From Newsgroup: sci.crypt
## In this issue
1. [2024/1663] A Hidden-Bits Approach to Statistical ZAPs from LWE
2. [2025/981] Algebraic Cryptanalysis of AO Primitives Based on ...
3. [2025/1063] MIZAR: Boosting Secure Three-Party Deep Learning ...
4. [2025/1300] PlasmaFold: An Efficient and Scalable Layer 2 with ...
5. [2025/1500] Data Matching in Unequal Worlds and Applications to ...
6. [2025/1551] M&M: Secure Two-Party Machine Learning through ...
7. [2025/1552] Minimalist Model for Impossible Differentials
8. [2025/1553] Understanding Unexpected Fixed-Key Differential ...
9. [2025/1598] How to kickstart Secure Message Transfer with Short ...
10. [2025/1603] Post-quantum Security of Key-Alternating Feistel ...
11. [2025/1611] Probabilistic Skipping-Based Data Structures with ...
12. [2025/1612] Low-Latency Rate-Distortion-Perception Trade-offs ...
13. [2025/1613] Tightly Secure Inner-Product Functional Encryption ...
14. [2025/1614] Broadcast-Optimal Secure Computation From Black-Box ...
15. [2025/1615] The Chaotic Entropic Expansion (CEE): A Transparent ...
16. [2025/1616] Transforming the POKE public key Protocol into a ...
17. [2025/1617] Game-Theoretically Fair Coin Toss with Arbitrary ...
18. [2025/1618] IND-CPA-D and KR-D Security With Reduced Noise from ...
19. [2025/1619] Generic Anonymity Wrapper for Messaging Protocols
20. [2025/1620] The Coding Limits of Robust Watermarking for ...
21. [2025/1621] Page-efficient Encrypted Multi-Maps: New Techniques ...
22. [2025/1622] General Modularity Lemmata about Random Variable ...
23. [2025/1623] Tetris: Versatile TFHE LUT and Its Application to ...
24. [2025/1624] New Limits for Homomorphic Encryption
25. [2025/1625] A Practical and Fully Distributed E-Voting Protocol ...
26. [2025/1626] Post-Quantum Blockchain: Transition Landscape ...
27. [2025/1627] IND-CPA-D of Relaxed Functional Bootstrapping: A ...
28. [2025/1628] Fully Adaptive Decentralized MA-ABE: Simplified, ...
29. [2025/1629] Solving Concealed ILWE and its Application for ...
30. [2025/1630] Velox: Scalable Fair Asynchronous MPC from ...
31. [2025/1631] Computationally and Communication Efficient Batched ...
32. [2025/1632] Enhancing the DATF Technique in Differential-Linear ...
33. [2025/1633] LastRings: Lattice-based Scalable Threshold Ring ...
34. [2025/1634] BlockLens: Detecting Malicious Transactions in ...
35. [2025/1635] Haystack ciphers: White-box countermeasures as ...
36. [2025/1636] Differentially Private Access in Encrypted Search: ...
37. [2025/1637] Pseudorandom Correlation Functions from Ring-LWR
38. [2025/1638] Rayls II: Fast, Private, and Compliant CBDCs
39. [2025/1639] Rayls: A Novel Design for CBDCs
40. [2025/1640] On the construction of Barnes-Wall lattices and ...
41. [2025/1641] Fujisaki-Okamoto Transformation under Average-Case ...
42. [2025/1642] Mixed Arithmetic-Binary Circuits in Fluid MPC ...
43. [2025/1643] SCA-GPT: Generation-Plan-Tool Assisted LLM Agent ...
44. [2025/1644] Fast Pseudorandom Correlation Functions from Sparse LPN
45. [2025/1645] Hardened CTIDH: Dummy-Free and Deterministic CTIDH
46. [2025/1646] Scalable zkSNARKs for Matrix Computations: A ...
47. [2025/1647] Universally Composable Password-Hardened Encryption
48. [2025/1648] Breaking Full ChiLow-32
49. [2025/1649] SQIsign with Fixed-Precision Integer Arithmetic
50. [2025/1650] WISCH: Efficient data signing via correlated signatures
51. [2025/1651] On the Cardinality of the Walsh Support of a ...
52. [2025/1652] Computing Pairings on Elliptic Curves with ...
## 2024/1663
* Title: A Hidden-Bits Approach to Statistical ZAPs from LWE
* Authors: Eli Bradley, George Lu, Shafik Nassar, Brent Waters, David J. Wu
* [Permalink](
https://eprint.iacr.org/2024/1663)
* [Download](
https://eprint.iacr.org/2024/1663.pdf)
### Abstract
We give a new approach for constructing statistical ZAP arguments (a two-message public-coin statistically witness indistinguishable argument) from quasi-polynomial hardness of the learning with errors (LWE) assumption with a polynomial modulus-to-noise ratio. Previously, all ZAP arguments from lattice-based assumptions relied on correlation-intractable hash functions. In this work, we present the first construction of a ZAP from LWE via the classic hidden-bits paradigm. Our construction matches previous lattice-based schemes by being public-coin and satisfying statistical witness indistinguishability.
## 2025/981
* Title: Algebraic Cryptanalysis of AO Primitives Based on Polynomial Decomposition Applications to Rain and Full AIM-IIIIV
* Authors: Hong-Sen Yang, Qun-Xiong Zheng, Jing Yang
* [Permalink](
https://eprint.iacr.org/2025/981)
* [Download](
https://eprint.iacr.org/2025/981.pdf)
### Abstract
The LowMC-based post-quantum signature scheme Picnic was selected as a third-round candidate for NIST PQC, attracting wide attention to the design of efficient and secure post-quantum signature schemes using Symmetric Techniques for Advanced Protocols (STAP). Symmetric primitives designed for advanced protocols such as secure multi-party computation (MPC), fully homomorphic encryption (FHE), and zero-knowledge (ZK) proof systems, with the goal of reducing the number of multiplication operations, are referred to as arithmetic-oriented (AO) primitives. These cryptographic primitives are typically constructed over large finite fields, which makes classical statistical analysis methods like differential and linear cryptanalysis inefficient. Due to their inherent algebraic properties, the mainstream security evaluation approaches are based on algebraic attacks. In this paper, we analyze the security of the MPC-friendly primitives \textsc{Rain} (CCS 2022) and AIM (CCS 2023) used in the post-quantum signature schemes Rainier and AIMer. Existing algebraic attacks on \textsc{Rain} and AIM were conducted over $\mathbb{F}_2$. We propose a novel algebraic attack over $\mathbb{F}_{2^n}$ that uses the polynomial decomposition to reduce degrees of equations. By further combining with the guess-and-determine technique, meet-in-the-middle modeling, and resultant, we are able to attack \textsc{Rain} and the full AIM. Specifically, we successfully attacked 2-round \textsc{Rain} with $2^{73.7}/2^{107.0}/2^{138.9}$ primitive calls, 3-round \textsc{Rain} with $2^{167.6}/2^{243.6}/2^{319.1}$ field operations, for the $128/192/256$-bit key. For the full AIM, we successfully attacked it with $2^{114.0}/2^{163.2}/2^{228.3}$ primitive calls for the $128/192/256$-bit key. The attack complexities mainly lie in solving univariate polynomial equations and computing resultants, and hence the complexity evaluations are accurate.
## 2025/1063
* Title: MIZAR: Boosting Secure Three-Party Deep Learning with Co-Designed Sign-Bit Extraction and GPU Acceleration
* Authors: Ye Dong, Xudong Chen, Xiangfu Song, Yaxi Yang, Tianwei Zhang, Jin-Song Dong
* [Permalink](
https://eprint.iacr.org/2025/1063)
* [Download](
https://eprint.iacr.org/2025/1063.pdf)
### Abstract
Three-party secret sharing-based computation has emerged as a promising approach for secure deep learning, benefiting from its high throughput. However, it still faces persistent challenges in computing complex operations such as secure Sign-Bit Extraction, particularly in high-latency and low-bandwidth networks. A recent work, Aegis (Lu et al., Cryptology ePrint'2023), made significant strides by proposing a constant-round DGK-style Sign-Bit Extraction protocol with GPU acceleration on Piranha (Watson et. al., USENIX Security'2022). However, Aegis exhibits two critical limitations: it \romannumeral1) overlooks the use of \textit{bit-wise prefix-sum}, and \romannumeral2) inherits non-optimized modular arithmetic over prime fields and excessive memory overhead from the underlying GPU-based MPC framework. This results in suboptimal performance in terms of communication, computation, and GPU memory usage.
Driven by the limitations of Aegis, we propose an optimized constant-round secure Sign-Bit Extraction protocol with communication and GPU-specific optimizations. Concretely, we construct a new masked randomized list by exploiting the upper bound of bit-wise prefix-sum to reduce online communication by up to $50\%$, and integrate fast modular-reduction and kernel fusion techniques to enhance GPU utilization in MPC protocols. Besides, we propose specific optimizations for secure piecewise polynomial approximations and Maxpool computation in neural network evaluations. Finally, we instantiate these protocols as a framework MIZAR and report their improved performance over state-of-the-art GPU-based solutions: \romannumeral1) For secure Sign-Bit Extraction, we achieve a speedup of $2$--$2.5\times$ and reduce communication by $2$--$3.5\times$. \romannumeral2) Furthermore, we improve the performance of secure evaluation of nonlinear functions and neural networks by $1.5$--$3.5\times$. \romannumeral3) Lastly, our framework achieves $10\%$--$50\%$ GPU memory savings.
## 2025/1300
* Title: PlasmaFold: An Efficient and Scalable Layer 2 with Client-Side Proving * Authors: Pierre Daix-Moreux, Chengru Zhang
* [Permalink](
https://eprint.iacr.org/2025/1300)
* [Download](
https://eprint.iacr.org/2025/1300.pdf)
### Abstract
Despite the growing popularity of blockchains, their scalability remains a significant challenge. Layer-2s (L2s) aim to address this by introducing an operator to process transactions off-chain and post compact summaries to the Layer-1 (L1). However, existing L2 designs struggle with unsatisfactory throughput improvements, complex exit games, limited data availability, stringent synchronization requirements or high computational overhead for users.
This paper introduces PlasmaFold, a novel L2 designed to overcome each of those limitations. PlasmaFold utilizes a hybrid architecture: an operator (aggregator) generates proofs on server side for the honest construction of blocks, while users maintain balance proofs on their own devices. This separation of concerns enables instant, non-interactive exits via balance proofs, while block proofs handle most of the validations, minimizing usersrCO costs. By leveraging Incrementally Verifiable Computation (IVC), PlasmaFold achieves both instant synchronization and concrete efficiency. Using PlasmaFold proving routines, users can update their balance proofs within a browser in under 1 second per transaction using less than 1 GB of RAM. Our construction does not impact scaling, we show that it remains possible to leverage recent verifiable plasma research designed to keep a minimal on-chain footprint, thereby enabling PlasmaFold to reach a theoretical throughput of over 14000 transactions per second.
## 2025/1500
* Title: Data Matching in Unequal Worlds and Applications to Smart Contracts
* Authors: Dmitry Khovratovich, Mikhail Vladimirov, Benedikt Wagner
* [Permalink](
https://eprint.iacr.org/2025/1500)
* [Download](
https://eprint.iacr.org/2025/1500.pdf)
### Abstract
SNARKs enable compact proofs that an NP statement is true and that the prover knows a valid witness. They have become a key building block in modern smart contract applications, including rollups and privacy-focused cryptocurrencies.
