• [digest] 2025 Week 19 (1/2)

    From IACR ePrint Archive@21:1/5 to All on Mon May 12 02:23:45 2025
    ## In this issue

    1. [2024/559] Convolution-Friendly Image Compression in FHE
    2. [2025/799] Code-based Masking: From Fields to Bits Bitsliced ...
    3. [2025/800] Comparing classical and quantum conditional ...
    4. [2025/801] POBA: Privacy-Preserving Operator-Side Bookkeeping ...
    5. [2025/802] Optimizing Key Recovery in Classic McEliece: ...
    6. [2025/803] Universally Composable On-Chain Quadratic Voting ...
    7. [2025/804] Putting Sybils on a Diet: Securing Distributed Hash ...
    8. [2025/805] Accelerating Multiparty Noise Generation Using Lookups
    9. [2025/806] BERMUDA: A BPSec-Compatible Key Management Scheme ...
    10. [2025/807] Registered ABE for Circuits from Evasive Lattice ...
    11. [2025/808] Partially Registered Type of Multi-authority ...
    12. [2025/809] Don’t be mean: Reducing Approximation Noise in TFHE ...
    13. [2025/810] Actively Secure MPC in the Dishonest Majority ...
    14. [2025/811] Side-Channel Power Trace Dataset for Kyber Pair- ...
    15. [2025/812] Post-Quantum Cryptography in eMRTDs: Evaluating ...
    16. [2025/813] HydraProofs: Optimally Computing All Proofs in a ...
    17. [2025/814] Groebner Basis Cryptanalysis of Anemoi
    18. [2025/815] Security Analysis of NIST Key Derivation Using ...
    19. [2025/816] Randomized vs. Deterministic? Practical Randomized ...
    20. [2025/817] Relating Definitions of Computational Differential ...
    21. [2025/818] An Attack on TON’s ADNL Secure Channel Protocol
    22. [2025/819] SoK: Dlog-based Distributed Key Generation
    23. [2025/820] One Bit to Rule Them All – Imperfect Randomness ...
    24. [2025/821] Multi-Client Attribute-Based and Predicate ...
    25. [2025/822] Generalization of semi-regular sequences: Maximal ...
    26. [2025/823] Sampling Arbitrary Discrete Distributions for RV ...
    27. [2025/824] A Specification of an Anonymous Credential System ...
    28. [2025/825] High-Performance FPGA Implementations of ...
    29. [2025/826] Repeated Agreement is Cheap! On Weak Accountability ...
    30. [2025/827] Fast Enhanced Private Set Union in the Balanced and ...

    ## 2024/559

    * Title: Convolution-Friendly Image Compression in FHE
    * Authors: Axel Mertens, Georgio Nicolas, Sergi Rovira
    * [Permalink](https://eprint.iacr.org/2024/559)
    * [Download](https://eprint.iacr.org/2024/559.pdf)

    ### Abstract

    During the past few decades, the field of image processing has grown to cradle hundreds of applications,
    many of which are outsourced to be computed on trusted remote servers.
    More recently, Fully Homomorphic Encryption (FHE) has grown
    in parallel as a powerful tool enabling computation on encrypted data,
    and transitively on untrusted servers. As a result, new FHE-supported applications have emerged, but not all
    have reached practicality due to hardware, bandwidth
    or mathematical constraints inherent to FHE. One example is processing encrypted images, where practicality is closely related to bandwidth availability.
    In this paper, we propose and implement a novel technique for
    FHE-based image compression and decompression. Our technique is a stepping stone
    towards practicality of encrypted image-processing and
    applications such as private inference, object recognition, satellite-image searching
    or video editing.

    Inspired by the JPEG standard, and with new FHE-friendly compression/decompression algorithms, our technique allows a client
    to compress and encrypt images before sending them to a server,
    greatly reducing the required bandwidth.
    The server homomorphically decompresses a ciphertext to obtain
    an encrypted image to which generic
    pixel-wise processing or convolutional filters can be applied.
    To reduce the round-trip bandwidth requirement, we also propose
    a method for server-side post-processing compression.

