. This paper studies a
framework for secure RDP over noiseless and noisy broadcast channels under strong secrecy constraints. We first characterize the exact secure RDP region for noiseless transmission channels. We then develop an inner bound on the secure RDP region for a
memoryless broadcast channel with correlated noise components at the receivers' observations and prove its tightness under a more capable broadcast channel assumption. Our results demonstrate how optimized binning schemes simultaneously achieve high
perceptual quality, low distortion, and strong secrecy, illuminating fundamental information-theoretic limits for next-generation trustworthy computation systems.
## 2025/751
* Title: Improved Range Searching And Range Emptiness Under FHE Using Copy-And-Recurse
* Authors: Eyal Kushnir, Hayim Shaul
* [Permalink](
https://eprint.iacr.org/2025/751)
* [Download](
https://eprint.iacr.org/2025/751.pdf)
### Abstract
Range counting is the problem of preprocessing a set $P\subset R^d$ of $n$ points, such that given a query range $\gamma$ we can efficiently compute $|P\cap\gamma|$. In the more general range searching problem the goal is to compute $f(P\cap\gamma)$, for
some function $f$.
It was already shown (Kushnir et al. PETS'24) how to efficiently answer a range searching query under FHE using a technique they called Copy-and-Recurse to traverse partition trees.
In the Range emptiness problem the goal is to compute only whether $P\cap\gamma =\emptyset$. This was shown (in plaintext) to be done more efficiently.
Range emptiness is interesting on its own and also used as a building block in other algorithms.
In this paper we improve and extend the results of Kushnir et al.
First, for range searching we reduce the overhead term to the optimal $O(n)$, so for example if the ranges are halfspaces in $R^d$ bounded by hyperplanes then range searching can be done with a circuit of size $O(t\cdot n^{1-1/d+\varepsilon}+n)$, where $
t$ is the size of the sub-circuit that checks whether a point lies under a hyperplane.
Second, we introduce a variation of copy-and-recurse that we call leveled copy-and-recurse. With this variation we improve range searching in the 1-dimensional case as well as traversal of other trees (e.g., binary trees and B-trees).
Third, we show how to answer range emptiness queries under FHE more efficiently than range counting.
We implemented our algorithms and show that our techniques for range emptiness yield a solution that is $\times 3.6$ faster than the previous results for a database of $2^{25}$ points.
## 2025/752
* Title: LEAGAN: A Decentralized Version-Control Framework for Upgradeable Smart Contracts
* Authors: Gulshan Kumar, Rahul Saha, Mauro Conti, William J Buchanan
* [Permalink](
https://eprint.iacr.org/2025/752)
* [Download](
https://eprint.iacr.org/2025/752.pdf)
### Abstract
Smart contracts are integral to decentralized systems like blockchains and enable the automation of processes through programmable conditions. However, their immutability, once deployed, poses challenges when addressing errors or bugs. Existing solutions,
such as proxy contracts, facilitate upgrades while preserving application integrity. Yet, proxy contracts bring issues such as storage constraints and proxy selector clashes - along with complex inheritance management. This paper introduces a novel
upgradeable smart contract framework with version control, named "decentraLized vErsion control and updAte manaGement in upgrAdeable smart coNtracts (LEAGAN)." LEAGAN is the first decentralized updatable smart contract framework that employs data
separation with Incremental Hash (IH) and Revision Control System (RCS). It updates multiple contract versions without starting anew for each update, and reduces time complexity, and where RCS optimizes space utilization through differentiated version
control. LEAGAN also introduces the first status contract in upgradeable smart contracts, and which reduces overhead while maintaining immutability. In Ethereum Virtual Machine (EVM) experiments, LEAGAN shows 40\% better space utilization, 30\% improved
time complexity, and 25\% lower gas consumption compared to state-of-the-art models. It thus stands as a promising solution for enhancing blockchain system efficiency.
## 2025/753
* Title: Linear-Time Accumulation Schemes
* Authors: Benedikt Bünz, Alessandro Chiesa, Giacomo Fenzi, William Wang
* [Permalink](
https://eprint.iacr.org/2025/753)
* [Download](
https://eprint.iacr.org/2025/753.pdf)
### Abstract
Proof-carrying data (PCD) is a powerful cryptographic primitive for computational integrity in a distributed setting. State-of-the-art constructions of PCD are based on accumulation schemes (and, closely related, folding schemes).
