• [digest] 2025 Week 52

    From IACR ePrint Archive@noreply@example.invalid to sci.crypt on Mon Dec 29 03:33:15 2025
    From Newsgroup: sci.crypt

    ## In this issue
    1. [2025/2277] Quantum Resource Analysis of Low-Round Keccak/SHA-3 ...
    2. [2025/2278] Secure Distributed State Management for Stateful ...
    3. [2025/2279] On the representation of self-orthogonal codes and ...
    4. [2025/2280] Security Models and Cryptographic Protocols in a ...
    5. [2025/2281] UFOs: An Ultra-fast Toolkit for Multiparty ...
    6. [2025/2282] When Simple Permutations Mix Poorly: Limited ...
    7. [2025/2283] Cryptanalysis of Pseudorandom Error-Correcting Codes
    8. [2025/2284] Meta-PBS: Compact High-Precision Programmable ...
    9. [2025/2285] Laminate: Succinct SIMD-Friendly Verifiable FHE
    10. [2025/2286] Improving the Efficiency of zkSNARKs for Ballot ...
    11. [2025/2287] MIOPE: A Modular framework for Input and Output ...
    12. [2025/2288] Achieving CPAD security for BFV: a pragmatic approach
    13. [2025/2289] Fourier Sparsity of Delta Functions and Matching ...
    14. [2025/2290] Towards Practical Multi-Party Hash Chains using ...
    15. [2025/2291] Key Recovery Attacks on ZIP Ciphers: Application to ...
    16. [2025/2292] FRIVail: A Data Availability Scheme based on FRI Binius
    17. [2025/2293] LAKE: Lattice-Code Accelerated Kyber Encapsulation
    18. [2025/2294] Fully Distributed Multi-Point Functions for PCGs ...
    19. [2025/2295] An Ideal Linear Secret Sharing Scheme for Complete ...
    20. [2025/2296] SoK: Verifiable Federated Learning
    21. [2025/2297] Yoyo tricks with a BEANIE
    22. [2025/2298] ALKAID: Accelerating Three-Party Boolean Circuits ...
    23. [2025/2299] Far-Field $Singing$ FPGAs: Repurposing Routing ...
    24. [2025/2300] Gravity of the Situation: Security Analysis on ...
    25. [2025/2301] High-Performance SIMD Software for Spielman Codes ...
    26. [2025/2302] Attacking and Securing Hybrid Homomorphic ...
    27. [2025/2303] Suwako: A Logarithmic-Depth Modular Reduction for ...
    28. [2025/2304] Streaming Function Secret Sharing and Its Applications
    29. [2025/2305] A New Approach to Large Party Beaver-Style MPC with ...
    30. [2025/2306] On Delegation of Verifiable Presentations from mdoc ...
    ## 2025/2277
    * Title: Quantum Resource Analysis of Low-Round Keccak/SHA-3 Preimage Attack: From Classical 2^57.8 to Quantum 2^28.9 using Qiskit Modeling
    * Authors: Ramin Rezvani Gilkolaei, Reza Ebrahimi
    * [Permalink](https://eprint.iacr.org/2025/2277)
    * [Download](https://eprint.iacr.org/2025/2277.pdf)
    ### Abstract
    This paper presents a hardware-conscious analysis of the quantum acceleration of the classical 3-round Keccak-256 preimage attack using Grover's Algorithm. While the theoretical quantum speed-up from $T_{cl} \approx 2^{57.8}$ (classical) to $T_{qu} \approx 2^{28.9}$ (quantum) is mathematically sound, the practical implementation overhead is so extreme that attacks remain wholly infeasible in both resource and runtime dimensions. Using Qiskit-based circuit synthesis, we derive that a 3-round Keccak quantum oracle requires:
    * 9,600 Toffoli gates (with uncomputation for reversibility)
    * 3,200 logical qubits (1,600 state + 1,600 auxiliary)
    * $7.47 \times 10^{13}$ total 2-qubit gates (full Grover search)
    * 3.2 million physical qubits (with quantum error correction), PROHIBITIVE
    * 0.12 years (43 days) to 2,365+ years execution time, depending on machine assumptions
    These barriers, particularly the physical qubit requirements, circuit depth, and error accumulation, render the quantum attack infeasible for any foreseeable quantum computer. Consequently, SHA-3 security is not threatened by quantum computers for preimage attacks. We emphasize the critical importance of hardware-aware complexity analysis in quantum cryptanalysis: the elegant asymptotic theory of Grover's Algorithm hides an engineering overhead so prohibitive that the quantum approach becomes infeasible from both resource and implementation perspectives.
    ## 2025/2278
    * Title: Secure Distributed State Management for Stateful Signatures with a Practical and Universally Composable Protocol
    * Authors: Johannes Blömer, Henrik Bröcher, Volker Krummel, Laurens Porzenheim
    * [Permalink](https://eprint.iacr.org/2025/2278)
    * [Download](https://eprint.iacr.org/2025/2278.pdf)
    ### Abstract
    Stateful signatures like the NIST standardized signature schemes LMS and XMSS provide an efficient and mature realization of post-quantum secure signature schemes. They are recommended for long-term use cases such as firmware signing. However, stateful signature schemes require the proper management of a so-called state. In stateful signature schemes like LMS and XMSS, signing keys consist of a set of keys of a one-time signature scheme and it has to be guaranteed that each one-time key is used only once. This is done by updating a state in each signature computation, basically recording which one-time keys have already been used. While this is straightforward in centralized systems, in distributed systems like secure enclaves consisting of e.g. multiple hardware security modules (HSMs) with limited communication, keeping a distributed state that at any point in time is consistent among all parties involved presents a challenge. This challenge is not addressed by the current standardization processes.
    In this paper we present a security model for the distributed key management of post-quantum secure stateful signatures like XMSS and LMS. We also present a simple, efficient, and easy to implement protocol proven secure in this security model, i.e. the protocol guarantees at any point in time a consistent state among the parties in a distributed system, like a distributed security enclave. The security model is defined in the universal composability (UC) framework by Ran Canetti by providing an ideal functionality for the distributed key management for stateful signatures. Hence our protocol remains secure even if arbitrarily composed with other instances of the same or other protocols, a necessity for the security of distributed key management protocols. Our main application is security enclaves consisting of HSMs, but the model and the protocol can easily be adapted to other scenarios of distributed key management of stateful signature schemes.
