From Newsgroup: sci.crypt
## In this issue
1. [2025/1000] Post-Quantum Multi-Message Public Key Encryption ...
2. [2025/1059] Post-Quantum Security of Keyed Sponge-Based ...
3. [2025/1495] Pairwise independence of AES-like block ciphers
4. [2025/1503] Constraint-Friendly Map-to-Elliptic-Curve-Group ...
5. [2025/1507] A Novel Quantum Voting System Based on Quantum ...
6. [2025/1508] Ion: Concretely Efficient Submaximal-Fluid MPC with ...
7. [2025/1509] LEAP: High-Performance Lattice-Based Pseudorandom ...
8. [2025/1510] Mosformer: Maliciously Secure Three-Party Inference ...
9. [2025/1511] Updatable aPAKE: Security Against Bulk ...
10. [2025/1512] Virtual End-to-End Encryption: Analysis of the ...
11. [2025/1513] d/v-CLSAG: Extension for Concise Linkable ...
12. [2025/1514] Rigorous Methods for Computational Number Theory
13. [2025/1515] Privacy-Preserving Federated Inference for Genomic ...
14. [2025/1516] GoSSamer: Lightweight and Linear-Communication ...
15. [2025/1517] Universally Composable Treatment of Multi-Party ...
16. [2025/1518] Sequential Indifferentiability of STH and EDM
17. [2025/1519] Does the UC-Security Notion for PAKE Imply Game- ...
18. [2025/1520] DAWN: Smaller and Faster NTRU Encryption via Double ...
19. [2025/1521] Universally Composable Subversion-Resilient ...
20. [2025/1522] Constant-Size Inner Product Arguments for Group- ...
21. [2025/1523] Decoupling Support Enumeration and Value Discovery ...
22. [2025/1524] AUPCH: Auditable Unlinkable Payment Channel Hubs
23. [2025/1525] Making Hard Problems Easier with Custom Data ...
24. [2025/1526] A general secondary construction of Boolean ...
25. [2025/1527] Universally Composable Transaction Order Fairness: ...
26. [2025/1528] Trustless Delegation of Vector Commitment ...
27. [2025/1529] UC-Security of the ZK-NR Protocol under Contextual ...
28. [2025/1530] PolySys: an Algebraic Leakage Attack Engine
29. [2025/1531] Improved Semi-Free-Start Collision Attacks on ...
30. [2025/1532] Breaking the Layer Barrier: Remodeling Private ...
31. [2025/1533] PARSAN-Mix: Packet-Aware Routing and Shuffling with ...
32. [2025/1534] RBOOT: Accelerating Homomorphic Neural Network ...
33. [2025/1535] Tight Bounds on Uniform-Challenge Black-Box ...
34. [2025/1536] Inner-Product Commitments Over Integers With ...
35. [2025/1537] Privacy-Preserving Two-Party RBF Kernel SVM ...
36. [2025/1538] Evaluating Ascon in Secure Multi-Party Computation ...
37. [2025/1539] EvH: Randomized Symmetric Cipher Paradigm with ...
38. [2025/1540] A Fine-Grained and Real-Time Functional Video ...
39. [2025/1541] Adaptive Attack on Static POK|e Keys
40. [2025/1542] SAT-Based Space Partitioning and Applications to ...
41. [2025/1543] Multiforked Iterated Even-Mansour and a Note on the ...
42. [2025/1544] MDS Diffusion Layers for Arithmetization-Oriented ...
## 2025/1000
* Title: Post-Quantum Multi-Message Public Key Encryption from Extended Reproducible PKE
* Authors: Hongxiao Wang, Ron Steinfeld, Markku-Juhani O. Saarinen, Muhammed F. Esgin, Siu-Ming Yiu
* [Permalink](
https://eprint.iacr.org/2025/1000)
* [Download](
https://eprint.iacr.org/2025/1000.pdf)
### Abstract
In applications such as secure group communication and broadcasting, it is important to $\mathit{efficiently}$ deliver multiple messages to different recipients at once. To this end, multi-message multi-recipient Public Key Encryption (mmPKE) enables the batch encryption of multiple messages for multiple independent recipients in one go, significantly reducing costsrCoparticularly bandwidthrCocompared to the trivial solution of encrypting each message individually. This capability is especially desirable in the post-quantum setting, where the ciphertext length is typically significantly larger than the corresponding plaintext. However, almost all prior works on mmPKE are limited to quantum-vulnerable traditional assumptions.
In this work, we propose the $\mathit{first}$ CPA-secure mmPKE and Multi-Key Encapsulation Mechanism (mmKEM) from the $\mathit{standard}$ Module Learning with Errors (MLWE) lattice assumption, named $\mathsf{mmCipher}\text{-}\mathsf{PKE}$ and $\mathsf{mmCipher}\text{-}\mathsf{KEM}$, respectively. This resolves a long-standing open problem posed by Bellare et al. (PKC '03). Our design proceeds in two steps: (i) We introduce a novel generic construction of mmPKE by proposing a new PKE variantrCo$\mathit{extended~reproducible~PKE~(XR\mbox{-}PKE)}$rCothat enables the reproduction of ciphertexts through additional hints; (ii) We instantiate a lattice-based XR-PKE using a new technique that can precisely estimate the impact of such hints on the ciphertext security while also establishing suitable parameters. We believe both to be of independent interest. As a bonus contribution, we explore generic constructions of $\mathit{adaptively~secure}$ mmPKE, resisting adaptive corruption and chosen-ciphertext attacks.
We also provide an efficient implementation and thorough evaluation of the practical performance of our $\mathsf{mmCipher}$. The results demonstrate substantial bandwidth and computational savings over the state-of-the-art. For example, for $1024$ recipients, our $\mathsf{mmCipher}\text{-}\mathsf{KEM}$ achieves a $23$--$45\times$ reduction in bandwidth overhead, with ciphertexts only $4$--$9\%$ larger than the plaintexts ($\mathit{near~optimal~bandwidth}$), while also offering a $3$--$5\times$ reduction in computational cost.
## 2025/1059
* Title: Post-Quantum Security of Keyed Sponge-Based Constructions through a Modular Approach
* Authors: Akinori Hosoyamada
* [Permalink](
https://eprint.iacr.org/2025/1059)
* [Download](
https://eprint.iacr.org/2025/1059.pdf)
### Abstract
Sponge-based constructions have successfully been receiving widespread adoption, as represented by the standardization of SHA-3 and Ascon by NIST. Yet, their provable security against quantum adversaries has not been investigated much. This paper studies the post-quantum security of some keyed sponge-based constructions in the quantum ideal permutation model, focusing on the Ascon AEAD mode and KMAC as concrete instances. For the Ascon AEAD mode, we prove the post-quantum security in the single-user setting up to about $\min(2^{c/3},2^{\kappa/3})$ queries, where $c$ is the capacity and $\kappa$ is the key length. Unlike the recent work by Lang et al.~(ePrint 2025/411), we do not need non-standard restrictions on nonce sets or the number of forgery attempts. In addition, our result guarantees even non-conventional security notions such as the nonce-misuse resilience confidentiality and authenticity under release of unverified plaintext. For KMAC, we show the security up to about $\min(2^{c/3}, 2^{r/2},2^{(\kappa-r)/2})$ queries, where $r$ is the rate, ignoring some small factors. In fact, we prove the security not only for KMAC but also for general modes such as the inner-, outer-, and full-keyed sponge functions.
We take a modular proof approach, adapting the ideas by several works in the classical ideal permutation model into the quantum setting: For the Ascon AEAD mode, we observe it can be regarded as an iterative application of a Tweakable Even-Mansour (TEM) cipher with a single low-entropy key, and gives the security bound as the sum of the post-quantum TPRP advantage of TEM and the classical security advantage of Ascon when TEM is replaced with a secret random object. The proof for keyed sponges is obtained analogously by regarding them as built on an Even-Mansour (EM) cipher with a single low-entropy key.
The post-quantum security of (T)EM has been proven by Alagic et al. (Eurocrypt 2022 and Eurocrypt 2024). However, they show the security only when the keys are uniformly random. In addition, the proof techniques, so-called the resampling lemmas, are inapplicable to our case with a low-entropy key. Thus, we introduce and prove a modified resampling lemma, thereby showing the security of (T)EM with a low-entropy key.
## 2025/1495
* Title: Pairwise independence of AES-like block ciphers
* Authors: Tim Beyne, Gregor Leander, Immo Sch|+tt
* [Permalink](
https://eprint.iacr.org/2025/1495)
* [Download](
https://eprint.iacr.org/2025/1495.pdf)
### Abstract
We show that $4r + 4$ rounds of a variant of the AES with independent and uniform random round keys are $\varepsilon$-pairwise independent with $\varepsilon = 2^{14}\, 2^{-30r}$. We deduce this bound from a two-norm version of pairwise-independence for SHARK-type ciphers based on the third-largest singular value of the difference-distribution table of the S-box. This approach was worked out in the master thesis of Immo Sch|+tt. Our bounds leave room for improvement, both in the constant prefactor $2^{14}$ rCo due to a rough conversion between norms rCo and in the exponent. These improvements will be worked out in an extended version of this note.