    Using our pipeline, we demonstrate that a high-definition grayscale image ($1024\times1024$) can be homomorphically decompressed, processed and
    re-compressed in $\sim 8.1$s with a compression ratio of 100/34.4 on a standard personal computer
    without compromising on fidelity.



    ## 2025/799

    * Title: Code-based Masking: From Fields to Bits Bitsliced Higher-Order Masked SKINNY
    * Authors: John Gaspoz, Siemen Dhooghe
    * [Permalink](https://eprint.iacr.org/2025/799)
    * [Download](https://eprint.iacr.org/2025/799.pdf)

    ### Abstract

    Masking is one of the most prevalent and investigated countermeasures against side-channel analysis. As an alternative to the simple (e.g., additive) encoding function of Boolean masking, a collection of more algebraically complex masking types has
    emerged. Recently, inner product masking and the more generic code-based masking have proven to enable higher theoretical security properties than Boolean masking. In CARDIS 2017, Poussier et al. connected this "security order amplification" effect to
    the bit-probing model, demonstrating that for the same shared size, sharings from more complex encoding functions exhibit greater resistance to higher-order attacks. Despite these advantages, masked gadgets designed for code-based implementations face
    significant overhead compared to Boolean masking. Furthermore, existing code-based masked gadgets are not designed for efficient bitslice representation, which is highly beneficial for software implementations. Thus, current code-based masked gadgets are
    constrained to operate over words (e.g., elements in $\mathbb{F}_{2^k}$), limiting their applicability to ciphers where the S-box can be efficiently computed via power functions, such as AES. In this paper, we address the aforementioned limitations. We
    first introduce foundational masked linear and non-linear circuits that operate over bits of code-based sharings, ensuring composability and preserving bit-probing security, specifically achieving $t$-Probe Isolating Non-Interference ($t$-PINI).
    Utilizing these circuits, we construct masked ciphers that operate over bits, preserving the security order amplification effect during computation. Additionally, we present an optimized bitsliced masked assembly implementation of the SKINNY cipher,
    which outperforms Boolean masking in terms of randomness and gate count. The third-order security of this implementation is formally proven and validated through practical side-channel leakage evaluations on a Cortex-M4 core, confirming its robustness
    against leakages up to one million traces.



    ## 2025/800

    * Title: Comparing classical and quantum conditional disclosure of secrets
    * Authors: Uma Girish, Alex May, Leo Orshansky, Chris Waddell
    * [Permalink](https://eprint.iacr.org/2025/800)
    * [Download](https://eprint.iacr.org/2025/800.pdf)

    ### Abstract

    The conditional disclosure of secrets (CDS) setting is among the most basic primitives studied in information-theoretic cryptography. Motivated by a connection to non-local quantum computation and position-based cryptography, CDS with quantum resources
    has recently been considered. Here, we study the differences between quantum and classical CDS, with the aims of clarifying the power of quantum resources in information-theoretic cryptography. We establish the following results:

    1) For perfectly correct CDS, we give a separation for a promise version of the not-equals function, showing a quantum upper bound of $O(\log n)$ and classical lower bound of $\Omega(n)$.

    2) We prove a $\Omega(\log \mathsf{R}_{0,A\rightarrow B}(f)+\log \mathsf{R}_{0,B\rightarrow A}(f))$ lower bound on quantum CDS where $\mathsf{R}_{0,A\rightarrow B}(f)$ is the classical one-way communication complexity with perfect correctness.

    3) We prove a lower bound on quantum CDS in terms of two round, public coin, two-prover interactive proofs.

    4) We give a logarithmic upper bound for quantum CDS on forrelation, while the best known classical algorithm is linear. We interpret this as preliminary evidence that classical and quantum CDS are separated even with correctness and security error
    allowed.

    We also give a separation for classical and quantum private simultaneous message passing for a partial function, improving on an earlier relational separation. Our results use novel combinations of techniques from non-local quantum computation and
    communication complexity.