    ## 2025/2279
    * Title: On the representation of self-orthogonal codes and applications to cryptography
    * Authors: Marco Baldi, Rahmi El Mechri, Paolo Santini, Riccardo Schiavoni
    * [Permalink](https://eprint.iacr.org/2025/2279)
    * [Download](https://eprint.iacr.org/2025/2279.pdf)
    ### Abstract
    The hull of a linear code is the intersection between the code and its dual. When the hull is equal to the code (i.e., the code is contained in the dual), the code is called self-orthogonal (or weakly self-dual); if, moreover, the code is equal to its dual, then we speak of a self-dual code.
    For problems such as the Permutation Equivalence Problem (PEP) and (special instances of) the Lattice Isomorphism Problem (LIP) over $q$-ary lattices, codes with a sufficiently large hull provide hard-to-solve instances.
    In this paper we describe a technique to compress the representation of a self-orthogonal code.
    Namely, we propose an efficient compression (and decompression) technique that allows representing the generator matrix of a self-orthogonal code with slightly more than $k(n-k)-\binom{k+1}{2}$ finite field elements.
    The rationale consists in exploiting the relationships deriving from self-orthogonality to reconstruct part of the generator matrix entries from the others, thus reducing the amount of entries one needs to uniquely represent the code.
    For instance, for self-dual codes, this almost halves the amount of finite field elements required to represent the code.
    We first present a basic version of our algorithm and show that it runs in polynomial time and, moreover, its communication cost asymptotically approaches the lower bound set by Shannon's source coding theorem.
    Then, we provide an improved version which reduces both the size of the representation and the time complexity, essentially making the representation technique as costly as Gaussian elimination.
    As concrete applications, we show that our technique can be used to reduce the public key size in cryptosystems based on PEP such as LESS and SPECK (achieving approximately a 50% reduction in the public key size), as well as in the Updatable Public Key Encryption Scheme recently proposed by Albrecht, Benčina and Lai, which is based on LIP.
    ## 2025/2280
    * Title: Security Models and Cryptographic Protocols in a Quantum World
    * Authors: Céline Chevalier, Paul Hermouet, Quoc-Huy Vu
    * [Permalink](https://eprint.iacr.org/2025/2280)
    * [Download](https://eprint.iacr.org/2025/2280.pdf)
    ### Abstract
    The emergence of quantum computing has provided new paradigms for cryptography. On the one hand, it poses significant new threats to existing classical cryptographic systems, requiring the community to define new security models that capture what a quantum adversary can do. On the other hand, it gives us new tools to design cryptographic protocols, with weaker assumptions than in the classical world, or even protocols that are impossible classically.
    In this survey, we first give an overview of new security definitions for classical cryptography, considering quantum adversaries who can either only use local quantum computation (post-quantum security), or even send quantum messages and in particular have access to oracles in superposition (quantum security). We explore these new notions through the examples of commitments, zero-knowledge proofs, encryption, and signatures. Then, we present what is arguably the most famous application of quantum cryptography: quantum key distribution (QKD) protocols that take advantage of unique properties of quantum mechanics to provide secure communication unconditionally. We also explore cryptography beyond QKD, focusing on unclonable cryptography: a family of cryptographic functionalities, built with quantum states, and designed to be resistant to counterfeit by leveraging the "no-cloning" theorem. We examine in particular quantum money, but also the recent notions of unclonable encryption and copy-protection, including related variants.
    By presenting a comprehensive survey of these topics, this paper aims to provide a thorough understanding of the current landscape and future potential of quantum cryptography.
    ## 2025/2281
    * Title: UFOs: An Ultra-fast Toolkit for Multiparty Computation of Small Elements
    * Authors: Jiacheng Gao, Moyang Xie, Yuan Zhang, Sheng Zhong
    * [Permalink](https://eprint.iacr.org/2025/2281)
    * [Download](https://eprint.iacr.org/2025/2281.pdf)
    ### Abstract
    In most secure multiparty computation (MPC) scenarios, the data to be processed are much smaller than the underlying field size. The field is typically chosen to be large enough to guarantee security, e.g., a 128-bit prime field for 128-bit security, while the data can be as small as several bits, e.g. $4$ bits for a $16$-category classification task. This size gap can result in significant waste of communication and computation in existing MPC protocols, which often treat data of different ranges indiscriminately.
    We introduce UFO$_\mathrm{s}$, an ultra-fast toolkit for multiparty computation (MPC) on small elements. UFO$_\mathrm{s}$ provides highly optimized protocols for three fundamental tasks: one-hot encoding, comparison and digit decomposition. While these protocols are designed specifically for small elements, as a demonstration of their power, we construct a radix sort protocol that sorts large field elements. Our experiments show significant performance improvements over state-of-the-art MPC implementations. In particular, our sorting protocol achieves up to a $58\times$ speedup in the online phase when sorting $2^{16}$ elements among $5$ parties.
    ## 2025/2282
    * Title: When Simple Permutations Mix Poorly: Limited Independence Does Not Imply Pseudorandomness
    * Authors: Jesko Dujmovic, Angelos Pelecanos, Stefano Tessaro
    * [Permalink](https://eprint.iacr.org/2025/2282)
    * [Download](https://eprint.iacr.org/2025/2282.pdf)
    ### Abstract
    Over the past two decades, several works have used (almost) $k$-wise independence as a proxy for pseudorandomness in block ciphers, since it guarantees resistance against broad classes of statistical attacks. For example, even the case $k = 2$ already implies security against differential and linear cryptanalysis.
    Hoory, Magen, Myers, and Rackoff (ICALP '04; TCS '05) formulated an appealing conjecture: if the sequential composition of $T$ independent local randomized permutations is (close to) four-wise independent, then it should also be a pseudorandom permutation. Here, "local" means that each output bit depends on only a constant number of input bits. This conjecture offers a potential strong justification for analyses of block ciphers that establish (almost) $k$-wise independence of this type of construction.
    In this work, we disprove the conjecture in full generality by presenting an explicit local randomized permutation whose sequential composition is four-wise independent, but not a pseudorandom permutation. Our counterexample in fact extends to $k$-wise independence for any constant $k$.