## 2025/1503
* Title: Constraint-Friendly Map-to-Elliptic-Curve-Group Relations and Their Applications
* Authors: Jens Groth, Harjasleen Malvai, Andrew Miller, Yi-Nuo Zhang
* [Permalink](
https://eprint.iacr.org/2025/1503)
* [Download](
https://eprint.iacr.org/2025/1503.pdf)
### Abstract
Hashing to elliptic curve groups is a fundamental operation used in many cryptographic applications, including multiset hashing and BLS signatures. With the recent rise of zero-knowledge applications, they are increasingly used in constraint programming settings. For example, multiset hashing enables memory consistency checks in zkVMs,
while BLS signatures are used in proof of stake protocols.
In such cases, it becomes critical for hash-to-elliptic-curve-group constructions to be constraint-friendly such that one can efficiently generate succinct proofs of correctness. However, existing constructions rely on cryptographic hash functions that are expensive to represent in arithmetic constraint systems, resulting in high proving costs.
We propose a constraint-efficient alternative: a map-to-elliptic-curve-group relation that bypasses the need for cryptographic hash functions and can serve as a drop-in replacement for hash-to-curve constructions in practical settings, including the aforementioned applications. Our relation naturally supports non-deterministic map-to-curve choices making them more efficient in constraint programming frameworks and enabling efficient integration into zero-knowledge proofs. We formally analyze the security of our approach in the elliptic curve generic group model (EC-GGM).
Our implementation in Noir/Barretenberg demonstrates the efficiency of our construction in constraint programming: it achieves over $23\times$ fewer constraints than the best hash-to-elliptic-curve-group alternatives, and, enables $50$-$100\times$ faster proving times at scale.
## 2025/1507
* Title: A Novel Quantum Voting System Based on Quantum Blind Signature without Entanglement
* Authors: Yu-Yuan Chou, Wen-Ching Wu, Jue-Sam Chou
* [Permalink](
https://eprint.iacr.org/2025/1507)
* [Download](
https://eprint.iacr.org/2025/1507.pdf)
### Abstract
In this paper, we specifically review Xu et al.rCOs quantum blind signature scheme for distributed e-voting systems, which primarily focuses on simulating real-life e-voting. The scheme aims to ensure voter anonymity in an e-voting system. However, we found that it not only suffers from identity impersonation attacks but also lacks the blindness property essential to a blind quantum signature. To address these shortcomings, we propose a new quantum blind signature scheme that leverages quantum mechanical properties and a one-way hash function. Considering that a voting scheme naturally involves an election committee member blindly signing a ballot embedded with the name of the selected candidate, we use our quantum blind signature as the foundation to design a quantum voting system. This system effectively prevents the repudiation and counterfeiting issues present in Xu et al.rCOs scheme. Additionally, we provide relevant security analyses to support our theoretical framework. The results demonstrate that our scheme outperforms existing literature not only in terms of e-voting security propertiesrCosuch as undeniability, anonymity, and untraceabilityrCobut also in conceptual simplicity and computational efficiency.
## 2025/1508
* Title: Ion: Concretely Efficient Submaximal-Fluid MPC with Linear Communication
* Authors: Yubo Zeng, Kang Yang, Dengguo Feng, Min Zhang
* [Permalink](
https://eprint.iacr.org/2025/1508)
* [Download](
https://eprint.iacr.org/2025/1508.pdf)
### Abstract
Secure Multi-Party Computation (MPC) in the classical setting requires parties to stay online through the whole computation, which engenders significant inconvenience, especially when dealing with large-scale and complex tasks. The notion of fluid MPC, introduced by Choudhuri et al. (Crypto 2021), aims to tackle this obstacle by presenting a dynamic participation model where parties have the flexibility to join and leave as needed. The best-known honest-majority MPC protocol by Bienstock et al. (Crypto 2023) in the fluid setting achieves linear communication complexity, but still requires significantly larger communication than MPC in the classical setting.
In this paper, we present two concretely efficient fluid MPC protocols with semi-honest security and linear communication in the honest majority setting. To achieve low concrete communication, we propose a separation-generation approach for random double sharings, along with a linear-communication resharing technique for transmitting sharings across two committees. For evaluating multiplication gates, our protocols in the fluid setting achieve the (almost) same communication as the state-of-the-art protocol ATLAS by Goyal et al. (Crypto 2021) in the classical setting. We also extend the two protocols to achieve malicious security while doubling the communication cost. Compared to the best-known fluid MPC protocol, we reduce the communication cost per multiplication gate by a factor of 6 re+ 9|u (resp., 19 re+ 28|u) for semi-honest security (resp., malicious security). As a trade-off, we relax the maximal fluidity where the parties only need to be active in a single round to the submaximal fluidity allowing an extra internal communication round for each committee. We believe that the new setting is a reasonable relaxation for applications and allows us to achieve practical efficiency for fluid MPC.
## 2025/1509
* Title: LEAP: High-Performance Lattice-Based Pseudorandom Number Generator
* Authors: Yu Zhang, Xianhui Lu, Yijian Liu, Yongjian Yin, Kunpeng Wang
* [Permalink](
https://eprint.iacr.org/2025/1509)
* [Download](
https://eprint.iacr.org/2025/1509.pdf)
### Abstract
At EUROCRYPT2012, Banerjee, Peikert, and Rosen introduced Ring Learning With Rounding (RLWR) problem and constructed lattice-based pseudorandom functions for the first time. Subsequently, Banerjee, Brenner, Leurent, Peikert, and Rosen named this family of lattice-based pseudorandom functions as SPRING, reanalyzed the security, and gave two practical instances. Building upon the SPRING family, Bouillaguet, Delaplace, Fouque, and Kirchner further extended it to a pseudorandom number generator called SPRING-RS. It is quite fast but still has a certain gap compared with the classical pseudorandom number generator based on symmetric cryptography, and the key size is large.
In this work, we present LEAP, a lattice-based pseudorandom number generation scheme characterized by high performance, adaptable parameter selection, and extensive support for parallel processing. Unlike the RLWR problem used in public key cryptography, LEAP treats the public parameter in the RLWR problem as the key as well. Hiding the public parameters leads to larger lattice dimensions and higher standard deviations of error in the concrete security analysis compared to RLWR under identical parameters. These adjustments imply enhanced security, allowing smaller parameters while maintaining the same security level, thereby improving performance. Additionally, we introduce a novel framework that reuses multiple parameters, significantly enhancing overall performance. To mitigate the issue of increased key size caused by treating the public parameter as the key, we design a pseudorandom number generator leveraging the small key size characteristic of a variant of the NTRU assumption, which provides the key required for the high-performance pseudorandom number generator.
Compared with the SPRING-RS, the LEAP can reduce the key size by 1.71X while improving performance by 3.30X at the same security level. Under the AVX2 and AVX512 implementations, the performance reaches 1.61 Cycles/byte and 1.14 Cycles/byte, and the throughput reaches 16.12 Gbps and 22.60 Gbps, respectively.
## 2025/1510
* Title: Mosformer: Maliciously Secure Three-Party Inference Framework for Large Transformers
* Authors: Ke Cheng, Yuheng Xia, Anxiao Song, Jiaxuan Fu, Wenjie Qu, Yulong Shen, Jiaheng Zhang
* [Permalink](
https://eprint.iacr.org/2025/1510)
* [Download](
https://eprint.iacr.org/2025/1510.pdf)
### Abstract
Transformer-based models like BERT and GPT have achieved state-of-the-art performance across a wide range of AI tasks but raise serious privacy concerns when deployed as cloud inference services.
To address this, secure multi-party computation (MPC) is commonly employed, encrypting both user inputs and model parameters to enable inference without revealing any private information.
However, existing MPC-based secure transformer inference protocols are predominantly designed under the semi-honest security model. Extending these protocols to support malicious security remains a significant challenge, primarily due to the substantial overhead introduced by securely evaluating complex non-linear functions required for adversarial resilience.
We introduce Mosformer, the first maliciously secure three-party (3PC) inference framework that efficiently supports large transformers such as BERT and GPT.
We first design constant-round comparison and lookup table protocols with malicious security, leveraging verifiable distributed point functions (VDPFs). Building on these, we develop a suite of 3PC protocols for efficient and secure evaluation of complex non-linear functions in transformers. Together with optimized modulus conversion, our approach substantially reduces the overhead of secure transformer inference while preserving model accuracy.
Experimental results on the vanilla transformer block show that Mosformer achieves up to a $5.3\times$ speedup and a $4.3\times$ reduction in communication over prior maliciously secure protocols.
Despite offering stronger security guarantees, Mosformer achieves comparable or even superior online performance to state-of-the-art semi-honest 2PC and 3PC frameworks, including BOLT (Oakland 2024), BumbleBee (NDSS 2025), SHAFT (NDSS 2025), and Ditto (ICML 2024), on full-scale models such as BERT and GPT-2.