    ## 2025/801

    * Title: POBA: Privacy-Preserving Operator-Side Bookkeeping and Analytics
    * Authors: Dennis Faut, Valerie Fetzer, Jörn Müller-Quade, Markus Raiber, Andy Rupp
    * [Permalink](https://eprint.iacr.org/2025/801)
    * [Download](https://eprint.iacr.org/2025/801.pdf)

    ### Abstract

    Many user-centric applications face a common privacy problem: the need to collect, store, and analyze sensitive user data. Examples include check-in/check-out based payment systems for public transportation, charging/discharging electric vehicle
    batteries in smart grids, coalition loyalty programs, behavior-based car insurance, and more. We propose and evaluate a generic solution to this problem. More specifically, we provide a formal framework integrating privacy-preserving data collection,
    storage, and analysis, which can be used for many different application scenarios, present an instantiation, and perform an experimental evaluation of its practicality.

    We consider a setting where multiple operators (e.g., different mobility providers, different car manufacturers and insurance companies), who do not fully trust each other, intend to maintain and analyze data produced by the union of their user sets. The
    data is collected in an anonymous (w.r.t. all operators) but authenticated way and stored in so-called user logbooks. In order for the operators to be able to perform analyses at any time without requiring user interaction, the logbooks are kept on the
    operator's side. Consequently, this potentially sensitive data must be protected from unauthorized access. To achieve this, we combine several selected cryptographic techniques, such as threshold signatures and oblivious RAM. The latter ensures that user
    anonymity is protected even against memory access pattern attacks.

    To the best of our knowledge, we provide and evaluate the first generic framework that combines data collection, operator-side data storage, and data analysis in a privacy-preserving manner, while providing a formal security model, a UC-secure protocol,
    and a full implementation. With three operators, our implementation can handle over two million new logbook entries per day.



    ## 2025/802

    * Title: Optimizing Key Recovery in Classic McEliece: Advanced Error Correction for Noisy Side-Channel Measurements
    * Authors: Nicolas Vallet, Pierre-Louis Cayrel, Brice Colombier, Vlad-Florin Dragoi, Vincent Grosso
    * [Permalink](https://eprint.iacr.org/2025/802)
    * [Download](https://eprint.iacr.org/2025/802.pdf)

    ### Abstract

    Classic McEliece is one of the code-based Key Encapsulation Mechanism finalists in the ongoing NIST post-quantum cryptography standardization process. Several key-recovery side-channel attacks on the decapsulation algorithm have already been published.
    However, none of them discusses the feasibility and/or efficiency of the attack in the case of noisy side-channel acquisitions. In this paper, we address this issue by proposing two improvements on the recent key-recovery attack published by Drăgoi et al.
    First, we introduce an error correction algorithm for the lists of Hamming weights obtained by side-channel measurements, based on the assumption, validated experimentally, that the error on a recovered Hamming weight is bounded to $\pm1$. We then
    offer a comparison between two decoding efficiency metrics, the theoretical minimal error correction capability and an empirical average correction probability. We show that the minimal error correction capability, widely used for linear codes, is not
    suitable for the (non-linear) code formed by the lists of Hamming weights. Conversely, experimental results show that out of 1 million random erroneous lists of $2t=128$ Hamming weights, only 2 could not be corrected by the proposed algorithm. This shows
    that the probability of successfully decoding a list of erroneous Hamming weights is very high, regardless of the error weight. In addition to this algorithm, we describe how the secret Goppa polynomial $g$, recovered during the first step of the attack,
    can be exploited to reduce both the time and space complexity of recovering the secret permuted support $\mathcal{L}$.



