From Newsgroup: sci.crypt
## In this issue
1. [2024/884] Security of Fixed-Weight Repetitions of Special- ...
2. [2025/1058] Adaptive TDF from any TDF via Pseudorandom ...
3. [2025/1219] Foundations of Single-Decryptor Encryption
4. [2025/1235] HiAE Remains Secure in Its Intended Model: A ...
5. [2025/1237] Replication of Quantum Factorisation Records with ...
6. [2025/1238] Extended $c$-differential distinguishers of full ...
7. [2025/1239] Improved (Again) Key Pair Generation for Falcon, ...
8. [2025/1240] pracy: A Practical Compiler for Attribute-Based ...
9. [2025/1241] Public Key Linting for ML-KEM and ML-DSA
10. [2025/1242] Note: Full-round distinguisher for Synergy
11. [2025/1243] Improving special cases of the computational ...
12. [2025/1244] A New Bijective Pairing Alternative for Encoding ...
13. [2025/1245] Integrating and Benchmarking KpqC in TLS/X.509
14. [2025/1246] On Round-Optimal Computational VSS
15. [2025/1247] Field-Tested Authentication for Quantum Key ...
16. [2025/1248] Beyond Side-Channels: Evaluating Inner Product ...
17. [2025/1249] An Automated Model to Search For Differential Meet- ...
18. [2025/1250] The Weighted Sum Correlation Analysis
19. [2025/1251] Black Box to Blueprint: Visualizing Leakage ...
20. [2025/1252] Tree PCPs
21. [2025/1253] BitVM with Succinct On-Chain Cost from AB-LFE, ...
22. [2025/1254] Batch Decryption without Epochs and its Application ...
23. [2025/1255] Efficient Full Domain Functional Bootstrapping from ...
24. [2025/1256] Lattice-based Multi-key Homomorphic Signatures ...
25. [2025/1257] Non-Profiled Higher-Order Side-Channel Attacks ...
26. [2025/1258] Multi-Source Randomness Extraction and Generation ...
27. [2025/1259] Preimage-type Attacks for Reduced Ascon-Hash: ...
28. [2025/1260] Opossum Attack: Application Layer Desynchronization ...
29. [2025/1261] FAEST for Memory-Constrained Devices with Side- ...
30. [2025/1262] Vectorised Hashing Based on Bernstein-Rabin- ...
31. [2025/1263] OasisDB: An Oblivious and Scalable System for ...
32. [2025/1264] Copy Protecting Cryptographic Functionalities over ...
33. [2025/1265] A note on a recent attack against SPEEDY-7-192
34. [2025/1266] Efficiently parsing existing eID documents for ...
35. [2025/1267] SMOOTHIE: (Multi-)Scalar Multiplication ...
36. [2025/1268] WhatrCOs the Matter? An In-Depth Security Analysis of ...
37. [2025/1269] Linear Prover IOPs in Log Star Rounds
38. [2025/1270] Key Recovery from Side-Channel Power Analysis ...
39. [2025/1271] Applications Of Zero-Knowledge Proofs On Bitcoin
40. [2025/1272] EinHops: Einsum Notation for Expressive Homomorphic ...
41. [2025/1273] Threshold Structure-Preserving Signatures with ...
42. [2025/1274] Improved Matrix Inversion with Packed Ciphertexts ...
43. [2025/1275] Improving the Fault Robustness of Polynomial Masking
44. [2025/1276] On Weak NIZKs, One-way Functions and Amplification
45. [2025/1277] Scalable Accountable Byzantine Agreement and Beyond
46. [2025/1278] In the Vault, But Not Safe: Exploring the Threat of ...
## 2024/884
* Title: Security of Fixed-Weight Repetitions of Special-Sound Multi-Round Interactive Proofs
* Authors: Michele Battagliola, Riccardo Longo, Federico Pintore, Edoardo Signorini, Giovanni Tognolini
* [Permalink](
https://eprint.iacr.org/2024/884)
* [Download](
https://eprint.iacr.org/2024/884.pdf)
### Abstract
Interactive proofs are a cornerstone of modern cryptography and, as such, used in many areas, from digital signatures to multi-party computation. Often the knowledge error $\kappa$ of an interactive proof is not small enough and thus needs to be reduced. This is usually achieved by repeating the interactive proof in parallel $t$ times.
Recently, it was shown that the $t$-fold parallel repetition of any $(k_1,\ldots,k_{\mu})$-special-sound multi-round public-coin interactive proof reduces the knowledge error from $\kappa$ to $\kappa^t$, which is optimal.
However, parallel repetitions lead to an increase in transcript size. A common technique to mitigate this drawback, which is often employed in digital signatures obtained by using the Fiat-Shamir transform, is to use fixed-weight challenges, i.e. vectors of challenges having a constant number of entries (for which the last component is) equal to a fixed value.
While widely used, this method has not been fully assessed from a security standpoint. In particular, the effect of the technique on the knowledge error of repeated interactive proofs has remained unstudied.
In this work, we fill the gap and prove that a fixed-weight repetition of a $(k_1,\ldots,k_{\mu})$-special-sound multi-round public-coin interactive proof
is still knowledge sound. We provide an explicit bound for the knowledge error of the protocol, proving that it matches the maximum cheating probability of a dishonest prover.
Our results apply to some recently-proposed digital signatures which are supposed to be quantum resistant, for example the code-based signature CROSS.
## 2025/1058
* Title: Adaptive TDF from any TDF via Pseudorandom Ciphertext PKE
* Authors: Fuyuki Kitagawa, Takahiro Matsuda
* [Permalink](
https://eprint.iacr.org/2025/1058)
* [Download](
https://eprint.iacr.org/2025/1058.pdf)
### Abstract
We present a generic construction of adaptive trapdoor function (TDF) from the combination of any TDF and pseudorandom-ciphertext public-key encryption (PKE) scheme. As a direct corollary, we can obtain adaptive TDF from any trapdoor permutation (TDP) whose domain is both recognizable and sufficiently dense. In our construction, we can prove that the function's output is indistinguishable from uniform even when an adversary has access to the inversion oracle.
## 2025/1219
* Title: Foundations of Single-Decryptor Encryption
* Authors: Fuyuki Kitagawa, Takashi Yamakawa
* [Permalink](
https://eprint.iacr.org/2025/1219)
* [Download](
https://eprint.iacr.org/2025/1219.pdf)
### Abstract
Single decryptor encryption (SDE) is public key encryption (PKE) where the decryption key is an unclonable quantum state. Coladangelo, Liu, Liu, and Zhandry (CRYPTO 2021) realized the first SDE assuming subexponentially secure indistinguishability obfuscation (iO) and one-way functions (OWFs), along with the polynomial hardness of the learning with errors (LWE) assumption. Since then, SDE has played a pivotal role in recent advances in quantum cryptography. However, despite its central importance in unclonable cryptography, many fundamental questions about SDE remain unanswered. For example, a line of works has proposed various security notions for SDE, but their relationships have hardly been discussed. Moreover, while many subsequent works have adopted the construction methodology of Coladangelo et al., none have explored its improvement, leaving the possibility of a more efficient approach to SDE.
In this work, we address these fundamental questions concerning SDE. Our contributions are threefold.
New security notion: We introduce a strengthened indistinguishability-based security notion for SDE, which we call CPA+ anti-piracy security. We show that CPA+ security unifies the existing security notions for SDE, as detailed in the third item.
New construction: We present an SDE scheme that satisfies CPA+ anti-piracy security, based solely on polynomially secure iO and OWFs. In addition to relying on weaker and more general assumptions, our SDE scheme offers a significant advantage over the scheme of Coladangelo et al., as both the construction and its security proof are much simpler.
Relationships among security notions: We demonstrate that CPA+ anti-piracy security implies all existing security notions for SDE, with the sole exception of identical challenge ciphertext security proposed by Georgiou and Zhandry (EPRINT 2020). Although we do not establish a direct implication from CPA+ anti-piracy security to identical challenge ciphertext security, we provide a generic transformation from an SDE scheme satisfying the former to one achieving the latter in the quantum random oracle model. Additionally, we establish various relationships among different security notions for SDE. By combining these results with our SDE construction, we derive several new feasibility results.
## 2025/1235
* Title: HiAE Remains Secure in Its Intended Model: A Clarification of Claimed Attacks
* Authors: Han Chen, Tao Huang, Phuong Pham, Shuang Wu
* [Permalink](
https://eprint.iacr.org/2025/1235)
* [Download](
https://eprint.iacr.org/2025/1235.pdf)
### Abstract
HiAE is a recently proposed high-throughput authenticated encryption algorithm that achieves exceptional performance on both x86 and ARM architectures. Following its publication, several cryptanalysis papers have claimed that HiAErCOs 256-bit encryption security is broken under the nonce-respecting model. In this note, we clarify that the claimed attacks rely critically on submitting forged-tag decryption queries rCo a type of behavior explicitly excluded by HiAErCOs original security model.
HiAE was designed under a standard nonce-based AEAD setting without decryption oracle access, offering 256-bit security against key and state recovery, and 128-bit security against forgery. This design approach follows the same principle as well-known schemes such as AEGIS and MORUS.