## 2025/1511
* Title: Updatable aPAKE: Security Against Bulk Precomputation Attacks
* Authors: Dennis Dayanikli, Anja Lehmann
* [Permalink](
https://eprint.iacr.org/2025/1511)
* [Download](
https://eprint.iacr.org/2025/1511.pdf)
### Abstract
Asymmetric Password-Authenticated Key Exchange (aPAKE) enables secure key establishment between a client and a server using a pre-shared password, while providing security against offline attacks. However, aPAKE does not guarantee any precomputation resistance, and considers passwords to become immediately available upon server compromise. A recent work by Dayanikli and Lehmann (EuroS&P'24) observed that many existing aPAKE protocols provide stronger precomputation attack resistance than what is guaranteed through the aPAKE model: they often rely on salted password hashes, where a unique salt makes precomputation attacks more difficult. While these salts are sent in clear to the client during authentication, and thus trivial to obtain for an attacker, this makes a difference in multi-user settings with millions of user accounts per server. In order to run bulk precomputation attacks on all users' passwords, the attacker needs to start an authentication session on behalf of every user to obtain their salts. However, this protection is still limited as salts are static, and the attacker can gradually extract all salt values for precomputation attacks.
In this work, we build upon the observation that many aPAKE protocols include salts for their password protection, and propose a new aPAKE variant that makes such bulk precomputation attacks practically infeasible. We propose updatable aPAKE which employs updatable salts. In updatable aPAKE, the salt is implicitly refreshed with each successful user authentication, forcing an attacker to rebuild their precomputation table after every honest user's login -- offering a level of precomputation resistance similar to that of strong aPAKE protocols. We formalize the security of updatable aPAKE in the Universal Composability framework and show how OKAPE-HMQV, the currently most efficient aPAKE protocol, can be lifted to the updatable aPAKE setting in a provably secure way. The core idea is that this salt update can be integrated through relying on the password-based server-side authentication, that is already guaranteed through aPAKE. We also observe that OKAPE-HMQV is very similar to SRP-6a, the currently most widely deployed aPAKE protocol, and explain how the same idea can be used to upgrade this legacy protocol to achieve strong bulk precomputation attack resistance with minimal overhead.
## 2025/1512
* Title: Virtual End-to-End Encryption: Analysis of the Doctolib Protocol
* Authors: Dennis Dayanikli, Laura Holz, Anja Lehmann
* [Permalink](
https://eprint.iacr.org/2025/1512)
* [Download](
https://eprint.iacr.org/2025/1512.pdf)
### Abstract
Doctolib is a popular healthcare platform, used by over 90 million users across France, Italy, and Germany. One of its main features is the secure data exchange between patients and doctors, with 7 million documents shared per month. Doctolib claims to provide the "world's first end-to-end encryption platform built for health applications". The encryption protocol, described in a Whitepaper and Github repository, relies on envelope encryption and lets users upload ciphertexts for the secure data exchange. The ciphertexts are stored and retrieved through a distributed system, consisting of a data server and a key server. To access the data, recipients fetch the ciphertexts and decrypt them with their private key. However, the platform does not require end-users to maintain any cryptographic keys themselves and instead relies on a virtual device that leverages the two-server setting. The virtual device splits the user's private key over both servers, and uses password-based authentication for its retrieval. Overall, the goal of the protocol is to ensure confidentiality of the uploaded medical records as long as at most one server is corrupt. In this work, we analyze the security of Doctolib's distributed encryption protocol. First, we define a set of formal security models for such password-based distributed envelope encryption, that capture the optimal security properties under different corruption settings. We then analyze the protocol - abstracted from the available information - in our model, and show that it does not achieve the desired security guarantees. We finally propose a simple modification that strengthens the original protocol through the use of a distributed oblivious pseudorandom function that provably achieves all our security properties.
## 2025/1513
* Title: d/v-CLSAG: Extension for Concise Linkable Spontaneous Anonymous Group Signatures
* Authors: sowle
* [Permalink](
https://eprint.iacr.org/2025/1513)
* [Download](
https://eprint.iacr.org/2025/1513.pdf)
### Abstract
In this paper we present a Schnorr-like linkable ring signature scheme we call d/v-CLSAG that is an extension of the d-CLSAG scheme proposed in 2019 by Brandon Goodell, Sarang Noether, and Arthur Blue. The proposed extension allows the use of different group generators for different layers of ring members: $\mathbf{pk} := \mathbf{sk} \circ \mathbf{G},\ \mathbf{G} = (G_{k_0},\dots,G_{k_{d-1}}) \in \texttt{G}^d$, while the original scheme assumes the use of the same generator $G$ across all layers: $\mathbf{pk} := \mathbf{sk} \circ \mathbf{G},\ \mathbf{G} = (G,\dots,G) \in \texttt{G}^d$. To improve the signature size, we use key aggregation techniques in the same way, but for distinct group generators $\{G_k\}$ individually. Note that we don't require the absence of efficiently-computable discrete logarithm relations between $\{G_k\}$. However, it might be possible, that adding such a limitation would allow us to reduce the signature size. This is the subject of future studies.
We provide the security statements for the proposed updated scheme.
## 2025/1514
* Title: Rigorous Methods for Computational Number Theory
* Authors: Koen de Boer, Alice Pellet-Mary, Benjamin Wesolowski
* [Permalink](
https://eprint.iacr.org/2025/1514)
* [Download](
https://eprint.iacr.org/2025/1514.pdf)
### Abstract
We present the first algorithm for computing class groups and unit groups of arbitrary number fields that provably runs in probabilistic subexponential time, assuming the Extended Riemann Hypothesis (ERH). Previous subexponential algorithms were either restricted to imaginary quadratic fields, or relied on several heuristic assumptions that have long resisted rigorous analysis.
The heart of our method is a new general strategy to provably solve a recurring computational problem in number theory (assuming ERH): given an ideal class $[\mathfrak a]$ of a number field $K$, sample an ideal $\mathfrak b \in [\mathfrak a]$ belonging to a particular family of ideals (e.g., the family of smooth ideals, or near-prime ideals). More precisely, let $\mathcal{S}$ be an arbitrary family of ideals, and $\mathcal{S}_B$ the family of $B$-smooth ideals. We describe an efficient algorithm that samples ideals $\mathfrak b \in [\mathfrak a]$ such that $\mathfrak b \in \mathcal{S}\cdot\mathcal{S}_B$ with probability proportional to the density of $\mathcal{S}$ within the set of all ideals.
The case where $\mathcal{S}$ is the set of prime ideals yields the family $\mathcal{S}\cdot\mathcal{S}_B$ of near-prime ideals, of particular interest in that it constitutes a dense family of efficiently factorable ideals. The case of smooth ideals $\mathcal{S} = \mathcal{S}_B$ regularly comes up in index-calculus algorithms (notably to compute class groups and unit groups), where it has long constituted a theoretical obstacle overcome only by heuristic arguments.
## 2025/1515
* Title: Privacy-Preserving Federated Inference for Genomic Analysis with Homomorphic Encryption
* Authors: Anish Chakraborty, Nektarios Georgios Tsoutsos
* [Permalink](
https://eprint.iacr.org/2025/1515)
* [Download](
https://eprint.iacr.org/2025/1515.pdf)
### Abstract
In recent years, federated learning has gained significant momentum as a collaborative machine learning approach, particularly in the field of medicine. While the decentralized nature of federated learning boasts greater security guarantees compared to traditional machine learning methods, it is still susceptible to myriad attacks. Moreover, as federated learning becomes increasingly ubiquitous in medicine, its use for classification tasks is expected to increase; however, maintaining patient data confidentiality remains a significant challenge, especially for genetic data. In this work, we introduce a novel framework for secure federated inference on nucleotide-based genotype data and provide a gateway to private inference through fully homomorphic encryption. A federated model with five local clients was created and trained before being encrypted with the TFHE cryptosystem and placed for inference. This framework successfully identified promoter sequences encoded within given DNA sequences, showing its potential applications in secure genomic data analysis in a federated context. Our work represents a crucial step in privacy-preserving federated inference on nucleotide-based data.
## 2025/1516
* Title: GoSSamer: Lightweight and Linear-Communication Asynchronous (Dynamic Proactive) Secret Sharing and the Applications
* Authors: Xinxin Xing, Yizhong Liu, Boyang Liao, Jianwei Liu, Bin Hu, Xun Lin, Yuan Lu, Tianwei Zhang
* [Permalink](
https://eprint.iacr.org/2025/1516)
* [Download](
https://eprint.iacr.org/2025/1516.pdf)
### Abstract
Asynchronous complete secret sharing (ACSS) and asynchronous dynamic proactive secret sharing (ADPSS) are fundamental primitives for secret sharing and resharing in threshold systems. They serve broad applications in distributed key management (DKM), multi-party computation, and blockchain. However, ACSS constructions that employ homomorphic commitments incur notable computational overhead, especially in batched executions. Conversely, lightweight variants require quadratic per-secret communication, which grows rapidly with the committee size. Building upon instances of ACSS, ADPSS constructions inevitably inherit these inefficiencies.
To address these limitations, we introduce GoSSamer, a concretely and asymptotically efficient protocol suite, where both GoSSamer-ACSS and GoSSamer-ADPSS achieve (1) lightweight computation with only finite-field arithmetic and hash functions, (2) asymptotically optimal, linear per-secret communication, (3) optimal resilience in asynchronous networks, a nd (4) post-quantum security.Leveraging our proposed share propagation and verification mechanisms, GoSSamer-ACSS reduces the runtime by 97% against the linear-communication scheme hbACSS (NDSS'22), and lowers the bandwidth usage by 75% compared to the lightweight solution SS24 (JoC'24) in a 64-node committee. By decoupling the ADPSS framework from the commitment-based ACSS through a new consistency verification technique, GoSSamer-ADPSS boosts key resharing throughput by 16-22$\times$ compared to LongLive (Usenix Security'23), and reduces its bandwidth by 47.6% in 16-node committees. GoSSamer directly accelerates real-world applications like distributed key management. Specifically, the runtime in GoSSamer-ACSS-based distributed key generation outperforms DXK+23 (Usenix Security'23) by 7-11$\times$, while GoSSamer-ADPSS-based key resharing outperforms LongLive by 9-13$\times$.