In the widely used Groth16 framework, however, long statements incur high costs.
A common workaround is to pass the statementrCOs hash to the SNARK and move the statement into the witness. The smart contract then hashes the statement first, and the circuit that is proven additionally checks consistency of the hash and the statement.
Unfortunately, virtually any hash function is expensive to call either in a smart contract (in terms of gas) or in the proven circuit (in terms of prover time).
We demonstrate a novel solution to this dilemma, which we call hybrid compression. Our method allows us to use two different hash functionsrCoone optimized for the proof circuit, and another optimized for on-chain verificationrCothereby combining the efficiency advantages of both. We prove the security of this approach in the standard model under reasonable assumptions about the two hash functions, and our benchmarks show that it achieves near-optimal performance in both gas usage and prover time. As an example, compressing an 8 KB statement with our approach results in a 10-second prover time and a smart contract spending 270K gas, whereas the existing approaches either need a much longer proof generation (290 seconds for SHA-256 hashing) or a much more expensive contract (5M gas for Poseidon hashing).
Along the way, we develop a two-party protocol of independent interest in communication complexity: an efficient deterministic method for checking input equality when the two parties do not share the same hash function.
## 2025/1551
* Title: M&M: Secure Two-Party Machine Learning through Efficient Modulus Conversion and Mixed-Mode Protocols
* Authors: Ye Dong, Wen-jie Lu, Xiaoyang Hou, Kang Yang, Jian Liu
* [Permalink](
https://eprint.iacr.org/2025/1551)
* [Download](
https://eprint.iacr.org/2025/1551.pdf)
### Abstract
Secure two-party machine learning has made substantial progress through the use of mixed-mode protocols. Despite these advancements, existing approaches often suffer from efficiency bottlenecks due to the inherent mismatch between the optimal domains of various cryptographic primitives, such as Homomorphic Encryption and Oblivious Transfer. In response to these challenges, we introduce the \tNAME{} framework, which features an efficient modulus conversion protocol. This breakthrough enables seamless integration of the most suitable cryptographic subprotocols within their optimal modulus domains, allowing linear computations to be executed over a prime modulus and nonlinear computations over a two-power modulus, with a minimal modulus conversion overhead. We further establish new benchmarks for the performance of fundamental primitives, namely comparison and multiplication, across various two-party techniques, together with our practical optimizations to improve efficiency. By incorporating these techniques, \tNAME{} demonstrates significant performance enhancements over state-of-the-art solutions: \romannumeral1) we report a $6\times$-$100\times$ improvement for approximated truncations with 1-bit error tolerance; \romannumeral2) an average of $5\times$ (resp. $4\times$) reduction in communication (resp. runtime) for machine learning functions; \romannumeral3) and a 25\%-99\% improvement in cost-efficiency for private inference of deep neural networks and 50\% improvement in private training of gradient boosting decision trees.
## 2025/1552
* Title: Minimalist Model for Impossible Differentials
* Authors: Patrick Derbez, Marie Euler
* [Permalink](
https://eprint.iacr.org/2025/1552)
* [Download](
https://eprint.iacr.org/2025/1552.pdf)
### Abstract
This paper introduces a new MILP modeling to find impossible differential (ID) distinguishers and attacks. Standard models for ID are negative models, in the sense that a differential is impossible if and only if the model has no solution. Our new modelling technique focuses on probable ID, differentials that are probably impossible. While this might lead to false positives, the main advantage is that searching for such probable ID can be achieved through a positive model. This facilitates the search for the best impossible differential attacks without first exhausting all possible ID distinguishers on a target. We also propose to simplify the modelling by only considering two possible states for internal cells: inactive and unknown. In this case there are no longer direct contradictions but only indirect ones, assuming that it is impossible that all cells are inactive.
With these two simple ideas, we are able to retrieve the longest impossible differentials distinguishers on MIDORI, SKINNY, PRESENT, SIMON, Simeck and SPECK. Furthermore, as the model looking for candidates is based on satisfiability, it can be incorporated in a larger model which looks directly for the best attacks in order to enumerate the distinguishers in the order of the complexity of the associated attacks, which we did for the AES, ARADI, SIMON and SKINNY.
## 2025/1553
* Title: Understanding Unexpected Fixed-Key Differential Behaviours: How to Avoid Major Weaknesses in Lightweight Designs (Extended Version)
* Authors: Anne Canteaut, Merlin Fruchon
* [Permalink](
https://eprint.iacr.org/2025/1553)
* [Download](
https://eprint.iacr.org/2025/1553.pdf)
### Abstract
Many design strategies and differential attacks rely on the so-called hypothesis of stochastic equivalence, which states that the differential behaviour of a cipher for any fixed key can be approximated by its average behaviour over all keys. However, this assumption is known to be invalid in general. For instance, all two-round differential characteristics of AES are plateau, meaning that their probabilities highly depend on the key. While such discrepancies were traditionally expected to occur only for a small number of rounds, several counter-examples have been exhibited recently thanks to the quasi-differential framework.
This paper aims to show why the divergence between fixed-key and average behaviour can be even more pronounced and is definitely harder to anticipate when analyzing differentials, rather than individual characteristics, which is the quantity actually relevant in differential cryptanalysis. Indeed, when a differential aggregates many characteristics that do not satisfy the hypothesis of stochastic equivalence, several scenarios may arise: the sets of weak keys may be identical across all characteristics, resulting in a strong clustering effect, or entirely disjoint, eliminating any such effect. Focusing on (truncated) differentials that include plateau characteristics, we demonstrate how this mechanism explains the unexpected differential behaviour observed in Midori64 and Scream over an arbitrary number of rounds, as recently reported by Baudrin et al. We also clarify how this situation differs from invariant subspaces, except in a few specific cases. Furthermore, we identify the properties of the Sbox that give rise to this weakness and all vulnerable Sboxes among the optimal 4-bit functions.
## 2025/1598
* Title: How to kickstart Secure Message Transfer with Short Authentication Strings and Out-Of-Band Communication
* Authors: Wasilij Beskorovajnov, J||rn M|+ller-Quade
* [Permalink](
https://eprint.iacr.org/2025/1598)
* [Download](
https://eprint.iacr.org/2025/1598.pdf)
### Abstract
We study rCLsend this data to that device nowrCY exchanges under an active network adversary without PKI or pre-shared secrets. We model a human-verifiable out-of-band channel for comparing short codes as a first-class UC functionality. Building on this, we give two commitment-style protocols, a one-sided and a mutual one, that are direct UC equivalents of MANA-IV and prove they realize authenticated channels with explicit misbinding parameter \(\varepsilon=2^{-t}\). We then compose SAS-based authentication with standard KEM/DEM encryption to obtain a UC-secure message-transfer functionality, preserving the explicit \(\varepsilon\) under composition, and we detail practical instantiations over signatures or MACs.
Complementing the theory, we systematize real-world tooling: popular file-transfer utilities either form unauthenticated WebRTC/DTLS channels or use PAKE rCLone-coderCY designs that couple rendezvous and a longer password string but none deploy a session-bound SAS.
Our approach decouples rendezvous from authentication and reduces the out-of-band burden to comparing a short \(t\)-bit string.
We also sketch an RO-free variant (coin-flip plus non-malleable commitments) with the same user interface.
## 2025/1603
* Title: Post-quantum Security of Key-Alternating Feistel Ciphers
* Authors: Jyotirmoy Basak, Ritam Bhaumik, Amit Kumar Chauhan, Ravindra Jejurikar, Ashwin Jha, Anandarup Roy, Andr|- Schrottenloher, Suprita Talnikar
* [Permalink](
https://eprint.iacr.org/2025/1603)
* [Download](
https://eprint.iacr.org/2025/1603.pdf)
### Abstract
Since Kuwakado and Morii's work (ISIT 2010 & ISITA 2012), it is known that the classically secure 3-round Luby-Rackoff PRP and Even-Mansour cipher become insecure against an adversary equipped with quantum query access. However, while this query model (the so-called Q2 model) has led to many more attacks, it seems that restricting the adversary to classical query access prevents such breaks (the so-called Q1 model). Indeed, at EUROCRYPT 2022, Alagic et al. proved the Q1-security of the Even-Mansour cipher. Notably, such a proof needs to take into account the dichotomy between construction queries, which are classical, and primitive queries, which are quantum (since the random oracle / permutation models a public function that the adversary can compute).
In this paper, we focus on Feistel ciphers. More precisely, we consider Key-Alternating Feistels built from random functions or permutations. We borrow the tools used by Alagic et al. and adapt them to this setting, showing that in the Q1 setting: $\bullet$ the 3-round Key-Alternating Feistel, even when the round functions are the same random oracle, is a pseudo-random permutation; $\bullet$ similarly the 4-round KAF is a strong pseudo-random permutation.
## 2025/1611
* Title: Probabilistic Skipping-Based Data Structures with Robust Efficiency Guarantees
* Authors: Marc Fischlin, Moritz Huppert, Sam A. Markelon
* [Permalink](
https://eprint.iacr.org/2025/1611)
* [Download](
https://eprint.iacr.org/2025/1611.pdf)
### Abstract
Probabilistic data structures like hash tables, skip lists, and treaps support efficient operations through randomized hierarchies that enable "skipping" elements, achieving sub-linear query complexity on average for perfectly correct responses. They serve as critical components in performance-sensitive systems where correctness is essential and efficiency is highly desirable. While simpler than deterministic alternatives like balanced search trees, these structures traditionally assume that input data are independent of the structure's internal randomness and state - an assumption questionable in malicious environments - potentially leading to a significantly increased query complexity. We present adaptive attacks on all three aforementioned structures that, in the case of hash tables and skip lists, cause exponential degradation compared to the input-independent setting. While efficiency-targeting attacks on hash tables are well-studied, our attacks on skip lists and treaps provide new insights into vulnerabilities of skipping-based probabilistic data structures. Next, we propose simple and efficient modifications to the original designs of these data structures to provide provable security against adaptive adversaries. Our approach is formalized through Adaptive Adversary Property Conservation (AAPC), a general security notion that captures deviation from the expected efficiency guarantees in adversarial scenarios. We use this notion to present rigorous robustness proofs for our versions of the data structures. Lastly, we perform experiments whose empirical results closely agree with our analytical results.
## 2025/1612
* Title: Low-Latency Rate-Distortion-Perception Trade-offs Through Randomized Distributed Function Computations
* Authors: Onur Gunlu, Maciej Skorski, H. Vincent Poor
* [Permalink](
https://eprint.iacr.org/2025/1612)
* [Download](
https://eprint.iacr.org/2025/1612.pdf)
### Abstract
Semantic communication systems focus on the transmission of meaning rather than the exact reconstruction of data, reshaping communication network design to achieve transformative efficiency in latency-sensitive and bandwidth-limited scenarios. Within this context, we investigate the rate-distortion-perception (RDP) problem for image compression, which plays a central role in producing perceptually realistic outputs under rate constraints. By employing the randomized distributed function computation (RDFC) framework, we derive an achievable non-asymptotic RDP region that captures the finite blocklength trade-offs among rate, distortion, and perceptual quality, aligning with the objectives of semantic communications. This region is further generalized to include either side information or a secrecy requirement, the latter ensuring strong secrecy against eavesdroppers through physical-layer security mechanisms and maintaining robustness in the presence of quantum-capable adversaries. The main contributions of this work are: (i) achievable bounds for non-asymptotic RDP regions subject to realism and distortion constraints; (ii) extensions to cases where side information is available at both the encoder and decoder; (iii) achievable, nonasymptotic RDP bounds with strong secrecy guarantees; (iv) characterization of the asymptotic secure RDP region under a perfect realism constraint; and (v) demonstrations of significant rate reductions and the effects of finite blocklengths, side information, and secrecy constraints. These findings offer concrete guidelines for the design of low-latency, secure, and high-fidelity image compression and generative modeling systems that generate realistic outputs, with relevance for, e.g., privacy-critical applications.