We present WARP, the first accumulation scheme with linear prover time and logarithmic verifier time. Our scheme is hash-based (secure in the random oracle model), plausibly post-quantum secure, and supports unbounded accumulation depth.
We achieve our result by constructing an interactive oracle reduction of proximity that works with any linear code over a sufficiently large field. We take a novel approach by constructing a straightline extractor that relies on erasure correction,
rather than error-tolerant decoding like prior extractors. Along the way, we introduce a variant of straightline round-by-round knowledge soundness that is compatible with our extraction strategy.
## 2025/754
* Title: On graph based pseudo quadratic multivariate maps of prescribed degree as instruments of key establishment
* Authors: Vasyl Ustimenko, Tymoteusz Chojecki
* [Permalink](
https://eprint.iacr.org/2025/754)
* [Download](
https://eprint.iacr.org/2025/754.pdf)
### Abstract
Let us assume that one of two trusted parties (administrator) manages the information system (IS) and another one (user) is going to use the resources of this IS during the certain time interval. So they need establish secure user’s access password to
the IS resources of this system via selected authenticated key exchange protocol. So they need to communicate via insecure communication channel and secretly con-struct a cryptographically strong session key that can serve for the establishment of
secure passwords in the form of tuples in certain alphabet during the certain time interval. Nowadays selected protocol has to be postquantum secure. We propose the implementation of this scheme in terms of Symbolic Computa-tions. The key exchange
protocol is one of the key exchange algorithms of Noncommutative Cryptography with the platform of multivariate transformation of the affine space over selected finite commutative ring. The session key is a multivariate map on the affine space.
Platforms and multivariate maps are construct-ed in terms of Algebraic Graph Theory.
## 2025/755
* Title: A Note on "CB-DA: Lightweight and Escrow-Free Certificate-Based Data Aggregation for Smart Grid"
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](
https://eprint.iacr.org/2025/755)
* [Download](
https://eprint.iacr.org/2025/755.pdf)
### Abstract
We show that the data aggregation scheme [IEEE TDSC, 2023, 20(3), 2011-2024] is flawed, because the signer only signs a part of data, not the whole data. An adversary can replace the unsigned component to cheat the verifier. To frustrate this attack,
all components of the target data should be concatenated together and then be hashed and signed, so as to ensure that the signature verification can prove the whole message integrity.
## 2025/756
* Title: PIRCOR: Communication-Optimal Hintless Single-Server PIR via Homomorphic Rotation
* Authors: Xue Yang, Ruida Wang, Depan Peng, Kun Liu, Xianhui Lu, Xiaohu Tang
* [Permalink](
https://eprint.iacr.org/2025/756)
* [Download](
https://eprint.iacr.org/2025/756.pdf)
### Abstract
This work addresses the hintless single-server Private Information Retrieval (PIR) from the perspective of high-level protocol design and introduces PIRCOR and PIRCOR$^{*}$ that outperform the state-of-the-art PIRANA (Liu et. al., IEEE S&P 2024) and YPIR
(Menon and Wu, USENIX Security 2024) in terms of the query size and the query generation time. In PIRCOR, we construct an efficient Rotation-based Expanded Binary Code (REBC) to expand $\alpha$ primary codewords into $\beta$ expanded codewords by the
Rotation-Mutual-Multiplication operation. By leveraging the innovative REBC, PIRCOR reduces the query size for single-query PIR by a factor of $\mathcal{O}\left(N^{\frac{\delta-1}{\delta}}\right)$ compared to PIRANA, while also avoiding the $\mathcal{O}(
N +\frac{|\mathrm{DB}|}{N})$ linear scaling inherent in YPIR ($N$, $\delta$ and $|\mathrm{DB}|$ are the (R)LWE secret dimension, the number of codewords with a Hamming weight of $1$ and the number of database elements). Based on PIRCOR, we further
present PIRCOR$^{*}$ by additionally introducing the Rotation-self-Multiplication operation, which achieves a $\mathbf{50\%}$ reduction in rotation operations and a smaller query size when $\delta = 2$.
Building upon PIRCOR and PIRCOR$^{*}$, we further propose their optimized variants, PIRCOR-op and PIRCOR$^{*}$-op, to further reduce the online response time. Similar to YPIR that leverage pre-processing, PIRCOR-op and PIRCOR$^{*}$-op allow all
rotations and part of multiplications to be carried out in an offline stage before receiving the query. Additionally, we also design FHE-operator acceleration with leveled optimization and implementation optimization of ciphertext rotation.