The conclusion that HiAE is broken is based on a misinterpretation of its security model, as the attacks rely on conditions that the design explicitly excludes.
## 2025/1237
* Title: Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog
* Authors: Peter Gutmann, Stephan Neuhaus
* [Permalink](
https://eprint.iacr.org/2025/1237)
* [Download](
https://eprint.iacr.org/2025/1237.pdf)
### Abstract
This paper presents implementations that match and, where possible, exceed current quantum factorisation records using a VIC-20 8-bit home computer from 1981, an abacus, and a dog. We hope that this work will inspire future efforts to match any further quantum factorisation records, should they arise.
## 2025/1238
* Title: Extended $c$-differential distinguishers of full $9$ and reduced-round Kuznyechik cipher
* Authors: Pantelimon Stanica, Ranit Dutta, Bimal Mandal
* [Permalink](
https://eprint.iacr.org/2025/1238)
* [Download](
https://eprint.iacr.org/2025/1238.pdf)
### Abstract
This paper introduces {\em truncated inner $c$-differential cryptanalysis}, a novel technique that for the first time enables the practical application of $c$-differential uniformity to block ciphers. While Ellingsen et al. (IEEE Trans. Inf. Theory, 2020) established the notion of $c$-differential uniformity using $(F(x\oplus a), cF(x))$, a key challenge remained: multiplication by $c$ disrupts the structural properties essential for block cipher analysis, particularly key addition.
We resolve this challenge by developing an \emph{inner} $c$-differential approach where multiplication by $c$ affects the input: $(F(cx\oplus a), F(x))$. We prove that the inner $c$-differential uniformity of a function $F$ equals the outer $c$-differential uniformity of $F^{-1}$, establishing a fundamental duality. This modification preserves cipher structure while enabling practical cryptanalytic applications.
Our main contribution is a comprehensive multi-faceted statistical-computational framework, implementing truncated $c$-differential analysis against the full 9-round Kuznyechik cipher (the inner $c$-differentials are immune to the key whitening at the backend). Through extensive computational analysis involving millions of differential pairs, we demonstrate statistically significant non-randomness across all tested round counts. For the full 9-round cipher, we identify multiple configurations triggering critical security alerts, with bias ratios reaching $1.7\times$ and corrected p-values as low as $1.85 \times 10^{-3}$,
suggesting insufficient security margin against this new attack
vector. This represents the first practical distinguisher against the full 9-round Kuznyechik.
## 2025/1239
* Title: Improved (Again) Key Pair Generation for Falcon, BAT and Hawk
* Authors: Thomas Pornin
* [Permalink](
https://eprint.iacr.org/2025/1239)
* [Download](
https://eprint.iacr.org/2025/1239.pdf)
### Abstract
In this short note, we describe some further improvements to the key pair generation process for the Falcon and Hawk lattice-based signature schemes, and for the BAT key encapsulation scheme, in a fully constant-time way and without any use of floating-point operations. Our new code is slightly faster than our previous implementation, and, more importantly for small embedded systems, uses less RAM space.
## 2025/1240
* Title: pracy: A Practical Compiler for Attribute-Based Encryption in Python
* Authors: Sven Argo, Marloes Venema, Adrian Ackermann, Tim G|+neysu
* [Permalink](
https://eprint.iacr.org/2025/1240)
* [Download](
https://eprint.iacr.org/2025/1240.pdf)
### Abstract
Attribute-based encryption (ABE) is a versatile primitive that has been considered in many applications to enforce access control cryptographically. To actually benefit from ABE in practice, we require implementations of schemes that
satisfy all the properties that are needed. Many theoretical advancements have been
made to attain such properties, ultimately resulting in powerful abstractions such
as pair encodings. To build an ABE scheme, we use a compiler (in the theoretical
sense), which transforms a provably secure pair encoding scheme into a provably secure ABE scheme. Although several such compilers have been introduced, they all abstract away many details that are relevant for engineers, which can hinder the
implementation of schemes in practice.
To address this problem, we propose pracy, which is a tool that automatically implements an ABE scheme from an input pair encoding scheme. To achieve this, we first note that we need to overcome a general issue in any automation efforts rCo
including automated optimization and security analysis rCo in the field of pairing-based
cryptography. In particular, there exist no parsers that properly model the interaction
between the predicate and the pair encodings. Therefore, we devise a new formal model and type system, which capture this interaction in a way that is compatible
with automated implementation efforts. To illustrate the feasibility of our model
and system, we construct pracy, which is a (practical) compiler in Python that can
implement ABE schemes in multiple target programming languages such as Python and C/C++. With pracy, we not only make the implementation of ABE schemes
from pair encodings more accessible to practitioners, we realize the potential that
pair encodings have to simplify implementation efforts.
## 2025/1241
* Title: Public Key Linting for ML-KEM and ML-DSA
* Authors: Evangelos Karatsiolis, Franziskus Kiefer, Juliane Kr|nmer, Mirjam Loiero, Christian Tobias, Maximiliane Weish|nupl
* [Permalink](
https://eprint.iacr.org/2025/1241)
* [Download](
https://eprint.iacr.org/2025/1241.pdf)
### Abstract
With the advancing standardization of post-quantum cryptographic schemes, the need for preparing the IT security infrastructure for integrating post-quantum schemes increases. The focus of this work is a specific part of the IT security infrastructure, namely public key infrastructures. For public certification authorities, it is crucial to guarantee the quality of public keys certified by them. To this end, linting is deployed, which describes the process of analyzing the content of a certificate with respect to predefined rules, the so-called lints. In this work, we initiate the study of lints for post-quantum cryptography. As a starting point, we choose lattice-based schemes and analyze the public keys of the NIST standards ML-KEM and ML-DSA. We base our analyses on the NIST FIPS standards and IETF documents. We formally describe the identified lints and classify them with respect to the property of the public key that the lint checks. We implement the lints for a common X.509 certificate linter and provide an open-source tool.
## 2025/1242
* Title: Note: Full-round distinguisher for Synergy
* Authors: Orr Dunkelman, Eran Lambooij, Ga|2tan Leurent
* [Permalink](
https://eprint.iacr.org/2025/1242)
* [Download](
https://eprint.iacr.org/2025/1242.pdf)
### Abstract
In this note we study the proposed cipher Synergy and describe a full round differential with probability $2^{-21.29}$. The claims have been experimentally verified.
## 2025/1243
* Title: Improving special cases of the computational isogeny problem
* Authors: Steven Galbraith, Valerie Gilchrist, Damien Robert
* [Permalink](
https://eprint.iacr.org/2025/1243)
* [Download](
https://eprint.iacr.org/2025/1243.pdf)
### Abstract
Given two elliptic curves over F_q, computing an isogeny mapping one to the other is conjectured to be classically and quantumly hard. This problem plays an important role in the security of elliptic curve cryptography. In 2024, Galbraith applied recently developed techniques for isogenies to improve the state-of-the-art for this problem.
In this work, we focus on computing ascending isogenies. We give a simplified framework for computing self-pairings, and show how they can be used to improve upon the approach from Galbraith to recover these ascending isogenies and eliminate a heuristic assumption from his work. We show that this new approach gives an improvement to the overall isogeny recovery when the curves have a small crater (super-polynomial in size). We also study how these self-pairings affect the security of the (PEARL)SCALLOP group action, gaining an improvement over the state-of-the-art for some very particular parameter choices. The current SCALLOP parameters remain unaffected.
## 2025/1244
* Title: A New Bijective Pairing Alternative for Encoding Natural Numbers
* Authors: Manideep Thotakura
* [Permalink](
https://eprint.iacr.org/2025/1244)
* [Download](
https://eprint.iacr.org/2025/1244.pdf)
### Abstract
Pairing functions uniquely encode pairs of natural numbers into single values, a fundamental operation
in mathematics and computer science. This paper presents an alternative approach inspired by geometric
visualizationrCoviewing pairs as arrangements of square blocks with missing tiles.
Our method achieves packing efficiency comparable to the classical Cantor pairing function and
matches the time complexity of both Cantor and Szudzik functions. Encoding is performed in constant
time using simple arithmetic operations, while decoding requires square root computations, resulting in
efficient inversion.
By combining algebraic rigor with intuitive geometric insight, this approach offers a practical and
accessible alternative for applications involving data encoding, spatial structures, and combinatorial
problems.
## 2025/1245
* Title: Integrating and Benchmarking KpqC in TLS/X.509
* Authors: Minjoo Sim, Gyeongju Song, Minwoo Lee, Seyoung Yoon, Anubhab Baksi, Hwajeong Seo
* [Permalink](
https://eprint.iacr.org/2025/1245)
* [Download](
https://eprint.iacr.org/2025/1245.pdf)
### Abstract
This paper reports on the implementation and performance evaluation of Korean Post-Quantum Cryptography standards within existing TLS/X.509 infrastructure. We integrated HAETAE, AIMer, SMAUG-T, and NTRU+rCothe four KpqC standard algorithmsrCointo the OpenSSL ecosystem via a modified liboqs framework. Then, we measured static overhead (certificate size) and dynamic overhead (TLS handshake latency) under both computational-bound (localhost) and network-bound (LAN) settings. Our results indicate that, focusing on the Korean standards, KpqC certificates are 11.5rCo48 times larger than the classical ECC baseline. In performance, the tested KpqC KEMs increase handshake latency by over 750\% in computation-bound tests (localhost) and by up to 35\% in network-bound tests (LAN). To our knowledge, this study constitutes the first practical evaluation of KpqC standards in real-world TLS environments, providing concrete performance data to guide post-quantum migration strategies.