    ## 2025/2283
    * Title: Cryptanalysis of Pseudorandom Error-Correcting Codes
    * Authors: Tianrui Wang, Anyu Wang, Tianshuo Cong, Delong Ran, Jinyuan Liu, Xiaoyun Wang
    * [Permalink](https://eprint.iacr.org/2025/2283)
    * [Download](https://eprint.iacr.org/2025/2283.pdf)
    ### Abstract
    Pseudorandom error-correcting codes (PRC) is a novel cryptographic primitive proposed at CRYPTO 2024. Due to the dual capability of pseudorandomness and error correction, PRC has been recognized as a promising foundational component for watermarking AI-generated content. However, the security of PRC has not been thoroughly analyzed, especially with concrete parameters or even in the face of cryptographic attacks. To fill this gap, we present the first cryptanalysis of PRC. We first propose three attacks to challenge the undetectability and robustness assumptions of PRC. Among them, two attacks aim to distinguish PRC-based codewords from plain vectors, and one attack aims to compromise the decoding process of PRC. Our attacks successfully undermine the claimed security guarantees across all parameter configurations. Notably, our attack can detect the presence of a watermark with overwhelming probability at a cost of $2^{22}$ operations. We also validate our approach by attacking real-world large generative models such as DeepSeek and Stable Diffusion. To mitigate our attacks, we further propose three defenses to enhance the security of PRC, including parameter suggestions, implementation suggestions, and constructing a revised key generation algorithm. Our proposed revised key generation function effectively prevents the occurrence of weak keys. However, we highlight that the current PRC-based watermarking scheme still cannot achieve a 128-bit security under our parameter suggestions due to the inherent configurations of large generative models, such as the maximum output length of large language models.
    ## 2025/2284
    * Title: Meta-PBS: Compact High-Precision Programmable Bootstrapping
    * Authors: Shihe Ma, Tairong Huang, Anyu Wang, Changtong Xu, Tao Wei, Xiaoyun Wang
    * [Permalink](https://eprint.iacr.org/2025/2284)
    * [Download](https://eprint.iacr.org/2025/2284.pdf)
    ### Abstract
    Currently, most FHE schemes realize bootstrapping through the linear-decrypt-then-round paradigm. For the programmable bootstrapping (PBS) of TFHE, this means the lookup table (LUT) needs a redundancy of $O(\sqrt{N})$ to be able to remove the modulus switching noise, which limits the plaintext modulus of PBS to $O(\sqrt{N})$. We remove this requirement for redundancy by proposing the Meta-PBS framework, which allows us to start with under-redundant or non-redundant LUTs. Meta-PBS iteratively blind-rotates the LUT, during which the LUT redundancy gradually increases. The bootstrapping outputs the correct result when the redundancy eventually exceeds the noise bound. Asymptotically, Meta-PBS requires $O(1)$ blind rotations in dimension $N$ to evaluate a negacyclic function modulo $2N$, whereas PBS needs $O(\sqrt{N})$ blind rotations. Meta-PBS also enjoys an additive noise growth, allowing for more homomorphic arithmetic on bootstrapped ciphertext. We modified Meta-PBS to support the simultaneous evaluation of multiple LUTs on the same ciphertext and/or arbitrary LUTs. According to our implementation, when evaluating a 12-bit negacyclic function, Meta-PBS outperforms EBS (PKC'23) by 79 times. When evaluating an arbitrary function on an 8-bit LWE ciphertext, Meta-PBS reduces the running time of the Refined LHE (CCS'25) by half while allowing for a 27 times larger post-bootstrap linear combination.
    ## 2025/2285
    * Title: Laminate: Succinct SIMD-Friendly Verifiable FHE
    * Authors: Kabir Peshawaria, Zeyu Liu, Ben Fisch, Eran Tromer
    * [Permalink](https://eprint.iacr.org/2025/2285)
    * [Download](https://eprint.iacr.org/2025/2285.pdf)
    ### Abstract
    In outsourcing computation to untrusted servers, one can cryptographically ensure privacy using Fully Homomorphic Encryption (FHE) or ensure integrity using Verifiable Computation (VC) such as SNARK proofs. While each is practical for some applications in isolation, efficiently composing FHE and VC into Verifiable Computing on Encrypted Data (VCoED) remains an open problem.
    We introduce Laminate, the first practical method for adding integrity to BGV-style FHE, thereby achieving VCoED. Our approach combines the blind interactive proof framework with a tailored variant of the GKR proof system that avoids committing to intermediate computation states. We further introduce variants employing transcript packing and folding techniques. The resulting encrypted proofs are concretely succinct: 270kB, compared to 1TB in prior work, to evaluate a batch of $B=2^{14}$ instances of size $n=2^{20}$ and depth $d=32$. Asymptotically, the proof size and verifier work is $O(d \log (Bn))$, compared to $\Omega(BN\log n)$ in prior work (for ring dimension $N$).
    Unlike prior schemes, Laminate utilizes the full SIMD capabilities of FHE for both the payload circuit evaluation and proof generation; adds only constant multiplicative depth on top of payload evaluation while performing $\tilde{O}(n)$ FHE operations; eliminates the need for witness reduction; and is field-agnostic. The resulting cost of adding integrity to FHE, compared to assuming honest evaluation, is ${\sim}12\times$ to ${\sim}36\times$ overhead (for deep multiplication-heavy circuits of size $2^{20}$), which is $>500\times$ faster than the state-of-the-art.
    ## 2025/2286
    * Title: Improving the Efficiency of zkSNARKs for Ballot Validity
    * Authors: Felix Röhr, Nicolas Huber, Ralf Küsters
    * [Permalink](https://eprint.iacr.org/2025/2286)
    * [Download](https://eprint.iacr.org/2025/2286.pdf)
    ### Abstract
    Homomorphic tallying in secure e-voting protocols enables privacy-preserving vote aggregation. For this approach, zero-knowledge proofs (ZKPs) for ensuring the validity of encrypted ballots are an essential component.
    While it has been common to construct tailored ZKPs for every kind of ballot and voting method at hand, recently Huber et al. demonstrated that also general-purpose ZKPs (GPZKPs), such as Groth16 zkSNARKs, are suited for checking ballot validity. Unlike tailored solutions, GPZKPs provide a unified, generic, and flexible framework for this task. In this work, we improve on the initial GPZKPs for ballot validity proposed by Huber et al. Specifically, we present several circuit-level optimizations that significantly reduce proving costs for exponential ElGamal-encrypted ballots. We provide an independent, ready-to-use Circom implementation along with concrete benchmarks, demonstrating substantial improvements in performance and practical usability over prior implementations.