    ## 2025/803

    * Title: Universally Composable On-Chain Quadratic Voting for Liquid Democracy
    * Authors: Lyudmila Kovalchuk, Bingsheng Zhang, Andrii Nastenko, Zeyuan Yin, Roman Oliynykov, Mariia Rodinko
    * [Permalink](https://eprint.iacr.org/2025/803)
    * [Download](https://eprint.iacr.org/2025/803.pdf)

    ### Abstract

    Decentralized governance plays a critical role in blockchain communities, allowing stakeholders to shape the evolution of platforms such as Cardano, Gitcoin, Aragon, and MakerDAO through distributed voting on proposed projects in order to support the
    most beneficial of them. In this context, numerous voting protocols for decentralized decision-making have been developed, enabling secure and verifiable voting on individual projects (proposals). However, these protocols are not designed to support more
    advanced models such as quadratic voting (QV), where the voting power, defined as the square root of a voter’s stake, must be distributed among the projects selected by the voter. Simply executing multiple instances of a single-choice voting scheme in
    parallel is insufficient, as it cannot enforce correct voting power splitting. To address this, we propose an efficient blockchain-based voting protocol that supports liquid democracy under the QV model, while ensuring voter privacy, fairness and
    verifiability of the voting results. In our scheme, voters can delegate their votes to trusted representatives (delegates), while having the ability to distribute their voting power across selected projects. We model our protocol in the Universal
    Composability framework and formally prove its UC-security under the Decisional Diffie–Hellman (DDH) assumption. To evaluate the performance of our protocol, we developed a prototype implementation and conducted performance testing. The results show
    that the size and processing time of a delegate’s ballot scale linearly with the number of projects, while a voter’s ballot scales linearly with both the number of projects and the number of available delegation options. In a representative setting
    with 64 voters, 128 delegates and 128 projects, the overall traffic amounts to approximately 2.7 MB per voted project, confirming the practicality of our protocol for modern blockchain-based governance systems.



    ## 2025/804

    * Title: Putting Sybils on a Diet: Securing Distributed Hash Tables using Proofs of Space
    * Authors: Christoph U. Günther, Krzysztof Pietrzak
    * [Permalink](https://eprint.iacr.org/2025/804)
    * [Download](https://eprint.iacr.org/2025/804.pdf)

    ### Abstract

    Distributed Hash Tables (DHTs) are peer-to-peer protocols that serve as building blocks for more advanced applications. Recent examples, motivated by blockchains, include decentralized storage networks (e.g., IPFS), data availability sampling, or
    Ethereum's peer discovery protocol.

    In the blockchain context, DHTs are vulnerable to Sybil attacks, where an adversary compromises the network by joining with many malicious nodes. Mitigating such attacks requires restricting the adversary's ability to create a lot of Sybil nodes.
    Surprisingly, the above applications take no such measures. Seemingly, existing techniques are unsuitable for the proposed applications.

    For example, a simple technique proposed in the literature uses proof of work (PoW), where nodes periodically challenge their peers to solve computational challenges. This, however, does not work well in practice. Since the above applications do not
    require honest nodes to have a lot of computational power, challenges cannot be too difficult. Thus, even moderately powerful hardware can sustain many Sybil nodes.

    In this work, we investigate using Proof of Space (PoSp) to limit the number of Sybils in DHTs. While PoW proves that a node wastes computation, PoSp proves that a node wastes disk space. This aligns better with the resource requirements of the above
    applications. Many of them are related to storage and ask honest nodes to contribute a substantial amount of disk space to ensure the application's functionality.

    With this synergy in mind, we propose a mechanism to limit Sybils where honest nodes dedicate a fraction of their disk space to PoSp. This guarantees that the adversary cannot control a constant fraction of all DHT nodes unless it provides a constant
    fraction of the whole disk space contributed to the application in total. Since this is typically a significant amount, attacks become economically expensive.



    ## 2025/805

    * Title: Accelerating Multiparty Noise Generation Using Lookups
    * Authors: Fredrik Meisingseth, Christian Rechberger, Fabian Schmid
    * [Permalink](https://eprint.iacr.org/2025/805)
    * [Download](https://eprint.iacr.org/2025/805.pdf)

