CINXE.COM
Papers updated in last 365 days
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link href="/css/dist/css/bootstrap.min.css" rel="stylesheet"> <title>Papers updated in last 365 days</title> <link rel="stylesheet" href="/css/eprint.css?v=10"> <meta name="robots" content="noindex,nofollow" /> <style> div.summaryauthors { font-style: italic; } a.abstract-open:after { content:' -'; font-weight: 800; } a.abstract-closed:after { content: " ›"; font-weight: 800; } .paper-abstract { max-height: 0; overflow-y: hidden; transition: max-height 0.2s ease-out; white-space: pre-wrap; } </style> <script> function toggleAbstract(elem) { console.dir(elem); let target = document.getElementById(elem.dataset.target); if (target.style.maxHeight) { target.style.maxHeight = null; elem.text = 'Show abstract'; elem.classList.add('abstract-closed'); elem.classList.remove('abstract-open'); } else { target.style.maxHeight = target.scrollHeight + "px"; elem.text = 'Hide abstract'; elem.classList.remove('abstract-closed'); elem.classList.add('abstract-open'); } } </script> <script> MathJax = { tex: { inlineMath: [['$', '$'], ['\\(', '\\)']], displayMath: [ ['$$','$$'], ["\\[","\\]"] ], processEnvironments: false }, loader: { load: [ "ui/safe", "ui/lazy", ], }, options: { safeOptions: { allow: { URLs: "none", classes: "safe", cssIDs: "safe", styles: "safe", }, }, } }; </script> <script id="MathJax-script" async src="/js/mathjax/tex-chtml.js"></script> </head> <body> <noscript> <h1 class="text-center">What a lovely hat</h1> <h4 class="text-center">Is it made out of <a href="https://iacr.org/tinfoil.html">tin foil</a>?</h4> </noscript> <div class="fixed-top" id="topNavbar"> <nav class="navbar navbar-custom navbar-expand-lg"> <div class="container px-0 justify-content-between justify-content-lg-evenly"> <div class="order-0 align-items-center d-flex"> <button class="navbar-toggler btnNoOutline" type="button" data-bs-toggle="collapse" data-bs-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false"> <span class="icon-bar top-bar"></span> <span class="icon-bar middle-bar"></span> <span class="icon-bar bottom-bar"></span> </button> <a class="d-none me-5 d-lg-inline" href="https://iacr.org/"><img class="iacrlogo" src="/img/iacrlogo_small.png" alt="IACR Logo" style="max-width:6rem;"></a> </div> <a class="ePrintname order-1" href="/"> <span class="longNavName">Cryptology ePrint Archive</span> </a> <div class="collapse navbar-collapse order-3" id="navbarContent"> <ul class="navbar-nav me-auto ms-2 mb-2 mb-lg-0 justify-content-end w-100"> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Papers </a> <ul class="dropdown-menu me-3" aria-labelledby="navbarDropdown"> <span class="text-dark mx-3" style="white-space:nowrap;">Updates from the last:</span> <li><a class="dropdown-item ps-custom" href="/days/7">7 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/31">31 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/183">6 months</a></li> <li><a class="dropdown-item ps-custom" href="/days/365">365 days</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/byyear">Listing by year</a></li> <li><a class="dropdown-item" href="/complete">All papers</a></li> <li><a class="dropdown-item" href="/complete/compact">Compact view</a></li> <li><a class="dropdown-item" href="https://www.iacr.org/news/subscribe">Subscribe</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/citation.html">How to cite</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/rss">Harvesting metadata</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="submissionsDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Submissions </a> <ul class="dropdown-menu me-3" aria-labelledby="submissionsDropdown"> <li><a class="dropdown-item" href="/submit">Submit a paper</a></li> <li><a class="dropdown-item" href="/revise">Revise or withdraw a paper</a></li> <li><a class="dropdown-item" href="/operations.html">Acceptance and publishing conditions</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="aboutDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> About </a> <ul class="dropdown-menu me-3" aria-labelledby="aboutDropdown"> <li><a class="dropdown-item" href="/about.html">Goals and history</a></li> <li><a class="dropdown-item" href="/news.html">News</a></li> <li><a class="dropdown-item" href="/stats">Statistics</a></li> <li><a class="dropdown-item" href="/contact.html">Contact</a></li> </ul> </li> </ul> </div> <div class="dropdown ps-md-2 text-right order-2 order-lg-last"> <button class="btn btnNoOutline" type="button" id="dropdownMenuButton1" data-bs-toggle="dropdown" aria-expanded="false"> <img src="/img/search.svg" class="searchIcon" alt="Search Button"/> </button> <div id="searchDd" class="dropdown-menu dropdown-menu-end p-0" aria-labelledby="dropdownMenuButton1"> <form action="/search" method="GET"> <div class="input-group"> <input id="searchbox" name="q" type="search" class="form-control" autocomplete="off"> <button class="btn btn-secondary border input-group-append ml-2"> Search </button> </div> </form> <div class="ms-2 p-1 d-none"><a href="/search">Advanced search</a></div> </div> </div> </div> </nav> </div> <main id="eprintContent" class="container px-3 py-4 p-md-4"> <script> function scrollToTop() { window.scrollTo({ top: 0, behavior: 'smooth' }); } </script> <h2 class="mt-2 mb-3 px-1 px-lg-4">Papers updated in last 365 days (2931 results)</h2> <div id="scrollButtons" style="position:sticky;height:30px;top:90vh;left:25%"> <div id="buttonContainer" class="d-none d-md-block"> <img src="/img/arrow-up-circle-outline.svg" style="height:30px;width:30px;" title="Scroll to top" onclick="scrollToTop()"> </div> </div> <div class="paperList ms-lg-4 me-lg-4"> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1041">2024/1041</a> <a class="ms-2" href="/2024/1041.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Embedding Integer Lattices as Ideals into Polynomial Rings</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Yihang Cheng, Yansong Feng, and Yanbin Pan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1041" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2024-1041" class="paper-abstract">Many lattice-based crypstosystems employ ideal lattices for high efficiency. However, the additional algebraic structure of ideal lattices usually makes us worry about the security, and it is widely believed that the algebraic structure will help us solve the hard problems in ideal lattices more efficiently. In this paper, we study the additional algebraic structure of ideal lattices further and find that a given ideal lattice in a polynomial ring can be embedded as an ideal into infinitely many different polynomial rings by the coefficient embedding. We design an algorithm to verify whether a given full-rank lattice in $\mathbb{Z}^n$ is an ideal lattice and output all the polynomial rings that the given lattice can be embedded into as an ideal with bit operations $\mathcal{O}(n^3(\log n + B)^2(\log n)^2)$, where $n$ is the dimension of the lattice and $B$ is the upper bound of the bit length of the entries of the input lattice basis. We would like to point out that Ding and Lindner proposed an algorithm for identifying ideal lattices and outputting a single polynomial ring of which the input lattice can be regarded as an ideal with bit operations $\mathcal{O}(n^5B^2)$ in 2007. However, we find a flaw in Ding and Lindner's algorithm, and it causes some ideal lattices can't be identified by their algorithm.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/039">2024/039</a> <a class="ms-2" href="/2024/039.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">X-Wing: The Hybrid KEM You’ve Been Looking For</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Manuel Barbosa, Deirdre Connolly, João Diogo Duarte, Aaron Kaiser, Peter Schwabe, Karolin Varner, and Bas Westerbaan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-039" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2024-039" class="paper-abstract">X-Wing is a hybrid key-encapsulation mechanism based on X25519 and ML-KEM-768. It is designed to be the sensible choice for most applications. The concrete choice of X25519 and ML-KEM-768 allows X-Wing to achieve improved efficiency compared to using a generic KEM combiner. In this paper, we introduce the X-Wing hybrid KEM construction and provide a proof of security. We show (1) that X-Wing is a classically IND-CCA secure KEM if the strong Diffie-Hellman assumption holds in the X25519 nominal group, and (2) that X-Wing is a post-quantum IND-CCA secure KEM if ML-KEM-768 is itself an IND-CCA secure KEM and SHA3-256 is secure when used as a pseudorandom function. The first result is proved in the ROM, whereas the second one holds in the standard model. Loosely speaking, this means X-Wing is secure if either X25519 or ML-KEM-768 is secure. We stress that these security gaurantees and optimizations are only possible due to the concrete choices that were made, and it may not apply in the general case.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/467">2025/467</a> <a class="ms-2" href="/2025/467.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">PMNS arithmetic for elliptic curve cryptography</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Fangan Yssouf Dosso, Sylvain Duquesne, Nadia El Mrabet, and Emma Gautier</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-467" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-467" class="paper-abstract">We show that using a polynomial representation of prime field elements (PMNS) can be relevant for real-world cryptographic applications even in terms of performance. More specifically, we consider elliptic curves for cryptography when pseudo-Mersenne primes cannot be used to define the base field (e.g. Brainpool standardized curves, JubJub curves in the zkSNARK context, pairing-friendly curves). All these primitives make massive use of the Montgomery reduction algorithm and well-known libraries such as GMP or OpenSSL for base field arithmetic. We show how this arithmetic can be replaced by a polynomial representation of the number that can be easily parallelized, avoids carry propagation, and allows randomization process. We provide good PMNS basis in the cryptographic context mentioned above, together with a C-implementation that is competitive with GMP and OpenSSL for performing basic operations in the base fields considered. We also integrate this arithmetic into the Rust reference implementation of elliptic curve scalar multiplication for Zero-knowledge applications, and achieve better practical performances for such protocols. This shows that PMNS is an attractive alternative for the base field arithmetic layer in cryptographic primitives using elliptic curves or pairings.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/485">2025/485</a> <a class="ms-2" href="/2025/485.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Key reconstruction for QC-MDPC McEliece from imperfect distance spectrum</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Motonari Ohtsuka, Takahiro Ishimaru, Rei Iseki, Shingo Kukita, and Kohtaro Watanabe</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-485" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-485" class="paper-abstract">McEliece cryptosystems, based on code-based cryptography, is a candidate in Round 4 of NIST's post-quantum cryptography standardization process. The QC-MDPC (quasi-cyclic moderate-density parity-check) variant is particularly noteworthy due to its small key length. The Guo-Johansson-Stankovski (GJS) attack against the QC-MDPC McEliece cryptosystem was recently proposed and has intensively been studied. This attack reconstructs the secret key using information on decoding error rate (DER). However, in practice, obtaining complete DER information is presumed to be time-consuming. This paper proposes two algorithms to reconstruct the secret key under imperfection in the DER information and evaluates the relationship between the imperfection and efficiency of key reconstruction. This will help us to increase the efficacy of the GJS attack.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1264">2024/1264</a> <a class="ms-2" href="/2024/1264.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Succinct Non-Subsequence Arguments</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">San Ling, Khai Hanh Tang, Khu Vu, Huaxiong Wang, and Yingfei Yan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1264" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2024-1264" class="paper-abstract">Lookup arguments have recently attracted a lot of developments due to their applications in the constructions of succinct non-interactive arguments of knowledge (SNARKs). A closely related topic is subsequence arguments in which one can prove that string $\mathbf{s}$ is a subsequence of another string $\mathbf{t}$, i.e., deleting some characters in $\mathbf{t}$ can achieve $\mathbf{s}$. A dual notion, namely, non-subsequence arguments, is to prove that $\mathbf{s}$ is not a subsequence of $\mathbf{t}$. These problems have a lot of important applications in DNA sequence analysis, internet of things, blockchains, natural language processing, speech recognition, etc. However, despite their applications, they are not well-studied in cryptography, especially succinct arguments for non-subsequences with efficient proving time and sublinear verification time. In this work, we propose the first succinct non-subsequence argument. Our solution applies the sumcheck protocol and is instantiable by any multivariate polynomial commitment schemes (PCSs). We achieve an efficient prover whose running time is linear in the size of sequences $\mathbf{s}$, $\mathbf{t}$ and their respective alphabet $\Sigma$. Our proof is succinct and the verifier time is sublinear assuming the employed PCS has succinct commitments and sublinear verification time. When instantiating with Sona PCS (EUROCRYPT'24), we achieve proof size $\mathcal{O}(\log_2|\mathbf{s}| + \log_2|\mathbf{t}|+\log_2|\Sigma|)$, prover time $\mathcal{O}(|\mathbf{s}|+|\mathbf{t}|+|\Sigma|)$ and verifier time $\mathcal{O}(\sqrt{|\mathbf{s}|}+\sqrt{|\mathbf{t}|}+\sqrt{|\Sigma|})$. Extending our technique, we can achieve a batch subsequence argument for proving in batch $k$ interleaving subsequence and non-subsequence arguments without proof size suffering a linear blow-up in $k$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/384">2025/384</a> <a class="ms-2" href="/2025/384.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Optimizing Final Exponentiation for Pairing-Friendly Elliptic Curves with Odd Embedding Degrees Divisible by 3</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Loubna Ghammam, Nadia El Mrabet, Walid Haddaji, and Leila Ben Abdelghani</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-384" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-384" class="paper-abstract">In pairing-based cryptography, the final exponentiation with a large fixed exponent is essential to ensure unique outputs in both Tate and optimal ate pairings. While significant progress has been made in optimizing elliptic curves with even embedding degrees, advancements for curves with odd embedding degrees, particularly those divisible by 3, have been more limited. This paper introduces new optimization techniques for computing the final exponentiation of the optimal ate pairing on these curves. The first technique takes advantage of some existing seeds' forms, which enable cyclotomic cubing, and extends this approach to generate new seeds with a similar structure. The second technique involves generating new seeds with sparse ternary representations, replacing squaring operations with cyclotomic cubing. The first technique improves efficiency by $1.7\%$ and $1.5\%$ compared to the square and multiply (\textbf{SM}) method for existing seeds at $192-$bit and $256-$bit security levels, respectively. For newly generated seeds, it achieves efficiency gains of $3.4\%$ at $128-$bit, $5\%$ at $192-$bit, and $8.6\%$ at $256-$bit security levels. The second technique improves efficiency by $3.3\%$ at $128-$bit, $19.5\%$ at $192-$bit, and $4.3\%$ at $256-$bit security levels.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2023/1875">2023/1875</a> <a class="ms-2" href="/2023/1875.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">The Blockwise Rank Syndrome Learning problem and its applications to cryptography</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Nicolas Aragon, Pierre Briaud, Victor Dyseryn, Philippe Gaborit, and Adrien Vinçotte</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2023-1875" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2023-1875" class="paper-abstract">This paper is an extended version of [8] published in PQCrypto 2024, in which we combine two approaches, blockwise errors and multi-syndromes, in a unique approach which leads to very efficient generalized RQC and LRPC schemes. The notion of blockwise error in a context of rank based cryptography has been recently introduced in [31]. This notion of error, very close to the notion of sum-rank metric [27], permits, by decreasing the weight of the decoded error, to greatly improve parameters for the LRPC and RQC cryptographic schemes. A little before, the multi-syndromes approach introduced for LRPC and RQC schemes in [3,18] also allowed to considerably decrease parameters sizes for LRPC and RQC schemes, through in particular the introduction of Augmented Gabidulin codes. In order to combine these approaches, we introduced in [8] the Blockwise Rank Support Learning problem. It consists of guessing the support of the errors when several syndromes are given in input, with blockwise structured errors. The new schemes we introduced have very interesting features since for 128 bits security they permit to obtain generalized schemes for which the sum of public key and ciphertext is only 1.4 kB for the generalized RQC scheme and 1.7 kB for the generalized LRPC scheme. In this extended version we give the following new features. First, we propose a new optimization on the main protocol which consists in considering 1 in the support of an error, allowing to deduce a subspace of the error to decode and improve the decoding capacity of our LRPC code, while maintaining an equal level of security. The approach of the original paper permits to reach a $40\%$ gain in terms of parameters size when compared to previous results [18,31], and this optimization allows to reduce the parameters by another $4\%$ for higher security level. We obtain better results in terms of size than the KYBER scheme whose total sum is 1.5 kB. Second we give a more detailed analysis of the algebraic attacks on the $\ell$-RD problem we proposed in [8], which allowed to cryptanalyze all blockwise LRPC parameters proposed in [31] (with an improvement of more than 40 bits in the case of structural attacks). And at last, third, we propose a more detailed introduction to the historical background about rank metric, especially on the RQC and LRPC cryptosystems and their recent improvements and we add some parameters for the case of classical RQC (the case of only one given syndrome, that is a special case of our scheme, for which we could achieve 1.5 kB for the sum of the public key and the ciphertext), which compares very well to the previous version of classical RQC.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1599">2024/1599</a> <a class="ms-2" href="/2024/1599.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Simplified PIR and CDS Protocols and Improved Linear Secret-Sharing Schemes</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Bar Alon, Amos Beimel, and Or Lasri</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1599" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1599" class="paper-abstract">We consider 3 related cryptographic primitives, private information retrieval (PIR) protocols, conditional disclosure of secrets (CDS) protocols, and secret-sharing schemes; these primitives have many applications in cryptography. We study these primitives requiring information-theoretic security. The complexity of these primitives has been dramatically improved in the last few years are they are closely related, i.e., the the 2-server PIR protocol of Dvir and Gopi (J. ACM 2016) was transformed to construct the CDS protocols of Liu, Vaikuntanathan, and Wee (CRYPTO 2017, Eurocrypt 2018) and these CDS protocols are the main ingredient in the construction of the best known secret-sharing schemes. To date, the messages size required in PIR and CDS protocols and the share size required in secret-sharing schemes is not understood and there are big gaps between their upper bounds and lower bounds. The goal of this paper is to try to better understand the upper bounds by simplifying current constructions and improving their complexity. We obtain the following two independent results: - We simplify, abstract, and generalize the 2-server PIR protocol of Dvir and Gopi (J. ACM 2016) and the 2-server and multi-server CDS protocols of Liu et al. (CRYPTO 2017, Eurocrypt 2018) and Beimel, Farr`as, and Lasri (TCC 2023). This is done by considering a new variant of matching vectors and by using a general share conversion. In addition to simplifying previous protocols, our protocols can use matching vectors over any $m$ that is product of two distinct primes. Our construction does not improve the communication complexity of PIR and CDS protocols; however, construction of better matching vectors over any $m$ that is product of two distinct primes will improve their communication complexity. - In many applications of secret-sharing schemes it is important that the scheme is linear, e.g., by using the fact that parties can locally add shares of two secrets and obtain shares of the sum of the secrets. We provide a construction of linear secret-sharing schemes for $n$-party access structures with improved share size of $2^{0.7563n}$. Previously, the best share size for linear secret- sharing schemes was $2^{0.7576n}$ and it is known that for most $n$-party access structures the shares size is at least $2^{0.5n}$. This results is achieved by a reduction to unbalanced CDS protocols (compared to balanced CDS protocols in previous constructions).</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/388">2025/388</a> <a class="ms-2" href="/2025/388.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Fair Exchange for Decentralized Autonomous Organizations via Threshold Adaptor Signatures</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Ruben Baecker, Paul Gerhart, Jonathan Katz, and Dominique Schröder</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-388" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-388" class="paper-abstract">A Decentralized Autonomous Organization (DAO) enables multiple parties to collectively manage digital assets in a blockchain setting. We focus on achieving fair exchange between DAOs using a cryptographic mechanism that operates with minimal blockchain assumptions and, crucially, does not rely on smart contracts. Specifically, we consider a setting where a DAO consisting of $n_\mathsf{S}$ sellers holding shares of a witness $w$ interacts with a DAO comprising $n_\mathsf{B}$ buyers holding shares of a signing key $sk$; the goal is for the sellers to exchange $w$ for a signature under $sk$ transferring a predetermined amount of funds. Fairness is required to hold both between DAOs (i.e., ensuring that each DAO receives its asset if and only if the other does) as well as within each DAO (i.e., ensuring that all members of a DAO receive their asset if and only if every other member does). We formalize these fairness properties and present an efficient protocol for DAO-based fair exchange under standard cryptographic assumptions. Our protocol leverages certified witness encryption and threshold adaptor signatures, two primitives of independent interest that we introduce and show how to construct efficiently.