## 2025/1613
* Title: Tightly Secure Inner-Product Functional Encryption Revisited: Compact, Lattice-based, and More
* Authors: Shuai Han, Hongxu Yi, Shengli Liu, Dawu Gu
* [Permalink](
https://eprint.iacr.org/2025/1613)
* [Download](
https://eprint.iacr.org/2025/1613.pdf)
### Abstract
Currently, the only tightly secure inner-product functional encryption (IPFE) schemes in the multi-user and multi-challenge setting are the IPFE scheme due to Tomida (Asiacrypt 2019) and its derivatives. However, these tightly secure schemes have large ciphertext expansion and are all based on the matrix decisional Diffie-Hellman (DDH) assumption.
To improve the efficiency of tightly secure IPFE and enrich the diversity of its underlying assumptions, we construct a set of tightly secure IPFE schemes, with very compact ciphertexts and efficient algorithms, from the matrix DDH, the decisional composite residuosity (DCR), and the learning-with-errors (LWE) assumptions, respectively. In particular,
-- our DDH-based scheme has about 5|u~100|u shorter public/secret keys, 2|u~2.9|u shorter ciphertexts and about 5|u~100|u faster algorithms than all existing tightly secure IPFE schemes, at the price of 3~7 bits of decreased security level, resolving an open problem raised by Tomida (Asiacrypt 2019);
-- our DCR-based scheme constitutes the first tightly secure IPFE scheme from the DCR assumption;
-- our LWE-based scheme is the first almost tightly secure IPFE scheme from lattices, hence achieving post-quantum security.
We obtain our schemes by proposing a generic and flexible construction of IPFE with a core technical tool called two-leveled inner-product hash proof system (TL-IP-HPS). Specifically, our IPFE construction is in a compact design, and to achieve tight security, we propose an economic proof strategy to reuse the spaces in such compact IPFE. Interestingly, our new proof strategy also applies to the loosely secure IPFE schemes proposed by Agrawal, Libert and Stehl|- (Crypto 2016), and yields a tighter bound on their security loss.
## 2025/1614
* Title: Broadcast-Optimal Secure Computation From Black-Box Oblivious Transfer * Authors: Michele Ciampi, Divya Ravi, Luisa Siniscalchi, Yu Xia
* [Permalink](
https://eprint.iacr.org/2025/1614)
* [Download](
https://eprint.iacr.org/2025/1614.pdf)
### Abstract
When investigating the round-complexity of multi-party computation protocols (MPC) protocols, it is common to assume that in each round parties can communicate over broadcast channels. However, broadcast is an expensive resource, and as such its use should be minimized. For this reason, Cohen, Garay, and Zikas (Eurocrypt 2020) investigated the tradeoffs between the use of broadcast in two-round protocols assuming setup and the achievable security guarantees.
Despite the prolific line of research that followed the results of Cohen, Garay, and Zikas, none of the existing results considered the problem of minimizing the use of broadcast while relying in a EYaAEYaOEYaAEYaEEYay-EYaAEYaLEYaN way on the underlying cryptographic primitives.
In this work, we fully characterize the necessary and sufficient requirements in terms of broadcast usage in the EYaaEYauEYaaraAEYaLEYacEYaAEYaaEYai EYaUEYaAEYauEYaLEYafEYauEYaiEYaa setting for round-optimal MPC with black-box use of minimal cryptographic assumptions. Our main result shows that to securely realize any functionality with EYaoEYacEYaAEYacEYauEYaUEYaLEYaoEYaa EYaAEYaAEYaLEYafEYai in the common reference string model with black-box use of two-round oblivious transfer it is necessary and sufficient for the parties to adhere to the following pattern: in the first two rounds the parties exchange messages over peer-to-peer channels, and in the last round the messages are sent over a broadcast channel. We also extend our results to the correlated randomness setting where we prove that one round of peer-to-peer interaction and one round of broadcast is optimal to evaluate any functionality with unanimous abort.
## 2025/1615
* Title: The Chaotic Entropic Expansion (CEE): A Transparent Post-Quantum Data Confidentiality Primitive via Entropic Chaotic Maps
* Authors: MINKA MI NGUIDJOI Thierry Emmanuel
* [Permalink](
https://eprint.iacr.org/2025/1615)
* [Download](
https://eprint.iacr.org/2025/1615.pdf)
### Abstract
Weintroduce the Chaotic Entropic Expansion (CEE), a new one-way function based on iterated
polynomial maps over finite fields. For polynomials f in a carefully defined class Fd, we
prove that N iterations preserve min-entropy of at least log2q reA N log2d bits and achieve
statistical distance ren (q reA 1)(dN reA 1)/(2reUq) from uniform. We formalize security through the
Affine Iterated Inversion Problem (AIIP) and provide reductions to the hardness of solving
multivariate quadratic equations (MQ) and computing discrete logarithms (DLP).
Against quantum adversaries, CEE achieves O(2++/2) security for ++-bit classical security. We
provide comprehensive cryptanalysis and parameter recommendations for practical deployment.
While slower than AES, CEErCOs algebraic structure enables unique applications in verifiable
computation and post-quantum cryptography within the CASH framework.
## 2025/1616
* Title: Transforming the POKE public key Protocol into a Key Encapsulation Mechanism
* Authors: Nouhou Abdou Idris, Yunusa Abdulsalam, Mustapha Hedabou
* [Permalink](
https://eprint.iacr.org/2025/1616)
* [Download](
https://eprint.iacr.org/2025/1616.pdf)
### Abstract
The inherent presence of large-scale quantum computers is
deemed to threaten the traditional public-key cryptographic systems.
As a result, NIST has necessitated the development of post-quantum
cryptography (PQC) algorithms. Isogeny-based schemes have compact
key sizes; however, there have been some fundamental vulnerabilities in
the smooth-degree isogeny systems. Therefore, the literature has concentrated its efforts on higher-dimensional isogenies of non-smooth degrees.
In this work, we present POKE-KEM, a key encapsulation mechanism
(KEM) derived from the POKE public-key encryption (PKE) scheme
via a Fujisaki-Okamoto (FO) transformation with its corresponding optimized security levels during transformation. Despite POKErCOs efficiency
advantages, its current formulation provides only IND-CPA security, limiting practical deployment where adaptive chosen-ciphertext security is
essential. The resulting POKE-KEM construction achieves IND-CCA security under the computational hardness of the C-POKE problem in both
the random oracle model (ROM) and quantum random oracle model
(QROM). Our implementation demonstrates significant practical advantages across all NIST security levels (128, 192, and 256 bits), supporting
the practical viability of POKE-KEM for post-quantum cryptographic
deployments. We provide a comprehensive security analysis including
formal proofs of correctness, rigidity, and IND-CCA security. Our underlying construction leverages the difficulty of recovering isogenies with
unknown, non-smooth degrees, resistant to known quantum attacks
## 2025/1617
* Title: Game-Theoretically Fair Coin Toss with Arbitrary Preferences
* Authors: Forest Zhang, Ke Wu
* [Permalink](
https://eprint.iacr.org/2025/1617)
* [Download](
https://eprint.iacr.org/2025/1617.pdf)
### Abstract
Fair multi-party coin toss protocols are fundamental to many cryptographic applications. While Cleve's celebrated result (STOC'86) showed that strong fairness is impossible against half-sized coalitions, recent works have explored a relaxed notion of fairness called Cooperative-Strategy-Proofness (CSP-fairness).
CSP-fairness ensures that no coalition has an incentive to deviate from the protocol. Previous research has established the feasibility of CSP-fairness against majority-sized coalitions, but these results focused on specific preference structures where each player prefers exactly one outcome out of all possible choices. In contrast, real-world scenarios often involve players with more complicated preference structures, rather than simple binary choices.
In this work, we initiate the study of CSP-fair multi-party coin toss protocols that accommodate arbitrary preference profiles, where each player may have an unstructured utility distribution over all possible outcomes. We demonstrate that CSP-fairness is attainable against majority-sized coalitions even under arbitrary preferences.
In particular, we give the following results:
\begin{itemize}
\item We give a reduction from achieving CSP-fairness for arbitrary preference profiles to achieving CSP-fairness for structured split-bet profiles, where each player distributes the same amount of total utility across all outcomes.
\item We present two CSP-fair protocols: (1) a \emph{size-based protocol}, which defends against majority-sized coalitions, and (2) a \emph{bets-based protocol}, which defends against coalitions controlling a majority of the total utilities.
\item Additionally, we establish an impossibility result for CSP-fair binary coin toss with split-bet preferences, showing that our protocols are nearly optimal.
\end{itemize}
## 2025/1618
* Title: IND-CPA-D and KR-D Security With Reduced Noise from the HintLWE Problem
* Authors: Tabitha Ogilvie
* [Permalink](
https://eprint.iacr.org/2025/1618)
* [Download](
https://eprint.iacr.org/2025/1618.pdf)
### Abstract
Approximate Homomorphic Encryption (AHE), introduced by Cheon et al. [CKKS17] offers a powerful solution for encrypting real-valued data by relaxing the correctness requirement and allowing small decryption errors. Existing constructions from (Ring) Learning with Errors achieve standard IND-CPA security, but this does not fully capture scenarios where an adversary observes decrypted outputs. Li and Micciancio [LiMic21] showed that when decryptions are passively leaked, these schemes become vulnerable to practical key recovery attacks even against honest-but-curious attackers. They formalise security when decryptions are shared with new notions of IND-CPA-D and KR-D security.
We propose new techniques to achieve provable IND-CPA-D and KR-D security for AHE, while adding substantially less additional decryption noise than the prior provable results. Our approach hinges on refined "game-hopping" tools in the bit-security framework, which allow bounding security loss with a lower noise overhead. We also give a noise-adding strategy independent of the number of oracle queries, removing a costly dependence inherent in the previous solution.
Beyond generic noise-flooding, we show that leveraging the recently introduced HintLWE problem [KLSS23] can yield particularly large security gains for AHE ciphertexts that are the result of "rescaling", a common operation in CKKS. Our analysis uses the fact that rescale-induced noise amounts to a linear ``hint" on the secret to enable a tighter reduction to LWE (via HintLWE). In many practical parameter regimes where the rescaling noise dominates, our results imply an additional precision loss of as little as two bits is sufficient to restore a high level of security against passive key-recovery attacks for standard parameters.
Overall, our results enable a provably secure and efficient real-world deployment of Approximate Homomorphic Encryption in scenarios with realistic security requirements.
