CINXE.COM
All papers
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link href="/css/dist/css/bootstrap.min.css" rel="stylesheet"> <title>All papers</title> <link rel="stylesheet" href="/css/eprint.css?v=10"> <meta name="robots" content="noindex,nofollow" /> <style> div.summaryauthors { font-style: italic; } a.abstract-open:after { content:' -'; font-weight: 800; } a.abstract-closed:after { content: " ›"; font-weight: 800; } .paper-abstract { max-height: 0; overflow-y: hidden; transition: max-height 0.2s ease-out; white-space: pre-wrap; } </style> <script> function toggleAbstract(elem) { console.dir(elem); let target = document.getElementById(elem.dataset.target); if (target.style.maxHeight) { target.style.maxHeight = null; elem.text = 'Show abstract'; elem.classList.add('abstract-closed'); elem.classList.remove('abstract-open'); } else { target.style.maxHeight = target.scrollHeight + "px"; elem.text = 'Hide abstract'; elem.classList.remove('abstract-closed'); elem.classList.add('abstract-open'); } } </script> <script> MathJax = { tex: { inlineMath: [['$', '$'], ['\\(', '\\)']], displayMath: [ ['$$','$$'], ["\\[","\\]"] ], processEnvironments: false }, loader: { load: [ "ui/safe", "ui/lazy", ], }, options: { safeOptions: { allow: { URLs: "none", classes: "safe", cssIDs: "safe", styles: "safe", }, }, } }; </script> <script id="MathJax-script" async src="/js/mathjax/tex-chtml.js"></script> </head> <body> <noscript> <h1 class="text-center">What a lovely hat</h1> <h4 class="text-center">Is it made out of <a href="https://iacr.org/tinfoil.html">tin foil</a>?</h4> </noscript> <div class="fixed-top" id="topNavbar"> <nav class="navbar navbar-custom navbar-expand-lg"> <div class="container px-0 justify-content-between justify-content-lg-evenly"> <div class="order-0 align-items-center d-flex"> <button class="navbar-toggler btnNoOutline" type="button" data-bs-toggle="collapse" data-bs-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false"> <span class="icon-bar top-bar"></span> <span class="icon-bar middle-bar"></span> <span class="icon-bar bottom-bar"></span> </button> <a class="d-none me-5 d-lg-inline" href="https://iacr.org/"><img class="iacrlogo" src="/img/iacrlogo_small.png" alt="IACR Logo" style="max-width:6rem;"></a> </div> <a class="ePrintname order-1" href="/"> <span class="longNavName">Cryptology ePrint Archive</span> </a> <div class="collapse navbar-collapse order-3" id="navbarContent"> <ul class="navbar-nav me-auto ms-2 mb-2 mb-lg-0 justify-content-end w-100"> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Papers </a> <ul class="dropdown-menu me-3" aria-labelledby="navbarDropdown"> <span class="text-dark mx-3" style="white-space:nowrap;">Updates from the last:</span> <li><a class="dropdown-item ps-custom" href="/days/7">7 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/31">31 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/183">6 months</a></li> <li><a class="dropdown-item ps-custom" href="/days/365">365 days</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/byyear">Listing by year</a></li> <li><a class="dropdown-item" href="/complete">All papers</a></li> <li><a class="dropdown-item" href="/complete/compact">Compact view</a></li> <li><a class="dropdown-item" href="https://www.iacr.org/news/subscribe">Subscribe</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/citation.html">How to cite</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/rss">Harvesting metadata</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="submissionsDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Submissions </a> <ul class="dropdown-menu me-3" aria-labelledby="submissionsDropdown"> <li><a class="dropdown-item" href="/submit">Submit a paper</a></li> <li><a class="dropdown-item" href="/revise">Revise or withdraw a paper</a></li> <li><a class="dropdown-item" href="/operations.html">Acceptance and publishing conditions</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="aboutDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> About </a> <ul class="dropdown-menu me-3" aria-labelledby="aboutDropdown"> <li><a class="dropdown-item" href="/about.html">Goals and history</a></li> <li><a class="dropdown-item" href="/news.html">News</a></li> <li><a class="dropdown-item" href="/stats">Statistics</a></li> <li><a class="dropdown-item" href="/contact.html">Contact</a></li> </ul> </li> </ul> </div> <div class="dropdown ps-md-2 text-right order-2 order-lg-last"> <button class="btn btnNoOutline" type="button" id="dropdownMenuButton1" data-bs-toggle="dropdown" aria-expanded="false"> <img src="/img/search.svg" class="searchIcon" alt="Search Button"/> </button> <div id="searchDd" class="dropdown-menu dropdown-menu-end p-0" aria-labelledby="dropdownMenuButton1"> <form action="/search" method="GET"> <div class="input-group"> <input id="searchbox" name="q" type="search" class="form-control" autocomplete="off"> <button class="btn btn-secondary border input-group-append ml-2"> Search </button> </div> </form> <div class="ms-2 p-1 d-none"><a href="/search">Advanced search</a></div> </div> </div> </div> </nav> </div> <main id="eprintContent" class="container px-3 py-4 p-md-4"> <script> function scrollToTop() { window.scrollTo({ top: 0, behavior: 'smooth' }); } </script> <h2 class="mt-2 mb-3 px-1 px-lg-4">All papers (23896 results)</h2> <div id="scrollButtons" style="position:sticky;height:30px;top:90vh;left:25%"> <div id="buttonContainer" class="d-none d-md-block"> <img src="/img/arrow-up-circle-outline.svg" style="height:30px;width:30px;" title="Scroll to top" onclick="scrollToTop()"> </div> </div> <div class="paperList ms-lg-4 me-lg-4"> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/526">2025/526</a> <a class="ms-2" href="/2025/526.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-20</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">AI Agents in Cryptoland: Practical Attacks and No Silver Bullet</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Atharv Singh Patlan, Peiyao Sheng, S. Ashwin Hebbar, Prateek Mittal, and Pramod Viswanath</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-526" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-526" class="paper-abstract">The integration of AI agents with Web3 ecosystems harnesses their complementary potential for autonomy and openness, yet also introduces underexplored security risks, as these agents dynamically interact with financial protocols and immutable smart contracts. This paper investigates the vulnerabilities of AI agents within blockchain-based financial ecosystems when exposed to adversarial threats in real-world scenarios. We introduce the concept of context manipulation -- a comprehensive attack vector that exploits unprotected context surfaces, including input channels, memory modules, and external data feeds. Through empirical analysis of ElizaOS, a decentralized AI agent framework for automated Web3 operations, we demonstrate how adversaries can manipulate context by injecting malicious instructions into prompts or historical interaction records, leading to unintended asset transfers and protocol violations which could be financially devastating. Our findings indicate that prompt-based defenses are insufficient, as malicious inputs can corrupt an agent's stored context, creating cascading vulnerabilities across interactions and platforms. This research highlights the urgent need to develop AI agents that are both secure and fiduciarily responsible.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/525">2025/525</a> <a class="ms-2" href="/2025/525.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-20</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Deniable Secret Sharing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Ran Canetti, Ivan Damgård, Sebastian Kolby, Divya Ravi, and Sophia Yakoubov</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-525" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-525" class="paper-abstract">We introduce deniable secret sharing (DSS), which, analogously to deniable encryption, enables shareholders to produce fake shares that are consistent with a target “fake message”, regardless of the original secret. In contrast to deniable encryption, in a DSS scheme an adversary sees multiple shares, some of which might be real, and some fake. This makes DSS a more difficult task, especially in situations where the fake shares need to be generated by individual shareholders, without coordination with other shareholders. We define several desirable properties for DSS, and show both positive and negative results for each. The strongest property is fake hiding, which is a natural analogy of deniability for encryption: given a complete set of shares, an adversary cannot determine whether any shares are fake. We show a construction based on Shamir secret sharing that achieves fake hiding as long as (1) the fakers are qualified (number $t$ or more), and (2) the set of real shares which the adversary sees is unqualified. Next we show a construction based on indistinguishability obfuscation that relaxes condition (1) and achieves fake hiding even when the fakers are unqualified (as long as they comprise more than half of the shareholders). We also extend the first construction to provide the weaker property of faker anonymity for all thresholds. (Faker anonymity requires that given some real shares and some fake shares, an adversary should not be able to tell which are fake, even if it can tell that some fake shares are present.) All of these constructions require the fakers to coordinate in order to produce fake shares. On the negative side, we first show that fake hiding is unachievable when the fakers are a minority, even if the fakers coordinate. Further, if the fakers do not coordinate, then even faker anonymity is unachievable as soon as $t < n$ (namely the reconstruction threshold is smaller than the number of parties).</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/524">2025/524</a> <a class="ms-2" href="/2025/524.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-20</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Ring Referral: Efficient Publicly Verifiable Ad hoc Credential Scheme with Issuer and Strong User Anonymity for Decentralized Identity and More</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">The-Anh Ta, Xiangyu Hui, and Sid Chi-Kin Chau</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-524" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-524" class="paper-abstract">In this paper, we present a ring referral scheme, by which a user can publicly prove her knowledge of a valid signature for a private message that is signed by one of an ad hoc set of authorized issuers, without revealing the signing issuer. Ring referral is a natural extension to traditional ring signature by allowing a prover to obtain a signature from a third-party signer. Our scheme is useful for diverse applications, such as certificate-hiding decentralized identity, privacy-enhancing federated authentication, anonymous endorsement and privacy -preserving referral marketing. In contrast with prior issuer-hiding credential schemes, our ring referral scheme supports more distinguishing features, such as (1) public verifiability over an ad hoc ring, (2) strong user anonymity against collusion among the issuers and verifier to track a user, (3) transparent setup, (4) message hiding, (5) efficient multi-message logarithmic verifiability, (6) threshold scheme for requiring multiple co-signing issuers. Finally, we implemented our ring referral scheme with extensive empirical evaluation</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/523">2025/523</a> <a class="ms-2" href="/2025/523.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Assembly optimised Curve25519 and Curve448 implementations for ARM Cortex-M4 and Cortex-M33</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Emil Lenngren</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-523" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-523" class="paper-abstract">Since the introduction of TLS 1.3, which includes X25519 and X448 as key exchange algorithms, one could expect that high efficient implementations for these two algorithms become important as the need for power efficient and secure IoT devices increases. Assembly optimised X25519 implementations for low end processors such as Cortex-M4 have existed for some time but there has only been scarce progress on optimised X448 implementations for low end ARM processors such as Cortex-M4 and Cortex-M33. This work attempts to fill this gap by demonstrating how to design a constant time X448 implementation that runs in 2 273 479 cycles on Cortex-M4 and 2 170 710 cycles on Cortex-M33 with DSP. An X25519 implementation is also presented that runs in 441 116 cycles on Cortex-M4 and 411 061 cycles on Cortex-M33 with DSP.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/522">2025/522</a> <a class="ms-2" href="/2025/522.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">New Techniques for Analyzing Fully Secure Protocols: A Case Study of Solitary Output Secure Computation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Bar Alon, Benjamin Saldman, and Eran Omri</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-522" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-522" class="paper-abstract">Solitary output secure computation allows a set of mutually distrustful parties to compute a function of their inputs such that only a designated party obtains the output. Such computations should satisfy various security properties such as correctness, privacy, independence of inputs, and even guaranteed output delivery. We are interested in full security, which captures all of these properties. Solitary output secure computation has been the study of many papers in recent years, as it captures many real-world scenarios. A systematic study of fully secure solitary output computation was initiated by Halevi et al. [TCC 2019]. They showed several positive and negative results, however, they did not characterize what functions can be computed with full security. Alon et al. [EUROCRYPT 2024] considered the special, yet important case, of three parties with Boolean output, where the output-receiving party has no input. They completely characterized the set of such functionalities that can be computed with full security. Interestingly, they also showed a possible connection with the seemingly unrelated notion of fairness, where either all parties obtain the output or none of them do. We continue this line of investigation and study the set of three-party solitary output Boolean functionalities where all parties hold private inputs. Our main contribution is defining and analyzing a family of ``special-round'' protocols, which generalizes the set of previously proposed protocols. Our techniques allow us to identify which special-round protocols securely compute a given functionality (if such exists). Interestingly, our analysis can also be applied in the two-party setting (where fairness is an issue). Thus, we believe that our techniques may prove useful in additional settings and deepen our understanding of the connections between the various settings.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/521">2025/521</a> <a class="ms-2" href="/2025/521.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Division polynomials for arbitrary isogenies</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Katherine E. Stange</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-521" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-521" class="paper-abstract">Following work of Mazur-Tate and Satoh, we extend the definition of division polynomials to arbitrary isogenies of elliptic curves, including those whose kernels do not sum to the identity. In analogy to the classical case of division polynomials for multiplication-by-n, we demonstrate recurrence relations, identities relating to classical elliptic functions, the chain rule describing relationships between division polynomials on source and target curve, and generalizations to higher dimension (i.e., elliptic nets).</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/520">2025/520</a> <a class="ms-2" href="/2025/520.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Thibauld Feneuil, Matthieu Rivain, and Auguste Warmé-Janville</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-520" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-520" class="paper-abstract">Side-channel attacks pose significant threats to cryptographic implementations, which require the inclusion of countermeasures to mitigate these attacks. In this work, we study the masking of state-of-the-art post-quantum signatures based on the MPC-in-the-head paradigm. More precisely, we focus on the recent threshold-computation-in-the-head (TCitH) framework that applies to some NIST candidates of the post-quantum standardization process. We first provide an analysis of side-channel attack paths in the signature algorithms based on the TCitH framework. We then explain how to apply standard masking to achieve a $d$-probing secure implementation of such schemes, with performance scaling in $O(d^{2})$, for $d$ the masking order. Our main contribution is to introduce different ways to tweak those signature schemes towards their masking friendliness. While the TCitH framework comes in two variants, the GGM variant and the Merkle tree variant, we introduce a specific tweak for each of these variants. These tweaks allow us to achieve complexities of $O(d)$ and $O(d \log d)$ at the cost of non-constant signature size, caused by the inclusion of additional seeds in the signature. We also propose a third tweak that takes advantage of the threshold secret sharing used in TCitH. With the right choice of parameters, we show how, by design, some parts of the TCitH algorithms satisfy probing security without additional countermeasures. While this approach can substantially reduce the cost of masking in some part of the signature algorithm, it degrades the soundness of the core zero-knowledge proof, hence slightly increasing the size of the signature. We analyze the complexity of the masked implementations of our tweaked TCitH signatures and provide benchmarks on a RISC-V platform with built-in hash accelerator. We use a modular benchmarking approach, allowing to estimate the performance of diverse signature instances with different tweaks and parameters. Our results illustrate how the different variants scale for an increasing masking order. For instance, for a masking order $d = 3$, we obtain signatures of around $14$ kB that run in $0.67$ second on a the target RISC-V CPU with a $250$MHz frequency. This is to be compared with the $4.7$ seconds required by the original signature scheme masked at the same order on the same platform. For a masking order $d=7$, we obtain a signature of $17.5$ kB running in $1.75$ second, to be compared with $16$ seconds for the stardard masked signature. Finally, we discuss the extension of our techniques to signature schemes based on the VOLE-in-the-Head framework, which shares similarities with the GGM variant of TCitH. One key takeaway of our work is that the Merkle tree variant of TCitH is inherently more amenable to efficient masking than frameworks based on GGM trees, such as TCitH-GGM or VOLE-in-the-Head.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/519">2025/519</a> <a class="ms-2" href="/2025/519.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">mid-pSquare: Leveraging the Strong Side-Channel Security of Prime-Field Masking in Software</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Brieuc Balon, Lorenzo Grassi, Pierrick Méaux, Thorben Moos, François-Xavier Standaert, and Matthias Johann Steiner</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-519" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-519" class="paper-abstract">Efficiently protecting embedded software implementations of standard symmetric cryptographic primitives against side-channel attacks has been shown to be a considerable challenge in practice. This is, in part, due to the most natural countermeasure for such ciphers, namely Boolean masking, not amplifying security well in the absence of sufficient physical noise in the measurements. So-called prime-field masking has been demonstrated to provide improved theoretical guarantees in this context, and the Feistel for Prime Masking (FPM) family of Tweakable Block Ciphers (TBCs) has been recently introduced (Eurocrypt’24) to efficiently leverage these advantages. However, it was so far only instantiated for and empirically evaluated in a hardware implementation context, by using a small (7-bit) prime modulus. In this paper, we build on the theoretical incentive to increase the field size to obtain improved side-channel (Eurocrypt’24) and fault resistance (CHES’24), as well as on the practical incentive to instantiate an FPM instance with optimized performance on 32-bit software platforms. We introduce mid-pSquare for this purpose, a lightweight TBC operating over a 31-bit Mersenne prime field. We first provide an in-depth black box security analysis with a particular focus on algebraic attacks – which, contrary to the cryptanalysis of instances over smaller primes, are more powerful than statistical ones in our setting. We also design a strong tweak schedule to account for potential related-tweak algebraic attacks which, so far, are almost unknown in the literature. We then demonstrate that mid-pSquare implementations deliver very competitive performance results on the target platform compared to analogous binary TBCs regardless of masked or unmasked implementation (we use fix-sliced SKINNY for our comparisons). Finally, we experimentally establish the side-channel security improvements that masked mid-pSquare can lead to, reaching unmatched resistance to profiled horizontal attacks on lightweight 32-bit processors (ARM Cortex-M4).</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/518">2025/518</a> <a class="ms-2" href="/2025/518.