## In this issue
1. [2025/81] Integer Commitments, Old and New Tools
2. [2025/82] Meet-in-the-Middle Attack on Primitives with Binary ...
3. [2025/83] Recover from Excessive Faults in Partially- ...
4. [2025/84] Arbitrary-Threshold Fully Homomorphic Encryption ...
5. [2025/85] Enhancing Threshold Group Action Signature Schemes: ...
6. [2025/86] Artificial Results From Hardware Synthesis
7. [2025/87] On Gaussian Sampling for $q$-ary Lattices and ...
8. [2025/88] ICT: Insured Cryptocurrency Transactions
9. [2025/89] An Introduction to Protein Cryptography
10. [2025/90] Friendly primes for efficient modular arithmetic ...
11. [2025/91] poqeth: Efficient, post-quantum signature ...
12. [2025/92] Public-Key Quantum Money From Standard Assumptions ...
13. [2025/93] A Survey on Transciphering and Symmetric Ciphers ...
14. [2025/94] Multi-Key Homomorphic Secret Sharing
15. [2025/95] Non-Interactive Distributed Point Functions
16. [2025/96] Simultaneous-Message and Succinct Secure Computation
17. [2025/97] Available Attestation: Towards a Reorg-Resilient ...
18. [2025/98] Fast, private and regulated payments in ...
19. [2025/99] Adaptive Hardcore Bit and Quantum Key Leasing over ...
20. [2025/100] Zero-Knowledge Proofs of Quantumness
21. [2025/101] Unveiling Privacy Risks in Quantum Optimization ...
22. [2025/102] A practical distinguisher on the full Skyscraper ...
23. [2025/103] Technology-Dependent Synthesis and Optimization of ...
24. [2025/104] Additive Randomized Encodings from Public Key ...
25. [2025/105] Twist and Shout: Faster memory checking arguments ...
26. [2025/106] NTRU+Sign: Compact NTRU-Based Signatures Using ...
27. [2025/107] dCTIDH: Fast & Deterministic CTIDH
28. [2025/108] Subset sum, a new insight
29. [2025/109] A Formal Treatment of Homomorphic Encryption Based ...
30. [2025/110] Verification-efficient Homomorphic Signatures for ...
31. [2025/111] On the structure of the Schur squares of Twisted ...
32. [2025/112] Post-Quantum Stealth Address Protocols
33. [2025/113] Post-Quantum Threshold Ring Signature Applications ...
34. [2025/114] Better Codes for the HQC Cryptosystem
35. [2025/115] Signatures with Tight Adaptive Corruptions from ...
36. [2025/116] A Horizontal Attack on the Codes and Restricted ...
37. [2025/117] Post-Quantum Online/Offline Signatures
38. [2025/118] How to Prove False Statements: Practical Attacks on ...
39. [2025/119] SoK: PQC PAKEs - Cryptographic Primitives, Design ...
40. [2025/120] Module Learning with Errors with Truncated Matrices
41. [2025/121] On symbolic computations over arbitrary commutative ...
42. [2025/122] Qelect: Lattice-based Single Secret Leader Election ...
43. [2025/123] Falcon on ARM Cortex-M4: an Update
44. [2025/124] GPU Implementations of Three Different Key- ...
45. [2025/125] A Privacy Model for Classical & Learned Bloom Filters
## 2025/81
* Title: Integer Commitments, Old and New Tools
* Authors: Iftach Haitner, Yehuda Lindell, Nikolaos Makriyannis
* [Permalink](
https://eprint.iacr.org/2025/081)
* [Download](
https://eprint.iacr.org/2025/081.pdf)
### Abstract
This self-contained and detailed tutorial covers RSA-based integer commitments and related protocols. It also presents a new, highly efficient setup protocol for sampling commitment parameters.
## 2025/82
* Title: Meet-in-the-Middle Attack on Primitives with Binary Matrix Linear Layer
* Authors: Qingliang Hou, Kuntong Li, Guoyan Zhang, Yanzhao Shen, Qidi You, Xiaoyang Dong
* [Permalink](
https://eprint.iacr.org/2025/082)
* [Download](
https://eprint.iacr.org/2025/082.pdf)
### Abstract
Meet-in-the-middle (MitM) is a powerful approach for the cryptanalysis of symmetric primitives. In recent years, MitM has led to many improved records about key recovery, preimage and collision attacks with the help of automated tools. However, most of the previous work target $\texttt{AES}$-like hashing where the linear layer is an MDS matrix. And we observe that their automatic model for MDS matrix is not suitable for primitives using a binary matrix as their linear layer.