## 2025/1619
* Title: Generic Anonymity Wrapper for Messaging Protocols
* Authors: Lea Thiemt, Paul R||sler, Alexander Bienstock, Rolfe Schmidt, Yevgeniy Dodis
* [Permalink](
https://eprint.iacr.org/2025/1619)
* [Download](
https://eprint.iacr.org/2025/1619.pdf)
### Abstract
Modern messengers use advanced end-to-end encryption protocols to protect message content even if user secrets are ever temporarily exposed. Yet, encryption alone does not prevent user tracking, as protocols often attach metadata, such as sequence numbers, public keys, or even plain user identifiers. This metadata reveals the social network as well as communication patterns between users. Existing protocols that hide metadata in Signal (i.e., Sealed Sender), for MLS-like constructions (Hashimoto et al., CCS 2022), or in mesh networks (Bienstock et al., CCS 2023) are relatively inefficient or specially tailored for only particular settings. Moreover, all existing practical solutions reveal crucial metadata upon exposures of user secrets.
In this work, we introduce a formal definition of Anonymity Wrappers (AW) that generically hide metadata of underlying two-party and group messaging protocols. Our definition captures forward and post-compromise anonymity as well as authenticity in the presence of temporary state exposures. Inspired by prior wrapper designs, the idea of our provably secure AW construction is to use shared keys of the underlying wrapped (group) messaging protocols to derive and continuously update symmetric keys for hiding metadata. Beyond hiding metadata on the wire, we also avoid and hide structural metadata in users' local states for stronger anonymity upon their exposure.
We implement our construction, evaluate its performance, and provide a detailed comparison with Signal's current approach based on Sealed Sender: Our construction reduces the wire size of small 1:1 messages from 441 bytes to 114 bytes. For a group of 100 members, it reduces the wire size of outgoing group messages from 7240 bytes to 155 bytes. We see similar improvements in computation time for encryption and decryption, but these improvements come with substantial storage costs for receivers. For this reason, we develop extensions with a Bloom filter for compressing the receiver storage. Based on this, Signal considers deploying our solution.
## 2025/1620
* Title: The Coding Limits of Robust Watermarking for Generative Models
* Authors: Danilo Francati, Yevin Nikhel Goonatilake, Shubham Pawar, Daniele Venturi, Giuseppe Ateniese
* [Permalink](
https://eprint.iacr.org/2025/1620)
* [Download](
https://eprint.iacr.org/2025/1620.pdf)
### Abstract
We prove a sharp threshold for the robustness of cryptographic watermarking for generative models. This is achieved by introducing a coding abstraction, which we call messageless secret-key codes, that formalizes sufficient and necessary requirements of robust watermarking: soundness, tamper detection, and pseudorandomness. Thus, we establish that robustness has a precise limit: For binary outputs no scheme can survive if more than half of the encoded bits are modified, and for an alphabet of size q the corresponding threshold is $(1reA1/q)$ of the symbols.
Complementing this impossibility, we give explicit constructions that meet the bound up to a constant slack. For every $\delta > 0$, assuming pseudorandom functions and access to a public counter, we build linear-time codes that tolerate up to $(1/2)(1reA\delta)$ errors in the binary case and $(1reA1/q)(1reA\delta)$ errors in the $q$-ary case. Together with the lower bound, these yield the maximum robustness achievable under standard cryptographic assumptions.
We then test experimentally whether this limit appears in practice by looking at the recent watermarking for images of Gunn, Zhao, and Song (ICLR 2025). We show that a simple crop and resize operation reliably flipped about half of the latent signs and consistently prevented belief-propagation decoding from recovering the codeword, erasing the watermark while leaving the image visually intact.
These results provide a complete characterization of robust watermarking, identifying the threshold at which robustness fails, constructions that achieve it, and an experimental confirmation that the threshold is already reached in practice.
## 2025/1621
* Title: Page-efficient Encrypted Multi-Maps: New Techniques for Optimal Search Bandwidth
* Authors: Francesca Falzon, Zichen Gui, Michael Reichle
* [Permalink](
https://eprint.iacr.org/2025/1621)
* [Download](
https://eprint.iacr.org/2025/1621.pdf)
### Abstract
Encrypted multi-maps (EMMs) allow a client to outsource a multi-map to an untrusted server and then later retrieve the values corresponding to a queried label. They are a core building block for various applications such as encrypted cloud storage and searchable encryption. One important metric of EMMs is memory-efficiency: most schemes incur many random memory accesses per search query, leading to larger overhead compared to plaintext queries. Memory-efficient EMMs reduce random accesses but, in most known solutions, this comes at the cost of higher query bandwidth.
This work focuses on EMMs run on SSDs and we construct two page-efficient schemes---one static and one dynamic---both with optimal search bandwidth. Our static scheme achieves $\bigOtilde{\log N/p}$ page-efficiency and $\bigo(1)$ client storage, where $N$ denotes the size of the EMM and $p$ the SSD's page size. Our dynamic scheme achieves forward and backward privacy with $\bigOtilde{\log N/p}$ page-efficiency and $\bigo(M)$ client storage, where $M$ denotes the number of labels. Among schemes with optimal server storage, these are the first to combine optimal bandwidth with good page-efficiency, saving up to $\bigo(p)$ and $\bigOtilde{p\log\log (N/p)}$ bandwidth over the state-of-the-art static and dynamic schemes, respectively. Our implementation on real-world data shows strong practical performance.
## 2025/1622
* Title: General Modularity Lemmata about Random Variable Commitment Schemes, and a Certified Laplace Mechanism
* Authors: Fredrik Meisingseth, Christian Rechberger, Fabian Schmid
* [Permalink](
https://eprint.iacr.org/2025/1622)
* [Download](
https://eprint.iacr.org/2025/1622.pdf)
### Abstract
At Crypto'24, Bell et al. propose a definition of Certified Differential Privacy (DP) and a quite general blueprint for satisfying it. The core of the blueprint is the new primitive called random variable commitment schemes (RVCS). Bell et al. construct RVCS's for fair coins and binomial distributions.
In this work, we prove three lemmata that enable simple modular design of new RVCS's: First, we show that the properties of RVCS's are closed under polynomial sequential composition. Secondly, we show that homomorphically evaluating a function $f$ on the output of an RVCS for distribution $Z$ leads to an RVCS for distribution $f(Z)$. Thirdly, we show (roughly) that applying a `Commit-and-Prove'-style proof of knowledge for a function $f$ onto the output of an RVCS for distribution $Z$ results in an RVCS for distribution $f(Z)$. These lemmata together implies that there exists RVCS's for any distribution which can be sampled exactly in strict polynomial time, under, for instance, the discrete logarithm assumption. This is, to the best of our knowledge, the first result establishing the possibility of RVCS's for arbitrary distributions. We demonstrate the usefulness of these lemmata by constructing RVCS's for arbitrarily biased coins and a discrete Laplace distribution, leading to a certified DP protocol for a discrete Laplace mechanism. We observe that the definitions in BGKW do not directly allow sampling algorithms with non-zero honest abort probability, which rules out many practical sampling algorithms. We propose a slight relaxation of the definitions which enables the use of sampling methods with negligible abort probability. It is with respect to these weakened definitions that we prove our certified discrete Laplace mechanism.
## 2025/1623
* Title: Tetris: Versatile TFHE LUT and Its Application to FHE Instruction Set Architecture
* Authors: Ruida Wang, Jikang Bai, Xuan Shen, Xianhui Lu, Zhihao Li, Binwu Xiang, Zhiwei Wang, Hongyu Wang, Lutan Zhao, Kunpeng Wang, Rui Hou
* [Permalink](
https://eprint.iacr.org/2025/1623)
* [Download](
https://eprint.iacr.org/2025/1623.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) enables computation over encrypted data, but deployment is hindered by the gap between plaintext and ciphertext programming models. FHE compilers aim to automate this translation, with a promising approach being FHE Instruction Set Architecture (FHE-ISA) based on homomorphic look-up-tables (LUT). However, existing FHE LUT techniques are limited to 16-bit precision and face critical performance bottlenecks.
We introduce Tetris, a versatile TFHE LUT framework for high-precision FHE instructions. Tetris incorporates three advances: a) A GLWE-based design with refined noise control, enabling up to 32-bit LUTs; b) A batched TFHE circuit bootstrapping algorithm that enhances the LUT performance; and c) Adaptive parameterization and parallel execution strategy that is optimized for high-precision evaluation.
These techniques deliver: a) The first general FHE instruction set with 16-bit bivariate and 32-bit univariate operations; b) Performance improvements of 2|u-863|u over modern TFHE LUT approaches, and 2901|u lower latency than the leading CKKS-based solution [CRYPTO'25]; (c) Up to 65|u speedups over existing FHE-ISA implementations, and 3|u-40|u faster than related FHE compilers.
## 2025/1624
* Title: New Limits for Homomorphic Encryption
* Authors: Sven Sch|nge, Marc Vorstermans
* [Permalink](
https://eprint.iacr.org/2025/1624)
* [Download](
https://eprint.iacr.org/2025/1624.pdf)
### Abstract
We make progress on the foundational problem of determining the strongest security notion achievable by homomorphic encryption. Our results are negative. We prove that a wide class of semi-homomorphic public key encryption schemes (SHPKE) cannot be proven IND-PCA secure (indistinguishability against plaintext checkability attacks), a relaxation of IND-CCA security. This class includes widely used and versatile schemes like ElGamal PKE, Paillier PKE, and the linear encryption system by Boneh, Boyen, and Shacham (Crypto'04). Besides their homomorphic properties, these schemes have in common that they all provide efficient algorithms for recognizing valid ciphertexts (and public keys) from public values. In contrast to CCA security, where the adversary is given access to a decryption oracle, in a PCA attack, the adversary solely has access to an oracle that decides for a given ciphertext/plaintext pair $(c,m)$ if decrypting $c$ indeed gives $m$. Since the notion of IND-PCA security is weaker than IND-CCA security, it is not only easier to achieve, leading to potentially more efficient schemes in practice, but it also side-steps existing impossibility results that rule out the IND-CCA security.
To rule out IND-PCA security we thus have to rely on novel techniques. We provide two results, depending on whether the attacker is allowed to query the PCA oracle after it has received the challenge (IND-PCA2 security) or not (IND-PCA1 security -- the more challenging scenario). First, we show that IND-PCA2 security can be ruled out unconditionally if the number of challenges is smaller than the number of queries made after the challenge. Next, we prove that no Turing reduction can reduce the IND-PCA1 security of SHPKE schemes with $O(\kappa^3)$ PCA queries overall to interactive complexity assumptions that support $t$-time access to their challenger with $t=O(\kappa)$.
To obtain our second impossibility results, we develop a new meta-reduction-based methodology that can be used to tackle security notions where the attacker is granted access to a \emph{decision} oracle. This makes it challenging to utilize the
techniques of existing meta-reduction-based impossibility results that focus on definitions where the attacker is allowed to access an inversion oracle (e.g. long-term key corruptions or a signature oracle).
To obtain our result, we have to overcome several technical challenges that are entirely novel to the setting of public key encryption.
## 2025/1625
* Title: A Practical and Fully Distributed E-Voting Protocol for the Swiss Context
* Authors: V|-ronique Cortier, Alexandre Debant, Olivier Esseiva, Pierrick Gaudry, Audhild H|+g|Nsen, Chiara Spadafora
* [Permalink](
https://eprint.iacr.org/2025/1625)
* [Download](
https://eprint.iacr.org/2025/1625.pdf)
### Abstract
Internet voting in Switzerland for political elections is strongly regulated by the Federal Chancellery (FCh). It puts a great emphasis on the individual verifiability: security against a corrupted voting device is ensured via return codes, sent by postal mail. For a long time, the FCh was accepting to trust an offline component to set up data and in particular the voting material. Today, the FCh aims at removing this strong trust assumption.