## 2025/1246
* Title: On Round-Optimal Computational VSS
* Authors: Karim Baghery, Navid Ghaedi Bardeh, Shahram Khazaei, Mahdi Rahimi
* [Permalink](
https://eprint.iacr.org/2025/1246)
* [Download](
https://eprint.iacr.org/2025/1246.pdf)
### Abstract
In ASIACRYPT 2011, Backes, Kate, and Patra (BKP) introduced two computationally secure round-optimal (2-round) Verifiable Secret Sharing (VSS) schemes in the honest-majority setting, one based on non-homomorphic commitments and the other on homomorphic ones. Their scheme based on non-homomorphic commitments has $O(n^2)$ computational complexity and necessitates $O(n^2\lambda)$ public and private communication for the dealer, where $n$ denotes the number of parties and $\lambda$ is the security parameter. They showed that these costs are $n$ times higher compared to their round-optimal VSS scheme employing homomorphic commitments and posed a research question regarding the inevitability of this gap. In this paper, we fill this gap by introducing a new variant of the recently proposed unified framework $\mathbf{\Pi}$ by Baghery at PKC 2025, designed to enable the construction of more efficient round-optimal VSS schemes in the honest-majority setting. Compared to the original framework, our variant reduces the required rounds by one while maintaining compatibility with any commitments and achieving comparable efficiency. Leveraging this new general construction, we develop several round-optimal VSS schemes that surpass state-of-the-art alternatives. Particularly noteworthy is the new round-optimal VSS scheme based on non-homomorphic commitments, which improves the BKP scheme by a factor of $n$ across all efficiency metrics. Compared to their schemes based on homomorphic commitments, our schemes demonstrate significantly expedited verification and reconstruction. Implementation results further validate the practicality of these new VSS schemes. For example, for $(n, t)=(256, 127)$, where $t$ represents the threshold, compared to the hash-based BKP VSS scheme, our proposed scheme showcases speed-ups exceeding $120,000\times$ (and $50\times$) for the dealer (and parties, respectively), while also requiring $365\times$ (and $512\times$) less communication.
## 2025/1247
* Title: Field-Tested Authentication for Quantum Key Distribution and DoS Attacks
* Authors: Antoine Gansel, Juliane Kr|nmer, Tim Schumacher, Patrick Struck, Maximilian Tippmann, Thomas Walther
* [Permalink](
https://eprint.iacr.org/2025/1247)
* [Download](
https://eprint.iacr.org/2025/1247.pdf)
### Abstract
Authentication is a crucial requirement for the security of Quantum Key Distribution (QKD). Yet, the integration of suitable methods in QKD systems tends to receive little attention from the research community. As a result, Wegman-Carter message authentication established itself as the go-to solution, leading to serious inefficiencies and additional trust assumptions, making it hard to recover from denial-of-service attacks. Another method is to use the lattice-based signature scheme Dilithium, as proposed by Wang et al. (npj quantum information; 2021). This method avoids the drawbacks of Wegman-Carter but, unfortunately, introduces new disadvantages. In this work, we implement and test several authentication methods on an actual QKD system. We compare and analyze three authentication variants, i.e., Wegman-Carter, Dilithium, and the established message-authentication code Chaskey, as a new method for authentication in QKD, which uses fewer quantum keys. We focus on the key consumptions, runtimes, and practicality in a field test of the QKD system. Lastly, we take a broader look at authentication for QKD in the context of Denial-of-Service attacks and propose a solution by combining several authentication methods to achieve their individual advantages while simultaneously avoiding several drawbacks.
## 2025/1248
* Title: Beyond Side-Channels: Evaluating Inner Product Masking Against SIFA
* Authors: Wu Qianmei, Sayandeep Saha, Wei Cheng, Fan Zhang, Shivam Bhasin
* [Permalink](
https://eprint.iacr.org/2025/1248)
* [Download](
https://eprint.iacr.org/2025/1248.pdf)
### Abstract
Statistical Ineffective Fault Attack (SIFA) presents a critical threat to cryptographic implementations by circumventing conventional detection-based countermeasures effective against traditional fault attacks. Particularly, SIFA operates via two mechanisms: SIFA-1 exploits fault effectiveness dependency on target values, while SIFA-2 leverages conditional propagation of faulted values based on sensitive intermediates. Recent studies suggest that, masking, mainly a side-channel protection, also exhibits promising resistance to SIFA-1, such as prime masking. In this paper, we systematically evaluate the resilience of Inner Product Masking (IPM) against SIFA, which has been established in prior works as a powerful side-channel-resistant alternative to Boolean masking. Specifically, with regard to SIFA-1, our theoretical analysis demonstrates that Inner Product (IP) encoding provides stronger SIFA-1 resistance than both Boolean and prime masking under generic multi-bit fault models using various fault types. More interestingly, an equivalence between Side-channel and SIFA-1 security has been theoretically established for IP encoding, indicating that optimal IP encoding exists that simultaneously provides the highest side-channel resistance and maximizes the complexity of effective SIFA-1 attacks. For SIFA-2, our analysis reveals that IPMrCOs protection remains fundamentally bounded by the computational field size, consistent with previous results in this regard, e.g., for prime field masking. However, some vulnerabilities to persistent faults are anticipated for the most recently proposed IPM multiplication gadget. Given the compatibility with existing ciphers and demonstrated superior resistance against SIFA-1, IPM emerges as a more promising fault-resistant encoding technique compared to prime masking.
## 2025/1249
* Title: An Automated Model to Search For Differential Meet-In-The-Middle Attack: Applications to AndRX Ciphers
* Authors: Debasmita Chakraborty, Soumya Sahoo, Phuong Hoa Nguyen, Santanu Sarkar
* [Permalink](
https://eprint.iacr.org/2025/1249)
* [Download](
https://eprint.iacr.org/2025/1249.pdf)
### Abstract
Differential meet-in-the-middle (MITM) cryptanalysis, recently introduced
by Boura et al., has emerged as a powerful and versatile technique for assessing the
security of modern block cipher designs. Since its introduction, this method has
been effectively applied to a variety of block ciphers, including different variants of
SKINNY, CRAFT, and AES. However, identifying such attacks manuallyrCoespecially on
bit-oriented ciphers with large block sizesrCocan be a complex and error-prone process,
which underscores the growing importance of automated solutions in this domain. In this work, we present, for the first time to the best of our knowledge, a novel
and efficient automated tool for constructing optimized differential MITM attacks on
bit-oriented block ciphers, with a particular focus on AndRX designs. Our framework
begins by modeling an efficient constraint programming (CP) model to search for single-key optimal differential trails in AndRX ciphers. Building on this, we propose
a unified bitwise CP model to automatically construct optimized differential MITM
attacks within the same design framework. Furthermore, we incorporate two dedicated optimization strategiesrConamely, the equivalent subkey technique and the selective key guessing techniquerCoboth of which are tailored to the structural properties of AndRX ciphers and significantly enhance key recovery efficiency. Additionally, we also apply two additional optimization techniques: the parallel partitioning technique and the reducing data with imposed conditions techniques to further enhance the differential MITM attack on AndRX ciphers.
To demonstrate the practical effectiveness of our tool, we apply it to all versions of SIMON and Simeck, two widely studied
representatives of the AndRX family, and report improved cryptanalytic results. Specifically, we present differential MITM attacks on SIMON-32-64, SIMON-48-96,
SIMON-64-128, and SIMON-96-144, covering 23, 25, 32, and 38 rounds, respectively. All of these results represent improvements in the number of attacked rounds compared to the best known differential attacks, classical meet-in-the-middle (MITM), and Demirci-Sel|ouk MITM (DS-MITM) attacks on the corresponding versions of SIMON.
For instance, we present a 37-round differential MITM attack on SIMON-96-144, which extends the best known differential, classical MITM, and DS-MITM attacks by 1, 17, and 18 rounds, respectively. In the case of Simeck, we report a 29-round
differential MITM attack on Simeck-48-96, improving the previous best differential
attack by one round. These results demonstrate the strength and versatility of our
automated tool. Importantly, our automated method for constructing differential MITM attacks operates at the bit level and is generic in nature, making it applicable
to a broad class of bit-oriented block ciphers beyond the AndRX family.