## 2025/1517
* Title: Universally Composable Treatment of Multi-Party Isomorphic State Channels
* Authors: Maxim Jourenko, Xiangyu Su, Adam Blatchley Hansen, Mario Larangeira * [Permalink](
https://eprint.iacr.org/2025/1517)
* [Download](
https://eprint.iacr.org/2025/1517.pdf)
### Abstract
Layer-2 protocols are pivotal in enhancing the scalability of blockchain systems, enabling faster off-chain transactions while maintaining security. These protocols can bridge consensus-based blockchain systems and advanced applications, such as Multiparty Computation (MPC) protocols, often defined within the Universal Composability (UC) Framework. However, despite the existence of some UC-defined protocols, there is currently no comprehensive UC definition for isomorphic multiparty state channels, in particular that are not dependent on the ledger model: account or UTxO based ledger. These protocols depend heavily on timelock mechanisms and the accurate representation of time, which are challenging to model within the UC Framework. Our work addresses this gap by proposing a UC-based definition, i.e., functionality, for isomorphic multi-party state channels that realistically model timely actions of honest users, a critical feature for the security of the channel protocol. Moreover our definition is agnostic with respect to the ledger model. Additionally, we introduce an extended timelock-aided global ledger functionality and demonstrate the security of existing protocols, namely Hydra proposed by Chakravarty et al. (FC'21), under the UC Framework and our proposed functionalities. This contribution provides a robust foundation for developing secure and scalable off-chain protocols in blockchain ecosystems. Finally, we concretely provide the construction of the extension of the Hydra Protocol, only outlined by the original work, and also prove it secure under our framework.
## 2025/1518
* Title: Sequential Indifferentiability of STH and EDM
* Authors: Nilanjan Datta, Avijit Dutta, Sougata Mandal, Hrithik Nandi
* [Permalink](
https://eprint.iacr.org/2025/1518)
* [Download](
https://eprint.iacr.org/2025/1518.pdf)
### Abstract
The notion of indifferentiability was proposed by Maurer et al. to bound the distinguishing advantage of a construction built on a public primitive, from a public random function. In Indocrypt'10, Mandal et al. have shown that the sum of two independent permutations is indifferentiable from a public random function up to $2^{2n/3}$ queries. Later in ACNS'15, Mennink and Preneel identified an analytical flaw of Mandal et al's result and revised the security bound to $2^{2n/3}/n$. In Eurocrypt'18, Bhattacharya and Nandi have improved their indifferentiable bound to $2^n$ queries, which was again identified as incorrect in the analysis by Gunsing et al. In this paper, we study the indifferentiability of a few other PRF constructions, namely STH and EDM constructions. We will show that neither STH nor STH2 is indifferentiable, which led us to propose a generalized version called gSTH. We have shown that gSTH achieves a tight $l$-bit security bound, where $l$ denotes the size of the constants in terms of bits used in the construction. While we show that EDM achieves a tight $n/2$-bit indifferentiable bound with respect to our proposed simulator, single-keyed EDM is not indifferentiable from a public random function. We would like to mention that all the proofs and the attacks have been done in the sequential indifferentiability model.
## 2025/1519
* Title: Does the UC-Security Notion for PAKE Imply Game-Based Security?
* Authors: Jiayu Xu
* [Permalink](
https://eprint.iacr.org/2025/1519)
* [Download](
https://eprint.iacr.org/2025/1519.pdf)
### Abstract
A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to jointly establish a cryptographically strong key, in the setting where the only information shared in advance is a low-entropy "password". The two standard security definitions for PAKE are the game-based one by Bellare, Pointcheval and Rogaway (BPR-security, EUROCRYPT 2000) and the Universally Composable (UC) one by Canetti et al. (EUROCRYPT 2005). It is well-known that UC-security implies BPR-security; however, there are a large number of variants of both definitions, and the relation between them is not entirely clear.
In this work, we thoroughly study a variant of BPR-security by Katz, Ostrovsky and Yung (KOY-security, JACM 2009):
1. We show, via a counterexample, that UC-security does \emph{not} imply KOY-security;
2. We then prove that a variant of UC-security, called implicit-only UC-security (Dupont et al., EUROCRYPT 2018), implies KOY-security.
Interestingly, we make the observation that KOY- and implicit-only UC-security essentially strengthen their standard counterparts in the same manner. We also present detailed explanations of all four security notions.
## 2025/1520
* Title: DAWN: Smaller and Faster NTRU Encryption via Double Encoding
* Authors: Yijian Liu, Yu Zhang, Xianhui Lu, Yao Cheng, Yongjian Yin
* [Permalink](
https://eprint.iacr.org/2025/1520)
* [Download](
https://eprint.iacr.org/2025/1520.pdf)
### Abstract
This paper introduces DAWN, a compact and efficient NTRU encryption utilizing double encoding, which is provably secure under the NTRU assumption and the Ring-LWE assumption. We propose a novel technique for NTRU encryption called the zero divisor encoding. Unlike the polynomial encoding technique proposed by Hoffstein and Silverman (2001) and the vector encoding technique proposed by Zhang, Feng, and Yan in NEV (Asiacrypt 2023), our zero divisor encoding technique leverages the algebraic structure of the ring used in NTRU, enabling greater ciphertext compression while maintaining negligible decryption failure.
We further develop a paradigm for NTRU encryption called the double encoding paradigm to maximize the potential of the zero divisor encoding. This paradigm transforms optimizing an NTRU-based encryption into constructing a better encoding within the NTRU context, providing more concrete direction for scheme development. Several previous NTRU encryptions can be situated within this paradigm with different parameters, facilitating direct comparison. We instantiate this paradigm based on the provably IND-CPA secure NTRU variant by Stehl|- and Steinfeld (Eurocrypt 2011) to achieve an IND-CPA secure PKE, and subsequently employ the Fujisaki-Okamoto transformation to achieve an IND-CCA secure KEM.
We present two parameter settings of DAWN: DAWN-$\alpha$ minimizes ciphertext size, achieving lengths of 436 bytes under NIST-I security and 973 bytes under NIST-V security; DAWN-$\beta$ minimizes the combined size of the public key and ciphertext, attaining combined sizes of 964 bytes under NIST-I security and 2054 bytes under NIST-V security. DAWN achieves superior compactness and performance among current lattice-based KEMs without introducing additional security assumptions. Compared to NEV (Asiacrypt 2023), the previously leading NTRU-based KEM in balancing compactness and performance, DAWN demonstrates 20\%--29\% greater compactness at approximate security levels and decryption failure probabilities, while executing 1.1X--2.0X faster in a complete ephemeral key exchange process.
## 2025/1521
* Title: Universally Composable Subversion-Resilient Authenticated Key Exchange
* Authors: Jiahao Liu, Yi Wang, Rongmao Chen, Xinyi Huang, Jinshu Su, Moti Yung * [Permalink](
https://eprint.iacr.org/2025/1521)
* [Download](
https://eprint.iacr.org/2025/1521.pdf)
### Abstract
Subversion-resilient cryptography has garnered increasing attention in recent years due to growing concerns about cryptographic subversions in real-world applications. Among the existing countermeasures, the notion of cryptographic reverse firewalls (RFs), initially proposed by Mironov and Stephens-Davidowitz (EUROCRYPT 2015) and later extended by Chakraborty et al. (EUROCRYPT 2022) to the universally composable (UC) model, has proven to be a powerful tool for building subversion-resilient cryptographic protocols. In this work, we focus on designing subversion-resilient authenticated key exchange (AKE) protocols, which are critical components of secure Internet communication. We present the f irst generic framework for subversion-resilient UC-secure AKE protocols leveraging RFs. In spired by the state-of-the-art advancements by Chakraborty et al. (ASIACRYPT 2024), we address subversions: where a partyrCOs implementation is covertly altered to exfiltrate secrets or behave unpredictably when triggered by adversarial inputs. A key contribution of our work is the introduction of a new AKE functionality which, for the first time, incorporates security against key control, an essential aspect of achieving subversion resilience. We also provide a concrete instantiation of our framework, demonstrating its feasibility in practice. Notably, the RFs in our proposed AKE protocol are transparent, an important property of RF as defined originally, which allows deployment of RF without all parties explicitly knowing about it and allows robust security. Achieving transparency for RFs has been widely regarded as challenging, particularly when addressing broader subversion attacks (e.g., input-trigger attacks) in the UC model. Our approach, thus, not only advances the state of AKE protocol design, but also offers insights into building other subversion-resilient protocols in the UC model using transparent RFs.