For 8 KB element retrieval in an 8 GB database, PIRCOR achieves a $\mathbf{10.7\times}$ query size reduction compared to PIRANA. When benchmarked against YPIR, the improvements are even more striking: PIRCOR reduces the query size by $\mathbf{26.8\times}$
and accelerates query generation by a staggering $\mathbf{6,080\times}$. Notably, the enhanced PIRCOR$^{*}$ achieves a $\mathbf{53.6\times}$ reduction in query size compared to YPIR, while improving query generation time by an impressive $\mathbf{12,160\
times}$.
## 2025/757
* Title: Threshold Niederreiter: Chosen-Ciphertext Security and Improved Distributed Decoding
* Authors: Pascal Giorgi, Fabien Laguillaumie, Lucas Ottow, Damien Vergnaud
* [Permalink](
https://eprint.iacr.org/2025/757)
* [Download](
https://eprint.iacr.org/2025/757.pdf)
### Abstract
Threshold public-key encryption securely distributes private key shares among multiple participants, requiring a minimum number of them to decrypt messages. We introduce a quantum-resistant threshold public-key encryption scheme based on the code-based
Niederreiter cryptosystem that achieves security against chosen ciphertext attacks. A previous attempt was made recently by Takahashi, Hashimoto, and Ogata (published at DCC in 2023) but we show that it contains a critical security flaw that allow
adversaries to exploit malformed ciphertexts to gain information about the secret key.
In this work, we formalize a generic conversion enhancing security of (classical) public-key encryption from one-wayness against passive attacks to indistinguishability against chosen-ciphertext attacks. The conversion uses a non-interactive zero-
knowledge argument with strong security properties to ensure ciphertext well-formedness. We then provide an instantiation for Niederreiter encryption based on recent techniques introduced in the "MPC-in-the-head" paradigm. The publicly verifiable
validity of ciphertexts makes this scheme suitable for threshold public-key encryption and prevents an attack similar to the one on Takahashi-Hashimoto-Ogata scheme. To improve the multi-party computation protocol for decryption (involving secure
computations on polynomials), we introduce a field-switching technique that allows to significantly reduce the shared secret key size and computational overhead.
## 2025/758
* Title: Blockcipher-Based Key Commitment for Nonce-Derived Schemes
* Authors: Panos Kampanakis, Shai Halevi, Nevine Ebeid, Matt Campagna
* [Permalink](
https://eprint.iacr.org/2025/758)
* [Download](
https://eprint.iacr.org/2025/758.pdf)
### Abstract
AES-GCM has been the status quo for efficient symmetric encryption for decades. As technology and cryptographic applications evolved over time, AES-GCM has posed some challenges to certain use-cases due to its default 96-bit nonce size, 128-bit block
size, and lack of key commitment. Nonce-derived schemes are one way of addressing these challenges: Such schemes derive multiple keys from nonce values, then apply standard AES-GCM with the derived keys (and possibly another 96-bit nonce). The approach
overcomes the nonce length and data limit issues since each derived key is only used to encrypt a few messages. By itself, the use of nonce-derived keys does not address key commitment, however. Some schemes chose to include a built-in key commitment
mechanism, while others left it out of scope.
In this work, we explore efficient key commitment methods that can be added to any nonce-derived scheme in a black-box manner. Our focus is on options that use the underlying block cipher and no other primitive, are efficient, and only use standard
primitives which are FIPS-approved. For concreteness we focus here specifically on adding key commitment to XAES-256-GCM, a nonce-scheme originally proposed by Filippo Valsorda, but these methods can be adapted to any other nonce-derived scheme. We
propose an efficient CMAC-based key commitment solution, and prove its security in the ideal-cipher model. We argue that adding this solution yields a FIPS-compliant mode, quantify the data and message length limits of this mode and compare this
combination to other nonce-derived modes. We also benchmark our key committing XAES-256-GCM performance.