## 2025/1250
* Title: The Weighted Sum Correlation Analysis
* Authors: Elena Dubrova, S||nke Jendral, Yanning Ji, Ruize Wang
* [Permalink](
https://eprint.iacr.org/2025/1250)
* [Download](
https://eprint.iacr.org/2025/1250.pdf)
### Abstract
This paper introduces the weighted sum correlation analysis method, a profiled higher-order side-channel attack that quantifies the significance of time-domain samples based on a chosen leakage model. We also demonstrate the utility of the Hilbert transform in side-channel analysis, showing how its phase-shifting property can be exploited to construct an effective fused score that combines multiple correlation coefficients into a single metric. We validate the presented method on the challenging case of the AES-CCM accelerator in a commercial Bluetooth chip, leveraging RF signals captured via a software-defined radio as a side channel. Compared to the correlation analysis methods presented at RWC'25 and CHES'25, the weighted sum approach achieves at least a threefold reduction in the number of traces required for key recovery. Remarkably, it also outperforms deep learning-based analysis.
## 2025/1251
* Title: Black Box to Blueprint: Visualizing Leakage Propagation in Deep Learning Models for SCA
* Authors: Suvadeep Hajra, Debdeep Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2025/1251)
* [Download](
https://eprint.iacr.org/2025/1251.pdf)
### Abstract
Deep learning (DL)-based side-channel analysis (SCA) has emerged as a powerful approach for extracting secret information from cryptographic devices. However, its performance often deteriorates when targeting implementations protected by masking and desynchronization-based countermeasures, or when analyzing long side-channel traces. In earlier work, we proposed EstraNet, a Transformer Network (TN)-based model designed to address these challenges by capturing long-distance dependencies and incorporating shift-invariant attention mechanisms.
In this work, we perform an in-depth analysis of the internal behavior of EstraNet and propose methods to further enhance its effectiveness. First, we introduce {\bf DL-ProVe} (Deep Learning Leakage Propagation Vector Visualization), a novel technique for visualizing how leakage from secret shares in a masked implementation propagates and recombines into the unmasked secret through the layers of a DL model trained for SCA. We then apply DL-ProVe to EstraNet, providing the first detailed explanation of how leakage is accumulated and combined within such an architecture.
Our analysis reveals a critical limitation in EstraNetrCOs multi-head GaussiP attention mechanism when applied to long traces. Based on this insights, we identify a new architectural hyperparameter which enables fine-grained control over the initialization of the attention heads. Our experimental results demonstrate that tuning this hyperparameter significantly improves EstraNetrCOs performance on long traces (with upto 250K features), allowing it to reach the guessing entropy 1 using only 3 attack traces while the original EstraNet model fails to do so even with 5K traces.
These findings not only deepen our understanding of EstraNetrCOs internal workings but also introduce a robust methodology for interpreting, diagnosing, and improving DL models for SCA.
## 2025/1252
* Title: Tree PCPs
* Authors: Tamer Mour, Alon Rosen, Ron Rothblum
* [Permalink](
https://eprint.iacr.org/2025/1252)
* [Download](
https://eprint.iacr.org/2025/1252.pdf)
### Abstract
Probabilistically checkable proofs (PCPs) allow encoding a computation so that it can be quickly verified by only reading a few symbols. Inspired by tree codes (Schulman, STOC'93), we propose tree PCPs; these are PCPs that evolve as the computation progresses so that a proof for time $t$ is obtained by appending a short string to the end of the proof for time $t-1$. At any given time, the tree PCP can be locally queried to verify the entire computation so far.
We construct tree PCPs for non-deterministic space-s computation, where at time step $t$, the proof only grows by an additional $poly(s,\log(t))$ bits, and the number of queries made by the verifier to the overall proof is $poly(s) \cdot t^\epsilon$, for an arbitrary constant $\epsilon > 0$.
Tree PCPs are well-suited to proving correctness of ongoing computation that unfolds over time. They may be thought of as an information-theoretic analog of the cryptographic notion of incrementally verifiable computation (Valiant, TCC'08). In the random oracle model, tree PCPs can be compiled to realize a variant of incrementally verifiable computation where the prover is allowed a small number of queries to a large evolving state. This yields the first construction of (a natural variant of) IVC in the random oracle model.
## 2025/1253
* Title: BitVM with Succinct On-Chain Cost from AB-LFE, HMAC, or Privacy-Free GC
* Authors: Weikeng Chen
* [Permalink](
https://eprint.iacr.org/2025/1253)
* [Download](
https://eprint.iacr.org/2025/1253.pdf)
### Abstract
This paper aims to be a systematization of knowledge on how to instantiate BitVM with succinct on-chain cost from attribute-based laconic function evaluation (AB-LFE), homomorphic message authentication codes (HMAC), or privacy-free garbled circuits (GC) with suitable properties, specifically with:
- AB-LFE with unbounded depth and with bounded depth, which implies reusable privacy-free garbled circuits
- HMAC in with unbounded depth, which implies succinct privacy-free garbled circuits
- privacy-free garbled circuits and their succinct garbling as in BitGC
They vary in complexity, concrete overhead, succinctness, reusability, and security mechanisms against a malicious garbler. This paper is a literature review, as instantiating BitVM with them is straightforward.
## 2025/1254
* Title: Batch Decryption without Epochs and its Application to Encrypted Mempools
* Authors: Dan Boneh, Evan Laufer, Ertem Nusret Tas
* [Permalink](
https://eprint.iacr.org/2025/1254)
* [Download](
https://eprint.iacr.org/2025/1254.pdf)
### Abstract
Suppose Alice holds a secret key $\mathsf{sk}$ in a public key encryption scheme. For a given set of ciphertexts, Alice wants to create a short pre-decryption key that lets anyone decrypt this exact set of ciphertexts and nothing else. This problem is called batch decryption. When the secret key $\mathsf{sk}$ is shared among a number of decryption parties the problem is called batch threshold decryption. This question comes up in the context of an encrypted mempool where the goal is to publish a short pre-decryption key that can be used to decrypt all ciphertexts in a block. Prior work constructed batch threshold decryption with some limitations.
In this work, we construct three new batch decryption and batch threshold decryption schemes. We first observe that a key-policy ABE (KP-ABE) scheme directly gives a batch decryption scheme. However, the best KP-ABE schemes, which happen to be lattice-based, lead to relatively long public keys and ciphertexts. We then use very different techniques to construct a new lattice-based batch decryption scheme with shorter parameters. Our construction employs a recent preimage sampler due to Waters, Wee, and Wu. Finally, for completeness, we show that a trilinear map leads to a highly efficient threshold batch decryption scheme.
## 2025/1255
* Title: Efficient Full Domain Functional Bootstrapping from Recursive LUT Decomposition
* Authors: Intak Hwang, Shinwon Lee, Seonhong Min, Yongsoo Song
* [Permalink](
https://eprint.iacr.org/2025/1255)
* [Download](
https://eprint.iacr.org/2025/1255.pdf)
### Abstract
Fully Homomorphic Encryption over the Torus (TFHE) enables efficient evaluation of arbitrary lookup tables (LUT) over encrypted data, allowing complex functions to be computed without decryption. However, in TFHE, only lookup tables with a negacyclic structure can be homomorphically evaluated, which limits the range of functions that can be supported. To overcome this limitation and enable the evaluation of arbitrary functions, the notion of full-domain functional bootstrapping (FDFB) was introduced. However, existing FDFB methods require at least two consecutive bootstrapping operations to evaluate a single function, resulting in significant latency and overhead.
In this work, we present a novel FDFB scheme that supports arbitrary lookup tables by decomposing them into multiple small negacyclic LUTs and one compact full-domain LUT. This structure allows most computations to be handled by fast negacyclic bootstrapping, significantly reducing the computational cost.
To address the need for maintaining distinct evaluation keys for each LUT length, we apply Extended Bootstrapping (PKC 2021), which enables all operations to run within a fixed ring dimension. Combined with Extended Bootstrapping, our method nearly halves the bootstrapping cost compared to prior FDFB approaches while maintaining a constant key size, negligible parameter overhead, and strong scalability.
Finally, we implement our algorithm using the TFHE-go library and evaluate its performance across various settings. Our method achieves up to a 3.41|u speedup over previous FDFB schemes without increasing key size, and retains up to a 1.91|u advantage even when Extended Bootstrapping is applied to both.
## 2025/1256
* Title: Lattice-based Multi-key Homomorphic Signatures Forward-unforgeable against Signing Key Leakage
* Authors: Ye Xu, Takashi Nishide
* [Permalink](
https://eprint.iacr.org/2025/1256)
* [Download](
https://eprint.iacr.org/2025/1256.pdf)
### Abstract
Homomorphic signature (HS) schemes enable an untrusted server to run some computation over the data signed under the same key and derive a short signature for authenticating the computation result. Fiore et al. (AsiacryptrCO16) introduced novel lattice-based multi-key homomorphic signatures (MKHS) to support an evaluation of signatures under multiple/different keys, and anyone can verify the resultant signature by using corresponding public verification keys. However, a limitation of their scheme is that even if only one signing key is leaked, a malicious server can forge a signature on a fake computation result involving the inputs of uncorrupted signers. To address this issue, we propose a new scheme built upon the work of Fiore et al., aiming to achieve a stronger security guarantee, which we call forward unforgeability, against signing key leakage. Our MKHS scheme is constructed based on the short integer solution (SIS) problem as Fiore et al., and can be forward-unforgeable even if an adversary obtains all the signing keys. Furthermore, we propose a variant by introducing a helper entity to amortize the overhead of signature verifications.