    ## 2025/2287
    * Title: MIOPE: A Modular framework for Input and Output Privacy in Ensemble inference
    * Authors: Kyrian Maat, Gareth T. Davies, Zoltán Ádám Mann, Joppe W. Bos, Francesco Regazzoni
    * [Permalink](https://eprint.iacr.org/2025/2287)
    * [Download](https://eprint.iacr.org/2025/2287.pdf)
    ### Abstract
    We introduce a simple yet novel framework for privacy-preserving machine learning inference that allows a client to query multiple models without a trusted third party aggregator by leveraging homomorphically encrypted model evaluation and multi-party computation. This setting allows for dispersed training of models such that a client can query each separately, and aggregate the results of this 'ensemble inference'; this avoids the data leakage inherent to techniques that train collectively such as federated learning. Our framework, which we call MIOPE, allows the data providers to keep the training phase local to provide tighter control over these models, and additionally provides the benefit of easily retraining to improve inference of the ensemble. MIOPE uses homomorphic encryption to keep the querying client's data private and multi-party computation to hide the individual model outputs. We illustrate the design and trade-offs of input- and output-hiding ensemble inference as provided by MIOPE and compare performance to a centralized approach. We evaluate our approach with a standard dataset and various regression models and observe that the MIOPE framework can lead to accuracy scores that are only marginally lower than centralized learning. The modular design of our approach allows the system to adapt to new data, better models, or security requirements of the involved parties.
    ## 2025/2288
    * Title: Achieving CPAD security for BFV: a pragmatic approach
    * Authors: Jean-Paul Bultel, Marina Checri, Caroline Fontaine, Marc Renard, Renaud Sirdey, Oana Stan
    * [Permalink](https://eprint.iacr.org/2025/2288)
    * [Download](https://eprint.iacr.org/2025/2288.pdf)
    ### Abstract
    Fully Homomorphic Encryption (FHE) aims at ensuring privacy of sensitive data while taking advantage of external computations and services. However, using FHE in real-world scenarios reveals new kinds of security issues. In particular, following the seminal Eurocrypt '21 paper of Li & Micciancio, CPAD security has emerged as a fundamental notion for FHE, unveiling a subtle interplay between security and correctness. For correct (F)HE schemes, CPA security already implies CPAD. However, all known practical FHE schemes are (R)LWE-based and, as such, are prone to decryption errors; and even if it is possible to ensure statistical correctness by selecting appropriate parameters, achieving this while maintaining malleability --- the mainspring of FHE --- still remains challenging. Moreover, practical CPAD attacks have recently been designed against most known FHE schemes. We propose in this paper a complete, simple and rigorous framework to reach CPAD security for one of them, BFV.
    Our approach relies on a combination of alternate average-case/worst-case noise variance monitoring --- based on dependencies tracking during the homomorphic calculations --- and on smudging. It comes with an automated parameters setting methodology, which connects it to the recently proposed Application-Aware HE paradigm while relieving libraries end-users from the burden of enforcing the paradigm's constraints by hand.
    ## 2025/2289
    * Title: Fourier Sparsity of Delta Functions and Matching Vector PIRs
    * Authors: Fatemeh Ghasemi, Swastik Kopparty
    * [Permalink](https://eprint.iacr.org/2025/2289)
    * [Download](https://eprint.iacr.org/2025/2289.pdf)
    ### Abstract
    In this paper we study a basic and natural question about Fourier analysis of Boolean functions, which has applications to the study of Matching Vector based Private Information Retrieval (PIR) schemes.
    For integers $m,r$, define a delta function on $\{0,1\}^r \subseteq \mathbb{Z}_m^r$ to be a function $f: \mathbb{Z}_m^r \to \mathbb C$ if $f(0) = 1$ and $f(x) = 0$ for all nonzero Boolean $x$.
    The basic question that we study is how small can the Fourier sparsity of a delta function be; namely, how sparse can such an $f$ be in the Fourier basis?
    In addition to being intrinsically interesting and natural, such questions arise naturally while studying "$S$-decoding polynomials" for the known matching vector families. Finding $S$-decoding polynomials of reduced sparsity -- which corresponds to finding delta functions with low Fourier sparsity -- would improve the current best PIR schemes.
    We show nontrivial upper and lower bounds on the Fourier sparsity of delta functions.
    Our proofs are elementary and clean. These results imply limitations on improvements to the Matching Vector PIR schemes simply by finding better $S$-decoding polynomials. In particular, there are no $S$-decoding polynomials which can make Matching Vector PIRs based on the known matching vector families achieve polylogarithmic communication for constantly many servers.
    Many interesting questions remain open.
    ## 2025/2290
    * Title: Towards Practical Multi-Party Hash Chains using Arithmetization-Oriented Primitives - With Applications to Threshold Hash-Based Signatures
    * Authors: Alexandre Adomnicăi
    * [Permalink](https://eprint.iacr.org/2025/2290)
    * [Download](https://eprint.iacr.org/2025/2290.pdf)
    ### Abstract
    Despite their simplicity and quantum-resistant security properties, the deployment of hash chains in distributed settings through secure multi-party computation (MPC) has been demonstrated to be impractical when employing traditional hash functions (i.e., SHA2/SHA3) due to their high number of non-linear gates which lead to heavy computational costs. In this work, we present a comprehensive evaluation of hash chain computations over MPC using arithmetization-oriented (AO) primitives, specifically focusing on the Poseidon2 family of hash functions. We systematically analyze the MPC-friendliness of various Poseidon2 instantiations across different prime fields and parameter choices to minimize both multiplicative depth and preprocessing requirements. We conduct extensive benchmarks using the MP-SPDZ framework across three state-of-the-art MPC protocols under varying network conditions and adversarial models. We further explore practical applications to threshold cryptography, presenting optimized implementations of threshold hash-based signatures that achieve signing times less than 1 second in a 3-party setting for practical parameter sets.
    Specifically, we demonstrate how structural parallelism in hash-based signatures can be exploited to batch independent hash chains within a single MPC execution, and introduce a time-memory trade-off that enables non-interactive online signature generation through systematic precomputation of all chain intermediates. Our work suggests the practical viability of moderate length AO-based hash chains for MPC applications.