    ### Abstract

    There is rising interest in combining Differential Privacy (DP) and Secure Multiparty Computation (MPC) techniques to protect distributed database query evaluations from both adversaries taking part in the computation and those observing the outputs.
    This requires implementing both the query evaluation and noise generation parts of a DP mechanism directly in MPC. While query evaluation can be done using existing highly optimized MPC techniques for secure function evaluation, efficiently generating
    the correct noise distribution is a more novel challenge.
    Due to the inherent nonlinearity of sampling algorithms for common noise distributions, this challenge is quite non-trivial, as is evident from the substantial number of works proposing protocols for multiparty noise sampling. In this work, we
    propose a new approach for joint noise sampling that leverages recent advances in multiparty lookup table (LUT) evaluations. The construction we propose is largely agnostic to the target noise distribution and builds on obliviously evaluating the LUT at
    an index drawn from a distribution that can be very cheaply generated in MPC, thus translating this cheap distribution into the much more complicated target noise distribution. In our instantiation, the index is a concatenation of cheaply biased bits,
    and we approximate a discrete Laplace distribution to a negligible statistical distance. We demonstrate the concrete efficiency of the construction by implementing it using 3-party replicated secret sharing (RSS) in the honest-majority setting with both
    semi-honest and malicious security. In particular, we achieve sub-kilobyte communication complexity, being an improvement over the state-of-the-art by several orders of magnitude and a computation time of a few milliseconds. Samples of a discrete Laplace
    distribution are generated with (amortized over $1000$ samples) 362 bytes of communication and under a millisecond computation time per party in the semi-honest setting. Using recent results for batched multiplication checking, we have an overhead for
    malicious security that, per sample, amortizes to below a byte of communication and 10 ms of runtime.
    Finally, our open-source implementation extends the online-to-total communication trade-off for MAESTRO-style lookup tables which might be of independent interest.



    ## 2025/806

    * Title: BERMUDA: A BPSec-Compatible Key Management Scheme for DTNs
    * Authors: Fiona Fuchs, Felix Walter, Florian Tschorsch
    * [Permalink](https://eprint.iacr.org/2025/806)
    * [Download](https://eprint.iacr.org/2025/806.pdf)

    ### Abstract

    Delay- and Disruption-tolerant Networks (DTNs) enable communication in challenging environments like space and underwater. Despite the need for secure communication, key management remains an unresolved challenge in DTNs.
    Both DTN security protocols, BSP and BPSec, explicitly exclude key management from their scope, and research in this area remains limited. Traditional Internet-based key management methods are largely unsuitable due to the unique constraints of DTNs. In
    this paper, we present BERMUDA, a BPSec-compatible key management framework for unicast messaging. Our approach combines established building blocks, including a hierarchical PKI and ECDH, with an adapted version of NOVOMODO for certificate revocation.
    To evaluate its applicability, we implement a DTN chat application as an example use case and analyze the system's scalability. While our findings demonstrate the feasibility of BERMUDA for DTNs, we also show limitations related to scalability and
    computational load in resource-constrained scenarios. By bridging the gap between conceptual designs and practical deployment, this work advances key management research in DTNs, contributing to secure communication in these demanding networks.



    ## 2025/807

    * Title: Registered ABE for Circuits from Evasive Lattice Assumptions
    * Authors: Xinrui Yang, Yijian Zhang, Ying Gao, Jie Chen
    * [Permalink](https://eprint.iacr.org/2025/807)
    * [Download](https://eprint.iacr.org/2025/807.pdf)

    ### Abstract

    Attribute-based encryption (ABE) enables fine-grained access control but traditionally depends on a central authority to issue decryption keys. Key-policy registered ABE removes this trust assumption by letting users generate their own keys and register
    public keys with an untrusted curator, who aggregates them into a compact master public key for encryption.

    In this paper, we propose a black-box construction of key-policy registered attribute-based encryption from lattice assumptions in the standard model. Technically, our starting point is the registration-based encryption scheme by Döttling et al.
    (Eurocrypt, 2023). Building on this foundation, we incorporate the public-coin evasive learning with errors (LWE) assumption and the tensor LWE assumption introduced by Wee (Eurocrypt, 2022) to construct a registered ABE scheme that supports arbitrary
    bounded-depth circuit policies. Compared to prior private-coin approaches, our scheme is based on more intuitive and transparent security assumptions. Furthermore, the entire construction relies solely on standard lattice-based homomorphic evaluation
    techniques, without relying on other expensive cryptographic primitives. The scheme also enjoys scalability: the sizes of the master public key, helper decryption key and ciphertext grow polylogarithmically with the number of users. Each user's key pair
    remains succinct, with both the public and secret keys depending solely on the security parameter and the circuit depth.