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Secret-Sharing Schemes for General Access Structures: An Introduction</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Amos Beimel</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-518" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-518" class="paper-abstract">A secret-sharing scheme is a method by which a dealer distributes shares to parties such that only authorized subsets of parties can reconstruct the secret. Secret-sharing schemes are an important tool in cryptography and they are used as a building block in many secure protocols, e.g., secure multiparty computation protocols for arbitrary functionalities, Byzantine agreement, threshold cryptography, access control, attribute-based encryption, and weighted cryptography (e.g., stake-based blockchains). The collection of authorized sets that should be able to reconstruct the secret is called an access structure. The main goal in secret sharing is to minimize the share size in a scheme realizing an access structure. In most of this monograph, we will consider secret-sharing schemes with information-theoretic security, i.e., schemes in which unauthorized sets cannot deduce any information on the secret even when the set has unbounded computational power. Although research on secret-sharing schemes has been conducted for nearly 40 years, we still do not know what the optimal share size required to realize an arbitrary 𝑛-party access structure is; there is an exponential gap between the best known upper bounds and the best known lower bounds on the share size. In this monograph, we review the most important topics on secret sharing. We start by discussing threshold secret-sharing schemes in which the authorized sets are all sets whose size is at least some threshold 𝑡; these are the most useful secret-sharing schemes. We then describe efficient constructions of secret-sharing schemes for general access structures; in particular, we describe constructions of linear secret-sharing schemes from monotone formulas and monotone span programs and provide a simple construction for arbitrary 𝑛-party access structures with share size 2𝑐𝑛 for some constant 𝑐 < 1. To demonstrate the importance of secret-sharing schemes, we show how they are used to construct secure multi-party computation protocols for arbitrary functions. We next discuss the main problem with known secret-sharing schemes – the large share size, which is exponential in the number of parties. We present the known lower bounds on the share size. These lower bounds are fairly weak, and there is a big gap between the lower and upper bounds. For linear secret-sharing schemes, which are a class of schemes based on linear algebra that contains most known schemes, exponential lower bounds on the share size are known. We then turn to study ideal secret-sharing schemes in which the share size of each party is the same as the size of the secret; these schemes are the most efficient secret-sharing schemes. We describe a characterization of the access structures that have ideal schemes via matroids. Finally, we discuss computational secret-sharing schemes, i.e., secret-sharing schemes that are secure only against polynomial-time adversaries. We show computational schemes for monotone and non-monotone circuits; these constructions are more efficient than the best known schemes with information-theoretic security.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/517">2025/517</a> <a class="ms-2" href="/2025/517.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Designated-Verifier SNARGs with One Group Element</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Gal Arnon, Jesko Dujmovic, and Yuval Ishai</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-517" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-517" class="paper-abstract">We revisit the question of minimizing the proof length of designated-verifier succinct non-interactive arguments (dv-SNARGs) in the generic group model. Barta et al. (Crypto 2020) constructed such dv-SNARGs with inverse-polynomial soundness in which the proof consists of only two group elements. For negligible soundness, all previous constructions required a super-constant number of group elements. We show that one group element suffices for negligible soundness. Concretely, we obtain dv-SNARGs (in fact, dv-SNARKs) with $2^{-\tau}$ soundness where proofs consist of one element of a generic group $\mathbb G$ and $O(\tau)$ additional bits. In particular, the proof length in group elements is constant even with $1/|\mathbb G|$ soundness error. In more concrete terms, compared to the best known SNARGs using bilinear groups, we get dv-SNARGs with roughly $2$x shorter proofs (with $2^{-80}$ soundness at a $128$-bit security level). We are not aware of any practically feasible proof systems that achieve similar succinctness, even fully interactive or heuristic ones. Our technical approach is based on a novel combination of techniques for trapdoor hash functions and group-based homomorphic secret sharing with linear multi-prover interactive proofs.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/516">2025/516</a> <a class="ms-2" href="/2025/516.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-21</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Don't Use It Twice: Reloaded! On the Lattice Isomorphism Group Action</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Alessandro Budroni, Jesús-Javier Chi-Domínguez, and Ermes Franch</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-516" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-516" class="paper-abstract">Group actions have emerged as a powerful framework in post-quantum cryptography, serving as the foundation for various cryptographic primitives. The Lattice Isomorphism Problem (LIP) has recently gained attention as a promising hardness assumption for designing quantum-resistant protocols. Its formulation as a group action has opened the door to new cryptographic applications, including a commitment scheme and a linkable ring signature. In this work, we analyze the security properties of the LIP group action and present new findings. Specifically, we demonstrate that it fails to satisfy the weak unpredictability and weak pseudorandomness properties when the adversary has access to as few as three and two instances with the same secret, respectively. This significantly improves upon prior analysis by Budroni et al. (PQCrypto 2024). As a direct consequence of our findings, we reveal a vulnerability in the linkable ring signature scheme proposed by Khuc et al. (SPACE 2024), demonstrating that the hardness assumption underlying the linkable anonymity property does not hold.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/515">2025/515</a> <a class="ms-2" href="/2025/515.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Compressed Sigma Protocols: New Model and Aggregation Techniques</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Yuxi Xue, Tianyu Zheng, Shang Gao, Bin Xiao, and Man Ho Au</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-515" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-515" class="paper-abstract">Sigma protocols ($\Sigma$-protocols) provide a foundational paradigm for constructing secure algorithms in privacy-preserving applications. To enhance efficiency, several extended models [BG18], [BBB+18], [AC20] incorporating various optimization techniques have been proposed as ``replacements'' for the original $\Sigma$-protocol. However, these models often lack the expressiveness needed to handle complex relations and hinder designers from applying appropriate instantiation and optimization strategies. In this paper, we introduce a novel compressed $\Sigma$-protocol model that effectively addresses these limitations by providing concrete constructions for relations involving non-linear constraints. Our approach is sufficiently expressive to encompass a wide range of relations. Central to our model is the definition of doubly folded commitments, which, along with a proposed Argument of Knowledge, generalizes the compression and amortization processes found in previous models. Despite the ability to express more relations, this innovation also provides a foundation to discuss a general aggregation technique, optimizing the proof size of instantiated schemes. To demonstrate the above statements, we provide a brief review of several existing protocols that can be instantiated using our model to demonstrate the versatility of our construction. We also present use cases where our generalized model enhances applications traditionally considered ``less compact'', such as binary proofs [BCC+15] and $k$-out-of-$n$ proofs [ACF21]. In conclusion, our new model offers a more efficient and expressive alternative to the current use of $\Sigma$-protocols, paving the way for broader applicability and optimization in cryptographic applications.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/514">2025/514</a> <a class="ms-2" href="/2025/514.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On Extractability of the KZG Family of Polynomial Commitment Schemes</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Juraj Belohorec, Pavel Dvořák, Charlotte Hoffmann, Pavel Hubáček, Kristýna Mašková, and Martin Pastyřík</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-514" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-514" class="paper-abstract">We present a unifying framework for proving the knowledge-soundness of KZG-like polynomial commitment schemes, encompassing both univariate and multivariate variants. By conceptualizing the proof technique of Lipmaa, Parisella, and Siim for the univariate KZG scheme (EUROCRYPT 2024), we present tools and falsifiable hardness assumptions that permit black-box extraction of the multivariate KZG scheme. Central to our approach is the notion of a canonical Proof-of-Knowledge of a Polynomial (PoKoP) of a polynomial commitment scheme, which we use to capture the extractability notion required in constructions of practical zk-SNARKs. We further present an explicit polynomial decomposition lemma for multivariate polynomials, enabling a more direct analysis of interpolating extractors and bridging the gap between univariate and multivariate commitments. Our results provide the first standard-model proofs of extractability for the multivariate KZG scheme and many of its variants under falsifiable assumptions.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/513">2025/513</a> <a class="ms-2" href="/2025/513.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Server-Aided Anonymous Credentials</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Rutchathon Chairattana-Apirom, Franklin Harding, Anna Lysyanskaya, and Stefano Tessaro</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-513" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-513" class="paper-abstract">This paper formalizes the notion of server-aided anonymous credentials (SAACs), a new model for anonymous credentials (ACs) where, in the process of showing a credential, the holder is helped by additional auxiliary information generated in an earlier (anonymous) interaction with the issuer. This model enables lightweight instantiations of 'publicly verifiable and multi-use' ACs from pairing-free elliptic curves, which is important for compliance with existing national standards. A recent candidate for the EU Digital Identity Wallet, BBS#, roughly adheres to the SAAC model we have developed; however, it lacks formal security definitions and proofs. In this paper, we provide rigorous definitions of security for SAACs, and show how to realize SAACs from the weaker notion of keyed-verification ACs (KVACs) and special types of oblivious issuance protocols for zero-knowledge proofs. We instantiate this paradigm to obtain two constructions: one achieves statistical anonymity with unforgeability under the Gap $q$-SDH assumption, and the other achieves computational anonymity and unforgeability under the DDH assumption.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/512">2025/512</a> <a class="ms-2" href="/2025/512.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Optimizing AES-GCM on ARM Cortex-M4: A Fixslicing and FACE-Based Approach</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Hyunjun Kim and Hwajeong Seo</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-512" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-512" class="paper-abstract">The Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) delivers both confidentiality and integrity yet poses performance and security challenges on resource-limited microcontrollers. In this paper, we present an optimized AES-GCM implementation for the ARM Cortex-M4 that combines Fixslicing AES with the FACE (Fast AES-CTR Encryption) strategy, significantly reducing redundant computations in AES-CTR. We further examine two GHASH implementations—a 4-bit Table-based approach and a Karatsuba-based constant-time variant—to balance speed, memory usage, and resistance to timing attacks. Our evaluations on an STM32F4 microcontroller show that Fixslicing+FACE reduces AES-128 GCTR cycle counts by up to 19.41\%, while the Table-based GHASH achieves nearly double the speed of its Karatsuba counterpart. These results confirm that, with the right mix of bitslicing optimizations, counter-mode caching, and lightweight polynomial multiplication, secure and efficient AES-GCM can be attained even on low-power embedded devices.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/511">2025/511</a> <a class="ms-2" href="/2025/511.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">VeriSSO: A Privacy-Preserving Legacy-Compatible Single Sign-On Protocol Using Verifiable Credentials</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Ifteher Alom, Sudip Bhujel, and Yang Xiao</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-511" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-511" class="paper-abstract">Single Sign-On (SSO) is a popular authentication mechanism enabling users to access multiple web services with a single set of credentials. Despite its convenience, SSO faces outstanding privacy challenges. The Identity Provider (IdP) represents a single point of failure and can track users across different Relying Parties (RPs). Multiple colluding RPs may track users through common identity attributes. In response, anonymous credential-based SSO solutions have emerged to offer privacy-preserving authentication without revealing unnecessary user information. However, these solutions face two key challenges: supporting RP authentication without compromising user unlinkability and maintaining compatibility with the predominant Authorization Code Flow (ACF). This paper introduces VeriSSO, a novel SSO protocol based on verifiable credentials (VC) that supports RP authentication while preserving privacy and avoiding single points of failure. VeriSSO employs an independent authentication server committee to manage RP and user authentication, binding RP authentication with credential-based anonymous user authentication. This approach ensures user unlinkability while supporting RP authentication and allows RPs to continue using their existing verification routines with identity tokens as in the ACF workflow. VeriSSO's design also supports lawful de-anonymization, ensuring user accountability for misbehavior during anonymity. Experimental evaluations of VeriSSO demonstrate its efficiency and practicality, with authentication processes completed within 100 milliseconds.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/510">2025/510</a> <a class="ms-2" href="/2025/510.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-21</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Adaptive Adversaries in Byzantine-Robust Federated Learning: A survey.</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Jakub Kacper Szeląg, Ji-Jian Chin, and Sook-Chin Yip</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-510" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-510" class="paper-abstract">Federated Learning (FL) has recently emerged as one of the leading paradigms for collaborative machine learning, serving as a tool for model computation without a need to expose one’s privately stored data. However, despite its advantages, FL systems face severe challenges within its own security solutions that address both privacy and robustness of models. This paper focuses on vulnerabilities within the domain of FL security with emphasis on model-robustness. Identifying critical gaps in current defences, particularly against adaptive adversaries which modify their attack strategies after being disconnected and rejoin systems to continue attacks. To our knowledge, other surveys in this domain do not cover the concept of adaptive adversaries, this along with the significance of their impact serves as the main motivation for this work. Our contributions are fivefold: (1) we present a comprehensive overview of FL systems, presenting a complete summary of its fundamental building blocks, (2) an extensive overview of existing vulnerabilities that target FL systems in general, (3) highlight baseline attack vectors as well as state-of-the-art approaches to development of attack methods and defence mechanisms, (4) introduces a novel baseline method of attack leveraging reconnecting malicious clients, and (5) identifies future research directions to address and counter adaptive attacks. We demonstrate through experimental results that existing baseline secure aggregation rules used in other works for comparison such as Krum and Trimmed Mean are insufficient against those attacks. Further, works improving upon those algorithms do not address this concern either. Our findings serve as a basis for redefining FL security paradigms in the direction of adaptive adversaries.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/509">2025/509</a> <a class="ms-2" href="/2025/509.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Almost Optimal KP and CP-ABE for Circuits from Succinct LWE</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Hoeteck Wee</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-509" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-509" class="paper-abstract">We present almost-optimal lattice-based attribute-based encryption (ABE) and laconic function evaluation (LFE). For depth d circuits over $\ell$-bit inputs, we obtain * key-policy (KP) and ciphertext-policy (CP) ABE schemes with ciphertext, secret key and public key size $O(1)$; * LFE with ciphertext size $\ell + O(1)$ as well as CRS and digest size $O(1)$; where O(·) hides poly(d, λ) factors. The parameter sizes are optimal, up to the poly(d) dependencies. The security of our schemes rely on succinct LWE (Wee, CRYPTO 2024). Our results constitute a substantial improvement over the state of the art; none of our results were known even under the stronger evasive LWE assumption.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/508">2025/508</a> <a class="ms-2" href="/2025/508.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Towards Building Scalable Constant-Round MPC from Minimal Assumptions via Round Collapsing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Vipul Goyal, Junru Li, Rafail Ostrovsky, and Yifan Song</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-508" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-508" class="paper-abstract">In this work, we study the communication complexity of constant-round secure multiparty computation (MPC) against a fully malicious adversary and consider both the honest majority setting and the dishonest majority setting. In the (strong) honest majority setting (where $t=(1/2-\epsilon)n$ for a constant $\epsilon$), the best-known result without relying on FHE is given by Beck et al. (CCS 2023) based on the LPN assumption that achieves $O(|C|\kappa)$ communication, where $\kappa$ is the security parameter and the achieved communication complexity is independent of the number of participants. In the dishonest majority setting, the best-known result is achieved by Goyal et al. (ASIACRYPT 2024), which requires $O(|C|n\kappa)$ bits of communication and is based on the DDH and LPN assumptions. In this work, we achieve the following results: (1) For any constant $\epsilon<1$, we give the first constant-round MPC in the dishonest majority setting for corruption threshold $t<(1-\epsilon)n$ with $O(|C|\kappa+D (n+\kappa)^2\kappa)$ communication assuming random oracles and oblivious transfers, where $D$ is the circuit depth. (2) We give the first constant-round MPC in the standard honest majority setting (where $t=(n-1)/2$) with $O(|C|\kappa+D (n+\kappa)^2\kappa)$ communication only assuming random oracles. Unlike most of the previous constructions of constant-round MPCs that are based on multiparty garbling, we achieve our result by letting each party garble his local computation in a non-constant-round MPC that meets certain requirements. We first design a constant-round MPC that achieves $O(|C|\kappa + Dn^2\kappa)$ communication assuming random oracles in the strong honest majority setting of $t=n/4$. Then, we combine the party virtualization technique and the idea of MPC-in-the-head to boost the corruption threshold to $t<(1-\epsilon)n$ for any constant $\epsilon<1$ assuming oblivious transfers to achieve our first result. Finally, our second result is obtained by instantiating oblivious transfers using a general honest-majority MPC and the OT extension technique built on random oracles.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/507">2025/507</a> <a class="ms-2" href="/2025/507.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Scalable Zero-knowledge Proofs for Non-linear Functions in Machine Learning</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Meng Hao, Hanxiao Chen, Hongwei Li, Chenkai Weng, Yuan Zhang, Haomiao Yang, and Tianwei Zhang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-507" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-507" class="paper-abstract">Zero-knowledge (ZK) proofs have been recently explored for the integrity of machine learning (ML) inference. However, these protocols suffer from high computational overhead, with the primary bottleneck stemming from the evaluation of non-linear functions. In this paper, we propose the first systematic ZK proof framework for non-linear mathematical functions in ML using the perspective of table lookup. The key challenge is that table lookup cannot be directly applied to non-linear functions in ML since it would suffer from inefficiencies due to the intolerably large table. Therefore, we carefully design several important building blocks, including digital decomposition, comparison, and truncation, such that they can effectively utilize table lookup with a quite small table size while ensuring the soundness of proofs. Based on these blocks, we implement complex mathematical operations and further construct ZK proofs for current mainstream non-linear functions in ML such as ReLU, sigmoid, and normalization. The extensive experimental evaluation shows that our framework achieves 50 ∼ 179× runtime improvement compared to the state-of-the-art work, while maintaining a similar level of communication efficiency.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/506">2025/506</a> <a class="ms-2" href="/2025/506.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On the Estonian Internet Voting System, IVXV, SoK and Suggestions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Shymaa M. Arafat</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-506" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-506" class="paper-abstract">The Estonian i-voting experience is probably the richest to analyze; a country that is considered a pioneer in digitizing both the government and private sector since 2001, and hence digital voting in 2005, yet there are still some complaints submitted, critics and remarks to consider about the IVXV system. In this paper, we introduce a Systemization of Knowledge of the Estonian IVXV i-voting system and propose some added security enhancements. The presented SoK includes applications implemented by election observers in 2023 & 2024 elections, which, to our knowledge, has never been mentioned and/or analyzed in the academic literature before. The paper also updates the general knowledge about an extra right given to auditors (but not observers) in the June 2024 European election, recent complaints, and about newer solutions suggested by academia in 2024. Finally, we discuss the current system status in 2024 EP elections and propose our own suggestions to some problems stated in the OSCE-ODIHR 2023 report that are still there.