## 2025/1257
* Title: Non-Profiled Higher-Order Side-Channel Attacks against Lattice-Based Post-Quantum Cryptography
* Authors: Tolun Tosun, Elisabeth Oswald, Erkay Sava+f
* [Permalink](
https://eprint.iacr.org/2025/1257)
* [Download](
https://eprint.iacr.org/2025/1257.pdf)
### Abstract
In this work, we present methods for conducting higher-order non-profiled side-channel attacks on Lattice-Based Cryptography (LBC). Our analysis covers two scenarios: one where the device leakage is known and follows Hamming weight model, and another where the leakage model is not Hamming weight based and unknown to the attacker. We focus on the Post-Quantum Cryptography (PQC) standards, the Dilithium digital signature (i.e. ML-DSA) and the Kyber key encapsulation (i.e. ML-KEM) algorithms. For Hamming weight leakage, we develop efficient higher-order Correlation Power Analysis (HOCPA) attacks in which the attacker must compute a function known as the optimal prediction function. We revisit the definition of optimal prediction function and introduce a recursive method for computing it efficiently. Our approach is particularly useful when a closed-form formula is unavailable, as in LBC. Then, we introduce sin and cos prediction functions, which prove optimal for HOCPA attacks against second and higher-order masking protection. We validate our methods through simulations and real-device experiments on open-source masked implementations of Dilithium and Kyber on an Arm Cortex-M4. we achieve full secret-key recovery using only 700 and 2400 traces for second and third-order masked implementations of Dilithium, and 2200 and 14500 traces for second and third-order masked implementations of Kyber, respectively. For the unknown leakage scenarios, we leverage generic Side-Channel Analysis (SCA) distinguishers. A key challenge here is the injectivity of modular multiplications in NTT based polynomial multiplication, typically addressed by bit-dropping in the literature. However, we experimentally show that bit-dropping is largely inefficient against protected implementations of LBC. To overcome this limitation, we present a novel two-step attack to Kyber, combining generic distinguishers and lattice reduction techniques. Our approach decreases the number of predictions from q^2 to q and does not rely on bit-dropping. Our experimental results demonstrate a speed-up of up to 23490x in attack run-time over the baseline along with improved success rate.
## 2025/1258
* Title: Multi-Source Randomness Extraction and Generation in the Random-Oracle Model
* Authors: Sandro Coretti, Pooya Farshim, Patrick Harasser, Karl Southern
* [Permalink](
https://eprint.iacr.org/2025/1258)
* [Download](
https://eprint.iacr.org/2025/1258.pdf)
### Abstract
We study the multi-source randomness extraction and generation properties of the monolithic random oracle (RO), whereby one is tasked with extracting or generating uniform random bits from multiple arbitrary unpredictable sources. We formalize this problem according to the query complexities of the involved partiesrCosources, distinguishers, and predictors, where the latter are used to define unpredictability.
We show both positive and negative results. On the negative side, we rule out definitions where the predictor is not at least as powerful as the source or the distinguisher. On the positive side, we show that the RO is a multi-source extractor when the query complexity of the distinguisher is bounded. Our main positive result in this setting is with respect to arbitrary unpredictable sources, which we establish via a combination of a compression argument (Dodis, Guo, and Katz, EUROCRYPT'17) and the decomposition of high min-entropy sources into flat sources.
Our work opens up a rich set of problems, ranging from statistical multi-source extraction with respect to unbounded distinguishers to novel decomposition techniques (Unruh, CRYPTO'07; Coretti et al., EUROCRYPT'18) and multi-source extraction for non-monolithic constructions.
## 2025/1259
* Title: Preimage-type Attacks for Reduced Ascon-Hash: Application to Ed25519
* Authors: Marcel Nageler, Lorenz Schmid, Maria Eichlseder
* [Permalink](
https://eprint.iacr.org/2025/1259)
* [Download](
https://eprint.iacr.org/2025/1259.pdf)
### Abstract
Hash functions and extendable output functions are some of the most fundamental building blocks in cryptography. They are often used to build commitment schemes where a committer binds themselves to some value that is also hidden from the verifier until the opening is sent. Such commitment schemes are commonly used to build signature schemes, e.g., Ed25519 via Schnorr signatures, or non-interactive zero-knowledge proofs. We specifically analyze the binding security when Ascon-Hash256 or Ascon-XOF128 is used inside of Ed25519, which is closely related to finding second preimages. While there is ample prior work on Ascon-XOF128 and Ascon-Hash256, none of it applies in this setting either because it analyzes short outputs of 64 or 128 bits or because the complexity is above the security claim and generic attack of 128 bits. We show how to exploit the setting of finding a forgery for Ed25519. We find that this setting is quite challenging due to the large 320-bit internal state combined with the 128-bit security level. We propose a second-preimage attack for 1-round Ascon-Hash256 with a complexity of $2^{64}$ Gaussian eliminations and a random-prefix-preimage attack (also known as Nostradamus attack) for 1-round Ascon-Hash256, for the Ed25519 setting, with complexity $2^{29.7}$ Gaussian eliminations.
## 2025/1260
* Title: Opossum Attack: Application Layer Desynchronization using Opportunistic TLS
* Authors: Robert Merget, Nurullah Erinola, Marcel Maehren, Lukas Knittel, Sven Hebrok, Marcus Brinkmann, Juraj Somorovsky, J||rg Schwenk
* [Permalink](
https://eprint.iacr.org/2025/1260)
* [Download](
https://eprint.iacr.org/2025/1260.pdf)
### Abstract
Many protocols, like HTTP, FTP, POP3, and SMTP, were origi-
nally designed as synchronous plaintext protocols rCo commands
and data are sent in the clear, and the client waits for the response
to a pending request before sending the next one. Later, two main
solutions were introduced to retrofit these protocols with TLS
protection. (1) Implicit TLS: Designate a new, well-known TCP
port for each protocol-over-TLS, and start with TLS immediately.
(2) Opportunistic TLS: Keep the original well-known port and start
with the plaintext protocol, then switch to TLS in response to a
command like STARTTLS.
In this work, we present a novel weakness in the way TLS is
integrated into popular application layer protocols through implicit
and opportunistic TLS. This weakness breaks authentication, even
in modern TLS implementations if both implicit TLS and oppor-
tunistic TLS are supported at the same time. This authentication
flaw can then be utilized to influence the exchanged messages after
the TLS handshake from a pure MitM position.In contrast to previ-
ous attacks on opportunistic TLS, this attack class does not rely on
bugs in the implementations and only requires one of the peers to
support opportunistic TLS.
We analyze popular application layer protocols that support
opportunistic TLS regarding their vulnerability to the attack. To
demonstrate the practical impact of the attack, we analyze exploita-
tion techniques for HTTP (RFC 2817) in detail, and show four
different exploit directions. To estimate the impact of the attack on
deployed servers, we conducted a series of IPv4-wide scans over
multiple protocols and ports to check for support of opportunistic
TLS. We found that support for opportunistic TLS is still widespread
for many application protocols, with over 3 million servers support-
ing both, implicit and opportunistic TLS at the same time. In the
case of HTTP, we found 20,121 servers that support opportunistic
HTTP across 35 ports, with 2,268 of these servers also supporting
HTTPS and 539 using the same domain names for implicit HTTPS,
presenting an exploitable scenario.
## 2025/1261
* Title: FAEST for Memory-Constrained Devices with Side-Channel Protections
* Authors: Diego F. Aranha, Johan Degn, Jonathan Eilath, Kent Nielsen, Peter Scholl
* [Permalink](
https://eprint.iacr.org/2025/1261)
* [Download](
https://eprint.iacr.org/2025/1261.pdf)
### Abstract
We introduce a new compact and constant-time implementation of the FAEST v1.1 signature scheme that allows it to run in resource-constrained Arm Cortex-M4 microcontrollers under 190M cycles for signing or verifying at level 1 security. The main technique for reducing the memory footprint is a new abstraction to reuse or recompute VOLEs on demand, which reduces memory consumption by at least an order of magnitude. Based on the compact implementation, we develop a masked version of FAEST aiming at security against first-order attacks, achieving a performance overhead of 1.26x and a memory overhead of 1.93x. The masked implementation also thwarts horizontal attacks by employing additional shuffling countermeasures. The security of the masked implementation is demonstrated through leakage assessment experiments in the ChipWhisperer platform, both for the main building blocks and the full signature scheme. We conclude the paper by discussing how the side-channel protections can be ported to version 2.0 submitted to NIST.