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1953">2024/1953</a> <a class="ms-2" href="/2024/1953.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Truncation Untangled: Scaling Fixed-Point Arithmetic for Privacy-Preserving Machine Learning to Large Models and Datasets</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Christopher Harth-Kitzerow, Ajith Suresh, and Georg Carle</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1953" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1953" class="paper-abstract">Fixed Point Arithmetic (FPA) is widely used in Privacy-Preserving Machine Learning (PPML) to efficiently handle decimal values. However, repeated multiplications in FPA can lead to overflow, as the fractional part doubles in size with each multiplication. To address this, truncation is applied post-multiplication to maintain precision. Various truncation schemes based on Secure Multiparty Computation (MPC) exist, but trade-offs between accuracy and efficiency in PPML models and datasets remain underexplored. In this work, we analyze and consolidate different truncation approaches from the MPC literature, focusing on their slack sizes---extra bits required per secret share to ensure correctness. We present improved constructions for these truncation methods in state-of-the-art three-party semi-honest (3PC) and four-party malicious (4PC) settings, achieving up to a threefold reduction in communication and round complexity over existing schemes. Additionally, we introduce optimizations tailored for PPML, such as strategically fusing different neural network layers. This leads to a mixed-truncation scheme that balances truncation costs with accuracy, eliminating communication overhead in the online phase while maintaining the accuracy of plaintext floating-point PyTorch inference for VGG-16 on the ImageNet dataset. We conduct the first large-scale systematic evaluation of PPML inference accuracy across truncation schemes, ring sizes, neural network architectures, and datasets. Our study provides clear guidelines for selecting the optimal truncation scheme for PPML inference. All evaluations are implemented in the open-source HPMPC MPC framework, facilitating future research and adoption.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1395">2024/1395</a> <a class="ms-2" href="/2024/1395.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Formal Analysis of Apple’s iMessage PQ3 Protocol</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Felix Linker, Ralf Sasse, and David Basin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1395" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1395" class="paper-abstract">We present the formal verification of Apple’s iMessage PQ3, a highly performant, device-to-device messaging protocol offering strong security guarantees even against an adversary with quantum computing capabilities. PQ3 leverages Apple’s identity services together with a custom, post-quantum secure initialization phase and afterwards it employs a double ratchet construction in the style of Signal, extended to provide post-quantum, post-compromise security. We present a detailed formal model of PQ3, a precise specification of its fine-grained security properties, and machine-checked security proofs using the TAMARIN prover. Particularly novel is the integration of post-quantum secure key encapsulation into the relevant protocol phases and the detailed security claims along with their complete formal analysis. Our analysis covers both key ratchets, including unbounded loops, which was believed by some to be out of scope of symbolic provers like TAMARIN (it is not!).</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/2019">2024/2019</a> <a class="ms-2" href="/2024/2019.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key, Revisited: Consistency, Outsider Strong Unforgeability, and Generic Construction</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Keita Emura</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-2019" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-2019" class="paper-abstract">Liu et al. (EuroS&P 2019) introduced Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key (PDPKS) to enhance the security of stealth address and deterministic wallet. In this paper, we point out that the current security notions are insufficient in practice, and introduce a new security notion which we call consistency. Moreover, we explore the unforgeability to provide strong unforgeability for outsider which captures the situation that nobody, except the payer and the payee, can produce a valid signature. From the viewpoint of cryptocurrency functionality, it allows us to implement a refund functionality. Currently, basically there is no way to refund a coin when one mistakenly spends a coin to an address. This functionality rescues the case, even in the stealth environment that hides information of the payer. Note that the refund functionality only works before the payee transfers a coin to own wallet, and it prevents a double spending issue. Finally, we propose a generic construction of PDPKS that provides consistency and outsider strong unforgeability. The design is conceptually much simpler than known PDPKS constructions. It is particularly note that the underlying strongly unforgeable signature scheme is required to provide the strong conservative exclusive ownership (S-CEO) security (Cremers et al., IEEE S&P 2021). Since we explicitly require the underlying signature scheme to be S-CEO secure, our security proof introduces a new insight of exclusive ownership security which may be of independent interest.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/500">2025/500</a> <a class="ms-2" href="/2025/500.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SecurED: Secure Multiparty Edit Distance for Genomic Sequences</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Jiahui Gao, Yagaagowtham Palanikuma, Dimitris Mouris, Duong Tung Nguyen, and Ni Trieu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-500" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-500" class="paper-abstract">DNA edit distance (ED) measures the minimum number of single nucleotide insertions, substitutions, or deletions required to convert a DNA sequence into another. ED has broad applications in healthcare such as sequence alignment, genome assembly, functional annotation, and drug discovery. Privacy-preserving computation is essential in this context to protect sensitive genomic data. Nonetheless, the existing secure DNA edit distance solutions lack efficiency when handling large data sequences or resort to approximations and fail to accurately compute the metric. In this work, we introduce secureED, a protocol that tackles these limitations, resulting in a significant performance enhancement of approximately $2-24\times$ compared to existing methods. Our protocol computes a secure ED between two genomes, each comprising $1,000$ letters, in just a few seconds. The underlying technique of our protocol is a novel approach that transforms the established approximate matching technique (i.e., the Ukkonen algorithm) into exact matching, exploiting the inherent similarity in human DNA to achieve cost-effectiveness. Furthermore, we introduce various optimizations tailored for secure computation in scenarios with a limited input domain, such as DNA sequences composed solely of the four nucleotide letters.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/505">2025/505</a> <a class="ms-2" href="/2025/505.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Capitalized Bitcoin Fork for National Strategic Reserve</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Charanjit Singh Jutla and Arnab Roy</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-505" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-505" class="paper-abstract">We describe a strategy for a nation to acquire majority stake in Bitcoin with zero cost to the taxpayers of the nation. We propose a bitcoin fork sponsored by the the government of the nation, and backed by the full faith of treasury of the nation, such that the genesis block of this fork attributes fixed large amount of new kinds of tokens called strategic-reserve-bitcoin tokens (SRBTC) to the nation's treasury, which is some multiple (greater than one) of the amount of all Bitcoin tokens (BTC) currently set in the Bitcoin protocol. The BTC tokens continue to be treated 1:1 as SRBTC tokens in the forked chain. The only capital that the nation puts up is its explicit guarantee that the SRBTC tokens of the fork will be accepted as legal tender, such as payment of tax to the treasury. We suggest that this is a better approach than starting a new blockchain that mimics Bitcoin, as it will be partially fair to the current holders of Bitcoin, which in turn would make it competitive in the space of other such possible forks by other powerful nations. Moreover, such a proof-of-work blockchain retains its egalitarian and democratic nature, which competitively deters the said nation from any dilutions in the future. To justify our proposal we setup three competitive games, and show strategies for different players that are in Nash equilibrium and which throw further light on these claims. In particular, 1. The first game shows that if the only two alternatives for investors is to invest in BTC or SRBTC, then individuals who have a certain fraction $\theta$ of their wealth already invested in BTC, will invest new money in the original chain, whereas the individuals whose current wealth invested in BTC is less than the $\theta$ fraction will invest new money in SRBTC. 2. The second game shows that if there is a third alternative for investment, which is cash that is losing value (inflation-adjusted) by a percentage $d$, then the investors who had less than $\theta$ fraction of wealth in Bitcoin, will invest in SRBTC only if the dilution of SRBTC is large enough (as an increasing (linear) function of $1/d$). Here by dilution we mean the new SRBTC tokens that are allowed to be eventually mined in the fork. 3. The third game shows that investors would prefer a fork of Bitcoin over a replica of Bitcoin that doesn't value original BTC, when both are available and even if both are backed similarly by one or more nations.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/504">2025/504</a> <a class="ms-2" href="/2025/504.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Ideal Compartmented Secret Sharing Scheme Based on the Chinese Remainder Theorem for Polynomial Rings</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Alexandru-Valentin Basaga and Sorin Iftene</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-504" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-504" class="paper-abstract">A secret sharing scheme starts with a secret and then derives from it certain shares (or shadows) which are distributed to users. The secret may be recovered only by certain predetermined groups. In case of compartmented secret sharing, the set of users is partitioned into compartments and the secret can be recovered only if the number of participants from any compartment is greater than or equal to a fixed compartment threshold and the total number of participants is greater than or equal to a global threshold. In this paper we use the Chinese Remainder Theorem for Polynomial Rings in order to construct an ideal compartmented secret sharing scheme, inspired by the work from [20].</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/503">2025/503</a> <a class="ms-2" href="/2025/503.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Max Bias Analysis: A New Approach on Computing the Entropy of Free Ring-Oscillator</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Nicolas David and Eric Garrido</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-503" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-503" class="paper-abstract">This work introduce a new approach called Max bias analysis for the entropy computation of structures of Free Ring Oscillator-based Physical Random Number Generator. It employs the stochastic model based on the well-established Wiener process, specifically adapted to only capture thermal noise contributions while accounting for potential non-zero bias in the duty cycle. Our analysis is versatile, applicable to combinations of multiple sampled Ring Oscillator (RO) filtering by any function. The entropy computation takes as inputs the parameters of the thermal stochastic model and delivers directly a proven bound for both Shannon entropy and min-entropy to fulfill AIS31 and NIST SP 800-90 B. As an example, we apply the new methodology on an enhanced structure of TRNG combining several free-running Ring Oscillators filtered by a vectorial function built from a linear error correcting code that optimizes the functional performance in terms of [entropy rate/silicium area used] and that maintains the mathematical proof of the entropy lower bound as simple as possible.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/142">2025/142</a> <a class="ms-2" href="/2025/142.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">hax: Verifying Security-Critical Rust Software using Multiple Provers</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Karthikeyan Bhargavan, Maxime Buyse, Lucas Franceschino, Lasse Letager Hansen, Franziskus Kiefer, Jonas Schneider-Bensch, and Bas Spitters</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-142" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-142" class="paper-abstract">We present hax, a verification toolchain for Rust targeted at security-critical software such as cryptographic libraries, protocol imple- mentations, authentication and authorization mechanisms, and parsing and sanitization code. The key idea behind hax is the pragmatic observation that different verification tools are better at handling different kinds of verification goals. Consequently, hax supports multiple proof backends, including domain-specific security analysis tools like ProVerif and SSProve, as well as general proof assistants like Coq and F*. In this paper, we present the hax toolchain and show how we use it to translate Rust code to the input languages of different provers. We describe how we systematically test our translated models and our models of the Rust system libraries to gain confidence in their correctness. Finally, we briefly overview various ongoing verification projects that rely on hax.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/502">2025/502</a> <a class="ms-2" href="/2025/502.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Registration-Based Encryption in the Plain Model</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Jesko Dujmovic, Giulio Malavolta, and Wei Qi</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-502" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-502" class="paper-abstract">Registration-based encryption (RBE) is a recently developed alternative to identity-based encryption, that mitigates the well-known key-escrow problem by letting each user sample its own key pair. In RBE, the key authority is substituted by a key curator, a completely transparent entity whose only job is to reliably aggregate users' keys. However, one limitation of all known RBE scheme is that they all rely on one-time trusted setup, that must be computed honestly. In this work, we ask whether this limitation is indeed inherent and we initiate the systematic study of RBE in the plain model, without any common reference string. We present the following main results: - (Definitions) We show that the standard security definition of RBE is unachievable without a trusted setup and we propose a slight weakening, where one honest user is required to be registered in the system. - (Constructions) We present constructions of RBE in the plain model, based on standard cryptographic assumptions. Along the way, we introduce the notions of non-interactive witness indistinguishable (NIWI) proofs secure against chosen statements attack and re-randomizable RBE, which may be of independent interest. A major limitation of our constructions, is that users must be updated upon every new registration. - (Lower Bounds) We show that this limitation is in some sense inherent. We prove that any RBE in the plain model that satisfies a certain structural requirement, which holds for all known RBE constructions, must update all but a vanishing fraction of the users, upon each new registration. This is in contrast with the standard RBE settings, where users receive a logarithmic amount of updates throughout the lifetime of the system.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2023/1108">2023/1108</a> <a class="ms-2" href="/2023/1108.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">It's a Kind of Magic: A Novel Conditional GAN Framework for Efficient Profiling Side-channel Analysis (Extended Version)</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Sengim Karayalcin, Marina Krcek, Lichao Wu, Stjepan Picek, and Guilherme Perin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2023-1108" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2023-1108" class="paper-abstract">Profiling side-channel analysis (SCA) is widely used to evaluate the security of cryptographic implementations under worst-case attack scenarios. This method assumes a strong adversary with a fully controlled device clone, known as a profiling device, with full access to the internal state of the target algorithm, including the mask shares. However, acquiring such a profiling device in the real world is challenging, as secure products enforce strong life cycle protection, particularly on devices that allow the user partial (e.g., debug mode) or full (e.g., test mode) control. This enforcement restricts access to profiling devices, significantly reducing the effectiveness of profiling SCA. To address this limitation, this paper introduces a novel framework that allows an attacker to create and learn from their own white-box reference design without needing privileged access on the profiling device. Specifically, the attacker first implements the target algorithm on a different type of device with full control. Since this device is a white box to the attacker, they can access all internal states and mask shares. A novel conditional generative adversarial network (CGAN) framework is then introduced to mimic the feature extraction procedure from the reference device and transfer this experience to extract high-order leakages from the target device. These extracted features then serve as inputs for profiled SCA. Experiments show that our approach significantly enhances the efficacy of black-box profiling SCA, matching or potentially exceeding the results of worst-case security evaluations. Compared with conventional profiling SCA, which has strict requirements on the profiling device, our framework relaxes this threat model and, thus, can be better adapted to real-world attacks.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/812">2024/812</a> <a class="ms-2" href="/2024/812.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Relations among new CCA security notions for approximate FHE</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Chris Brzuska, Sébastien Canard, Caroline Fontaine, Duong Hieu Phan, David Pointcheval, Marc Renard, and Renaud Sirdey</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-812" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2024-812" class="paper-abstract">In a recent Eurocrypt'24 paper, Manulis and Nguyen have proposed a new CCA security notion, vCCA, and associated construction blueprints to leverage both CPA-secure and correct FHE beyond the CCA1 security barrier. However, because their approach is only valid under the correctness assumption, it leaves a large part of the FHE spectrum uncovered as many FHE schemes used in practice turn out to be approximate and, as such, do not satisfy the correctness assumption. In this paper, we improve their work by defining and investigating a variant of their security notion which is suitable for a more general case where approximate FHE are included. As the passive security of approximate FHE schemes is more appropriately captured by CPAD rather than CPA security, we start from the former notion to define our vCCAD new security notion. Although, we show that vCCA and vCCAD are equivalent when the correctness assumption holds, we establish that vCCAD security is strictly stronger than vCCA security in the general case. In doing so, we interestingly establish several new separation results between variants of CPAD security of increasing strength. This allows us to clarify the relationship between vCCA security and CPAD security, and to reveal that the security notions landscape is much simpler for correct FHE than when approximate ones are included --- in which case, for example, we establish that multiple challenges security notions are strictly stronger than single-challenge ones for both CPAD and vCCAD security. Lastly, we also give concrete construction blueprints, showing how to leverage some of the blueprints proposed by Manulis and Nguyen to achieve vCCAD security. As a result, vCCAD security is the strongest CCA security notion so far known to be achievable by both correct and approximate FHE schemes.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2016/164">2016/164</a> <a class="ms-2" href="/2016/164.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Sanitization of FHE Ciphertexts</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Léo Ducas and Damien Stehlé</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2016-164" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2016-164" class="paper-abstract">By definition, fully homomorphic encryption (FHE) schemes support homomorphic decryption, and all known FHE constructions are bootstrapped from a Somewhat Homomorphic Encryption (SHE) scheme via this technique. Additionally, when a public key is provided, ciphertexts are also re-randomizable, e.g., by adding to them fresh encryptions of 0. From those two operations we devise an algorithm to sanitize a ciphertext, by making its distribution canonical. In particular, the distribution of the ciphertext does not depend on the circuit that led to it via homomorphic evaluation, thus providing circuit privacy in the honest-but-curious model. Unlike the previous approach based on noise flooding, our approach does not degrade much the security/efficiency trade-off of the underlying FHE. The technique can be applied to all lattice-based FHE proposed so far, without substantially affecting their concrete parameters.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/761">2024/761</a> <a class="ms-2" href="/2024/761.