In this paper, we propose the $\texttt{n-XOR}$ model to describe the $\texttt{XOR}$ operation with an arbitrary number of inputs. And it can be applied to primitives with a binary matrix of arbitrary size. Then, we propose a check model to eliminate the possible inaccuracies caused by $\texttt{n-XOR}$. But the check model is limited by the input size (not greater than 4). Combined with the two new models, we find a MitM key recovery attack on 11-round $\texttt{Midori64}$. When the whitening keys are excluded, a MitM key recovery attack can be mounted on the 12-round $\texttt{Midori64}$. Compared with the previous best work, both of the above results have distinct advantages in terms of reducing memory and data complexity.
At last, we apply the $\texttt{n-XOR}$ model to the hashing modes of primitives with large size binary matrix. The preimage attack on weakened $\texttt{camellia}-{\tt MMO}$ (without $FL/FL^{-1}$ and whitening layers) and $\texttt{Aria}-{\tt DM}$ are both improved by 1 round.
## 2025/83
* Title: Recover from Excessive Faults in Partially-Synchronous BFT SMR
* Authors: Tiantian Gong, Gustavo Franco Camilo, Kartik Nayak, Andrew Lewis-Pye, Aniket Kate
* [Permalink](
https://eprint.iacr.org/2025/083)
* [Download](
https://eprint.iacr.org/2025/083.pdf)
### Abstract
Byzantine fault-tolerant (BFT) state machine replication (SMR) protocols form the basis of modern blockchains as they maintain a consistent state across all blockchain nodes while tolerating a bounded number of Byzantine faults. We analyze BFT SMR in the excessive fault setting where the actual number of Byzantine faults surpasses a protocol's tolerance.
We start by devising the very first repair algorithm for linearly chained and quorum-based partially synchronous SMR to recover from faulty states caused by excessive faults. Such a procedure can be realized using any commission fault detection module -- an algorithm that identifies the faulty replicas without falsely locating any correct replica. We achieve this with a slightly weaker liveness guarantee, as the original security notion is impossible to satisfy given excessive faults.
We implement recoverable HotStuff in Rust. The throughput resumes to the normal level (without excessive faults) after recovery routines terminate for $7$ replicas and is slightly reduced by $\leq 4.3\%$ for $30$ replicas. On average, it increases the latency by $12.87\%$ for $7$ replicas \usenix{and $8.85\%$ for $30$ replicas}.
Aside from adopting existing detection modules, we also establish the sufficient condition for a general BFT SMR protocol to allow for complete and sound fault detection when up to $(n-2)$ Byzantine replicas (out of $n$ total replicas) attack safety. We start by providing the first closed-box fault detection algorithm for any SMR protocol without any extra rounds of communication. We then describe open-box instantiations of our fault detection routines in Tendermint and Hotstuff, further reducing the overhead, both asymptotically and concretely.
## 2025/84
* Title: Arbitrary-Threshold Fully Homomorphic Encryption with Lower Complexity
* Authors: Yijia Chang, Songze Li
* [Permalink](
https://eprint.iacr.org/2025/084)
* [Download](
https://eprint.iacr.org/2025/084.pdf)
### Abstract
Threshold fully homomorphic encryption (ThFHE) enables multiple parties to compute functions over their sensitive data without leaking data privacy. Most of existing ThFHE schemes are restricted to full threshold and require the participation of all parties to output computing results. Compared with these full-threshold schemes, arbitrary threshold (ATh)-FHE schemes are robust to non-participants and can be a promising solution to many real-world applications. However, existing AThFHE schemes are either inefficient to be applied with a large number of parties $N$ and a large data size $K$, or insufficient to tolerate all types of non-participants. In this paper, we propose an AThFHE scheme to handle all types of non-participants with lower complexity over existing schemes. At the core of our scheme is the reduction from AThFHE construction to the design of a new primitive called approximate secret sharing (ApproxSS). Particularly, we formulate ApproxSS and prove the correctness and security of AThFHE on top of arbitrary-threshold (ATh)-ApproxSS's properties. Such a reduction reveals that existing AThFHE schemes implicitly design ATh-ApproxSS following a similar idea called ``noisy share''. Nonetheless, their ATh-ApproxSS design has high complexity and become the performance bottleneck. By developing ATASSES, an ATh-ApproxSS scheme based on a novel ``encrypted share'' idea, we reduce the computation (resp. communication) complexity from $\mathcal{O}(N^2K)$ to $\mathcal{O}(N^2+K)$ (resp. from $\mathcal{O}(NK)$ to $\mathcal{O}(N+K)$). We not only theoretically prove the (approximate) correctness and security of ATASSES, but also empirically evaluate its efficiency against existing baselines. Particularly, when applying to a system with one thousand parties, ATASSES achieves a speedup of $3.83\times$ -- $15.4\times$ over baselines.