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/505">2025/505</a> <a class="ms-2" href="/2025/505.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Capitalized Bitcoin Fork for National Strategic Reserve</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Charanjit Singh Jutla and Arnab Roy</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-505" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-505" class="paper-abstract">We describe a strategy for a nation to acquire majority stake in Bitcoin with zero cost to the taxpayers of the nation. We propose a bitcoin fork sponsored by the the government of the nation, and backed by the full faith of treasury of the nation, such that the genesis block of this fork attributes fixed large amount of new kinds of tokens called strategic-reserve-bitcoin tokens (SRBTC) to the nation's treasury, which is some multiple (greater than one) of the amount of all Bitcoin tokens (BTC) currently set in the Bitcoin protocol. The BTC tokens continue to be treated 1:1 as SRBTC tokens in the forked chain. The only capital that the nation puts up is its explicit guarantee that the SRBTC tokens of the fork will be accepted as legal tender, such as payment of tax to the treasury. We suggest that this is a better approach than starting a new blockchain that mimics Bitcoin, as it will be partially fair to the current holders of Bitcoin, which in turn would make it competitive in the space of other such possible forks by other powerful nations. Moreover, such a proof-of-work blockchain retains its egalitarian and democratic nature, which competitively deters the said nation from any dilutions in the future. To justify our proposal we setup three competitive games, and show strategies for different players that are in Nash equilibrium and which throw further light on these claims. In particular, 1. The first game shows that if the only two alternatives for investors is to invest in BTC or SRBTC, then individuals who have a certain fraction $\theta$ of their wealth already invested in BTC, will invest new money in the original chain, whereas the individuals whose current wealth invested in BTC is less than the $\theta$ fraction will invest new money in SRBTC. 2. The second game shows that if there is a third alternative for investment, which is cash that is losing value (inflation-adjusted) by a percentage $d$, then the investors who had less than $\theta$ fraction of wealth in Bitcoin, will invest in SRBTC only if the dilution of SRBTC is large enough (as an increasing (linear) function of $1/d$). Here by dilution we mean the new SRBTC tokens that are allowed to be eventually mined in the fork. 3. The third game shows that investors would prefer a fork of Bitcoin over a replica of Bitcoin that doesn't value original BTC, when both are available and even if both are backed similarly by one or more nations.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/504">2025/504</a> <a class="ms-2" href="/2025/504.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Ideal Compartmented Secret Sharing Scheme Based on the Chinese Remainder Theorem for Polynomial Rings</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Alexandru-Valentin Basaga and Sorin Iftene</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-504" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-504" class="paper-abstract">A secret sharing scheme starts with a secret and then derives from it certain shares (or shadows) which are distributed to users. The secret may be recovered only by certain predetermined groups. In case of compartmented secret sharing, the set of users is partitioned into compartments and the secret can be recovered only if the number of participants from any compartment is greater than or equal to a fixed compartment threshold and the total number of participants is greater than or equal to a global threshold. In this paper we use the Chinese Remainder Theorem for Polynomial Rings in order to construct an ideal compartmented secret sharing scheme, inspired by the work from [20].</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/503">2025/503</a> <a class="ms-2" href="/2025/503.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-17</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Max Bias Analysis: A New Approach on Computing the Entropy of Free Ring-Oscillator</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Nicolas David and Eric Garrido</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-503" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-503" class="paper-abstract">This work introduce a new approach called Max bias analysis for the entropy computation of structures of Free Ring Oscillator-based Physical Random Number Generator. It employs the stochastic model based on the well-established Wiener process, specifically adapted to only capture thermal noise contributions while accounting for potential non-zero bias in the duty cycle. Our analysis is versatile, applicable to combinations of multiple sampled Ring Oscillator (RO) filtering by any function. The entropy computation takes as inputs the parameters of the thermal stochastic model and delivers directly a proven bound for both Shannon entropy and min-entropy to fulfill AIS31 and NIST SP 800-90 B. As an example, we apply the new methodology on an enhanced structure of TRNG combining several free-running Ring Oscillators filtered by a vectorial function built from a linear error correcting code that optimizes the functional performance in terms of [entropy rate/silicium area used] and that maintains the mathematical proof of the entropy lower bound as simple as possible.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/502">2025/502</a> <a class="ms-2" href="/2025/502.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-21</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Registration-Based Encryption in the Plain Model</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Jesko Dujmovic, Giulio Malavolta, and Wei Qi</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-502" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-502" class="paper-abstract">Registration-based encryption (RBE) is a recently developed alternative to identity-based encryption, that mitigates the well-known key-escrow problem by letting each user sample its own key pair. In RBE, the key authority is substituted by a key curator, a completely transparent entity whose only job is to reliably aggregate users' keys. However, one limitation of all known RBE scheme is that they all rely on one-time trusted setup, that must be computed honestly. In this work, we ask whether this limitation is indeed inherent and we initiate the systematic study of RBE in the plain model, without any common reference string. We present the following main results: - (Definitions) We show that the standard security definition of RBE is unachievable without a trusted setup and we propose a slight weakening, where one honest user is required to be registered in the system. - (Constructions) We present constructions of RBE in the plain model, based on standard cryptographic assumptions. Along the way, we introduce the notions of non-interactive witness indistinguishable (NIWI) proofs secure against chosen statements attack and re-randomizable RBE, which may be of independent interest. A major limitation of our constructions, is that users must be updated upon every new registration. - (Lower Bounds) We show that this limitation is in some sense inherent. We prove that any RBE in the plain model that satisfies a certain structural requirement, which holds for all known RBE constructions, must update all but a vanishing fraction of the users, upon each new registration. This is in contrast with the standard RBE settings, where users receive a logarithmic amount of updates throughout the lifetime of the system.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/501">2025/501</a> <a class="ms-2" href="/2025/501.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-20</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Quantum Key-Recovery Attacks on Permutation-Based Pseudorandom Functions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Hong-Wei Sun, Fei Gao, Rong-Xue Xu, Dan-Dan Li, Zhen-Qiang Li, and Ke-Jia Zhang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-501" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-501" class="paper-abstract">Due to their simple security assessments, permutation-based pseudo-random functions (PRFs) have become widely used in cryptography. It has been shown that PRFs using a single $n$-bit permutation achieve $n/2$ bits of security, while those using two permutation calls provide $2n/3$ bits of security in the classical setting. This paper studies the security of permutation-based PRFs within the Q1 model, where attackers are restricted to classical queries and offline quantum computations. We present improved quantum-time/classical-data tradeoffs compared with the previous attacks. Specifically, under the same assumptions/hardware as Grover's exhaustive search attack, i.e. the offline Simon algorithm, we can recover keys in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits. Furthermore, we enhance previous superposition attacks by reducing the data complexity from exponential to polynomial, while maintaining the same time complexity. This implies that permutation-based PRFs become vulnerable when adversaries have access to quantum computing resources. It is pointed out that the above quantum attack can be used to quite a few cryptography, including PDMMAC and pEDM, as well as general instantiations like XopEM, EDMEM, EDMDEM, and others.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/500">2025/500</a> <a class="ms-2" href="/2025/500.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-18</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SecurED: Secure Multiparty Edit Distance for Genomic Sequences</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Jiahui Gao, Yagaagowtham Palanikuma, Dimitris Mouris, Duong Tung Nguyen, and Ni Trieu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-500" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-500" class="paper-abstract">DNA edit distance (ED) measures the minimum number of single nucleotide insertions, substitutions, or deletions required to convert a DNA sequence into another. ED has broad applications in healthcare such as sequence alignment, genome assembly, functional annotation, and drug discovery. Privacy-preserving computation is essential in this context to protect sensitive genomic data. Nonetheless, the existing secure DNA edit distance solutions lack efficiency when handling large data sequences or resort to approximations and fail to accurately compute the metric. In this work, we introduce secureED, a protocol that tackles these limitations, resulting in a significant performance enhancement of approximately $2-24\times$ compared to existing methods. Our protocol computes a secure ED between two genomes, each comprising $1,000$ letters, in just a few seconds. The underlying technique of our protocol is a novel approach that transforms the established approximate matching technique (i.e., the Ukkonen algorithm) into exact matching, exploiting the inherent similarity in human DNA to achieve cost-effectiveness. Furthermore, we introduce various optimizations tailored for secure computation in scenarios with a limited input domain, such as DNA sequences composed solely of the four nucleotide letters.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/499">2025/499</a> <a class="ms-2" href="/2025/499.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SCAPEgoat: Side-channel Analysis Library</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Dev Mehta, Trey Marcantino, Mohammad Hashemi, Sam Karkache, Dillibabu Shanmugam, Patrick Schaumont, and Fatemeh Ganji</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-499" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-499" class="paper-abstract">Side-channel analysis (SCA) is a growing field in hardware security where adversaries extract secret information from embedded devices by measuring physical observables like power consumption and electromagnetic emanation. SCA is a security assessment method used by governmental labs, standardization bodies, and researchers, where testing is not just limited to standardized cryptographic circuits, but it is expanded to AI accelerators, Post Quantum circuits, systems, etc. Despite its importance, SCA is performed on an ad hoc basis in the sense that its flow is not systematically optimized and unified among labs. As a result, the current solutions do not account for fair comparisons between analyses. Furthermore, neglecting the need for interoperability between datasets and SCA metric computation increases students’ barriers to entry. To address this, we introduce SCAPEgoat, a Python-based SCA library with three key modules devoted to defining file format, capturing interfaces, and metric calculation. The custom file framework organizes side-channel traces using JSON for metadata, offering a hierarchical structure similar to HDF5 commonly applied in SCA, but more flexible and human-readable. The metadata can be queried with regular expressions, a feature unavailable in HDF5. Secondly, we incorporate memory-efficient SCA metric computations, which allow using our functions on resource-restricted machines. This is accomplished by partitioning datasets and leveraging statistics-based optimizations on the metrics. In doing so, SCAPEgoat makes the SCA more accessible to newcomers so that they can learn techniques and conduct experiments faster and with the possibility to expand on in the future.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/498">2025/498</a> <a class="ms-2" href="/2025/498.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Scoop: An Optimizer for Profiling Attacks against Higher-Order Masking</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Nathan Rousselot, Karine Heydemann, Loïc Masure, and Vincent Migairou</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-498" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-498" class="paper-abstract">In this paper we provide new theoretical and empirical evidences that gradient-based deep learning profiling attacks (DL-SCA) suffer from masking schemes. This occurs through an initial stall of the learning process: the so-called plateau effect. To understand why, we derive an analytical expression of a DL-SCA model targeting simulated traces which enables us to study an analytical expression of the loss. By studying the loss landscape of this model, we show that not only do the magnitudes of the gradients decrease as the order of masking increases, but the loss landscape also exhibits a prominent saddle point interfering with the optimization process. From these observations, we (1) propose the usage of a second-order optimization algorithm mitigating the impact of low-gradient areas. In addition, we show how to leverage the intrinsic sparsity of valuable information in SCA traces to better pose the DL-SCA problem. To do so, we (2) propose to use the implicit regularization properties of the sparse mirror descent. These propositions are gathered in a new publicly available optimization algorithm, Scoop. Scoop combines second-order derivative of the loss function in the optimization process, with a sparse stochastic mirror descent. We experimentally show that Scoop pushes further the current limitations of DL-SCA against simulated traces, and outperforms the state-of-the-art on the ASCADv1 dataset in terms of number of traces required to retrieve the key, perceived information and plateau length. Scoop also performs the first non-worst-case attack on the ASCADv2 dataset. On simulated traces, we show that using Scoop reduces the DL-SCA time complexity by the equivalent of one masking order.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/497">2025/497</a> <a class="ms-2" href="/2025/497.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Fast Scloud+: A Fast Hardware Implementation for the Unstructured LWE-based KEM - Scloud+</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Jing Tian, Yaodong Wei, Dejun Xu, Kai Wang, Anyu Wang, Zhiyuan Qiu, Fu Yao, and Guang Zeng</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-497" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-497" class="paper-abstract">Scloud+ is an unstructured LWE-based key encapsulation mechanism (KEM) with conservative quantum security, in which ternary secrets and lattice coding are incorporated for higher computational and communication efficiency. However, its efficiencies are still much inferior to those of the structured LWE-based KEM, like ML-KEM (standardized by NIST). In this paper, we present a configurable hardware architecture for Scloud+.KEM to improve the computational efficiency. Many algorithmic and architectural co-optimizations are proposed to reduce the complexity and increase the degree of parallelism. Specially, the matrix multiplications are computed by a block in serial and the block is calculated in one cycle, without using any multipliers. In addition, the random bits all are generated by an unfolded Keccak core, well matched with the data flow required by the block matrix multiplier. The proposed design is coded in Verilog and implemented under the SMIC 40nm LP CMOS technology. The synthesized results show that Scloud+.KEM-128 only costs 23.0 $us$, 24.3 $us$, and 24.6 $us$ in the KeyGen, Encaps, and Decaps stages, respectively, with an area consumption of 0.69 $mm^2$, significantly narrowing the gap with the state-of-the-art of Kyber hardware implementation.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/496">2025/496</a> <a class="ms-2" href="/2025/496.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Shortcut2Secrets: A Table-based Differential Fault Attack Framework</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Weizhe Wang, Pierrick Méaux, and Deng Tang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-496" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-496" class="paper-abstract">Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}. The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher's filter function cannot be represented over the ring it is defined on. Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}. For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/495">2025/495</a> <a class="ms-2" href="/2025/495.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-16</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Security-Enhanced Pairing-Free Certificateless Aggregate Signature for Vehicular Ad-Hoc Networks, Revisited</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhengjun Cao and Lihua Liu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-495" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-495" class="paper-abstract">We show that the aggregate signature scheme [IEEE Syst. J., 2023, 17(3), 3822-3833] is insecure against forgery attack. This flaw is due to that the ephemeral key or ephemeral value chosen in the signing phase is not indeed bound to the final signature. An adversary can sign any message while the verifier cannot find the fraud. We also suggest a revising method to frustrate this attack.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/494">2025/494</a> <a class="ms-2" href="/2025/494.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Electromagnetic Side-Channel Analysis of PRESENT Lightweight Cipher</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Nilupulee A Gunathilake, Owen Lo, William J Buchanan, and Ahmed Al-Dubai</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-494" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-494" class="paper-abstract">Side-channel vulnerabilities pose an increasing threat to cryptographically protected devices. Consequently, it is crucial to observe information leakages through physical parameters such as power consumption and electromagnetic (EM) radiation to reduce susceptibility during interactions with cryptographic functions. EM side-channel attacks are becoming more prevalent. PRESENT is a promising lightweight cryptographic algorithm expected to be incorporated into Internet-of-Things (IoT) devices in the future. This research investigates the EM side-channel robustness of PRESENT using a correlation attack model. This work extends our previous Correlation EM Analysis (CEMA) of PRESENT with improved results. The attack targets the Substitution box (S-box) and can retrieve 8 bytes of the 10-byte encryption key with a minimum of 256 EM waveforms. This paper presents the process of EM attack modelling, encompassing both simple and correlation attacks, followed by a critical analysis.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/493">2025/493</a> <a class="ms-2" href="/2025/493.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Tighter Concrete Security for the Simplest OT</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Iftach Haitner and Gil Segev</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-493" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-493" class="paper-abstract">The Chou-Orlandi batch oblivious transfer (OT) protocol is a particularly attractive OT protocol that bridges the gap between practical efficiency and strong security guarantees and is especially notable due to its simplicity. The security analysis provided by Chou and Orlandi bases the security of their protocol on the hardness of the computational Diffie-Hellman ($\mathsf{CDH}$) problem in prime-order groups. Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{CDH}$ problem, their security analysis yields that an attacker running in time $t$ and issuing $q$ random-oracle queries breaks the security of their protocol with probability at most $\epsilon \leq q^2 \cdot t / 2^{\kappa/2}$, where $\kappa$ is the bit-length of the group's order. This concrete bound, however, is somewhat insufficient for 256-bit groups (e.g., for $\kappa = 256$, it does not provide any guarantee already for $t = 2^{48}$ and $q = 2^{40}$). In this work, we establish a tighter concrete security bound for the Chou-Orlandi protocol. First, we introduce the list square Diffie-Hellman ($\ell\text{-}\mathsf{sqDH}$) problem and present a tight reduction from the security of the protocol to the hardness of solving $\ell\text{-}\mathsf{sqDH}$. That is, we completely shift the task of analyzing the concrete security of the protocol to that of analyzing the concrete hardness of the $\ell\text{-}\mathsf{sqDH}$ problem. Second, we reduce the hardness of the $\ell\text{-}\mathsf{sqDH}$ problem to that of the decisional Diffie-Hellman ($\mathsf{DDH}$) problem without incurring a multiplicative loss. Our key observation is that although $\mathsf{CDH}$ and $\mathsf{DDH}$ have the same assumed concrete hardness, relying on the hardness of $\mathsf{DDH}$ enables our reduction to efficiently test the correctness of the solutions it produces. Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{DDH}$ problem, our analysis yields that an attacker running in time $t$ and issuing $q \leq t$ random-oracle queries breaks the security of the Chou-Orlandi protocol with probability at most $\epsilon \leq t / 2^{\kappa/2}$ (i.e., we eliminate the above multiplicative $q^2$ term). We prove our results within the standard real-vs-ideal framework considering static corruptions by malicious adversaries, and provide a concrete security treatment by accounting for the statistical distance between a real-model execution and an ideal-model execution.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/492">2025/492</a> <a class="ms-2" href="/2025/492.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Endorser Peer Anonymization in Hyperledger Fabric for Consortium of Organizations</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Dharani J, Sundarakantham K, Kunwar Singh, and Mercy Shalinie S</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-492" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-492" class="paper-abstract">Hyperledger Fabric is a unique permissioned platform for implementing blockchain in a consortium. It has a distinct transaction flow of execute-order-validate. During the execution phase, a pre-determined set of endorsing peers execute a transaction and sign the transaction response. This process is termed endorsement. In the validation phase, peers validate the transaction with reference to an endorsement policy. The identity of the endorsing organizations is obtainable to all the nodes in the network through the endorser signature and endorsement policy. Knowing this has led to serious vulnerabilities in the blockchain network. In this paper, we propose a privacy-preserving endorsement system which conceals both endorser signature and endorsement policy. Endorser is anonymized by replacing the signature scheme with a scoped-linkable threshold ring signature scheme. Endorsement policy is secured using Pedersen commitments and non-interactive proof of knowledge of integer vector. We also achieve efficiency in the computation by employing non-interactive proof of co-prime roots. We provide the necessary security analysis to prove that the proposed work guarantees anonymity and unlinkability properties. A comparative analysis of our work with an existing framework is provided which shows that the proposed scheme offers higher level of security and it is optimal in terms of efficiency.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/491">2025/491</a> <a class="ms-2" href="/2025/491.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Blind Brother: Attribute-Based Selective Video Encryption</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Eugene Frimpong, Bin Liu, Camille Nuoskala, and Antonis Michalas</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-491" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-491" class="paper-abstract">The emergence of video streams as a primary medium for communication and the demand for high-quality video sharing over the internet have given rise to several security and privacy issues, such as unauthorized access and data breaches. To address these limitations, various Selective Video Encryption (SVE) schemes have been proposed, which encrypt specific portions of a video while leaving others unencrypted. The SVE approach balances security and usability, granting unauthorized users access to certain parts while encrypting sensitive content. However, existing SVE schemes adopt an all-or-nothing coarse-grain encryption approach, where a user with a decryption key can access all the contents of a given video stream. This paper proposes and designs a fine-grained access control-based selective video encryption scheme, ABSVE, and a use-case protocol called \protocol. Our scheme encrypts different identified Regions of Interest (ROI) with a unique symmetric key and applies a Ciphertext Policy Attribute Based Encryption (CP-ABE) scheme to tie these keys to specific access policies. This method provides multiple access levels for a single encrypted video stream. Crucially, we provide a formal syntax and security definitions for ABSVE, allowing for rigorous security analysis of this and similar schemes -- which is absent in prior works. Finally, we provide an implementation and evaluation of our protocol in the Kvazaar HEVC encoder. Overall, our constructions enhance security and privacy while allowing controlled access to video content and achieve comparable efficiency to compression without encryption.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/490">2025/490</a> <a class="ms-2" href="/2025/490.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">PREAMBLE: Private and Efficient Aggregation of Block Sparse Vectors and Applications</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Hilal Asi, Vitaly Feldman, Hannah Keller, Guy N. Rothblum, and Kunal Talwar</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-490" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-490" class="paper-abstract">We revisit the problem of secure aggregation of high-dimensional vectors in a two-server system such as Prio. These systems are typically used to aggregate vectors such as gradients in private federated learning, where the aggregate itself is protected via noise addition to ensure differential privacy. Existing approaches require communication scaling with the dimensionality, and thus limit the dimensionality of vectors one can efficiently process in this setup. We propose PREAMBLE: Private Efficient Aggregation Mechanism for Block-sparse Euclidean Vectors. PREAMBLE is a novel extension of distributed point functions that enables communication- and computation-efficient aggregation of block-sparse vectors, which are sparse vectors where the non-zero entries occur in a small number of clusters of consecutive coordinates. We then show that PREAMBLE can be combined with random sampling and privacy amplification by sampling results, to allow asymptotically optimal privacy-utility trade-offs for vector aggregation, at a fraction of the communication cost. When coupled with recent advances in numerical privacy accounting, our approach incurs a negligible overhead in noise variance, compared to the Gaussian mechanism used with Prio.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/489">2025/489</a> <a class="ms-2" href="/2025/489.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Translating Between the Common Haar Random State Model and the Unitary Model</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Eli Goldin and Mark Zhandry</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-489" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-489" class="paper-abstract">Black-box separations are a cornerstone of cryptography, indicating barriers to various goals. A recent line of work has explored black-box separations for quantum cryptographic primitives. Namely, a number of separations are known in the Common Haar Random State (CHRS) model, though this model is not considered a complete separation, but rather a starting point. A few very recent works have attempted to lift these separations to a unitary separation, which are considered complete separations. Unfortunately, we find significant errors in some of these lifting results. We prove general conditions under which CHRS separations can be generically lifted, thereby giving simple, modular, and bug-free proofs of complete unitary separations between various quantum primitives. Our techniques allow for simpler proofs of existing separations as well as new separations that were previously only known in the CHRS model.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/488">2025/488</a> <a class="ms-2" href="/2025/488.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Exploring General Cyclotomic Rings in Torus-Based Fully Homomorphic Encryption: Part I - Prime Power Instances</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Philippe Chartier, Michel Koskas, and Mohammed Lemou</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-488" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-488" class="paper-abstract">In the realm of fully homomorphic encryption on the torus, we investigate the algebraic manipulations essential for handling polynomials within cyclotomic rings characterized by prime power indices. This includes operations such as modulo reduction, computation of the trace operator, extraction, and the blind rotation integral to the bootstrapping procedure, all of which we reformulate within this mathematical framework.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/487">2025/487</a> <a class="ms-2" href="/2025/487.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">webSPDZ: Versatile MPC on the Web</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Thomas Buchsteiner, Karl W. Koch, Dragos Rotaru, and Christian Rechberger</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-487" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-487" class="paper-abstract">Multi-party computation (MPC) has become increasingly practical in the last two decades, solving privacy and security issues in various domains, such as healthcare, finance, and machine learning. One big caveat is that MPC sometimes lacks usability since the knowledge barrier for regular users can be high. Users have to deal with, e.g., various CLI tools, private networks, and sometimes even must install many dependencies, which are often hardware-dependent. A solution to improve the usability of MPC is to build browser-based MPC engines where each party runs within a browser window. Two examples of such an MPC web engine are JIFF and the web variant of MPyC. Both support an honest majority with passive corruptions. $\texttt{webSPDZ}$: Our work brings one of the most performant and versatile general-purpose MPC engines, MP-SPDZ, to the web. MP-SPDZ supports ≥40 MPC protocols with different security models, enabling many security models on the web. To port MP-SPDZ to the web, we use Emscripten to compile MP-SPDZ’s C++ BackEnd to WebAssembly and upgrade the party communication for the browser (WebRTC or WebSockets). We call the new MPC web engine webSPDZ. As with the native versions of the mentioned MPC web engines, MPyC-Web and JIFF, webSPDZ outperforms them in our end-to-end experiments. We believe that webSPDZ brings forth many interesting and practically relevant use cases. Thus, webSPDZ pushes the boundaries of practical MPC: making MPC more usable and enabling it for a broader community.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/486">2025/486</a> <a class="ms-2" href="/2025/486.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On One-Shot Signatures, Quantum vs Classical Binding, and Obfuscating Permutations</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Omri Shmueli and Mark Zhandry</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-486" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-486" class="paper-abstract">One-shot signatures (OSS) were defined by Amos, Georgiou, Kiayias, and Zhandry (STOC'20). These allow for signing exactly one message, after which the signing key self-destructs, preventing a second message from ever being signed. While such an object is impossible classically, Amos et al observe that OSS may be possible using quantum signing keys by leveraging the no-cloning principle. OSS has since become an important conceptual tool with many applications in decentralized settings and for quantum cryptography with classical communication. OSS are also closely related to separations between classical-binding and collapse-binding for post-quantum hashing and commitments. Unfortunately, the only known OSS construction due to Amos et al. was only justified in a classical oracle model, and moreover their justification was ultimately found to contain a fatal bug. Thus, the existence of OSS, even in a classical idealized model, has remained open. We give the first standard-model OSS, with provable security assuming (sub-exponential) indistinguishability obfuscation (iO) and LWE. This also gives the first standard-model separation between classical and collapse-binding post-quantum commitments/hashing, solving a decade-old open problem. Along the way, we also give the first construction with unconditional security relative to a classical oracle. To achieve our standard-model construction, we develop a notion of permutable pseudorandom permutations (permutable PRPs), and show how they are useful for translating oracle proofs involving random permutations into obfuscation-based proofs. In particular, obfuscating permutable PRPs gives a trapdoor one-way permutation that is $\textit{full-domain}$, solving another decade-old-problem of constructing this object from (sub-exponential) iO and one-way functions.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/485">2025/485</a> <a class="ms-2" href="/2025/485.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Key reconstruction for QC-MDPC McEliece from imperfect distance spectrum</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Motonari Ohtsuka, Takahiro Ishimaru, Rei Iseki, Shingo Kukita, and Kohtaro Watanabe</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-485" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-485" class="paper-abstract">McEliece cryptosystems, based on code-based cryptography, is a candidate in Round 4 of NIST's post-quantum cryptography standardization process. The QC-MDPC (quasi-cyclic moderate-density parity-check) variant is particularly noteworthy due to its small key length. The Guo-Johansson-Stankovski (GJS) attack against the QC-MDPC McEliece cryptosystem was recently proposed and has intensively been studied. This attack reconstructs the secret key using information on decoding error rate (DER). However, in practice, obtaining complete DER information is presumed to be time-consuming. This paper proposes two algorithms to reconstruct the secret key under imperfection in the DER information and evaluates the relationship between the imperfection and efficiency of key reconstruction. This will help us to increase the efficacy of the GJS attack.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/484">2025/484</a> <a class="ms-2" href="/2025/484.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP Redaction</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Rui Guo, M Sazadur Rahman, Jingbo Zhou, Hadi M Kamali, Fahim Rahman, Farimah Farahmandi, and Mark Tehranipoor</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-484" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-484" class="paper-abstract">Hardware obfuscation is an active trustworthy design technique targeting threats in the IC supply chain, such as IP piracy and overproduction. Recent research on Intellectual Property (IP) protection technologies suggests that using embedded reconfigurable components (e.g., eFPGA redaction) could be a promising approach to hide the functional and structural information of security-critical designs. However, such techniques suffer from almost prohibitive overhead in terms of area, power, delay, and testability. This paper proposes an obfuscation technique called EvoLUTe+, which is a unique and more fine-grained redaction approach using smaller reconfigurable components (e.g., Look-Up Tables (LUTs)). EvoLUTe+ achieves fine-grained partitioning, sub-circuit coloring, and scoring of IP, and then encrypts the original IP through the substitution of some sub-circuits. Different attacks are used to test the robustness of EvoLUTe+, including structural and machine learning attacks, as well as Bounded Model Checking (BMC) attacks. The overhead of the obfuscation design is also analyzed. Experimental results demonstrate that EvoLUTe+ exhibits robustness with acceptable overhead while resisting such threat models.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/483">2025/483</a> <a class="ms-2" href="/2025/483.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Adaptively Secure Threshold Blind BLS Signatures and Threshold Oblivious PRF</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Stanislaw Jarecki and Phillip Nazarian</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-483" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-483" class="paper-abstract">We show the first threshold blind signature scheme and threshold Oblivious PRF (OPRF) scheme which remain secure in the presence of an adaptive adversary, who can adaptively decide which parties to corrupt throughout the lifetime of the scheme. Moreover, our adaptively secure schemes preserve the minimal round complexity and add only a small computational overhead over prior solutions that offered security only for a much less realistic static adversary, who must choose the subset of corrupted parties before initializing the protocol. Our threshold blind signature scheme computes standard BLS signatures while our threshold OPRF computes a very efficient "2HashDH" OPRF [JKK14]. We prove adaptive security of both schemes in the Algebraic Group Model (AGM). Our adaptively secure threshold schemes are as practical as the underlying standard single-server BLS blind signature and 2HashDH OPRF, and they can be used to add cryptographic fault-tolerance and decentralize trust in any system that relies on blind signatures, like anonymous credentials and e-cash, or on OPRF, like the OPAQUE password authentication and the Privacy Pass anonymous authentication scheme, among many others.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/482">2025/482</a> <a class="ms-2" href="/2025/482.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">An Efficient Sequential Aggregate Signature Scheme with Lazy Verification</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Arinjita Paul, Sabyasachi Dutta, Kouichi Sakurai, and C. Pandu Rangan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-482" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-482" class="paper-abstract">A sequential aggregate signature scheme (SAS) allows multiple potential signers to sequentially aggregate their respective signatures into a single compact signature. Typically, verification of a SAS signatures requires access to all messages and public key pairs utilized in the aggregate generation. However, efficiency is crucial for cryptographic protocols to facilitate their practical implementation. To this end, we propose a sequential aggregate signature scheme with lazy verification for a set of user-message pairs, allowing the verification algorithm to operate without requiring access to all messages and public key pairs in the sequence. This construction is based on the RSA assumption in the random oracle model and is particularly beneficial in resource constrained applications that involve forwarding of authenticated information between parties, such as certificate chains. As an extension of this work, we introduce the notion of sequentially aggregatable proxy re-signatures that enables third parties or proxies to transform aggregatable signatures under one public key to another, useful in applications such as sharing web certificates and authentication of network paths. We also present a construction of a sequential aggregate proxy re-signature scheme, secure in the random oracle model, based on the RSA assumption, which may be of independent interest.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/481">2025/481</a> <a class="ms-2" href="/2025/481.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">RHQC: post-quantum ratcheted key exchange from coding assumptions</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Julien Juaneda , Marina Dehez-Clementi, Jean-Christophe Deneuville, and Jérôme Lacan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-481" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-481" class="paper-abstract">Key Exchange mechanisms (KE or KEMs) such as the Diffie-Hellman protocol have proved to be a cornerstone conciliating the efficiency of symmetric encryption and the practicality of public key primitives. Such designs however assume the non-compromission of the long term asymmetric key in use. To relax this strong security assumption, and allow for modern security features such as Perfect Forward Secrecy (PFS) or Post Compromise Security (PCS), Ratcheted-KE (RKE) have been proposed. This work proposes to turn the Hamming Quasi-Cyclic (HQC) cryptosystem into such a Ratcheted-KE, yielding the first code-based such construction. Interestingly, our design allows indifferently one party to update the key on-demand rather than the other, yielding a construction called bi-directional RKE, which compares favorably to generic transformations. Finally, we prove that the resulting scheme satisfies the usual correctness and key-indistinguishability properties, and suggest concrete sets of parameters, assuming different real-life use cases.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/480">2025/480</a> <a class="ms-2" href="/2025/480.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Worst-case Analysis of Lattice Enumeration Algorithm over Modules</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Jiseung Kim, Changmin Lee, and Yongha Son</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-480" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-480" class="paper-abstract">This paper presents a systematic study of module lattices. We extend the lattice enumeration algorithm from Euclidean lattices to module lattices, providing a generalized framework. To incorporate the refined analysis by Hanrot and Stehlè (CRYPTO'07), we adapt key definitions from Euclidean lattices, such as HKZ-reduced bases and quasi-HKZ-reduced bases, adapting them to the pseudo-basis of modules. Furthermore, we revisit the lattice profile, a crucial aspect of enumeration algorithm analysis, and extend its analysis to module lattices. As a result, we improve the asymptotic performance of the module lattice enumeration algorithm and module-SVP. For instance, let $K = \mathbb{Q}[x]/\langle x^d + 1\rangle$ be a number field with a power-of-two integer $d$, and suppose that $n\ln n = o(\ln d)$. Then, the nonzero shortest vector in $M \subset K^n$ can be found in time $d^{\frac{d}{2e} + o(d)}$, improving upon the previous lattice enumeration bound of $(nd)^{\frac{nd}{2e}+ o(nd)}$. Our algorithm naturally extends to solving ideal-SVP. Given an ideal $I \subset R$, where $R = \mathbb{Z}[x]/\langle x^t + 1 \rangle$ with a power-of-two integer $t = nd$, we can find the nonzero shortest element of $I$ in time $\exp(O(\frac{t}{2e} \ln \ln t))$, improving upon the previous enumeration bound of $\exp(O(\frac{t}{2e} \ln t))$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/479">2025/479</a> <a class="ms-2" href="/2025/479.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Post Quantum Migration of Tor</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Denis Berger, Mouad Lemoudden, and William J Buchanan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-479" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-479" class="paper-abstract">Shor's and Grover's algorithms' efficiency and the advancement of quantum computers imply that the cryptography used until now to protect one's privacy is potentially vulnerable to retrospective decryption, also known as harvest now, decrypt later attack in the near future. This dissertation proposes an overview of the cryptographic schemes used by Tor, highlighting the non-quantum-resistant ones and introducing theoretical performance assessment methods of a local Tor network. The measurement is divided into three phases. We will start with benchmarking a local Tor network simulation on constrained devices to isolate the time taken by classical cryptography processes. Secondly, the analysis incorporates existing benchmarks of quantum-secure algorithms and compares these performances on the devices. Lastly, the estimation of overhead is calculated by replacing the measured times of traditional cryptography with the times recorded for Post Quantum Cryptography (PQC) execution within the specified Tor environment. By focusing on the replaceable cryptographic components, using theoretical estimations, and leveraging existing benchmarks, valuable insights into the potential impact of PQC can be obtained without needing to implement it fully.