    ## 2025/2291
    * Title: Key Recovery Attacks on ZIP Ciphers: Application to ZIP-AES and ZIP-GIFT
    * Authors: Marcel Nageler, Debasmita Chakraborty, Simon Scherer, Maria Eichlseder
    * [Permalink](https://eprint.iacr.org/2025/2291)
    * [Download](https://eprint.iacr.org/2025/2291.pdf)
    ### Abstract
    The construction of beyond-birthday-bound secure pseudorandom functions (PRFs) from the Xor-sum of 2 pseudorandom permutations (PRPs) has been known since EUROCRYPT 1998. However, the first concrete instance was only published recently at FSE 2022: the low latency PRF Orthros. Subsequently, at ASIACRYPT 2024, Flórez-Gutiérrez et al. proposed the general framework of ZIP ciphers, where a block cipher $E_{1} \circ E_{0}$ is used to construct the PRF $E_{0} \oplus E_{1}^{-1}$. This allows re-using some of the cryptanalysis of the underlying block cipher. They propose the PRF ZIP-AES, as the Xor sum of 5 AES encryption rounds and 5 decryption rounds. They discuss differential, linear, and integral distinguishers for this construction, but provide no concrete key recovery attacks. Furthermore, they propose ZIP-GIFT as a 64-bit PRF but leave cryptanalysis as future work. In this work, we provide the first third-party analysis of ZIP-AES and ZIP-GIFT. We focus our efforts on the unique challenges of performing key recovery attacks for ZIP ciphers and propose new techniques to overcome these challenges. We show differential, linear, and integral key recovery attacks for both PRFs. We develop new techniques for integral key recovery attacks and show how to extend differential characteristics by some rounds for key recovery.
    ## 2025/2292
    * Title: FRIVail: A Data Availability Scheme based on FRI Binius
    * Authors: Rachit Anand Srivastava
    * [Permalink](https://eprint.iacr.org/2025/2292)
    * [Download](https://eprint.iacr.org/2025/2292.pdf)
    ### Abstract
    Data Availability Sampling (DAS) has emerged as a key scalability technique for blockchain systems, enabling light clients to verify that block data have been fully published without downloading them in their entirety. We introduce FRIVail, a new DAS construction built on top of the FRI-Binius polynomial commitment scheme, designed for datasets composed of many independent single-row payloads that together form a block's data blob. FRIVail exploits the intrinsic Reed–Solomon structure of FRI, wherein each commitment naturally encodes a codeword that light clients can sample directly.
    Each row of the blob is assigned an independent FRI proof. These row-level proofs are then combined into a global availability certificate using one of three aggregation strategies. The first constructs a succinct zero-knowledge proof attesting to the correct verification of all row-level FRI proofs, yielding a compact ZK proof of proofs that enables succinct global verification while preserving row independence. The second is a fully post-quantum construction that recursively applies FRI-Binius to build a proof of proofs. In this setting, global verification relies on FRI proximity checks, but reconstruction of the aggregated proof polynomial is required to recover embedded row-level information. The third is a hybrid aggregation based on KZG polynomial commitments, where the aggregated polynomial admits direct algebraic openings but relies on pairing-based assumptions and a trusted setup, and is therefore not post-quantum.
    In all variants, light clients verify availability via a small number of local opening checks against the header commitment, without downloading entire rows or the full blob. We formalize DAS security in this multi-row, multi-proof setting and show that FRIVail achieves sublinear verification complexity, robustness against adversarial availability equivocation at the row level, and resistance to correlated sampling attacks. FRIVail provides a modular foundation for next-generation blockchain data availability protocols, supporting zero-knowledge-based, fully post-quantum, and hybrid cryptographic deployments.
    ## 2025/2293
    * Title: LAKE: Lattice-Code Accelerated Kyber Encapsulation
    * Authors: Hassan Nasiraee
    * [Permalink](https://eprint.iacr.org/2025/2293)
    * [Download](https://eprint.iacr.org/2025/2293.pdf)
    ### Abstract
    The standardization of CRYSTALS-Kyber (ML-KEM) by NIST represents a milestone in post-quantum security, yet its substantial communication overhead remains a critical bottleneck for resource-constrained environments. This paper introduces *LAKE (Lattice-Code Accelerated Kyber Encapsulation)*, a novel cryptographic framework that symbiotically integrates coding theory into the Module-LWE structure. Unlike previous concatenation approaches, LAKE embeds density-optimized Construction-A lattices derived from Polar codes directly into the public matrix generation. This structural innovation yields a *15–25% reduction in ciphertext size* while simultaneously improving the Decryption Failure Rate (DFR) from $2^{-139}$ to *$2^{-156}$*, leveraging innate coding gains to suppress noise. We provide a rigorous reduction of LAKE's IND-CCA2 security to the hardness of the Structured Module-LWE problem. Although LAKE introduces a modest 8–15% computational overhead, it optimizes the critical "Compute-for-Bandwidth" trade-off, exploiting the asymmetry between low-cost local processing and high-cost transmission. Consequently, LAKE significantly enhances deployment viability in high-latency, energy-sensitive domains such as Satellite Communications (SatCom), Narrowband-IoT (NB-IoT), and tactical edge networks, where transmission efficiency is the dominant performance metric.
    ## 2025/2294
    * Title: Fully Distributed Multi-Point Functions for PCGs and Beyond
    * Authors: Amit Agarwal, Srinivasan Raghuraman, Peter Rindal
    * [Permalink](https://eprint.iacr.org/2025/2294)
    * [Download](https://eprint.iacr.org/2025/2294.pdf)
    ### Abstract
    We introduce new Distributed Multi-Point Function (DMPF) constructions that make multi-point sharing as practical as the classic single-point (DPF) case. Our main construction, Reverse Cuckoo, replaces the ``theoretical'' cuckoo insertions approach to DMPFs with an MPC-friendly linear solver that circumvents the concrete inefficiencies. Combined with our new sparse DPF construction, we obtain the first fully distributed and efficient DMPF key generation that avoids trusted dealers and integrates cleanly with standard two-party MPC.
    Applied to pseudorandom correlation generators (PCGs), our DMPFs remove the dominant ``sum of $t$ DPFs'' bottleneck. In Ring-LPN and Stationary-LPN pipelines (Crypto 2020, 2025), this translates to an order of magnitude more Beaver triples per second with an order of magnitude less communication compared to the status quo by Keller et al. (Eurocrypt 2018). The gains persist across fields and rings ($\mathbb{F}_{p^k}$, $\mathbb{Z}_{2^k}$ for $k\geq 1$) and are complementary to existing PCG frameworks: our constructions drop in as a black-box replacement for their sparse multi-point steps, accelerating all PCGs that rely on such encodings.