## 2025/1262
* Title: Vectorised Hashing Based on Bernstein-Rabin-Winograd Polynomials over Prime Order Fields
* Authors: Kaushik Nath, Palash Sarkar
* [Permalink](
https://eprint.iacr.org/2025/1262)
* [Download](
https://eprint.iacr.org/2025/1262.pdf)
### Abstract
We introduce the new AXU hash function decBRWHash, which is parameterised by the positive integer $c$ and is based on Bernstein-Rabin-Winograd (BRW) polynomials. Choosing $c>1$ gives a hash function which can be implemented using $c$-way single instruction multiple data (SIMD) instructions. We report a set of very comprehensive hand optimised assembly implementations of 4-decBRWHash using avx2 SIMD instructions available on modern Intel processors. For comparison, we also report similar carefully optimised avx2 assembly implementations of polyHash, an AXU hash function based on usual polynomials. Our implementations are over prime order fields, specifically the primes $2^{127}-1$ and $2^{130}-5$. For the prime $2^{130}-5$, for avx2 implementations, compared to the famous Poly1305 hash function, 4-decBRWHash is faster for messages which are a few hundred bytes long and achieves a speed-up of about 16% for message lengths in a few kilobytes range and improves to a speed-up of about 23% for message lengths in a few megabytes range.
## 2025/1263
* Title: OasisDB: An Oblivious and Scalable System for Relational Data
* Authors: Haseeb Ahmed, Nachiket Rao, Abdelkarim Kati, Florian Kerschbaum, Sujayya Maiyya
* [Permalink](
https://eprint.iacr.org/2025/1263)
* [Download](
https://eprint.iacr.org/2025/1263.pdf)
### Abstract
We present OasisDB, an oblivious and scalable RBDMS framework designed to securely manage relational data while protecting against access and volume pattern attacks. Inspired by plaintext RDBMSs, OasisDB leverages existing oblivious key value stores (KV-stores) as storage engines and securely scales them to enhance per-formance. Its novel multi-tier architecture allows for independent scaling of each tier while supporting multi-user environments without compromising privacy. We demonstrate OasisDBrCOs flexibility by deploying it with two distinct oblivious KV-stores, PathORAM and Waffle, and show its capability to execute a variety of SQL queries, including point and range queries, joins, aggregations, and limited updates. Experimental evaluations on the Epinions dataset show that OasisDB scales linearly with the number of machines. When deployed with a plaintext KV-store, OasisDB introduces negligible overhead in its multi-tier architecture compared to a plaintext database, CockroachDB. We also compare OasisDB with ObliDB, an oblivious RDBMS, highlighting its advantages with scalability and multi-user support.
## 2025/1264
* Title: Copy Protecting Cryptographic Functionalities over Entropic Inputs
* Authors: Fuyuki Kitagawa, Takashi Yamakawa
* [Permalink](
https://eprint.iacr.org/2025/1264)
* [Download](
https://eprint.iacr.org/2025/1264.pdf)
### Abstract
We present improved definitions and constructions for copy-protected digital signatures and pseudorandom functions (PRFs). Our new security definitions support challenge messages or inputs chosen from arbitrary high min-entropy distributions and allow signing or evaluation queries. This extends prior definitions, which assumed uniformly random challenges and did not consider oracle access. We construct schemes that satisfy these stronger definitions using only polynomially secure indistinguishability obfuscation (iO) and one-way functions (OWFs), avoiding the subexponential assumptions and the Learning with Errors (LWE) assumption used in previous constructions, even in the uniform-challenge and query-free setting. Moreover, our constructions and security proofs are arguably simpler than existing ones.
We also propose a new security notion for unclonable puncturable obfuscation (UPO), which primarily extends prior definitions to support challenge inputs drawn from arbitrary high min-entropy distributions, along with some additional refinements. We construct a UPO satisfying this notion from polynomially secure iO and the LWE assumption, thereby avoiding the subexponential assumptions and unproven conjectures required in previous constructions, even in the uniform-challenge setting. In fact, in the uniform-challenge case, we show that iO and OWFs alone suffice, further removing the need for LWE. Again, our constructions and security proofs are arguably simpler than existing ones. As applications, we show that a UPO satisfying this notion is sufficient to copy-protect a variety of puncturable functionalities beyond those studied in the prior work.
## 2025/1265
* Title: A note on a recent attack against SPEEDY-7-192
* Authors: Christina Boura, Patrick Derbez, Baptiste Germon, Rachelle Heim Boissier, Mar|!a Naya-Plasencia
* [Permalink](
https://eprint.iacr.org/2025/1265)
* [Download](
https://eprint.iacr.org/2025/1265.pdf)
### Abstract
Recently, two independent differential attacks on SPEEDY-7-192 were proposed by Boura et al. and by Beyne and Neyt. Both works present, for the first time, a valid differential attack on SPEEDY-7-192 with time complexities of $2^{186.36}$ and $2^{185}$ respectively. In this note, by extending the search space for 1-round trails, we propose a new differential attack on SPEEDY-7-192 with both data and time complexity of $2^{174.80}$. This improves upon both previous attacks by more than a factor of $2^{10}$.
## 2025/1266
* Title: Efficiently parsing existing eID documents for zero-knowledge proofs
* Authors: Tom Godden, Ruben De Smet, Kris Steenhaut, An Braeken
* [Permalink](
https://eprint.iacr.org/2025/1266)
* [Download](
https://eprint.iacr.org/2025/1266.pdf)
### Abstract
Online services increasingly require users to verify their identity or parts of it, often by law. This verification is usually performed by processing data from official identity documents, like national identity cards. However, these documents often contain significantly more information than the verifying party needs to know, including information that should stay private. Disclosing this information is a significant privacy and security risk for the user.
Traditional work has designed selective disclosure and zero-knowledge proof protocols for such use cases.
However, because these require a complete reimplementation, recall and redistribution of existing identity documents, they have never been adopted on a large scale. More recent work has focused on creating zero-knowledge proofs from existing identity documents like the US passport or specific US driver licenses. In this article, we propose an R1CS protocol to efficiently parse and extract fields from existing European National Identity Cards, with an implementation for the Belgian BeID.
The protocol is able to prove correct extraction of a date-of-birth field in 22 seconds on a consumer device, with verification taking 230 milliseconds. With this, we aim to provide EU citizens with a practical solution to the privacy and security risks that arise when one has to prove their authenticity or authority to a third party.
## 2025/1267
* Title: SMOOTHIE: (Multi-)Scalar Multiplication Optimizations On TFHE
* Authors: Xander Pottier, Jan-Pieter D'Anvers, Thomas de Ruijter, Ingrid Verbauwhede
* [Permalink](
https://eprint.iacr.org/2025/1267)
* [Download](
https://eprint.iacr.org/2025/1267.pdf)
### Abstract
The (Multi-)Scalar multiplication is a crucial operation during FHE-related
AI applications, and its performance has a significant impact on the overall efficiency of these applications. In this paper we introduce SMOOTHIE: (Multi-)Scalar Multiplication Optimizations On TFHE, introducing new techniques to improve the performance of single- and multi-scalar multiplications in TFHE. We show that by taking the bucket method, known from the Elliptic Curve field, significant improvements can be made. However, as the characteristics between TFHE and Elliptic Curves differ, we need to adapt this method and introduce novel optimizations. We propose a new negation with offset technique that eliminates direct carry propagation after ciphertext negation. Additionally, we introduce powershift aggregation and bucket merging techniques for the bucket aggregation step, which exploit TFHE properties to substantially reduce bootstrap operations. Specifically, in the multi-scalar multiplication case, we implement a bucket doubling method that eliminates the need for precomputation on each input ciphertext. Our implementation is integrated in the TFHE-rs library and achieves up to |u2.05 speedup for single-scalar multiplication compared to the current state-of-the-art, with multi-scalar multiplication improvements up to |u7.51, depending on the problem size.
## 2025/1268
* Title: WhatrCOs the Matter? An In-Depth Security Analysis of the Matter Protocol
* Authors: Sayon Duttagupta, Arman Kolozyan, Georgio Nicolas, Bart Preneel, Dave Singelee
* [Permalink](
https://eprint.iacr.org/2025/1268)
* [Download](
https://eprint.iacr.org/2025/1268.pdf)
### Abstract
The Matter protocol has emerged as a leading standard for secure IoT interoperability, backed by major vendors such as Apple, Google, Amazon, Samsung, and others. With millions of Matter-certified devices already deployed, its security assurances are critical to the safety of global IoT ecosystems. This paper presents the first in-depth security evaluation and formal analysis of MatterrCOs core protocols, focusing on its Passcode-Authenticated Session Establishment (PASE) and Certificate Authenticated Session Establishment (CASE) mechanisms. While these are based on the well-studied SPAKE2+ and SIGMA respectively, Matter introduces modifications that compromise the original security guarantees. Our analysis reveals multiple cryptographic design flaws, including low-entropy passcodes, static salts, and weak PBKDF2 parameters rCo all of which contradict MatterrCOs own threat model and stated security goals. We highlight cases where Matter delegates critical security decisions to vendors, rather than enforcing robust cryptographic practices in the specification, thereby making the system more fragile and susceptible to exploitation. We formally model both standard and Matter-adapted variants of these protocols in ProVerif, confirming several of MatterrCOs security goals, but disproving others. Our findings go as far as rendering some of MatterrCOs own mitigations insufficient, exposing all Matter-certified devices to threats classified as rCLHigh RiskrCY in their own documentation. As part of our study, we also discovered previously unknown vulnerabilities in MatterrCOs public codebase, which we responsibly disclosed to the developers, leading to updates in the codebase.