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Enabling Lattice-based Authentication Encrypted Search with Ciphertext Broadcast for Cloud Storage</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Yibo Cao, Shiyuan Xu, Xiu-Bo Chen, Gang Xu, Siu-Ming Yiu, and Zongpeng Li</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-761" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2024-761" class="paper-abstract">The development of cloud computing facilitates data outsourced sharing and storage, but also brings up several security issues. Public key authenticated encryption with keyword search (PAEKS) enables the encrypted search over cloud data while resisting the insider keyword guessing attacks (IKGAs). However, existing PAEKS schemes are limited to a single receiver, restricting application prospects in cloud storage. In addition, quantum computing attacks and key leakage issues further threaten the data security, which attracted extensive attention from researchers. Therefore, designing an encrypted search scheme to resist the above-mentioned attacks is still far-reaching. In this paper, we first propose BroSearch, a lattice-based authentication encrypted search with ciphertext broadcast. It utilizes lattice sampling algorithms to authenticate the keyword and offers searchability over broadcasting ciphertext while enjoying IKGAs-resistant in a quantum setting. To get around key leakage issues, we then incorporate the minimal cover set technique and lattice basis extension algorithm to construct FS-BroSearch, as an enhanced version. Furthermore, we give rigorous security analysis (IND-CKA and IND-IKGA) and comprehensive performance evaluation of both schemes. Specifically, the time cost of BroSearch is at least 0.61, 0.82, and 0.83 times compared to prior arts in terms of ciphertext calculation, trapdoor generation, and search procedures, which is practical and effective for cloud storage.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/501">2025/501</a> <a class="ms-2" href="/2025/501.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Quantum Key-Recovery Attacks on Permutation-Based Pseudorandom Functions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Hong-Wei Sun</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-501" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-501" class="paper-abstract">Due to their simple security assessments, permutation-based pseudo-random functions (PRFs) have become widely used in cryptography. It has been shown that PRFs using a single $n$-bit permutation achieve $n/2$ bits of security, while those using two permutation calls provide $2n/3$ bits of security in the classical setting. This paper studies the security of permutation-based PRFs within the Q1 model, where attackers are restricted to classical queries and offline quantum computations. We present improved quantum-time/classical-data tradeoffs compared with the previous attacks. Specifically, under the same assumptions/hardware as Grover's exhaustive search attack, i.e. the offline Simon algorithm, we can recover keys in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits. Furthermore, we enhance previous superposition attacks by reducing the data complexity from exponential to polynomial, while maintaining the same time complexity. This implies that permutation-based PRFs become vulnerable when adversaries have access to quantum computing resources. It is pointed out that the above quantum attack can be used to quite a few cryptography, including SoEM, PDMMAC, pEDM, as well as general instantiations like XopEM, EDMEM, EDMDEM, and others.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1956">2024/1956</a> <a class="ms-2" href="/2024/1956.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">MultiReg-FE: Registered FE for Unbounded Inner-Product and Attribute-Weighted Sums</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Qiuyan Du, Qiaohan Chu, Jie Chen, Man Ho Au, and Debiao He</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1956" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2024-1956" class="paper-abstract">Recently, Francati et al. (Asiacrypt 2023) provided the first registered functional encryption (Reg-FE) beyond predicates. Reg-FE addresses the key escrow problem in functional encryption by allowing users to generate their own key pairs, effectively replacing the traditional private-key generator with a key curator. The key curator holds no secret information and runs deterministic algorithms to generate master public key for encryption and helper keys for decryption. However, existing Reg-FE schemes under standard assumptions require fixed data sizes, which limits their practicality in real-world applications. In this work, we introduce Multi-Function Registered Functional Encryption for Inner-Product (MultiReg-FE for IP), a novel extension of Reg-FE. It enables users to register multiple functions under a single public key. With MultiReg-FE, we achieve both Reg-FE for Unbounded Inner-Product (Unbounded IP), which removes the need to predetermine vector lengths, and Reg-FE for Attribute-Weighted Sums with Inner-Product (AWSw/IP), allowing computations over arbitrary numbers of attribute-value pairs. Specifically, we present: -MultiReg-FE for Inner-Product, which supports unbounded number of function vectors from each user and achieves adaptive-IND-security; - Reg-FE for Unbounded Inner-Product, removing the need for preset vector lengths and achieves adaptive-IND-security; - The first Reg-FE for AWSw/IP in public-key settings with weekly security.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/377">2025/377</a> <a class="ms-2" href="/2025/377.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">HiAE: A High-Throughput Authenticated Encryption Algorithm for Cross-Platform Efficiency</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=SECRETKEY"><small class="badge category category-SECRETKEY">Secret-key cryptography</small></a> </div> </div> <div class="summaryauthors">Han Chen, Tao Huang, Phuong Pham, and Shuang Wu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-377" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=SECRETKEY"><small class="badge category category-SECRETKEY">Secret-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-377" class="paper-abstract">This paper addresses the critical challenges in designing cryptographic algorithms that achieve both high performance and cross-platform efficiency on ARM and x86 architectures, catering to the demanding requirements of next-generation communication systems, such as 6G and GPU/NPU interconnections. We propose HiAE, a high-throughput authenticated encryption algorithm optimized for performance exceeding 100 Gbps and designed to meet the stringent security requirements of future communication networks. HiAE leverages the stream cipher structure, integrating the AES round function for non-linear diffusion. Our design achieves exceptional efficiency, with benchmark results from software implementations across various platforms showing over 340 Gbps on x86 processors and 180 Gbps on ARM devices in AEAD mode, making it the fastest AEAD solution on ARM chips and setting a new performance record on the latest x86 processors.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1848">2024/1848</a> <a class="ms-2" href="/2024/1848.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Non-Interactive Zero-Knowledge Proofs with Certified Deletion</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Kasra Abbaszadeh and Jonathan Katz</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1848" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2024-1848" class="paper-abstract">We introduce the notion of non-interactive zero-knowledge (NIZK) proofs with certified deletion. Our notion enables the recipient of a (quantum) NIZK proof to delete the proof and obtain a (classical) certificate proving such deletion. We define this notion and propose two candidate constructions from standard cryptographic assumptions. Our first construction is based on classical NIZK proofs and quantum-hard one-way functions but needs both the prover and verifier to run quantum algorithms. We then present an extension that allows the prover to be classical; this is based on the learning with errors problem and requires an instance-independent interactive setup between the prover and verifier. Our results have applications to revocable signatures of knowledge and revocable anonymous credentials, which we also define and construct.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/413">2025/413</a> <a class="ms-2" href="/2025/413.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Garblet: Multi-party Computation for Protecting Chiplet-based Systems</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Mohammad Hashemi, Shahin Tajik, and Fatemeh Ganji</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-413" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-413" class="paper-abstract">The introduction of shared computation architectures assembled from heterogeneous chiplets introduces new security threats. Due to the shared logical and physical resources, an untrusted chiplet can act maliciously to surreptitiously probe the data communication between chiplets or sense the computation shared between them. This paper presents Garblet, the first framework to leverage the flexibility offered by chiplet technology and Garbled Circuits (GC)-based MPC to enable efficient, secure computation even in the presence of potentially compromised chiplets. Our approach integrates a customized hardware Oblivious Transfer (OT) module and an optimized evaluator engine into chiplet-based platforms. This configuration distributes the tasks of garbling and evaluating circuits across two chiplets, reducing communication costs and enhancing computation speed. We implement this framework on an AMD/Xilinx UltraScale+ multi-chip module and demonstrate its effectiveness using benchmark functions. Additionally, we introduce a novel circuit decomposition technique that allows for parallel processing across multiple chiplets to further improve computational efficiency. Our results highlight the potential of chiplet systems for accelerating GC (e.g., the time complexity of garbled AES is 0.0226ms) in order to guarantee the security and privacy of the computation on chiplets.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/499">2025/499</a> <a class="ms-2" href="/2025/499.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SCAPEgoat: Side-channel Analysis Library</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Dev Mehta, Trey Marcantino, Mohammad Hashemi, Sam Karkache, Dillibabu Shanmugam, Patrick Schaumont, and Fatemeh Ganji</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-499" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-499" class="paper-abstract">Side-channel analysis (SCA) is a growing field in hardware security where adversaries extract secret information from embedded devices by measuring physical observables like power consumption and electromagnetic emanation. SCA is a security assessment method used by governmental labs, standardization bodies, and researchers, where testing is not just limited to standardized cryptographic circuits, but it is expanded to AI accelerators, Post Quantum circuits, systems, etc. Despite its importance, SCA is performed on an ad hoc basis in the sense that its flow is not systematically optimized and unified among labs. As a result, the current solutions do not account for fair comparisons between analyses. Furthermore, neglecting the need for interoperability between datasets and SCA metric computation increases students’ barriers to entry. To address this, we introduce SCAPEgoat, a Python-based SCA library with three key modules devoted to defining file format, capturing interfaces, and metric calculation. The custom file framework organizes side-channel traces using JSON for metadata, offering a hierarchical structure similar to HDF5 commonly applied in SCA, but more flexible and human-readable. The metadata can be queried with regular expressions, a feature unavailable in HDF5. Secondly, we incorporate memory-efficient SCA metric computations, which allow using our functions on resource-restricted machines. This is accomplished by partitioning datasets and leveraging statistics-based optimizations on the metrics. In doing so, SCAPEgoat makes the SCA more accessible to newcomers so that they can learn techniques and conduct experiments faster and with the possibility to expand on in the future.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/498">2025/498</a> <a class="ms-2" href="/2025/498.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Scoop: An Optimizer for Profiling Attacks against Higher-Order Masking</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Nathan Rousselot, Karine Heydemann, Loïc Masure, and Vincent Migairou</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-498" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-498" class="paper-abstract">In this paper we provide new theoretical and empirical evidences that gradient-based deep learning profiling attacks (DL-SCA) suffer from masking schemes. This occurs through an initial stall of the learning process: the so-called plateau effect. To understand why, we derive an analytical expression of a DL-SCA model targeting simulated traces which enables us to study an analytical expression of the loss. By studying the loss landscape of this model, we show that not only do the magnitudes of the gradients decrease as the order of masking increases, but the loss landscape also exhibits a prominent saddle point interfering with the optimization process. From these observations, we (1) propose the usage of a second-order optimization algorithm mitigating the impact of low-gradient areas. In addition, we show how to leverage the intrinsic sparsity of valuable information in SCA traces to better pose the DL-SCA problem. To do so, we (2) propose to use the implicit regularization properties of the sparse mirror descent. These propositions are gathered in a new publicly available optimization algorithm, Scoop. Scoop combines second-order derivative of the loss function in the optimization process, with a sparse stochastic mirror descent. We experimentally show that Scoop pushes further the current limitations of DL-SCA against simulated traces, and outperforms the state-of-the-art on the ASCADv1 dataset in terms of number of traces required to retrieve the key, perceived information and plateau length. Scoop also performs the first non-worst-case attack on the ASCADv2 dataset. On simulated traces, we show that using Scoop reduces the DL-SCA time complexity by the equivalent of one masking order.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/497">2025/497</a> <a class="ms-2" href="/2025/497.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Fast Scloud+: A Fast Hardware Implementation for the Unstructured LWE-based KEM - Scloud+</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Jing Tian, Yaodong Wei, Dejun Xu, Kai Wang, Anyu Wang, Zhiyuan Qiu, Fu Yao, and Guang Zeng</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-497" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-497" class="paper-abstract">Scloud+ is an unstructured LWE-based key encapsulation mechanism (KEM) with conservative quantum security, in which ternary secrets and lattice coding are incorporated for higher computational and communication efficiency. However, its efficiencies are still much inferior to those of the structured LWE-based KEM, like ML-KEM (standardized by NIST). In this paper, we present a configurable hardware architecture for Scloud+.KEM to improve the computational efficiency. Many algorithmic and architectural co-optimizations are proposed to reduce the complexity and increase the degree of parallelism. Specially, the matrix multiplications are computed by a block in serial and the block is calculated in one cycle, without using any multipliers. In addition, the random bits all are generated by an unfolded Keccak core, well matched with the data flow required by the block matrix multiplier. The proposed design is coded in Verilog and implemented under the SMIC 40nm LP CMOS technology. The synthesized results show that Scloud+.KEM-128 only costs 23.0 $us$, 24.3 $us$, and 24.6 $us$ in the KeyGen, Encaps, and Decaps stages, respectively, with an area consumption of 0.69 $mm^2$, significantly narrowing the gap with the state-of-the-art of Kyber hardware implementation.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/496">2025/496</a> <a class="ms-2" href="/2025/496.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Shortcut2Secrets: A Table-based Differential Fault Attack Framework</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Weizhe Wang, Pierrick Méaux, and Deng Tang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-496" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-496" class="paper-abstract">Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}. The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher's filter function cannot be represented over the ring it is defined on. Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}. For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/495">2025/495</a> <a class="ms-2" href="/2025/495.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Security-Enhanced Pairing-Free Certificateless Aggregate Signature for Vehicular Ad-Hoc Networks, Revisited</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhengjun Cao and Lihua Liu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-495" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-495" class="paper-abstract">We show that the aggregate signature scheme [IEEE Syst. J., 2023, 17(3), 3822-3833] is insecure against forgery attack. This flaw is due to that the ephemeral key or ephemeral value chosen in the signing phase is not indeed bound to the final signature. An adversary can sign any message while the verifier cannot find the fraud. We also suggest a revising method to frustrate this attack.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1371">2024/1371</a> <a class="ms-2" href="/2024/1371.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">PIGEON: A High Throughput Framework for Private Inference of Neural Networks using Secure Multiparty Computation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Christopher Harth-Kitzerow, Yongqin Wang, Rachit Rajat, Georg Carle, and Murali Annavaram</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1371" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1371" class="paper-abstract">Privacy-Preserving Machine Learning (PPML) is one of the most relevant use cases for Secure Multiparty Computation (MPC). While private training of large neural networks such as VGG-16 or ResNet-50 on state-of-the-art datasets such as ImageNet is still out of reach, given the performance overhead of MPC, GPU-based MPC frameworks are starting to achieve practical runtimes for private inference. However, we show that, unlike plaintext machine learning, using GPU acceleration for both linear (e.g., convolutions) and nonlinear neural network layers (e.g., ReLU) is actually counterproductive in PPML. While GPUs effectively accelerate linear layers compared to CPU-based MPC implementations, the MPC circuits required to evaluate nonlinear layers introduce memory overhead and frequent data movement between the GPU and the CPU to handle network communication. This results in slow ReLU performance and high GPU memory requirements in state-of-the-art GPU-based PPML frameworks, hindering them from scaling to multiple images per second inference throughput and more than eight images per batch on ImageNet. To overcome these limitations, we propose PIGEON, an open-source framework for Private Inference of Neural Networks. PIGEON employs a novel ABG programming model that switches between Arithmetic Vectorization and Bitslicing on the CPU for nonlinear layers depending on the MPC-specific computation required while offloading linear layers to the GPU. Compared to the state-of-the-art PPML framework Piranha, PIGEON improves ReLU throughput by two orders of magnitude, reduces peak GPU memory utilization by one order of magnitude, and scales better with large batch sizes. This translates to one to two orders of magnitude improvements in throughput for large ImageNet batch sizes (e.g., 192) and more than 70% saturation of a 25 Gbit/s network.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/494">2025/494</a> <a class="ms-2" href="/2025/494.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Electromagnetic Side-Channel Analysis of PRESENT Lightweight Cipher</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Nilupulee A Gunathilake, Owen Lo, William J Buchanan, and Ahmed Al-Dubai</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-494" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-494" class="paper-abstract">Side-channel vulnerabilities pose an increasing threat to cryptographically protected devices. Consequently, it is crucial to observe information leakages through physical parameters such as power consumption and electromagnetic (EM) radiation to reduce susceptibility during interactions with cryptographic functions. EM side-channel attacks are becoming more prevalent. PRESENT is a promising lightweight cryptographic algorithm expected to be incorporated into Internet-of-Things (IoT) devices in the future. This research investigates the EM side-channel robustness of PRESENT using a correlation attack model. This work extends our previous Correlation EM Analysis (CEMA) of PRESENT with improved results. The attack targets the Substitution box (S-box) and can retrieve 8 bytes of the 10-byte encryption key with a minimum of 256 EM waveforms. This paper presents the process of EM attack modelling, encompassing both simple and correlation attacks, followed by a critical analysis.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/536">2024/536</a> <a class="ms-2" href="/2024/536.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Public-Algorithm Substitution Attacks: Subverting Hashing and Verification</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Mihir Bellare, Doreen Riepel, and Laura Shea</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-536" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2024-536" class="paper-abstract">Algorithm Substitution Attacks (ASAs) have traditionally targeted secretly-keyed algorithms (for example, symmetric encryption or signing) with the goal of undetectably exfiltrating the underlying key. We initiate work in a new direction, namely ASAs on algorithms that are public, meaning contain no secret-key material. Examples are hash functions, and verification algorithms of signature schemes or non-interactive arguments. In what we call a PA-SA (Public-Algorithm Substitution Attack), the big-brother adversary replaces the public algorithm $f$ with a subverted algorithm, while retaining a backdoor to the latter. Since there is no secret key to exfiltrate, one has to ask what a PA-SA aims to do. We answer this with definitions that consider big-brother's goal for the PA-SA to be three-fold: it desires utility (it can break an $f$-using scheme or application), undetectability (outsiders can't detect the substitution) and exclusivity (nobody other than big-brother can exploit the substitution). We start with a general setting in which $f$ is arbitrary, formalizing strong definitions for the three goals, and then give a construction of a PA-SA that we prove meets them. We use this to derive, as applications, PA-SAs on hash functions, signature verification and verification of non-interactive arguments, exhibiting new and effective ways to subvert these. As a further application of the first two, we give a PA-SA on X.509 TLS certificates. Our constructions serve to help defenders and developers identify potential attacks by illustrating how they might be built.