## 2025/759
* Title: Let's DOIT: Using Intel's Extended HW/SW Contract for Secure Compilation of Crypto Code
* Authors: Santiago Arranz-Olmos, Gilles Barthe, Benjamin Grégoire, Jan Jancar, Vincent Laporte, Tiago Oliveira, Peter Schwabe
* [Permalink](
https://eprint.iacr.org/2025/759)
* [Download](
https://eprint.iacr.org/2025/759.pdf)
### Abstract
It is a widely accepted standard practice to implement cryptographic software so that secret inputs do not influence the cycle count. Software following this paradigm is often referred to as "constant-time" software and typically involves following three
rules: 1) never branch on a secret-dependent condition, 2) never access memory at a secret-dependent location, and 3) avoid variable-time arithmetic operations on secret data. The third rule requires knowledge about such variable-time arithmetic
instructions, or vice versa, which operations are safe to use on secret inputs. For a long time, this knowledge was based on either documentation or microbenchmarks, but critically, there were never any guarantees for future microarchitectures. This
changed with the introduction of the data-operand-independent-timing (DOIT) mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode on Arm CPUs. Both Intel and Arm document a subset of their respective instruction sets that are
intended to leak no information about their inputs through timing, even on future microarchitectures if the CPU is set to run in a dedicated DOIT (or DIT) mode.
In this paper, we present a principled solution that leverages DOIT to enable cryptographic software that is future-proof constant-time, in the sense that it ensures that only instructions from the DOIT subset are used to operate on secret data, even
during speculative execution after a mispredicted branch or function return location. For this solution, we build on top of existing security type systems in the Jasmin framework for high-assurance cryptography.
We then use our solution to evaluate the extent to which existing cryptographic software built to be "constant-time" is already secure in this stricter paradigm implied by DOIT and what the performance impact is to move from constant-time to future-proof
constant-time.
## 2025/760
* Title: DGSP: An Efficient Scalable Fully Dynamic Group Signature Scheme Using $\rm{SPHINCS}^+$
* Authors: Mojtaba Fadavi, Seyyed Arash Azimi, Sabyasachi Karati, Samuel Jaques * [Permalink](
https://eprint.iacr.org/2025/760)
* [Download](
https://eprint.iacr.org/2025/760.pdf)
### Abstract
A group signature scheme enables users of a group to anonymously sign messages on behalf of the group, while a designated authority can revoke anonymity when needed to ensure user accountability. Among group signature schemes, fully dynamic ones are
particularly desirable as they allow new users to join and misbehaved existing users to be revoked without requiring system-wide updates.
This paper introduces DGSP, a post-quantum fully dynamic group signature scheme that addresses key limitations of existing schemes like DGMT and SPHINX-in-the-Head (SITH). Leveraging the properties of ${\rm SPHINCS}^+$, DGSP achieves a superior balance
between scalability and efficiency by (i) supporting up to $2^{60}$ users, (ii) requiring negligible setup time, and (iii) featuring efficient algorithms with short signatures of constant-size. Notably, while DGMT is limited to $2^{15}$ users, DGSP
extends this to $2^{60}$ while keeping signatures compact—only 3.03 to 4.93 times larger than those of DGMT, yet just 0.021 to 0.004 times the size of SITH signatures. This makes DGSP a compelling solution for applications requiring both large-scale
user support and signature efficiency in the post-quantum setting. Moreover, DGSP strengthens managerial accountability compared to DGMT by (i) enabling users to verify their certificates generated by the manager and (ii) ensuring public verifiability of
the manager's signature attribution. Although SITH claims to support $2^{60}$ users, our analysis reveals that its opening algorithm is highly inefficient, making it impractical to handle such a large number of users.
Our security analysis shows that DGSP achieves unforgeability, anonymity, and traceability in the standard model. We also provide a complete implementation of DGSP. Our experimental study exhibits that DGSP is superior over existing schemes in terms of
efficiency and scalability.
## 2025/761
* Title: TERRA : Trojan-Resilient Reverse-Firewall for Cryptographic Applications
* Authors: Chandan Kumar, Nimish Mishra, Suvradip Chakraborty, Satrajit Ghosh, Debdeep Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2025/761)
* [Download](
https://eprint.iacr.org/2025/761.pdf)
### Abstract
Reverse firewalls (RFs), introduced by Mironov and Stephens Davidowitz at Eurocrypt 2015, provide a defence mechanism for cryptographic protocols against subversion attacks. In a subversion setting, an adversary compromises the machines of honest parties,
enabling the leakage of their secrets through the protocol transcript. Previous research in this area has established robust guarantees, including resistance against data exfiltration for an RF. In this work, we present a new perspective focused on the
implementation specifics of RFs. The inherently untrusted nature of RFs exposes their real-world implementations to the risk of Trojan insertion — an especially pressing issue in today’s outsourced supply chain ecosystem. We argue how Trojan-affected
RF implementations can compromise their core exfiltration resistance property, leading to a complete breakdown of the RF’s security guarantees.