    We provide a complete protocol suite (deduplication, hashing, linear solver, sparse DPF instantiation) with a semi-honest security proof via a straight-line simulator that reveals only hash descriptors and aborts with negligible (cuckoo-style) probability. A prototype implementation validates the asymptotics with strong concrete performance improvements.
    ## 2025/2295
    * Title: An Ideal Linear Secret Sharing Scheme for Complete $t$-Partite $k$-Uniform Hypergraph Access Structures
    * Authors: Chunming Tang, Zheng Chen, Haonan Fu, Hongwei Zhu
    * [Permalink](https://eprint.iacr.org/2025/2295)
    * [Download](https://eprint.iacr.org/2025/2295.pdf)
    ### Abstract
    Secret sharing schemes represent a crucial cryptographic protocol, with linear codes serving as a primary tool for their construction. This paper systematically investigates the construction of ideal secret sharing schemes for complete $t$-partite $k$-uniform hypergraph access structures using linear codes as the tool. First, it is proved that the generator matrix $G$ of an ideal linear code realizing a complete $t$-partite $2$-uniform hypergraph access structure must have rank $2$. Simultaneously, a novel method for constructing an ideal secret sharing scheme that realizes such access structures is proposed. Building on this foundation, the case of complete $t$-partite $2$-uniform hypergraphs is extended to complete $t$-partite $k$-uniform hypergraphs, and a method for constructing ideal secret sharing schemes to realize them is provided. Compared with existing approaches, both Shamir's method and the scheme proposed by Brickell et al. are special cases of our proposed approach.
    ## 2025/2296
    * Title: SoK: Verifiable Federated Learning
    * Authors: Francesco Bruschi, Marco Esposito, Tommaso Gagliardoni, Andrea Rizzini
    * [Permalink](https://eprint.iacr.org/2025/2296)
    * [Download](https://eprint.iacr.org/2025/2296.pdf)
    ### Abstract
    Federated Learning (FL) is an advancement in Machine Learning motivated by the need to preserve the privacy of the data used to train models. While it effectively addresses this issue, the multi-participant paradigm on which it is based introduces several challenges. Among these are the risks that participating entities may behave dishonestly and fail to perform their tasks correctly. Moreover, due to the distributed nature of the architecture, attacks such as Sybil and collusion are possible. Recently, with advances in Verifiable Computation (VC) and Zero-Knowledge Proofs (ZKP), researchers have begun exploring how to apply these technologies to Federated Learning aiming to mitigate such problems. In this Systematization of Knowledge, we analyze the first, very recent works that attempt to integrate verifiability features into classical FL tasks, comparing their approaches and highlighting what is achievable with the current state of VC methods.
    ## 2025/2297
    * Title: Yoyo tricks with a BEANIE
    * Authors: Xavier Bonnetain, Sébastien Duval, Virginie Lallemand, Thierno Mamoudou Sabaly, Thomas Sagot, Thibault Sanvoisin
    * [Permalink](https://eprint.iacr.org/2025/2297)
    * [Download](https://eprint.iacr.org/2025/2297.pdf)
    ### Abstract
    BEANIE is a 32-bit tweakable block cipher, published in ToSC 2025.4, designed for memory encryption of microcontroller units. In this paper, we propose its first third-party analysis and present a key recovery against the full 5+5 rounds of BEANIE using a yoyo distinguisher. The attack has a cost close to the security claim of $2^{80}$ time and $2^{40}$ data.
    ## 2025/2298
    * Title: ALKAID: Accelerating Three-Party Boolean Circuits by Mixing Correlations and Redundancy
    * Authors: Ye Dong, Xudong Chen, Xiangfu Song, Yaxi Yang, Wen-jie Lu, Tianwei Zhang, Jianying Zhou, Jin-Song Dong
    * [Permalink](https://eprint.iacr.org/2025/2298)
    * [Download](https://eprint.iacr.org/2025/2298.pdf)
    ### Abstract
    Secure three-party computation (3PC) with semi-honest security under an honest majority offers notable efficiency in computation and communication; for Boolean circuits, each party sends a single bit for every AND gate, and nothing for XOR. However, round complexity remains a significant challenge, especially in high-latency networks. Some works can support multi-input AND and thereby reduce online round complexity, but they require *exponential* communication for generating the correlations in either the preprocessing or the online phase. How to extend the AND gate to multi-input while maintaining high correlation generation efficiency is still not solved.
    To address this problem, we propose ALKAID, a round-efficient 3PC framework for Boolean circuits built on an improved multi-input AND gate. By mixing correlations and redundancy, we propose a concretely efficient correlation generation approach for small input bits $N<4$ and shift the correlation generation to the preprocessing phase. Building on this, we create a round-efficient AND protocol for general cases with $N>4$. Exploiting the improved multi-input AND gates, we design fast depth-optimized parallel prefix adder and share conversion primitives in 3PC, achieved with new techniques and optimizations for better concrete efficiency. We further apply these optimized primitives to enhance the efficiency of secure non-linear functions in machine learning. We implement ALKAID and extensively evaluate its performance. Compared to state-of-the-art protocols such as ABY3 (CCS'2018), Trifecta (PoPETs'2023), and METEOR (WWW'2023), ALKAID enjoys $1.5\times$--$2.5\times$ efficiency improvements for Boolean primitives and non-linear functions, with better or comparable communication.
    ## 2025/2299
    * Title: Far-Field $Singing$ FPGAs: Repurposing Routing Fabrics into 100 m Covert Radiators
    * Authors: Udi Alush, Roey Amitay, Erez Danieli, Itamar Levi
    * [Permalink](https://eprint.iacr.org/2025/2299)
    * [Download](https://eprint.iacr.org/2025/2299.pdf)
    ### Abstract
    FPGAs rely on highly dense and symmetric internal routing networks to interconnect their configurable logic elements. In standard applications, these interconnects are used solely for digital signal transfer within the device, leaving many routing paths idle. We study the surprising ability of configurable FPGA routing fabrics to act as intentional radiators when structured and driven coherently. Building on prior near-field demonstrations (few centimeters), we (i) present a practical toolchain and methodology for synthesizing ``fabric-only'' antennas using constrained placement/routing; (ii) demonstrate reliable far-field reception for extremely long ranges (≥ 100 m) and quantified bit-error performance at meter-scale ranges using ASK/FSK modulation and simple ECC; and (iii) analyze the security implications by formalizing adversary capabilities, enumerating novel multi-tenant attack vectors, and outlining detection and mitigation strategies. Our work bridges implementation engineering, complex physical-layer measurement (with a set of complex far-field measurement apparatus), and security analysis, and highlights the urgent need for screening and runtime monitoring in shared FPGA environments. We have systematically shaped and combined unused paths into a contiguous structure, such as {Fractal, Loop, Dipole, Snake, Spiral, Array}-antennas, which required building an automation tool-chain. When energized, this embedded structure emits measurable electromagnetic energy that can serve as a stealth communication channel. We've extended this concept far beyond previous near-field demonstrations, achieving reliable reception in the far field, demonstrated rigorously with various measurement setups, a first for this class of long-range FPGA-based antennas without any external radiating RF hardware from a tiny ≈ 1x1 cm² device. We further show a Trojan example, triggered by rare events, attacking a Decryption Oracle model.