We propose a protocol that abides by this new will. At the heart of our system lies a setup phase where several parties create the voting material in a distributed way, while allowing one of the parties to remain offline during the voting phase. A complication arises from the fact that the voting material has to be printed, sent by postal mail, and then used by the voter to perform several operations that are critical for security. Usability constraints are taken into account in our design,
both in terms of computation complexity (linear setup and tally) and in terms of user experience (we ask the voter to type a high-entropy string only once).
The security of our scheme is proved in a symbolic setting, using the ProVerif prover, for various corruption scenarios, demonstrating that it fulfills the ChancelleryrCOs requirements and sometimes goes slightly beyond them.
## 2025/1626
* Title: Post-Quantum Blockchain: Transition Landscape Amidst Evolving Complexity
* Authors: Kigen Fukuda, ShinrCOichiro Matsuo
* [Permalink](
https://eprint.iacr.org/2025/1626)
* [Download](
https://eprint.iacr.org/2025/1626.pdf)
### Abstract
The emergence of Cryptographically Relevant Quantum Com-
puters (CRQCs) poses an existential threat to the security of contem-
porary blockchain networks, which rely on public-key cryptography vul-
nerable to ShorrCOs algorithm. While the need for a transition to Post-
Quantum Cryptography (PQC) is widely acknowledged, the evolution of
blockchains from simple transactional ledgers to complex, multi-layered financial ecosystems has rendered early, simplistic migration plans ob-
solete. This paper provides a comprehensive analysis of the blockchain
PQC migration landscape as it stands in 2025. We dissect the core tech-
nical challenges, including the performance overhead of PQC algorithms,
the loss of signature aggregation efficiency vital for consensus and scala- bility, and the cascading complexities within Layer 2 protocols and smart contracts. Furthermore, the analysis extends to critical operational and socio-economic hurdles, such as the ethical dilemma of dormant assets
and the conflicting incentives among diverse stakeholders including users, developers, and regulators. By synthesizing ongoing community discus-
sions and roadmaps for Bitcoin, Ethereum, and others, this work estab-
lishes a coherent framework to evaluate migration requirements, aiming
to provide clarity for stakeholders navigating the path toward a quantum- secure future.
## 2025/1627
* Title: IND-CPA-D of Relaxed Functional Bootstrapping: A New Attack, A General Fix, and A Stronger Model
* Authors: Zeyu Liu, Yunhao Wang, Ben Fisch
* [Permalink](
https://eprint.iacr.org/2025/1627)
* [Download](
https://eprint.iacr.org/2025/1627.pdf)
### Abstract
Fully homomorphic encryption (FHE) is a powerful and widely used primitive in lots of real-world applications, with IND-CPA as its standard security guarantee. Recently, Li and Micciancio [Eurocrypt'21] introduced IND-CPA-D security, which strengthens the standard IND-CPA security by allowing the attacker to access a decryption oracle for honestly generated ciphertexts (generated via either an encryption oracle or an honest homomorphic circuit evaluation process).
Recently, Jung et al. [CCS'24] and Checri et al. [Crypto'24] have shown that even exact FHE schemes like FHEW/TFHE/BGV/BFV may still not be IND-CPA-D secure, by exploiting the bootstrapping failure. However, such existing attacks can be mitigated by setting negligible bootstrapping failure probability.
On the other hand, Liu and Wang [Asiacrypt'24] proposed relaxed functional bootstrapping, which has orders of magnitude performance improvement and furthermore allows a free function evaluation during bootstrapping. These efficiency advantages make it a competitive choice in many applications but its ``relaxed'' nature also opens new directions of IND-CPA-D attack. In this work, we show that the underlying secret key could be recovered within 10 minutes against all existing relaxed functional bootstrapping constructions, and even within 1 minute for some of them. Moreover, our attack works even with a negligible bootstrapping failure probability, making it immune to existing mitigation methods.
Additionally, we propose a general fix that mitigates all the existing modulus-switching-error-based attacks, including ours, in the IND-CPA-D model. This is achieved by constructing a new modulus switching procedure with essentially no overhead. Lastly, we show that IND-CPA-D may not be sufficient for some applications, even in the passive adversary model. Thus, we extend this model to IND-CPA-D with randomness (IND-CPA-DR).
## 2025/1628
* Title: Fully Adaptive Decentralized MA-ABE: Simplified, Optimized, ASP Supported
* Authors: Pratish Datta, Junichi Tomida, Nikhil Vanjani
* [Permalink](
https://eprint.iacr.org/2025/1628)
* [Download](
https://eprint.iacr.org/2025/1628.pdf)
### Abstract
We revisit decentralized multirCaauthority attributerCabased encryption (MArCaABE) through the lens of fully adaptive security -- the most realistic setting in which an adversary can decide onrCatherCafly which users and which attribute authorities to corrupt. Previous constructions either tolerated only static authority corruption or relied on highly complex rCLdual system with dualrCasubsystemsrCY proof technique that inflated ciphertexts and keys.
Our first contribution is a streamlined security analysis showing -- perhaps surprisingly -- that the classic LewkorCoWaters MA-ABE scheme [EUROCRYPT 2011] already achieves full adaptive security, provided its design is carefully reinterpreted and, more crucially, its security proof is re-orchestrated to conclude with an information-theoretic hybrid in place of the original target-group-based computational step. By dispensing with dual subsystems and target-group-based assumptions, we achieve a significantly simpler and tighter security proof along with a more lightweight implementation. Our construction reduces ciphertext size by 33 percent, shrinks user secret keys by 66 percent, and requires 50 percent fewer pairing operations during decryption -- all while continuing to support arbitrary collusions of users and authorities. These improvements mark a notable advance over the state-of-the-art fully adaptive decentralized MA-ABE scheme of Datta et al. [EUROCRYPT 2023]. We instantiate the scheme in both compositerCaorder bilinear groups under standard subgrouprCadecision assumptions and in asymmetric primerCaorder bilinear groups under the MatrixrCaDiffierCoHellman assumption. We further show how the KowalczykrCoWee attributerCareuse technique [EUROCRYPT 2019] seamlessly lifts our construction from ``onerCauserCOrCO boolean span programs (BSP) to ``multirCauserCOrCO policies computable in $\mathsf{NC^{1}}$, resulting in a similarly optimized construction over the state-of-the-art by Chen et al. [ASIACRYPT 2023].
Going beyond the Boolean world, we present the first MA-ABE construction for arithmetic span program (ASP) access policies, capturing a richer class of Boolean, arithmetic, and combinatorial computations. This advancement also enables improved concrete efficiency by allowing attributes to be handled directly as field elements, thereby eliminating the overhead of converting arithmetic computations into Boolean representations. The construction -- again presented in composite and prime orders -- retains decentralization and adaptive userrCakey security, and highlights inherent barriers to handling corrupted authorities in the arithmetic setting.
## 2025/1629
* Title: Solving Concealed ILWE and its Application for Breaking Masked Dilithium
* Authors: Simon Damm, Asja Fischer, Alexander May, Soundes Marzougui, Leander Schwarz, Henning Seidler, Jean-Pierre Seifert, Jonas Thietke, Vincent Quentin Ulitzsch
* [Permalink](
https://eprint.iacr.org/2025/1629)
* [Download](
https://eprint.iacr.org/2025/1629.pdf)
### Abstract
Lattice-based signatures like Dilithium (ML-DSA) prove knowledge of a secret key $s \in \mathbb{Z}_n$ by using Integer LWE (ILWE) samples $z = \langle \vec c, \vec s \rangle +y $, for some known hash value $c \in \mathbb{Z}_n$ of the message and unknown error $y$. Rejection sampling guarantees zero-knowledge, which makes the ILWE problem, that asks to recover s from many zrCOs, unsolvable.
Side-channel attacks partially recover y, thereby obtaining more informative samples resulting in arCopotentially tractablerCoILWE problem. The standard method to solve the resulting problem is Ordinary Least Squares (OLS), which requires independence of $y$ from $\langle c, s \rangle$ rCoan assumption that is violated by zero-knowledge samples.
We present efficient algorithms for a variant of the ILWE problem that was not addressed in prior work, which we coin Concealed ILWE (CILWE). In this variant, only a fraction of the ILWE samples is zero-knowledge. We call this fraction the concealment rate. This ILWE variant naturally occurs in side-channel attacks on lattice-based signatures. A case in point are profiling side-channel attacks on Dilithium implementations that classify whether y = 0. This gives rise to either zero-error ILWE samples $z = \langle c, s \rangle$ with $y = 0$ (in case of correct classification), or ordinary zero-knowledge ILWE samples (in case of misclassification).
As we show, OLS is not practical for CILWE instances, as it requires a prohibitively large amount of samples for even small (under 10%) concealment rates. A known integer linear programming-based approach can solve some CILWE instances, but suffers from two short-comings. First, it lacks provable efficiency guarantees, as ILP is NP-hard in the worst case. Second, it does not utilize small, independent error y samples, that could occur in addition to zero-knowledge samples. We introduce two statistical regression methods to cryptanalysis, Huber and Cauchy regression. They are both efficient and can handle instances with all three types of samples. At the same time, they are capable of handling high concealment rates, up to 90% in practical experiments. While Huber regression comes with theoretically appealing correctness guarantees, Cauchy regression performs best in practice. We use this efficacy to execute a novel profiling attack against a masked Dilithium implementation. The resulting ILWE instances suffer from both concealment and small, independent errors. As such, neither OLS nor ILP can recover the secret key. Cauchy regression, however, allows us to recover the secret key in under three minutes for all NIST security levels.
## 2025/1630
* Title: Velox: Scalable Fair Asynchronous MPC from Lightweight Cryptography
* Authors: Akhil Bandarupalli, Xiaoyu Ji, Aniket Kate, Chen-Da Liu-Zhang, Daniel P||llmann, Yifan Song
* [Permalink](
https://eprint.iacr.org/2025/1630)
* [Download](
https://eprint.iacr.org/2025/1630.pdf)
### Abstract
Multi-party computation (MPC) enables a set of mutually $n$ distrusting parties to compute any function on their private inputs. Mainly, MPC facilitates agreement on the functionrCOs output while preserving the secrecy of honest inputs, even against a subset of $t$ parties controlled by an adversary. With applications spanning from anonymous broadcast to private auctions, MPC is considered a cornerstone of distributed cryptography, and significant research efforts have been aimed at making MPC practical in the last decade. However, most libraries either make strong assumptions like the network being bounded synchronous, or incur high computation overhead from the extensive use of expensive public-key operations that prevent them from scaling beyond a few dozen parties.
This work presents Velox, an asynchronous MPC protocol that offers fairness against an optimal adversary corrupting up to $t<\frac{n}{3}$ parties. Velox significantly enhances practicality by leveraging lightweight cryptographic primitives - such as symmetric-key encryption and hash functions - which are 2-3 orders of magnitude faster than public-key operations, resulting in substantial computational efficiency. Moreover, Velox is highly communication-efficient, with linear amortized communication relative to circuit size and only $\mathcal{O}(n^3)$ field elements of additive overhead. Concretely, Velox requires just $9.33$ field elements per party per multiplication gate, more than $10\times$ reduction compared to the state of the art. Moreover, Velox also offers Post-Quantum Security as lightweight cryptographic primitives retain their security against a quantum adversary.