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/478">2025/478</a> <a class="ms-2" href="/2025/478.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Attacking Single-Cycle Ciphers on Modern FPGAs featuring Explainable Deep Learning</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Mustafa Khairallah and Trevor Yap</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-478" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-478" class="paper-abstract">In this paper, we revisit the question of key recovery using side-channel analysis for unrolled, single-cycle block ciphers. In particular, we study the Princev2 cipher. While it has been shown vulnerable in multiple previous studies, those studies were performed on side-channel friendly ASICs or older FPGAs (e.g., Xilinx Virtex II on the SASEBO-G board), and using mostly expensive equipment. We start with the goal of exploiting a cheap modern FPGA and board using power traces from a cheap oscilloscope. Particularly, we use Xilinx Artix 7 on the Chipwhisperer CW305 board and PicoScope 5000A, respectively. We split our study into three parts. First, we show that the new set-up still exhibits easily detectable leakage, using a non-specific t-test. Second, we replicate attacks from older FPGAs. Namely, we start with the attack by Yli-Mäyry et al., which is a simple chosen plaintext correlation power analysis attack using divide and conquer. However, we demonstrate that even this simple, powerful attack does not work, demonstrating a peculiar behavior. We study this behavior using a stochastic attack that attempts to extract the leakage model, and we show that models over a small part of the state are inconsistent and depend on more key bits than what is expected. We also attempt classical template attacks and get similar results. To further exploit the leakage, we employ deep learning techniques and succeed in key recovery, albeit using a large number of traces. We perform the explainability technique called Key Guessing Occlusion (KGO) to detect which points the neural networks exploit. When we use these points as features for the classical template attack, although it did not recover the secret key, its performance improves compared to other feature selection techniques.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/477">2025/477</a> <a class="ms-2" href="/2025/477.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Note on the Advanced Use of the Tate Pairing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Krijn Reijnders</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-477" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-477" class="paper-abstract">This short note explains how the Tate pairing can be used to efficiently sample torsion points with precise requirements, and other applications. These applications are most clearly explained on Montgomery curves, using the Tate pairing of degree 2, but hold more generally for any degree or abelian variety, or even generalized Tate pairings. This note is explanatory in nature; it does not contain new results, but aims to provide a clear and concise explanation of results in the literature that are somewhat hidden, yet are extremely useful in practical isogeny-based cryptography.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/476">2025/476</a> <a class="ms-2" href="/2025/476.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A note on "industrial blockchain threshold signatures in federated learning for unified space-air-ground-sea model training"</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhengjun Cao and Lihua Liu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-476" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-476" class="paper-abstract">We show that the threshold signature scheme [J. Ind. Inf. Integr. 39: 100593 (2024)] is insecure against forgery attack. An adversary can find an efficient signing algorithm functionally equivalent to the valid signing algorithm, so as to convert the legitimate signature $(sig, s, r_x)$ of message $m$ into a valid signature $(sig, s, r_x')$ of any message $m'$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/475">2025/475</a> <a class="ms-2" href="/2025/475.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">HammR: A ZKP Protocol for Fixed Hamming-Weight Restricted-Entry Vectors</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Felice Manganiello and Freeman Slaughter</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-475" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-475" class="paper-abstract">In this paper, we introduce $\mathsf{HammR}$, a generic Zero-Knowledge Proof (ZKP) protocol demonstrating knowledge of a secret vector that has a fixed Hamming weight with entries taken from a shifted multiplicative group. As special cases, we are able to directly apply this protocol to restricted vectors and to rank-1 vectors, which are vectors with entries that lie in a dimension one subspace of $\mathbb{F}_q$. We show that these proofs can be batched with low computational overhead, and further prove that this general framework is complete, sound, and zero-knowledge, thus truly a genuine ZKP. Finally, we present applications of $\mathsf{HammR}$ to various Syndrome Decoding Problems, including the Regular and Restricted SDPs, as well as other implementations such as lookup instances, proof of proximity, and electronic voting protocols.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/474">2025/474</a> <a class="ms-2" href="/2025/474.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Black-Box Constant-Round Secure 2PC with Succinct Communication</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Michele Ciampi, Ankit Kumar Misra, Rafail Ostrovsky, and Akash Shah</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-474" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-474" class="paper-abstract">The most fundamental performance metrics of secure multi-party computation (MPC) protocols are related to the number of messages the parties exchange (i.e., round complexity), the size of these messages (i.e., communication complexity), and the overall computational resources required to execute the protocol (i.e., computational complexity). Another quality metric of MPC protocols is related to the black-box or non-black-box use of the underlying cryptographic primitives. Indeed, the design of black-box MPC protocols, other than being of theoretical interest, usually can lead to protocols that have better computational complexity. In this work, we aim to optimize the round and communication complexity of black-box secure multi-party computation in the plain model, by designing a constant-round two-party computation protocol in the malicious setting, whose communication complexity is only polylogarithmic in the size of the function being evaluated. We successfully design such a protocol, having only black-box access to fully homomorphic encryption, trapdoor permutations, and hash functions. To the best of our knowledge, our protocol is the first to make black-box use of standard cryptographic primitives while achieving almost asymptotically optimal communication and round complexity.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/473">2025/473</a> <a class="ms-2" href="/2025/473.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-14</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Cross-Platform Benchmarking of the FHE Libraries: Novel Insights into SEAL and OpenFHE</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Faneela, Jawad Ahmad, Baraq Ghaleb, Sana Ullah Jan, and William J Buchanan</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-473" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-473" class="paper-abstract">The rapid growth of cloud computing and data-driven applications has amplified privacy concerns, driven by the increasing demand to process sensitive data securely. Homomorphic encryption (HE) has become a vital solution for addressing these concerns by enabling computations on encrypted data without revealing its contents. This paper provides a comprehensive evaluation of two leading HE libraries, SEAL and OpenFHE, examining their performance, usability, and support for prominent HE schemes such as BGV and CKKS. Our analysis highlights computational efficiency, memory usage, and scalability across Linux and Windows platforms, emphasizing their applicability in real-world scenarios. Results reveal that Linux outperforms Windows in computation efficiency, with OpenFHE emerging as the optimal choice across diverse cryptographic settings. This paper provides valuable insights for researchers and practitioners to advance privacy-preserving applications using FHE.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/472">2025/472</a> <a class="ms-2" href="/2025/472.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Quantum Attacks on Sum of Even-Mansour Construction Utilizing Online Classical Queries</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhenqiang Li, Shuqin Fan, Fei Gao, Yonglin Hao, Hongwei Sun, Xichao Hu, and Dandan Li</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-472" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-472" class="paper-abstract">The Sum of Even-Mansour (SoEM) construction, proposed by Chen et al. at Crypto 2019, has become the basis for designing some symmetric schemes, such as the nonce-based MAC scheme $\text{nEHtM}_{p}$ and the nonce-based encryption scheme $\text{CENCPP}^{\ast}$. In this paper, we make the first attempt to study the quantum security of SoEM under the Q1 model where the targeted encryption oracle can only respond to classical queries rather than quantum ones. Firstly, we propose a quantum key recovery attack on SoEM21 with a time complexity of $\tilde{O}(2^{n/3})$ along with $O(2^{n/3})$ online classical queries. Compared with the current best classical result which requires $O(2^{2n/3})$, our method offers a quadratic time speedup while maintaining the same number of queries. The time complexity of our attack is less than that observed for quantum exhaustive search by a factor of $2^{n/6}$. We further propose classical and quantum key recovery attacks on the generalized SoEMs1 construction (consisting of $s\geq 2$ independent public permutations), revealing that the application of quantum algorithms can provide a quadratic acceleration over the pure classical methods. Our results also imply that the quantum security of SoEM21 cannot be strengthened merely by increasing the number of permutations.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/471">2025/471</a> <a class="ms-2" href="/2025/471.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Practical Tutorial on Deep Learning-based Side-channel Analysis</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Sengim Karayalcin, Marina Krcek, and Stjepan Picek</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-471" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-471" class="paper-abstract">This tutorial provides a practical introduction to Deep Learning-based Side-Channel Analysis (DLSCA), a powerful approach for evaluating the security of cryptographic implementations. Leveraging publicly available datasets and a Google Colab service, we guide readers through the fundamental steps of DLSCA, offering clear explanations and code snippets. We focus on the core DLSCA framework, providing references for more advanced techniques, and address the growing interest in this field driven by emerging standardization efforts like AIS 46. This tutorial is designed to be accessible to researchers, students, and practitioners seeking to learn practical DLSCA techniques and improve the security of cryptographic systems.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/470">2025/470</a> <a class="ms-2" href="/2025/470.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On Deniable Authentication against Malicious Verifiers</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Rune Fiedler and Roman Langrehr</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-470" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-470" class="paper-abstract">Deniable authentication allows Alice to authenticate a message to Bob, while retaining deniability towards third parties. In particular, not even Bob can convince a third party that Alice authenticated that message. Clearly, in this setting Bob should not be considered trustworthy. Furthermore, deniable authentication is necessary for deniable key exchange, as explicitly desired by Signal and off-the-record (OTR) messaging. In this work we focus on (publicly verifiable) designated verifier signatures (DVS), which are a widely used primitive to achieve deniable authentication. We propose a definition of deniability against malicious verifiers for DVS. We give a construction that achieves this notion in the random oracle (RO) model. Moreover, we show that our notion is not achievable in the standard model with a concrete attack; thereby giving a non-contrived example of the RO heuristic failing. All previous protocols that claim to achieve deniable authentication against malicious verifiers (like Signal's initial handshake protocols X3DH and PQXDH) rely on the Extended Knowledge of Diffie–Hellman (EKDH) assumption. We show that this assumption is broken and that these protocols do not achieve deniability against malicious verifiers.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/469">2025/469</a> <a class="ms-2" href="/2025/469.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Practical Semi-Open Chat Groups for Secure Messaging Applications</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Alex Davidson, Luiza Soezima, and Fernando Virdia</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-469" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-469" class="paper-abstract">Chat groups in secure messaging applications such as Signal, Telegram, and Whatsapp are nowadays used for rapid and widespread dissemination of information to large groups of people. This is common even in sensitive contexts, associated with the organisation of protests, activist groups, and internal company dialogues. Manual administration of who has access to such groups quickly becomes infeasible, in the presence of hundreds or thousands of members. We construct a practical, privacy-preserving reputation system, that automates the approval of new group members based on their reputation amongst the existing membership. We demonstrate security against malicious adversaries in a single-server model, with no further trust assumptions required. Furthermore, our protocol supports arbitrary reputation calculations while almost all group members are offline (as is likely). In addition, we demonstrate the practicality of the approach via an open-source implementation. For groups of size 50 (resp. 200), an admission process on a user that received 40 (resp. 80) scores requires 1312.2 KiB (resp. 5239.4 KiB) of communication, and 3.3s (resp. 16.3s) of overall computation on a single core. While our protocol design matches existing secure messaging applications, we believe it can have value in distributed reputation computation beyond this problem setting.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/468">2025/468</a> <a class="ms-2" href="/2025/468.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Optimized Frobenius and Cyclotomic Cubing for Enhanced Pairing Computation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Leila Ben Abdelghani, Nadia El Mrabet, Loubna Ghammam, and Lina Mortajine</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-468" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-468" class="paper-abstract">Efficient implementation of a pairing-based cryptosystem relies on high-performance arithmetic in finite fields $\mathbb{F}_{p}$ and their extensions $\mathbb{F}_{p^k}$, where $k$ is the embedding degree. A small embedding degree is crucial because part of the arithmetic for pairing computation occurs in $\mathbb{F}_{{p}^k}$ and includes operations such as squaring, multiplication, and Frobenius operations. In this paper, we present a fast and efficient method for computing the Frobenius endomorphism and its complexity. Additionally, we introduce an improvement in the efficiency of cyclotomic cubing operations for several pairing-friendly elliptic curves, which are essential for the calculation of Tate pairing and its derivatives.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/467">2025/467</a> <a class="ms-2" href="/2025/467.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-19</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">PMNS arithmetic for elliptic curve cryptography</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Fangan Yssouf Dosso, Sylvain Duquesne, Nadia El Mrabet, and Emma Gautier</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-467" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-467" class="paper-abstract">We show that using a polynomial representation of prime field elements (PMNS) can be relevant for real-world cryptographic applications even in terms of performance. More specifically, we consider elliptic curves for cryptography when pseudo-Mersenne primes cannot be used to define the base field (e.g. Brainpool standardized curves, JubJub curves in the zkSNARK context, pairing-friendly curves). All these primitives make massive use of the Montgomery reduction algorithm and well-known libraries such as GMP or OpenSSL for base field arithmetic. We show how this arithmetic can be replaced by a polynomial representation of the number that can be easily parallelized, avoids carry propagation, and allows randomization process. We provide good PMNS basis in the cryptographic context mentioned above, together with a C-implementation that is competitive with GMP and OpenSSL for performing basic operations in the base fields considered. We also integrate this arithmetic into the Rust reference implementation of elliptic curve scalar multiplication for Zero-knowledge applications, and achieve better practical performances for such protocols. This shows that PMNS is an attractive alternative for the base field arithmetic layer in cryptographic primitives using elliptic curves or pairings.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/466">2025/466</a> <a class="ms-2" href="/2025/466.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Algebraic Cryptanalysis of Small-Scale Variants of Stream Cipher E0</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Jan Dolejš and Martin Jureček</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-466" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-466" class="paper-abstract">This study explores the algebraic cryptanalysis of small-scale variants of the E0 stream cipher, a legacy cipher used in the Bluetooth protocol. By systematically reducing the size of the linear feedback shift registers (LFSRs) while preserving the cipher’s core structure, we investigate the relationship between the number of unknowns and the number of consecutive keystream bits required to recover the internal states of the LFSRs. Our work demonstrates an approximately linear relationship between the number of consecutive keystream bits and the size of small-scale E0 variants, as indicated by our experimental results. To this end, we utilize two approaches: the computation of Gröbner bases using Magma’s F4 algorithm and the application of CryptoMiniSat’s SAT solver. Our experimental results show that increasing the number of keystream bits significantly improves computational efficiency, with the F4 algorithm achieving a speedup of up to 733× when additional equations are supplied. Furthermore, we verify the non-existence of equations of degree four or lower for up to seven consecutive keystream bits, and the non-existence of equations of degree three or lower for up to eight consecutive keystream bits, extending prior results on the algebraic properties of E0.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/465">2025/465</a> <a class="ms-2" href="/2025/465.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">zkAML: Zero-knowledge Anti Money Laundering in Smart Contracts with whitelist approach</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Donghwan Oh, Semin Han, Jihye Kim, Hyunok Oh, Jiyeal Chung, Jieun Lee, Hee-jun Yoo, and Tae wan Kim</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-465" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-465" class="paper-abstract">In the interconnected global financial system, anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations are indispensable for safeguarding financial integrity. However, while illicit transactions constitute only a small fraction of overall financial activities, traditional AML/CFT frameworks impose uniform compliance burdens on all users, resulting in inefficiencies, transaction delays, and privacy concerns. These issues stem from the institution-centric model, where financial entities independently conduct compliance checks, resulting in repeated exposure of personally identifiable information (PII) and operational bottlenecks. To address these challenges, we introduce \textsf{zkAML}, a cryptographic framework that offers a novel approach to AML/CFT compliance. By leveraging zero-knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) proofs, \textsf{zkAML}~enables users to cryptographically demonstrate their regulatory compliance without revealing sensitive personal information. This approach eliminates redundant identity checks, streamlines compliance procedures, and enhances transaction efficiency while preserving user privacy. We implement and evaluate \textsf{zkAML}~on a blockchain network to demonstrate its practicality. Our experimental results show that \textsf{zkAML}~achieves 55 transactions per second (TPS) on a public network and 324 TPS on a private network. The zk-SNARK proof generation times are $226.59$ms for senders and $215.76$ms for receivers, with a constant verification time of $1.47$ms per transaction. These findings highlight \textsf{zkAML}'s potential as a privacy-preserving and regulation-compliant solution for modern financial systems.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/464">2025/464</a> <a class="ms-2" href="/2025/464.