    ## 2025/808

    * Title: Partially Registered Type of Multi-authority Attribute-based Encryption
    * Authors: Viktória I. Villányi, Vladimir Božović
    * [Permalink](https://eprint.iacr.org/2025/808)
    * [Download](https://eprint.iacr.org/2025/808.pdf)

    ### Abstract

    Attribute-based encryption can be considered a generalization of public key encryption, enabling fine-grained access control over
    encrypted data using predetermined access policies. In general, we distinguish between key-policy and ciphertext-policy attribute-based encryption schemes. Our new scheme is built upon the multi-authority
    attribute-based encryption with an honest-but-curious central authority
    scheme in a key-policy setting presented earlier by Božović et al., and it can be considered an extension of their scheme. In their paper, trust was shared between the central authority and the participating authorities,
    who were responsible for issuing attribute-specific secret keys. The central authority was not capable of decrypting any message as long as there
    exists an honest attribute authority. In our new scheme, we maintain this feature, and add another level of security by allowing users to participate
    in the key generation process and contribute to the final user-specific attribute secret keys. Users gain more control over their own secret keys,
    and they will be the only parties with access to the final user-specific
    secret keys. Furthermore, no secure channels, only authenticated communication channels are needed between users and authorities. After the
    modifications our scheme will be closer to the registered multi-authority attribute-based encryption. We refer to our scheme as a partially registered type of multi-authority attribute-based encryption scheme. We
    prove the security of our scheme in the Selective-ID model.



    ## 2025/809

    * Title: Don’t be mean: Reducing Approximation Noise in TFHE through Mean Compensation
    * Authors: Thomas de Ruijter, Jan-Pieter D'Anvers, Ingrid Verbauwhede
    * [Permalink](https://eprint.iacr.org/2025/809)
    * [Download](https://eprint.iacr.org/2025/809.pdf)

    ### Abstract

    Fully Homomorphic Encryption (FHE) allows computations on encrypted data without revealing any information about the data itself. However, FHE ciphertexts include noise for security reasons, which increases during operations and can lead to decryption
    errors. This paper addresses the noise introduced during bootstrapping in Torus Fully Homomorphic Encryption (TFHE), particularly focusing on approximation errors during modulus switching and gadget decomposition. We propose a mean compensation technique
    that removes the mean term from the noise equations, achieving up to a twofold reduction in noise variance. This method can be combined with bootstrap key unrolling for further noise reduction. Mean compensation can reduce the error probability of a
    standard parameter set from $2^{-64.30}$ to $2^{-100.47}$, or allows the selection of more efficient parameters leading to a speedup of bootstrapping up to a factor $2.14\times$.



    ## 2025/810

    * Title: Actively Secure MPC in the Dishonest Majority Setting: Achieving Constant Complexity in Online Communication, Computation Per Gate, Rounds, and Private Input Size
    * Authors: Seunghwan Lee, Jaesang Noh, Taejeong Kim, Dohyuk Kim, Dong-Joon Shin
    * [Permalink](https://eprint.iacr.org/2025/810)
    * [Download](https://eprint.iacr.org/2025/810.pdf)

    ### Abstract

    SPDZ-style and BMR-style protocols are widely known as practical MPC protocols that achieve active security in the dishonest majority setting. However, to date, SPDZ-style protocols have not achieved constant rounds, and BMR-style protocols have
    struggled to achieve scalable communication or computation. Additionally, there exist fully homomorphic encryption (FHE)-based MPC protocols that achieve both constant rounds and scalable communication, but they face challenges in achieving active
    security in the dishonest majority setting and are considered impractical due to computational inefficiencies.

