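<!DOCTYPE html>
<html lang="en">
<head>
  <!--
    IACR News page head: Bootstrap + site CSS, the per-page styles for news cards and the
    priority badges, MathJax for the abstracts, and the expand/collapse script for long items.
  -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <link href="https://iacr.org/libs/css/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
  <title>IACR News</title>
  <link rel="stylesheet" href="/css/iacr.css">
  <link rel="stylesheet" href="https://iacr.org/libs/js/easy-autocomplete/easy-autocomplete.css">
  <style>
    div.newsItemBox { margin-bottom: 1.5em; }
    h6.newsCardSubtitle { font-style: italic; }
    img.newsCategoryIcon { height: 1.6em; }
    /* Priority badges. Each colour is the original badge colour blended with the site blue
       (#102A83) at about 50%; the pre-blend value is noted per rule. */
    span.priority1 { background-color: #FF0000; /* original #FF0000, filtered through #102A83 at about 50% */ height: 1.15rem; margin-top: 0.2rem; margin-left: 0.5rem; }
    span.priority2 { background-color: #FF6F00; /* original #FF9500, filtered through #102A83 at about 50% */ height: 1.15rem; margin-top: 0.2rem; margin-left: 0.5rem; }
    span.priority3 { background-color: #F5FF00; /* original #F8FF00, filtered through #102A83 at about 50% */ height: 1.15rem; margin-top: 0.2rem; margin-left: 0.5rem; color: black; }
    span.priority4 { background-color: #00FF07; /* original #00FF07, filtered through #102A83 at about 50% */ height: 1.15rem; margin-top: 0.2rem; margin-left: 0.5rem; color: black; }
    span.priority5 { background-color: #0048FF; /* original #0070FF, filtered through #102A83 at about 50% */ height: 1.15rem; margin-top: 0.2rem; margin-left: 0.5rem; }
    /* Arrow glyph appended to the expand/collapse control, driven by the class the script toggles. */
    span.body-expand::after { content: ' ▼'; }
    span.body-collapse::after { content: ' ▲'; }
    div.item-body {
      /* Collapsed height of a news item body. Keep in sync with COLLAPSED_MAX_HEIGHT in the
         page script below: when the content overflows this height an expand button is shown
         and the script raises max-height to the body's full scrollHeight. */
      max-height: 100px;
      overflow: hidden;
      -moz-transition: 0.4s ease;
      -ms-transition: 0.4s ease;
      -o-transition: 0.4s ease;
      -webkit-transition: 0.4s ease;
      transition: 0.4s ease;
    }
  </style>
  <!-- MathJax reads text/x-mathjax-config blocks when it starts, so the configuration has to be
       parsed before the (async) loader runs; it therefore precedes the loader script. -->
  <script type="text/x-mathjax-config">
    MathJax.Hub.Config({ tex2jax: {inlineMath: [['$$', '$$'], ['$', '$'], ['\\(','\\)']]} });
  </script>
  <script async src="/libs/js/MathJax/MathJax.js?config=TeX-AMS_CHTML"></script>
  <script>
    // Collapsed height of div.item-body; must match the max-height rule in the <style> above.
    var COLLAPSED_MAX_HEIGHT = '100px';

    // Click handler attached to every .expand-button on load.
    // The control's previous element sibling is the div.item-body it toggles:
    //   body-expand   -> grow the body to its full scrollHeight and relabel the control "Collapse"
    //   body-collapse -> shrink it back to the collapsed height and relabel it "Expand"
    // previousElementSibling (rather than previousSibling) is used so that whitespace between
    // the body and the control in the template does not make the target a text node.
    // The controls are <span> elements in the item template, so they are mouse-only; this
    // handler works unchanged if they become <button type="button">.
    function expandHandler() {
      var body = this.previousElementSibling;
      if (!body) { return; }
      if (this.classList.contains('body-expand')) {
        body.style.maxHeight = body.scrollHeight + 'px';
        this.classList.remove('body-expand');
        this.classList.add('body-collapse');
        this.textContent = 'Collapse';
      } else {
        body.style.maxHeight = COLLAPSED_MAX_HEIGHT;
        this.classList.add('body-expand');
        this.classList.remove('body-collapse');
        this.textContent = 'Expand';
      }
    }

    // Live HTMLCollection of the expand controls. Filled once in addHandlers and never rebuilt,
    // because the set of news items does not change after the page has loaded.
    var _expandButtons;

    // Shows the expand control only for bodies whose content overflows the collapsed height.
    // It reads layout for every item, so callers should debounce it (see maybeResize below).
    // Safe to call before addHandlers has run (e.g. a resize event that fires before 'load'):
    // it does nothing until the controls have been collected.
    function resizeAll() {
      if (!_expandButtons) { return; }
      for (var i = 0; i < _expandButtons.length; i++) {
        var control = _expandButtons[i];
        var body = control.previousElementSibling;
        if (!body) { continue; }
        control.style.display = body.scrollHeight > body.clientHeight ? 'block' : 'none';
      }
    }

    // Returns a wrapper that postpones calls to func until waitMS milliseconds have passed
    // without a new call. With immediate=true the first call of a burst fires on the leading
    // edge instead of the trailing one. `this` and the arguments of the last call are forwarded.
    function debounce(func, waitMS, immediate) {
      var timeout;
      return function () {
        var context = this, args = arguments;
        var later = function () {
          timeout = null;
          if (!immediate) { func.apply(context, args); }
        };
        var callNow = immediate && !timeout;
        clearTimeout(timeout);
        timeout = setTimeout(later, waitMS);
        if (callNow) { func.apply(context, args); }
      };
    }

    // Collects the expand controls, wires the click handler to each and runs the first
    // overflow check.
    function addHandlers() {
      _expandButtons = document.getElementsByClassName('expand-button');
      for (var i = 0; i < _expandButtons.length; i++) {
        _expandButtons[i].addEventListener('click', expandHandler);
      }
      resizeAll();
    }

    window.addEventListener('load', addHandlers);
    // A resize reflows every body, so re-check overflow at most once per 500 ms of quiet.
    var maybeResize = debounce(resizeAll, 500);
    window.addEventListener('resize', maybeResize);
  </script>
  <style>
    img.newsPageTopIcon { height: 3.5em; }
  </style>
</head>
<body>
  <noscript>
    <h1 class="text-center">What a lovely hat</h1>
    <h4 class="text-center">Is it made out of <a href="/tinfoil.html">tin foil</a>?</h4>
  </noscript>
  <div id="pageHeaderAndNav">
    <div id="iacrMain-header" class="container d-none d-lg-block">
      <div class="row align-items-center pt-2 d-none d-md-flex justify-content-between">
        <div class="col-2 pb-2">
          <a href="/">
            <img id="iacrLogo" src="/img/logo/iacrlogo_small.png" class="img-fluid" alt="IACR logo">
          </a>
        </div>
        <div class="col-10 mx-auto">
          <h2 class="d-none d-xl-block">International Association for Cryptologic Research</h2>
          <h1 class="d-none d-xl-none d-md-block">International Association<br>for Cryptologic Research</h1>
        </div>
      </div>
    </div>
    <div id="iacrMain-navbar" class="container-fluid">
      <nav class="container navbar navbar-expand-lg px-0 py-0">
        <button class="navbar-toggler mt-1 collapsed nofocus" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
          <span class="icon-bar top-bar"></span>
          <span class="icon-bar middle-bar"></span>
          <span class="icon-bar bottom-bar"></span>
        </button>
        <div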
id="navbarIacrAcronym" class="navbar-text d-inline-block d-lg-none mx-auto"> <a href="/">IACR</a> </div> <div class="collapse navbar-collapse" id="navbarSupportedContent"> <ul id="iacrMainMenu" class="navbar-nav justify-content-between flex-grow-1"> <li class="nav-item dropdown"> <a class="nav-link iacrMain-navLink dropdown-toggle" href="/meetings/" id="eventsDropdownLink" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Events</a> <div class="dropdown-menu border-0" aria-labelledby="eventsDropdownLink"> <a class="dropdown-item" href="/meetings/">All IACR events</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/meetings/asiacrypt/">Asiacrypt</a> <a class="dropdown-item" href="/meetings/crypto/">Crypto</a> <a class="dropdown-item" href="/meetings/eurocrypt/">Eurocrypt</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/meetings/ches/">CHES</a> <a class="dropdown-item" href="/meetings/fse/">FSE</a> <a class="dropdown-item" href="/meetings/pkc/">PKC</a> <a class="dropdown-item" href="/meetings/tcc/">TCC</a> <a class="dropdown-item" href="https://rwc.iacr.org/">RWC</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/schools/">Cryptology Schools</a> <a class="dropdown-item" href="/icw/">In cooperation with IACR</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link iacrMain-navLink dropdown-toggle" href="/publications/" id="pubsDropdownLink" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Publications</a> <div class="dropdown-menu border-0" aria-labelledby="pubsDropdownLink"> <a class="dropdown-item" href="/publications/">All IACR Publications</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/jofc/">Journal of Cryptology</a> <a class="dropdown-item" href="/transactions/tosc/">Transactions on Symmetric Cryptology</a> <a class="dropdown-item" href="https://tches.iacr.org/">Transactions on CHES</a> <a class="dropdown-item" 
href="https://cic.iacr.org/">Communications in Cryptology</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="https://eprint.iacr.org">Cryptology ePrint Archive</a> <a class="dropdown-item" href="https://artifacts.iacr.org/">Artifact Archive</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/publications/access.php">Access IACR Publications</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/museum/">Museum of Historic Papers</a> <a class="dropdown-item" href="/cryptodb/data/acceptance.php">Publication Statistics</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link iacrMain-navLink dropdown-toggle" href="/news" id="newsDropdownLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> News </a> <div class="dropdown-menu border-0" aria-labelledby="newsDropdownLink"> <a class="dropdown-item" href="/news">All News</a> <a class="dropdown-item" href="/awards/">Awards</a> <a class="dropdown-item" href="/elections/">Elections</a> <a class="dropdown-item" href="/petitions/">Petitions & Statements</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link iacrMain-navLink dropdown-toggle" href="/services/" id="servicesDropdownLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Services </a> <div class="dropdown-menu border-0" aria-labelledby="servicesDropdownLink"> <a class="dropdown-item" href="/jobs/">Jobs</a> <div class="dropdown-divider"></div> <a class="dropdown-item" href="/cryptodb/">CryptoDB</a> <a class="dropdown-item" href="/events/">Calendar of Events</a> <a class="dropdown-item" href="/cryptodb/data/videos.php">Videos</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link iacrMain-navLink dropdown-toggle" href="/membership.php" id="membersDropdownLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Members </a> <div class="dropdown-menu border-0" 
aria-labelledby="membersDropdownLink"> <a class="dropdown-item" href="/membership.php">How to Join</a> <a class="dropdown-item" href="https://register.iacr.org/membership/members/">Update Membership Information</a> <a class="dropdown-item" href="/publications/access.php">Access IACR Publications</a> <a class="dropdown-item" href="/news/subscribe">Subscribe to News Updates</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link iacrMain-navLink dropdown-toggle" href="/about/" id="aboutDropdownLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> About </a> <div class="dropdown-menu border-0" aria-labelledby="aboutDropdownLink"> <a class="dropdown-item" href="/about">About IACR</a> <a class="dropdown-item" href="/bod.html">Board of Directors</a> <a class="dropdown-item" href="/committees.html">Committees</a> <a class="dropdown-item" href="/docs/">Documents</a> <a class="dropdown-item" href="/privacy.html">Privacy Policy</a> </div> </li> <li class="nav-item dropdown position-static d-none d-lg-inline"> <a role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" id="searchLink" data-offset="10,20"> <button class="btn searchButtons border mt-1" aria-haspopup="true" aria-expanded="false" type="button"> <img src="/img/icons/search.svg" class="searchIcon" alt="Search Button"/> </button> </a> <div id="searchDropdown" class="border-0 dropdown-menu dropdown-menu-right iacrMain-search px-2 w-100 mt-0" aria-labelledby="searchLink"> <p class="small text-white mb-1">Suggestions from <a class="localSearchLink" href="/asearch">local search</a> as you type. 
Hit enter to search with Google.</p> <form action="/search" method="GET"> <div class="input-group"> <input id="searchbox" name="q" type="search" class="form-control border searchBoxes" placeholder="Search IACR" width="100"> <button class="btn searchButtons border input-group-append ml-2"> Search </button> </div> </form> </div> </li> </ul> </div> <div id="searchDropdownParent" class="dropdown pb-3 d-lg-none"> <a id="mobileSearchLink" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" data-offset="0,20"> <img src="/img/icons/search.svg" class="searchIcon" alt="Search Button"> </a> <div id="searchDropdownMobile" class="border-0 dropdown-menu dropdown-menu-right iacrMain-search px-2 mt-0" aria-labelledby="mobileSearchLink"> <p class="small text-white mb-1">Suggestions from <a class="localSearchLink" href="/asearch">local search</a> as you type. Hit enter to search with Google.</p> <form action="/search" method="GET"> <input id="searchboxMobile" name="q" type="search" class="form-control border searchBoxes" placeholder="Search IACR"/> </form> </div> </div> </nav> </div> <!-- populated by headerFooter.js --> </div> <main id="iacrMain-contentBox" class="container px-md-4 py-3"> <section class="row"> <div class="col-12"> <h2> IACR News </h2> <p> Here you can see all recent updates to the IACR webpage. 
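These updates are also available:
</p>
<!-- Subscription channels. Each figure is a link whose only content is an icon, so the alt text
     names the link destination rather than the picture; the caption sits outside the link. -->
<div class="d-flex justify-content-around px-md-5 mb-3">
  <figure class="figure">
    <a href="/news/subscribe">
      <img src="/img/icons/email.svg" class="figure-img newsPageTopIcon ml-1" alt="Subscribe to IACR news by email">
    </a>
    <figcaption class="figure-caption text-center">via email</figcaption>
  </figure>
  <figure class="figure">
    <a href="/news/rss">
      <img src="/img/icons/news/rss.svg" class="figure-img newsPageTopIcon ml-3" alt="IACR news RSS feed">
    </a>
    <figcaption class="figure-caption text-center">via RSS feed</figcaption>
  </figure>
</div>
<!-- Channel filter. Submitting re-requests this page with ?channel=N (no action attribute, so the
     form posts back to the current URL; an empty action="" is not a valid URL). The label's for
     attribute must hold only the control id, so the stray "mx-3" token has been removed and the
     label is now actually associated with the select. The inline onchange handler is kept for
     behaviour parity, but it cannot run under a CSP without 'unsafe-inline'; a visible submit
     button plus a listener registered in the page script would be the CSP-friendly equivalent. -->
<form class="form-inline" method="GET">
  <div class="form-group mb-4">
    <label for="filterNews">Filter news by</label>
    <select name="channel" id="filterNews" class="custom-select mx-3" onchange="this.form.submit()">
      <option value="" selected>All news</option>
      <option value="1">Announcement</option>
      <option value="2">Election</option>
      <option value="15">Award</option>
      <option value="3">Crypto</option>
      <option value="4">Eurocrypt</option>
      <option value="5">Asiacrypt</option>
      <option value="18">CHES</option>
      <option value="7">FSE</option>
      <option value="8">PKC</option>
      <option value="6">TCC</option>
      <option value="21">Real World Crypto</option>
      <option value="9">Journal of Cryptology</option>
      <option value="22">Communications in Cryptology</option>
      <option value="10">ePrint report</option>
      <option value="12">Job posting</option>
      <option value="13">Event calendar</option>
      <option value="19">Schools</option>
    </select>
  </div>
</form>
</div>
</section>
<!-- Server-rendered news items, grouped under a date heading. Each card's expand control
     (the span that follows the item body) is a <span>, so it is not reachable by keyboard. -->
<section id="allNewsItems">
<hr>
<h4 class="mb-3"> 08 April 2025 </h4>
<div class="card newsItemBox" id="item-25453">
  <div class="card-header pb-1">
    <a id="item-url-25453" href="https://eprint.iacr.org/2025/612">
      <h5 id="item-headline-25453"> More NTRU+Sign Signatures from Cyclotomic Trinomials </h5>
    </a>
  </div>
  <div class="card-body">
    <div class="d-flex">
      <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25453"> Ga Hee Hong, Joo Woo, Jonghyun Kim, Minku Kim, Hochang Lee, Jong Hwan Park </h6>
      <img id="item-icon-25453" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report">
      <span id="item-priority-25453" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span>
    </div>
    <div id="item-body-25453" class="card-text item-body"> Recently, $\mathsf{NTRU}$+$\mathsf{Sign}$ was proposed as a new compact signature scheme, following `Fiat-Shamir with Aborts' (FSwA) framework. Its compactness is mainly based on their novel NTRU-based key structure that fits well with bimodal distributions in the FSwA framework. However, despite its compactness, $\mathsf{NTRU}$+$\mathsf{Sign}$ fails to provide a diverse set of parameters that can meet some desired security levels. This limitation stems from its reliance on a ring $\mathbb{Z}_q[x]/\langle x^n+1 \rangle$, where $n$ is restricted to powers of two, limiting the flexibility in selecting appropriate security levels. 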
To overcome this limitation, we propose a revised version of $\mathsf{NTRU}$+$\mathsf{Sign}$ by adopting a ring $\mathbb{Z}_q[x]/\langle x^n-x^{n/2}+1\rangle$ from cyclotomic trinomials, where $n=2^{i}3^{j}$ for some positive integers $i$ and $j$. Our parameterization offers three distinct security levels: approximately $120$, $190$, and $260$ bits, while preserving the compactness in $\mathbb{Z}_q[x]/\langle x^n+1 \rangle$. We implement these re-parameterized $\mathsf{NTRU}$+$\mathsf{Sign}$ schemes, showing that the performance of $\mathsf{NTRU}$+$\mathsf{Sign}$ from cyclotomic trinomials is still comparable to previous lattice-based signature schemes such as $\mathsf{Dilithium}$ and $\mathsf{HAETAE}$. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25452"> <div class="card-header pb-1"> <a id="item-url-25452" href="https://eprint.iacr.org/2025/611"> <h5 id="item-headline-25452"> Proving CPU Executions in Small Space </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25452"> Vineet Nair, Justin Thaler, Michael Zhu </h6> <img id="item-icon-25452" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25452" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25452" class="card-text item-body"> zkVMs are SNARKs for verifying CPU execution. They allow an untrusted prover to show that it correctly ran a specified program on a witness, where the program is given as bytecode conforming to an instruction set architecture like RISC-V. Existing zkVMs still struggle with high prover resource costs, notably large runtime and memory usage. 
We show how to implement Jolt—an advanced, sum-check-based zkVM—with a significantly reduced memory footprint, without relying on SNARK recursion, and with only modest runtime overhead (potentially well below a factor of two). We discuss benefits of this approach compared to prevailing recursive techniques. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25451"> <div class="card-header pb-1"> <a id="item-url-25451" href="https://eprint.iacr.org/2025/610"> <h5 id="item-headline-25451"> Clubcards for the WebPKI: smaller certificate revocation tests in theory and practice </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25451"> John M. Schanck </h6> <img id="item-icon-25451" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25451" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25451" class="card-text item-body"> CRLite is a low-bandwidth, low-latency, privacy-preserving mechanism for distributing certificate revocation data. A CRLite aggregator periodically encodes revocation data into a compact static hash set, or membership test, which can be downloaded by clients and queried privately. We present a novel data-structure for membership tests, which we call a clubcard, and we evaluate the encoding efficiency of clubcards using data from Mozilla's CRLite infrastructure.<br><br> As of November 2024, the WebPKI contains over 900 million valid certificates and over 8 million revoked certificates. We describe an instantiation of CRLite that encodes the revocation status of these certificates in a 6.7 MB package. 
This is $54\%$ smaller than the original instantiation of CRLite presented at the 2017 IEEE Symposium on Security and Privacy, and it is $21\%$ smaller than the lower bound claimed in that work.<br><br> A sequence of clubcards can encode a dynamic dataset like the WebPKI revocation set. Using data from late 2024 again, we find that clubcards encoding 6 hour delta updates to the WebPKI can be compressed to 26.8 kB on average---a size that makes CRLite truly practical.<br><br> We have extended Mozilla's CRLite infrastructure so that it can generate clubcards, and we have added client-side support for this system to Firefox. We report on some performance aspects of our implementation, which is currently the default revocation checking mechanism in Firefox Nightly, and we propose strategies for further reducing the bandwidth requirements of CRLite. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25450"> <div class="card-header pb-1"> <a id="item-url-25450" href="https://eprint.iacr.org/2025/609"> <h5 id="item-headline-25450"> Random Oracle Combiners: Merkle-Damgård Style </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25450"> Yevgeniy Dodis, Eli Goldin, Peter Hall </h6> <img id="item-icon-25450" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25450" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25450" class="card-text item-body"> A Random Oracle Combiner (ROC), introduced by Dodis et al. (CRYPTO ’22), takes two hash functions $h_1, h_2$ from m bits to n bits and outputs a new hash function $C$ from $m$' to $n$' bits. 
This function $C$ is guaranteed to be indifferentiable from a fresh random oracle as long as one of $h_1$ and $h_2$ (say, $h_1$) is a random oracle, while the other, $h_2$, can “arbitrarily depend” on $h_1$.<br><br> The work of Dodis et al. also built the first length-preserving ROC, where $n' = n$. Unfortunately, despite this feasibility result, this construction has several deficiencies. From the practical perspective, it could not be directly applied to existing Merkle-Damgård-based hash functions, such as SHA2 or SHA3. From the theoretical perspective, it required $h_1$ and $h_2$ to have input length $m > 3\lambda$, where $\lambda$ is the security parameter.<br><br> To overcome these limitations, Dodis et al. conjectured — and left as the main open question — that the following (salted) construction is a length-preserving ROC:<br><br> $C^{h_1,h_2}_{\mathcal{Z}_1,\mathcal{Z}_2} (M ) = h_1^*(M, \mathcal{Z}_1) \oplus h^*_2(M,\mathcal{Z}_2),$<br><br> where $\mathcal{Z}_1, \mathcal{Z}_2$ are random salts of appropriate length, and $f^*$ denotes the Merkle-Damgård-extension of a given compression function $f$. As our main result, we resolve this conjecture in the affirmative. For practical use, this makes the resulting combiner applicable to existing, Merkle-Damgård-based hash functions. On the theory side, it shows the existence of ROCs only requiring optimal input length $m = \lambda + O(1)$. 
</div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25449"> <div class="card-header pb-1"> <a id="item-url-25449" href="https://eprint.iacr.org/2025/608"> <h5 id="item-headline-25449"> On some non-linear recurrences over finite fields linked to isogeny graphs </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25449"> Juan Jesús León, Vicente Muñoz </h6> <img id="item-icon-25449" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25449" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25449" class="card-text item-body"> This paper presents new results that establish connections between isogeny graphs and nonlinear recurrences over finite fields. Specifically, we prove several theorems that link these two areas, offering deeper insights into the structure of isogeny graphs and their relationship with nonlinear recurrence sequences. We further provide two related conjectures which may be worth of further research. These findings contribute to a better understanding of the endomorphism ring of a curve, advancing progress toward the resolution of the Endomorphism Ring Problem, which aims to provide a computational characterization of the endomorphism ring of a supersingular elliptic curve. 
</div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25448"> <div class="card-header pb-1"> <a id="item-url-25448" href="https://eprint.iacr.org/2025/607"> <h5 id="item-headline-25448"> Analytic and Simulation Results of a Gaussian Physically Unclonable Constant Based on Resistance Dispersion </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25448"> Riccardo Bernardini </h6> <img id="item-icon-25448" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25448" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25448" class="card-text item-body"> Physically Unclonable Constants (PUCs) are a special type of Physically Unclonable Constants and they can be used to embed secret bit-strings in chips. Most PUCs are an array of cells where each cell is a digital circuit that evolve spontaneously toward one of two states, the chosen state being function of random manufacturing process variations. In this paper we propose an Analog Physically Unclonable Constant (APUC) whose output is an analog value to be transformed in digital by a digitizer circuit. The ratio behind this proposal is that an APUC cell has the potential of providing more than one bit, reducing the required footprint. Preliminary theoretical analysis and simulation results are presented. The proposed APUC has interesting performances (e.g., it can provide up to 5 bits per cell) that grant for further investigation. 
</div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25447"> <div class="card-header pb-1"> <a id="item-url-25447" href="https://eprint.iacr.org/2025/606"> <h5 id="item-headline-25447"> An attack on ML-DSA using an implicit hint </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25447"> Paco Azevedo-Oliveira, Jordan Beraud, Louis Goubin </h6> <img id="item-icon-25447" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25447" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25447" class="card-text item-body"> The security of ML-DSA, like most signature schemes, is partially based on the fact that the nonce used to generate the signature is unknown to any attacker. In this work, we exhibit a lattice-based attack that is possible if the nonces share implicit or explicit information. From a collection of signatures whose nonces share certain coefficients, it is indeed possible to build a collection of non full-rank lattices. Intersecting them, we show how to create a low-rank lattice that contains one of the polynomials of the secret key, which in turn can be recovered using lattice reduction techniques. <br><br> There are several interpretations of this result: firstly, it can be seen as a generalization of a fault-based attack on BLISS presented at SAC'16 by Thomas Espitau et al. Alternatively, it can be understood as a side-channel attack on ML-DSA, in the case where an attacker is able to recover only one of the coefficients of the nonce used during the generation of the signature. For ML-DSA-II, we show that $4 \times 160$ signatures and few hours of computation are sufficient to recover the secret key on a desktop computer. 
Lastly, our result shows that simple countermeasures, such as permuting the generation of the nonce coefficients, are not sufficient. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25446"> <div class="card-header pb-1"> <a id="item-url-25446" href="https://eprint.iacr.org/2025/605"> <h5 id="item-headline-25446"> Laconic Cryptography with Preprocessing </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25446"> Rishabh Bhadauria, Nico Döttling, Carmit Hazay, Chuanwei Lin </h6> <img id="item-icon-25446" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25446" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25446" class="card-text item-body"> Laconic cryptography focuses on designing two-message protocols that allow secure computation on large datasets while minimizing communication costs. While laconic cryptography protocols achieve asymptotically optimal communication complexity for many tasks, their concrete efficiency is prohibitively expensive due to the heavy use of public-key techniques or the non-black-box of cryptographic primitives.<br><br> In this work, we initiate the study of "laconic cryptography with preprocessing", introducing a model that includes an offline phase to generate database-dependent correlations, which are then used in a lightweight online phase. These correlations are conceptually simple, relying on linear-algebraic techniques. This enables us to develop a protocol for private laconic vector oblivious linear evaluation (plvOLE). In such a protocol, the receiver holds a large database $\mathsf{DB}$, and the sender has two messages $v$ and $w$, along with an index $i$. 
The receiver learns the value $v \cdot \mathsf{DB}_i + w$ without revealing other information.<br><br> Our protocol, which draws from ideas developed in the context of private information retrieval with preprocessing, serves as the backbone for two applications of interest: laconic private set intersection (lPSI) for large universes and laconic function evaluation for RAM-programs (RAM-LFE). Based our plvOLE protocol, we provide efficient instantiations of these two primitives in the preprocessing model. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <hr> <h4 class="mb-3"> 07 April 2025 </h4> <div class="card newsItemBox" id="item-25445"> <div class="card-header pb-1"> <a id="item-url-25445" href="https://www.iacr.org/jobs/item/3947"> <h5 id="item-headline-25445"> Postdocs on Cryptology </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25445"> Wuhan University and Nanyang Technological University </h6> <img id="item-icon-25445" src="/img/icons/news/channel_12.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="Job Posting channel" alt="Job Posting" /> <span id="item-priority-25445" class="badge badge-dark priority5" title="Job Posting channel">Job Posting</span> </div> <div id="item-body-25445" class="card-text item-body"> Wuhan University in China and Nanyang Technological University in Singapore are jointly seeking for candidates to fill several post-doctoral research fellow positions on cryptography. Topics include but are not limited to the following sub-areas: <ul> <li>Public-key cryptography</li> <li>Lattice-based cryptography</li> <li>Cryptography-based privacy-preserving</li> <li>Cryptanalysis </li> <li>Cryptography and AI</li> </ul> Candidates will have the chance to spend part of the time with Prof Jie Chen at Wuhan University, China and part with Assoc Prof Jian Guo at Nanyang Technological University in Singapore. 
Candidates with a strong record of publications in IACR conferences (Asiacrypt, Crypto, Eurocrypt, CHES, FSE, PKC, TCC) are encouraged to apply. A competitive salary package will be provided for qualified candidates. These positions are available immediately until filled. <p><b>Closing date for applications:</b> </p> <p><b>Contact:</b> Prof Jie Chen via jchen2024@whu.edu.cn </p> </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25444"> <div class="card-header pb-1"> <a id="item-url-25444" href="https://www.iacr.org/jobs/item/3946"> <h5 id="item-headline-25444"> Post-docs on the Provable Security of Symmetric Cryptography </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25444"> Xiamen University, Xiamen, China </h6> <img id="item-icon-25444" src="/img/icons/news/channel_12.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="Job Posting channel" alt="Job Posting" /> <span id="item-priority-25444" class="badge badge-dark priority5" title="Job Posting channel">Job Posting</span> </div> <div id="item-body-25444" class="card-text item-body"> <p> Located in Xiamen, which is one of China’s top ten livable cities, Xiamen University is generally acknowledged as one of the most beautiful universities in China. It has been perennially regarded as one of the top academic institutions in Southern China. With its lovely campus, profound cultural foundation, and great research atmosphere, Xiamen University provides an ideal environment for academic research and professional development. </p> <p> Xiamen University is now seeking candidates to fill two post-doc positions on the provable security of symmetric-key cryptography, with a tentative duration of 2 years. 
Potential research topics include, but are not limited to, the following directions: </p> <ul> <li>Authenticated encryption and message authentication codes with new security features, e.g., leakage-resistance, key-committing, high security.</li> <li>Provable security and generic attacks of hash functions.</li> <li>Security analysis and proofs of more general modes of operation in real-world applications/standards.</li> </ul> <p> Candidates with proven records of publications in established venues in cryptography/security are encouraged to apply. Candidates are invited to send a resume and motivation letter to Dr. Yaobin Shen (yaobin.shen [at] xmu.edu.cn). </p> <p><b>Closing date for applications:</b> </p> <p><b>Contact:</b> Dr. Yaobin Shen (yaobin.shen [at] xmu.edu.cn)</p> </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25443"> <div class="card-header pb-1"> <a id="item-url-25443" href="https://www.iacr.org/jobs/item/3945"> <h5 id="item-headline-25443"> Research Scientist </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25443"> Nokia Bell Labs, Belgium </h6> <img id="item-icon-25443" src="/img/icons/news/channel_12.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="Job Posting channel" alt="Job Posting" /> <span id="item-priority-25443" class="badge badge-dark priority5" title="Job Posting channel">Job Posting</span> </div> <div id="item-body-25443" class="card-text item-body"> Nokia Bell Labs has an open position for a Research Scientist in Privacy Enhancing Technologies (PETS). 
<br /><br /> Note:<br /> <ul> <li>Our lab is looking for a technical researcher who is highly skilled in programming and willing to build systems based on their research results.</li> <li>Interests and experience in ZK, FHE, and/or MPC are a plus.</li> <li>The position is based in Antwerp, Belgium (not remote).</li> </ul> <br /> Please directly apply here or contact me by email if you have a question: https://jobs.nokia.com/en/sites/CX_1/ <br /><br /> <p><b>Closing date for applications:</b> </p> <p><b>Contact:</b> emad.heydari_beni@nokia-bell-labs.com</p> <p><b>More information:</b> <a href="https://jobs.nokia.com/en/sites/CX_1/job/18559">https://jobs.nokia.com/en/sites/CX_1/job/18559</a></p> </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25442"> <div class="card-header pb-1"> <a id="item-url-25442" href="https://fse.iacr.org/2026/"> <h5 id="item-headline-25442"> FSE 2026: Fast Software Encryption </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25442"> Singapore, Singapore, 23 March - 27 March 2026 </h6> <img id="item-icon-25442" src="/img/icons/news/channel_7.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="FSE channel" alt="FSE" /> <span id="item-priority-25442" class="badge badge-dark priority3" title="FSE channel">FSE</span> </div> <div id="item-body-25442" class="card-text item-body"> Event date: 23 March to 27 March 2026<br> </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25441"> <div class="card-header pb-1"> <a id="item-url-25441" href="https://www.math.uzh.ch/konferenzdetails0?key1=818"> <h5 id="item-headline-25441"> The Mathematics of Post-quantum Cryptography </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" 
id="item-subheadline-25441"> Zurich, Switzerland, 2 June - 6 June 2025 </h6> <img id="item-icon-25441" src="/img/icons/news/channel_13.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="Event Calendar channel" alt="Event Calendar" /> <span id="item-priority-25441" class="badge badge-dark priority5" title="Event Calendar channel">Event Calendar</span> </div> <div id="item-body-25441" class="card-text item-body"> Event date: 2 June to 6 June 2025<br> </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <hr> <h4 class="mb-3"> 04 April 2025 </h4> <div class="card newsItemBox" id="item-25440"> <div class="card-header pb-1"> <a id="item-url-25440" href="https://eprint.iacr.org/2025/604"> <h5 id="item-headline-25440"> On the success rate of simple side-channel attacks against masking with unlimited attack traces </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25440"> Aymeric Hiltenbrand, Julien Eynard, Romain Poussier </h6> <img id="item-icon-25440" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25440" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25440" class="card-text item-body"> Side-channel attacks following a classical differential power analysis (DPA) style are well understood, along with the effect the masking countermeasure has on them. However, simple attacks (SPA), where the target variable does not vary thanks to a known value such as the plaintext, are less studied. In this paper, we investigate how the masking countermeasure affects the success rate of simple attacks. To this end, we provide theoretical, simulated, and practical experiments. 
Interestingly, we will see that masking can allow us to asymptotically recover more information on the secret than in the case of an unprotected implementation, depending on the masking type. We will see that this is true for masking encodings that add non-linearity with respect to the leakages, such as arithmetic masking, while it is not for Boolean masking. We believe this context provides interesting results, as the average information of arithmetic encoding is proven less informative than the Boolean one. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25439"> <div class="card-header pb-1"> <a id="item-url-25439" href="https://eprint.iacr.org/2025/603"> <h5 id="item-headline-25439"> Mobile Byzantine Agreement in a Trusted World </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25439"> Bo Pan, Maria Potop Butucaru </h6> <img id="item-icon-25439" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25439" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25439" class="card-text item-body"> In this paper, we address the Byzantine Agreement problem in synchronous systems where Byzantine agents can move from process to process, corrupting their host. We focus on three representative models: \emph{Garay's}, \emph{Bonnet's} and \emph{Buhrman's} models. In \emph{Garay's model}, when a process has been left by the Byzantine agent, it is in the \emph{cured} state: it is aware of its condition and thus can remain silent for a round to prevent the dissemination of wrong information. 
In \emph{Bonnet's model} a cured process may send messages (based on a state corrupted by the malicious agent); however, it will behave correctly in the way it sends those messages, i.e., it sends messages according to the algorithm. In \emph{Buhrman's model} Byzantine agents move together with the message. It has been shown that in order to solve Byzantine Agreement in \emph{Garay's model} at least $4t+1$ processors are needed, for \emph{Bonnet's model} at least $5t+1$ processors are needed, while for \emph{Buhrman's model} at least $3t+1$ processors are needed. In this paper we aim to increase the tolerance to mobile Byzantines by integrating a trusted counter abstraction into the above models. This abstraction prevents nodes from equivocating. In the new models we prove that at least $3t+1$, respectively $4t+1$, and $2t+1$ processors are needed to tolerate $t$ mobile Byzantine agents. Furthermore, we propose novel Mobile Byzantine Agreement algorithms that match these new lower bounds for \emph{Garay's}, \emph{Bonnet's} and \emph{Buhrman's} models. 
</div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25438"> <div class="card-header pb-1"> <a id="item-url-25438" href="https://eprint.iacr.org/2025/602"> <h5 id="item-headline-25438"> Lattice-Based Sanitizable Signature Schemes: Chameleon Hash Functions and More </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25438"> Sebastian Clermont, Samed Düzlü, Christian Janson, Laurens Porzenheim, Patrick Struck </h6> <img id="item-icon-25438" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25438" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25438" class="card-text item-body"> Sanitizable Signature Schemes (SSS) enable a designated party, the sanitizer, to modify predefined parts of a signed message without invalidating the signature, making them useful for applications like pseudonymization and redaction. Since their introduction by Ateniese et al. (ESORICS'05), several classical SSS constructions have been proposed, but none have been instantiated from quantum-resistant assumptions. In this work, we develop the first quantum-secure sanitizable signature schemes based on lattice assumptions. Our primary focus is on SSS constructions that rely on chameleon hash functions (CHFs), a key component for enabling the controlled modification of messages. While lattice-based CHFs exist, they do not meet the required security guarantees for SSS, becoming insecure under adversarial access to an adapt oracle. To address this, we construct a novel lattice-based CHF that achieves collision resistance even in such settings, called full collision resistance. 
However, our CHF lacks the uniqueness property, a limitation we show to be inherent in lattice-based CHFs. As a result, our SSS constructions initially fall short of achieving the critical security property of accountability. To overcome this, we apply a transformation based on verifiable ring signatures (VRS), for which we present the first lattice-based instantiation. Additionally, we provide a comprehensive analysis of existing classical SSS constructions, explore their potential for post-quantum instantiations, and present new attacks on previously assumed secure SSS schemes. Our work closes the gap in constructing quantum-secure SSS and lays the groundwork for further research into advanced cryptographic primitives based on lattice assumptions. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25437"> <div class="card-header pb-1"> <a id="item-url-25437" href="https://eprint.iacr.org/2025/601"> <h5 id="item-headline-25437"> PHOENIX: Crypto-Agile Hardware Sharing for ML-KEM and HQC </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25437"> Antonio Ras, Antoine Loiseau, Mikaël Carmona, Simon Pontié, Guénaël Renault, Benjamin Smith, Emanuele Valea </h6> <img id="item-icon-25437" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25437" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25437" class="card-text item-body"> The transition to quantum-safe public-key cryptography has begun: for key agreement, NIST has standardized ML-KEM and selected HQC for future standardization. The relative immaturity of these schemes encourages crypto-agile implementations, to facilitate easy transitions between them. 
Intelligent crypto-agility requires efficient sharing strategies to compute operations from different cryptosystems using the same resources. This is particularly challenging for cryptosystems with distinct mathematical foundations, like lattice-based ML-KEM and code-based HQC. We introduce PHOENIX, the first crypto-agile hardware coprocessor for lattice- and code-based cryptosystems--specifically, ML-KEM and HQC, at all three NIST security levels--with an effective agile sharing strategy. PHOENIX accelerates polynomial multiplication, which is the main operation in both cryptosystems, and the current bottleneck of HQC. To maximise sharing, we replace HQC's Karatsuba-based polynomial multiplication with the Frobenius Additive FFT (FAFFT), which is similar on an abstract level to ML-KEM's Number Theoretic Transform (NTT). We show that the FAFFT already brings substantial performance improvements in software. In hardware, our sharing strategy for the FAFFT and NTT is based on a new SuperButterfly unit that seamlessly switches between these two FFT variants over completely different rings. This is, to our knowledge, the first FAFFT hardware accelerator of any kind. We have integrated PHOENIX in a real System-on-Chip FPGA scenario, where our performance measurements show that efficient crypto-agility for lattice- and code-based KEMs can be achieved with low overhead. 
</div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25436"> <div class="card-header pb-1"> <a id="item-url-25436" href="https://eprint.iacr.org/2025/600"> <h5 id="item-headline-25436"> Improved Round-by-round Soundness IOPs via Reed-Muller Codes </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25436"> Dor Minzer, Kai Zhe Zheng </h6> <img id="item-icon-25436" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25436" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25436" class="card-text item-body"> We give an IOPP (interactive oracle proof of proximity) for trivariate Reed-Muller codes that achieves the best known query complexity in some range of security parameters. Specifically, for degree $d$ and security parameter $\lambda\leq \frac{\log^2 d}{\log\log d}$ , our IOPP has $2^{-\lambda}$ round-by-round soundness, $O(\lambda)$ queries, $O(\log\log d)$ rounds and $O(d)$ length. This improves upon the FRI [Ben-Sasson, Bentov, Horesh, Riabzev, ICALP 2018] and the STIR [Arnon, Chiesa, Fenzi, Yogev, Crypto 2024] IOPPs for Reed-Solomon codes, that have larger query and round complexity standing at $O(\lambda \log d)$ and $O(\log d+\lambda\log\log d)$ respectively. We use our IOPP to give an IOP for the NP-complete language Rank-1-Constraint-Satisfaction with the same parameters.<br><br> Our construction is based on the line versus point test in the low-soundness regime. Compared to the axis parallel test (which is used in all prior works), the general affine lines test has improved soundness, which is the main source of our improved soundness. 
Using this test involves several complications, most significantly that projection to affine lines does not preserve individual degrees, and we show how to overcome these difficulties. En route, we extend some existing machinery to more general settings. Specifically, we give proximity generators for Reed-Muller codes, show a more systematic way of handling "side conditions" in IOP constructions, and generalize the compiling procedure of [Arnon, Chiesa, Fenzi, Yogev, Crypto 2024] to general codes. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25435"> <div class="card-header pb-1"> <a id="item-url-25435" href="https://eprint.iacr.org/2025/599"> <h5 id="item-headline-25435"> Insecurity of One Decentralized Attribute-based Signature Scheme for Social Co-governance </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25435"> Zhengjun Cao, Lihua Liu </h6> <img id="item-icon-25435" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25435" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25435" class="card-text item-body"> We show that the attribute-based signature scheme [Information Sciences, 654(2024), 119839] is insecure, because an adversary can generate valid signatures for any message even though he cannot access the signer's secret key. The four components of signature $\{\delta_1, \delta_2, \delta_3, \delta_4\}$ are not tightly bound to the target message $M$ and the signer's public key. The dependency between the signer's public key and secret key is not properly used to construct any intractable problem. 
The inherent flaw means that the adversary can find an efficient signing algorithm functionally equivalent to the valid signing algorithm. </div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> <div class="card newsItemBox" id="item-25434"> <div class="card-header pb-1"> <a id="item-url-25434" href="https://eprint.iacr.org/2025/598"> <h5 id="item-headline-25434"> Nominal State-Separating Proofs </h5> </a> </div> <div class="card-body"> <div class="d-flex"> <h6 class="card-title newsCardSubtitle mt-1 mr-auto" id="item-subheadline-25434"> Markus Krabbe Larsen, Carsten Schürmann </h6> <img id="item-icon-25434" src="/img/icons/news/channel_10.svg" class="pl-1 newsCategoryIcon d-none d-md-block" title="ePrint Report channel" alt="ePrint Report" /> <span id="item-priority-25434" class="badge badge-dark priority5" title="ePrint Report channel">ePrint Report</span> </div> <div id="item-body-25434" class="card-text item-body"> State-separating proofs are a powerful tool to structure cryptographic arguments so that they are amenable to mechanization, as has been shown through implementations such as SSProve. However, the treatment of separation for heaps has never been satisfactorily addressed. In this work, we present the first comprehensive treatment of nominal state separation in state-separating proofs using nominal sets. We provide a Coq library, called Nominal-SSProve, that builds on nominal state separation supporting mechanized proofs that appear more concise and arguably more elegant. 
</div><span class="btn-link text-right expand-button body-expand">Expand</span> </div> </div> </section> </main> </body> </html>