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Jean Paul Degabriele, Jan Gilcher, Jérôme Govinden, and Kenneth G. Paterson</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-464" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-464" class="paper-abstract">Poly1305 is a widely-deployed polynomial hash function. The rationale behind its design was laid out in a series of papers by Bernstein, the last of which dates back to 2005. As computer architectures evolved, some of its design features became less relevant, but implementers found new ways of exploiting these features to boost its performance. However, would we still converge to this same design if we started afresh with today's computer architectures and applications? To answer this question, we gather and systematize a body of knowledge concerning polynomial hash design and implementation that is spread across research papers, cryptographic libraries, and developers' blogs. We develop a framework to automate the validation and benchmarking of the ideas that we collect. This approach leads us to five new candidate designs for polynomial hash functions. Using our framework, we generate and evaluate different implementations and optimization strategies for each candidate. We obtain substantial improvements over Poly1305 in terms of security and performance. Besides laying out the rationale behind our new designs, our paper serves as a reference for efficiently implementing polynomial hash functions, including Poly1305.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/463">2025/463</a> <a class="ms-2" href="/2025/463.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Multi-Party Computation in Corporate Data Processing: Legal and Technical Insights</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Sebastian Becker, Christoph Bösch, Benjamin Hettwer, Thomas Hoeren, Merlin Rombach, Sven Trieflinger, and Hossein Yalame</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-463" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-463" class="paper-abstract">This paper examines the deployment of Multi-Party Computation (MPC) in corporate data processing environments, focusing on its legal and technical implications under the European Union’s General Data Protection Regulation (GDPR). By combining expertise in cryptography and legal analysis, we address critical questions necessary for assessing the suitability of MPC for real-world applications. Our legal evaluation explores the conditions under which MPC qualifies as an anonymizing approach under GDPR, emphasizing the architectural requirements, such as the distribution of control among compute parties, to minimize re-identification risks effectively. The assertions put forth in the legal opinion are validated by two distinct assessments conducted independently. We systematically answer key regulatory questions, demonstrating that a structured legal assessment is indispensable for organizations aiming to adopt MPC while ensuring compliance with privacy laws. In addition, we complement this analysis with a practical implementation of privacy-preserving analytics using Carbyne Stack, a cloud-native open-source platform for scalable MPC applications, which integrates the MP-SPDZ framework as its backend. We benchmark SQL queries under various security models to evaluate scalability and efficiency.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/462">2025/462</a> <a class="ms-2" href="/2025/462.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-12</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Practical Key Collision on AES and Kiasu-BC</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Jianqiang Ni, Yingxin Li, Fukang Liu, and Gaoli Wang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-462" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-462" class="paper-abstract">The key collision attack was proposed as an open problem in key-committing security in Authenticated Encryption (AE) schemes like $\texttt{AES-GCM}$ and $\texttt{ChaCha20Poly1305}$. In ASIACRYPT 2024, Taiyama et al. introduce a novel type of key collision—target-plaintext key collision ($\texttt{TPKC}$) for $\texttt{AES}$. Depending on whether the plaintext is fixed, $\texttt{TPKC}$ can be divided into $\texttt{fixed-TPKC}$ and $\texttt{free-TPKC}$, which can be directly converted into collision attacks and semi-free-start collision attacks on the Davies-Meyer ($\texttt{DM}$) hashing mode. In this paper, we propose a new rebound attack framework leveraging a time-memory tradeoff strategy, enabling practical key collision attacks with optimized complexity. We also present an improved automatic method for finding \textit{rebound-friendly} differential characteristics by controlling the probabilities in the inbound and outbound phases, allowing the identified characteristics to be directly used in $\textit{rebound-based}$ key collision attacks. Through our analysis, we demonstrate that the 2-round $\texttt{AES-128}$ $\texttt{fixed-TPKC}$ attack proposed by Taiyama et al. is a $\texttt{free-TPKC}$ attack in fact, while $\texttt{fixed-TPKC}$ attacks are considerably more challenging than $\texttt{free-TPKC}$ attacks. By integrating our improved automatic method with a new rebound attack framework, we successfully identify a new differential characteristic for the 2-round $\texttt{AES-128}$ $\texttt{fixed-TPKC}$ attack and develope the first practical $\texttt{fixed-TPKC}$ attack against 2-round $\texttt{AES-128}$. Additionally, we present practical $\texttt{fixed-TPKC}$ attacks against 5-round $\texttt{AES-192}$ and 3-round $\texttt{Kiasu-BC}$, along with a practical $\texttt{free-TPKC}$ attack against 6-round $\texttt{Kiasu-BC}$. Furthermore, we reduce time complexities for $\texttt{free-TPKC}$ and $\texttt{fixed-TPKC}$ attacks on other $\texttt{AES}$ variants.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/461">2025/461</a> <a class="ms-2" href="/2025/461.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Machine-checking Multi-Round Proofs of Shuffle: Terelius-Wikstrom and Bayer-Groth</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Thomas Haines, Rajeev Goré, and Mukesh Tiwari</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-461" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-461" class="paper-abstract">Shuffles are used in electronic voting in much the same way physical ballot boxes are used in paper systems: (encrypted) ballots are input into the shuffle and (encrypted) ballots are output in a random order, thereby breaking the link between voter identities and ballots. To guarantee that no ballots are added, omitted or altered, zero-knowledge proofs, called proofs of shuffle, are used to provide publicly verifiable transcripts that prove that the outputs are a re-encrypted permutation of the inputs. The most prominent proofs of shuffle, in practice, are those due to Terelius and Wikström (TW), and Bayer and Groth (BG). TW is simpler whereas BG is more efficient, both in terms of bandwidth and computation. Security for the simpler (TW) proof of shuffle has already been machine-checked but several prominent vendors insist on using the more complicated BG proof of shuffle. Here, we machine-check the security of the Bayer-Groth proof of shuffle via the Coq proof-assistant. We then extract the verifier (software) required to check the transcripts produced by Bayer-Groth implementations and use it to check transcripts from the Swiss Post evoting system under development for national elections in Switzerland.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/460">2025/460</a> <a class="ms-2" href="/2025/460.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Achieving Data Reconstruction Hardness and Efficient Computation in Multiparty Minimax Training</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div class="summaryauthors">Truong Son Nguyen, Yi Ren, Guangyu Nie, and Ni Trieu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-460" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=APPLICATIONS"><small class="badge category category-APPLICATIONS">Applications</small></a> </div> </div> <div> <div id="abstract-2025-460" class="paper-abstract">Generative models have achieved remarkable success in a wide range of applications. Training such models using proprietary data from multiple parties has been studied in the realm of federated learning. Yet recent studies showed that reconstruction of authentic training data can be achieved in such settings. On the other hand, multiparty computation (MPC) guarantees standard data privacy, yet scales poorly for training generative models. In this paper, we focus on improving reconstruction hardness during Generative Adversarial Network (GAN) training while keeping the training cost tractable. To this end, we explore two training protocols that use a public generator and an MPC discriminator: Protocol 1 (P1) uses a fully private discriminator, while Protocol 2 (P2) privatizes the first three discriminator layers. We prove reconstruction hardness for P1 and P2 by showing that (1) a public generator does not allow recovery of authentic training data, as long as the first two layers of the discriminator are private; and through an existing approximation hardness result on ReLU networks, (2) a discriminator with at least three private layers does not allow authentic data reconstruction with algorithms polynomial in network depth and size. We show empirically that compared with fully MPC training, P1 reduces the training time by $2\times$ and P2 further by $4-16\times$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/459">2025/459</a> <a class="ms-2" href="/2025/459.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-15</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Privacy and Security of FIDO2 Revisited</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Manuel Barbosa, Alexandra Boldyreva, Shan Chen, Kaishuo Cheng, and Luís Esquível</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-459" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-459" class="paper-abstract">We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web. We discuss previous works and conclude that each of them has at least one of the following limitations: (i) impractical trusted setup assumptions, (ii) security models that are inadequate in light of state of the art of practical attacks, (iii) not analyzing FIDO2 as a whole, especially for its privacy guarantees. Our work addresses these gaps and proposes revised security models for privacy and authentication. Equipped with our new models, we analyze FIDO2 modularly and focus on its component protocols, WebAuthn and CTAP2, clarifying their exact security guarantees. In particular, our results, for the first time, establish privacy guarantees for FIDO2 as a whole. Furthermore, we suggest minor modifications that can help FIDO2 provably meet stronger privacy and authentication definitions and withstand known and novel attacks.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/458">2025/458</a> <a class="ms-2" href="/2025/458.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">CAKE requires programming - On the provable post-quantum security of (O)CAKE</div> <div class="ms-3 d-none d-md-block"> <small class="badge category category-uncategorized">Uncategorized</small> </div> </div> <div class="summaryauthors">Kathrin Hövelmanns, Andreas Hülsing, Mikhail Kudinov, and Silvia Ritsch</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-458" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <small class="badge category category-uncategorized">Uncategorized</small> </div> </div> <div> <div id="abstract-2025-458" class="paper-abstract">In this work we revisit the post-quantum security of KEM-based password-authenticated key exchange (PAKE), specifically that of (O)CAKE. So far, these schemes evaded a security proof considering quantum adversaries. We give a detailed analysis of why this is the case, determining the missing proof techniques. To this end, we first provide a proof of security in the post-quantum setting, up to a single gap. This proof already turns out to be technically involved, requiring advanced techniques to reason in the QROM, including the compressed oracle and the extractable QROM. To pave the way towards closing the gap, we then further identify an efficient simulator for the ideal cipher. This provides certain programming abilities as a necessary and sufficient condition to close the gap in the proof: we demonstrate that we can close the gap using the simulator, and give a meta-reduction based on KEM-anonymity that shows the impossibility of a non-programming reduction that covers a class of KEMs that includes Kyber / ML-KEM.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/457">2025/457</a> <a class="ms-2" href="/2025/457.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A 10-bit S-box generated by Feistel construction from cellular automata</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Thomas Prévost and Bruno Martin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-457" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-457" class="paper-abstract">In this paper, we propose a new 10-bit S-box generated from a Feistel construction. The subpermutations are generated by a 5-cell cellular automaton based on a unique well-chosen rule and bijective affine transformations. In particular, the cellular automaton rule is chosen based on empirical tests of its ability to generate good pseudorandom output on a ring cellular automaton. Similarly, Feistel's network layout is based on empirical data regarding the quality of the output S-box. We perform cryptanalysis of the generated 10-bit S-box: we test the properties of algebraic degree, algebraic complexity, nonlinearity, strict avalanche criterion, bit independence criterion, linear approximation probability, differential approximation probability, differential uniformity and boomerang uniformity of our S-box, and relate them to those of the AES S-box. We find security properties comparable to or sometimes even better than those of the standard AES S-box. We believe that our S-box could be used to replace the 5-bit substitution of ciphers like ASCON.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/456">2025/456</a> <a class="ms-2" href="/2025/456.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Democratic Distributed Post-Quantum Certificateless Encryption Scheme</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Thomas Prévost, Bruno Martin, and Olivier Alibart</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-456" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-456" class="paper-abstract">We propose a post-quantum certificateless encryption scheme based on a web of trust instead of a centralized Key Generation Center. Our scheme allows nodes to communicate securely. It is the nodes already present in the network that vote on the acceptance of new nodes, and agree on the shared key. The threshold required for the acceptance of a new node is configurable. Our protocol thus allows to completely operate without the Key Generation Center (or Key Distribution Center). Our scheme is based on Quasi-Cyclic Moderate Density Parity Check Code McEliece, which is resistant to quantum computer attacks. The voting system uses Shamir secret sharing, coupled with the Kabatianskii-Krouk-Smeets signature scheme, both are also resistant to quantum computer attacks. We provide a security analysis of our protocol, as well as a formal verification and a proof of concept code.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/455">2025/455</a> <a class="ms-2" href="/2025/455.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">StaMAC: Fault Protection via Stable-MAC Tags</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Siemen Dhooghe, Artemii Ovchinnikov, and Dilara Toprakhisar</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-455" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-455" class="paper-abstract">Fault attacks pose a significant threat to cryptographic implementations, motivating the development of countermeasures, primarily based on a combination of redundancy and masking techniques. Redundancy, in these countermeasures, is often implemented via duplication or linear codes. However, their inherent structure remains susceptible to strategic fault injections bypassing error checks. To address this, the CAPA countermeasure from CRYPTO 2018 leveraged information-theoretic MAC tags for protection against fault and combined attacks. However, a recent attack has shown that CAPA can only protect against either side-channel analysis or fault attacks, but not both simultaneously, and with significant hardware costs. Its successor, M&M, improves efficiency but lacks protection against ineffective faults. In this paper, we propose StaMAC, a framework aimed at securely incorporating MAC tags against both side-channel and fault adversaries in a non-combined scenario. We extend the security notions outlined in StaTI from TCHES 2024, and propose the notion of MAC-stability, ensuring fault propagation in masked and MACed circuits, necessitating only a single error check at the end of the computation. Additionally, we show that the stability notion from StaTI is arbitrarily composable (whereas it was previously thought to be only serially composable), making it the first arbitrary composable fault security notion which does not require intermediate error checks or correction. Then, we establish the improved protection of masking combined with MAC tags compared to linear encoding techniques by showing bounds on the advantage considering several fault adversaries: a gate/register faulting adversary, an arbitrary register faulting adversary, and a random register faulting adversary. Then, we show how to transform any probing secure circuit to protect against fault attacks using the proposed MAC-stable gadgets implementing field operations. Finally, we demonstrate StaMAC on an AES implementation, evaluating its security and hardware costs compared to the countermeasures using MAC tags.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/454">2025/454</a> <a class="ms-2" href="/2025/454.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Quantum circuit for implementing AES S-box with low costs</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Huinan Chen, Binbin Cai, Fei Gao, and Song Lin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-454" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-454" class="paper-abstract">Advanced Encryption Standard (AES) is one of the most widely used and extensively studied encryption algorithms globally, which is renowned for its efficiency and robust resistance to attacks. In this paper, three quantum circuits are designed to implement the S-box, which is the sole nonlinear component in AES. By incorporating a linear key schedule, we achieve a quantum circuit for implementing AES with the minimum number of qubits used. As a consequence, only 264/328/398 qubits are needed to implement the quantum circuits for AES-128/192/256. Furthermore, through quantum circuits of the S-box and key schedule, the overall size of the quantum circuit required for Grover's algorithm to attack AES is significantly decreased. This enhancement improves both the security and resource efficiency of AES in a quantum computing environment.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/453">2025/453</a> <a class="ms-2" href="/2025/453.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-11</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Verifiable Secret Sharing Based on Fully Batchable Polynomial Commitment for Privacy-Preserving Distributed Computation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Xiangyu Kong, Min Zhang, and Yu Chen</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-453" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-453" class="paper-abstract">Privacy-preserving distributed computation enables a resource-limited client to securely delegate computations on sensitive data to multiple servers by distributing shares of the data. In such systems, verifiable secret sharing (VSS) is a fundamental component, ensuring secure data distribution and directly impacting the overall performance. The most practical approach to construct VSS is through polynomial commitment (PC), with two main research directions to improve the VSS efficiency. The first focuses on improving the dealer time by designing PC that supports batch evaluation, i.e., generating multiple evaluation$\&$proof pairs in one shot. The second aims to reduce the broadcast cost by designing PC that supports batch opening, i.e., producing a compact proof for multiple evaluations. Recently, Zhang et al. (Usenix Security 2022) proposed a transparent PC that supports batch evaluation and obtained a transparent VSS with optimal dealer time. However, their scheme does not support batch opening, leading to high broadcast costs in VSS. To the best of our knowledge, no transparent PC currently supports both batch evaluation and batch opening, thus limiting the performance of existing VSS schemes. In this paper, we propose a transparent fully batchable polynomial commitment (TFB-PC), that simultaneously supports batch evaluation and batch opening. Leveraging TFB-PC, we present a VSS scheme with optimal complexity: $O(n\log n)$ dealer time, $O(n)$ participant time and $O(n)$ communication cost. Furthermore, we implement our VSS scheme and compare its performance with Zhang et al.’s VSS (the naive approach). Results show that our scheme achieves $954\text{-}27,595\times$ reduction in communication cost and a $1,028\text{-}1,155,106\times$ speed up in participant time for $2^{11}$-$2^{21}$ parties.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/452">2025/452</a> <a class="ms-2" href="/2025/452.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-10</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Polar Lattice Cryptography</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=SECRETKEY"><small class="badge category category-SECRETKEY">Secret-key cryptography</small></a> </div> </div> <div class="summaryauthors">Gideon Samid</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-452" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=SECRETKEY"><small class="badge category category-SECRETKEY">Secret-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-452" class="paper-abstract">Presenting a protocol that builds a cryptographic solution which shifts security responsibility from the cipher designer to the cipher user. The Polar Lattice is a pattern-devoid cryptographic cipher. It is based on a geometric construct -- a polar lattice, on which the letters of a plaintext alphabet A, are presented as two points each letter, so that to transmit a letter the transmitter transmits a randomized pathway, a trail, (ciphertext) that begins at the first point of the transmitted letter and ends at the second point of the transmitted letter; the transmitted pathway is a set of steps on the lattice. Once a letter is transmitted the next bits on the ciphertext mark the beginning of the pathway that points to the next letter. The size and the geometric construction of the polar lattice are randomized and kept secret. The randomized pathways may be long or short, the attacker does not know how to parcel the ciphertext to individual trails pointing to distinct letters in the plaintext alphabet A. The polar lattice may be implemented algebraically, or geometrically; the lattice may be a physical nano-construct. The polar lattice is very power efficient, very fast. It claims all the attributes associated with pattern devoid cryptography: it allows for only brute force cryptanalysis, which in turn can be defeated through increased ciphertext size, unlimited key size and structure complexity.