Building on this perspective, we propose an enhanced definition for ``Trojan-resilient Reverse Firewalls'' (Tr-RF), incorporating an additional Trojan resilience property. We then present concrete instantiations of Tr-RFs for Coin Tossing (CT) and
Oblivious Transfer (OT) protocols, utilizing techniques from Private Circuit III (CCS'16) to convert legacy RFs into Tr-RFs. We also give simulation-based proofs to claim the enhanced security guarantees of our Tr-RF instantiations. Additionally, we
offer concrete implementations of our Tr-RF based CT and OT protocols utilizing the Open-Portable Trusted Execution Environment (OP-TEE). Through OP-TEE, we practically realize assumptions made in Private Circuit III that are critical to ensuring Tr-RF
security, bridging the gap between theoretical models and real-world applications. To the best of our knowledge, this provides the first practical implementation of reverse firewalls for any cryptographic functionality. Our work emphasizes the importance
of evaluating protocol specifications within implementation-specific contexts.
## 2025/762
* Title: $\textbf{MALARIA}$: $\textbf{Ma}$nagement of Low-$\textbf{La}$tency $\textbf{R}$outing $\textbf{I}$mpact on Mix Network $\textbf{A}$nonymity (Extended Version)
* Authors: Mahdi Rahimi
* [Permalink](
https://eprint.iacr.org/2025/762)
* [Download](
https://eprint.iacr.org/2025/762.pdf)
### Abstract
Mix networks (mixnets) offer robust anonymity even against adversaries monitoring all network links; however, they impose high latency on communications. To address this, recent research has explored strategic low-latency routing within mixnets. While
these strategies appear to reduce latency, their impact on mixnet anonymity has not been carefully assessed, raising concerns about potential deanonymization of clients. Tackling this challenge, this paper first quantifies the anonymity loss associated
with low-latency routing techniques in mixnets. Building on these insights, second, we introduce a novel low-latency routing method that maintains mixnet anonymity while achieving significant latency reductions compared to the state-of-the-art solution
LARMix (NDSS, 2024). Our approach also ensures a more balanced load distribution among mixnet nodes. Moreover, under adversarial conditions where parts of the mixnet are compromised, our method does not confer significant advantages to the adversary,
unlike LARMix. Thus, our proposal emerges as the optimal choice for low-latency routing in mixnets. Furthermore, we note that this version expands on both the analytical and experimental results of the previously published paper in NCA 2024, specifically
through investigating the anonymity of Loopix-like mixnets.
## 2025/763
* Title: The Tangent Space Attack
* Authors: Axel Lemoine
* [Permalink](
https://eprint.iacr.org/2025/763)
* [Download](
https://eprint.iacr.org/2025/763.pdf)
### Abstract
We propose a new method for retrieving the algebraic structure of a generic alternant code given an arbitrary generator matrix, provided certain conditions are met. We then discuss how this challenges the security of the McEliece cryptosystem
instantiated with this family of codes. The central object of our work is the quadratic hull related to a linear code, defined as the intersection of all quadrics passing through the columns of a given generator or parity-check matrix, where the columns
are considered as points in the affine or projective space. The geometric properties of this object reveal important information about the internal algebraic structure of the code. This is particularly evident in the case of generalized Reed-Solomon
codes, whose quadratic hull is deeply linked to a well-known algebraic variety called the rational normal curve. By utilizing the concept of Weil restriction of affine varieties, we demonstrate that the quadratic hull of a generic dual alternant code
inherits many interesting features from the rational normal curve, on account of the fact that alternant codes are subfield-subcodes of generalized Reed-Solomon codes. If the rate of the generic alternant code is sufficiently high, this allows us to
construct a polynomial-time algorithm for retrieving the underlying generalized Reed-Solomon code from which the alternant code is defined, which leads to an efficient key-recovery attack against the McEliece cryptosystem when instantiated with this
class of codes. Finally, we discuss the generalization of this approach to Algebraic-Geometry codes and Goppa codes.
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)