We implement Velox comprehensively, covering both offline and online phases, and evaluate its performance on a geographically distributed testbed through a real-world application: anonymous broadcast. Our implementation securely shuffles a batch of $k=256$ messages in $4$ seconds with $n=16$ parties and $18$ seconds with $n=64$ parties, a $36\times$ and $28.6\times$ reduction in latency compared to the prior best work. At scale with $n=112$ parties, Velox is able to shuffle the same batch of messages in under $50$ seconds from end to end, illustrating its effectiveness and scalability. Overall, our work removes significant barriers faced by prior asynchronous MPC solutions, making asynchronous MPC practical and efficient for large-scale deployments involving $100$s of parties.
## 2025/1631
* Title: Computationally and Communication Efficient Batched Asynchronous DPSS from Lightweight Cryptography
* Authors: Akhil Bandarupalli, Xiaoyu Ji, Soham Jog, Aniket Kate, Chen-Da Liu-Zhang, Yifan Song
* [Permalink](
https://eprint.iacr.org/2025/1631)
* [Download](
https://eprint.iacr.org/2025/1631.pdf)
### Abstract
Verifiable Secret Sharing (VSS) is a fundamental primitive in threshold cryptography and multi-party computation. It preserves secrecy, integrity, and availability of a shared secret for a fixed set of parties, with a subset of them being malicious. In practical applications, especially when the secret sharing is expected to be maintained over long durations, the VSS scheme should be able to cater to a dynamic setting where involved parties may change. The primitive known as Dynamic Proactive Secret Sharing (DPSS) is beneficial here, as it facilitates the secure transfer of secrets from the original committee to a new committee. Nevertheless, prior works on DPSS protocols either rely on unrealistic time bounds on message delivery or have a high computational cost, which limits their scalability beyond tens of parties.
In this work, we present a scalable asynchronous DPSS protocol that utilizes lightweight cryptographic tools, such as hash functions and symmetric-key encryption. Our protocol achieves full security and optimal fault tolerance with amortized linear communication costs. Unlike existing solutions, our proposed protocol is also post-quantum secure. By balancing computation and communication, our approach offers practical performance at scale. Our implementation results demonstrate improved scalability and efficiency, surpassing the current state-of-the-art achieving a $22.1\times$ lower latency than the prior best work. Furthermore, our solution also scales gracefully with increasing $n$ and reshares a batch of $100,000$ secrets between committees of sizes $n=112$ parties in under a minute.
## 2025/1632
* Title: Enhancing the DATF Technique in Differential-Linear Cryptanalysis
* Authors: Cheng Che, Tian Tian
* [Permalink](
https://eprint.iacr.org/2025/1632)
* [Download](
https://eprint.iacr.org/2025/1632.pdf)
### Abstract
Differential-linear cryptanalysis was introduced by Langford and Hellman at CRYPTO'94 and has been an important cryptanalysis method against symmetric-key primitives. The current primary framework for constructing differential-linear distinguishers involves dividing the cipher into three parts: the differential part $E_0$, the middle connection part $E_m$, and the linear part $E_1$. This framework was first proposed at EUROCRYPT 2019, where DLCT was introduced to evaluate the differential-linear bias of $E_m$ over a single round. Recently, the TDT method and the generalized DLCT method were proposed at CRYPTO 2024 to evaluate the differential-linear bias of $E_m$ covering multiple rounds. Unlike the DLCT framework, the DATF technique could also handle $E_m$ covering more rounds.
In this paper, we enhance the DATF technique in differential-linear cryptanalysis from three perspectives. First, we improve the precision of differential-linear bias estimation by introducing new transitional rules, a backtracking strategy, and a partitioning technique to DATF. Second, we present a general bias computation method for Boolean functions that significantly reduces computational complexity compared to the exhaustive search used by Liu et al. in the previous DATF technique. Third, we propose an effective method for searching for differential-linear distinguishers with good biases based on DATF. Additionally, the bias computation method has independent interests with a wide application in other cryptanalysis methods, such as differential cryptanalysis and cube attacks. Notably, all these enhancements to DATF are equally applicable to HATF. To show the validity and versatility of our new techniques, we apply the enhanced DATF to the NIST standard Ascon, the AES finalist Serpent, the NIST LWC finalist Xoodyak, and the eSTREAM finalist Grain v1. In all applications, we either present the first differential-linear distinguishers for more rounds or update the best-known ones.
## 2025/1633
* Title: LastRings: Lattice-based Scalable Threshold Ring Signatures
* Authors: Sohyun Jeon, Calvin Abou Haidar, Mehdi Tibouchi
* [Permalink](
https://eprint.iacr.org/2025/1633)
* [Download](
https://eprint.iacr.org/2025/1633.pdf)
### Abstract
In this paper, we construct the first lattice-based threshold ring signature scheme with signature size scaling logarithmically in the size of the ring while supporting arbitrary thresholds. Our construction is also concretely efficient, achieving signature sizes of less than 150kB for ring sizes up to $N = 4096$ (with threshold size $T=N/2$, say). This is substantially more compact than previous work.
Our approach is inspired by the recent work of Aardal et al. (CRYPTO 2024) on the compact aggregation of $\mathsf{Falcon}$ signatures, that uses the $\mathsf{LaBRADOR}$ lattice-based SNARKs to combine a collection of $\mathsf{Falcon}$ signatures into a single succinct argument of knowledge of those signatures. We proceed in a similar way to obtain compact threshold ring signatures from \falcon, but crucially require that the proof system be zero-knowledge in order to ensure the privacy of signers. Since $\mathsf{LaBRADOR}$ is not a zkSNARK, we associate it with a separate (non-succinct) lattice-based zero-knowledge proof system to achieve our desired properties.
## 2025/1634
* Title: BlockLens: Detecting Malicious Transactions in Ethereum Using LLM Techniques
* Authors: Chi Feng, Lei Fan
* [Permalink](
https://eprint.iacr.org/2025/1634)
* [Download](
https://eprint.iacr.org/2025/1634.pdf)
### Abstract
This paper presents BlockLens, a supervised, trace-level framework for detecting malicious Ethereum transactions using large language models. Unlike previous approaches that rely on static features or storage-level abstractions, our method processes complete execution traces, capturing opcode sequences, memory information, gas usage, and call structures to accurately represent the runtime behavior of each transaction. This framework harnesses the exceptional reasoning capabilities of LLMs for long input sequences and is fine-tuned on transaction data.
We present a tokenization strategy aligned with Ethereum Virtual Machine (EVM) semantics that converts transaction execution traces into tokens. Each transaction captures its complete execution trace through simulated execution and is sliced into overlapping chunks using a sliding window, allowing for long-range context modeling within memory constraints. During inference, the model outputs both a binary decision and a probability score indicating the likelihood of malicious behavior.
We implemented the framework based on LLaMA 3.2-1B and fine-tuned the model using LoRA. We evaluated it on a curated dataset that includes both real-world attacks and normal DeFi transactions. Our model outperforms representative baselines, achieving higher F1 scores and recall at top-k thresholds. Additionally, this work offers interpretable chunk-level outputs that enhance explainability and facilitate actionable decision-making in security-critical environments.
## 2025/1635
* Title: Haystack ciphers: White-box countermeasures as Symmetric encryption
* Authors: Alex Charl|?s, Aleksei Udovenko
* [Permalink](
https://eprint.iacr.org/2025/1635)
* [Download](
https://eprint.iacr.org/2025/1635.pdf)
### Abstract
In the area of white-box cryptography implementations, many existing protections are susceptible to attacks derived from physical cryptanalysis, which can be applied with minimal human effort and no prior design knowledge. The absence of a clear and comprehensive security model hinders the development of effective countermeasures against these attacks.
We introduce the Haystack ciphers, a formal model for the security of white-box countermeasures against such attacks. In this model, the countermeasures are represented simply as symmetric-key encryption schemes. We show that their chosen-plaintext (IND-CPA) security is closely related to the resistance of the countermeasures against computational trace-based attacks. Similarly, their chosen-ciphertext (IND-CCA) security is closely associated with the resistance against fault injection attacks in the white-box model.
Secure Haystack ciphers constitute the next formal milestone for advancing white-box designs and countermeasures, the minimal requirement that is not currently clearly achieved but is plausibly feasible with available tools.
We review the white-box literature with respect to our model and bridge the gap between white-box and fault attacks, which are very powerful but were only partially considered in the white-box literature so far. We study known fault protections from the physical cryptography literature and present new fault attacks in the white-box setting, which raises the need and shapes the requirements for future secure countermeasures against fault attacks.
## 2025/1636
* Title: Differentially Private Access in Encrypted Search: Achieving Privacy at a Small Cost?
* Authors: Daniel P||llman, Tianxin Tang
* [Permalink](
https://eprint.iacr.org/2025/1636)
* [Download](
https://eprint.iacr.org/2025/1636.pdf)
### Abstract
Encrypted search focuses on protecting sensitive data in outsourced environments while enabling private queries. Although standard encrypted search algorithms are efficient, they often leak some information about the queries and data. One such leakage is the access pattern on the outsourced storage. Recent leakage-abuse attacks have exploited this seemingly harmless leakage to successfully recover both queries and data, shifting research priorities towards finding the right balance between privacy and performance. While some proposals leverage oblivious RAM or other oblivious data structures to hide the access pattern, they typically incur significant bandwidth costs.
In response, researchers have developed new schemes that ensure access leakage satisfies differential privacy (DP). Yet the security implications of these new guarantees remain unclear. Especially, compared with conventional differential privacy, the application and threat model are significantly different. To understand these implications, we investigate two concrete instances of (encrypted) range-query schemes (appeared in SODA rCO19 and CCS rCO22) that achieve differentially private access. We analyze their security guarantees using inference attacks to recover queries and data on real-world datasets. Our findings raise a critical concern that ensuring access leakage is differentially private either falls short of providing strong security for the queries and data, diverging from the initial goals, or offers only weak security but at a high efficiency/correctness cost. As part of our analysis, we also propose a generic security definition for DP access, and identify two general techniques for leakage mitigation, bucketization and partitioning, that may be of independent interest.
## 2025/1637
* Title: Pseudorandom Correlation Functions from Ring-LWR
* Authors: Sebastian Hasler, Pascal Reisert, Ralf K|+sters
* [Permalink](
https://eprint.iacr.org/2025/1637)
* [Download](
https://eprint.iacr.org/2025/1637.pdf)
### Abstract
State-of-the-art actively secure multi-party computation protocols, like SPDZ (Damg|Nrd et al., CRYPTO 2012), use correlated randomness, like Beaver triples, to achieve a highly efficient online phase. For a long time, the generation of the correlated randomness in the offline phase relied on classical cryptographic primitives, like somewhat homomorphic encryption or oblivious transfer, that required significant communication.
More recently, Boyle et al. (FOCS 2020) defined a new primitive called pseudorandom correlation functions (PCFs) to generate correlated randomness non-interactively. PCFs set up keys for each party in an initial interactive phase, which can then be used by the parties to generate a large number of shares of the correlated randomness without further communication. In the random oracle model (ROM), two-party PCFs can be generically constructed based on evaluating a weak pseudorandom function (WPRF) using a powerful-enough HSS scheme. However, the concrete efficiency of instantiations of this approach has not been analyzed so far. There are also some works that construct PCFs based on other approaches, but they cannot be used for correlations of degree $\ge 2$ (e.g., Beaver triples) over large rings/fields (such as those used in SPDZ).