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/493">2025/493</a> <a class="ms-2" href="/2025/493.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Tighter Concrete Security for the Simplest OT</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Iftach Haitner and Gil Segev</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-493" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-493" class="paper-abstract">The Chou-Orlandi batch oblivious transfer (OT) protocol is a particularly attractive OT protocol that bridges the gap between practical efficiency and strong security guarantees and is especially notable due to its simplicity. The security analysis provided by Chou and Orlandi bases the security of their protocol on the hardness of the computational Diffie-Hellman ($\mathsf{CDH}$) problem in prime-order groups. Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{CDH}$ problem, their security analysis yields that an attacker running in time $t$ and issuing $q$ random-oracle queries breaks the security of their protocol with probability at most $\epsilon \leq q^2 \cdot t / 2^{\kappa/2}$, where $\kappa$ is the bit-length of the group's order. This concrete bound, however, is somewhat insufficient for 256-bit groups (e.g., for $\kappa = 256$, it does not provide any guarantee already for $t = 2^{48}$ and $q = 2^{40}$). In this work, we establish a tighter concrete security bound for the Chou-Orlandi protocol. First, we introduce the list square Diffie-Hellman ($\ell\text{-}\mathsf{sqDH}$) problem and present a tight reduction from the security of the protocol to the hardness of solving $\ell\text{-}\mathsf{sqDH}$. That is, we completely shift the task of analyzing the concrete security of the protocol to that of analyzing the concrete hardness of the $\ell\text{-}\mathsf{sqDH}$ problem. Second, we reduce the hardness of the $\ell\text{-}\mathsf{sqDH}$ problem to that of the decisional Diffie-Hellman ($\mathsf{DDH}$) problem without incurring a multiplicative loss. Our key observation is that although $\mathsf{CDH}$ and $\mathsf{DDH}$ have the same assumed concrete hardness, relying on the hardness of $\mathsf{DDH}$ enables our reduction to efficiently test the correctness of the solutions it produces. Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{DDH}$ problem, our analysis yields that an attacker running in time $t$ and issuing $q \leq t$ random-oracle queries breaks the security of the Chou-Orlandi protocol with probability at most $\epsilon \leq t / 2^{\kappa/2}$ (i.e., we eliminate the above multiplicative $q^2$ term). We prove our results within the standard real-vs-ideal framework considering static corruptions by malicious adversaries, and provide a concrete security treatment by accounting for the statistical distance between a real-model execution and an ideal-model execution.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/492">2025/492</a> <a class="ms-2" href="/2025/492.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Endorser Peer Anonymization in Hyperledger Fabric for Consortium of Organizations</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Dharani J, Sundarakantham K, Kunwar Singh, and Mercy Shalinie S</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-492" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-492" class="paper-abstract">Hyperledger Fabric is a unique permissioned platform for implementing blockchain in a consortium. It has a distinct transaction flow of execute-order-validate. During the execution phase, a pre-determined set of endorsing peers execute a transaction and sign the transaction response. This process is termed endorsement. In the validation phase, peers validate the transaction with reference to an endorsement policy. The identity of the endorsing organizations is obtainable to all the nodes in the network through the endorser signature and endorsement policy. Knowing this has led to serious vulnerabilities in the blockchain network. In this paper, we propose a privacy-preserving endorsement system which conceals both endorser signature and endorsement policy. Endorser is anonymized by replacing the signature scheme with a scoped-linkable threshold ring signature scheme. Endorsement policy is secured using Pedersen commitments and non-interactive proof of knowledge of integer vector. We also achieve efficiency in the computation by employing non-interactive proof of co-prime roots. We provide the necessary security analysis to prove that the proposed work guarantees anonymity and unlinkability properties. A comparative analysis of our work with an existing framework is provided which shows that the proposed scheme offers higher level of security and it is optimal in terms of efficiency.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/491">2025/491</a> <a class="ms-2" href="/2025/491.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Blind Brother: Attribute-Based Selective Video Encryption</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Eugene Frimpong, Bin Liu, Camille Nuoskala, and Antonis Michalas</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-491" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-491" class="paper-abstract">The emergence of video streams as a primary medium for communication and the demand for high-quality video sharing over the internet have given rise to several security and privacy issues, such as unauthorized access and data breaches. To address these limitations, various Selective Video Encryption (SVE) schemes have been proposed, which encrypt specific portions of a video while leaving others unencrypted. The SVE approach balances security and usability, granting unauthorized users access to certain parts while encrypting sensitive content. However, existing SVE schemes adopt an all-or-nothing coarse-grain encryption approach, where a user with a decryption key can access all the contents of a given video stream. This paper proposes and designs a fine-grained access control-based selective video encryption scheme, ABSVE, and a use-case protocol called \protocol. Our scheme encrypts different identified Regions of Interest (ROI) with a unique symmetric key and applies a Ciphertext Policy Attribute Based Encryption (CP-ABE) scheme to tie these keys to specific access policies. This method provides multiple access levels for a single encrypted video stream. Crucially, we provide a formal syntax and security definitions for ABSVE, allowing for rigorous security analysis of this and similar schemes -- which is absent in prior works. Finally, we provide an implementation and evaluation of our protocol in the Kvazaar HEVC encoder. Overall, our constructions enhance security and privacy while allowing controlled access to video content and achieve comparable efficiency to compression without encryption.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1680">2024/1680</a> <a class="ms-2" href="/2024/1680.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Sunfish: Reading Ledgers with Sparse Nodes</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Giulia Scaffino, Karl Wüst, Deepak Maram, Alberto Sonnino, and Lefteris Kokoris-Kogias</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1680" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1680" class="paper-abstract">The increased throughput offered by modern blockchains, such as Sui, Aptos, and Solana, enables processing thousands of transactions per second, but it also introduces higher costs for decentralized application (dApp) developers who need to track and verify changes in the state of their application. This is true because dApp developers run full nodes, which download and re-execute every transaction to track the global state of the chain. However, this becomes prohibitively expensive for high-throughput chains due to high bandwidth, computational, and storage requirements. A common alternative is to use light nodes. However, light nodes only verify the inclusion of a set of transactions and have no guarantees that the set is complete, i.e., that includes all relevant transactions. Under a dishonest majority, light nodes can also be tricked into accepting invalid transactions. To bridge the gap between full and light nodes, we propose and formalize a new type of blockchain node: the sparse node. A sparse node tracks only a subset of the blockchain’s state: it verifies that the received set of transactions touching the substate is complete, and re-executes those transactions to assess their validity. A sparse node retains important security properties even under adversarial majorities, and requires an amount of resources proportional to the number of transactions in the substate and to the size of the substate itself. We further present Sunfish, an instantiation of a sparse node protocol. Our analysis and evaluation show that Sunfish reduces the bandwidth consumption and, in turn, the computational and storage resources, of real blockchain applications by several orders of magnitude when compared to a full node.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1712">2024/1712</a> <a class="ms-2" href="/2024/1712.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Efficient Updatable PSI from Asymmetric PSI and PSU</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Guowei Ling, Peng Tang, and Weidong Qiu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1712" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1712" class="paper-abstract">Private Set Intersection (PSI) allows two mutually untrusted parties to compute the intersection of their private sets without revealing additional information. In general, PSI operates in a static setting, where the computation is performed only once on the input sets of both parties. Badrinarayanan et al. initiated the study of Updatable PSI (UPSI), which extends this capability to dynamically updating sets, enabling both parties to securely compute the intersection as their sets are modified while incurring significantly less overhead than re-executing a conventional PSI. However, existing UPSI protocols either do not support arbitrary deletion of elements or incur high computational and communication overhead. This work combines asymmetric PSI with Private Set Union (PSU) to present a novel UPSI protocol, which supports arbitrary additions and deletions of elements, offering a flexible approach to update sets. Furthermore, our protocol enjoys efficient performance compared to previous work. Specifically, we implement our protocol and compare it against state-of-the-art conventional PSI and UPSI protocols. Experimental results demonstrate that our UPSI protocol achieves up to three orders of magnitude reduction in computational overhead and incurs $190 \sim 707 \times$ less communication overhead than the state-of-the-art UPSI protocol that supports arbitrary additions and deletions. Our implementation is available at: \url{https://github.com/ShallMate/upsi}.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/459">2025/459</a> <a class="ms-2" href="/2025/459.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Privacy and Security of FIDO2 Revisited</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Manuel Barbosa, Alexandra Boldyreva, Shan Chen, Kaishuo Cheng, and Luís Esquível</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-459" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-459" class="paper-abstract">We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web. We discuss previous works and conclude that each of them has at least one of the following limitations: (i) impractical trusted setup assumptions, (ii) security models that are inadequate in light of state of the art of practical attacks, (iii) not analyzing FIDO2 as a whole, especially for its privacy guarantees. Our work addresses these gaps and proposes revised security models for privacy and authentication. Equipped with our new models, we analyze FIDO2 modularly and focus on its component protocols, WebAuthn and CTAP2, clarifying their exact security guarantees. In particular, our results, for the first time, establish privacy guarantees for FIDO2 as a whole. Furthermore, we suggest minor modifications that can help FIDO2 provably meet stronger privacy and authentication definitions and withstand known and novel attacks.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/472">2025/472</a> <a class="ms-2" href="/2025/472.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Quantum Attacks on Sum of Even-Mansour Construction Utilizing Online Classical Queries</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhenqiang Li, Shuqin Fan, Fei Gao, Yonglin Hao, Hongwei Sun, Xichao Hu, and Dandan Li</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-472" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-472" class="paper-abstract">The Sum of Even-Mansour (SoEM) construction, proposed by Chen et al. at Crypto 2019, has become the basis for designing some symmetric schemes, such as the nonce-based MAC scheme $\text{nEHtM}_{p}$ and the nonce-based encryption scheme $\text{CENCPP}^{\ast}$. In this paper, we make the first attempt to study the quantum security of SoEM under the Q1 model where the targeted encryption oracle can only respond to classical queries rather than quantum ones. Firstly, we propose a quantum key recovery attack on SoEM21 with a time complexity of $\tilde{O}(2^{n/3})$ along with $O(2^{n/3})$ online classical queries. Compared with the current best classical result which requires $O(2^{2n/3})$, our method offers a quadratic time speedup while maintaining the same number of queries. The time complexity of our attack is less than that observed for quantum exhaustive search by a factor of $2^{n/6}$. We further propose classical and quantum key recovery attacks on the generalized SoEMs1 construction (consisting of $s\geq 2$ independent public permutations), revealing that the application of quantum algorithms can provide a quadratic acceleration over the pure classical methods. Our results also imply that the quantum security of SoEM21 cannot be strengthened merely by increasing the number of permutations.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/719">2024/719</a> <a class="ms-2" href="/2024/719.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Client-Efficient Online-Offline Private Information Retrieval</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Hoang-Dung Nguyen, Jorge Guajardo, and Thang Hoang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-719" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-719" class="paper-abstract">Private Information Retrieval (PIR) permits clients to query data entries from a public database hosted on untrusted servers while preserving client privacy. Traditional PIR models suffer from high computation and/or bandwidth overhead due to linear database processing for privacy. Recently, Online-Offline PIR (OO-PIR) has been proposed to improve PIR practicality by precomputing query-independent materials to accelerate online access. While state-of-the-art OO-PIR schemes (e.g., S&P’24, CRYPTO’23) successfully reduce online processing cost to sublinear levels, they still impose substantial bandwidth and storage burdens on the client, especially when operating on large databases. In this paper, we propose Pirex, a new two-server OO-PIR with semi-honest security that offers minimal client inbound bandwidth and storage cost while retaining the sublinear processing efficiency. The Pirex design is simple with most operations are naturally low-cost and streamlined (e.g., XOR, PRF, modular arithmetic). We have fully implemented Pirex and evaluated its real-world performance using commodity hardware. Our results showed that Pirex outperforms existing OO-PIR schemes by at least two orders of magnitude. With a 1 TB database, Pirex takes 55ms to retrieve a 4 KB entry, compared with 9-30s by state-of-the-art. For practical databases with billions of 4 KB entries, Pirex only takes 16 KB of inbound bandwidth, which is up to three orders of magnitude more efficient.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/038">2025/038</a> <a class="ms-2" href="/2025/038.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Cauchyproofs: Batch-Updatable Vector Commitment with Easy Aggregation and Application to Stateless Blockchains</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Zhongtang Luo, Yanxue Jia, Alejandra Victoria Ospina Gracia, and Aniket Kate</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-038" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-038" class="paper-abstract">Stateless blockchain designs have emerged to address the challenge of growing blockchain size using succinct global states. Previous works have developed vector commitments that support proof updates and aggregation to be used as such states. However, maintaining proofs for multiple users still demands significant computational resources, particularly to update proofs with every transaction. This paper introduces Cauchyproofs, a batch-updatable vector commitment that enables proof-serving nodes to efficiently update proofs in quasi-linear time relative to the number of users and transactions, utilizing an optimized KZG scheme to achieve complexity $O\left(\left(\left|\vec{\alpha}\right| + \left|\vec{\beta}\right|\right) \log^2 \left(\left|\vec{\alpha}\right| + \left|\vec{\beta}\right|\right)\right)$ for $\left|\alpha\right|$ users and $\left|\beta\right|$ transactions, compared to the previous $O\left(\left|\vec{\alpha}\right|\cdot\left|\vec{\beta}\right|\right)$ approaches. This advancement reduces the computational burden on proof-serving nodes, allowing efficient proof maintenance across large user groups. We demonstrate that our approach is approximately eight times faster than the naive approach at the Ethereum-level transaction throughput if we perform batch update every hour. Additionally, we present a novel matrix representation for KZG proofs utilizing Cauchy matrices, enabling faster all-proof computations with reduced elliptic curve operations. Finally, we propose an algorithm for history proof query, supporting retrospective proof generation with high efficiency. Our contributions substantially enhance the scalability and practicality of proof-serving nodes in stateless blockchain frameworks.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/490">2025/490</a> <a class="ms-2" href="/2025/490.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">PREAMBLE: Private and Efficient Aggregation of Block Sparse Vectors and Applications</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Hilal Asi, Vitaly Feldman, Hannah Keller, Guy N. Rothblum, and Kunal Talwar</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-490" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-490" class="paper-abstract">We revisit the problem of secure aggregation of high-dimensional vectors in a two-server system such as Prio. These systems are typically used to aggregate vectors such as gradients in private federated learning, where the aggregate itself is protected via noise addition to ensure differential privacy. Existing approaches require communication scaling with the dimensionality, and thus limit the dimensionality of vectors one can efficiently process in this setup. We propose PREAMBLE: Private Efficient Aggregation Mechanism for Block-sparse Euclidean Vectors. PREAMBLE is a novel extension of distributed point functions that enables communication- and computation-efficient aggregation of block-sparse vectors, which are sparse vectors where the non-zero entries occur in a small number of clusters of consecutive coordinates. We then show that PREAMBLE can be combined with random sampling and privacy amplification by sampling results, to allow asymptotically optimal privacy-utility trade-offs for vector aggregation, at a fraction of the communication cost. When coupled with recent advances in numerical privacy accounting, our approach incurs a negligible overhead in noise variance, compared to the Gaussian mechanism used with Prio.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/489">2025/489</a> <a class="ms-2" href="/2025/489.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Translating Between the Common Haar Random State Model and the Unitary Model</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Eli Goldin and Mark Zhandry</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-489" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-489" class="paper-abstract">Black-box separations are a cornerstone of cryptography, indicating barriers to various goals. A recent line of work has explored black-box separations for quantum cryptographic primitives. Namely, a number of separations are known in the Common Haar Random State (CHRS) model, though this model is not considered a complete separation, but rather a starting point. A few very recent works have attempted to lift these separations to a unitary separation, which are considered complete separations. Unfortunately, we find significant errors in some of these lifting results. We prove general conditions under which CHRS separations can be generically lifted, thereby giving simple, modular, and bug-free proofs of complete unitary separations between various quantum primitives. Our techniques allow for simpler proofs of existing separations as well as new separations that were previously only known in the CHRS model.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/060">2025/060</a> <a class="ms-2" href="/2025/060.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SoK: Multiparty Computation in the Preprocessing Model</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Shuang Sun and Eleftheria Makri</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-060" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-060" class="paper-abstract">Multiparty computation (MPC) allows a set of mutually distrusting parties to compute a function over their inputs, while keeping those inputs private. Most recent MPC protocols that are ready for real-world applications are based on the so-called preprocessing model, where the MPC is split into two phases: a preprocessing phase, where raw material, independent of the inputs, is produced; and an online phase, which can be efficiently computed, consuming this preprocessed material, when the inputs become available. However, the sheer number of protocols following this paradigm, makes it difficult to navigate through the literature. Our work aims at systematizing existing literature, (1) to make it easier for protocol developers to choose the most suitable preprocessing protocol for their application scenario; and (2) to identify research gaps, so as to give pointers for future work. We devise two main categories for the preprocessing model, which we term traditional and special preprocessing, where the former refers to preprocessing for general purpose functions, and the latter refers to preprocessing for specific functions. We further systematize the protocols based on the underlying cryptographic primitive they use, the mathematical structure they are based on, and for special preprocessing protocols also their target function. For each of the 41 presented protocols, we give the intuition behind their main technical contribution, and we analyze their security properties and relative performance.