    In this work, we propose an MPC framework that constructs an efficient and scalable FHE-based MPC protocol by integrating a linear secret sharing scheme (LSSS)-based MPC and FHE. The resulting FHE-based MPC protocol achieves active security in the
    dishonest majority setting and constant complexity in online communication, computation per gate, rounds, and private input size. Notably, when instantiated with the SPDZ protocol and gate FHE for the framework, the resulting FHE-based MPC protocol
    efficiently achieves active security in the dishonest majority setting by using SPDZ-style MAC and ensures the computation per gate time within 3 ms. Moreover, its offline phase achieves scalable communication and computation, both of which grow linearly
    with the number of parties $n$. In other words, the proposed FHE-based MPC preserves the key advantages of existing FHE-based MPCs and simultaneously overcomes their weaknesses. As a result, the proposed FHE-based MPC is highly practical and
    secure, like SPDZ-style and BMR-style protocols.

    For the first time, we introduce the concept of circuit-privacy, which ensures that external adversaries who eavesdrop on communications do not obtain information about the circuit. We rigorously prove that our construction inherently satisfies circuit-privacy, thereby establishing a novel security option for MPC.



    ## 2025/811

    * Title: Side-Channel Power Trace Dataset for Kyber Pair-Pointwise Multiplication on Cortex-M4
    * Authors: Azade Rezaeezade, Trevor Yap, Dirmanto Jap, Shivam Bhasin, Stjepan Picek
    * [Permalink](https://eprint.iacr.org/2025/811)
    * [Download](https://eprint.iacr.org/2025/811.pdf)

    ### Abstract

    We present a dataset of side-channel power measurements captured during pair-pointwise multiplication in the decapsulation procedure of the Kyber Key Encapsulation Mechanism (KEM). The dataset targets the pair-pointwise multiplication step in the NTT
    domain, a key computational component of Kyber. The dataset is collected using the reference implementation from the PQClean project. We hope the dataset helps in research in "classical" power analysis and deep learning-based side-channel attacks on
    post-quantum cryptography (PQC).



    ## 2025/812

    * Title: Post-Quantum Cryptography in eMRTDs: Evaluating PAKE and PKI for Travel Documents
    * Authors: Nouri Alnahawi, Melissa Azouaoui, Joppe W. Bos, Gareth T. Davies, SeoJeong Moon, Christine van Vredendaal, Alexander Wiesmaier
    * [Permalink](https://eprint.iacr.org/2025/812)
    * [Download](https://eprint.iacr.org/2025/812.pdf)

    ### Abstract

    Passports, identity cards and travel visas are examples of machine readable travel documents (MRTDs) or eMRTDs for their electronic variants. The security of the data exchanged between these documents and a reader is secured with a standardized password
    authenticated key exchange (PAKE) protocol known as PACE.

    A new world-wide protocol migration is expected with the arrival of post-quantum cryptography (PQC) standards. In this paper, we focus on the impact of this migration on constrained embedded devices as used in eMRTDs. We present a feasibility study of a
    candidate post-quantum secure PAKE scheme as the replacement for PACE on existing widely deployed resource-constrained chips. In a wider context, we study the size, performance and security impact of adding post-quantum cryptography with a focus on chip
    storage and certificate chains for existing eMRTDs.

    We show that if the required post-quantum certificates for the eMRTD fit in memory, the migration of existing eMRTD protocols to their post-quantum secure equivalent is already feasible but a performance penalty has to be paid. When using a resource
    constrained SmartMX3 P71D600 smart card, designed with classical cryptography in mind, then execution times of a post-quantum secure PAKE algorithm using the recommended post-quantum parameter of the new PQC standard ML-KEM can be done in under a second.
    This migration will be aided by future inclusion of dedicated hardware accelerators and increased memory to allow storage of larger keys and improve performance.



    ## 2025/813

    * Title: HydraProofs: Optimally Computing All Proofs in a Vector Commitment (with applications to efficient zkSNARKs over data from multiple users)
    * Authors: Christodoulos Pappas, Dimitris Papadopoulos, Charalampos Papamanthou
    * [Permalink](https://eprint.iacr.org/2025/813)
    * [Download](https://eprint.iacr.org/2025/813.pdf)

    ### Abstract


    [continued in next message]

    * Origin: fsxNet Usenet Gateway (21:1/5)