## 2025/1269
* Title: Linear Prover IOPs in Log Star Rounds
* Authors: Noor Athamnah, Noga Ron-Zewi, Ron D. Rothblum
* [Permalink](
https://eprint.iacr.org/2025/1269)
* [Download](
https://eprint.iacr.org/2025/1269.pdf)
### Abstract
Interactive Oracle Proofs (IOPs) form the backbone of some of the most efficient general-purpose cryptographic proof-systems. In an IOP, the prover can interact with the verifier over multiple rounds, where in each round the prover sends a long message, from which the verifier only queries a few symbols.
State-of-the-art IOPs achieve a linear-size prover and a poly-logarithmic verifier but require a relatively large, logarithmic, number of rounds. While the Fiat-Shamir heuristic can be used to eliminate the need for actual interaction, in modern highly-parallelizable computer architectures such as GPUs, the large number of rounds still translates into a major bottleneck for the prover, since it needs to alternate between computing the IOP messages and the Fiat-Shamir hashes. Motivated by this fact, in this work we study the round complexity of linear-prover IOPs.
Our main result is an IOP for a large class of Boolean circuits, with only $O(\log^*(S))$ rounds, where $\log^*$ denotes the iterated logarithm function (and $S$ is the circuit size). The prover has linear size $O(S)$ and the verifier runs in time $\mathrm{polylog}(S)$ and has query complexity $O(\log^*(S))$. The protocol is both conceptually simpler, and strictly more efficient, than prior linear prover IOPs for Boolean circuits.
## 2025/1270
* Title: Key Recovery from Side-Channel Power Analysis Attacks on Non-SIMD HQC Decryption
* Authors: Nathan Maillet, Cyrius Nugier, Vincent Migliore, Jean-Christophe Deneuville
* [Permalink](
https://eprint.iacr.org/2025/1270)
* [Download](
https://eprint.iacr.org/2025/1270.pdf)
### Abstract
HQC is a code-based cryptosystem that has recently been announced for standardization after the fourth round of the NIST post-quantum cryptography standardization process. During this process, the NIST specifically required submitters to provide two kinds of implementation: a reference one, meant to serve lisibility and compliance with the specifications; and an optimized one, aimed at showing the performance of the scheme alongside other desirable properties such as resilience against implementation misuse or side-channel analysis.
While most side-channel attacks regarding PQC candidates running in this process were mounted over reference implementations, very few consider the optimized, allegedly side-channel resistant (at least, constant-time), implementations. Unfortunately, HQC optimized version only targets x86-64 with Single Instruction Multiple Data (SIMD) support, which reduces the code portability, especially for non-generalist computers.
In this work, we present two power side-channel attacks on the optimized HQC implementation with just the SIMD support deactivated. We show that the power leaks enough information to recover the private key, assuming the adversary can ask the target to replay a legitimate decryption with the same inputs.
Under this assumption, we first present a key-recovery attack targeting standard Instruction Set Architectures (ARM T32, RISC-V, x86-64) and compiler optimization levels. It is based on the well known Hamming Distance model of power consumption leakage, and exposes the key from a single oracle call.
During execution on a real target, we show that a different leakage, stemming from to the micro-architecture, simplifies the recovery of the private key. This more direct second attack, succeeds with a 99% chance from 83 executions of the same legitimate decryption. While the weakness leveraged in this work seems quite devastating, we discuss simple yet effective and efficient countermeasures to prevent such a key-recovery.
## 2025/1271
* Title: Applications Of Zero-Knowledge Proofs On Bitcoin
* Authors: Yusuf Ozmi+f
* [Permalink](
https://eprint.iacr.org/2025/1271)
* [Download](
https://eprint.iacr.org/2025/1271.pdf)
### Abstract
This paper explores how zero-knowledge proofs can enhance Bitcoin's functionality and privacy. First, we consider Proof-of-Reserve schemes: by using zk-STARKs, a custodian can prove its Bitcoin holdings are more than a predefined threshold X, without revealing addresses or actual balances. We outline a STARK-based protocol for Bitcoin UTXOs and discuss its efficiency. Second, we examine ZK Light Clients, where a mobile or lightweight device verifies Bitcoin's proof-of-work chain using succinct proofs. We propose a protocol for generating and verifying a STARK-based proof of a chain of block headers, enabling trust-minimized client operation. Third, we explore Privacy-Preserving Rollups via BitVM: leveraging BitVM, we design a conceptual rollup that keeps transaction data confidential using zero-knowledge proofs. In each case, we analyze security, compare with existing approaches, and discuss implementation considerations. Our contributions include the design of concrete protocols adapted to Bitcoin's UTXO model and an assessment of their practicality. The results suggest that while ZK proofs can bring powerful features (e.g., on-chain reserve audits, trustless light clients, and private layer-2 execution) to Bitcoin, each application requires careful trade-offs in efficiency and trust assumptions.
## 2025/1272
* Title: EinHops: Einsum Notation for Expressive Homomorphic Operations on RNS-CKKS Tensors
* Authors: Karthik Garimella, Austin Ebel, Brandon Reagen
* [Permalink](
https://eprint.iacr.org/2025/1272)
* [Download](
https://eprint.iacr.org/2025/1272.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) is an encryption scheme that allows for computation to be performed directly on encrypted data. FHE effectively closes the loop on secure and outsourced computing; data is encrypted not only during rest and transit, but also during processing. Moreover, modern FHE schemes such as RNS-CKKS (with the canonical slot encoding) encrypt one-dimensional floating-point vectors, which makes such a scheme an ideal candidate for building private machine learning systems. However, RNS-CKKS provides a limited instruction set: SIMD addition, SIMD multiplication, and cyclic rotation of these encrypted vectors. This restriction makes performing multi-dimensional tensor operations (such as those used in machine learning) challenging. Practitioners must pack multi-dimensional tensors into 1-D vectors and map tensor operations onto this one-dimensional layout rather than their traditional nested structure. And while prior systems have made significant strides in automating this process, they often hide critical packing decisions behind layers of abstraction, making debugging, optimizing, and building on top of these systems difficult.
In this work we ask: can we build an FHE tensor system with a straightforward and transparent packing strategy regardless of the tensor operation? We answer affirmatively and develop a packing strategy based on Einstein summation (einsum) notation. We find einsum notation to be ideal for our approach since the notation itself explicitly encodes the dimensional structure and operation directly into its syntax, naturally exposing how tensors should be packed and manipulated in FHE. We make use of einsum's explicit language to decompose einsum expressions into a fixed set of FHE-friendly operations: dimension expanding and broadcasting, element-wise multiplication, and a reduction along the contraction dimensions.
We implement our design and present EinHops, which stands for Einsum Notation for Homomorphic Tensor Operations. EinHops is a minimalist system that factors einsum expressions into a fixed sequence of FHE operations, enabling developers to perform complex tensor operations using RNS-CKKS while maintaining full visibility into the underlying packing strategy. We evaluate EinHops on a range of tensor operations from a simple transpose to complex multi-dimensional contractions. We show that the explicit nature of einsum notation allows us to build an FHE tensor system that is simple, general, and interpretable. We open-source EinHops at the following repository:
https://github.com/baahl-nyu/einhops.
## 2025/1273
* Title: Threshold Structure-Preserving Signatures with Randomizable Key
* Authors: Ahmet Ramazan A-f-#rta+f, Emircan |celik, O-fuz Yayla
* [Permalink](
https://eprint.iacr.org/2025/1273)
* [Download](
https://eprint.iacr.org/2025/1273.pdf)
### Abstract
While digital signatures serve to confirm message integrity
and the identity of the signer, the inherent link between the public key
and the signerrCOs identity can pose challenges in anonymized networks or applications focused on preserving privacy. Signatures with randomiz-
able keys aim to disentangle the signerrCOs identity from their public key, thus preserving the signaturerCOs validity. This approach ensures that the signature, even with a randomized key, maintains its verifiability without linking it to the signerrCOs identity.
Although signatures with randomizable keys effectively maintain privacy, additional structural improvements are necessary in specialized signature schemes for complex cryptographic frameworks. Threshold structure-
preserving signatures offer a way to construct modular protocols while retaining the benefits of structure-preserving properties. Thus, the ran- domizable key version of it is essential for a wide range of applications, making it the foundation of this work. In this study, signatures with ran- domizable key principles combined with threshold structure-preserving signatures to build a strong cryptographic base for privacy-preserving applications. This foundation makes sure that signatures are valid while
also being modular and unlinkable.
An earlier version of this work appeared in the 22nd International Con-
ference on Security and Cryptography(SECRYPT 2025) [6]; the present
article extends that study by adding the formal security proofs of the introduced protocols.