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1683">2024/1683</a> <a class="ms-2" href="/2024/1683.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Unclonable Functional Encryption</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Arthur Mehta and Anne Müller</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1683" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2024-1683" class="paper-abstract">In a functional encryption (FE) scheme, a user that holds a ciphertext and a function-key can learn the result of applying the function to the plaintext message. Security requires that the user does not learn anything beyond the function evaluation. We extend this notion to the quantum setting by providing definitions and a construction for a quantum functional encryption (QFE) scheme which allows for the evaluation of polynomialy-sized circuits on arbitrary quantum messages. Our construction is built upon quantum garbled circuits [BY22]. We also investigate the relationship of QFE to the seemingly unrelated notion of unclonable encryption (UE) and find that any QFE scheme universally achieves the property of unclonable functional encryption (UFE). In particular we assume the existence of an unclonable encryption scheme with quantum decryption keys which was recently constructed by [AKY24]. Our UFE guarantees that two parties cannot simultaneously recover the correct function outputs using two independently sampled function secret keys. As an application we give the first construction for public-key UE with variable decryption keys. Lastly, we establish a connection between quantum indistinguishability obfuscation (qiO) and quantum functional encryption (QFE); Showing that any multi-input indistinguishability-secure quantum functional encryption scheme unconditionally implies the existence of qiO.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/488">2025/488</a> <a class="ms-2" href="/2025/488.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Exploring General Cyclotomic Rings in Torus-Based Fully Homomorphic Encryption: Part I - Prime Power Instances</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Philippe Chartier, Michel Koskas, and Mohammed Lemou</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-488" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-488" class="paper-abstract">In the realm of fully homomorphic encryption on the torus, we investigate the algebraic manipulations essential for handling polynomials within cyclotomic rings characterized by prime power indices. This includes operations such as modulo reduction, computation of the trace operator, extraction, and the blind rotation integral to the bootstrapping procedure, all of which we reformulate within this mathematical framework.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/405">2025/405</a> <a class="ms-2" href="/2025/405.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Withdrawable signatures in Fiat-Shamir with aborts constructions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Ramses Fernandez</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-405" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-405" class="paper-abstract">This article presents an extension of the work performed by Liu, Baek and Susilo on withdrawable signatures to the Fiat-Shamir with aborts paradigm. We introduce an abstract construction, and provide security proofs for this proposal. As an instantiation, we provide a concrete construction for a withdrawable signature scheme based on Dilithium.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/473">2025/473</a> <a class="ms-2" href="/2025/473.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Cross-Platform Benchmarking of the FHE Libraries: Novel Insights into SEAL and OpenFHE</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Faneela, Jawad Ahmad, Baraq Ghaleb, Sana Ullah Jan, and William J Buchanan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-473" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-473" class="paper-abstract">The rapid growth of cloud computing and data-driven applications has amplified privacy concerns, driven by the increasing demand to process sensitive data securely. Homomorphic encryption (HE) has become a vital solution for addressing these concerns by enabling computations on encrypted data without revealing its contents. This paper provides a comprehensive evaluation of two leading HE libraries, SEAL and OpenFHE, examining their performance, usability, and support for prominent HE schemes such as BGV and CKKS. Our analysis highlights computational efficiency, memory usage, and scalability across Linux and Windows platforms, emphasizing their applicability in real-world scenarios. Results reveal that Linux outperforms Windows in computation efficiency, with OpenFHE emerging as the optimal choice across diverse cryptographic settings. This paper provides valuable insights for researchers and practitioners to advance privacy-preserving applications using FHE.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/487">2025/487</a> <a class="ms-2" href="/2025/487.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">webSPDZ: Versatile MPC on the Web</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Thomas Buchsteiner, Karl W. Koch, Dragos Rotaru, and Christian Rechberger</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-487" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-487" class="paper-abstract">Multi-party computation (MPC) has become increasingly practical in the last two decades, solving privacy and security issues in various domains, such as healthcare, finance, and machine learning. One big caveat is that MPC sometimes lacks usability since the knowledge barrier for regular users can be high. Users have to deal with, e.g., various CLI tools, private networks, and sometimes even must install many dependencies, which are often hardware-dependent. A solution to improve the usability of MPC is to build browser-based MPC engines where each party runs within a browser window. Two examples of such an MPC web engine are JIFF and the web variant of MPyC. Both support an honest majority with passive corruptions. $\texttt{webSPDZ}$: Our work brings one of the most performant and versatile general-purpose MPC engines, MP-SPDZ, to the web. MP-SPDZ supports ≥40 MPC protocols with different security models, enabling many security models on the web. To port MP-SPDZ to the web, we use Emscripten to compile MP-SPDZ’s C++ BackEnd to WebAssembly and upgrade the party communication for the browser (WebRTC or WebSockets). We call the new MPC web engine webSPDZ. As with the native versions of the mentioned MPC web engines, MPyC-Web and JIFF, webSPDZ outperforms them in our end-to-end experiments. We believe that webSPDZ brings forth many interesting and practically relevant use cases. Thus, webSPDZ pushes the boundaries of practical MPC: making MPC more usable and enabling it for a broader community.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/486">2025/486</a> <a class="ms-2" href="/2025/486.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On One-Shot Signatures, Quantum vs Classical Binding, and Obfuscating Permutations</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Omri Shmueli and Mark Zhandry</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-486" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-486" class="paper-abstract">One-shot signatures (OSS) were defined by Amos, Georgiou, Kiayias, and Zhandry (STOC'20). These allow for signing exactly one message, after which the signing key self-destructs, preventing a second message from ever being signed. While such an object is impossible classically, Amos et al observe that OSS may be possible using quantum signing keys by leveraging the no-cloning principle. OSS has since become an important conceptual tool with many applications in decentralized settings and for quantum cryptography with classical communication. OSS are also closely related to separations between classical-binding and collapse-binding for post-quantum hashing and commitments. Unfortunately, the only known OSS construction due to Amos et al. was only justified in a classical oracle model, and moreover their justification was ultimately found to contain a fatal bug. Thus, the existence of OSS, even in a classical idealized model, has remained open. We give the first standard-model OSS, with provable security assuming (sub-exponential) indistinguishability obfuscation (iO) and LWE. This also gives the first standard-model separation between classical and collapse-binding post-quantum commitments/hashing, solving a decade-old open problem. Along the way, we also give the first construction with unconditional security relative to a classical oracle. To achieve our standard-model construction, we develop a notion of permutable pseudorandom permutations (permutable PRPs), and show how they are useful for translating oracle proofs involving random permutations into obfuscation-based proofs. In particular, obfuscating permutable PRPs gives a trapdoor one-way permutation that is $\textit{full-domain}$, solving another decade-old-problem of constructing this object from (sub-exponential) iO and one-way functions.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/484">2025/484</a> <a class="ms-2" href="/2025/484.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP Redaction</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Rui Guo, M Sazadur Rahman, Jingbo Zhou, Hadi M Kamali, Fahim Rahman, Farimah Farahmandi, and Mark Tehranipoor</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-484" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-484" class="paper-abstract">Hardware obfuscation is an active trustworthy design technique targeting threats in the IC supply chain, such as IP piracy and overproduction. Recent research on Intellectual Property (IP) protection technologies suggests that using embedded reconfigurable components (e.g., eFPGA redaction) could be a promising approach to hide the functional and structural information of security-critical designs. However, such techniques suffer from almost prohibitive overhead in terms of area, power, delay, and testability. This paper proposes an obfuscation technique called EvoLUTe+, which is a unique and more fine-grained redaction approach using smaller reconfigurable components (e.g., Look-Up Tables (LUTs)). EvoLUTe+ achieves fine-grained partitioning, sub-circuit coloring, and scoring of IP, and then encrypts the original IP through the substitution of some sub-circuits. Different attacks are used to test the robustness of EvoLUTe+, including structural and machine learning attacks, as well as Bounded Model Checking (BMC) attacks. The overhead of the obfuscation design is also analyzed. Experimental results demonstrate that EvoLUTe+ exhibits robustness with acceptable overhead while resisting such threat models.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/483">2025/483</a> <a class="ms-2" href="/2025/483.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Adaptively Secure Threshold Blind BLS Signatures and Threshold Oblivious PRF</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Stanislaw Jarecki and Phillip Nazarian</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-483" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-483" class="paper-abstract">We show the first threshold blind signature scheme and threshold Oblivious PRF (OPRF) scheme which remain secure in the presence of an adaptive adversary, who can adaptively decide which parties to corrupt throughout the lifetime of the scheme. Moreover, our adaptively secure schemes preserve the minimal round complexity and add only a small computational overhead over prior solutions that offered security only for a much less realistic static adversary, who must choose the subset of corrupted parties before initializing the protocol. Our threshold blind signature scheme computes standard BLS signatures while our threshold OPRF computes a very efficient "2HashDH" OPRF [JKK14]. We prove adaptive security of both schemes in the Algebraic Group Model (AGM). Our adaptively secure threshold schemes are as practical as the underlying standard single-server BLS blind signature and 2HashDH OPRF, and they can be used to add cryptographic fault-tolerance and decentralize trust in any system that relies on blind signatures, like anonymous credentials and e-cash, or on OPRF, like the OPAQUE password authentication and the Privacy Pass anonymous authentication scheme, among many others.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/482">2025/482</a> <a class="ms-2" href="/2025/482.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">An Efficient Sequential Aggregate Signature Scheme with Lazy Verification</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Arinjita Paul, Sabyasachi Dutta, Kouichi Sakurai, and C. Pandu Rangan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-482" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-482" class="paper-abstract">A sequential aggregate signature scheme (SAS) allows multiple potential signers to sequentially aggregate their respective signatures into a single compact signature. Typically, verification of a SAS signatures requires access to all messages and public key pairs utilized in the aggregate generation. However, efficiency is crucial for cryptographic protocols to facilitate their practical implementation. To this end, we propose a sequential aggregate signature scheme with lazy verification for a set of user-message pairs, allowing the verification algorithm to operate without requiring access to all messages and public key pairs in the sequence. This construction is based on the RSA assumption in the random oracle model and is particularly beneficial in resource constrained applications that involve forwarding of authenticated information between parties, such as certificate chains. As an extension of this work, we introduce the notion of sequentially aggregatable proxy re-signatures that enables third parties or proxies to transform aggregatable signatures under one public key to another, useful in applications such as sharing web certificates and authentication of network paths. We also present a construction of a sequential aggregate proxy re-signature scheme, secure in the random oracle model, based on the RSA assumption, which may be of independent interest.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/481">2025/481</a> <a class="ms-2" href="/2025/481.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">RHQC: post-quantum ratcheted key exchange from coding assumptions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Julien Juaneda , Marina Dehez-Clementi, Jean-Christophe Deneuville, and Jérôme Lacan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-481" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-481" class="paper-abstract">Key Exchange mechanisms (KE or KEMs) such as the Diffie-Hellman protocol have proved to be a cornerstone conciliating the efficiency of symmetric encryption and the practicality of public key primitives. Such designs however assume the non-compromission of the long term asymmetric key in use. To relax this strong security assumption, and allow for modern security features such as Perfect Forward Secrecy (PFS) or Post Compromise Security (PCS), Ratcheted-KE (RKE) have been proposed. This work proposes to turn the Hamming Quasi-Cyclic (HQC) cryptosystem into such a Ratcheted-KE, yielding the first code-based such construction. Interestingly, our design allows indifferently one party to update the key on-demand rather than the other, yielding a construction called bi-directional RKE, which compares favorably to generic transformations. Finally, we prove that the resulting scheme satisfies the usual correctness and key-indistinguishability properties, and suggest concrete sets of parameters, assuming different real-life use cases.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/480">2025/480</a> <a class="ms-2" href="/2025/480.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Worst-case Analysis of Lattice Enumeration Algorithm over Modules</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Jiseung Kim, Changmin Lee, and Yongha Son</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-480" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-480" class="paper-abstract">This paper presents a systematic study of module lattices. We extend the lattice enumeration algorithm from Euclidean lattices to module lattices, providing a generalized framework. To incorporate the refined analysis by Hanrot and Stehlè (CRYPTO'07), we adapt key definitions from Euclidean lattices, such as HKZ-reduced bases and quasi-HKZ-reduced bases, adapting them to the pseudo-basis of modules. Furthermore, we revisit the lattice profile, a crucial aspect of enumeration algorithm analysis, and extend its analysis to module lattices. As a result, we improve the asymptotic performance of the module lattice enumeration algorithm and module-SVP. For instance, let $K = \mathbb{Q}[x]/\langle x^d + 1\rangle$ be a number field with a power-of-two integer $d$, and suppose that $n\ln n = o(\ln d)$. Then, the nonzero shortest vector in $M \subset K^n$ can be found in time $d^{\frac{d}{2e} + o(d)}$, improving upon the previous lattice enumeration bound of $(nd)^{\frac{nd}{2e}+ o(nd)}$. Our algorithm naturally extends to solving ideal-SVP. Given an ideal $I \subset R$, where $R = \mathbb{Z}[x]/\langle x^t + 1 \rangle$ with a power-of-two integer $t = nd$, we can find the nonzero shortest element of $I$ in time $\exp(O(\frac{t}{2e} \ln \ln t))$, improving upon the previous enumeration bound of $\exp(O(\frac{t}{2e} \ln t))$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/370">2025/370</a> <a class="ms-2" href="/2025/370.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Simple Public Key Anamorphic Encryption and Signature using Multi-Message Extensions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Shalini Banerjee, Tapas Pal, Andy Rupp, and Daniel Slamanig</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-370" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-370" class="paper-abstract">Anamorphic encryption (AE) considers secure communication in the presence of a powerful surveillant (typically called a ''dictator'') who only allows certain cryptographic primitives and knows all the secret keys in a system. The basic idea is that there is a second (anamorphic) mode of encryption that allows to transmit an anamorphic message using a double key to a receiver that can decrypt this message using a double key. From the point of view of the dictator the encryption keys as well as the ciphertexts in the regular and anamorphic mode are indistinguishable. The most recent works in this field consider public key anamorphic encryption (PKAE), i.e., the sender of an anamorphic message requires an encryption double key (or no key at all) and the receiver requires a decryption double key. Known constructions, however, either work only for schemes that are mostly of theoretical interest or come with conceptual limitations. In this paper we ask whether we can design such PKAE schemes without such limitations and being closer to PKE schemes used in practice. In fact, such schemes are more likely to be allowed by a cognizant dictator. Moreover, we initiate the study of identity-based anamorphic encryption (IBAE), as the IBE setting seems to be a natural choice for a dictator. For both PKAE and IBAE, we show how well-known IND-CPA and IND-CCA secure primitives can be extended by an anamorphic encryption channel. In contrast to previous work, we additionally consider CCA (rather than just CPA) security notions for the anamorphic channel and also build upon CPA (rather than just CCA) secure PKE. Finally, we ask whether it is possible to port the recent concept of anamorphic signatures, which considers constructing symmetric anamorphic channels in case only signature schemes are allowed by the dictator, to the asymmetric setting, which we denote by public-key anamorphic signatures (PKAS). Also here we consider security beyond IND-CPA for the anamorphic channel.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/385">2025/385</a> <a class="ms-2" href="/2025/385.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">MERCURY: A multilinear Polynomial Commitment Scheme with constant proof size and no prover FFTs</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Liam Eagen and Ariel Gabizon</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-385" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-385" class="paper-abstract">We construct a pairing-based polynomial commitment scheme for multilinear polynomials of size $n$ where constructing an opening proof requires $O(n)$ field operations, and $2n+O(\sqrt n)$ scalar multiplications. Moreover, the opening proof consists of a constant number of field elements. This is a significant improvement over previous works which would require either 1. $O(n\log n)$ field operations; or 2. $O(\log n)$ size opening proof. The main technical component is a new method of verifiably folding a witness via univariate polynomial division. As opposed to previous methods, the proof size and prover time remain constant *regardless of the folding factor*.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2021/1405">2021/1405</a> <a class="ms-2" href="/2021/1405.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Leaking Arbitrarily Many Secrets: Any-out-of-Many Proofs and Applications to RingCT Protocols</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Tianyu Zheng, Shang Gao, Yubo Song, and Bin Xiao</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2021-1405" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2021-1405" class="paper-abstract">Ring Confidential Transaction (RingCT) protocol is an effective cryptographic component for preserving the privacy of cryptocurrencies. However, existing RingCT protocols are instantiated from one-out-of-many proofs with only one secret, leading to low efficiency and weak anonymity when handling transactions with multiple inputs. Additionally, current partial knowledge proofs with multiple secrets are neither secure nor efficient to be applied in a RingCT protocol. In this paper, we propose a novel \emph{any-out-of-many proof}, a logarithmic-sized zero-knowledge proof scheme for showing the knowledge of arbitrarily many secrets out of a public list. Unlike other partial knowledge proofs that have to reveal the number of secrets [ACF21], our approach proves the knowledge of multiple secrets without leaking the exact number of them. Furthermore, we improve the efficiency of our method with a generic inner-product transformation to adopt the Bulletproofs compression [BBB+18], which reduces the proof size to $2 \lceil \log_2(N) \rceil \! + \! 