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/451">2025/451</a> <a class="ms-2" href="/2025/451.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-10</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Analysis of the Telegram Key Exchange</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen, and Igors Stepanovs</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-451" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-451" class="paper-abstract">We describe, formally model, and prove the security of Telegram's key exchange protocols for client-server communications. To achieve this, we develop a suitable multi-stage key exchange security model along with pseudocode descriptions of the Telegram protocols that are based on analysis of Telegram's specifications and client source code. We carefully document how our descriptions differ from reality and justify our modelling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis. Along the way, we provide a proof of IND-CCA security for the variant of RSA-OEAP+ used in Telegram and identify a hypothetical attack exploiting current Telegram server behaviour (which is not captured in our protocol descriptions). Finally, we reflect on the broader lessons about protocol design that can be taken from our work.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/450">2025/450</a> <a class="ms-2" href="/2025/450.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-10</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Verifiable Decapsulation: Recognizing Faulty Implementations of Post-Quantum KEMs</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Lewis Glabush, Felix Günther, Kathrin Hövelmanns, and Douglas Stebila</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-450" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-450" class="paper-abstract">Cryptographic schemes often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the schemes might still function correctly. A prominent instance of such a verification step is the re-encryption check in the Fujisaki-Okamoto (FO) transform that plays a prominent role in the post-quantum key encapsulation mechanisms (KEMs) considered in NIST's PQC standardization process. In KEMs built from FO, decapsulation performs a re-encryption check that is essential for security, but not for functionality. In other words, it will go unnoticed if this essential step is omitted or wrongly implemented, opening the door for key recovery attacks. Notably, such an implementation flaw was present in HQC's reference implementation and was only noticed after 19 months. In this work, we develop a modified FO transform that binds re-encryption to functionality, ensuring that a faulty implementation which skips re-encryption will be exposed through basic correctness tests. We do so by adapting the "verifiable verification" methodology of Fischlin and Günther (CCS 2023) to the context of FO-based KEMs. More concretely, by exporting an unpredictable confirmation code from the public key encryption and embedding it into the key derivation function, we can confirm that (most of) the re-encryption step was indeed performed during decapsulation. We formalize this concept, establish modified FO transforms, and prove how unpredictable PKE confirmation codes turn into noticeable correctness errors for faulty implementations. We show how to apply this technique to ML-KEM and HQC, both with negligible overhead, by leveraging the entropy lost through ciphertext compression or truncation. We confirm that our approach works through mathematical proofs, as well as experimental data. Our experiments show that the implementation flaw in HQC's reference implementation indeed makes basic test cases when following our approach.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/449">2025/449</a> <a class="ms-2" href="/2025/449.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-10</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Concretely Efficient Correlated Oblivious Permutation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Feng Han, Xiao Lan, Weiran Liu, Lei Zhang, Hao Ren, Lin Qu, and Yuan Hong</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-449" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-449" class="paper-abstract">Oblivious permutation (OP) enables two parties, a sender with a private data vector $x$ and a receiver with a private permutation π, to securely obtain the shares of π(x). OP has been used to construct many important MPC primitives and applications such as secret shuffle, oblivious sorting, private set operations, secure database analysis, and privacy-preserving machine learning. Due to its high complexity, OP has become a performance bottleneck in several practical applications, and many efforts have been devoted to enhancing its concrete efficiency. Chase et al. (Asiacrypt'20) proposed an offline-online OP paradigm leveraging a pre-computable resource termed Share Translation. While this paradigm significantly reduces online costs, the substantial offline cost of generating Share Translation remains an area for further investigation. In this work, we redefine the pre-computable resource as a cryptographic primitive known as Correlated Oblivious Permutation (COP) and conduct in-depth analyses and optimizations of the two COP generation solutions: network-based solution and matrix-based solution. The optimizations for the network-based solution halve the communication/computation cost of constructing a switch (the basic unit of the permutation network) and reduce the number of switches in the permutation network. The optimizations for the matrix-based solution halve the communication cost of small-size COP generation and reduce the cost of large-size COP generation with in-outside permutation decomposition. We implement our two COP generation protocols and conduct comprehensive evaluations. Taking commonly used 128-bit input data as an example, our network-based and matrix-based solutions are up to 1.7x and 1.6x faster than baseline protocols, respectively. We further facilitate the state-of-the-art (SOTA) PSU protocols with our optimized COP, achieving over 25% reduction in communication cost and 35% decrease in execution time. This shows that our COP optimizations bring significant improvements for real-world MPC primitives.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/448">2025/448</a> <a class="ms-2" href="/2025/448.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-10</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Ciphertext-Ciphertext Matrix Multiplication: Fast for Large Matrices</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Jai Hyun Park</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-448" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-448" class="paper-abstract">Matrix multiplication of two encrypted matrices (CC-MM) is a key challenge for privacy-preserving machine learning applications. As modern machine learning models focus on scalability, fast CC-MM on large datasets is increasingly in demand. In this work, we present a CC-MM algorithm for large matrices. The algorithm consists of plaintext matrix multiplications (PP-MM) and ciphertext matrix transpose algorithms (C-MT). We propose a fast C-MT algorithm, which is computationally inexpensive compared to PP-MM. By leveraging high-performance BLAS libraries to optimize PP-MM, we implement large-scale CC-MM with substantial performance improvements. Furthermore, we propose lightweight algorithms, significantly reducing the key size from $1\ 960$ MB to $1.57$ MB for CC-MM with comparable efficiency. In a single-thread implementation, the C-MT algorithm takes $0.76$ seconds to transpose a $2\ 048\times 2\ 048$ encrypted matrix. The CC-MM algorithm requires $85.2$ seconds to multiply two $4\ 096\times 4\ 096$ encrypted matrices. For large matrices, our algorithm outperforms the state-of-the-art CC-MM method from Jiang-Kim-Lauter-Song [CCS'18] by a factor of over $800$.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/447">2025/447</a> <a class="ms-2" href="/2025/447.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-09</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Protecting Computations Against Continuous Bounded-Communication Leakage</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Yuval Ishai and Yifan Song</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-447" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-447" class="paper-abstract">We consider the question of protecting a general computation device, modeled by a stateful Boolean circuit, against leakage of partial information about its internal wires. Goyal et al. (FOCS 2016) obtained a solution for the case of bounded-communication leakage, where the wires are partitioned into two parts and the leakage can be any function computed using $t$ bits of communication between the parts. However, this solution suffers from two major limitations: (1) it only applies to a one-shot (stateless) computation, mapping an encoded input to an encoded output, and (2) the leakage-resilient circuit consumes fresh random bits, whose number scales linearly with the circuit complexity of the computed function. In this work, we eliminate the first limitation and make progress on the second. Concretely: - We present the first construction of stateful circuits that offer information-theoretic protection against continuous bounded-communication leakage. As an application, we extend a two-party ``malware-resilient'' protocol of Goyal et al. to the continuous-leakage case. - For simple types of bounded-communication leakage, which leak $t$ parities or $t$ disjunctions of circuit wires or their negations, we obtain a deterministic variant that does not require any fresh randomness beyond the randomness in the initial state. Here we get computational security based on a subexponentially secure one-way function. This is the first deterministic leakage-resilient circuit construction for any nontrivial class of global leakage.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/446">2025/446</a> <a class="ms-2" href="/2025/446.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-09</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Disincentivize Collusion in Verifiable Secret Sharing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Tiantian Gong, Aniket Kate, Hemanta K. Maji, and Hai H. Nguyen</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-446" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-446" class="paper-abstract">In verifiable secret sharing (VSS), a dealer shares a secret input among several parties, ensuring each share is verifiable. Motivated by its applications in the blockchain space, we focus on a VSS where parties holding shares are not allowed to reconstruct the dealer's secret (even partially) on their own terms, which we address as privacy-targeted collusion if attempted. In this context, our work investigates mechanisms deterring such collusion in VSS among rational and malicious parties. For this problem, we make both algorithmic and combinatorial contributions: 1. We provide two collusion-deterrent mechanisms to discourage parties from colluding and recovering the dealer's secret. Notably, when it is desired to achieve fairness---where non-colluding parties are not at a loss---while allowing for the best achievable malicious fault tolerance, we define ``trackable access structures'' (TAS) and design a deterrence mechanism tailored for VSS on these structures. 2. We estimate the size of the optimal TAS, construct them from Steiner systems, provide highly robust TAS using partial Steiner systems, and present efficient secret sharing schemes for the latter close-to-optimal TAS for various parameter regimes. 3. We demonstrate that trackability in access structures is connected to combinatorial objects like (partial) Steiner systems, uniform subsets with restricted intersections, and appropriate binary codes. The robustness of access structures is equivalent to the minimum vertex cover of hypergraphs. We believe these connections between cryptography, game theory, and discrete mathematics will be of broader interest.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/445">2025/445</a> <a class="ms-2" href="/2025/445.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-13</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A proof of P≠NP (New symmetric encryption algorithm against any linear attacks and differential attacks)</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Gao Ming</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-445" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-445" class="paper-abstract">P vs NP problem is the most important unresolved problem in the field of computational complexity. Its impact has penetrated into all aspects of algorithm design, especially in the field of cryptography. The security of cryptographic algorithms based on short keys depends on whether P is equal to NP. In fact, Shannon strictly proved that the one-time-pad system meets unconditional security, but because the one-time-pad system requires the length of key to be at least the length of plaintext, how to transfer the key is a troublesome problem that restricts the use of the one-time-pad system in practice. Cryptography algorithms used in practice are all based on short key, and the security of the short key mechanism is ultimately based on one-way assumption. In fact, the existence of one-way function can directly lead to the important conclusion P≠NP. In this paper, we originally constructed a short-key block cipher algorithm. The core feature of this algorithm is that for any block, when a plaintext-ciphertext pair is known, any key in the key space is valid, that is, for each block, the plaintext-ciphertext pair and the key are independence, and the independence between blocks is also easy to construct. This feature is completely different from all existing short-key cipher algorithms. Based on the above feature, we construct a problem and theoretically prove that the problem satisfies the properties of one-way functions, thereby solving the problem of the existence of one-way functions, that is, directly proving that P≠NP.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/444">2025/444</a> <a class="ms-2" href="/2025/444.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Multiparty Garbling from OT with Linear Scaling and RAM Support</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">David Heath, Vladimir Kolesnikov, Varun Narayanan, Rafail Ostrovsky, and Akash Shah</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-444" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-444" class="paper-abstract">State-of-the-art protocols that achieve constant-round secure multiparty computation currently present a trade-off: either consume an amount of communication that scales quadratically in the number of parties, or achieve better asymptotics at the cost of high constant factors (e.g. schemes based on LPN or DDH). We construct a constant-round MPC protocol where communication scales linearly in the number of parties n. Our construction relies only on OT and RO, and it leverages packed secret sharing. Due to building on simple primitives, our protocol offers concrete improvement over asymptotically-efficient LPN-based schemes. We consider security in the presence of a dishonest majority where the malicious (with abort) adversary corrupts an arbitrary constant fraction of parties. By leveraging tri-state circuits (Heath et al. Crypto 2023), we extend our protocol to the RAM model of computation. For a RAM program that halts within $T$ steps, our maliciously-secure protocol communicates $O(n \cdot T \log^3 T \log \log T \cdot \kappa)$ total bits, where $\kappa$ is a security parameter.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/443">2025/443</a> <a class="ms-2" href="/2025/443.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Homomorphic Signature-based Witness Encryption and Applications</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Alireza Kavousi and István András Seres</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-443" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-443" class="paper-abstract">Practical signature-based witness encryption (SWE) schemes recently emerged as a viable alternative to instantiate timed-release cryptography in the honest majority setting. In particular, assuming threshold trust in a set of parties that release signatures at a specified time, one can ``encrypt to the future'' using an SWE scheme. Applications of SWE schemes include voting, auctions, distributed randomness beacons, and more. However, the lack of homomorphism in existing SWE schemes reduces efficiency and hinders deployment. In this work, we introduce the notion of homomorphic SWE (HSWE) to improve the practicality of timed-release encryption schemes. We show one can build HSWE using a pair of encryption and signature schemes where the uniqueness of the signature is required when the encryption scheme relies on injective one-way functions. We then build three HSWE schemes in various settings using BLS, RSA, and Rabin signatures and show how to achieve a privacy-preserving variant that only allows extracting the homomorphically aggregated result while keeping the individual plaintexts confidential</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/442">2025/442</a> <a class="ms-2" href="/2025/442.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">A Unified Framework for Succinct Garbling from Homomorphic Secret Sharing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Yuval Ishai, Hanjun Li, and Huijia Lin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-442" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-442" class="paper-abstract">A major challenge in cryptography is the construction of succinct garbling schemes that have asymptotically smaller size than Yao’s garbled circuit construction. We present a new framework for succinct garbling that replaces the heavy machinery of most previous constructions by lighter-weight homomorphic secret sharing techniques. Concretely, we achieve 1-bit-per-gate (amortized) garbling size for Boolean circuits under circular variants of standard assumptions in composite-order or prime-order groups, as well as a lattice-based instantiation. We further extend these ideas to layered circuits, improving the per-gate cost below 1 bit, and to arithmetic circuits, eliminating the typical Ω(λ)-factor overhead for garbling mod-p computations. Our constructions also feature “leveled” variants that remove circular-security requirements at the cost of adding a depth-dependent term to the garbling size. Our framework significantly extends a recent technique of Liu, Wang, Yang, and Yu (Eurocrypt 2025) for lattice-based succinct garbling, and opens new avenues toward practical succinct garbling. For moderately large circuits with a few million gates, our garbled circuits can be two orders of magnitude smaller than Yao-style garbling. While our garbling and evaluation algorithms are much slower, they are still practically feasible, unlike previous fully succinct garbling schemes that rely on expensive tools such as iO or a non-black-box combination of FHE and ABE. This trade-off can make our framework appealing when a garbled circuit is used as a functional ciphertext that is broadcast or stored in multiple locations (e.g., on a blockchain), in which case communication and storage may dominate computational cost.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/441">2025/441</a> <a class="ms-2" href="/2025/441.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">High-Order Masking of BIKE</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Matthias Trannoy</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-441" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-441" class="paper-abstract">Every cryptographic implementation on embedded device is vulnerable to side-channel attacks. To prevent these attacks, the main countermeasure consists in splitting each sensitive variable in shares and processing them independently. With the upcoming of new algorithms designed to resist quantum computers and the complexity of their operations, this protection represents a real challenge. In this article, we present an attack on an earlier attempt to protect the decoder of BIKE cryptosystem against first-order attack. Additionally, we introduce a new procedure for the high-order masking of the decoder, up-to-date with its latest improvement. We also present the first fully masked implementation of the whole cryptosystem, including the key generation and the encapsulation. Eventually, to assess the correctness of our countermeasures and initiate further comparison, we implemented our countermeasures in C and provide benchmarks of their performance.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/440">2025/440</a> <a class="ms-2" href="/2025/440.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">AI for Code-based Cryptography</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Mohamed Malhou, Ludovic Perret, and Kristin Lauter</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-440" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-440" class="paper-abstract">We introduce the use of machine learning in the cryptanalysis of code-based cryptography. Our focus is on distinguishing problems related to the security of NIST round-4 McEliece-like cryptosystems, particularly for Goppa codes used in ClassicMcEliece and Quasi-Cyclic Moderate Density Parity-Check (QC-MDPC) codes used in BIKE. We present DeepDistinguisher, a new algorithm for distinguishing structured codes from random linear codes that uses a transformer. The results show that the new distinguisher achieves a high level of accuracy in distinguishing Goppa codes, suggesting that their structure may be more recognizable by AI models. Our approach outperforms traditional attacks in distinguishing Goppa codes in certain settings and does generalize to larger code lengths without further training using a puncturing technique. We also present the first distinguishing results dedicated to MDPC and QC-MDPC codes.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/439">2025/439</a> <a class="ms-2" href="/2025/439.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Preimage Attacks on up to 5 Rounds of SHA-3 Using Internal Differentials</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Zhongyi Zhang, Chengan Hou, and Meicheng Liu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-439" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-439" class="paper-abstract">In this paper, we study preimage resistance of the SHA-3 standard. We propose a squeeze meet-in-the-middle attack as a new preimage attack method for the sponge functions. This attack combines the squeeze attack and meet-in-the-middle attack, and is implemented by internal differentials. We analyze the inverse operation of the SHA-3 round function, and develop a new target internal differential algorithm as well as a linearization technique for the Sbox in the backward phase. In addition, we propose the concept of a value-difference distribution table (VDDT) to optimize the attack complexity. These techniques lead to faster preimage attacks on five (out of six) SHA-3 functions reduced to 4 rounds, and also bring preimage attacks on 5 rounds of four SHA-3 instances. The attack techniques are verified by performing practical preimage attack on a small variant of 4-round Keccak.