## 2025/1274
* Title: Improved Matrix Inversion with Packed Ciphertexts using Fully Homomorphic Encryption
* Authors: Seunghu Kim, Seongbong Choi, Hyung Tae Lee
* [Permalink](
https://eprint.iacr.org/2025/1274)
* [Download](
https://eprint.iacr.org/2025/1274.pdf)
### Abstract
Matrix inversion is a fundamental operation, but performing it over encrypted matrices remains a significant challenge.
This is mainly due to the fact that conventional inversion algorithmsrCosuch as Gaussian eliminationrCodepend heavily on comparison and division operations, which are computationally expensive to perform under homomorphic encryption.
To mitigate this, Ahn et al. (ESORICS 2023) introduced an inversion method based on iterative matrix multiplications. However, their approach encrypts matrices entry-wise, leading to poor scalability. A key limitation of prior work stems from the absence of an efficient matrix multiplication technique for matrix-packed ciphertexts, particularly one with low multiplicative depth.
In this paper, we present a novel homomorphic matrix multiplication algorithm optimized for matrix-packed ciphertexts, requiring only a multiplicative depth of two.
Building on this foundation, we propose an efficient algorithm for homomorphic matrix inversion.
Experimental results show that our method outperforms the state-of-the-art: for $8\times 8$ matrices, it achieves a $6.8\times$ speedup over the method by Ahn et al., and enables inversion of larger matrices that were previously infeasible.
We further compare our homomorphic matrix multiplication technique against existing matrix-packed homomorphic matrix multiplication algorithms.
When used for iterative inversion, our method consistently outperforms prior approaches.
In particular, for $16\times 16$ and $32\times 32$ matrices, it achieves $1.88\times$ and $1.43\times$ speedups, respectively, over the algorithm by Aikata and Roy.
Finally, we demonstrate the practical benefits of our method by applying it to privacy-preserving linear regression. For a dataset of $64$ samples with $8$ features, our approach achieves a $1.13\times$ speedup in training time compared to the state-of-the-art homomorphic matrix inversion solution.
## 2025/1275
* Title: Improving the Fault Robustness of Polynomial Masking
* Authors: Paula Arnold, Sebastian Berndt, Thomas Eisenbarth, Sebastian Faust, Marc Gourjon, Elena Micheli, Maximilian Orlt, Pajam Pauls, Kathrin Wirschem, Liang Zhao
* [Permalink](
https://eprint.iacr.org/2025/1275)
* [Download](
https://eprint.iacr.org/2025/1275.pdf)
### Abstract
Rigorous protection against physical attacks which simultaneously and adaptively combine passive side-channel observations with active fault injections is an active and recent area of research. At CRYPTO 2023, Berndt et al. presented the rCLLaOlarCY scheme for protecting arbitrary circuits against said attacks. Their constructions use polynomial masking in an optimal least number of shares and come with security proofs based on formal notions of security.
In this work, we improve the security of this construction significantly by adapting it. We present a new refresh gadget designed specifically for combined attacks. This gadget does not only counteract passive side-channel attacks but additionally randomizes the effect of faults in a detectable but secret-independent manner. We introduce sufficient and attainable security definitions which are stronger than in the work of Berndt et al. to achieve this. Further, we apply the principle to the LaOla construction and prove the stronger
security notions for the adapted multiplication gadget, as well as the original properties of composability and strong security against adaptive attacks combining side-channel and faults.
## 2025/1276
* Title: On Weak NIZKs, One-way Functions and Amplification
* Authors: Suvradip Chakraborty, James Hulett, Dakshita Khurana
* [Permalink](
https://eprint.iacr.org/2025/1276)
* [Download](
https://eprint.iacr.org/2025/1276.pdf)
### Abstract
An $(\epsilon_\mathsf{s},\epsilon_{\mathsf{zk}})$-weak non-interactive zero knowledge (NIZK) argument has soundness error at most $\epsilon_\mathsf{s}$ and zero-knowledge error at most $\epsilon_{\mathsf{zk}}$. We show that as long as $\mathsf{NP}$ is hard in the worst case, the existence of an $(\epsilon_\mathsf{s}, \epsilon_{\mathsf{zk}})$-weak NIZK proof or argument for $\mathsf{NP}$ with $\epsilon_{\mathsf{zk}} + \sqrt{\epsilon_\mathsf{s}} < 1$ implies the existence of one-way functions. To obtain this result, we introduce and analyze a strong version of universal approximation that may be of independent interest.
As an application, we obtain NIZK amplification theorems based on very mild worst-case complexity assumptions. Specifically, [Bitansky-Geier, CRYPTO'24] showed that $(\epsilon_\mathsf{s}, \epsilon_{\mathsf{zk}})$-weak NIZK proofs (with $\epsilon_\mathsf{s}$ and $\epsilon_{\mathsf{zk}}$ constants such that $\epsilon_\mathsf{s} + \epsilon_{\mathsf{zk}} < 1$) can be amplified to make their errors negligible, but needed to assume the existence of one-way functions. Our results can be used to remove the additional one-way function assumption and obtain NIZK amplification theorems that are (almost) unconditional; only requiring the mild worst-case assumption that if $\mathsf{NP} \subseteq \mathsf{ioP/poly}$, then $\mathsf{NP} \subseteq \mathsf{BPP}$.
## 2025/1277
* Title: Scalable Accountable Byzantine Agreement and Beyond
* Authors: Pierre Civit, Daniel Collins, Vincent Gramoli, Rachid Guerraoui, Jovan Komatovic, Manuel Vidigueira, Pouriya Zarbafian
* [Permalink](
https://eprint.iacr.org/2025/1277)
* [Download](
https://eprint.iacr.org/2025/1277.pdf)
### Abstract
No $t$-resilient Byzantine Agreement (or Reliable Broadcast) protocol can guarantee agreement among $n$ correct processes in a non-synchronous network if the actual number of faulty processes $f$ is $\geq n - 2t$. This limitation highlights the need to augment such fragile protocols with mechanisms that detect safety violations, such as forensic support and accountability.
This paper introduces simple and efficient techniques to address this challenge by proposing a new generic transformation, $\mathcal{ABC}^{++}$. The transformation leverages two key primitives: the ratifier and the propagator. By sequentially composing these primitives with any closed-box Byzantine Agreement (or Reliable Broadcast) protocol, $\mathcal{ABC}^{++}$ produces a robust counterpart that provides both (adaptively secure) forensic support and ($1$-delayed adaptively-secure) accountability. The transformation incurs a subquadratic additive communication overhead, with only $1$ round of overhead for decision and forensic support, and $2$ additional rounds for detection in case of a safety violation (or $O\big(\log(n)\big)$ additional rounds with optimized communication).
The generality of $\mathcal{ABC}^{++}$ offers a compelling general alternative to the subquadratic forensic support solution by Sheng et al. (FC'23) tailored to HotStuff-like protocols, while being more efficient than the (strongly-adaptively-secure) quadratic $\mathcal{ABC}$ accountable transformation (IPDPS'22, JPDC'23). Moreover, it provides the first subquadratic accountable Byzantine Agreement (or Reliable Broadcast) protocols against a ($1$-delayed) adaptive adversary.
Finally, any subquadratic accountable Reliable Broadcast protocol can be integrated into the $\tau_{scr}$ transformation (ICDCS'22) to produce an improved variant, $\tau_{scr}^{++}$. This new version compiles any deterministic (and even beyond) protocol into its accountable counterpart with subquadratic multiplicative communication overhead, significantly improving upon the original quadratic overhead in $\tau_{scr}$.
## 2025/1278
* Title: In the Vault, But Not Safe: Exploring the Threat of Covert Password Manager Providers
* Authors: Gildas Avoine, Xavier Carpent, Diane Leblanc-Albarel
* [Permalink](
https://eprint.iacr.org/2025/1278)
* [Download](
https://eprint.iacr.org/2025/1278.pdf)
### Abstract
Password managers have gained significant popularity and are widely recommended as an effective means of enhancing user security. However, current cloud-based architectures assume that password manager providers are trusted entities. This assumption is never questioned because such password managers are operated by their own designers, which are therefore judge and jury. This exposes users to significant risks, as a malicious provider could perform covert actions without being detected to access or alter users' credentials.
This exposes users to significant risks, as a malicious provider could perform covert actions without being detected to access or alter the credentials of users.
Most password managers rely solely on the strength of a user-chosen master password. As a result, a covert adversary could conceivably perform large-scale offline attacks to recover credentials protected by weak master passwords. Even more concerning, some password managers do not encrypt credentials on users' devices, transmitting them in plaintext before encrypting them server-side, e.g., Google, in its default configuration. On the other hand, key-protected password managers, e.g., KeePassXC, are less commonly used, as they lack functionality for synchronizing credentials across multiple devices.
In this paper, we establish a comprehensive set of security properties that should be guaranteed by any cloud-based password manager. We demonstrate that none of the widely deployed mainstream password managers fulfill these fundamental requirements. Nevertheless, we argue that it is feasible to design a solution that is resilient against covert adversaries while allowing users to synchronize their credentials across devices. To support our claims, we propose a password manager design that fulfills all the required properties.
--- Synchronet 3.21a-Linux NewsLink 1.2