9$. Based on our proposed proof scheme, we further construct a compact RingCT protocol for privacy cryptocurrencies, which can provide a logarithmic-sized communication complexity for transactions with multiple inputs. More importantly, as the only known RingCT protocol instantiated from the partial knowledge proofs, our protocol can achieve the highest anonymity level compared with other approaches like Omniring [LRR+19]. For other applications, such as multiple ring signatures, our protocol can also be applied with some modifications. We believe our techniques are also applicable in other privacy-preserving scenarios, such as multiple ring signatures and coin-mixing in the blockchain.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/479">2025/479</a> <a class="ms-2" href="/2025/479.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Post Quantum Migration of Tor</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Denis Berger, Mouad Lemoudden, and William J Buchanan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-479" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-479" class="paper-abstract">Shor's and Grover's algorithms' efficiency and the advancement of quantum computers imply that the cryptography used until now to protect one's privacy is potentially vulnerable to retrospective decryption, also known as harvest now, decrypt later attack in the near future. This dissertation proposes an overview of the cryptographic schemes used by Tor, highlighting the non-quantum-resistant ones and introducing theoretical performance assessment methods of a local Tor network. The measurement is divided into three phases. We will start with benchmarking a local Tor network simulation on constrained devices to isolate the time taken by classical cryptography processes. Secondly, the analysis incorporates existing benchmarks of quantum-secure algorithms and compares these performances on the devices. Lastly, the estimation of overhead is calculated by replacing the measured times of traditional cryptography with the times recorded for Post Quantum Cryptography (PQC) execution within the specified Tor environment. By focusing on the replaceable cryptographic components, using theoretical estimations, and leveraging existing benchmarks, valuable insights into the potential impact of PQC can be obtained without needing to implement it fully.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2022/084">2022/084</a> <a class="ms-2" href="/2022/084.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Token meets Wallet: Formalizing Privacy and Revocation for FIDO2</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Lucjan Hanzlik, Julian Loss, and Benedikt Wagner</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2022-084" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2022-084" class="paper-abstract">The FIDO2 standard is a widely-used class of challenge-response type protocols that allows to authenticate to an online service using a hardware token. Barbosa et al. (CRYPTO `21) provided the first formal security model and analysis for the FIDO2 standard. However, their model has two shortcomings: (1) It does not include privacy, one of the key features claimed by FIDO2. (2) It only covers tokens that store {all secret keys locally}. In contrast, due to limited memory, most existing FIDO2 tokens either derive all secret keys from a common seed or store keys on the server (the latter approach is also known as {key wrapping}). In this paper, we revisit the security of the WebAuthn component of FIDO2 as implemented in practice. Our contributions are as follows. (1) We adapt the model of Barbosa et al. so as to capture authentication tokens using key derivation or key wrapping. (2) We provide the {first formal definition of privacy for the WebAuthn component of FIDO2}. We then prove the privacy of this component in common FIDO2 token implementations if the underlying building blocks are chosen appropriately. (3) We address the unsolved problem of {global key revocation} in FIDO2. To this end, we introduce and analyze a simple revocation procedure that builds on the popular BIP32 standard used in cryptocurrency wallets and can efficiently be implemented with existing FIDO2 servers.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/478">2025/478</a> <a class="ms-2" href="/2025/478.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Attacking Single-Cycle Ciphers on Modern FPGAs featuring Explainable Deep Learning</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Mustafa Khairallah and Trevor Yap</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-478" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-478" class="paper-abstract">In this paper, we revisit the question of key recovery using side-channel analysis for unrolled, single-cycle block ciphers. In particular, we study the Princev2 cipher. While it has been shown vulnerable in multiple previous studies, those studies were performed on side-channel friendly ASICs or older FPGAs (e.g., Xilinx Virtex II on the SASEBO-G board), and using mostly expensive equipment. We start with the goal of exploiting a cheap modern FPGA and board using power traces from a cheap oscilloscope. Particularly, we use Xilinx Artix 7 on the Chipwhisperer CW305 board and PicoScope 5000A, respectively. We split our study into three parts. First, we show that the new set-up still exhibits easily detectable leakage, using a non-specific t-test. Second, we replicate attacks from older FPGAs. Namely, we start with the attack by Yli-Mäyry et al., which is a simple chosen plaintext correlation power analysis attack using divide and conquer. However, we demonstrate that even this simple, powerful attack does not work, demonstrating a peculiar behavior. We study this behavior using a stochastic attack that attempts to extract the leakage model, and we show that models over a small part of the state are inconsistent and depend on more key bits than what is expected. We also attempt classical template attacks and get similar results. To further exploit the leakage, we employ deep learning techniques and succeed in key recovery, albeit using a large number of traces. We perform the explainability technique called Key Guessing Occlusion (KGO) to detect which points the neural networks exploit. When we use these points as features for the classical template attack, although it did not recover the secret key, its performance improves compared to other feature selection techniques.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/477">2025/477</a> <a class="ms-2" href="/2025/477.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Note on the Advanced Use of the Tate Pairing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Krijn Reijnders</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-477" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-477" class="paper-abstract">This short note explains how the Tate pairing can be used to efficiently sample torsion points with precise requirements, and other applications. These applications are most clearly explained on Montgomery curves, using the Tate pairing of degree 2, but hold more generally for any degree or abelian variety, or even generalized Tate pairings. This note is explanatory in nature; it does not contain new results, but aims to provide a clear and concise explanation of results in the literature that are somewhat hidden, yet are extremely useful in practical isogeny-based cryptography.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1915">2024/1915</a> <a class="ms-2" href="/2024/1915.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">MUTLISS: a protocol for long-term secure distributed storage over multiple remote QKD networks</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Thomas Prévost, Olivier Alibart, Anne Marin, and Marc Kaplan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1915" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1915" class="paper-abstract">We introduce MULTISS, a new distributed storage protocol over multiple remote Quantum Key Distribution (QKD) networks that ensures long-term data confidentiality. Our protocol extends LINCOS, a secure storage protocol that uses Shamir secret sharing to distribute data in a single QKD network. Instead MULTISS uses a hierarchical secret scheme that makes certain shares mandatory for the reconstruction of the original secret. We prove that MULTISS ensures that the stored data remain secure even if an eavesdropper (1) gets full access to all storage servers of some of the QKD networks or (2) stores and breaks later all the classical communication between the QKD networks. We demonstrate that this is strictly more secure than LINCOS which is broken as soon as one QKD network is compromised. Our protocol, like LINCOS, has a procedure to update the shares stored in each QKD network without reconstructing the original data. In addition, we provide a procedure to recover from a full compromission of one of the QKD network. In particular, we introduce a version of the protocol that can only be implemented over a restricted network topologies, but minimizes the communication required in the recovery procedure. In practice, the MULTISS protocol is designed for the case of several QKD networks at the metropolitan scale connected to each other through channels secured by classical cryptography. Hence, MULTISS offers a secure distributed storage solution in a scenario that is compatible with the current deployment of quantum networks.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/225">2025/225</a> <a class="ms-2" href="/2025/225.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">“Check-Before-you-Solve”: Verifiable Time-lock Puzzles</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Jiajun Xin and Dimitrios Papadopoulos</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-225" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-225" class="paper-abstract">Time-lock puzzles are cryptographic primitives that guarantee to the generator that the puzzle cannot be solved in less than $\mathcal{T}$ sequential computation steps. They have recently found numerous applications, e.g., in fair contract signing and seal-bid auctions. However, solvers have no a priori guarantee about the solution they will reveal, e.g., about its ``usefulness'' within a certain application scenario. In this work, we propose verifiable time-lock puzzles (VTLPs) that address this by having the generator publish a succinct proof that the solution satisfies certain properties (without revealing anything else about it). Hence solvers are now motivated to ``commit'' resources into solving the puzzle. We propose VTLPs that support proving arbitrary NP relations $\mathcal{R}$ about the puzzle solution. At a technical level, to overcome the performance hurdles of the ``naive'' approach of simply solving the puzzle within a SNARK that also checks $\mathcal{R}$, our scheme combines the ``classic'' RSA time-lock puzzle of Rivest, Shamir, and Wagner, with novel building blocks for ``offloading'' expensive modular group exponentiations and multiplications from the SNARK circuit. We then propose a second VTLP specifically for checking RSA-based signatures and verifiable random functions (VRFs). Our second scheme does not rely on a SNARK and can have several applications, e.g., in the context of distributed randomness generation. Along the road, we propose new constant-size proofs for modular exponent relations over hidden-order groups that may be of independent interest. Finally, we experimentally evaluate the performance of our schemes and report the findings and comparisons with prior approaches.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/476">2025/476</a> <a class="ms-2" href="/2025/476.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A note on "industrial blockchain threshold signatures in federated learning for unified space-air-ground-sea model training"</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhengjun Cao and Lihua Liu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-476" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-476" class="paper-abstract">We show that the threshold signature scheme [J. Ind. Inf. Integr. 39: 100593 (2024)] is insecure against forgery attack. An adversary can find an efficient signing algorithm functionally equivalent to the valid signing algorithm, so as to convert the legitimate signature $(sig, s, r_x)$ of message $m$ into a valid signature $(sig, s, r_x')$ of any message $m'$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/445">2025/445</a> <a class="ms-2" href="/2025/445.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A proof of P≠NP (New symmetric encryption algorithm against any linear attacks and differential attacks)</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Gao Ming</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-445" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-445" class="paper-abstract">P vs NP problem is the most important unresolved problem in the field of computational complexity. Its impact has penetrated into all aspects of algorithm design, especially in the field of cryptography. The security of cryptographic algorithms based on short keys depends on whether P is equal to NP. In fact, Shannon strictly proved that the one-time-pad system meets unconditional security, but because the one-time-pad system requires the length of key to be at least the length of plaintext, how to transfer the key is a troublesome problem that restricts the use of the one-time-pad system in practice. Cryptography algorithms used in practice are all based on short key, and the security of the short key mechanism is ultimately based on one-way assumption. In fact, the existence of one-way function can directly lead to the important conclusion P≠NP. In this paper, we originally constructed a short-key block cipher algorithm. The core feature of this algorithm is that for any block, when a plaintext-ciphertext pair is known, any key in the key space is valid, that is, for each block, the plaintext-ciphertext pair and the key are independence, and the independence between blocks is also easy to construct. This feature is completely different from all existing short-key cipher algorithms. Based on the above feature, we construct a problem and theoretically prove that the problem satisfies the properties of one-way functions, thereby solving the problem of the existence of one-way functions, that is, directly proving that P≠NP.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1776">2024/1776</a> <a class="ms-2" href="/2024/1776.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">An efficient collision attack on Castryck-Decru-Smith’s hash function</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Ryo Ohashi and Hiroshi Onuki</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1776" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2024-1776" class="paper-abstract">In 2020, Castryck-Decru-Smith constructed a hash function using the (2,2)-isogeny graph of superspecial principally polarized abelian surfaces. In their construction, the initial surface was chosen from vertices quite "close" to the square of a supersingular elliptic curve with a known endomorphism ring. In this paper, we propose an algorithm for recovering a collision on their hash function. Under some heuristic assumptions, the time complexity and space complexity of our algorithm are estimated to be $\widetilde{O}(p^{3/10})$ which is smaller than the complexity $\widetilde{O}(p^{3/2})$ the authors had claimed necessary to recover such a collision, where $p$ is the characteristic of the base field. In particular case where $p$ has a special form, then both the time and space complexities of our algorithm are polynomial in $\log{p}$. We implemented our algorithm in MAGMA, and succeeded in recovering a collision in 17 hours (using 64 parallel computations) under a parameter setting the authors had claimed to be 384-bit secure. Finally, we propose a simple countermeasure against our attack, which is expected to restore the complexity required to recover a collision to $\widetilde{O}(p)$ currently.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/078">2025/078</a> <a class="ms-2" href="/2025/078.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest, and Rolfe Schmidt</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-078" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-078" class="paper-abstract">Secure Messaging apps have seen growing adoption, and are used by billions of people daily. However, due to imminent threat of a "Harvest Now, Decrypt Later" attack, secure messaging providers must react know in order to make their protocols $\textit{hybrid-secure}$: at least as secure as before, but now also post-quantum (PQ) secure. Since many of these apps are internally based on the famous Signal's Double-Ratchet (DR) protocol, making Signal hybrid-secure is of great importance. In fact, Signal and Apple already put in production various Signal-based variants with certain levels of hybrid security: PQXDH (only on the initial handshake), and PQ3 (on the entire protocol), by adding a $\textit{PQ-ratchet}$ to the DR protocol. Unfortunately, due to the large communication overheads of the $\mathsf{Kyber}$ scheme used by PQ3, real-world PQ3 performs this PQ-ratchet approximately every 50 messages. As we observe, the effectiveness of this amortization, while reasonable in the best-case communication scenario, quickly deteriorates in other still realistic scenarios; causing $\textit{many consecutive}$ (rather than $1$ in $50$) re-transmissions of the same $\mathsf{Kyber}$ public keys and ciphertexts (of combined size 2272 bytes!). In this work we design a new Signal-based, hybrid-secure secure messaging protocol, which significantly reduces the communication complexity of PQ3. We call our protocol "the $\textit{Triple Ratchet}$" (TR) protocol. First, TR uses $\textit{em erasure codes}$ to make the communication inside the PQ-ratchet provably balanced. This results in much better $\textit{worst-case}$ communication guarantees of TR, as compared to PQ3. Second, we design a novel "variant" of $\mathsf{Kyber}$, called $\mathsf{Katana}$, with significantly smaller combined length of ciphertext and public key (which is the relevant efficiency measure for "PQ-secure ratchets"). For 192 bits of security, $\mathsf{Katana}$ improves this key efficiency measure by over 37%: from 2272 to 1416 bytes. In doing so, we identify a critical security flaw in prior suggestions to optimize communication complexity of lattice-based PQ-ratchets, and fix this flaw with a novel proof relying on the recently introduced hint MLWE assumption. During the development of this work we have been in discussion with the Signal team, and they are actively evaluating bringing a variant of it into production in a future iteration of the Signal protocol.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/309">2025/309</a> <a class="ms-2" href="/2025/309.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Unified Treatment of Anamorphic Encryption</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Wonseok Choi, Daniel Collins, Xiangyu Liu, and Vassilis Zikas</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-309" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-309" class="paper-abstract">Receiver anamorphic encryption (hereafter anamorphic encryption), introduced by Persiano et al. at Eurocrypt 2022, allows for a double message to be symmetrically hidden in a public-key encryption ciphertext via a pre-shared -double key-. In anamorphic encryption, confidentiality must be preserved even if the adversary (or the -dictator-) has access to all regular keys. It has been the subject of several works since its introduction that explore tweaks and extensions to the core primitive. However, this study has not been systematic, and so disparate security notions have been proposed, for which their relationships are not clear. Moreover, there are clear gaps in the literature, including in the treatment of chosen-ciphertext attacks. In this work, we conduct a systematic study of receiver anamorphic encryption. We unify existing security notions and propose several new ones, and prove implications and separations between them. Our main findings are as follows. First, we identify gaps in previous security notions against an anamorphic -sender-, namely an adversary who is given the double key, and propose three new security notions to bridge these gaps. We also identify several gaps in the treatment of chosen-ciphertext attacks, a setting only very recently considered in anamorphic cryptography (Jaeger and Stracovsky, Asiacrypt 2024). Moreover, observing that no previous construction achieves all desirable security properties in this setting, we propose a suitable construction that does. Finally, we propose several security notions for -asymmetric- anamorphic encryption, and explore the case here where the dictator and the anamorphic sender collude.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1988">2024/1988</a> <a class="ms-2" href="/2024/1988.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">BitGC: Garbled Circuits with 1 Bit per Gate</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Hanlin Liu, Xiao Wang, Kang Yang, and Yu Yu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1988" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2024-1988" class="paper-abstract">We present BitGC, a garbling scheme for Boolean circuits with 1 bit per gate communication based on either ring learning with errors (RLWE) or NTRU assumption, with key-dependent message security. The garbling consists of 1) a homomorphically encrypted seed that can be expanded to encryption of many pseudo-random bits and 2) one-bit stitching information per gate to reconstruct garbled tables from the expanded ciphertexts. By using low-complexity PRGs, both the garbling and evaluation of each gate require only O(1) homomorphic addition/multiplication operations without bootstrapping.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/475">2025/475</a> <a class="ms-2" href="/2025/475.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">HammR: A ZKP Protocol for Fixed Hamming-Weight Restricted-Entry Vectors</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Felice Manganiello and Freeman Slaughter</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-475" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-475" class="paper-abstract">In this paper, we introduce $\mathsf{HammR}$, a generic Zero-Knowledge Proof (ZKP) protocol demonstrating knowledge of a secret vector that has a fixed Hamming weight with entries taken from a shifted multiplicative group. As special cases, we are able to directly apply this protocol to restricted vectors and to rank-1 vectors, which are vectors with entries that lie in a dimension one subspace of $\mathbb{F}_q$. We show that these proofs can be batched with low computational overhead, and further prove that this general framework is complete, sound, and zero-knowledge, thus truly a genuine ZKP. Finally, we present applications of $\mathsf{HammR}$ to various Syndrome Decoding Problems, including the Regular and Restricted SDPs, as well as other implementations such as lookup instances, proof of proximity, and electronic voting protocols.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/474">2025/474</a> <a class="ms-2" href="/2025/474.