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/438">2025/438</a> <a class="ms-2" href="/2025/438.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Transmitting Secrets by Transmitting only Plaintext</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Gideon Samid</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-438" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-438" class="paper-abstract">Presenting a novel use of encryption, not for hiding a secret, but for marking letters. Given a 2n letters plaintext, the transmitter encrypts the first n letters with key K1 to generate corresponding n cipherletters, and encrypts the second n letters with key K2 to generate n corresponding cipherletters. The transmitter sends the 2n cipherletters along with the keys, K1 and K2 The recipient (and any interceptor) will readily decrypt the 2n cipherletters to the original plaintext. This makes the above procedure equivalent to sending out the plaintext. So why bother? When decrypting the 2n cipherletters one will make a note of how the letters that were encrypted with K1 are mixed with the letters encrypted with K2 while keeping the original order of the letters encrypted with each key. There are 2^n possible mixings. Which means that the choice of mixing order can deliver a secret message, S, comprising n bits. So while on the surface a given plaintext is sent out from transmitter to recipient, this plaintext hides a secret. Imagine a text messaging platform that uses this protocol. An adversary will not know which plain innocent message harbors a secret message. This allows residents of cyberspace to communicate secrets without exposing the fact that they communicated a secret. Expect a big impact on the level of cyberspace privacy.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/437">2025/437</a> <a class="ms-2" href="/2025/437.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Improved Cryptanalysis of ChaCha: Beating PNBs with Bit Puncturing</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=SECRETKEY"><small class="badge category category-SECRETKEY">Secret-key cryptography</small></a> </div> </div> <div class="summaryauthors">Antonio Flórez-Gutiérrez and Yosuke Todo</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-437" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=SECRETKEY"><small class="badge category category-SECRETKEY">Secret-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-437" class="paper-abstract">ChaCha is a widely deployed stream cipher and one of the most important symmetric primitives. Due to this practical importance, many cryptanalysis have been proposed. Until now, Probabilistic Neutral Bits (PNBs) have been the most successful. Given differential-linear distinguishers, PNBs are the technique for key recovery relying on an experimental backward correlation obtained through blackbox analysis. A careful theoretical analysis exploiting the round function design may find a better attack and improve our understanding, but the complicated nature of the ARX structure makes such analysis difficult. % We propose a theoretical methodology inspired by bit puncturing, which was recently proposed at Eurocrypt 2024. Our method has a theoretical foundation and is thus fundamentally different from PNBs, to which it is the first effective alternative. As a result, we significantly improved the attack complexity for 6, 7, and 7.5-round ChaCha. The 7-round attack is about $2^{40}$ times faster than the previous best. Furthermore, we propose the first 7.5-round attack with a non-negligible advantage over an exhaustive search.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/436">2025/436</a> <a class="ms-2" href="/2025/436.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">The Algebraic One-More MISIS Problem and Applications to Threshold Signatures</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Chenzhi Zhu and Stefano Tessaro</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-436" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-436" class="paper-abstract">This paper introduces a new one-more computational problem for lattice-based cryptography, which we refer to as the Algebraic One-More MISIS problem, or AOM-MISIS for short. It is a modification of the AOM-MLWE problem recently introduced by Espitau et al. (CRYPTO ’24) to prove security of new two-round threshold signatures. Our first main result establishes that the hardness of AOM-MISIS is implied by the hardness of MSIS and MLWE (with suitable parameters), both of which are standard assumptions for efficient lattice-based cryptography. We prove this result via a new generalization of a technique by Tessaro and Zhu (EUROCRYPT ’23) used to prove hardness of a one-more problem for linear hash functions assuming their collision resistance, for which no clear lattice analogue was known. Since the hardness of AOM-MISIS implies the hardness of AOM-MLWE, our result resolves the main open question from the work of Espitau et al., who only provided a similar result for AOM-MLWE restricted to selective adversaries, a class which does not cover the use for threshold signatures. Furthermore, we show that our novel formulation of AOM-MISIS offers a better interface to develop tighter security bounds for state-of-the-art two-round threshold signatures. We exemplify this by providing new proofs of security, assuming the hardness of MLWE and MSIS, for two threshold signatures, the one proposed in the same work by Espitau et al., as well as a recent construction by Chairattana-Apirom et al. (ASIACRYPT 2024). For the former scheme, we also show that it satisfies the strongest security notion (TS-UF-4) in the security hierarchy of Bellare et al. (CRYPTO ’22), as a result of independent interest.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/435">2025/435</a> <a class="ms-2" href="/2025/435.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Constant-Time Code: The Pessimist Case</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Thomas Pornin</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-435" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-435" class="paper-abstract">This note discusses the problem of writing cryptographic implementations in software, free of timing-based side-channels, and many ways in which that endeavour can fail in practice. It is a pessimist view: it highlights why such failures are expected to become more common, and how constant-time coding is, or will soon become, infeasible in all generality.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/434">2025/434</a> <a class="ms-2" href="/2025/434.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Fine-Grained Verifier NIZK and Its Applications</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Shuai Han, Shengli Liu, Xiangyu Liu, and Dawu Gu</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-434" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-434" class="paper-abstract">In this paper, we propose a new type of non-interactive zero-knowledge (NIZK), called Fine-grained Verifier NIZK (FV-NIZK), which provides more flexible and more fine-grained verifiability of proofs than standard NIZK that supports public verifiability and designated-verifier NIZK (DV-NIZK) that supports private verifiability. FV-NIZK has two statistically (or computationally) equivalent verification approaches: --- a master verification using the master secret key $msk$; --- a fine-grained verification using a derived secret key $sk_d$, which is derived from $msk$ w.r.t. $d$ (which may stand for user identity, email address, vector, etc.). We require unbounded simulation soundness (USS) of FV-NIZK to hold, even if an adversary obtains derived secret keys $sk_d$ with $d$ of its choices, and define proof pseudorandomness which stipulates the pseudorandomness of proofs for adversaries that are not given any secret key. We present two instantiations of FV-NIZK for linear subspace languages, based on the matrix decisional Diffie-Hellman (MDDH) assumption. One of the FV-NIZK instantiations is pairing-free and achieves almost tight USS and proof pseudorandomness. We also adapt the two instantiations to support unbounded fine-grained secret key delegations. We illustrate the usefulness of FV-NIZK by showing two applications and obtain the following pairing-free schemes: --- the first almost tightly multi-challenge CCA (mCCA)-secure inner-product functional encryption (IPFE) scheme without pairings; --- the first public-key encryption (PKE) scheme that reconciles the inherent contradictions between public verifiability and anonymity. We formalize such PKE as Fine-grained Verifiable PKE (FV-PKE), which derives a special key from the decryption secret key, such that for those who obtain the derived key, they can check the validity of ciphertexts but the anonymity is lost from their views (CCA-security still holds for them), while for others who do not get the derived key, they cannot do the validity check but the anonymity holds for them. Our FV-PKE scheme achieves almost tight mCCA-security for adversaries who obtain the derived keys, and achieves almost tight ciphertext pseudorandomness (thus anonymity) for others who do not get any derived key.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/433">2025/433</a> <a class="ms-2" href="/2025/433.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">MIDAS: an End-to-end CAD Framework for Automating Combinational Logic Locking</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div class="summaryauthors">Akashdeep Saha, Siddhartha Chowdhury, Rajat Subhra Chakraborty, and Debdeep Mukhopadhyay</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-433" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=IMPLEMENTATION"><small class="badge category category-IMPLEMENTATION">Implementation</small></a> </div> </div> <div> <div id="abstract-2025-433" class="paper-abstract">Logic locking has surfaced as a notable safeguard against diverse hazards that pose a risk to the integrated circuit (IC) supply chain. Existing literature on logic locking largely encompasses the art of proposing new constructions, on the one hand, and unearthing weaknesses in such algorithms on the other. Somehow, in this race of make and break, the stress on automation of adopting such techniques on real-life circuits has been rather limited. For the first time, we present a generic end-to-end combinational logic locking CAD framework, MIDAS. This framework analyses circuit netlists and generates locked netlists. Due to its generic circuit analysis, it bridges the gap, integrates diverse logic locking techniques, and offers a scope of integration of potential future ones. MIDAS framework’s efficacy has been verified through its application on ISCAS’85 and ISCAS’99 benchmark circuits, locked using six different schemes such as EPIC, Anti-SAT, SFLL-HD, SFLL-fault, CAS-Lock, and LoPher. MIDAS minimizes the hardware overhead requirements of otherwise resource-intensive locking technique LoPher by extracting an influential portion of circuit to lock and utilizing a simple fitness function. We also assess the overhead increase for the aforementioned locking methods, thereby complicating the identification of influential nodes within the locked netlists. Finally, we evaluate MIDAS by selectively locking parts of a commercially-designed open-source RISC-V core.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/432">2025/432</a> <a class="ms-2" href="/2025/432.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-07</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Black-Box (and Fast) Non-Malleable Zero Knowledge</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div class="summaryauthors">Vincenzo Botta, Michele Ciampi, Emmanuela Orsini, Luisa Siniscalchi, and Ivan Visconti</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-432" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=FOUNDATIONS"><small class="badge category category-FOUNDATIONS">Foundations</small></a> </div> </div> <div> <div id="abstract-2025-432" class="paper-abstract">Non-malleable zero-knowledge (NMZK), originally introduced in the seminal work of Dolev, Dwork, and Naor (STOC 91), is a fundamental concept for modeling the security of proof systems against man-in-the-middle attacks. Recently, Kim, Liang, and Pandey (CRYPTO 2022) presented the first efficient constant-round NMZK argument system based solely on symmetric-key cryptography. Their construction relies on a non-black-box use of the involved cryptographic primitives and on multiple executions of Ligero (CCS 2017) that affect both the round complexity and the computational efficiency of their protocol. Their work left open the natural important challenge of achieving NMZK using the underlying primitives only in a black-box fashion (regardless of the number of rounds and actual efficiency). In this paper, we solve the aforementioned open problem by presenting the first NMZK argument system based on the black-box use of cryptographic primitives. Our work is optimal in the use of primitives since we only need one-way functions, and asymptotically optimal in the number of rounds since we only require a constant number of rounds. Our argument system is non-malleable with respect to the strong "simulation-extractability" flavor of non-malleability. Furthermore, we also show that our construction can be efficiently instantiated in Minicrypt, significantly improving upon the work of Kim et al., both in terms of round complexity and computational efficiency.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/431">2025/431</a> <a class="ms-2" href="/2025/431.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Commitment Schemes Based on Module-LIP</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Hengyi Luo, Kaijie Jiang, Yanbin Pan, and Anyu Wang</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-431" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-431" class="paper-abstract">Recently, Jiang et al. (EUROCRYPT 2025) proposed a universal framework for constructing commitment schemes using group actions, and instantiated it with the Lattice Isomorphism Problem (LIP). This paper attempts to construct an instantiation based on module-LIP with this framework. More precisely, we first present a reduction from $\mathcal{O}_{\mathbb{L}}^2$-LIP to $\mathcal{O}_{\mathbb{L}}^2$-LAP. Then we develop a re-randomized algorithm based on the self-reduction framework of Module-LIP (Ducas et al. ASIACRYPT 2022), adapting it to the framework to construct commitment schemes.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/430">2025/430</a> <a class="ms-2" href="/2025/430.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Non-interactive Anonymous Tokens with Private Metadata Bit</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Foteini Baldimtsi, Lucjan Hanzlik, Quan Nguyen, and Aayush Yadav</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-430" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-430" class="paper-abstract">Anonymous tokens with private metadata bit (ATPM) have received increased interest as a method for anonymous client authentication while also embedding trust signals that are only readable by the authority who holds the issuance secret key and nobody else. A drawback of all existing ATPM constructions is that they require client-issuer interaction during the issuance process. In this work, we build the first non-interactive anonymous tokens (NIAT) with private metadata bit, inspired by the recent work of Hanzlik (Eurocrypt '23) on non-interactive blind signatures. We discuss how the non-interaction property during the issuance process allows for more efficient issuance protocols that avoid the need for online signing. We construct an efficient NIAT scheme based on Structure-preserving Signatures on Equivalence Classes (SPS-EQ) and experimentally evaluate its performance. We also present an extension to our NIAT construction that allows the identification of clients who attempt to double-spend (i.e., present the same token twice).</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/429">2025/429</a> <a class="ms-2" href="/2025/429.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-06</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">Enhanced CKKS Bootstrapping with Generalized Polynomial Composites Approximation</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div class="summaryauthors">Seonhong Min, Joon-woo Lee, and Yongsoo Song</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-429" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PUBLICKEY"><small class="badge category category-PUBLICKEY">Public-key cryptography</small></a> </div> </div> <div> <div id="abstract-2025-429" class="paper-abstract">Bootstrapping in approximate homomorphic encryption involves evaluating the modular reduction function. Traditional methods decompose the modular reduction function into three components: scaled cosine, double-angle formula, and inverse sine. While these approaches offer a strong trade-off between computational cost and level consumption, they lack flexibility in parameterization. In this work, we propose a new method to decompose the modular reduction function with improved parameterization, generalizing prior trigonometric approaches. Numerical experiments demonstrate that our method achieves near-optimal approximation errors. Additionally, we introduce a technique that integrates the rescaling operation into matrix operations during bootstrapping, further reducing computational overhead.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/428">2025/428</a> <a class="ms-2" href="/2025/428.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-05</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">On Improved Cryptanalytic Results against ChaCha for Reduced Rounds ≥ 7</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div class="summaryauthors">Nitin Kumar Sharma, Sabyasachi Dey, Santanu Sarkar, and Subhamoy Maitra</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-428" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=ATTACKS"><small class="badge category category-ATTACKS">Attacks and cryptanalysis</small></a> </div> </div> <div> <div id="abstract-2025-428" class="paper-abstract">In this paper, we analyze the subtle issues of complexity estimates related to state-of-the-art cryptanalytic efforts on ChaCha. In this regard, we demonstrate that the currently best-known cryptanalytic result on $7$-round ChaCha with time $2^{189.7}$ and data $2^{102.63}$ [Xu et al., ToSC 2024] can be estimated as $2^{178.12}$ for time and $2^{101.09}$ for data complexity. We improve the best-known result for the $7.25$ round by obtaining an improved set of Probabilistic Neutral Bits and considering our revised estimation. Our result with time complexity $2^{212.43}$ and data complexity $2^{100.56}$ improves the result of Xu et al., where they could achieve time and data complexity $2^{223.9}$ and $2^{100.80}$, respectively. For both the $7$ and $7.25$ rounds, we can show an improvement of the order of $2^{11}$ in the time complexity. For $7.5$-round, we improve the result of Dey [IEEE-IT 2024], which reports the time and data complexity of $2^{255.24}$ and $2^{32.64}$, respectively. By applying the formula of the same paper and incorporating additional PNBs, we obtain improved time and data complexity of $2^{253.23}$ and $2^{34.47}$, respectively. Thus, this paper describes the currently best-known cryptanalytic results against reduced round ChaCha. Our results do not affect the security claims of the complete algorithm with 20 rounds. Also, we provide a rebuttal of the Work by Wang et al. \cite{wangeprint} and analyze their claim about the error in the ``Divide-and-Conquer'' Approach.</div> </div> </div> <div class="d-flex mb-1"> <div class="flex-grow-1"><a href="/2025/427">2025/427</a> <a class="ms-2" href="/2025/427.pdf">(PDF)</a> </div> <div><small>Last updated: 2025-03-05</small></div> </div> <div class="ms-3 ms-md-5 mb-3"> <div class="d-flex justify-content-between"> <div class="papertitle">BUFFing Threshold Signature Schemes</div> <div class="ms-3 d-none d-md-block"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div class="summaryauthors">Marc Fischlin, Aikaterini Mitrokotsa, and Jenit Tomy</div> <div class="d-flex justify-content-between align-items-start"> <div> <a class="abstract-closed" data-target="abstract-2025-427" onclick="toggleAbstract(this)">Show abstract</a> </div> <div class="d-block d-md-none"> <a href="/search?category=PROTOCOLS"><small class="badge category category-PROTOCOLS">Cryptographic protocols</small></a> </div> </div> <div> <div id="abstract-2025-427" class="paper-abstract">We explore advanced security notions for threshold signature schemes, focusing on Beyond UnForgeability Features (BUFF), introduced by Cremers et al. (S&P’21) in the non-threshold setting. The BUFF properties protect against attacks based on maliciously chosen keys, e.g., expropriating a message-signature pair under a new public key (called exclusive ownership). We first formalize these notions in the threshold setting and examine their relationships. Notably, unlike regular signature schemes, the hierarchy of variants of exclusive ownership notions only holds for threshold schemes if they are also robust. We then present a generic compiler that transforms any threshold signature scheme to satisfy exclusive ownership, and message-bound signature properties with minimal overhead. Furthermore, we modify the threshold BLS signature scheme to achieve these additional properties without increasing the signature size. Lastly, we identify specific structures in threshold signature schemes where BUFF properties can be naturally extended from the underlying standard signature scheme, and we analyze and prove the security properties in some of the existing threshold schemes.</div> </div> </div> </div> <div class="w-75 mx-auto"> <ul class="pagination mt-5 mb-5"> <li class="page-item active"><span class="page-link">1</span></li> <li class="page-item"><a rel="nofollow" class="page-link" href="/complete/?offset=100">2</a></li> <li class="page-item"><span class="page-link">...</span></li> <li class="page-item"><a rel="nofollow" class="page-link" href="/complete/?offset=23800">239</a></li> <li class="page-item"> <a rel="nofollow" class="page-link" href="/complete/?offset=100">Next »</a> </li> </ul> </div> </main> <div class="container-fluid mt-auto" id="eprintFooter"> <a href="https://iacr.org/"> <img id="iacrlogo" src="/img/iacrlogo_small.png" class="img-fluid d-block mx-auto" alt="IACR Logo"> </a> <div class="colorDiv"></div> <div class="alert alert-success w-75 mx-auto"> Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content. </div> </div> <script src="/css/bootstrap/js/bootstrap.bundle.min.js"></script> <script> var topNavbar = document.getElementById('topNavbar'); if (topNavbar) { document.addEventListener('scroll', function(e) { if (window.scrollY > 100) { topNavbar.classList.add('scrolled'); } else { topNavbar.classList.remove('scrolled'); } }) } </script> </body> </html>