In this paper, we improve the complexity and concrete efficiency of PCFs over large rings/fields by presenting a new generic PCF based on the hardness of the Ring-Learning with Rounding problem (Ring-LWR) and FHE. We only share BFV keys in the initial interactive phase. The two parties then use the random oracle to locally sample BFV (pseudo-)ciphertexts encrypting pseudorandom plaintexts. We use a new bootstrapping algorithm for these (pseudo-)ciphertexts that reduces initially saturated noise to a level where the parties can use the homomorphic properties of the BFV scheme to correlate the encrypted randomness locally. Both parties can then produce, without further interaction, shares of the correlated randomness with their secret key share. Our new PCF works with any form of correlated randomness that can be expressed as an arithmetic circuit over a base ring $\mathbb Z_t$ or field $\mathbb F_{p^d}$, e.g., Beaver or matrix triples.
## 2025/1638
* Title: Rayls II: Fast, Private, and Compliant CBDCs
* Authors: Mario Yaksetig, Pedro M. F. Pereira, Stephen Yang, Mahdi Nejadgholi, Jiayu Xu
* [Permalink](
https://eprint.iacr.org/2025/1638)
* [Download](
https://eprint.iacr.org/2025/1638.pdf)
### Abstract
In this work, we introduce an upgrade to Rayls, a novel central bank digital currency (CBDC) design that provides privacy, high performance, and regulatory compliance. In the Rayls construction, commercial banks each run their own (private) ledger and are connected to an underlying decentralized programmable blockchain via a relayer.
We introduce an improved and more efficient protocol that allows for efficient anonymous transactions between banks, which is (still) called Enygma. Our design is 'quantum-private' as a quantum adversary is not able to infer any information (i.e., payer, payee, amounts) about the transactions that take place in the network. One of the main improvements of this work is that the design is now completely quantum-secure except for the current use of ZK-SNARKs. We note, however, that this is modular and can simply be updated as desired.
We achieve high performance in cross-bank settlement via the use of ZK-SNARKs and 'double' batching and an optimized ZK implementation, with a prover time three times faster than the initial implementation and a cheaper on-chain verifier. Our transactions consist of a set of commitments and a zero-knowledge proof. As a result, each transaction can pay more than 1 bank at once and, secondly, each of these individual commitments can contain aggregated transfers from multiple users. For example, bank A transfers $1M to a different bank B and that amount is actually a sum of multiple users making transfers to bank B. Commercial banks can then enforce regulatory rules locally within their ledgers. Our system is in production with one of the largest clearing houses in the world and is currently being explored in a CBDC pilot.
## 2025/1639
* Title: Rayls: A Novel Design for CBDCs
* Authors: Mario Yaksetig, Jiayu Xu
* [Permalink](
https://eprint.iacr.org/2025/1639)
* [Download](
https://eprint.iacr.org/2025/1639.pdf)
### Abstract
In this work, we introduce Rayls, a new central bank digital currency (CBDC) design that provides privacy, high performance, and regulatory compliance. In our construction, commercial banks each run their own (private) ledger and are connected to an underlying decentralized programmable blockchain via a relayer.
We also introduce a novel protocol that allows for efficient anonymous transactions between banks, which we call Enygma. Our design is `quantum-private' as a quantum adversary is not able to infer any information (i.e., payer, payee, amounts) about the transactions that take place in the network. We achieve high performance in cross-bank settlement via the use of ZK-SNARKs and 'double' batching. Concretely, our transactions consist of a set of commitments and a zero-knowledge proof. As a result, each transaction can pay more than 1 bank at once and, secondly, each of these individual commitments can contain aggregated transfers from multiple users. For example, bank A transfers $1M to a different bank B and that amount is actually a sum of multiple users making transfers to bank B. Commercial banks can then enforce regulatory rules locally within their ledgers. Our system is in production with one of the largest clearing houses in the world and is currently being explored in a CBDC pilot.
## 2025/1640
* Title: On the construction of Barnes-Wall lattices and their application in cryptography
* Authors: Artyom Kuninets, Anton Leevik, Ekaterina Malygina, Evgeniy Melnichuk, Denis Nabokov
* [Permalink](
https://eprint.iacr.org/2025/1640)
* [Download](
https://eprint.iacr.org/2025/1640.pdf)
### Abstract
In this work, we investigate the application of Barnes-Wall lattices in post-quantum cryptographic schemes. We survey and analyze several constructions of Barnes-Wall lattices, including subgroup chains, the generalized $k$-ing construction, and connections with Reed-Muller codes, highlighting their equivalence over both $\mathbb{Z}[i]$ and $\mathbb{Z}$. Building on these structural insights, we introduce a new algorithm for efficient sampling from discrete Gaussian distribution on $BW_{2^n}$ lattices. Our approach exploits the $k$-ing and squaring constructions to achieve low-variance sampling, which is particularly relevant for cryptographic applications such as digital signature schemes. We further examine the cryptographic hardness of Lattice Isomorphism Problem (LIP), showing that Barnes-Wall lattices provide inherent resistance to hull-based and other known attacks. Our results on sampling algorithms, combined with existing advances in the cryptanalysis of the LIP, indicate that Barnes-Wall lattices hold strong potential for the design of post-quantum schemes based on the LIP problem.
## 2025/1641
* Title: Fujisaki-Okamoto Transformation under Average-Case Decryption Error: Tighter and More General Proofs with Applications to PQC
* Authors: Jiangxia Ge, Kang Yang, Yang Yu, Yu Yu
* [Permalink](
https://eprint.iacr.org/2025/1641)
* [Download](
https://eprint.iacr.org/2025/1641.pdf)
### Abstract
The decryption error is an important parameter that requires estimation when applying the Fujisaki-Okamoto (FO) transformation. In general, compared with the worst-case decryption error $\delta_{wc}$, the average-case decryption error $\delta_{ac}$ is simpler to estimate, as the latter is decoupled from the malicious message selected by the adversary. In light of this, Duman et al. (PKC 2023) proposed FO variants $FOAC_0:=FO_m^\bot\circ ACWC_0$ and $FOAC:=FO_m^\bot\circ ACWC$, and subsequently proved their IND-CCA security based on $\delta_{ac}$ and $\gamma$-spread in the ROM and QROM.
In this paper, we revisit the security proof of these variants and obtain the following results:
1, We present a tighter IND-CCA security proof of $FOAC_0$ in the ROM and QROM, while removing the requirement of $\gamma$-spread imposed by Duman et al. Furthermore, as a direct corollary, we fill the gap in the IND-CCA security proof of BAT (CHES 2022) and give a correct one.
2, We present a tighter IND-CCA msecurity proof of $FOAC$ in the QROM. In this proof, we also provide a tighter OW-CPA security proof of ACWC in the QROM, which reduces the loss factor of $q^2$ introduced by Duman et al. to $q$. This actually answers an open question proposed by them, where $q$ denotes the total number of random oracle queries.
3, Based on FOmnbot, we define $FOACmnbot:=FOmnbot\circ ACWC$ and provide its IND-CCA security proof in the ROM and QROM. The advantage of FOACmnbot is that it neither introduces ciphertext expansion as $FOAC_0$ does nor requires $\gamma$-spread as FOAC does.
In addition, we propose a new Check Query Replacement technique to complete our QROM proofs, which may be of independent interest.
## 2025/1642
* Title: Mixed Arithmetic-Binary Circuits in Fluid MPC Against Honest Majority of 4-Party and Its Applications Against Semi-Honest Adversary
* Authors: Furkan Kerim |caba+f, O-fuz Yayla
* [Permalink](
https://eprint.iacr.org/2025/1642)
* [Download](
https://eprint.iacr.org/2025/1642.pdf)
### Abstract
Secure multi party computation protocols (MPC) translating between arithmetic and binary data types have recently gained attraction which is introduced by Rotaru and Wood in 2019, called daBit, and improved by Escudero et. al. called edaBits. EdaBits are simply secret shares in arithmetic domain and bit decomposition of the arithmetic share is the binary form the secret shares. These protocols are preprocessing for MPC protocols in order to improve efficiency. Furthermore, fluid MPC setting, introduced by Choudhuri, Goel, Green, Jain and Kaptchuk in 2021, is a framework which the parties, called dynamic parties, do not have be online throughout the whole process. Fluid MPC framework is still has to be worked and conventional protocols and techniques has to be adapted for it. Our work introduces an edaBits protocol specifically designed for the fluid MPC setting under a four-party honest-majority model. The protocol, which consists of eight subprotocols, achieves security against an honest majority and departs slightly from the traditional cut-and-choose paradigm. It attains linear memory and time complexity, as well as constant communication complexity. Finally, we demonstrate two applications that employ edaBits within the fluid MPC framework under the semi-honest adversary model.
## 2025/1643
* Title: SCA-GPT: Generation-Plan-Tool Assisted LLM Agent for Full-Automated Side-Channel Analysis on Cryptosystems
* Authors: Wenquan Zhou, An Wang, Yaoling Ding, Annv Liu, Jingqi Zhang, Jiakun Li, Liehuang Zhu
* [Permalink](
https://eprint.iacr.org/2025/1643)
* [Download](
https://eprint.iacr.org/2025/1643.pdf)
### Abstract
Non-invasive security constitutes an essential component of hardware security, primarily involving side-channel analysis (SCA), with various international standards explicitly mandating rigorous testing. However, current SCA assessments heavily depend on expert manual procedures, resulting in significant expenditures of time and resources. Automated evaluation frameworks are not yet available. In recent years, Large Language Models (LLMs) have been widely adopted in various fields such as language generation, owing to their emergent capabilities. Particularly, LLM agents equipped with tool-usage capabilities have significantly expanded the potential of these models to interact with the physical world.
Motivated by these recent advances in LLM agents, we propose SCA-GPT, a LLM agent framework tailored for SCA tasks. The framework incorporates a Retrieval-Augmented Generation (RAG)-based expert knowledge base along with multiple SCA tools. We present a domain-specific expert knowledge base construction approach and two complementary evaluation metrics. Retrieval experiments validate the effectiveness of our knowledge base construction, achieving an average weighted score of 88.7% and an nDCG@5 of 90%, which demonstrates the contribution of structured expert entries to retrieval accuracy.By effectively infusing expert knowledge, SCA-GPT achieves fully automated, end-to-end ISO/IEC 17825-compliant tests. We conduct comprehensive experiments across three leading LLMsrCoDeepSeek V3, Kimi K2 and GLM 4.5rCousing datasets spanning seven cryptographic algorithms (e.g., AES, RSA, ECC, Kyber) and deploying on four hardware platforms, including smart cards, microcontrollers, and FPGAs. Results show that DeepSeek V3, Kimi K2, and GLM 4.5 achieve accuracies of 91.0%, 87.7%, and 82.0%, respectively, with the agent reducing testing time by an average of 76% compared with manual procedures. Notably, SCA-GPT is the first advanced LLM agent specifically designed for SCA tasks.