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Black-Box Constant-Round Secure 2PC with Succinct Communication</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Michele Ciampi, Ankit Kumar Misra, Rafail Ostrovsky, and Akash Shah</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-474" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-474" class="paper-abstract">The most fundamental performance metrics of secure multi-party computation (MPC) protocols are related to the number of messages the parties exchange (i.e., round complexity), the size of these messages (i.e., communication complexity), and the overall computational resources required to execute the protocol (i.e., computational complexity). Another quality metric of MPC protocols is related to the black-box or non-black-box use of the underlying cryptographic primitives. Indeed, the design of black-box MPC protocols, other than being of theoretical interest, usually can lead to protocols that have better computational complexity. In this work, we aim to optimize the round and communication complexity of black-box secure multi-party computation in the plain model, by designing a constant-round two-party computation protocol in the malicious setting, whose communication complexity is only polylogarithmic in the size of the function being evaluated. We successfully design such a protocol, having only black-box access to fully homomorphic encryption, trapdoor permutations, and hash functions. To the best of our knowledge, our protocol is the first to make black-box use of standard cryptographic primitives while achieving almost asymptotically optimal communication and round complexity.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/120">2025/120</a> <a class="ms-2" href="/2025/120.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Module Learning with Errors with Truncated Matrices</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Katharina Boudgoust and Hannah Keller</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-120" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-120" class="paper-abstract">The Module Learning with Errors ($\mathsf{MLWE}$) problem is one of the most commonly used hardness assumption in lattice-based cryptography. In its standard version, a matrix $\mathbf{A}$ is sampled uniformly at random over a quotient ring $R_q$, as well as noisy linear equations in the form of $\mathbf{A} \mathbf{s}+ \mathbf{e} \bmod q$, where $\mathbf{s}$ is the secret, sampled uniformly at random over $R_q$, and $\mathbf{e}$ is the error, coming from a Gaussian distribution. Many previous works have focused on variants of $\mathsf{MLWE}$, where the secret and/or the error are sampled from different distributions. Only few works have focused on different distributions for the matrix $\mathbf{A}$. One variant proposed in the literature is to consider matrix distributions where the low-order bits of a uniform $\mathbf{A}$ are deleted. This seems a natural approach in order to save in bandwidth. We call it truncated $\mathsf{MLWE}$. In this work, we show that the hardness of standard $\mathsf{MLWE}$ implies the hardness of truncated $\mathsf{MLWE}$, both for search and decision versions. Prior works only covered the search variant and relied on the (module) $\mathsf{NTRU}$ assumption, limitations which we are able to overcome. Overall, we provide two approaches, offering different advantages. The first uses a general Rényi divergence argument, applicable to a wide range of secret/error distributions, but which only works for the search variants of (truncated) $\mathsf{MLWE}$. The second applies to the decision versions, by going through an intermediate variant of $\mathsf{MLWE}$, where additional hints on the secret are given to the adversary. However, the reduction makes use of discrete Gaussian distributions.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/471">2025/471</a> <a class="ms-2" href="/2025/471.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Practical Tutorial on Deep Learning-based Side-channel Analysis</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Sengim Karayalcin, Marina Krcek, and Stjepan Picek</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-471" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-471" class="paper-abstract">This tutorial provides a practical introduction to Deep Learning-based Side-Channel Analysis (DLSCA), a powerful approach for evaluating the security of cryptographic implementations. Leveraging publicly available datasets and a Google Colab service, we guide readers through the fundamental steps of DLSCA, offering clear explanations and code snippets. We focus on the core DLSCA framework, providing references for more advanced techniques, and address the growing interest in this field driven by emerging standardization efforts like AIS 46. This tutorial is designed to be accessible to researchers, students, and practitioners seeking to learn practical DLSCA techniques and improve the security of cryptographic systems.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/470">2025/470</a> <a class="ms-2" href="/2025/470.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On Deniable Authentication against Malicious Verifiers</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Rune Fiedler and Roman Langrehr</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-470" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-470" class="paper-abstract">Deniable authentication allows Alice to authenticate a message to Bob, while retaining deniability towards third parties. In particular, not even Bob can convince a third party that Alice authenticated that message. Clearly, in this setting Bob should not be considered trustworthy. Furthermore, deniable authentication is necessary for deniable key exchange, as explicitly desired by Signal and off-the-record (OTR) messaging. In this work we focus on (publicly verifiable) designated verifier signatures (DVS), which are a widely used primitive to achieve deniable authentication. We propose a definition of deniability against malicious verifiers for DVS. We give a construction that achieves this notion in the random oracle (RO) model. Moreover, we show that our notion is not achievable in the standard model with a concrete attack; thereby giving a non-contrived example of the RO heuristic failing. All previous protocols that claim to achieve deniable authentication against malicious verifiers (like Signal's initial handshake protocols X3DH and PQXDH) rely on the Extended Knowledge of Diffie–Hellman (EKDH) assumption. We show that this assumption is broken and that these protocols do not achieve deniability against malicious verifiers.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/185">2025/185</a> <a class="ms-2" href="/2025/185.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">AutoDiVer: Automatically Verifying Differential Characteristics and Learning Key Conditions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Marcel Nageler, Shibam Ghosh, Marlene Jüttler, and Maria Eichlseder</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-185" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-185" class="paper-abstract">Differential cryptanalysis is one of the main methods of cryptanalysis and has been applied to a wide range of ciphers. While it is very successful, it also relies on certain assumptions that do not necessarily hold in practice. One of these is the hypothesis of stochastic equivalence, which states that the probability of a differential characteristic behaves similarly for all keys. Several works have demonstrated examples where this hypothesis is violated, impacting the attack complexity and sometimes even invalidating the investigated prior attacks. Nevertheless, the hypothesis is still typically taken for granted. In this work, we propose AutoDiVer, an automatic tool that allows to thoroughly verify differential characteristics. First, the tool supports calculating the expected probability of differential characteristics while considering the key schedule of the cipher. Second, the tool supports estimating the size of the space of keys for which the characteristic permits valid pairs, and deducing conditions for these keys. AutoDiVer implements a custom SAT modeling approach and takes advantage of a combination of features of advanced SAT solvers, including approximate model counting and clause learning. To show applicability to many different kinds of block ciphers like strongly aligned, weakly aligned, and ARX ciphers, we apply AutoDiVer to GIFT, PRESENT, RECTANGLE, SKINNY, WARP, SPECK, and SPEEDY.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/1984">2024/1984</a> <a class="ms-2" href="/2024/1984.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Low Communication Threshold Fully Homomorphic Encryption</div> <div class="ms-3 d-none d-md-block"> <small class="badge category category-uncategorized">Uncategorized</small> </div> </div> <div class="summaryauthors">Alain Passelègue and Damien Stehlé</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-1984" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <small class="badge category category-uncategorized">Uncategorized</small> </div> </div> <div> <div id="abstract-2024-1984" class="paper-abstract">This work investigates constructions of threshold fully homomorphic encryption with low communication, i.e., with small ciphertexts and small decryption shares. In this context, we discuss in detail the technicalities for achieving full-fledged threshold FHE, and put forward limitations regarding prior works, including an attack against the recent construction of Boudgoust and Scholl [ASIACRYPT 2023]. In light of our observations, we generalize the definition of threshold fully homomorphic encryption by adding an algorithm which allows to introduce additional randomness in ciphertexts before they are decrypted by parties. In this setting, we are able to propose a construction which offers small ciphertexts and small decryption shares.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/469">2025/469</a> <a class="ms-2" href="/2025/469.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Practical Semi-Open Chat Groups for Secure Messaging Applications</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Alex Davidson, Luiza Soezima, and Fernando Virdia</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-469" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-469" class="paper-abstract">Chat groups in secure messaging applications such as Signal, Telegram, and Whatsapp are nowadays used for rapid and widespread dissemination of information to large groups of people. This is common even in sensitive contexts, associated with the organisation of protests, activist groups, and internal company dialogues. Manual administration of who has access to such groups quickly becomes infeasible, in the presence of hundreds or thousands of members. We construct a practical, privacy-preserving reputation system, that automates the approval of new group members based on their reputation amongst the existing membership. We demonstrate security against malicious adversaries in a single-server model, with no further trust assumptions required. Furthermore, our protocol supports arbitrary reputation calculations while almost all group members are offline (as is likely). In addition, we demonstrate the practicality of the approach via an open-source implementation. For groups of size 50 (resp. 200), an admission process on a user that received 40 (resp. 80) scores requires 1312.2 KiB (resp. 5239.4 KiB) of communication, and 3.3s (resp. 16.3s) of overall computation on a single core. While our protocol design matches existing secure messaging applications, we believe it can have value in distributed reputation computation beyond this problem setting.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/468">2025/468</a> <a class="ms-2" href="/2025/468.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Optimized Frobenius and Cyclotomic Cubing for Enhanced Pairing Computation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Leila Ben Abdelghani, Nadia El Mrabet, Loubna Ghammam, and Lina Mortajine</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-468" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-468" class="paper-abstract">Efficient implementation of a pairing-based cryptosystem relies on high-performance arithmetic in finite fields $\mathbb{F}_{p}$ and their extensions $\mathbb{F}_{p^k}$, where $k$ is the embedding degree. A small embedding degree is crucial because part of the arithmetic for pairing computation occurs in $\mathbb{F}_{{p}^k}$ and includes operations such as squaring, multiplication, and Frobenius operations. In this paper, we present a fast and efficient method for computing the Frobenius endomorphism and its complexity. Additionally, we introduce an improvement in the efficiency of cyclotomic cubing operations for several pairing-friendly elliptic curves, which are essential for the calculation of Tate pairing and its derivatives.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/466">2025/466</a> <a class="ms-2" href="/2025/466.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Algebraic Cryptanalysis of Small-Scale Variants of Stream Cipher E0</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Jan Dolejš and Martin Jureček</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-466" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-466" class="paper-abstract">This study explores the algebraic cryptanalysis of small-scale variants of the E0 stream cipher, a legacy cipher used in the Bluetooth protocol. By systematically reducing the size of the linear feedback shift registers (LFSRs) while preserving the cipher’s core structure, we investigate the relationship between the number of unknowns and the number of consecutive keystream bits required to recover the internal states of the LFSRs. Our work demonstrates an approximately linear relationship between the number of consecutive keystream bits and the size of small-scale E0 variants, as indicated by our experimental results. To this end, we utilize two approaches: the computation of Gröbner bases using Magma’s F4 algorithm and the application of CryptoMiniSat’s SAT solver. Our experimental results show that increasing the number of keystream bits significantly improves computational efficiency, with the F4 algorithm achieving a speedup of up to 733× when additional equations are supplied. Furthermore, we verify the non-existence of equations of degree four or lower for up to seven consecutive keystream bits, and the non-existence of equations of degree three or lower for up to eight consecutive keystream bits, extending prior results on the algebraic properties of E0.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2024/2048">2024/2048</a> <a class="ms-2" href="/2024/2048.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">TinyLabels: How to Compress Garbled Circuit Input Labels, Efficiently</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Marian Dietz, Hanjun Li, and Huijia Lin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2024-2048" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2024-2048" class="paper-abstract">Garbled circuits are a foundational primitive in both theory and practice of cryptography. Given $(\hat{C}, K[x])$, where $\hat{C}$ is the garbling of a circuit C and $K[x] = \{K[i, x_i]\}$ are the input labels for an input $x$, anyone can recover $C(x)$, but nothing else about the input $x$. Most research efforts focus on minimizing the size of the garbled circuit $\hat{C}$. In contrast, the work by Applebaum, Ishai, Kushilevitz, and Waters (CRYPTO' 13) initiated the study of minimizing the cost for transferring the input labels $K[x]$. Later improved in a follow-up by Applebaum et al. (STOC' 23), the state-of-the-art techniques allow compressing the input labels to the optimal rate of $1 + o(1)$. That is, each input label can be transferred by essentially sending 1 bit. However, existing solutions are computationally expensive, requiring large numbers of public-key operations (such as RSA exponentiation). In this work, we present an efficient input label compression technique based on Ring-LWE. We achieve the same optimal rate of $1 + o(1)$, by making use of additional communication in an offline stage (before the input $x$ becomes known), a paradigm that has already been explored in prior works. A novel feature of the offline communication in our scheme is that the information sent is either reusable or compressible using a random oracle, leading to small amortized offline cost $o(|x|)$. We further demonstrate concrete efficiency through an implementation whose online latency out-performs the naive baseline (which sends all of $K[x]$ in the online phase) in a realistic network with a bandwidth of up to 45Mbps. This break-even point could be pushed even further by leveraging the large potential for parallelization of computation. Finally, we apply our techniques to construct maliciously-secure two-party computation protocols with succinct online communication: The online phase starts once the circuit C becomes known, and requires exchanging only $poly(\lambda)$ bits (independent of $|C|$). After inputs $x_A$, $x_B$ arrive, an additional $|x_A| + |x_B | + poly(\lambda)$ bits need to be sent.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/285">2025/285</a> <a class="ms-2" href="/2025/285.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">MicroCrypt Assumptions with Quantum Input Sampling and Pseudodeterminism: Constructions and Separations</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Mohammed Barhoush, Ryo Nishimaki, and Takashi Yamakawa</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-285" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-285" class="paper-abstract">We investigate two natural relaxations of quantum cryptographic assumptions. First, we examine primitives such as pseudorandom generators (${PRG}$s) and pseudorandom states (${PRS}$s), extended with quantum input sampling, which we term ${PRG}^{qs}$ and ${PRS}^{qs}$. In these primitives, the input is sampled via a quantum algorithm rather than uniformly at random. The second relaxation, $\bot$-pseudodeterminism, allows the generator to output $\bot$ on an inverse-polynomial fraction of inputs. We demonstrate an equivalence between (bounded-query) logarithmic-sized ${PRS}^{qs}$, logarithmic-sized ${PRS}^{qs}$, and ${PRG}^{qs}$. Notably, such an equivalence remains unknown for the uniform key sampling versions of these primitives. Furthermore, we establish that ${PRG}^{qs}$ can be constructed from $\bot$-pseudodeterministic ${PRG}$s ($\bot{-PRG}$s). To further justify our exploration, we present two separation results. First, we examine the relationship between $\bot$-pseudodeterministic notions and their deterministic counterparts. We show that there does not exist a black-box construction of a one-way state generator $({OWSG})$ from a $\bot{-PRG}$, indicating that $\bot$-pseudodeterministic primitives may be inherently weaker than their deterministic counterparts. Second, we explore the distinction between quantum and uniform input sampling. We prove that there does not exist a black-box construction of a $\bot$-psuedodeterministic ${OWSG}$ from a ${PRF}^{qs}$, suggesting that primitives relying on quantum input sampling may be weaker than those using traditional uniform sampling. Given the broad cryptographic applicability of ${PRF}^{qs}$s and $\bot{-PRG}$s, these separation results yield numerous new insights into the hierarchy of primitives within MicroCrypt.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/465">2025/465</a> <a class="ms-2" href="/2025/465.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">zkAML: Zero-knowledge Anti Money Laundering in Smart Contracts with whitelist approach</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Donghwan Oh, Semin Han, Jihye Kim, Hyunok Oh, Jiyeal Chung, Jieun Lee, Hee-jun Yoo, and Tae wan Kim</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-465" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-465" class="paper-abstract">In the interconnected global financial system, anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations are indispensable for safeguarding financial integrity. However, while illicit transactions constitute only a small fraction of overall financial activities, traditional AML/CFT frameworks impose uniform compliance burdens on all users, resulting in inefficiencies, transaction delays, and privacy concerns. These issues stem from the institution-centric model, where financial entities independently conduct compliance checks, resulting in repeated exposure of personally identifiable information (PII) and operational bottlenecks. To address these challenges, we introduce \textsf{zkAML}, a cryptographic framework that offers a novel approach to AML/CFT compliance. By leveraging zero-knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) proofs, \textsf{zkAML}~enables users to cryptographically demonstrate their regulatory compliance without revealing sensitive personal information. This approach eliminates redundant identity checks, streamlines compliance procedures, and enhances transaction efficiency while preserving user privacy. We implement and evaluate \textsf{zkAML}~on a blockchain network to demonstrate its practicality. Our experimental results show that \textsf{zkAML}~achieves 55 transactions per second (TPS) on a public network and 324 TPS on a private network. The zk-SNARK proof generation times are $226.59$ms for senders and $215.76$ms for receivers, with a constant verification time of $1.47$ms per transaction. These findings highlight \textsf{zkAML}'s potential as a privacy-preserving and regulation-compliant solution for modern financial systems.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/464">2025/464</a> <a class="ms-2" href="/2025/464.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Jean Paul Degabriele, Jan Gilcher, Jérôme Govinden, and Kenneth G. Paterson</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-464" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-464" class="paper-abstract">Poly1305 is a widely-deployed polynomial hash function. The rationale behind its design was laid out in a series of papers by Bernstein, the last of which dates back to 2005. As computer architectures evolved, some of its design features became less relevant, but implementers found new ways of exploiting these features to boost its performance. However, would we still converge to this same design if we started afresh with today's computer architectures and applications? To answer this question, we gather and systematize a body of knowledge concerning polynomial hash design and implementation that is spread across research papers, cryptographic libraries, and developers' blogs. We develop a framework to automate the validation and benchmarking of the ideas that we collect. This approach leads us to five new candidate designs for polynomial hash functions. Using our framework, we generate and evaluate different implementations and optimization strategies for each candidate. We obtain substantial improvements over Poly1305 in terms of security and performance. Besides laying out the rationale behind our new designs, our paper serves as a reference for efficiently implementing polynomial hash functions, including Poly1305.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/463">2025/463</a> <a class="ms-2" href="/2025/463.