## 2025/1522
* Title: Constant-Size Inner Product Arguments for Group-Scalar Relations, Dynamic Threshold VRFs, and More
* Authors: Omid Mir, Octavio Perez-Kempner, Sebastian Ramacher, Daniel Slamanig
* [Permalink](
https://eprint.iacr.org/2025/1522)
* [Download](
https://eprint.iacr.org/2025/1522.pdf)
### Abstract
Abstract. Linear algebraic relations, such as inner products rf?a, brf-, underlie a wide range of cryp- tographic constructions, including zero-knowledge proofs, SNARKs, polynomial commitment schemes, and more. In this work, we consider group-scalar relations, i.e., statements of the form rf?A, brf-, where A is a vector of group elements and b is a vector of field elements. In many crypto- graphic settings, it is necessary to prove relationships between group elements like public keys, or other cryptographic objects without access to the underlying discrete logarithms. Our results are as follows:
rCo At the protocol level, we introduce the first Inner Product Argument (IPA) that specifically fo- cuses on group-scalar relations in bilinear groups. It achieves constant-size proofs and constant- time verification, maintaining commitments and arguments entirely in the source group. Our techniques enable new applications and significantly improve efficiency compared to state-of- the-art IPAs such as Dory (TCC rCO21) and GIPA (Asiacrypt rCO21), which rely on recursive folding techniques and thus have logarithmic proofs and verification time. We prove security in the Algebraic Group Model under the q-DHE and q-DL assumptions.
rCo At the primitive level, we present a new class of functional commitments for linear functions over group-scalar elements. It enables even more applications such as polynomial commit- ments for values hidden inside group exponentiations.
rCo To showcase our contributions, we demonstrate new applicationsrComost notably, we introduce the notion of dynamic threshold verifiable random functions, which we believe to be a valuable tool for distributed randomness generation. We further present dynamic threshold signatures without random oracles, polynomial commitments over group-encoded inputs, and their ap- plications to oblivious proofs.
Our results provide modular and efficient tools to build cryptographic protocols without typical SNARK frameworks, simplifying real-world deployments. To demonstrate the practicality of our contributions, we provide an implementation and related benchmarks.
## 2025/1523
* Title: Decoupling Support Enumeration and Value Discovery in Non-Binary ISD
* Authors: Freja Elbro, Paolo Santini
* [Permalink](
https://eprint.iacr.org/2025/1523)
* [Download](
https://eprint.iacr.org/2025/1523.pdf)
### Abstract
Information Set Decoding (ISD) refers to a class of algorithms designed to decode arbitrary linear codes over finite fields. It is among the state-of-the-art methods for solving the Syndrome Decoding Problem (SDP), which lies at the core of code-based cryptography. Since most cryptographic systems operate over the binary field, ISD algorithms are generally designed for this setting. However, emerging cryptographic systems, such as SDitH, that rely on the SDP over non-binary fields, make research into non-binary ISD increasingly relevant. While there have been numerous improvements to ISD algorithms for binary fields, generalizations of these improvements to non-binary fields have resulted in only modest runtime improvements. The only technique which applies specifically to non-binary fields was proposed only last year by Carrier, Hatey and Tillich and consists in solving the SDP over the projective space.
In this paper we continue along this line of research and introduce a novel technique to perform ISD in non-binary fields. Our key idea consists in speeding-up the enumeration of low weight vectors by enumerating only the supports and not the actual values, since these can be recovered by solving a (small) linear system. This idea is at the core of LA-ISD, the first algorithm we propose in the paper. We further enhance it by exploiting a meet-in-the-middle search leading to MitM-LA, the second algorithm we propose in this paper. We analyze our algorithms in both the finite and asymptotic regimes and show that they compare well with competitive solutions. In particular, LA-ISD results in the best memory-less algorithm, while MitM-LA is (slightly) faster than the state-of-the-art algorithm by Carrier, Hatey and Tillich for many parameter-sets as well as asymptotically.
## 2025/1524
* Title: AUPCH: Auditable Unlinkable Payment Channel Hubs
* Authors: Pedro Moreno-Sanchez, Mohsen Minaei, Srinivasan Raghuraman, Panagiotis Chatzigiannis, Duc V. Le
* [Permalink](
https://eprint.iacr.org/2025/1524)
* [Download](
https://eprint.iacr.org/2025/1524.pdf)
### Abstract
Cryptocurrencies, which have gained significant adoption in
recent years, face ongoing challenges in scalability and privacy. Payment Channel Hubs (PCHs) constitute a solution to both issues by shifting transactions off the public ledger. Various PCH constructions have been proposed, offering different degrees of unlinkability, efficiency, and inter- operability. However, regulatory compliance remains a significant con-
cern, particularly under emerging frameworks like the EUrCOs Markets in Crypto-Assets (MiCA) regulation and FATF Travel Rule requirements.
This work addresses a gap in existing PCH constructions: the lack of regulatory-compliant auditability mechanisms. While concurrent work
AuditPCH attempts to address this challenge, it suffers from fundamen-
tal limitations, including reliance on channel closures for auditing, vul- nerability to unilateral de-anonymization by the hub, and lack of formal security guarantees for the auditing process. Our approach fundamen-
tally differs by providing targeted, non-disruptive auditability that al-
lows auditability for high-risk payments while preserving unlinkability
for the rest. To achieve this, we present Verifiable Linkable Randomiz-
able Puzzles (VLRP), a new cryptographic primitive that enables a party
to commit to a secret using two distinct keys: a verifiability key (VK)
and an auditability key (AK). This primitive provides (i) verifiability
that the owner of the VK issued the commitment, (ii) the ability to ran-
domize the commitment to ensure unlinkability, even for the owner of the
VK, while still allowing traceability using the AK, and (iii) collaborative auditing that prevents unilateral de-anonymization.
We then present Auditable Unlinkable Payment Channel Hubs, AUPCH,
a PCH built on VLRP that offers auditability guarantees with stronger se- curity guarantees than existing approaches. AUPCH provides modular
integration with existing PCH frameworks (A2L, BlindHub), operates
without requiring channel closures, and ensures that auditing requires collaboration between hub and auditing agent, preventing abuse by ei-
ther party alone. Crucially, our approach acts as a wrapper around exist-
ing PCH implementations, requiring only replacing randomizable puzzle
calls with VLRP calls, a minimal change that dramatically reduces de-
ployment complexity compared to building new systems from scratch.
## 2025/1525
* Title: Making Hard Problems Easier with Custom Data Distributions and Loss Regularization: A Case Study in Modular Arithmetic
* Authors: Eshika Saxena, Alberto Alfarano, Fran|oois Charton, Zeyuan Allen-Zhu, Emily Wenger, Kristin Lauter
* [Permalink](
https://eprint.iacr.org/2025/1525)
* [Download](
https://eprint.iacr.org/2025/1525.pdf)
### Abstract
Recent work showed that ML-based attacks on Learning with Errors (LWE), a hard problem used in post-quantum cryptography, outperform classical algebraic attacks in certain settings. Although promising, ML attacks struggle to scale to more complex LWE settings. Prior work connected this issue to the difficulty of training ML models to do modular arithmetic, a core feature of the LWE problem. To address this, we develop techniques that significantly boost the performance of ML models on modular arithmetic tasksrCoenabling the models to sum up to $N=128$ elements modulo $q \le 974269$. Our core innovation is the use of custom training data distributions and a carefully designed loss function that better represents the problem structure. We apply an initial proof of concept of our techniques to LWE specifically and find that they allow recovery of 2x harder secrets than prior work. Our techniques also help ML models learn other well-studied problems better, including copy, associative recall, and parity, motivating further study.
## 2025/1526
* Title: A general secondary construction of Boolean functions including the indirect sum and its generalizations
* Authors: Claude Carlet, Deng Tang
* [Permalink](
https://eprint.iacr.org/2025/1526)
* [Download](
https://eprint.iacr.org/2025/1526.pdf)
### Abstract
We study a secondary construction of Boolean functions, which generalizes the direct sum and the indirect sum. We detail how these two classic secondary constructions are particular cases of this more general one, as well as two known generalizations of the indirect sum. This unifies the known secondary constructions of Boolean functions. We study very precisely the Walsh transform of the constructed functions. This leads us to an interesting observation on the Walsh transforms $W_g,W_{g'},W_{g''}$, and $W_{g\oplus g'\oplus g''}$ when $g,g',g''$ are Boolean functions such that $(g\oplus g')(g\oplus g'')$ equals the zero function.
## 2025/1527
* Title: Universally Composable Transaction Order Fairness: Refined Definitions and Adaptive Security
* Authors: Michele Ciampi, Aggelos Kiayias, Yu Shen
* [Permalink](
https://eprint.iacr.org/2025/1527)
* [Download](
https://eprint.iacr.org/2025/1527.pdf)
### Abstract
While consistency and liveness are the defining properties of ledger consensus, fair ordering has emerged as an independent consideration whose importance is underscored by the observation of real world transaction inclusion strategies that manipulate fairness such as Miner Extractable Value. Receiver-order fairness is a fine-grain notion of fairness that determines the order of any two submitted transactions based on the two sequences of reception timestamps for the two transactions across all nodes in the network. Given this information, ledger serialization can be viewed as the social choice problem of producing the most agreeable transaction order based on the "preferences" of the miners or validators. In this work, our contribution is three-fold: (i) We put forward a formal Universally Composable definition for order fairness that encompasses receiver order fairness as well as input causality. (ii) We design a novel ledger protocol that preserves input causality and receiver order fairness. (iii) We capture in our composable definition and construction the role that transaction fees play when dealing with fairness.