## 2025/1644
* Title: Fast Pseudorandom Correlation Functions from Sparse LPN
* Authors: Lennart Braun, Geoffroy Couteau, Kelsey Melissaris, Mahshid Riahinia, Elahe Sadeghi
* [Permalink](
https://eprint.iacr.org/2025/1644)
* [Download](
https://eprint.iacr.org/2025/1644.pdf)
### Abstract
We introduce a new and efficient pseudorandom correlation function whose security reduces to the sparse LPN assumption in the random oracle model. Our construction is the first to achieve high concrete efficiency while relying on well-established assumptions: previous candidates either required introducing new assumptions, or had poor concrete performances. We complement our result with an in-depth analysis of the sparse LPN assumption, providing new insight on how to evaluate the strength of concrete sets of parameters.
## 2025/1645
* Title: Hardened CTIDH: Dummy-Free and Deterministic CTIDH
* Authors: Gustavo Banegas, Andreas Hellenbrand, Matheus Saldanha
* [Permalink](
https://eprint.iacr.org/2025/1645)
* [Download](
https://eprint.iacr.org/2025/1645.pdf)
### Abstract
Isogeny-based cryptography has emerged as a promising post-quantum alternative,
with CSIDH and its constant-time variants \ctidh and \dctidh offering efficient
group-action protocols. However, \ctidh and~\dctidh rely on dummy
operations in differential addition chains (DACs) and Matryoshka, which
can be exploitable by fault-injection attacks.
In this work, we present the first \emph{dummy-free} implementation of \dctidh. Our approach combines two recent ideas: \dacshund, which enforces equal-length DACs within each batch without padding, and a reformulated Matryoshka structure that removes dummy multiplications and validates all intermediate points.
Our analysis shows that small primes such as $3,5,$ and $7$ severely restrict feasible
\dacshund configurations, motivating new parameter sets that exclude them.
We implement dummy-free \dctidh-2048-194 and \dctidh-2048-205,
achieving group action costs of roughly $357{,}000$rCo$362{,}000$ $\Fp$-multiplications,
with median evaluation times of $1.59$rCo$1.60$ (Gcyc).
These results do not surpass \dctidh, but they outperform \ctidh by roughly $5\%$
while eliminating dummy operations entirely. Compared to dCSIDH, our construction
is more than $4\times$ faster.
To the best of our knowledge, this is the first \textit{efficient} implementation of a CSIDH-like protocol that is simultaneously deterministic, constant-time, and fully dummy-free.
## 2025/1646
* Title: Scalable zkSNARKs for Matrix Computations: A Generic Framework for Verifiable Deep Learning
* Authors: Mingshu Cong, Sherman S. M. Chow, Siu Ming Yiu, Tsz Hon Yuen
* [Permalink](
https://eprint.iacr.org/2025/1646)
* [Download](
https://eprint.iacr.org/2025/1646.pdf)
### Abstract
Sublinear proof sizes have recently become feasible in verifiable machine learning (VML), yet no approach achieves the trio of strictly linear prover time, logarithmic proof size and verification time, and architecture privacy. Hurdles persist because we lack a succinct commitment to the full neural network and a framework for heterogeneous models, leaving verification dependent on architecture knowledge. Existing limits motivate our new approach: a unified proof-composition framework that casts VML as the design of zero-knowledge succinct non-interactive arguments of knowledge (zkSNARKs) for matrix computations. Representing neural networks with linear and non-linear layers as a directed acyclic graph of atomic matrix operations enables topology-aware composition without revealing the graph. Modeled this way, we split proving into a reduction layer and a compression layer that attests to the reduction with a proof of proof. At the reduction layer, inspired by reduction of knowledge (Crypto '23), root-node proofs are reduced to leaf-node proofs under an interface standardized for heterogeneous linear and non-linear operations. Next, a recursive zkSNARK compresses the transcript into a single proof while preserving architecture privacy.
Complexity-wise, for a matrix expression with $M$ atomic operations on $n \times n$ matrices, the prover runs in $O(M n^2)$ time while proof size and verification time are $O(\log(M n))$, outperforming known VML systems. Honed for this framework, we formalize relations directly in matrices or vectors---a more intuitive form for VML than traditional polynomials. Our LiteBullet proof, an inner-product proof based on folding and its connection to sumcheck (Crypto '21), yields a polynomial-free alternative. With these ingredients, we reconcile heterogeneity, zero-knowledge, succinctness, and architecture privacy in a single VML system.
## 2025/1647
* Title: Universally Composable Password-Hardened Encryption
* Authors: Behzad Abdolmaleki, Ruben Baecker, Paul Gerhart, Mike Graf, Mojtaba Khalili, Daniel Rausch, Dominique Schr||der
* [Permalink](
https://eprint.iacr.org/2025/1647)
* [Download](
https://eprint.iacr.org/2025/1647.pdf)
### Abstract
Password-Hardened Encryption (PHE) protects against offline brute-force attacks by involving an external ratelimiter that enforces rate-limited decryption without learning passwords or keys. Threshold Password-Hardened Encryption (TPHE), introduced by Brost et al. (CCSrCO20), distributes this trust among multiple ratelimiters. Despite its promise, the security foundations of TPHE remain unclear. We make three contributions:
(1) We uncover a flaw in the proof of Brost et al.rCOs TPHE scheme, which invalidates its claimed security and leaves the guarantees of existing constructions uncertain;
(2) We provide the first universal composability (UC) formalization of PHE and TPHE, unifying previous fragmented models and supporting key rotation, an essential feature for long-term security and related primitives such as updatable encryption;
(3) We present the first provably secure TPHE scheme, which is both round-optimal and UC-secure, thus composable in real-world settings; and we implement and evaluate our protocol, demonstrating practical efficiency that outperforms prior work in realistic WAN scenarios.
## 2025/1648
* Title: Breaking Full ChiLow-32
* Authors: Jian Guo, Shichang Wang, Tianyu Zhang
* [Permalink](
https://eprint.iacr.org/2025/1648)
* [Download](
https://eprint.iacr.org/2025/1648.pdf)
### Abstract
ChiLow is a family of tweakable block ciphers proposed at EUROCRYPT 2025. In this paper, we present a cryptanalysis on ChiLow based on the Meet-in-the-Middle (MITM) attack framework.
For ChiLow-32, we first present an MITM attack on full ChiLow-32 exploiting the cipher's diffusion properties, which achieves a time complexity of $2^{122.6}$ using 97 known plaintext-ciphertext (P-C) pairs. Building on this, we further introduce a refinement based on the linearization of $\chi$ function. By using more known pairs, we significantly improve the attack, reducing the time complexity to $2^{108.6}$ with 196 known P-C pairs. For ChiLow-40, we mount an attack on reduced-round versions: a 7-round attack with time complexity $2^{127.4}$ requiring 164 known P-C pairs, and a 6-round attack with time complexity $2^{88.9}$ requiring 162 known P-C pairs.
## 2025/1649
* Title: SQIsign with Fixed-Precision Integer Arithmetic
* Authors: Won Kim, Jeonghwan Lee, Hyeonhak Kim, Changmin Lee
* [Permalink](
https://eprint.iacr.org/2025/1649)
* [Download](
https://eprint.iacr.org/2025/1649.pdf)
### Abstract
SQIsign is an isogeny-based, post-quantum signature scheme over supersingular elliptic curves that represents isogenies via objects of a quaternion algebra, enabling very compact signatures and efficient computations. However, the SQIsign implementation relies on GMP library, which dynamically allocates size of integers so hinders portability and complicates memory control. Furthermore, a consolidated worst-case bound on the integer coefficients representing quaternion algebra elements does not exist, leaving the required static precision unclear for a GMP-free implementation.
In this work, we audit every routine in the SQIsign Round-2 specification that manipulates quaternion elements and prove a uniform worst-case bound on coefficient growth. Complementing the theoretical bounds, we repeat the key generation and signing process of Round-2 SQIsign reference code implemented with GMP library, record peak operand sizes, and derive experimental bounds. Based on this bound, we choose a fixed-size precision representation and implement SQIsign in C without dynamic allocation such as GMP library.
## 2025/1650
* Title: WISCH: Efficient data signing via correlated signatures
* Authors: Ariel Futoransky, Ramses Fernandez, Emilio Garcia, Gabriel Larotonda, Sergio Demian Lerner
* [Permalink](
https://eprint.iacr.org/2025/1650)
* [Download](
https://eprint.iacr.org/2025/1650.pdf)
### Abstract
We present WISCH, a commit-reveal protocol that combines compact aggregate signatures with hash-based commitments to enable selective disclosure of correlated data in multiparty computation. The protocol separates an on-chain verification core from off chain preparation, so that verification cost depends only on the number of openings, not on the size of the underlying message space. This yields asymptotic efficiency: on-chain cost grows linearly in the number of revealed items and is independent of the ambient domain, while the per-byte overhead decreases with the message granularity. Security is established via a simulation-based proof in a UC framework with an ideal ledger functionality, in the algebraic group and global random-oracle models, under standard assumptions for discrete-log-based signatures and hash-based commitments. Thus WISCH provides selectively verifiable revelation with succinct on-chain checks and provable security guarantees.
## 2025/1651
* Title: On the Cardinality of the Walsh Support of a Boolean Function
* Authors: Maxence Jauberty, Pierrick M|-aux
* [Permalink](
https://eprint.iacr.org/2025/1651)
* [Download](
https://eprint.iacr.org/2025/1651.pdf)
### Abstract
We provide a complete characterization of the possible cardinalities of Walsh supports of Boolean functions. Our approach begins with a detailed study of SiegenthalerrCOs construction and its properties, which allow us to derive relations between admissible support sizes in successive numbers of variables. We then introduce new notions such as Walsh space, reduction, and equivalence on supports, which form the structural framework of our analysis. For $n=6$, we perform an experimental enumeration of affine-equivalence classes, and we analyze the geometric structure of supports of small cardinalities, proving uniqueness for sizes $10$ and $13$ and obtaining partial results for size $16$. By combining these findings with a sieving method, we rule out twelve impossible cardinalities and establish constructive methods that transform a support of size $s$ into one of size $4s+r$ for different values of $r$, sufficient to obtain every admissible cardinality for $n \geq 7$. As a consequence, we provide a complete characterization and resolve several open problems.
## 2025/1652
* Title: Computing Pairings on Elliptic Curves with Embedding Degree Two via Biextensions
* Authors: Yuhao Zheng, Jianming Lin, Chang-an Zhao
* [Permalink](
https://eprint.iacr.org/2025/1652)
* [Download](
https://eprint.iacr.org/2025/1652.pdf)
### Abstract
Bilinear pairings have emerged as a fundamental tool in public-key cryptography, enabling
advanced protocols such as Identity-Based Encryption (IBE), short signatures, and zero-knowledge proofs.
This paper focuses on optimizing pairing computations on curves with embedding degree 2, addressing both
theoretical foundations and practical implementations. We propose an optimized double-and-add ladder
algorithm that leverages the technique of y-coordinate recovery, achieving superior performance for the
Tate pairing on supersingular curves and the Omega pairing on non-supersingular curves. Our method is
implemented based on the RELIC cryptographic library, demonstrating significant efficiency improvements
over MillerrCOs algorithm. Specifically, it reduces the number of Fp-multiplications (resp. CPU clock cycles)
by 17.53% (resp. 13.58%) for the reduced Tate pairing on SS-1536 and by 12.37% (resp. 8.39%) for the
Omega pairing on NSS-1536. This work establishes the first comprehensive implementation framework for
cubical-based pairing computations on curves with embedding degree 2, providing quantified optimizations
for practical cryptographic deployment.
--- Synchronet 3.21a-Linux NewsLink 1.2