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Multi-Party Computation in Corporate Data Processing: Legal and Technical Insights</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Sebastian Becker, Christoph Bösch, Benjamin Hettwer, Thomas Hoeren, Merlin Rombach, Sven Trieflinger, and Hossein Yalame</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-463" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-463" class="paper-abstract">This paper examines the deployment of Multi-Party Computation (MPC) in corporate data processing environments, focusing on its legal and technical implications under the European Union’s General Data Protection Regulation (GDPR). By combining expertise in cryptography and legal analysis, we address critical questions necessary for assessing the suitability of MPC for real-world applications. Our legal evaluation explores the conditions under which MPC qualifies as an anonymizing approach under GDPR, emphasizing the architectural requirements, such as the distribution of control among compute parties, to minimize re-identification risks effectively. The assertions put forth in the legal opinion are validated by two distinct assessments conducted independently. We systematically answer key regulatory questions, demonstrating that a structured legal assessment is indispensable for organizations aiming to adopt MPC while ensuring compliance with privacy laws. In addition, we complement this analysis with a practical implementation of privacy-preserving analytics using Carbyne Stack, a cloud-native open-source platform for scalable MPC applications, which integrates the MP-SPDZ framework as its backend. We benchmark SQL queries under various security models to evaluate scalability and efficiency.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/462">2025/462</a> <a class="ms-2" href="/2025/462.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Practical Key Collision on AES and Kiasu-BC</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Jianqiang Ni, Yingxin Li, Fukang Liu, and Gaoli Wang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-462" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-462" class="paper-abstract">The key collision attack was proposed as an open problem in key-committing security in Authenticated Encryption (AE) schemes like $\texttt{AES-GCM}$ and $\texttt{ChaCha20Poly1305}$. In ASIACRYPT 2024, Taiyama et al. introduce a novel type of key collision—target-plaintext key collision ($\texttt{TPKC}$) for $\texttt{AES}$. Depending on whether the plaintext is fixed, $\texttt{TPKC}$ can be divided into $\texttt{fixed-TPKC}$ and $\texttt{free-TPKC}$, which can be directly converted into collision attacks and semi-free-start collision attacks on the Davies-Meyer ($\texttt{DM}$) hashing mode. In this paper, we propose a new rebound attack framework leveraging a time-memory tradeoff strategy, enabling practical key collision attacks with optimized complexity. We also present an improved automatic method for finding \textit{rebound-friendly} differential characteristics by controlling the probabilities in the inbound and outbound phases, allowing the identified characteristics to be directly used in $\textit{rebound-based}$ key collision attacks. Through our analysis, we demonstrate that the 2-round $\texttt{AES-128}$ $\texttt{fixed-TPKC}$ attack proposed by Taiyama et al. is a $\texttt{free-TPKC}$ attack in fact, while $\texttt{fixed-TPKC}$ attacks are considerably more challenging than $\texttt{free-TPKC}$ attacks. By integrating our improved automatic method with a new rebound attack framework, we successfully identify a new differential characteristic for the 2-round $\texttt{AES-128}$ $\texttt{fixed-TPKC}$ attack and develope the first practical $\texttt{fixed-TPKC}$ attack against 2-round $\texttt{AES-128}$. Additionally, we present practical $\texttt{fixed-TPKC}$ attacks against 5-round $\texttt{AES-192}$ and 3-round $\texttt{Kiasu-BC}$, along with a practical $\texttt{free-TPKC}$ attack against 6-round $\texttt{Kiasu-BC}$. Furthermore, we reduce time complexities for $\texttt{free-TPKC}$ and $\texttt{fixed-TPKC}$ attacks on other $\texttt{AES}$ variants.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/461">2025/461</a> <a class="ms-2" href="/2025/461.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Machine-checking Multi-Round Proofs of Shuffle: Terelius-Wikstrom and Bayer-Groth</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Thomas Haines, Rajeev Goré, and Mukesh Tiwari</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-461" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-461" class="paper-abstract">Shuffles are used in electronic voting in much the same way physical ballot boxes are used in paper systems: (encrypted) ballots are input into the shuffle and (encrypted) ballots are output in a random order, thereby breaking the link between voter identities and ballots. To guarantee that no ballots are added, omitted or altered, zero-knowledge proofs, called proofs of shuffle, are used to provide publicly verifiable transcripts that prove that the outputs are a re-encrypted permutation of the inputs. The most prominent proofs of shuffle, in practice, are those due to Terelius and Wikström (TW), and Bayer and Groth (BG). TW is simpler whereas BG is more efficient, both in terms of bandwidth and computation. Security for the simpler (TW) proof of shuffle has already been machine-checked but several prominent vendors insist on using the more complicated BG proof of shuffle. Here, we machine-check the security of the Bayer-Groth proof of shuffle via the Coq proof-assistant. We then extract the verifier (software) required to check the transcripts produced by Bayer-Groth implementations and use it to check transcripts from the Swiss Post evoting system under development for national elections in Switzerland.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/460">2025/460</a> <a class="ms-2" href="/2025/460.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Achieving Data Reconstruction Hardness and Efficient Computation in Multiparty Minimax Training</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Truong Son Nguyen, Yi Ren, Guangyu Nie, and Ni Trieu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-460" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-460" class="paper-abstract">Generative models have achieved remarkable success in a wide range of applications. Training such models using proprietary data from multiple parties has been studied in the realm of federated learning. Yet recent studies showed that reconstruction of authentic training data can be achieved in such settings. On the other hand, multiparty computation (MPC) guarantees standard data privacy, yet scales poorly for training generative models. In this paper, we focus on improving reconstruction hardness during Generative Adversarial Network (GAN) training while keeping the training cost tractable. To this end, we explore two training protocols that use a public generator and an MPC discriminator: Protocol 1 (P1) uses a fully private discriminator, while Protocol 2 (P2) privatizes the first three discriminator layers. We prove reconstruction hardness for P1 and P2 by showing that (1) a public generator does not allow recovery of authentic training data, as long as the first two layers of the discriminator are private; and through an existing approximation hardness result on ReLU networks, (2) a discriminator with at least three private layers does not allow authentic data reconstruction with algorithms polynomial in network depth and size. We show empirically that compared with fully MPC training, P1 reduces the training time by $2\times$ and P2 further by $4-16\times$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2023/1094">2023/1094</a> <a class="ms-2" href="/2023/1094.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Round Optimal Fully Secure Distributed Key Generation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Jonathan Katz</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2023-1094" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2023-1094" class="paper-abstract">Protocols for distributed (threshold) key generation (DKG) in the discrete-logarithm setting have received a tremendous amount of attention in the past few years. Several synchronous DKG protocols have been proposed, but most such protocols are not fully secure: they either allow corrupted parties to bias the key, or are not robust and allow malicious parties to prevent successful generation of a key. We explore the round complexity of fully secure DKG in the honest-majority setting where it is feasible. We show the impossibility of one-round, unbiased DKG protocols (even satisfying weaker notions of security), regardless of any prior setup. On the positive side, we show various round-optimal protocols for fully secure DKG offering tradeoffs in terms of their efficiency, necessary setup, and required assumptions.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/002">2025/002</a> <a class="ms-2" href="/2025/002.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Voting with coercion resistance and everlasting privacy using linkable ring signatures</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Panagiotis Grontas, Aris Pagourtzis, and Marianna Spyrakou</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-002" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-002" class="paper-abstract">We propose an e-voting protocol based on a novel linkable ring signature scheme with unconditional anonymity. In our system, all voters create private credentials and register their public counterparts. To vote, they create a ring (anonymity set) consisting of public credentials together with a proof of knowledge of their secret credential via our signature. Its unconditional anonymity prevents an attacker, no matter how powerful, from deducing the identity of the voter, thus attaining everlasting privacy. Additionally, our protocol provides coercion resistance in the JCJ framework; when an adversary tries to coerce a voter, the attack can be evaded by creating a signature with a fake but indistinguishable credential. During a moment of privacy, they will cast their real vote. Our scheme also provides verifiability and ballot secrecy.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/043">2025/043</a> <a class="ms-2" href="/2025/043.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SoK: Time to be Selfless?! Demystifying the Landscape of Selfish Mining Strategies and Models</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Colin Finkbeiner, Mohamed E. Najd, Julia Guskind, and Ghada Almashaqbeh</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-043" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-043" class="paper-abstract">Selfish mining attacks present a serious threat to Bitcoin security, enabling a miner with less than 51% of the network hashrate to gain higher rewards than their fair share. A growing body of works has studied the impact of such attacks and presented numerous strategies under a variety of model settings. This led to a complex landscape making it hard to comprehend the state of the art and distill insights, gaps, and trade-offs. In this paper, we demystify the landscape of selfish mining in Bitcoin by systematizing existing studies and evaluating more realistic model adaptations. To the best of our knowledge, our work is the first of its kind. We develop a multi-dimensional systematization framework assessing prior works based on their strategy formulation and targeted models. We go on to distill a number of insights and gaps highlighting open questions and understudied areas. Among them, we find that most of the surveyed works target the block-reward setting and do not account for transaction fees, and generally consider only single attackers. To bridge this gap, we evaluate several existing strategies in the transaction-fee regime---so miner's incentives come solely from transaction fees---for both single and multi-attacker scenarios. We also extend their models to include honest-but-rational miners showing how such adaptations could garner more performant strategy variations. Finally, we touch upon defenses proposed in the literature, and discuss connections between selfish mining and relevant incentivized/fee-driven paradigms.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/458">2025/458</a> <a class="ms-2" href="/2025/458.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">CAKE requires programming - On the provable post-quantum security of (O)CAKE</div> <div class="ms-3 d-none d-md-block"> <small class="badge category category-uncategorized">Uncategorized</small> </div> </div> <div class="summaryauthors">Kathrin Hövelmanns, Andreas Hülsing, Mikhail Kudinov, and Silvia Ritsch</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-458" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <small class="badge category category-uncategorized">Uncategorized</small> </div> </div> <div> <div id="abstract-2025-458" class="paper-abstract">In this work we revisit the post-quantum security of KEM-based password-authenticated key exchange (PAKE), specifically that of (O)CAKE. So far, these schemes evaded a security proof considering quantum adversaries. We give a detailed analysis of why this is the case, determining the missing proof techniques. To this end, we first provide a proof of security in the post-quantum setting, up to a single gap. This proof already turns out to be technically involved, requiring advanced techniques to reason in the QROM, including the compressed oracle and the extractable QROM. To pave the way towards closing the gap, we then further identify an efficient simulator for the ideal cipher. This provides certain programming abilities as a necessary and sufficient condition to close the gap in the proof: we demonstrate that we can close the gap using the simulator, and give a meta-reduction based on KEM-anonymity that shows the impossibility of a non-programming reduction that covers a class of KEMs that includes Kyber / ML-KEM.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2023/670">2023/670</a> <a class="ms-2" href="/2023/670.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Behemoth: transparent polynomial commitment scheme with constant opening proof size and verifier time</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">István András Seres and Péter Burcsi</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2023-670" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2023-670" class="paper-abstract">Polynomial commitment schemes are fundamental building blocks in numerous cryptographic protocols such as verifiable secret sharing, zero-knowledge succinct non-interactive arguments, and many more. The most efficient polynomial commitment schemes rely on a trusted setup which is undesirable in trust-minimized applications, e.g., cryptocurrencies. However, transparent polynomial commitment schemes are inefficient (polylogarithmic opening proofs and/or verification time) compared to their trusted counterparts. It has been an open problem to devise a transparent, succinct polynomial commitment scheme or prove an impossibility result in the transparent setting. In this work, for the first time, we create a transparent, constant-size polynomial commitment scheme called Behemoth with constant-size opening proofs and a constant-time verifier. The downside of Behemoth is that it employs a cubic prover in the degree of the committed polynomial. We prove the security of our scheme in the generic group model and discuss parameter settings in which it remains practical even for the prover.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/457">2025/457</a> <a class="ms-2" href="/2025/457.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A 10-bit S-box generated by Feistel construction from cellular automata</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Thomas Prévost and Bruno Martin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-457" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-457" class="paper-abstract">In this paper, we propose a new 10-bit S-box generated from a Feistel construction. The subpermutations are generated by a 5-cell cellular automaton based on a unique well-chosen rule and bijective affine transformations. In particular, the cellular automaton rule is chosen based on empirical tests of its ability to generate good pseudorandom output on a ring cellular automaton. Similarly, Feistel's network layout is based on empirical data regarding the quality of the output S-box. We perform cryptanalysis of the generated 10-bit S-box: we test the properties of algebraic degree, algebraic complexity, nonlinearity, strict avalanche criterion, bit independence criterion, linear approximation probability, differential approximation probability, differential uniformity and boomerang uniformity of our S-box, and relate them to those of the AES S-box. We find security properties comparable to or sometimes even better than those of the standard AES S-box. We believe that our S-box could be used to replace the 5-bit substitution of ciphers like ASCON.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/456">2025/456</a> <a class="ms-2" href="/2025/456.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Democratic Distributed Post-Quantum Certificateless Encryption Scheme</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Thomas Prévost, Bruno Martin, and Olivier Alibart</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-456" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-456" class="paper-abstract">We propose a post-quantum certificateless encryption scheme based on a web of trust instead of a centralized Key Generation Center. Our scheme allows nodes to communicate securely. It is the nodes already present in the network that vote on the acceptance of new nodes, and agree on the shared key. The threshold required for the acceptance of a new node is configurable. Our protocol thus allows to completely operate without the Key Generation Center (or Key Distribution Center). Our scheme is based on Quasi-Cyclic Moderate Density Parity Check Code McEliece, which is resistant to quantum computer attacks. The voting system uses Shamir secret sharing, coupled with the Kabatianskii-Krouk-Smeets signature scheme, both are also resistant to quantum computer attacks. We provide a security analysis of our protocol, as well as a formal verification and a proof of concept code.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/455">2025/455</a> <a class="ms-2" href="/2025/455.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">StaMAC: Fault Protection via Stable-MAC Tags</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Siemen Dhooghe, Artemii Ovchinnikov, and Dilara Toprakhisar</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-455" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-455" class="paper-abstract">Fault attacks pose a significant threat to cryptographic implementations, motivating the development of countermeasures, primarily based on a combination of redundancy and masking techniques. Redundancy, in these countermeasures, is often implemented via duplication or linear codes. However, their inherent structure remains susceptible to strategic fault injections bypassing error checks. To address this, the CAPA countermeasure from CRYPTO 2018 leveraged information-theoretic MAC tags for protection against fault and combined attacks. However, a recent attack has shown that CAPA can only protect against either side-channel analysis or fault attacks, but not both simultaneously, and with significant hardware costs. Its successor, M&M, improves efficiency but lacks protection against ineffective faults. In this paper, we propose StaMAC, a framework aimed at securely incorporating MAC tags against both side-channel and fault adversaries in a non-combined scenario. We extend the security notions outlined in StaTI from TCHES 2024, and propose the notion of MAC-stability, ensuring fault propagation in masked and MACed circuits, necessitating only a single error check at the end of the computation. Additionally, we show that the stability notion from StaTI is arbitrarily composable (whereas it was previously thought to be only serially composable), making it the first arbitrary composable fault security notion which does not require intermediate error checks or correction. Then, we establish the improved protection of masking combined with MAC tags compared to linear encoding techniques by showing bounds on the advantage considering several fault adversaries: a gate/register faulting adversary, an arbitrary register faulting adversary, and a random register faulting adversary. Then, we show how to transform any probing secure circuit to protect against fault attacks using the proposed MAC-stable gadgets implementing field operations. Finally, we demonstrate StaMAC on an AES implementation, evaluating its security and hardware costs compared to the countermeasures using MAC tags.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/454">2025/454</a> <a class="ms-2" href="/2025/454.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Quantum circuit for implementing AES S-box with low costs</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Huinan Chen, Binbin Cai, Fei Gao, and Song Lin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-454" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-454" class="paper-abstract">Advanced Encryption Standard (AES) is one of the most widely used and extensively studied encryption algorithms globally, which is renowned for its efficiency and robust resistance to attacks. In this paper, three quantum circuits are designed to implement the S-box, which is the sole nonlinear component in AES. By incorporating a linear key schedule, we achieve a quantum circuit for implementing AES with the minimum number of qubits used. As a consequence, only 264/328/398 qubits are needed to implement the quantum circuits for AES-128/192/256. Furthermore, through quantum circuits of the S-box and key schedule, the overall size of the quantum circuit required for Grover's algorithm to attack AES is significantly decreased. This enhancement improves both the security and resource efficiency of AES in a quantum computing environment.</div> </div> </div> </div> <div class="w-75 mx-auto"> <ul class="pagination mt-5 mb-5"> <li class="page-item active"><span class="page-link">1</span></li> <li class="page-item"><a rel="nofollow" class="page-link" href="/days/365?offset=100">2</a></li> <li class="page-item"><span class="page-link">...</span></li> <li class="page-item"><a rel="nofollow" class="page-link" href="/days/365?offset=2900">30</a></li> <li class="page-item"> <a rel="nofollow" class="page-link" href="/days/365?offset=100">Next »</a> </li> </ul> </div> </main> <div class="container-fluid mt-auto" id="eprintFooter"> <a href="https://iacr.org/"> <img id="iacrlogo" src="/img/iacrlogo_small.png" class="img-fluid d-block mx-auto" alt="IACR Logo"> </a> <div class="colorDiv"></div> <div class="alert alert-success w-75 mx-auto"> Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content. </div> </div> <script src="/css/bootstrap/js/bootstrap.bundle.min.js"></script> <script> var topNavbar = document.getElementById('topNavbar'); if (topNavbar) { document.addEventListener('scroll', function(e) { if (window.scrollY > 100) { topNavbar.classList.add('scrolled'); } else { topNavbar.classList.remove('scrolled'); } }) } </script> </body> </html>