Our protocol is based on a novel YOSO-style approach that allows encrypting transactions for a short period of time. Notably, the communication complexity required to decrypt the transactions is independent of the number of encrypted transactions. To the best our our knowledge, we are the first to provide a YOSO-style approach with such asymptotic complexity while relying on standard cryptographic assumptions.
## 2025/1528
* Title: Trustless Delegation of Vector Commitment Construction in Resource-Constrained Settings
* Authors: Parisa Hassanizadeh, Shahriar Ebrahimi, Stefan Dziembowski, Janusz Szczepanski
* [Permalink](
https://eprint.iacr.org/2025/1528)
* [Download](
https://eprint.iacr.org/2025/1528.pdf)
### Abstract
Many data types, such as video and audio, consist of sequential elements where both integrity and order are essential for authenticity. In practice, verifiers often access only partial sequences due to privacy or volume constraints, as in surveillance, journalism, and public records. Vector commitment (VC) schemes that support verifiable partial disclosures address this need, but constructing and maintaining such VCs is challenging for resource-constrained devices such as cameras. For example, in CCTV systems, a trusted module updating the VC for millions of frames must store and process hundreds of megabytes, which is often infeasible.
We propose a proving system that enables trustless reconstruction of VCs from only the chained hash of the sequence. The data source computes and signs a cumulative hash. An untrusted prover then constructs the VC from the raw data and proves that the data used for construction is consistent with the signed hash chain. The constructed VC subsequently enables authentication of partial disclosures. The main challenge is that proving the full VC construction in zero-knowledge is computationally expensive. To address this, we design a folding-based zkSNARK tailored to this task.
We analyze the construction in a realistic setting with a constrained source device (Raspberry Pi Zero) and a consumer-grade prover (midrange laptop). Our results show that even for relatively short sequences (e.g., 30 minutes of video footage), handling the VC within the source device's trusted module is infeasible due to both storage and computational limitations. In contrast, the proposed trustless offloading imposes only a few minutes of local computation on the prover to generate a proof for full VC construction (around 2 minutes for the 30 minutes of footage). Our implementation is available as open source at:
https://github.com/zero-savvy/proven-view.
## 2025/1529
* Title: UC-Security of the ZK-NR Protocol under Contextual Entropy Constraints: A Composable Zero-Knowledge Attestation Framework
* Authors: MINKA MI NGUIDJOI Thierry Emmanuel
* [Permalink](
https://eprint.iacr.org/2025/1529)
* [Download](
https://eprint.iacr.org/2025/1529.pdf)
### Abstract
The CRO Trilemma formalizes the inherent incompatibility between confidentiality, reliability, and legal opposability in proof systems. This paper provides the complete Universal Composability (UC) security proof for the ZK-NR protocol, a layered architecture designed to approach this bound. We model each dialectical layer (Iron, Gold, Clay) as an ideal functionality with erasure semantics and prove indistinguishability between real and ideal executions under post-quantum assumptions. The results establish the composable security of ZK-NR and formally achieve a CRO index +o_CRO < 0.4 + negl(++) against adaptive contextual adversaries.
## 2025/1530
* Title: PolySys: an Algebraic Leakage Attack Engine
* Authors: Zachary Espiritu, Seny Kamara, Tarik Moataz, Andrew Park
* [Permalink](
https://eprint.iacr.org/2025/1530)
* [Download](
https://eprint.iacr.org/2025/1530.pdf)
### Abstract
In this work, we propose a novel framework called PolySys for modeling and designing leakage attacks as constraint-solving algorithms over polynomial systems. PolySys formalizes the design of attacks using invertible encodings, structural and leakage equations, and efficient
constraint-solving algorithms including SAT and constraint solvers. It is capable of modeling resolution, known-data, and inference attacks for common leakage patterns. To demonstrate the practicality of our framework, we implement a PolySys attack engine in Python and apply it to state-of-the-art query recovery, data resolution, and query inference attacks on point and range multi-maps. Our results show that PolySys outperforms all existing attacks under identical assumptions, achieving up to 60|u higher recovery rates in some scenarios.
While scalability remains a challenge for larger datasets, PolySys represents a promising step toward a general-purpose framework for designing leakage attacks. We believe future work can further enhance its efficiency to scale to larger and more complex workloads.
## 2025/1531
* Title: Improved Semi-Free-Start Collision Attacks on RIPEMD-160 (Full Version)
* Authors: Zhuolong Zhang, Muzhou Li, Haoyang Wang, Shiqi Hou, Wei Wang, Meiqin Wang
* [Permalink](
https://eprint.iacr.org/2025/1531)
* [Download](
https://eprint.iacr.org/2025/1531.pdf)
### Abstract
As an ISO/IEC standard, RIPEMD-160 has been extensively studied for (Semi-Free-Start) collision attacks. A significant breakthrough was achieved at FSE 2024 with the first 41-, 42-, and 43-step SFS collision attacks, which leveraged an automatic search model (EUROCRYPT 2023) and a message modification strategy (FSE 2020). However, these attacks are limited by reliance on heuristic objective functions and suboptimal message modification techniques. This paper enhances the existing framework from two perspectives. Firstly, we refine the automatic search model by incorporating a holistic objective function that considers all critical probability components, moving beyond simple Hamming weight.
Secondly, we introduce two generic techniques to further improve (SFS) collision attacks: the first application of differential clustering and a dedicated message modification strategy. As a result, we present the first valid SFS collision attack on 44-step RIPEMD-160. Additionally, we significantly reduce the time complexities of existing attacks on 41-, 42-, and 43-step variants, making it feasible to find colliding message pairs for 41- and 42-step versions within practical time for the first time.
## 2025/1532
* Title: Breaking the Layer Barrier: Remodeling Private Transformer Inference with Hybrid CKKS and MPC
* Authors: Tianshi Xu, Wen-jie Lu, Jiangrui Yu, Yi Chen, Chenqi Lin, Runsheng Wang, Meng Li
* [Permalink](
https://eprint.iacr.org/2025/1532)
* [Download](
https://eprint.iacr.org/2025/1532.pdf)
### Abstract
This paper presents an efficient framework for private Transformer inference that combines Homomorphic Encryption (HE) and Secure Multi-party Computation (MPC) to protect data privacy. Existing methods often leverage HE for linear layers (e.g., matrix multiplications) and MPC for non-linear layers (e.g., Softmax activation functions), but the conversion between HE and MPC introduces significant communication costs. The proposed framework, dubbed BLB, overcomes this by breaking down layers into fine-grained operators and further fusing adjacent linear operators, reducing the need for HE/MPC conversions. To manage the increased ciphertext bit width from the fused linear operators, BLB proposes the first secure conversion protocol between CKKS and MPC and enables CKKS-based computation of the fused operators. Additionally, BLB proposes an efficient matrix multiplication protocol for fused computation in Transformers. Extensive evaluations on BERT-base, BERT-large, and GPT2-base show that BLB achieves a $21\times$ reduction in communication overhead compared to BOLT (S&P'24) and a $2\times$ reduction compared to Bumblebee (NDSS'25), along with latency reductions of $13\times$ and $1.8\times$, respectively, when leveraging GPU acceleration.
## 2025/1533
* Title: PARSAN-Mix: Packet-Aware Routing and Shuffling with Additional Noise for Latency Optimization in Mix Networks (Extended Version)
* Authors: Mahdi Rahimi
* [Permalink](
https://eprint.iacr.org/2025/1533)
* [Download](
https://eprint.iacr.org/2025/1533.pdf)
### Abstract
Mix networks (mix-nets) offer strong anonymity by routing client packets through intermediary hops, where they are shuffled with other packets to obscure their origins from a global adversary monitoring all communication exchanges. However, this anonymity is achieved at the expense of increased end-to-end latency, as packets traverse multiple hops (incurring routing delays) and experience additional delays at each hop for shuffling purposes. Consequently, the overall latency for delivering a messagerCocomprising multiple packetsrCois determined by the packet with the highest combined routing and shuffling delay, which can significantly degrade the client experience, particularly in latency-sensitive applications.
To address this issue, our work \textbf{first} derives the theoretical statistics of the total latency experienced by a message, revealing a clear correlation between latency and the number of packets. \textbf{Second}, we propose two approaches to reduce this total latency. First, we present a method to adjust the shuffling delays at each hop, offsetting potential anonymity loss by integrating client-generated noise, backed by differential privacy guarantees. Next, we introduce packet-aware routing techniques, offering two novel methods that prioritize messages with more packets, forwarding them through faster links. However, this may cause certain nodes to be overloaded with disproportionate traffic. To solve this, we \textbf{third} introduce an efficient load-balancing algorithm to redistribute traffic without compromising the packet-aware nature of the routing. \textbf{Finally}, through comprehensive analytical and simulation experiments, we validate our theoretical latency bounds and evaluate the efficacy of our latency management strategies. The results confirm both methods substantially reduce latency with minimal impact on anonymity, while the strategic routing method remains robust against advanced adversarial attacks.
Note that this paper is an extended version of PARSAN-Mix (accepted and presented at ACNS 2025), mainly aimed at providing full proofs of the theorems together with additional empirical analysis.
