CINXE.COM

<?xml version="1.0" encoding="utf-8" ?> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <atom:link href="https://iacr.org/news/rss" rel="self" type="application/rss+xml" /> <title>IACR News</title> <link>https://www.iacr.org/news/</link> <description></description> <language>en</language> <copyright>Copyright IACR</copyright> <pubDate>Fri, 11 Apr 25 15:33:38 +0000</pubDate> <ttl>10</ttl> <image> <url>https://iacr.org/img/logo/iacrlogo_bg.png</url> <link>https://www.iacr.org/news/</link> <width>144</width> <height>144</height> <description>IACR</description> <title>IACR News</title> </image> <item> <guid>https://iacr.org/news/item/25477</guid> <title>Impossible Differential Attack on SAND-64</title> <link>https://iacr.org/news/item/25477</link> <pubDate>Fri, 11 Apr 2025 07:06:04 GMT</pubDate> <description><![CDATA[ePrint Report: Impossible Differential Attack on SAND-64 Nobuyuki Sugio SAND is an AND-RX-based lightweight block cipher proposed by Chen et al. There are two variants of SAND, namely SAND-64 and SAND-128, due to structural differences. In this paper, we search for impossible differential distinguishers of SAND-64 using the Constraint Programming (CP) and reveal 56 types of impossible differential distinguishers up to 11 rounds. Furthermore, we demonstrate a key recovery attack on 17-round SAND-64. The complexities for the attack require $2^{56}$ data, $2^{127}$ encryptions, and $2^{60}$ bytes of memory, respectively. Although this result currently achieves the best attack on round-reduced SAND-64, this attack does not threaten the security of SAND-64 against impossible differential attack. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25476</guid> <title>Towards Scalable YOSO MPC via Packed Secret-Sharing</title> <link>https://iacr.org/news/item/25476</link> <pubDate>Fri, 11 Apr 2025 07:06:04 GMT</pubDate> <description><![CDATA[ePrint Report: Towards Scalable YOSO MPC via Packed Secret-Sharing Daniel Escudero, Elisaweta Masserova, Antigoni Polychroniadou The YOSO (You Only Speak Once) model, introduced by Gentry et al. (CRYPTO 2021), helps to achieve strong security guarantees in cryptographic protocols for distributed settings, like blockchains, with large number of parties. YOSO protocols typically employ smaller anonymous committees to execute individual rounds of the protocol instead of having all parties execute the entire protocol. After completing their tasks, parties encrypt protocol messages for the next anonymous committee and erase their internal state before publishing ciphertexts, thereby enhancing security in dynamically changing environments. In this work, we consider the problem of secure multi-party computation (MPC), a fundamental problem in cryptography and distributed computing. We assume honest majority among the committee members, and work in the online-offline, i.e., preprocessing, setting. In this context, we present the first YOSO MPC protocol where efficiency---measured as communication complexity---improves as the number of parties increases. Specifically, for $0<\epsilon<1/2$ and an adversary corrupting $t0$, the sizes of the committees are only marginally increased, while online communication is significantly reduced. Furthermore, we explicitly consider fail-stop adversaries, i.e., honest participants who may inadvertently fail due to reasons such as denial of service or software/hardware errors. In prior YOSO work, these adversaries were grouped with fully malicious parties. Adding explicit support for them allows us to achieve even better scalability. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25475</guid> <title>Cryptography based on 2D Ray Tracing</title> <link>https://iacr.org/news/item/25475</link> <pubDate>Fri, 11 Apr 2025 07:06:04 GMT</pubDate> <description><![CDATA[ePrint Report: Cryptography based on 2D Ray Tracing Sneha Mohanty, Christian Schindelhauer We introduce a novel symmetric key cryptographic scheme involving a light ray's interaction with a 2D cartesian coordinate setup, several smaller boxes within this setup, of either reflection or refraction type and $1^{st}$, $2^{nd}$ or $3^{rd}$ degree polynomial curves inside each of these smaller boxes. We also incorporate boolean logic gates of types XOR, NOT-Shift and Permutation which get applied to the light ray after each interaction with a reflecting or refracting polynomial curve. This alternating interaction between Optical gates (polynomial curves) and Non-optical gates creates a complex and secure cryptographic system. Furthermore, we design and launch customized attacks on our cryptographic system and discuss the robustness of it against these. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25474</guid> <title>Hybrid-query bounds with partial input control - framework and application to tight M-eTCR</title> <link>https://iacr.org/news/item/25474</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: Hybrid-query bounds with partial input control - framework and application to tight M-eTCR Andreas Hülsing, Mikhail Kudinov, Christian Majenz In this paper, we present an improved framework for proving query bounds in the Quantum Random Oracle Model (QROM) for algorithms with both quantum and classical query interfaces, where the classical input is partially controlled by the adversary. By extending existing techniques, we develop a method to bound the progress an adversary can make with such partial-control classical queries. While this framework is applicable to different hash function properties, we decided to demonstrate the impact of the new techniques by giving an analysis of the multi-target extended target collision resistance property (m-eTCR). This new approach allows us to achieve an improved bound that significantly reduces the required function key size. Our proof is tight in terms of query complexity and has significant implications for cryptographic applications, especially for signature schemes in the hash & sign paradigm, enabling more efficient instantiations with reduced salt sizes and smaller signature lengths. For an example of multiple signatures aggregation, we achieve a signature size of 30 kB smaller. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25473</guid> <title>On breaking McEliece keys using brute force</title> <link>https://iacr.org/news/item/25473</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: On breaking McEliece keys using brute force Lorenz Panny In the McEliece public-key encryption scheme, a private key is almost always not determined uniquely by its associated public key. This paper gives a structural characterization of equivalent private keys, generalizing a result known for the more approachable special case $\lvert L\rvert=q$. These equivalences reduce the cost estimate for a simple private-key search using the support-splitting algorithm (SSA) by a polynomial but practically very substantial factor. We provide an optimized software implementation of the SSA for this kind of key search and demonstrate its capabilities in practice by solving a key-recovery challenge with a naïve a‑priori cost estimate of $2^{83}$ bit operations in just ${\approx}\,1400$ core days, testing ${\approx}\,9400$ private-key candidates per core and second in the process. We stress that the speedup from those equivalences is merely polynomial and does not indicate any weakness in realistic instantiations of the McEliece cryptosystem, whose parameter choices are primarily constrained by decoding attacks rather than ludicrously more expensive key-recovery attacks. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25472</guid> <title>Dyna-hinTS: Silent Threshold Signatures for Dynamic Committees</title> <link>https://iacr.org/news/item/25472</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: Dyna-hinTS: Silent Threshold Signatures for Dynamic Committees Aniket Kate, Pratyay Mukherjee, Samipa Samanta, Pratik Sarkar The works of Garg et al. [S&P'24] (aka hinTS) and Das et al. [CCS'23] introduced the notion of silent threshold signatures (STS) - where a set of signers silently perform local computation to generate a public verification key. To sign a message, any set of $t$ signers sign the message non-interactively and these are aggregated into a constant-sized signature. This paradigm avoids performing expensive Distributed Key Generation procedure for each set of signers while keeping the public verification key constant-sized. In this work, we propose the notion of committee-based silent threshold signature (c-STS) scheme. In a c-STS scheme, a set of signers initially perform a one-time setup to generate the verification key, and then a subset of signers are randomly chosen for an epoch to perform the threshold signing while the other signers are not authorized to sign during that epoch. This captures existing systems like Ethereum Altair and Dfinity where only a specific committee is authorized to sign in a designated epoch. The existing STS schemes cannot be extended to the committee setting because the signature verification only attests to the number of signing parties, not which committee they belong to. So, we upgrade hinTS to the committee setting by proposing Dyna-hinTS. It is the $first$ c-STS scheme and it requires a one-time silent setup and generates a one-time public verification key that does not vary with the committee. Assuming a set of 1024 signers (with corrupt 682 signers), hinTS generates an aggregated signature in 1.7s whereas Dyna-hinTS generates it in $0.35$s within a committee of $80$ signers. This yields a $4.9\times$ improvement over hinTS for signature generation at the cost of increasing signature verification time by $4\%$ over hinTS. Dyna-hinTS supports general access structure, weighted signatures and improves existing multiverse threshold signatures. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25471</guid> <title>Charge Your Clients: Payable Secure Computation and Its Applications</title> <link>https://iacr.org/news/item/25471</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: Charge Your Clients: Payable Secure Computation and Its Applications Cong Zhang, Liqiang Peng, Weiran Liu, Shuaishuai Li, Meng Hao, Lei Zhang, Dongdai Lin The online realm has witnessed a surge in the buying and selling of data, prompting the emergence of dedicated data marketplaces. These platforms cater to servers (sellers), enabling them to set prices for access to their data, and clients (buyers), who can subsequently purchase these data, thereby streamlining and facilitating such transactions. However, the current data market is primarily confronted with the following issues. Firstly, they fail to protect client privacy, presupposing that clients submit their queries in plaintext. Secondly, these models are susceptible to being impacted by malicious client behavior, for example, enabling clients to potentially engage in arbitrage activities. To address the aforementioned issues, we propose payable secure computation, a novel secure computation paradigm specifically designed for data pricing scenarios. It grants the server the ability to securely procure essential pricing information while protecting the privacy of client queries. Additionally, it fortifies the server's privacy against potential malicious client activities. As specific applications, we have devised customized payable protocols for two distinct secure computation scenarios: Keyword Private Information Retrieval (KPIR) and Private Set Intersection (PSI). We implement our two payable protocols and compare them with the state-of-the-art related protocols that do not support pricing as a baseline. Since our payable protocols are more powerful in the data pricing setting, the experiment results show that they do not introduce much overhead over the baseline protocols. Our payable KPIR achieves the same online cost as baseline, while the setup is about $1.3-1.6\times$ slower than it. Our payable PSI needs about $2\times$ more communication cost than that of baseline protocol, while the runtime is $1.5-3.2\times$ slower than it depending on the network setting. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25470</guid> <title>Audience Injection Attacks: A New Class of Attacks on Web-Based Authorization and Authentication Standards</title> <link>https://iacr.org/news/item/25470</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: Audience Injection Attacks: A New Class of Attacks on Web-Based Authorization and Authentication Standards Pedram Hosseyni, Ralf Kuesters, Tim Würtele We introduce audience injection attacks, a novel class of vulnerabilities that impact widely used Web-based authentication and authorization protocols, including OAuth 2.0, OpenID Connect, FAPI, CIBA, the Device Authorization Grant, and various well-established extensions, such as Pushed Authorization Requests, Token Revocation, Token Introspection, and their numerous combinations. These protocols underpin services for billions of users across diverse ecosystems worldwide, spanning low-risk applications like social logins to high-risk domains such as open banking, insurance, and healthcare. Audience injection attacks exploit a critical weakness in a core security mechanism of these protocols - the handling of so-called audiences in signature-based client authentication mechanisms. This vulnerability allows attackers to compromise fundamental security objectives whenever these mechanisms are utilized across two or more server endpoints. They enable the attacker to impersonate users and gain unauthorized access to their resources, even in high-security protocol families specifically designed for sensitive applications. We responsibly disclosed these vulnerabilities to the relevant standardization bodies, which recognized their severity. In collaboration with these organizations, we developed fixes and supported a coordinated response, leading to an ongoing effort to update a dozen of standards, numerous major implementations, and far-reaching ecosystems. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25469</guid> <title>Improving the Masked Division for the FALCON Signature</title> <link>https://iacr.org/news/item/25469</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: Improving the Masked Division for the FALCON Signature Pierre-Augustin Berthet, Justine Paillet, Cédric Tavernier, Lilian Bossuet, Brice Colombier FALCON is a post-quantum signature selected by the National Institute of Standards and Technology (NIST). Although its side-channel resilience has been studied and a masking countermeasure proposed, the division is a major performance bottleneck. This work proposes a different approach to the masked FALCON division. We use the Newton method and a convergent sequence to approximate this operation. The performance of the masked division is improved by a factor 6.7 for two shares and 6.98 for three shares. For the Gaussian sampler, the improvements are of a factor 1.45 for two shares and 1.43 for three shares. Formal security proofs using the MIMO-SNI criteria are also provided. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25468</guid> <title>Everlasting Fully Dynamic Group Signatures</title> <link>https://iacr.org/news/item/25468</link> <pubDate>Fri, 11 Apr 2025 07:00:06 GMT</pubDate> <description><![CDATA[ePrint Report: Everlasting Fully Dynamic Group Signatures Yimeng He, San Ling, Khai Hanh Tang, Huaxiong Wang Group signatures allow a user to sign anonymously on behalf of a group of users while allowing a tracing authority to trace the signer's identity in case of misuse. In Chaum and van Heyst's original model (EUROCRYPT'91), the group needs to stay fixed. Throughout various attempts, including partially dynamic group signatures and revocations, Bootle et al. (ACNS'16, J. Cryptol.) formalized the notion of fully dynamic group signatures (FDGS), enabling both enrolling and revoking users of the group. However, in their scheme, the verification process needs to take into account the latest system information, and a previously generated signature will be invalidated as soon as, for example, there is a change in the group. We therefore raise a research question: Is it possible to construct an FDGS under which the validity of a signature can survive future changes in the system information? In this paper, we propose Everlasting Fully Dynamic Group Signatures (EFDGS) that allow signers to generate signatures that do not require verification with any specific epoch. Specifically, once the signatures are created, they are valid forever. It also guarantees that the signer can only output such a signature when she is a valid user of the system. We realize the above new model by constructing a plausibly post-quantum standard-lattice-based EFDGS. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25467</guid> <title>Tree-based Quantum Carry-Save Adder</title> <link>https://iacr.org/news/item/25467</link> <pubDate>Fri, 11 Apr 2025 06:54:04 GMT</pubDate> <description><![CDATA[ePrint Report: Tree-based Quantum Carry-Save Adder Hyunjun Kim, Sejin Lim, Kyungbae Jang, Siyi Wang, Anubhab Baksi, Anupam Chattopadhyay, Hwajeong Seo Quantum computing is regarded as one of the most significant upcoming advancements in computer science. Although fully operational quantum computers have yet to be realized, they are expected to solve specific problems that are difficult to solve using classical computers. Given the limitations of quantum computing resources, it is crucial to design compact quantum circuits for core operations, such as quantum arithmetic. In this paper, we focus on optimizing the circuit depth of quantum multi-operand addition, which is a fundamental component in quantum implementations (as an example, SHA-2). Building on the foundational quantum carry-save approach by Phil Gossett, we introduce a tree-based quantum carry-save adder. Our design integrates the Wallace and Dadda trees to optimize carry handling during multi-operand additions. To further reduce circuit depth, we utilize additional ancilla qubits for parallel operations and introduce an efficient technique for reusing these ancilla qubits. Our tree-based carry-save adder achieves the lowest circuit depth ($T$-depth) and provides an improvement of over 82% (up to 99%) in the qubit count–circuit depth product for multi-operand addition. Furthermore, we apply our method to multiplication, achieving the lowest circuit depth and an improvement of up to 87% in the qubit count–circuit depth product. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25466</guid> <title>FHECAP: An Encrypted Control System with Piecewise Continuous Actuation</title> <link>https://iacr.org/news/item/25466</link> <pubDate>Fri, 11 Apr 2025 06:54:04 GMT</pubDate> <description><![CDATA[ePrint Report: FHECAP: An Encrypted Control System with Piecewise Continuous Actuation Song Bian, Yunhao Fu, Dong Zhao, Haowen Pan, Yuexiang Jin, Jiayue Sun, Hui Qiao, Zhenyu Guan We propose an encrypted controller framework for linear time-invariant systems with actuator non-linearity based on fully homomorphic encryption (FHE). While some existing works explore the use of partially homomorphic encryption (PHE) in implementing linear control systems, the impacts of the non-linear behaviors of the actuators on the systems are often left unconcerned. In particular, when the inputs to the controller become too small or too large, actuators may burn out due to unstable system state oscillations. To solve this dilemma, we design and implement FHECAP, an FHE-based controller framework that can homomorphically apply non-linear functions to the actuators to rectify the system inputs. In FHECAP, we first design a novel data encoding scheme tailored for efficient gain matrix evaluation. Then, we propose a high-precision homomorphic algorithm to apply non-arithmetic piecewise function to realize the actuator normalization. In the experiments, compared with the existing state-of-the-art encrypted controllers, FHECAP achieves $4\times$--$1000\times$ reduction in computational latency. We evaluate the effectiveness of FHECAP in the real-world application of encrypted control for spacecraft rendezvous. The simulation results show that the FHECAP achieves real-time spacecraft rendezvous with negligible accuracy loss. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25465</guid> <title>Trapdoor one-way functions from tensors</title> <link>https://iacr.org/news/item/25465</link> <pubDate>Fri, 11 Apr 2025 06:54:04 GMT</pubDate> <description><![CDATA[ePrint Report: Trapdoor one-way functions from tensors Anand Kumar Narayanan Weyman and Zelevinsky generalised Vandermonde matrices to higher dimensions, which we call Vandermonde-Weyman-Zelevinsky tensors. We generalise Lagrange interpolation to higher dimensions by devising a nearly linear time algorithm that given a Vandermonde-Weyman-Zelevinsky tensor and a sparse target vector, finds a tuple of vectors that hit the target under tensor evaluation. Tensor evaluation to us means evaluating the usual multilinear form associated with the tensor in all but one chosen dimension. Yet, this interpolation problem phrased with respect to a random tensor appears to be a hard multilinear system. Leveraging this dichotomy, we propose preimage sampleable trapdoor one-way functions in the spirit of Gentry-Peikert-Vaikuntanathan (GPV) lattice trapdoors. We design and analyse ``Hash-and-Sign'' digital signatures from such trapdoor one-way functions, yielding short signatures whose lengths scale nearly linearly in the security parameter. We also describe an encryption scheme. Our trapdoor is a random Vandermonde-Weyman-Zelevinsky tensor over a finite field and a random basis change. We hide the Vandermonde-Weyman-Zelevinsky tensor under the basis change and publish the resulting pseudorandom tensor. The one way function is the tensor evaluation derived from the public tensor, restricted so as to only map to sparse vectors. We then design the domain sampler and preimage sampler demanded by the GPV framework. The former samples inputs that map to uniform images under the one-way function. The latter samples preimages given supplementary knowledge of the trapdoor. Preimage sampling is a randomised version of interpolation and knowing the basis change allows efficient translation between interpolation corresponding to the public and trapdoor tensors. An adversary seeking a preimage must solve a pseudorandom multilinear system, which seems cryptographically hard. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25464</guid> <title>CertainSync: Rateless Set Reconciliation with Certainty</title> <link>https://iacr.org/news/item/25464</link> <pubDate>Fri, 11 Apr 2025 06:54:04 GMT</pubDate> <description><![CDATA[ePrint Report: CertainSync: Rateless Set Reconciliation with Certainty Tomer Keniagin, Eitan Yaakobi, Ori Rottenstreich Set reconciliation is a fundamental task in distributed systems, particularly in blockchain networks, where it enables the synchronization of transaction pools among peers and facilitates block dissemination. Existing traditional set reconciliation schemes are either statistical, providing success probability as a function of the communication overhead and the size of the symmetric difference, or require parametrization and estimation of the size of the symmetric difference, which can be prone to error. In this paper, we present CertainSync, a novel reconciliation framework that, to the best of our knowledge, is the first to guarantee successful set reconciliation without any parametrization or estimators in use. The framework is rateless and adapts to the unknown symmetric difference size. The set reconciliation is guaranteed to be completed successfully whenever the communication overhead reaches a lower bound derived from the symmetric difference size and the universe size. Our framework is based on recent constructions of Invertible Bloom Lookup Tables (IBLTs) ensuring successful element listing as long as the number of elements is bounded. We provide a theoretical analysis to prove the certainty in the set reconciliation for multiple constructions. The approach is also validated by simulations, showing the ability to synchronize sets with efficient communication costs while maintaining reconciliation guarantees compared to other baseline schemes for set reconciliation. To further improve communication overhead for large universes as blockchain networks, CertainSync is extended with a universe reduction technique to minimize communication overhead. We compare and validate the extended framework UniverseReduceSync against the basic CertainSync framework through simulations using real blockchain transaction hash data from the Ethereum blockchain network. The results illustrate a trade-off between improved communication costs and maintaining reconciliation guarantees without relying on parametrization or estimators, offering a comprehensive solution for set reconciliation in diverse scenarios. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25463</guid> <title>Byzantine Reliable Broadcast and Tendermint Consensus with trusted components</title> <link>https://iacr.org/news/item/25463</link> <pubDate>Fri, 11 Apr 2025 06:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Byzantine Reliable Broadcast and Tendermint Consensus with trusted components Yackolley Amoussou-Guenou, Lionel Beltrando, Maurice Herlihy, Maria Potop-Butucaru Byzantine Reliable Broadcast is one of the most popular communication primitives in distributed systems. Byzantine reliable broadcast ensures that processes agree to deliver a message from an initiator, even if some processes (possibly including the initiator) are Byzantine. In asynchronous settings, it is known since the prominent work of Bracha \cite{Bracha87} that Byzantine reliable broadcast can be implemented deterministically if the total number of processes, denoted by $n$, satisfies $n \geq 3t+1$ where $t$ is an upper bound on the number of Byzantine processes. Here, we study Byzantine Reliable Broadcast when processes are equipped with \emph{trusted components}, special software or hardware designed to prevent equivocation. Our contribution is threefold. First, we show that, despite common belief, when each process is equipped with a trusted component, Bracha's algorithm still needs $n \geq 3t+1$. Second, we present a novel algorithm that uses a single trusted component (at the initiator) that implements Byzantine Reliable Asynchronous Broadcast with $n \geq 2t+1$. \yag{Lastly, building on our broadcast algorithm, we present TenderTee, a transformation of the Tendermint consensus algorithm by using trusted component, giving better Byzantine resilience. Tendertee works with $n \geq 2t+1$, where Tendermint needed $n=3t+1$.} ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25462</guid> <title>SPHINCSLET: An Area-Efficient Accelerator for the Full SPHINCS+ Digital Signature Algorithm</title> <link>https://iacr.org/news/item/25462</link> <pubDate>Fri, 11 Apr 2025 06:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: SPHINCSLET: An Area-Efficient Accelerator for the Full SPHINCS+ Digital Signature Algorithm Sanjay Deshpande, Yongseok Lee, Cansu Karakuzu, Jakub Szefer, Yunheung Paek This work presents SPHINCSLET, the first fully standard-compliant and area-efficient hardware implementation of the SLH-DSA algorithm, formerly known as SPHINCS+, a post-quantum digital signature scheme. SPHINCSLET is designed to be parameterizable across different security levels and hash functions, offering a balanced trade-off between area efficiency and performance. Existing hardware implementations either feature a large area footprint to achieve fast signing and verification or adopt a coprocessor-based approach that significantly slows down these operations. SPHINCSLET addresses this gap by delivering a 4.7$\times$ reduction in area compared to high-speed designs while achieving a 2.5$\times$ to 5$\times$ improvement in signing time over the most efficient coprocessor-based designs for a SHAKE256-based SPHINCS+ implementation. The SHAKE256-based SPHINCS+ FPGA implementation targeting the AMD Artix-7 requires fewer than 10.8K LUTs for any security level of SLH-DSA. Furthermore, the SHA-2-based SPHINCS+ implementation achieves a 2$\times$ to 4$\times$ speedup in signature generation across various security levels compared to existing SLH-DSA hardware, all while maintaining a compact area footprint of 6K to 15K LUTs. This makes it the fastest SHA-2-based SLH-DSA implementation to date. With an optimized balance of area and performance, SPHINCSLET can assist resource-constrained devices in transitioning to post-quantum cryptography. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25461</guid> <title>Need for zkSpeed: Accelerating HyperPlonk for Zero-Knowledge Proofs</title> <link>https://iacr.org/news/item/25461</link> <pubDate>Fri, 11 Apr 2025 06:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Need for zkSpeed: Accelerating HyperPlonk for Zero-Knowledge Proofs Alhad Daftardar, Jianqiao Mo, Joey Ah-kiow, Benedikt Bünz, Ramesh Karri, Siddharth Garg, Brandon Reagen (Preprint) Zero-Knowledge Proofs (ZKPs) are rapidly gaining importance in privacy-preserving and verifiable computing. ZKPs enable a proving party to prove the truth of a statement to a verifying party without revealing anything else. ZKPs have applications in blockchain technologies, verifiable machine learning, and electronic voting, but have yet to see widespread adoption due to the computational complexity of the proving process.Recent works have accelerated the key primitives of state-of-the-art ZKP protocols on GPU and ASIC. However, the protocols accelerated thus far face one of two challenges: they either require a trusted setup for each application, or they generate larger proof sizes with higher verification costs, limiting their applicability in scenarios with numerous verifiers or strict verification time constraints. This work presents an accelerator, zkSpeed, for HyperPlonk, a state-of-the-art ZKP protocol that supports both one-time, universal setup and small proof sizes for typical ZKP applications in publicly verifiable, consensus-based systems. We accelerate the entire protocol, including two major primitives: SumCheck and Multi-scalar Multiplications (MSMs). We develop a full-chip architecture using 366.46 mm$^2$ and 2 TB/s of bandwidth to accelerate the entire proof generation process, achieving geometric mean speedups of 801$\times$ over CPU baselines. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25460</guid> <title>Making BBS Anonymous Credentials eIDAS 2.0 Compliant</title> <link>https://iacr.org/news/item/25460</link> <pubDate>Fri, 11 Apr 2025 06:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Making BBS Anonymous Credentials eIDAS 2.0 Compliant Nicolas Desmoulins, Antoine Dumanois, Seyni Kane, Jacques Traoré eIDAS 2.0 (electronic IDentification, Authentication and trust Services) is a very ambitious regulation aimed at equipping European citizens with a personal digital identity wallet (EU Digital Identity Wallet) on a mobile phone that not only needs to achieve a high level of security, but also needs to be available as soon as possible for a large number of citizens and respect their privacy (as per GDPR - General Data Protection Regulation). In this paper, we introduce the foundations of a digital identity wallet solution that could help move closer to this objective by leveraging the proven anonymous credentials system BBS (Eurocrypt 2023), also known as BBS+, but modifying it to avoid the limitations that have hindered its widespread adoption, especially in certified infrastructures requiring trusted hardware implementation. In particular, the solution we propose, which we call BBS#, does not rely, contrary to BBS/BBS +, on bilinear maps and pairing-friendly curves (which are not supported by existing hardware) and only depends on the hardware implementation of well-known digital signature schemes such as ECDSA (ISO/IEC 14888-3) or ECSDSA (also known as ECSchnorr, ISO/IEC 14888-3) using classical elliptic curves. More precisely, BBS# can be rolled out without requiring any change in existing hardware or the algorithms that hardware supports. BBS# , which is proven secure in the random oracle model, retains the well-known security property (unforgeability of the credentials under the (gap) q-SDH assumption) and anonymity properties (multi-show full unlinkability and statistical anonymity of presentation proofs) of BBS/BBS+. By implementing BBS# on several smartphones using different secure execution environments, we show that it is possible to achieve eIDAS 2.0 transactions which are not only efficient (around 70 ms on Android StrongBox), secure and certifiable at the highest level but also provide strong (optimal) privacy protection for all European ID Wallet users. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25459</guid> <title>Anonymous Self-Credentials and their Application to Single-Sign-On</title> <link>https://iacr.org/news/item/25459</link> <pubDate>Fri, 11 Apr 2025 06:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Anonymous Self-Credentials and their Application to Single-Sign-On Jayamine Alupotha, Mariarosaria Barbaraci, Ioannis Kaklamanis, Abhimanyu Rawat, Christian Cachin, Fan Zhang Modern life makes having a digital identity no longer optional, whether one needs to manage a bank account or subscribe to a newspaper. As the number of online services increases, it is fundamental to safeguard user privacy and equip service providers (SP) with mechanisms enforcing Sybil resistance, i.e., preventing a single entity from showing as many. Current approaches, such as anonymous credentials and self-sovereign identities, typically rely on identity providers or identity registries trusted not to track users' activities. However, this assumption of trust is no longer appropriate in a world where user data is considered a valuable asset. To address this challenge, we introduce a new cryptographic notion, Anonymous Self-Credentials (ASC) along with two implementations. This approach enables users to maintain their privacy within an anonymity set while allowing SPs to obtain Sybil resistance. Then, we present a User-issued Unlinkable Single Sign-On (U2SSO) implemented from ASC that solely relies on an identity registry to immutably store identities. A U2SSO solution allows users to generate unlinkable child credentials for each SP using only one set of master credentials. We demonstrate the practicality and efficiency of our U2SSO solution by providing a complete proof-of-concept. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25458</guid> <title>Multi-Screaming-Channel Attacks: Frequency Diversity for Enhanced Attacks</title> <link>https://iacr.org/news/item/25458</link> <pubDate>Fri, 11 Apr 2025 06:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Multi-Screaming-Channel Attacks: Frequency Diversity for Enhanced Attacks Jeremy Guillaume, Maxime Pelcat, Amor Nafkha, Ruben Salvador Side-channel attacks consist of retrieving internal data from a victim system by analyzing its leakage, which usually requires proximity to the victim in the range of a few millimetres. Screaming channels are EM side channels transmitted at a distance of a few meters. They appear on mixed-signal devices integrating an RF module on the same silicon die as the digital part. Consequently, the side channels are modulated by legitimate RF signal carriers and appear at the harmonics of the digital clock frequency. While initial works have only considered collecting leakage at these harmonics, late work has demonstrated that the leakage is also present at frequencies other than these harmonics. This result significantly increases the number of available frequencies to perform a screaming-channel attack, which can be convenient in an environment where multiple harmonics are polluted. This work studies how this diversity of frequencies carrying leakage can be used to improve attack performance. We first study how to combine multiple frequencies. Second, we demonstrate that frequency combination can improve attack performance and evaluate this improvement according to the performance of the combined frequencies. Finally, we demonstrate the interest of frequency combination in attacks at $15$ and, for the first time to the best of our knowledge, at $30$ meters. One last important observation is that this frequency combination divides by $2$ the number of traces needed to reach a given attack performance. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25457</guid> <title>State Machine Replication Without Borders</title> <link>https://iacr.org/news/item/25457</link> <pubDate>Fri, 11 Apr 2025 06:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: State Machine Replication Without Borders Juan Garay, Aggelos Kiayias, Yu Shen A set of unacquainted parties, some of which may misbehave, communicate with each other over an unauthenticated and unreliable gossip network. They wish to jointly replicate a state machine $\Pi$ so that each one of them has fair access to its operation. Specifically, assuming parties' computational power is measured as queries to an oracle machine $H(\cdot)$, parties can issue symbols to the state machine in proportion to their queries to $H(\cdot)$ at a given fixed rate. Moreover, if such access to the state machine is provided continuously in expected constant time installments we qualify it as fast fairness. A state machine replication (SMR) protocol in this permissionless setting is expected to offer consistency across parties and reliably process all symbols that honest parties wish to add to it in a timely manner despite continuously fluctuating participation and in the presence of an adversary who commands less than half of the total queries to $H(\cdot)$ per unit of time. A number of protocols strive to offer the above guarantee together with fast settlement — notably, the Bitcoin blockchain offers a protocol that settles against Byzantine adversaries in polylogarithmic rounds, while fairness only holds in a fail-stop adversarial model (due to the fact that Byzantine behavior can bias access to the state machine in the adversary's favor). In this work, we put forth the first Byzantine-resilient protocol solving SMR in this setting with both expected-constant-time settlement and fast fairness. In addition, our protocol is self-sufficient in the sense of performing its own time keeping while tolerating an adaptively fluctuating set of parties. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25456</guid> <title>From at Least $n/3$ to at Most $3\sqrt{n}$: Correcting the Algebraic Immunity of the Hidden Weight Bit Function</title> <link>https://iacr.org/news/item/25456</link> <pubDate>Fri, 11 Apr 2025 06:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: From at Least $n/3$ to at Most $3\sqrt{n}$: Correcting the Algebraic Immunity of the Hidden Weight Bit Function Pierrick Méaux Weightwise degree-$d$ functions are Boolean functions that, on each set of fixed Hamming weight, coincide with a function of degree at most $d$. They generalize both symmetric functions and the Hidden Weight Bit Function (HWBF), which has been studied in cryptography for its favorable properties. In this work, we establish a general upper bound on the algebraic immunity of such functions, a key security parameter against algebraic attacks on stream ciphers like filtered Linear Feedback Shift Registers (LFSRs). We construct explicit low-degree annihilators for WWdd functions with small $d$, and show how to generalize these constructions. As an application, we prove that the algebraic immunity of the HWBF is upper bounded by $3\sqrt{n}$ disproving a result from 2011 that claimed a lower bound of $n/3$. We then apply our technique to several generalizations of the HWBF proposed since 2021 for homomorphically friendly constructions and LFSR-based ciphers, refining or refuting results from six prior works. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25455</guid> <title>Highly Efficient Actively Secure Two-Party Computation with One-Bit Advantage Bound</title> <link>https://iacr.org/news/item/25455</link> <pubDate>Fri, 11 Apr 2025 06:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: Highly Efficient Actively Secure Two-Party Computation with One-Bit Advantage Bound Yi Liu, Junzuo Lai, Peng Yang, Anjia Yang, Qi Wang, Siu-Ming Yiu, Jian Weng Secure two-party computation (2PC) enables two parties to jointly evaluate a function while maintaining input privacy. Despite recent significant progress, a notable efficiency gap remains between actively secure and passively secure protocols. In S\&P'12, Huang, Katz, and Evans formalized the notion of \emph{active security with one-bit leakage}, providing a promising approach to bridging this gap. Protocols derived from this notion have become foundational in designing highly efficient actively secure 2PC protocols. However, a critical challenge identified by Huang, Katz, and Evans remains unexplored: these protocols face significant weaknesses in ensuring fairness for honest parties when employed in standalone settings rather than as components within larger protocols. While the authors proposed two potential solutions to mitigate this issue, both approaches are prohibitively expensive and lack formalization of security guarantees. In this paper, we first formally define an enhanced notion called \emph{active security with one-bit-advantage bound}, in which the adversaries' advantages are strictly bounded to at most one bit beyond what honest parties obtain. This bound is enforced through a \emph{progressive revelation} mechanism, where the evaluation result is disclosed incrementally bit by bit. In addition, we propose a novel approach leveraging label structures within garbled circuits to design a highly efficient constant-round 2PC protocol that achieves active security with one-bit advantage bound. Our protocol demonstrates \emph{runtime performance nearly identical to that of passively secure garbled-circuit counterparts} in duplex networks (\eg $1.033\times$ for the {\tt SHA256} circuit in LAN), with \emph{low overhead} for output progressive revelation (only $80$ communicated bytes per bit release). With its strengthened security guarantees and minimal overhead, our protocol is highly suitable for practical 2PC applications. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25454</guid> <title>Low-Latency Rate-Distortion-Perception Trade-off: A Randomized Distributed Function Computation Application</title> <link>https://iacr.org/news/item/25454</link> <pubDate>Fri, 11 Apr 2025 06:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: Low-Latency Rate-Distortion-Perception Trade-off: A Randomized Distributed Function Computation Application Onur Gunlu, Maciej Skorski, H. Vincent Poor Semantic communication systems, which focus on transmitting the semantics of data rather than its exact reconstruction, redefine the design of communication networks for transformative efficiency in bandwidth-limited and latency-critical applications. Addressing these goals, we tackle the rate-distortion-perception (RDP) problem for image compression, a critical challenge in achieving perceptually realistic reconstructions under rate constraints. Formulated within the randomized distributed function computation (RDFC) framework, we establish an achievable non-asymptotic RDP region, providing finite blocklength trade-offs between rate, distortion, and perceptual quality, aligning with semantic communication objectives. We extend this region to also include a secrecy constraint, providing strong secrecy guarantees against eavesdroppers via physical-layer security methods, ensuring resilience against quantum attacks. Our contributions include (i) establishing achievable bounds for non-asymptotic RDP regions under realism and distortion constraints; (ii) extending these bounds to provide strong secrecy guarantees; (iii) characterizing the asymptotic secure RDP region under a perfect realism constraint; and (iv) illustrating significant reductions in rates and the effects of secrecy constraints and finite blocklengths. Our results provide actionable insights for designing low-latency, high-fidelity, and secure image compression systems with realistic outputs, advancing applications, e.g., in privacy-critical domains. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25453</guid> <title>More NTRU+Sign Signatures from Cyclotomic Trinomials</title> <link>https://iacr.org/news/item/25453</link> <pubDate>Tue, 08 Apr 2025 05:00:05 GMT</pubDate> <description><![CDATA[ePrint Report: More NTRU+Sign Signatures from Cyclotomic Trinomials Ga Hee Hong, Joo Woo, Jonghyun Kim, Minku Kim, Hochang Lee, Jong Hwan Park Recently, $\mathsf{NTRU}$+$\mathsf{Sign}$ was proposed as a new compact signature scheme, following `Fiat-Shamir with Aborts' (FSwA) framework. Its compactness is mainly based on their novel NTRU-based key structure that fits well with bimodal distributions in the FSwA framework. However, despite its compactness, $\mathsf{NTRU}$+$\mathsf{Sign}$ fails to provide a diverse set of parameters that can meet some desired security levels. This limitation stems from its reliance on a ring $\mathbb{Z}_q[x]/\langle x^n+1 \rangle$, where $n$ is restricted to powers of two, limiting the flexibility in selecting appropriate security levels. To overcome this limitation, we propose a revised version of $\mathsf{NTRU}$+$\mathsf{Sign}$ by adopting a ring $\mathbb{Z}_q[x]/\langle x^n-x^{n/2}+1\rangle$ from cyclotomic trinomials, where $n=2^{i}3^{j}$ for some positive integers $i$ and $j$. Our parameterization offers three distinct security levels: approximately $120$, $190$, and $260$ bits, while preserving the compactness in $\mathbb{Z}_q[x]/\langle x^n+1 \rangle$. We implement these re-parameterized $\mathsf{NTRU}$+$\mathsf{Sign}$ schemes, showing that the performance of $\mathsf{NTRU}$+$\mathsf{Sign}$ from cyclotomic trinomials is still comparable to previous lattice-based signature schemes such as $\mathsf{Dilithium}$ and $\mathsf{HAETAE}$. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25452</guid> <title>Proving CPU Executions in Small Space</title> <link>https://iacr.org/news/item/25452</link> <pubDate>Tue, 08 Apr 2025 05:00:05 GMT</pubDate> <description><![CDATA[ePrint Report: Proving CPU Executions in Small Space Vineet Nair, Justin Thaler, Michael Zhu zkVMs are SNARKs for verifying CPU execution. They allow an untrusted prover to show that it correctly ran a specified program on a witness, where the program is given as bytecode conforming to an instruction set architecture like RISC-V. Existing zkVMs still struggle with high prover resource costs, notably large runtime and memory usage. We show how to implement Jolt—an advanced, sum-check- based zkVM—with a significantly reduced memory footprint, without relying on SNARK recursion, and with only modest runtime overhead (potentially well below a factor of two). We discuss benefits of this approach compared to prevailing recursive techniques. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25451</guid> <title>Clubcards for the WebPKI: smaller certificate revocation tests in theory and practice</title> <link>https://iacr.org/news/item/25451</link> <pubDate>Tue, 08 Apr 2025 05:00:05 GMT</pubDate> <description><![CDATA[ePrint Report: Clubcards for the WebPKI: smaller certificate revocation tests in theory and practice John M. Schanck CRLite is a low-bandwidth, low-latency, privacy-preserving mechanism for distributing certificate revocation data. A CRLite aggregator periodically encodes revocation data into a compact static hash set, or membership test, which can can be downloaded by clients and queried privately. We present a novel data-structure for membership tests, which we call a clubcard, and we evaluate the encoding efficiency of clubcards using data from Mozilla's CRLite infrastructure. As of November 2024, the WebPKI contains over 900 million valid certificates and over 8 million revoked certificates. We describe an instantiation of CRLite that encodes the revocation status of these certificates in a 6.7 MB package. This is $54\%$ smaller than the original instantiation of CRLite presented at the 2017 IEEE Symposium on Security and Privacy, and it is $21\%$ smaller than the lower bound claimed in that work. A sequence of clubcards can encode a dynamic dataset like the WebPKI revocation set. Using data from late 2024 again, we find that clubcards encoding 6 hour delta updates to the WebPKI can be compressed to 26.8 kB on average---a size that makes CRLite truly practical. We have extended Mozilla's CRLite infrastructure so that it can generate clubcards, and we have added client-side support for this system to Firefox. We report on some performance aspects of our implementation, which is currently the default revocation checking mechanism in Firefox Nightly, and we propose strategies for further reducing the bandwidth requirements of CRLite. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25450</guid> <title>Random Oracle Combiners: Merkle-Damgård Style</title> <link>https://iacr.org/news/item/25450</link> <pubDate>Tue, 08 Apr 2025 04:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Random Oracle Combiners: Merkle-Damgård Style Yevgeniy Dodis, Eli Goldin, Peter Hall A Random Oracle Combiner (ROC), introduced by Dodis et al. (CRYPTO ’22), takes two hash functions $h_1, h_2$ from m bits to n bits and outputs a new hash function $C$ from $m$' to $n$' bits. This function C is guaranteed to be indifferentiable from a fresh random oracle as long as one of $h_1$ and $h_2$ (say, $h_1$) is a random oracle, while the other h2 can “arbitrarily depend” on $h_1$. The work of Dodis et al. also built the first length-preserving ROC, where $n$′ = $n$. Unfortunately, despite this feasibility result, this construction has several deficiencies. From the practical perspective, it could not be directly applied to existing Merkle-Damgård-based hash functions, such as SHA2 or SHA3. From the theoretical perspective, it required $h_1$ and $h_2$ to have input length $m$ > 3λ, where λ is the security parameter. To overcome these limitations, Dodis et al. conjectured — and left as the main open question — that the following (salted) construction is a length-preserving ROC: $C^{h1,h2}_{\mathcal{Z}_1,\mathcal{Z}_2} (M ) = h_1^*(M, \mathcal{Z}_1) \oplus h^*_2(M,\mathcal{Z}_2),$ where $\mathcal{Z}_1, \mathcal{Z}_2$ are random salts of appropriate length, and $f^*$ denotes the Merkle-Damgård-extension of a given compression function $f$. As our main result, we resolve this conjecture in the affirmative. For practical use, this makes the resulting combiner applicable to existing, Merkle-Damgård-based hash functions. On the theory side, it shows the existence of ROCs only requiring optimal input length $m$ = λ+O(1). ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25449</guid> <title>On some non-linear recurrences over finite fields linked to isogeny graphs</title> <link>https://iacr.org/news/item/25449</link> <pubDate>Tue, 08 Apr 2025 04:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: On some non-linear recurrences over finite fields linked to isogeny graphs Juan Jesús León, Vicente Muñoz This paper presents new results that establish connections between isogeny graphs and nonlinear recurrences over finite fields. Specifically, we prove several theorems that link these two areas, offering deeper insights into the structure of isogeny graphs and their relationship with nonlinear recurrence sequences. We further provide two related conjectures which may be worth of further research. These findings contribute to a better understanding of the endomorphism ring of a curve, advancing progress toward the resolution of the Endomorphism Ring Problem, which aims to provide a computational characterization of the endomorphism ring of a supersingular elliptic curve. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25448</guid> <title>Analytic and Simulation Results of a Gaussian Physically Unclonable Constant Based on Resistance Dispersion</title> <link>https://iacr.org/news/item/25448</link> <pubDate>Tue, 08 Apr 2025 04:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Analytic and Simulation Results of a Gaussian Physically Unclonable Constant Based on Resistance Dispersion Riccardo Bernardini Physically Unclonable Constants (PUCs) are a special type of Physically Unclonable Constants and they can be used to embed secret bit-strings in chips. Most PUCs are an array of cells where each cell is a digital circuit that evolve spontaneously toward one of two states, the chosen state being function of random manufacturing process variations. In this paper we propose an Analog Physically Unclonable Constant (APUC) whose output is an analog value to be transformed in digital by a digitizer circuit. The ratio behind this proposal is that an APUC cell has the potential of providing more than one bit, reducing the required footprint. Preliminary theoretical analysis and simulation results are presented. The proposed APUC has interesting performances (e.g., it can provide up to 5 bits per cell) that grant for further investigation. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25447</guid> <title>An attack on ML-DSA using an implicit hint</title> <link>https://iacr.org/news/item/25447</link> <pubDate>Tue, 08 Apr 2025 04:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: An attack on ML-DSA using an implicit hint Paco Azevedo-Oliveira, Jordan Beraud, Louis Goubin The security of ML-DSA, like most signature schemes, is partially based on the fact that the nonce used to generate the signature is unknown to any attacker. In this work, we exhibit a lattice-based attack that is possible if the nonces share implicit or explicit information. From a collection of signatures whose nonces share certain coefficients, it is indeed possible to build a collection of non full-rank lattices. Intersecting them, we show how to create a low-rank lattice that contains one of the polynomials of the secret key, which in turn can be recovered using lattice reduction techniques. There are several interpretations of this result: firstly, it can be seen as a generalization of a fault-based attack on BLISS presented at SAC'16 by Thomas Espitau et al. Alternatively, it can be understood as a side-channel attack on ML-DSA, in the case where an attacker is able to recover only one of the coefficients of the nonce used during the generation of the signature. For ML-DSA-II, we show that $4 \times 160$ signatures and few hours of computation are sufficient to recover the secret key on a desktop computer. Lastly, our result shows that simple countermeasures, such as permuting the generation of the nonce coefficients, are not sufficient. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25446</guid> <title>Laconic Cryptography with Preprocessing</title> <link>https://iacr.org/news/item/25446</link> <pubDate>Tue, 08 Apr 2025 04:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Laconic Cryptography with Preprocessing Rishabh Bhadauria, Nico Döttling, Carmit Hazay, Chuanwei Lin Laconic cryptography focuses on designing two-message protocols that allow secure computation on large datasets while minimizing communication costs. While laconic cryptography protocols achieve asymptotically optimal communication complexity for many tasks, their concrete efficiency is prohibitively expensive due to the heavy use of public-key techniques or the non-black-box of cryptographic primitives. In this work, we initiate the study of "laconic cryptography with preprocessing", introducing a model that includes an offline phase to generate database-dependent correlations, which are then used in a lightweight online phase. These correlations are conceptually simple, relying on linear-algebraic techniques. This enables us to develop a protocol for private laconic vector oblivious linear evaluation (plvOLE). In such a protocol, the receiver holds a large database $\mathsf{DB}$, and the sender has two messages $v$ and $w$, along with an index $i$. The receiver learns the value $v \cdot \mathsf{DB}_i + w$ without revealing other information. Our protocol, which draws from ideas developed in the context of private information retrieval with preprocessing, serves as the backbone for two applications of interest: laconic private set intersection (lPSI) for large universes and laconic function evaluation for RAM-programs (RAM-LFE). Based our plvOLE protocol, we provide efficient instantiations of these two primitives in the preprocessing model. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25445</guid> <title>Postdocs on Cryptology</title> <link>https://iacr.org/news/item/25445</link> <pubDate>Mon, 07 Apr 2025 17:12:05 GMT</pubDate> <description><![CDATA[Job Posting: Postdocs on Cryptology Wuhan University and Nanyang Technological University Wuhan University in China and Nanyang Technological University in Singapore are jointly seeking for candidates to fill several post-doctoral research fellow positions on cryptography. Topics include but are not limited to the following sub-areas: <ul> <li>Public-key cryptography</li> <li>Lattice-based cryptography</li> <li>Cryptography-based privacy-preserving</li> <li>Cryptanalysis </li> <li>Cryptography and AI</li> </ul> Candidates will have the chance to spend part of the time with Prof Jie Chen at Wuhan University, China and part with Assoc Prof Jian Guo at Nanyang Technological University in Singapore. Candidates with strong record of publications in lACR conferences (Asiacrypt, Crypto, Eurocrypt, CHES, FSE, PKC, TCC) are encouraged to apply. Competitive salary package will be provided for qualified candidates. These positions are available immediately until filled. Closing date for applications: Contact: Prof Jie Chen via jchen2024@whu.edu.cn ]]> </description> <category>Job Posting</category> </item> <item> <guid>https://iacr.org/news/item/25444</guid> <title>Post-docs on the Provable Security of Symmetric Cryptography</title> <link>https://iacr.org/news/item/25444</link> <pubDate>Mon, 07 Apr 2025 10:24:05 GMT</pubDate> <description><![CDATA[Job Posting: Post-docs on the Provable Security of Symmetric Cryptography Xiamen University, Xiamen, China Located in Xiamen, which is one of China’s top ten livable cities, Xiamen University is generally acknowledged as one of the most beautiful universities in China. It has been perennially regarded as one of the top academic institutions in Southern China. With its lovely campus, profound cultural foundation, and great research atmosphere, Xiamen University provides an ideal environment for academic research and professional development. Xiamen University is now seeking candidates to fill two post-doc positions on the provable security of symmetric-key cryptography, with a tentative duration of 2 years. Potential research topics include, but are not limited to, the following directions: <ul> <li>Authenticated encryption and message authentication codes with new security features, e.g., leakage-resistance, key-committing, high security.</li> <li>Provable security and generic attacks of hash functions.</li> <li>Security analysis and proofs of more general modes of operation in real-world applications/standards.</li> </ul> Candidates with proven records of publications in established venues in cryptography/security are encouraged to apply. Candidates are invited to send a resume and motivation letter to Dr. Yaobin Shen (yaobin.shen [at] xmu.edu.cn). Closing date for applications: Contact: Dr. Yaobin Shen (yaobin.shen [at] xmu.edu.cn) ]]> </description> <category>Job Posting</category> </item> <item> <guid>https://iacr.org/news/item/25443</guid> <title>Reseach Scientist</title> <link>https://iacr.org/news/item/25443</link> <pubDate>Mon, 07 Apr 2025 10:24:05 GMT</pubDate> <description><![CDATA[Job Posting: Reseach Scientist Nokia Bell Labs, Belgium Nokia Bell Labs has an open position for a Research Scientist in Privacy Enhancing Technologies (PETS). Note: <ul> <li>Our lab is looking for a technical researcher who is highly skilled in programming and willing to build systems based on their research results.</li> <li>Interests and experience in ZK, FHE, and/or MPC are a plus.</li> <li>The position is based in Antwerp, Belgium (not remote).</li> </ul> Please directly apply here or contact me by email if you have a question: https://jobs.nokia.com/en/sites/CX_1/ Closing date for applications: Contact: emad.heydari_beni@nokia-bell-labs.com More information: <a href="https://jobs.nokia.com/en/sites/CX_1/job/18559">https://jobs.nokia.com/en/sites/CX_1/job/18559</a> ]]> </description> <category>Job Posting</category> </item> <item> <guid>https://iacr.org/news/item/25442</guid> <title>FSE 2026: Fast Software Encryption</title> <link>https://iacr.org/news/item/25442</link> <pubDate>Mon, 07 Apr 2025 08:36:05 GMT</pubDate> <description><![CDATA[FSE: FSE 2026: Fast Software Encryption Singapore, Singapore, 23 March - 27 March 2026 Event date: 23 March to 27 March 2026 ]]> </description> <category>FSE</category> </item> <item> <guid>https://iacr.org/news/item/25441</guid> <title>The Mathematics of Post-quantum Cryptography</title> <link>https://iacr.org/news/item/25441</link> <pubDate>Mon, 07 Apr 2025 08:36:05 GMT</pubDate> <description><![CDATA[Event Calendar: The Mathematics of Post-quantum Cryptography Zurich, Switzerland, 2 June - 6 June 2025 Event date: 2 June to 6 June 2025 ]]> </description> <category>Event Calendar</category> </item> <item> <guid>https://iacr.org/news/item/25440</guid> <title>On the success rate of simple side-channel attacks against masking with unlimited attack traces</title> <link>https://iacr.org/news/item/25440</link> <pubDate>Fri, 04 Apr 2025 05:36:05 GMT</pubDate> <description><![CDATA[ePrint Report: On the success rate of simple side-channel attacks against masking with unlimited attack traces Aymeric Hiltenbrand, Julien Eynard, Romain Poussier Side-channel attacks following a classical differential power analysis (DPA) style are well understood, along with the effect the mask- ing countermeasure has on them. However, simple attacks (SPA) where the target variable does not vary thanks to a known value, such as the plaintext, are less studied. In this paper, we investigate how the masking countermeasure affects the success rate of simple attacks. To this end, we provide theoretical, simulated, and practical experiments. Interestingly, we will see that masking can allow us to asymptotically recover more information on the secret than in the case of an unprotected implemen- tation, depending on the masking type. We will see that this is true for masking encodings that add non-linearity with respect to the leakages, such as arithmetic masking, while it is not for Boolean masking. We be- lieve this context provides interesting results, as the average information of arithmetic encoding is proven less informative than the Boolean one. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25439</guid> <title>Mobile Byzantine Agreement in a Trusted World</title> <link>https://iacr.org/news/item/25439</link> <pubDate>Fri, 04 Apr 2025 05:36:05 GMT</pubDate> <description><![CDATA[ePrint Report: Mobile Byzantine Agreement in a Trusted World Bo Pan, Maria Potop Butucaru In this paper, we address the Byzantine Agreement problem in synchronous systems where Byzantine agents can move from process to process, corrupting their host. We focus on three representative models: \emph{Garay's}, \emph{Bonnet's} and \emph{Buhrman's} models. In \emph{Garay's model} when a process has been left by the Byzantine, it is in the \emph{cured} state and it is aware of its condition and thus can remain silent for a round to prevent the dissemination of wrong information. In \emph{Bonnet's model} a cured process may send messages (based on a state corrupted by the malicious agent), however it will behave correctly in the way it sends those messages: i.e., send messages according to the algorithm. In \emph{Buhrman's model} Byzantine agents move together with the message. It has been shown that in order to solve Byzantine Agreement in the \emph{Garay's model} at least $4t+1$ processors are needed, for \emph{Bonnet's model} at least $5t+1$ processors are needed, while for \emph{Buhrman's model} at least $3t+1$ processors are needed. In this paper we target to increase the tolerance to mobile Byzantines by integrating a trusted counter abstraction to the above models. This abstraction prevents nodes to equivocate. In the new models we prove that at least $3t+1$, respectively $4t+1$, and $2t+1$ processors are needed to tolerate $t$ mobile Byzantine agents. Furthermore, we propose novel Mobile Byzantine Agreement algorithms that match these new lower bounds for \emph{Garay's}, \emph{Bonnet's} and \emph{Buhrman's} models. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25438</guid> <title>Lattice-Based Sanitizable Signature Schemes: Chameleon Hash Functions and More</title> <link>https://iacr.org/news/item/25438</link> <pubDate>Fri, 04 Apr 2025 05:30:05 GMT</pubDate> <description><![CDATA[ePrint Report: Lattice-Based Sanitizable Signature Schemes: Chameleon Hash Functions and More Sebastian Clermont, Samed Düzlü, Christian Janson, Laurens Porzenheim, Patrick Struck Sanitizable Signature Schemes (SSS) enable a designated party, the sanitizer, to modify predefined parts of a signed message without invalidating the signature, making them useful for applications like pseudonymization and redaction. Since their introduction by Ateniese et al. (ESORICS'05), several classical SSS constructions have been proposed, but none have been instantiated from quantum-resistant assumptions. In this work, we develop the first quantum-secure sanitizable signature schemes based on lattice assumptions. Our primary focus is on SSS constructions that rely on chameleon hash functions (CHFs), a key component for enabling the controlled modification of messages. While lattice-based CHFs exist, they do not meet the required security guarantees for SSS, becoming insecure under adversarial access to an adapt oracle. To address this, we construct a novel lattice-based CHF that achieves collision resistance even in such settings, called full collision resistance. However, our CHF lacks the uniqueness property, a limitation we show to be inherent in lattice-based CHFs. As a result, our SSS constructions initially fall short of achieving the critical security property of accountability. To overcome this, we apply a transformation based on verifiable ring signatures (VRS), for which we present the first lattice-based instantiation. Additionally, we provide a comprehensive analysis of existing classical SSS constructions, explore their potential for post-quantum instantiations, and present new attacks on previously assumed secure SSS schemes. Our work closes the gap in constructing quantum-secure SSS and lays the groundwork for further research into advanced cryptographic primitives based on lattice assumptions. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25437</guid> <title>PHOENIX: Crypto-Agile Hardware Sharing for ML-KEM and HQC</title> <link>https://iacr.org/news/item/25437</link> <pubDate>Fri, 04 Apr 2025 04:00:04 GMT</pubDate> <description><![CDATA[ePrint Report: PHOENIX: Crypto-Agile Hardware Sharing for ML-KEM and HQC Antonio Ras, Antoine Loiseau, Mikaël Carmona, Simon Pontié, Guénaël Renault, Benjamin Smith, Emanuele Valea The transition to quantum-safe public-key cryptography has begun: for key agreement, NIST has standardized ML-KEM and selected HQC for future standardization. The relative immaturity of these schemes encourages crypto-agile implementations, to facilitate easy transitions between them. Intelligent crypto-agility requires efficient sharing strategies to compute operations from different cryptosystems using the same resources. This is particularly challenging for cryptosystems with distinct mathematical foundations, like lattice-based ML-KEM and code-based HQC. We introduce PHOENIX, the first crypto-agile hardware coprocessor for lattice- and code-based cryptosystems--specifically, ML-KEM and HQC, at all three NIST security levels--with an effective agile sharing strategy. PHOENIX accelerates polynomial multiplication, which is the main operation in both cryptosystems, and the current bottleneck of HQC. To maximise sharing, we replace HQC's Karatsuba-based polynomial multiplication with the Frobenius Additive FFT (FAFFT), which is similar on an abstract level to ML-KEM's Number Theoretic Transform (NTT). We show that the FAFFT already brings substantial performance improvements in software. In hardware, our sharing strategy for the FAFFT and NTT is based on a new SuperButterfly unit that seamlessly switches between these two FFT variants over completely different rings. This is, to our knowledge, the first FAFFT hardware accelerator of any kind. We have integrated PHOENIX in a real System-on-Chip FPGA scenario, where our performance measurements show that efficient crypto-agility for lattice- and code-based KEMs can be achieved with low overhead. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25436</guid> <title>Improved Round-by-round Soundness IOPs via Reed-Muller Codes</title> <link>https://iacr.org/news/item/25436</link> <pubDate>Fri, 04 Apr 2025 04:00:04 GMT</pubDate> <description><![CDATA[ePrint Report: Improved Round-by-round Soundness IOPs via Reed-Muller Codes Dor Minzer, Kai Zhe Zheng We give an IOPP (interactive oracle proof of proximity) for trivariate Reed-Muller codes that achieves the best known query complexity in some range of security parameters. Specifically, for degree $d$ and security parameter $\lambda\leq \frac{\log^2 d}{\log\log d}$ , our IOPP has $2^{-\lambda}$ round-by-round soundness, $O(\lambda)$ queries, $O(\log\log d)$ rounds and $O(d)$ length. This improves upon the FRI [Ben-Sasson, Bentov, Horesh, Riabzev, ICALP 2018] and the STIR [Arnon, Chiesa, Fenzi, Yogev, Crypto 2024] IOPPs for Reed-Solomon codes, that have larger query and round complexity standing at $O(\lambda \log d)$ and $O(\log d+\lambda\log\log d)$ respectively. We use our IOPP to give an IOP for the NP-complete language Rank-1-Constraint-Satisfaction with the same parameters. Our construction is based on the line versus point test in the low-soundness regime. Compared to the axis parallel test (which is used in all prior works), the general affine lines test has improved soundness, which is the main source of our improved soundness. Using this test involves several complications, most significantly that projection to affine lines does not preserve individual degrees, and we show how to overcome these difficulties. En route, we extend some existing machinery to more general settings. Specifically, we give proximity generators for Reed-Muller codes, show a more systematic way of handling "side conditions" in IOP constructions, and generalize the compiling procedure of [Arnon, Chiesa, Fenzi, Yogev, Crypto 2024] to general codes. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25435</guid> <title>Insecurity of One Decentralized Attribute-based Signature Scheme for Social Co-governance</title> <link>https://iacr.org/news/item/25435</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Insecurity of One Decentralized Attribute-based Signature Scheme for Social Co-governance Zhengjun Cao, Lihua Liu We show that the attribute-based signature scheme [Information Sciences, 654(2024), 119839] is insecure, because an adversary can generate valid signatures for any message even though he cannot access the signer's secret key. The four components of signature $\{\delta_1, \delta_2, \delta_3, \delta_4\}$ are not tightly bound to the target message $M$ and the signer's public key. The dependency between the signer's public key and secret key is not properly used to construct any intractable problem. The inherent flaw results in that the adversary can find an efficient signing algorithm functionally equivalent to the valid signing algorithm. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25434</guid> <title>Nominal State-Separating Proofs</title> <link>https://iacr.org/news/item/25434</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Nominal State-Separating Proofs Markus Krabbe Larsen, Carsten Schürmann State-separting proofs are a powerful tool to structure cryptographic arguments, so that they are amenable for mechanization, as has been shown through implementations, such as SSProve. However, the treatment of separation for heaps has never been satisfactorily addressed. In this work, we present the first comprehensive treatment of nominal state separation in state-separating proofs using nominal sets. We provide a Coq library, called Nominal-SSProve, that builds on nominal state separation supporting mechanized proofs that appear more concise and arguably more elegant. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25433</guid> <title>SoK: Self-Generated Nudes over Private Chats: How Can Technology Contribute to a Safer Sexting?</title> <link>https://iacr.org/news/item/25433</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: SoK: Self-Generated Nudes over Private Chats: How Can Technology Contribute to a Safer Sexting? Joel Samper, Bernardo Ferreira More and more people take advantage of mobile apps to strike up relationships and casual contacts. This sometimes results in the sharing of self-generated nudes. While this opens a way for sexual exploration, it also raises concerns. In this paper, we review existing technology-assisted permissive proposals/features that provide security or privacy benefits when sharing nudes online. To do so, we performed a systematic literature review combing through 10,026 search results and cross-references, and we identified real-world solutions by surveying OS features and 52 dating, messaging and social network apps. We systematized knowledge by defining a sexting threat model, deriving a taxonomy of the proposals/features, discussing some of their shortcomings, organizing privacy-related concepts, and providing take-aways with some directions for future research and development. Our study found a very diverse ecosystem of academic proposals and app features, showing that safer sexting goes far beyond nude detection. None of the techniques represents the ultimate solution for all threats, but each contributes to safer sexting in a different way. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25432</guid> <title>Highway to Hull: An Algorithm for Solving the General Matrix Code Equivalence Problem</title> <link>https://iacr.org/news/item/25432</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Highway to Hull: An Algorithm for Solving the General Matrix Code Equivalence Problem Alain Couvreur, Christophe Levrat The matrix code equivalence problem consists, given two matrix spaces $\mathcal{C},\mathcal{D}\subset \mathbb{F}_q^{m\times n}$ of dimension $k$, in finding invertible matrices $P\in\textrm{GL}_m(\mathbb{F}_q)$ and $Q\in\textrm{GL}_n(\mathbb{F}_q)$ such that $\mathcal{D} =P\mathcal{C} Q^{-1}$. Recent signature schemes such as MEDS and ALTEQ relate their security to the hardness of this problem. Naranayan et. al. recently published an algorithm solving this problem in the case $k = n =m$ in $\widetilde{\mathcal{O}}(q^{\frac k 2})$ operations. We present a different algorithm which solves the problem in the general case. Our approach consists in reducing the problem to the matrix code conjugacy problem, i.e. the case $P=Q$. For the latter problem, similarly to the permutation code equivalence problem in Hamming metric, a natural invariant based on the \emph{Hull} of the code can be used. Next, the equivalence of codes can be deduced using a usual list collision argument. For $k=m=n$, our algorithm achieves the same complexity as in the aforementioned reference. However, it extends to a much broader range of parameters. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25431</guid> <title>Partial Key Exposure Attacks on UOV and Its Variants</title> <link>https://iacr.org/news/item/25431</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Partial Key Exposure Attacks on UOV and Its Variants Yuki Seto, Hiroki Furue, Atsushi Takayasu In CRYPTO 2022, Esser et al. proposed a partial key exposure attack on several post-quantum cryptographic schemes including Rainbow which is a variant of UOV. The task of the attack is to recover a full secret key from its partial information such as a secret key with symmetric/asymmetric bit errors. One of the techniques Esser et al. developed is a partial enumeration that combines the standard algorithms to solve the MQ problem with enumeration. Although an efficient attack on Rainbow was proposed, UOV and its variants have still been paid much attention since UOV and its three variants, i.e., MAYO, QR-UOV and SNOVA, were selected as the Round 2 candidates of the additional call for digital signature schemes proposal by NIST. In this paper, we analyze partial key exposure attacks on UOV, MAYO, and QR-UOV. Although our proposed attacks use the partial enumeration, we refine their enumeration strategy. We employ two enumeration strategies and analyze the complexity of the proposed attacks. Then, we find a structural difference between UOV and its variants to resist partial enumeration. Specifically, the partial enumeration is effective if the number of vinegar variables is smaller than the number of equations and the order of a finite field is small. As a result, the proposed attack is the most effective on MAYO. While our attacks on UOV and QR-UOV are effective only when the symmetric error probabilities are 0.11 and 0.05, respectively, that on MAYO is effective even when the probability is close to 0.5. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25430</guid> <title>Efficient SNARKs for Boolean Circuits via Sumcheck over Tower Fields</title> <link>https://iacr.org/news/item/25430</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Efficient SNARKs for Boolean Circuits via Sumcheck over Tower Fields Tianyi LIu, Yupeng Zhang In this paper, we present efficient SNARKs for Boolean circuits, achieving significant improvements in the prover efficiency. The core of our technique is a novel tower sumcheck protocol and a tower zero-check protocol tailored for tower fields, which enable this efficiency boost. When instantiated with Wiedemann's binary tower fields with the base field of $GF(2)$ and the top-level field $GF(2^{2^\ell})$, assuming the quadratic complexity of multiplications $O(2^{2\ell})$ in the top-level field with $2^\ell$ bits, the prover time of our sumcheck protocol is $O(2^{1.5\ell}N)$. It is faster than the standard sumcheck protocol over the large field with the complexity of $O(2^{2\ell}N)$. To achieve a reasonable security level, $2^\ell$ is usually set to $128$. Leveraging this advancement, we improve the efficiency of IOP protocols over the binary or small characteristic fields for Plonkish, CCS, and GKR-based constraint systems. Moreover, to further improve the prover efficiency of the SNARKs, we introduce a basis-switching mechanism that efficiently transforms polynomial evaluations on the base-field polynomial to evaluations on the tower-field polynomial. With the basis-switching, we are able to compile the binary-field IOPs to SNARKs using large-field polynomial commitment schemes (PCS) that batch the witness over the base field. The size of the large-field PCS is only $\frac{1}{2^\ell}$ of the size of the witness over the base field. Combining the IOP and the PCS, the overall prover time of our SNARKs for Boolean circuits significantly faster than the naive approach of encoding Boolean values in a large field. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25429</guid> <title>Oblivious Immutable Memory</title> <link>https://iacr.org/news/item/25429</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: Oblivious Immutable Memory Ananya Appan, David Heath An oblivious RAM (ORAM) compiler is a cryptographic tool that transforms a program $P$ running in time $n$ into an equivalent program $\tilde P$, with the property that the sequence of memory addresses read from/written to by $\tilde P$ reveal nothing about $\tilde P$'s data (Goldreich and Ostrovsky, JACM'96). An efficient ORAM compiler $C$ should achieve some combination of the following: - Low bandwidth blow-up: $\tilde P$ should read/write a similar amount of data as does P. - Low latency: $\tilde P$ should incur a similar number of roundtrips to the memory as does P. - Low space complexity: $\tilde P$ should run in as few words of local memory as possible. It is well known that for a generic compiler (i.e. one that works for any RAM program $P$), certain combinations of efficiencies are impossible. Any generic ORAM compiler must incur $\Omega(\log n)$ bandwidth blow-up, and any ORAM compiler with no latency blow-up must incur either $\Omega(\sqrt n)$ bandwidth blow-up and/or local space. Moreover, while a $O(\log n)$ bandwidth blow-up compiler is known, it requires the assumption that one-way functions exist and incurs enormous constant factors. To circumvent the above problems and improve efficiency of particular ORAM programs, we develop a compiler for a specific class of programs. Let $P$ be a program that interacts with an immutable memory. Namely, $P$ may write values to memory, then read them back, but it cannot change values that were already written. Using only information-theoretic techniques, we compile any such $P$ into an oblivious form $\tilde P$ with a combination of efficiencies that no generic ORAM compiler can achieve: - $\tilde P$ incurs $\Theta(\log n)$ amortized bandwidth blow-up. - $\tilde P$ incurs $O(1)$ amortized latency blow-up. - $\tilde P$ runs in $O(\lambda)$ words of local space ($\tilde P$ incurs an error with probability $2^{-\Omega(\lambda)}$). We show that this, for instance, implies that any pure functional program can be compiled with the same asymptotics. Our work builds on and is compatible with prior work (Appan et al., CCS'24) that showed similar results for pointer machine programs that manipulate objects with constant in-degree (i.e., the program may only maintain a constant number of pointers to any one memory cell; our immutable memory approach does not have this limitation). By combining techniques, we can consider programs that interact with a mixed memory that allows each memory cell to be updated until it is frozen, after which it becomes immutable, allowing further reads to be compiled with the above asymptotics, even when in-degree is high. Many useful algorithms/data structures can be naturally implemented as mixed memory programs, including suffix trees (powerful data structures used in computational biology) and deterministic finite automata (DFAs). ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25428</guid> <title>DSM: Decentralized State Machine - The Missing Trust Layer of the Internet</title> <link>https://iacr.org/news/item/25428</link> <pubDate>Fri, 04 Apr 2025 03:54:05 GMT</pubDate> <description><![CDATA[ePrint Report: DSM: Decentralized State Machine - The Missing Trust Layer of the Internet Brandon Ramsay The modern internet relies heavily on centralized trust systems controlled by corporations, governments, and intermediaries to manage authentication, identity, and value transfer. These models introduce fundamental vulnerabilities, including censorship, fraud, and systemic insecurity. The Decentralized State Machine (DSM) addresses these issues by introducing a mathematically enforced trust layer that eliminates the need for consensus mechanisms, third-party validators, and centralized infrastructure. DSM enables quantum-resistant, deterministic state transitions for digital identity and value exchange—offering immediate finality, offline capability, and tamper-proof forward-only state progression. DSM replaces traditional blockchain execution models with deterministic, pre-committed state transitions, enabling secure, multi-path workflows without requiring Turing-completeness or global consensus. The protocol architecture is based on a straight hash chain with sparse indexing and Sparse Merkle Trees (SMTs), ensuring efficient verification, scalability, and privacy. A bilateral isolation model supports asynchronous, offline operation with built-in consistency guarantees. DSM introduces a sustainable, gas-free economic model based on cryptographic subscription commitments. This paper outlines the architecture, cryptographic foundations, and security guarantees of DSM, and demonstrates how it achieves verifiable, trustless interaction between peers—both online and offline. By decoupling security from consensus and enabling self-validating state transitions, DSM offers a practical and scalable alternative to conventional internet trust models. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25427</guid> <title>ColliderVM: Stateful Computation on Bitcoin</title> <link>https://iacr.org/news/item/25427</link> <pubDate>Fri, 04 Apr 2025 03:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: ColliderVM: Stateful Computation on Bitcoin Victor I. Kolobov, Avihu M. Levy, Moni Naor Bitcoin script cannot easily access and store state information onchain without an upgrade such as BIP-347 (OP_CAT); this makes performing general (stateful) computation on Bitcoin impossible to do directly. Despite this limitation, several approaches have been proposed to bypass it, with BitVM being by far the most production-ready of them. BitVM enables fraud-proof-based computation on Bitcoin, relying on a $1$-out-of-$n$ honesty assumption. This left the question of whether it is possible to achieve computation under the same honesty assumption without requiring onlookers to ensure validity through fraud proofs. In this note, we answer this question affirmatively by introducing ColliderVM, a new approach for performing computation on Bitcoin today. Crucially, this approach eliminates some capital inefficiency concerns stemming from reliance on fraud proofs. For our construction, a key point is to replace the Lamport or Winternitz signature-based storage component in contemporary protocols with a hash collision-based commitment. With it, we estimate that the Bitcoin script length for STARK proof verification is drastically shorter than that for other pairing-based proof systems used today in applications. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25426</guid> <title>$\mathsf{emGraph}$: Efficient Multiparty Secure Graph Computation</title> <link>https://iacr.org/news/item/25426</link> <pubDate>Fri, 04 Apr 2025 03:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: $\mathsf{emGraph}$: Efficient Multiparty Secure Graph Computation Siddharth Kapoor, Nishat Koti, Varsha Bhat Kukkala, Arpita Patra, Bhavish Raj Gopal Secure graph computation enables computing on graphs while hiding the graph topology as well as the associated node/edge data. This facilitates collaborative analysis among multiple data owners, who may only hold a private partial view of the global graph. Several works address this problem using the technique of secure multiparty computation (MPC) in the presence of 2 or 3 parties. However, when moving to the multiparty setting, as required for collaborative analysis among multiple data owners, these solutions are no longer scalable. This remains true with respect to the state-of-the-art framework of $\mathsf{Graphiti}$ (Koti et al., CCS 2024) as well. Specifically, $\mathsf{Graphiti}$ incurs a round complexity linear in the number of parties or data owners. This is due to its reliance on secure shuffle protocol, constituting a bottleneck in the multiparty setting. Additionally, $\mathsf{Graphiti}$ has a prohibitively expensive initialisation phase due to its reliance on secure sort, with a round complexity dependent on both the graph size and the number of parties. We propose $\mathsf{emGraph}$, a generic framework for secure graph computation in the multiparty setting that eliminates the need of shuffle and instead, relies on a weaker primitive known as $\mathsf{Permute+Share}$. Further $\mathsf{emGraph}$ is designed to have a lightweight initialisation, that eliminates the need for sorting, making its round complexity independent of the graph size and number of parties. Unlike any of the prior works, achieving a round complexity independent of the number of parties is what makes $\mathsf{emGraph}$ scalable. Finally, we implement and benchmark the performance of $\mathsf{emGraph}$ for the application of PageRank computation and showcase its efficiency and scalability improvements over $\mathsf{Graphiti}$. Concretely, we witness improvements of up to $80\times$ in runtime in comparison to state-of-the-art framework $\mathsf{Graphiti}$. Further, we observe that $\mathsf{emGraph}$ takes under a minute to perform 10 iterations of PageRank computation on a graph of size $10^6$ that is distributed among $25$ parties/data owners, making it highly practical for secure graph computation in the multiparty setting. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25425</guid> <title>Defeating AutoLock: From Simulation to Real-World Cache-Timing Exploits against TrustZone</title> <link>https://iacr.org/news/item/25425</link> <pubDate>Fri, 04 Apr 2025 03:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Defeating AutoLock: From Simulation to Real-World Cache-Timing Exploits against TrustZone Quentin Forcioli, Sumanta Chaudhuri, Jean-Luc Danger In this article, we present for the first time a cross-core Prime+Probe attack on ARM TrustZone, which bypasses the AutoLock mechanism. We introduce our simulation- driven methodology based on gem5 for vulnerability analysis. We demonstrate its utility in reverse engineering a SoC platform in order to study its microarchitectural behavior (caches, etc.), inside a simulator, in spite of hardware protection. We present a novel vulnerability analysis technique, which takes into account the cache set occupancy for targeted victim executable. This proves to be essential in identifying information leakage in presence of AutoLock. The above tool also identifies the cache lines leaking a maximum amount of information. A cross-core Prime+Probe attack is then mounted on these max-leakage cache lines both in simulation for fine-tuning, and in real hardware. We validate our analysis and attack method on OP-TEE, an open-source trusted execution environment running on RockPi4 a board based on RK3399 SoC. More specifically we target the RSA subroutine in the MbedTLS library used inside OP-TEE. Despite the presence of AutoLock, multiplier obfuscation, and assuming a cross-core attack, we are able to retrieve 30% of the key bits, which can later be used in Branch-and-Prune methods to recover the full key. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25424</guid> <title>A Place for Everyone vs Everyone in its Place: Measuring and Attacking the Ethereum Global Network</title> <link>https://iacr.org/news/item/25424</link> <pubDate>Fri, 04 Apr 2025 03:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: A Place for Everyone vs Everyone in its Place: Measuring and Attacking the Ethereum Global Network Chenyu Li, Ren Zhang, Xiaorui Gong The Ethereum Global Network (EGN) is the peer-to-peer (P2P) network underlying Ethereum and thousands of subsequent blockchain services. Deviating from traditional single-service P2P networks, EGN's multi-service architecture has gained widespread acceptance for supposedly improving node discovery efficiency and security. This paper challenges this belief by critically examining EGN's design and its purported benefits. Our analysis reveals significant shortcomings in EGN's node discovery process. EGN nodes struggle to connect with peers offering the desired service: over three-quarters of connection attempts reach nodes of other services. In an extreme case, one node spent an average of $45\,908$ connection attempts to find each neighbor. Moreover, this blended architecture compromises EGN's security. The network demonstrates high susceptibility to DHT pollution and partition attacks. Even with only $300$ malicious nodes in EGN, an attacker can isolate thousands of nodes, significantly hindering recovery. In contrast, such a small number of malicious nodes has minimal impact on every single-service P2P network. We propose solutions to improve EGN's node discovery efficiency and strengthen its resilience against attacks. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25423</guid> <title>Lifeboats on the Titanic Cryptography</title> <link>https://iacr.org/news/item/25423</link> <pubDate>Fri, 04 Apr 2025 03:48:05 GMT</pubDate> <description><![CDATA[ePrint Report: Lifeboats on the Titanic Cryptography Gideon Samid The Titanic was the ship that "could not sink," fortunately its designers installed lifeboats (not enough) despite having no logical grounding for this waste of space and material. It was out of respect for unforeseen surprises. NIST-Post Quantum Ciphers represent the best and the brightest in world crypto intelligence. They are certified as good for their purpose. And likely so, alas, not surely so. If we could find a crypto equivalent for the Titanic Lifeboats, should not we load them up for our journey? Indeed, pattern-devoid cryptography is the crypto equivalent of the lifeboats that mitigated the Titanic disaster. Pattern-Devoid cryptography (PDC) may be deemed inelegant, inconvenient, and bloated, but it will hold up against quantum computers more powerful than expected, and more importantly, it will hold up against adversarial mathematical talent greater than expected. Which is why we should put up with its negatives, and install it just in case the Titanic story repeats itself in cyberspace. This article elaborates on this proposition. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25422</guid> <title>Heuristic Algorithm for Solving Restricted SVP and its Applications</title> <link>https://iacr.org/news/item/25422</link> <pubDate>Wed, 02 Apr 2025 23:06:04 GMT</pubDate> <description><![CDATA[ePrint Report: Heuristic Algorithm for Solving Restricted SVP and its Applications Geng Wang, Wenwen Xia, Dawu Gu In lattice-based cryptography, many attacks are performed by finding a short enough vector on a specific lattice. However, it is possible that length is not the only restriction on the vector to be found. A typical example is SVP with infinity norm: since most SVP solving algorithms only aim to find short vector under Euclidean norm, the infinity norm is in fact another restriction on the vector. In the literature, such problems are usually solved by performing exhaustive search on a list of short vectors generated from lattice sieving. However, the sieving list might either be too large or too small to pass the additional restriction, which makes the solving algorithm inefficient in some cases. Our contribution in this work is as follows: (1) We formally define a new lattice hard problem called restricted SVP, and show that it can be used to generalize many lattice hard problems, including SVP with non-Euclidean norm and Kannan's embedding on approximate CVP. (2) We extend the dimension for free technique and the enumerate-then-slice technique into approximate SVP where the goal is to output a list of short vectors with a certain size. (3) We give the heuristic algorithm for solving restricted SVP, and design a hardness estimator for this algorithm, which can be used to estimate the concrete hardness of signature forgery in Dilithium and other lattice-based signatures. Using this estimator, we present a concrete security analysis for Dilithium against signature forgery under the gate-count model for the first time. Our estimation matches well with the security estimation from core-SVP model in the document of Dilithium, and we also combine our estimator with the rescaling technique to generate a tighter estimation. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25421</guid> <title>Adaptively-Secure Big-Key Identity-Based Encryption</title> <link>https://iacr.org/news/item/25421</link> <pubDate>Wed, 02 Apr 2025 23:06:04 GMT</pubDate> <description><![CDATA[ePrint Report: Adaptively-Secure Big-Key Identity-Based Encryption Jeffrey Champion, Brent Waters, David J. Wu Key-exfiltration attacks on cryptographic keys are a significant threat to computer security. One proposed defense against such attacks is big-key cryptography which seeks to make cryptographic secrets so large that it is infeasible for an adversary to exfiltrate the key (without being detected). However, this also introduces an inconvenience to the user who must now store the large key on all of their different devices. The work of Döttling, Garg, Sekar and Wang (TCC 2022) introduces an elegant solution to this problem in the form of big-key identity-based encryption (IBE). Here, there is a large master secret key, but very short identity keys. The user can now store the large master secret key as her long-term key, and can provision each of her devices with short ephemeral identity keys (say, corresponding to the current date). In this way, the long-term secret key is protected by conventional big-key cryptography, while the user only needs to distribute short ephemeral keys to their different devices. Döttling et al. introduce and construct big-key IBE from standard pairing-based assumptions. However, their scheme only satisfies selective security where the adversary has to declare its challenge set of identities at the beginning of the security game. The more natural notion of security is adaptive security where the user can adaptively choose which identities it wants to challenge after seeing the public parameters (and part of the master secret key). In this work, we give the first adaptively-secure construction of big-key IBE from standard cryptographic assumptions. Our first construction relies on indistinguishability obfuscation (and one-way functions), while our second construction relies on witness encryption for NP together with standard pairing-based assumptions (i.e., the SXDH assumption). To prove adaptive security, we show how to implement the classic dual-system methodology with indistinguishability obfuscation as well as witness encryption. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25420</guid> <title>The Singularity Random Number Generator: Bridging Determinism and Unpredictability to Redefine Randomness, Secure Systems, and Adaptive Intelligence</title> <link>https://iacr.org/news/item/25420</link> <pubDate>Wed, 02 Apr 2025 23:06:04 GMT</pubDate> <description><![CDATA[ePrint Report: The Singularity Random Number Generator: Bridging Determinism and Unpredictability to Redefine Randomness, Secure Systems, and Adaptive Intelligence S. P. Prahlad Abstract The Singularity Random Number Generator (SRNG) represents a groundbreaking advancement in the generation of random numbers by integrating two key properties - computational irreducibility and seed independence - into a deterministic algorithm. Unlike conventional pseudorandom number generators (PRNGs) whose randomness is intrinsically linked to seed quality or chaotic sensitivity, SRNG transforms even low-entropy seeds into complex, unpredictable outputs. SRNG demonstrates high-quality randomness can emerge independently of seed entropy or size. This paper explores how SRNG not only challenges classical paradigms of predictability in deterministic systems but also offers transformative applications in cryptography, artificial intelligence (AI), and interdisciplinary research. Furthermore, by drawing parallels with cognitive variability research - such as insights from the Forbes article “Why A ‘Productively Distracted’ Brain Is A Superpower” - we discuss how the emergent unpredictability of SRNG may contribute to enhanced adaptive learning and decision-making processes in AI systems. Ultimately, SRNG is presented as a model that bridges the realms of science and mystery, inviting a new understanding of randomness and the limits of scientific inquiry, thereby expanding the frontiers of interdisciplinary research. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25419</guid> <title>RWC 2026: Real World Crypto Symposium</title> <link>https://iacr.org/news/item/25419</link> <pubDate>Wed, 02 Apr 2025 11:36:06 GMT</pubDate> <description><![CDATA[Real World Crypto: RWC 2026: Real World Crypto Symposium Taipei, Taiwan, 9 March - 11 March 2026 Event date: 9 March to 11 March 2026 ]]> </description> <category>Real World Crypto</category> </item> <item> <guid>https://iacr.org/news/item/25418</guid> <title>Counter Galois Onion (CGO) for Tor: Fast Non-Malleable Onion Encryption</title> <link>https://iacr.org/news/item/25418</link> <pubDate>Tue, 01 Apr 2025 03:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: Counter Galois Onion (CGO) for Tor: Fast Non-Malleable Onion Encryption Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, Martijn Stam In 2012, the Tor project expressed the need to upgrade Tor's onion encryption scheme to protect against tagging attacks and thereby strengthen its end-to-end integrity protection. Tor proposal 261, where each encryption layer is processed by a strongly secure, yet relatively expensive tweakable wide-block cipher, is the only concrete candidate replacement to be backed by formal, yet partial, security proofs (Degabriele and Stam, EUROCRYPT 2018, and Rogaway and Zhang, PoPETS 2018). We propose an alternative onion encryption scheme, called Counter Galois Onion (CGO), that follows a minimalistic, modular design and includes several improvements over proposal 261. CGO's underlying primitive is an updatable tweakable split-domain cipher accompanied with a new security notion, that augments the recently introduced rugged pseudorandom permutation (Degabriele and Karadžić, CRYPTO 2022). Thus, we relax the security compared to a tweakable wide-block cipher, allowing for more efficient designs. We suggest a concrete instantiation for the updatable tweakable split-domain cipher and report on our experiments comparing the performance of CGO with Tor's existing onion encryption scheme. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25417</guid> <title>Release the Power of Rejected Signatures: An Efficient Side-Channel Attack on Dilithium</title> <link>https://iacr.org/news/item/25417</link> <pubDate>Tue, 01 Apr 2025 03:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: Release the Power of Rejected Signatures: An Efficient Side-Channel Attack on Dilithium Zheng Liu, An Wang, Congming Wei, Yaoling Ding, Jingqi Zhang, Annyu Liu, Liehuang Zhu The Module-Lattice-Based Digital Signature Standard (ML-DSA), formerly known as CRYSTALS-Dilithium, is a lattice-based post-quantum cryptographic scheme. In August 2024, the National Institute of Standards and Technology (NIST) officially standardized ML-DSA under FIPS 204. Dilithium generates one valid signature and multiple rejected signatures during the signing process. Most Side-Channel Attacks targeting Dilithium have focused solely on the valid signature, while neglecting the hints contained in rejected signatures. In this paper, we propose a method for recovering the private key by simultaneously leveraging side-channel leakages from both valid signatures and rejected signatures. This approach minimizes the number of signing attempts required for full key recovery. We construct a factor graph incorporating all relevant side-channel leakages and apply the Belief Propagation (BP) algorithm for private key recovery. We conducted a proof-of-concept experiment on a Cortex M4 core chip, where the results demonstrate that utilizing rejected signatures reduces the required number of traces by at least $42\%$ for full key recovery. A minimum of a single trace can recover the private key with a success rate of $30\%$. Our findings highlight that protecting rejected signatures is crucial, as their leakage provides valuable side-channel information. We strongly recommend implementing countermeasures for rejected signatures during the signing process to mitigate potential threats. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25416</guid> <title>Reusable Dynamic Multi-Party Homomorphic Encryption</title> <link>https://iacr.org/news/item/25416</link> <pubDate>Tue, 01 Apr 2025 03:42:05 GMT</pubDate> <description><![CDATA[ePrint Report: Reusable Dynamic Multi-Party Homomorphic Encryption Jung Hee Cheon, Hyeongmin Choe, Seunghong Kim, Yongdong Yeo Homomorphic Encryption (HE) is a promising primitive for evaluating arbitrary circuits while keeping the user's privacy. We investigate how to use HE in the multi-party setting where data is encrypted with several distinct keys. One may use the Multi-Key Homomorphic Encryption (MKHE) in this setting, but it has space/computation overhead of $\mathcal O(n)$ for the number of users $n$, which makes it impractical when $n$ grows large. On the contrary, Multi-Party Homomorphic Encryption (MPHE) is the other Homomorphic Encryption primitive in the multi-party setting, where the space/computation overhead is $\mathcal O(1)$; however, is limited in terms of ciphertext reusability and dynamicity, that ciphertexts are encrypted just for a group of parties and cannot be reused for other purposes, and that additional parties cannot join the computation dynamically. Contrary to MKHE, where the secret key owners engage only in the decryption phase, we consider a more relaxed situation where the secret key owners can communicate before the computation. In that case, we can reduce the size of a ciphertext and the evaluation complexity from $\mathcal O(n)$ to $\mathcal O(1)$ as in a single-key HE setting. We call this primitive as {\em Reusable Dynamic Multi-Party Homomorphic Encryption}, which is more suitable in real-world scenarios. We show that 1) the procedures before the computation can be done in a very few rounds of communications, 2) the evaluation/space complexities are independent of the number of users, and 3) the functionalities are as efficient as MKHE, with asymptotic analysis and with implementation. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25415</guid> <title>Efficient Revocable Identity-Based Encryption from Middle-Product LWE</title> <link>https://iacr.org/news/item/25415</link> <pubDate>Tue, 01 Apr 2025 03:36:04 GMT</pubDate> <description><![CDATA[ePrint Report: Efficient Revocable Identity-Based Encryption from Middle-Product LWE Takumi Nishimura, Atsushi Takayasu The Middle-Product Learning with Errors (MPLWE) assumption is a variant of the Learning with Errors (LWE) assumption. The MPLWE assumption reduces the key size of corresponding LWE-based schemes by setting keys as sets of polynomials. Moreover, MPLWE has more robust security than other LWE variants such as Ring-LWE and Module-LWE. Lombardi et al. proposed an identity-based encryption (IBE) scheme (LVV-IBE) based on the MPLWE assumption in the random oracle model (ROM) by following Gentry et al.'s IBE scheme (GPV-IBE) based on LWE. Due to the benefit of MPLWE, LVV-IBE has a shorter master public key and a secret key than GPV-IBE without changing the size of a ciphertext. However, Lombardi et al.'s proof is not tight in the ROM, while Katsumata et al. proved that GPV-IBE achieves tight adaptive anonymity in the quantum ROM (QROM). Revocable IBE (RIBE) is a variant of IBE supporting a key revocation mechanism to remove malicious users from the system. Takayasu proposed the most efficient RIBE scheme (Takayasu-RIBE) based on LWE achieving tight adaptive anonymity in the QROM. Although a concrete RIBE scheme based on MPLWE has not been proposed, we can construct a scheme (LVV-based RIBE) by applying Ma and Lin's generic transformation to LVV-IBE. Due to the benefit of MPLWE, LVV-based RIBE has an asymptotically shorter master public key and a shorter secret key than Takayasu-RIBE although the former has a larger ciphertext than the latter. Moreover, the security proof is not tight and anonymous in the ROM due to security proofs of Ma-Lin and Lombardi et al. In this paper, we propose a concrete RIBE scheme based on MPLWE. Compared with the above RIBE schemes, the proposed RIBE scheme is the most asymptotically efficient since the sizes of a master public key and a secret key (resp. ciphertext) of the proposed scheme are the same as those of LVV-based RIBE scheme (resp. Takayasu-RIBE). Moreover, we prove the tight adaptive anonymity of the proposed RIBE scheme in the QROM. For this purpose, we also prove the tight adaptive anonymity of LVV-IBE in the QROM. ]]> </description> <category>ePrint Report</category> </item> <item> <guid>https://iacr.org/news/item/25414</guid> <title>REGKYC: Supporting Privacy and Compliance Enforcement for KYC in Blockchains</title> <link>https://iacr.org/news/item/25414</link> <pubDate>Tue, 01 Apr 2025 03:36:04 GMT</pubDate> <description><![CDATA[ePrint Report: REGKYC: Supporting Privacy and Compliance Enforcement for KYC in Blockchains Xihan Xiong, Michael Huth, William Knottenbelt Know Your Customer (KYC) is a core component of the Anti-Money Laundering (AML) framework, designed to prevent illicit activities within financial systems. However, enforcing KYC and AML on blockchains remains challenging due to difficulties in establishing accountability and preserving user privacy. This study proposes REGKYC, a privacy-preserving Attribute-Based Access Control (ABAC) framework that balances user privacy with externally mandated KYC and AML requirements. REGKYC leverages a structured ABAC model to support the flexible verification of KYC attributes and the enforcement of compliance policies, providing benefits to multiple stakeholders. First, it enables legitimate users to meet compliance requirements while preserving the privacy of their on-chain activities. Second, it empowers Crypto-asset Service Providers (CASPs) to tailor compliance policies to operational needs, ensuring adaptability to evolving regulations. Finally, it enhances regulatory accountability by enabling authorized deanonymization of malicious actors. We hope this work inspires future research to harmonize user privacy and regulatory compliance in blockchain systems. ]]> </description> <category>ePrint Report</category> </item> </channel> </rss>