## 2025/85
* Title: Enhancing Threshold Group Action Signature Schemes: Adaptive Security and Scalability Improvements
* Authors: Michele Battagliola, Giacomo Borin, Giovanni Di Crescenzo, Alessio Meneghetti, Edoardo Persichetti
* [Permalink](
https://eprint.iacr.org/2025/085)
* [Download](
https://eprint.iacr.org/2025/085.pdf)
### Abstract
Designing post-quantum digital signatures is a very active research area at present, with several protocols being developed, based on a variety of mathematical assumptions. Many of these signatures schemes can be used as a basis to define more advanced schemes, such as ring or threshold signatures, where multiple parties are involved in the signing process. Unfortunately, the majority of these protocols only considers a static adversary, that must declare which parties to corrupt at the beginning of the execution. However, a stronger security notion can be achieved, namely security against adaptive adversaries, that can corrupt parties at any times.
In this paper we tackle the challenges of designing a post-quantum adap- tively secure threshold signature scheme: starting from the GRASS sig- nature scheme, which is only static secure, we show that it is possible to turn it into an adaptive secure threshold signature that we call GRASS+. In particular, we introduce two variants of the classical GAIP problem and discuss their security. We prove that our protocol is adaptively secure in the Random Oracle Model, if the adversary corrupts only t 2 parties. We are also able to prove that GRASS+ achieves full adaptive security, with a corruption threshold of t, in the Black Box Group Action Model with Random Oracle. Finally, we improve the performance of the scheme by exploiting a better secret sharing, inspired from the work of Desmedt, Di Crescenzo, and Burmester from ASIACRYPT’94.
## 2025/86
* Title: Artificial Results From Hardware Synthesis
* Authors: Ahmed Alharbi, Charles Bouillaguet
* [Permalink](
https://eprint.iacr.org/2025/086)
* [Download](
https://eprint.iacr.org/2025/086.pdf)
### Abstract
In this paper, we revisit venerable lower-bounds on the $AT$ or $AT^2$
performance metric of hardware circuits. A series of works started in the late 1970's has established that if a hardware circuit of area $A$ computes a function $f : \{0, 1\}^n \rightarrow \{0, 1\}^m$ in $T$ clock cycles, then $AT^2$ is asymptotically larger than (a form of) the communication complexity of $f$. These lower-bounds ignore the active component of the circuit such as the logic gates and only take into account the area of the wiring.
However, it seems that it is common practice to report the performance
characteristics of hardware designs after synthesis, namely after having
``compiled'' the design into the topological description of a hardware circuit made of standard cells. The area of the cells can be be determined with certainty, whereas the area occupied by the wires cannot. This may leads to optimistic performance figures, that may even violate the old lower-bounds.
In this paper, we take the case of the Möbius transform as a case study, following the work of Banik and Regazzoni in TCHES, 2024(2) who presented hardware designs that implement it. We first determine the communication complexity of the Möbius transform. Then, following the old methodology, we derive lower-bounds on the area (in $\mu m^2$) of any circuit that implement the operation using several open Process Design Kits for ASIC production. For large enough instances, the wires provably occupy more area than the logic gates themselves. This invalidate previous theoretical claims about the performance of circuits implementing the Möbius transform.