## 2025/1534
* Title: RBOOT: Accelerating Homomorphic Neural Network Inference by Fusing ReLU within Bootstrapping
* Authors: Zhaomin Yang, Chao Niu, Benqiang Wei, Zhicong Huang, Cheng Hong, Tao Wei
* [Permalink](
https://eprint.iacr.org/2025/1534)
* [Download](
https://eprint.iacr.org/2025/1534.pdf)
### Abstract
A major bottleneck in secure neural network inference using Fully Homomorphic Encryption (FHE) is the evaluation of non-linear activation functions like ReLU, which are inefficient to compute under FHE. State-of-the-art solutions approximate ReLU using high-degree polynomials, incurring significant computational overhead. We propose novel methods for functional bootstrapping with CKKS, and based on these methods we present RBOOT, an optimized framework that seamlessly integrates ReLU evaluation into CKKS bootstrapping, significantly reducing multiplication depth and boosting efficiency. Our key insight is that the EvalMod step in CKKS bootstrapping is composed of trigonometric functions, which can be transformed into various common non-linear functions. By co-optimizing these components, we can exploit such non-linearity to construct ReLU (and other non-linear functions) within the bootstrapping process itself, greatly reducing the computation overhead. Results on four widely used CNN models show that RBOOT achieves $2.77\times$ faster end-to-end inference and $81\%$ lower memory usage compared to previous polynomial approximation works, while maintaining comparable accuracy.
## 2025/1535
* Title: Tight Bounds on Uniform-Challenge Black-Box Reductions from Sigma Protocols
* Authors: Iftach Haitner, Nikolaos Makriyannis
* [Permalink](
https://eprint.iacr.org/2025/1535)
* [Download](
https://eprint.iacr.org/2025/1535.pdf)
### Abstract
Sigma protocols are fundamental cryptographic tools, serving as the foundation of many practical schemesrComost notably, the Schnorr identification and signature schemes. To prove the security of Sigma protocols, one typically reduces breaking a Sigma protocol to solving a presumed hard problem (e.g., computing the discrete logarithm in a certain group). In many settings, however, these reductions are not tight: given an adversary that breaks a Sigma protocol with probability $\varepsilon$, the reduction only yields an adversary for the underlying problem with probability $\varepsilon^2$. This quadratic loss affects efficiency, as it forces choosing larger security parameters to reach a target security level.
In this work, we show that this quadratic loss is inherent for two natural classes of reductions. For interactive protocols, we prove it for uniform-challenge, black-box reductions, which query the adversary using uniformly sampled challenges. For non-interactive protocols (i.e., in the random-oracle model), we prove it for weakly programmable, black-box reductions, which answer the adversaryrCOs oracle queries with uniformly sampled outputs. Applying our bounds to the reductions from Schnorr identification and signatures to discrete logarithm yields lower bounds that match known positive resultsrConamely, the classical worst-case reduction of Pointcheval and Stern (Journal of Cryptology, 2000) and the higher-moment reduction of Rotem and Segev (Journal of Cryptology, 2024).
Our approach reduces the analysis of such reductions to the values of simple hitting gamesrCocombinatorial games that we introduce. Bounding these games is our main technical contribution, and we believe these bounds can enable more modular proofs of related results.
## 2025/1536
* Title: Inner-Product Commitments Over Integers With Applications to Succinct Arguments
* Authors: Shihui Fu
* [Permalink](
https://eprint.iacr.org/2025/1536)
* [Download](
https://eprint.iacr.org/2025/1536.pdf)
### Abstract
Proving statements over integers is crucial in modern cryptographic protocols because certain computations, such as range proofs and Diophantine satisfiability, are more efficiently expressed over integers. Currently, the prevailing approach to achieve this is to convert the integer relations into statements tractable for proof systems over a finite field $\mathbb{Z}_p$. However, finding these corresponding tractable statements over $\mathbb{Z}_p$ is not always straightforward, and in practical schemes, the conversion often introduces computational overheads. Therefore, there is a growing interest in proving the statements directly over integers.
Due to the significant applicability of inner-product arguments (IPA) in constructing succinct proof systems, in this work, we extend them to work natively in the integer setting. We introduce and construct inner-product commitment schemes over integers that allow a prover to open two committed integer vectors to a claimed inner product. The commitment size is constant and the verification proof size is logarithmic in the vector length. The construction significantly improves the slackness parameter of witness extraction, surpassing the existing state-of-the-art approach. Our construction is based on the folding techniques for Pedersen commitments defined originally over $\mathbb{Z}_p$. We develop general-purpose techniques to make it work properly over $\mathbb{Z}$, which may be of independent interest.
Building upon our IPAs, we first present a novel batchable argument of knowledge of nonnegativity of exponents that can be used to further reduce the proof size of Dew-PCS (Arun et al., PKC 2023). Second, we present a construction for range proofs that allows for extremely efficient batch verification of a large number of range proofs over much larger intervals. We also provide a succinct zero-knowledge argument of knowledge with a logarithmic-size proof for more general arithmetic circuit satisfiability over integers.
## 2025/1537
* Title: Privacy-Preserving Two-Party RBF Kernel SVM Training Based on Neat and Accurate Secure Exponentiation
* Authors: Qingyu Mo, Wenyuan Wu, Jingwei Chen
* [Permalink](
https://eprint.iacr.org/2025/1537)
* [Download](
https://eprint.iacr.org/2025/1537.pdf)
### Abstract
Privacy-preserving machine learning (PPML) is a powerful tool for multiple parties to collaboratively train a model or perform model inference without exposing their private data in the context of Internet of things. A key challenge in PPML is the efficient evaluation of non-polynomial functions. In this work, we propose NASE, a neat and accurate secure exponentiation protocol for radius basis function (RBF) kernel evaluation. Leveraging the property of the RBF kernel, NASE enjoys a lightweight construction that reduces computation overhead by up to 1.65$\times$ and communication overhead by up to 3.97$\times$ compared to SIRNN, the prior SOTA framework for secure exponentiation published in IEEE S\&P 2021.
Taking NASE as the foundation stone, we propose a privacy-preserving two-party kernel SVM training protocol. Based on BFV scheme and MPC technique, we introduce group-batch sampling for sampling in ciphertext and propose the partial rotation method tailored to our scenario to optimize dot product computation. Additionally, we propose an error-tolerant $DReLU$ protocol for secure sign evaluation of secret sharings over a prime field that reduces the communication cost by around $\frac{1}{3}$ compared to the existing method. Our protocol achieves model accuracy comparable to plaintext training according to experiments on real-world datasets, and an order-of-magnitude reduction in both communication and computation overhead is attained compared to the previous work.
## 2025/1538
* Title: Evaluating Ascon in Secure Multi-Party Computation using Reverse Multiplication-Friendly Embeddings
* Authors: Peter Schwarz, Erik Pohle, Aysajan Abidin, Bart Preneel
* [Permalink](
https://eprint.iacr.org/2025/1538)
* [Download](
https://eprint.iacr.org/2025/1538.pdf)
### Abstract
We present the first systematic study on communication-efficient evaluation of the lightweight cipher family Ascon within secure multi-party computation (MPC).
By leveraging AsconrCOs parallel, bit-oriented structure, we adapt its design using Reverse Multiplication-Friendly Embeddings (RMFEs, introduced by Cascudo et al.\ in CRYPTO'18) in a single-circuit evaluation, enabling efficient packing of groups of bits into field elements.
Our protocol, which uses relatively small RMFEs, achieves substantial reductions in communication cost compared to baseline MPC protocols.
For example, in a medium-sized setting (with $n = 13$ MPC parties), our protocol reduces the communication cost for an Ascon permutation by roughly $38\%$.
For large amounts of parties (e.g., $n=255$), the reduction can reach $50\%$.
These improvements are achieved even though RMFEs only pack a few bits per field element, due to favorable amortization of both substitution and linear layers.
We also provide a Boolean circuit implementation of Ascon in the MP-SPDZ framework, enabling straightforward benchmarking.
Our findings are particularly beneficial for bandwidth-constrained environments where the use of lightweight ciphers, such as Ascon, is necessary due to the resource limitations of client devices, as in the case of transciphering data from IoT sensors.
Since our optimizations target the Ascon permutation, they naturally extend to all cryptographic modes (encryption, decryption, hashing) defined for the standard.
## 2025/1539
* Title: EvH: Randomized Symmetric Cipher Paradigm with Holographic Storage and Parallelism, Compression, & Erasure Recovery Integration
* Authors: Hillel Avni, Shlomi Dolev, Komal Kumari, Stav Perle Elbar, Shantanu Sharma, Jeffrey Ullman, Moti Yung
* [Permalink](
https://eprint.iacr.org/2025/1539)
* [Download](
https://eprint.iacr.org/2025/1539.pdf)
### Abstract
Standard symmetric encryption schemes, such as AES and block ciphers and their modes in general, are highly effective for many standard scenarios. But what if the situation is somewhat different from the standard: e.g., the encrypting process may fail to update the ciphertext at some limited number of times, can the decryption recover the message in full, nevertheless? Or, another situation is when encrypting a bulk of messages that should be packed together within the same ciphertext space (i.e., encryption done holographically)? Can a process compress the messages this way? Another issue may be that we want to hide the ciphertext and camouflage it as some other cryptographic exchange (like exchanging an encrypted set to perform a protocol like rCLprivate set intersectionrCY), or when we want to hide the number of messages packed together? Can a paradigm be developed that allows these non-standard properties that, under specific working conditions, may become necessary? Can it be based directly on a simple symmetric key cryptographic tool (and preferably be post-quantum)? This paper introduces Encryption via Hash (EvH), a symmetric randomized cipher built upon keyed cryptographic hash (i.e., MAC) functions and Bloom Filters. EvHrCOs core novelty lies in its prefix decryption capability. This unique property enables a paradigm in which encryption is tightly integrated with online compression and robust resilience to omission errors. By representing message prefixes in a Bloom filter, EvH allows a receiver to decrypt the initial part of a message even if subsequent data is lost and recover from an omission of a prefix decryption in the middle of the encipherment process, a significant advantage over conventional block cipher modes. Furthermore, this prefix-based approach facilitates simultaneous compression during the decryption phase by dynamically pruning invalid message continuations, using shared k-gram dictionaries or Large Language Models (LLMs). The result is a stateless and parallelizable cipher that, while computationally distinct from traditional ciphers, offers unique functional benefits for such specific use cases, and the price is that its correctness is ensured probabilistically (but the error can be well controlled and made small).