    ## 2025/2300
    * Title: Gravity of the Situation: Security Analysis on Rocket.Chat E2EE
    * Authors: Hayato Kimura, Ryoma Ito, Kazuhiko Minematsu, Takanori Isobe
    * [Permalink](https://eprint.iacr.org/2025/2300)
    * [Download](https://eprint.iacr.org/2025/2300.pdf)
    ### Abstract
    Rocket.Chat is a group chat platform widely deployed in industries and national organizations, with over 15 million users across 150 countries.
    One of its main features is an end-to-end encryption (E2EE) protocol; however, no cryptographic security analysis has been conducted.
    We conduct an in-depth cryptographic analysis of Rocket.Chat's E2EE protocol and identify multiple significant flaws that allow a malicious server or even an outsider to break the confidentiality and integrity of the group chat.
    Specifically, we formally model and analyze the protocol using ProVerif under the Dolev-Yao model, uncovering multiple theoretical weaknesses and verifying that some of them lead to practical attacks.
    Furthermore, through meticulous manual analysis, we identify additional vulnerabilities, including implementation flaws and cryptographic weaknesses such as CBC malleability, and demonstrate how they are exploitable in practical attack scenarios.
    To validate our findings, we develop Proof-of-Concept implementations, highlighting the real-world feasibility of these attacks.
    We also propose mitigation techniques and discuss the implications of our attacks.
    ## 2025/2301
    * Title: High-Performance SIMD Software for Spielman Codes in Zero-Knowledge Proofs
    * Authors: Florian Krieger, Christian Dobrouschek, Florian Hirner, Sujoy Sinha Roy
    * [Permalink](https://eprint.iacr.org/2025/2301)
    * [Download](https://eprint.iacr.org/2025/2301.pdf)
    ### Abstract
    We present the first high-performance SIMD software implementation of Spielman codes for their use in polynomial commitment schemes and zero-knowledge proofs. Spielman codes, as used in the Brakedown framework, are attractive alternatives to Reed-Solomon codes and benefit from linear-time complexity and field agnosticism. However, the practical deployment of Spielman codes has been hindered by a lack of research on efficient implementations. The involved costly finite-field arithmetic and random memory accesses operate on large volumes of data, typically exceeding gigabytes; these pose significant challenges for performance gains. To address these challenges, we propose several computational and memory-related optimizations that together reach an order-of-magnitude performance improvement in software. On the computation side, we propose SIMD optimizations using the AVX-512-IFMA instruction set and introduce a lazy reduction method to minimize the modular arithmetic cost. On the memory side, we implement a cache-friendly memory layout and a slicing technique, which exploit the CPU memory hierarchy. Finally, we present our multithreading approach to improve throughput without saturating memory bandwidth. Compared to prior Spielman software, our optimizations achieve speedups of up to 26.7x and 20.6x for single- and multi-threaded execution, respectively. In addition, instantiating our software with 64 threads on a high-end CPU even outperforms a recent FPGA accelerator by up to 4.3x for small and mid-sized polynomials. Our improvements make Spielman codes competitive with well-optimized Reed-Solomon codes on software platforms.
    ## 2025/2302
    * Title: Attacking and Securing Hybrid Homomorphic Encryption Against Power Analysis
    * Authors: Aikata Aikata, Maciej Czuprynko, Nedžma Musovic, Emira Salkić, Sujoy Sinha Roy
    * [Permalink](https://eprint.iacr.org/2025/2302)
    * [Download](https://eprint.iacr.org/2025/2302.pdf)
    ### Abstract
    We present the first power side-channel analysis of a Hybrid Homomorphic Encryption (HHE) tailored symmetric encryption scheme. HHE combines lightweight client-side Symmetric Encryption (SE) with server-side homomorphic evaluation, enabling efficient privacy-preserving computation for the client and minimizing the communication overhead. Recent integer-based HHE designs such as PASTA, MASTA, HERA, and Rubato rely on prime-field arithmetic, but their side-channel security has not been studied. This gap is critical, as modular arithmetic and large key spaces in integer-based schemes introduce new leakage vectors distinct from those in conventional Boolean symmetric ciphers. In this work, we close this gap by presenting the first power side-channel analysis of an HHE-tailored scheme, HERA.
    Our results demonstrate a successful key recovery from as few as 40 power traces using Correlation Power Analysis. In addition to showing that such attacks are feasible, we develop the first masking framework for integer-based SE schemes to mitigate them. Our design integrates PINI-secure gadgets with assembly-level countermeasures to address transition leakage, and we validate its effectiveness using the Test Vector Leakage Assessment. Our experiments confirm both the practicality of the attack and the strength of the proposed countermeasures. We also demonstrate that the framework extends to other integer-based HHE schemes, by applying our technique to PASTA. Thus, we provide leakage models, identify relevant attack targets, and define evaluation benchmarks for integer-based HHE-tailored SE schemes, thereby filling a longstanding gap and laying the foundation for side-channel-resilient design in this area.