## 2025/1540
* Title: A Fine-Grained and Real-Time Functional Video Encryption and Sharing Scheme
* Authors: Haikuo Yu, Jiahui Hou, Suyuan Liu, Lan Zhang, Xiang-Yang Li
* [Permalink](
https://eprint.iacr.org/2025/1540)
* [Download](
https://eprint.iacr.org/2025/1540.pdf)
### Abstract
In video-centric applications, video objects and backgrounds often contain sensitive information, which raises serious privacy concerns. It is necessary to restrict access to certain objects or backgrounds in the video stream while allowing permitted users to view a specific subset of video content. However, masking the prohibited objects for each user, then encoding and delivering each individually processed video to the target user will generate multiple copies of the same video. This can lead to significant storage, processing, and communication overhead when the number of users is large. In this work, inspired by the idea of functional encryption, we propose a fine-grained and real-time video encryption and sharing scheme, named FVES$^+$. In FVES$^+$, we encode and encrypt the videos only once, and different users can decode and decrypt the encrypted videos to acquire different contents depending on their access authorities. Theoretically, FVES$^+$ achieve IND-CPA security.
We implement and evaluate FVES$^+$ using PC and mobile devices as end-devices. FVES$^+$ achieves real-time performance, averaging $35.1$ FPS across three public datasets, including the stages of object detection, encoding, and encryption. When there are $n$ different access requirements by end-users, FVES$^+$ improves video sharing speed by $\Theta(n)\times$ compared to the baseline methods. Our experiments validate the effectiveness and efficiency of FVES$^+$.
## 2025/1541
* Title: Adaptive Attack on Static POK|e Keys
* Authors: David Lim, Yan Bo Ti
* [Permalink](
https://eprint.iacr.org/2025/1541)
* [Download](
https://eprint.iacr.org/2025/1541.pdf)
### Abstract
Isogeny-based cryptosystems continue to show promise in post-quantum cryptography. In recent years, numerous constructions have been proposed, one of which is POK|e, a compact and efficient public-key exchange system that uses higher-dimensional isogenies. This paper leverages a well-known adaptive attack on SIDH by Galbrath, Petit, Shani and Ti, and demonstrates a similar attack on POK|e, when given a key exchange oracle with the same assumptions as those posed by Galbraith et al. This attack relies on the user to employ long-term static keys which is against the intent of the designers of POK|e. Indeed, this attack provides further evidence that POK|e should not be used with a long-term static key.
## 2025/1542
* Title: SAT-Based Space Partitioning and Applications to Ascon-Hash256
* Authors: Guozhen Liu, Shun Li, Huina Li, Weidong Qiu, Siwei Sun
* [Permalink](
https://eprint.iacr.org/2025/1542)
* [Download](
https://eprint.iacr.org/2025/1542.pdf)
### Abstract
We introduce an efficient SAT-based space partitioning technique that enables systematic exploration of large search spaces in cryptanalysis. The approach divides complex search spaces into manageable subsets through combinatorial necklace generation, allowing precise tracking of explored regions while maintaining search completeness.
We demonstrate the technique's effectiveness through extensive cryptanalysis of Ascon-Hash256. For differential-based collision attacks, we conduct an exhaustive search of 2-round collision trails, proving that no collision trail with weight less than 156 exists. Through detailed complexity analysis and parameter optimization, we present an improved 2-round collision attack with complexity $2^{61.79}$. We also discover new Semi-Free-Start (SFS) collision trails that enable practical attacks on both 3-round and 4-round Ascon-Hash256, especially improving the best known 4-round SFS trail from weight 295 to 250.
Furthermore, applying the technique to Meet-in-the-Middle structure search yields improved attacks on 3-round Ascon-Hash256. We reduce the collision attack complexity from $2^{116.74}$ to $2^{114.13}$ with memory complexity $2^{112}$ (improved from $2^{116}$), and the preimage attack complexity from $2^{162.80}$ to $2^{160.75}$ with memory complexity $2^{160}$ (improved from $2^{162}$).
## 2025/1543
* Title: Multiforked Iterated Even-Mansour and a Note on the Tightness of IEM Proofs
* Authors: Elena Andreeva, Amit Singh Bhati, Andreas Weninger
* [Permalink](
https://eprint.iacr.org/2025/1543)
* [Download](
https://eprint.iacr.org/2025/1543.pdf)
### Abstract
The Iterated Even-Mansour (IEM) construction was introduced by Bogdanov et al. at EUROCRYPT 2012 and can be seen as an abstraction or idealization of blockciphers like AES. IEM provides insights into the soundness of this blockcipher structure and the best possible security for any number of rounds. IEM with $r$ permutations on $n$-bit blocks is secure up to $q \approx 2^{rn/(r+1)}$ queries to the cipher and each permutation.
Forkciphers, introduced at ASIACRYPT 2019 as expanding symmetric ciphers, have since found applications in encryption, authenticated encryption and key derivation. Kim et al. (ToSC 2020) proposed the first IEM-style forkcipher, FTEM, but their security proof is limited to a 2-round design with tweak processing based on XORing AXU hashes. This offers limited insight into practical forkciphers like ForkSkinny, which use 40 to 56 rounds and a different tweak schedule. No security results currently exist for forked IEM constructions with more than two rounds.
We propose a generalized forked IEM construction called GIEM which integrates any tweakey schedule (including tweak-dependent round keys or constant keys) and thus encompasses IEM, FTEM and similar IEM-related constructions.
We define three forkcipher-related instantiations, FEM (2 branches and no tweaks), FTEMid (2 branches and idealized tweakey schedule) and MFTEM (unlimited branches and AXU-based tweakey schedule).
We prove that each construction achieves security similar to the respective non-forked construction.
This shows the soundness of the forking design strategy and can serve as a basis for new constructions with more than two branches.
In their work, Bogdanov et al. also propose an attack against IEM using $q \approx 2^{rn/(r+1)}$ queries, which is used in a number of follow-up works to argue the tightness of IEM-related security bounds. In this work, we demonstrate that the attack is ineffective with the specified query complexity. To salvage the purported tightness results, we turn to an attack by Gazi (CRYPTO 2013) against cascading block ciphers and provide the necessary parameters to apply it to IEM. This validates the tightness of the known IEM security bound.
## 2025/1544
* Title: MDS Diffusion Layers for Arithmetization-Oriented Symmetric Ciphers: The Rotational-Add Construction
* Authors: Baofeng Wu, Wen Kong, Dewei Kong, Hailun Yan
* [Permalink](
https://eprint.iacr.org/2025/1544)
* [Download](
https://eprint.iacr.org/2025/1544.pdf)
### Abstract
We introduce the rotational-add diffusion layers aimed for applications in the design of arithmetization-oriented (AO) symmetric ciphers, such as fully homomorphic encryption (FHE)-friendly symmetric ciphers. This generalizes the rotational-XOR diffusion layers which have been utilized in the design of many important conventional symmetric ciphers like SHA-256, SM4, ZUC and Ascon. A rotational-add diffusion layer is defined over the finite field $\mathbb{F}_{p}$ for arbitrary prime $p$, enabling implementations using only rotations and modular additions/subtractions. The advantage of using such diffusion layers in AO ciphers is that, the costs of scalar multiplications can be reduced since the appearing scalars include only $\pm 1$, thus the total costs depend on sizes of the rotation offsets. In this paper, we investigate characterizations and constructions of lightest rotational-add diffusion layers over $(\mathbb{F}_{p}^{m})^{n}$ that are maximum distance separable (MDS) with a focus on the case $n=4$. It turns out that the minimum achievable size of the rotation offsets is 5 subject to the MDS property constraint. We specify a large class of rotational-add diffusion layers with 5 rotations and traverse all possible patterns of appearance of the scalars $\pm1$. In four cases we can derive computationally tractable necessary and sufficient conditions for the rotational-add diffusion layers to attain the MDS property. These conditions enable explicit characterization of suitable primes $p$ for given parameters. Leveraging these results, we construct three distinct families of rotational-add MDS diffusion layers applicable to AO ciphers. Although a rotational-add diffusion layer with 7 rotations and only additions has already been used in the design of the FHE-friendly block cipher YuX recently, to our knowledge, our work presents the first systematic theoretical characterization of rotational-add MDS diffusion layers and provides explicit constructions of them.
--- Synchronet 3.21a-Linux NewsLink 1.2