    ## 2025/2303
    * Title: Suwako: A Logarithmic-Depth Modular Reduction for Arbitrary Trinomials over $\mathbb{F}_{2^m}$ without Pre-computation
    * Authors: Junyu Zhou, Jing Wang, Hao Ren, Si Gao, Xiao Lan
    * [Permalink](https://eprint.iacr.org/2025/2303)
    * [Download](https://eprint.iacr.org/2025/2303.pdf)
    ### Abstract
    Modular reduction over binary extension fields $\mathbb{F}_{2^m}$ is a fundamental operation in cryptographic implementations, including GCM and Elliptic Curve Cryptography. Traditional reduction algorithms (e.g., linear LFSR-based methods) are highly sensitive to the algebraic structure of the defining polynomial. This sensitivity is especially acute for trinomials $P(x) = x^m + x^t + 1$, where cryptographic standards have historically mandated the use of ``friendly'' polynomials (with small $t$) to avoid the linear performance degradation associated with ``random'' or ``unfriendly'' parameters. In this paper, we challenge this constraint by introducing Suwako, a novel reduction algorithm. By exploiting the self-similar algebraic structure of the reduction map, Suwako transforms the reduction process from a serial iterative chain (dependent on the degree gap $\Delta = m-t$) into a logarithmic-depth binary-doubling structure. We theoretically prove that Suwako achieves $O(\log m)$ folding depth for arbitrary trinomials, regardless of the position of the middle term $t$. Furthermore, unlike window-based or Montgomery/Barrett reduction methods, Suwako requires no pre-computation, making it optimal for dynamic environments.
    ## 2025/2304
    * Title: Streaming Function Secret Sharing and Its Applications
    * Authors: Xiangfu Song, Jianli Bai, Ye Dong, Yijian Liu, Yu Zhang, Xianhui Lu, Tianwei Zhang
    * [Permalink](https://eprint.iacr.org/2025/2304)
    * [Download](https://eprint.iacr.org/2025/2304.pdf)
    ### Abstract
    Collecting statistics from users of software and online services is crucial to improve service quality, yet obtaining such insights while preserving individual privacy remains a challenge. Recent advances in function secret sharing (FSS) make scalable privacy-preserving measurement (PPM) possible, which has led to ongoing standardization at the IETF. However, FSS-based solutions still face several challenges for streaming analytics, where messages are continuously sent, and secure computation tasks are repeatedly performed over incoming messages.
    We introduce a new cryptographic primitive called streaming function secret sharing (SFSS), a new variant of FSS that is particularly suitable for secure computation over streaming messages. We formalize SFSS and propose concrete constructions, including SFSS for point functions, predicate functions, and feasibility results for generic functions. SFSS powers several promising applications in a simple and modular fashion, including conditional transciphering, policy-hiding aggregation, and attribute-hiding aggregation. In particular, our SFSS formalization and constructions identify security flaws and efficiency bottlenecks in existing solutions, and SFSS-powered solutions achieve the expected security goal with asymptotically and concretely better efficiency and/or enhanced functionality.
    ## 2025/2305
    * Title: A New Approach to Large Party Beaver-Style MPC with Small Computational Overhead
    * Authors: Aayush Jain, Huijia Lin, Nuozhou Sun
    * [Permalink](https://eprint.iacr.org/2025/2305)
    * [Download](https://eprint.iacr.org/2025/2305.pdf)
    ### Abstract
    Secure multi-party computation (MPC) enables $N$ parties to jointly evaluate any function over their private inputs while preserving confidentiality. While decades of research have produced concretely efficient protocols for small to moderate numbers of participants, scaling MPC to thousands of parties remains a central challenge. Most of the existing approaches either incur per-party costs linear in $N$, due to pairwise computations, or rely on heavy cryptographic tools such as homomorphic encryption, which introduces prohibitive overheads when evaluating Boolean circuits.
    In this work, we introduce a new lightweight approach to designing semi-honest MPC protocols with per-party, per-gate computation and communication costs that are independent of $N$. Our construction leverages the Sparse Learning Parity with Noise (Sparse LPN) assumption in the random oracle model to achieve per-gate costs of $O(k^2 \cdot c(\lambda))$ computation and $O(c(\lambda))$ communication, where $k$ is the sparsity parameter for the Sparse LPN assumption and $c(\lambda)$ is an arbitrarily small super-constant in the security parameter $\lambda$. Assuming Sparse LPN remains hard for any super-constant sparsity, this yields the first semi-honest MPC protocol in the dishonest-majority setting with per-party per-gate costs bounded by an arbitrarily small super-constant overhead in $\lambda$.
    Structurally, our MPC instantiates a Beaver-style MPC with the required correlations generated efficiently. Departing from prior approaches that generate Beaver triples silently (Boyle et al., 2019; 2020; 2022) or using homomorphic computation (Damgård et al., 2012) for Beaver-style MPC, the focus of this work rests on efficiently generating a weaker correlation. In particular, using Sparse LPN we show that if we relax the correctness requirement in generating random Beaver triples to permit a tunably small inverse-polynomial error probability, such triples can be silently generated with arbitrarily small super-constant per-party computation. We then show that such correlations can be used in an efficient online phase similar to Beaver's protocol (with a tiny super-constant factor blow-up in communication).
    ## 2025/2306
    * Title: On Delegation of Verifiable Presentations from mdoc and BBS Credentials
    * Authors: Andrea Flamini, Andrea Gangemi, Enrico Guglielmino, Vincenzo Orabona
    * [Permalink](https://eprint.iacr.org/2025/2306)
    * [Download](https://eprint.iacr.org/2025/2306.pdf)
    ### Abstract
    Interest in verifiable credential systems has gained traction since the eIDAS 2.0 Regulation was published. This regulation instructs EU member states to provide their citizens with digital identity wallets (EUDI Wallet) that must store the credentials and enable privacy-preserving presentation of identity information to relying parties. This new digital identity system requires defining new protocols and procedures to perform tasks involving the disclosure of identity information. One such procedure is the delegation of attestations, as reported in the EUDI Wallet Reference Implementation Roadmap.
    In this work, we address the problem of constructing secure processes for the delegation of verifiable presentations derived from both verifiable and anonymous credentials. Our goal is to enable a credential holder (the delegator) to securely delegate another party (the delegatee) to present a credential on their behalf.
    We introduce the notion of a verifiable presentation delegation scheme, formalizing the core algorithms, namely delegation issuance, delegated presentation, and presentation verification, and defining the relevant security properties that such a scheme should satisfy: correctness, unforgeability, and, when the scheme is built on top of anonymous credentials, also unlinkability. We present two concrete instantiations of delegation schemes: the first is built on top of mdoc verifiable credentials, the credential format currently supported by the EUDI Wallet Architecture and Reference Framework (EUDI ARF), while the second is built on top of BBS anonymous credentials. Finally, we discuss and analyze the security of our constructions in terms of the security properties we have introduced.
    --- Synchronet 3.21a-Linux NewsLink 1.2