Fundamentally, the root cause of the contradiction between ``VLSI-era''
lower-bounds and current performance claims is that the lower-bounds apply to a geometric description of the circuit where the length of wiring is known, while it is common to report performance results on the basis of hardware synthesis alone, where a topological description of the circuit has been obtained but the actual length of wires is unknown.
## 2025/87
* Title: On Gaussian Sampling for $q$-ary Lattices and Linear Codes with Lee Weight
* Authors: Maiara F. Bollauf, Maja Lie, Cong Ling
* [Permalink](
https://eprint.iacr.org/2025/087)
* [Download](
https://eprint.iacr.org/2025/087.pdf)
### Abstract
We show that discrete Gaussian sampling for a $q$-ary lattice is equivalent to codeword sampling for a linear code over $\mathbb{Z}_q$ with the Lee weight.. This insight allows us to derive the theta series of a $q$-ary lattice from the Lee weight distribution of the associated code. We design a novel Gaussian sampler for $q$-ary lattices assuming an oracle that computes the symmetrized weight enumerator of the associated code.
We apply this sampler to well-known lattices, such as the $E_8$, Barnes-Wall, and Leech lattice, highlighting both its advantages and limitations, which depend on the underlying code properties. For certain root lattices, we show that the sampler is indeed efficient, forgoing the need to assume an oracle. We also discuss applications of our results in digital signature schemes and the Lattice Isomorphism Problem. In many cases, our sampler achieves a significant speed-up compared to state-of-the-art sampling algorithms in cryptographic applications.
## 2025/88
* Title: ICT: Insured Cryptocurrency Transactions
* Authors: Aydin Abadi, Amirreza Sarencheh, Henry Skeoch, Thomas Zacharias
* [Permalink](
https://eprint.iacr.org/2025/088)
* [Download](
https://eprint.iacr.org/2025/088.pdf)
### Abstract
Cryptocurrencies have emerged as a critical medium for digital financial transactions, driving widespread adoption while simultaneously exposing users to escalating fraud risks. The irreversible nature of cryptocurrency transactions, combined with the absence of consumer protection mechanisms, leaves users vulnerable to substantial financial losses and emotional distress. To address these vulnerabilities, we introduce Insured Cryptocurrency Transactions (ICT), a novel decentralized insurance framework designed to ensure financial recovery for honest users affected by fraudulent cryptocurrency transactions. We rigorously formalize the ICT framework, establishing strong security guarantees to protect against malicious adversaries. Furthermore, we present Insured Cryptocurrency Exchange (ICE), a concrete instantiation of ICT tailored for centralized cryptocurrency exchanges. ICE relies primarily on a standard smart contract and provides a robust mechanism to compensate users in cases of security breaches, insolvency, or fraudulent activities affecting the exchange. We have implemented ICE’s smart contract and evaluated its on-chain costs. The evaluation results demonstrate ICE’s low operational overhead. To our knowledge, ICT and ICE represent the first formal approaches to decentralized insurance frameworks in the cryptocurrency domain.
## 2025/89
* Title: An Introduction to Protein Cryptography
* Authors: Hayder Tirmazi, Tien Phuoc Tran
* [Permalink](
https://eprint.iacr.org/2025/089)
* [Download](
https://eprint.iacr.org/2025/089.pdf)
### Abstract
We introduce protein cryptography, a recently proposed method that encodes data into the amino acid sequences of proteins. Unlike traditional digital encryption, this approach relies on the inherent diversity, complexity, and replication resistance of biological macromolecules, making them highly secure against duplication or tampering. The experimental realization of protein cryptography remains an open problem. To accelerate experimental progress in this area, we provide an accessible and self-contained introduction to the fundamentals of cryptography for biologists with limited mathematical and computational backgrounds. Furthermore, we outline a framework for encoding, synthesizing, and decoding information using proteins. By enabling biologists to actively engage in the development of protein cryptography, this work bridges disciplinary boundaries and paves the way for applications in secure data storage.
## 2025/90
* Title: Friendly primes for efficient modular arithmetic using the Polynomial Modular Number System
* Authors: Fangan Yssouf Dosso, Nadia El Mrabet, Nicolas Méloni, François Palma, Pascal Véron
* [Permalink](
https://eprint.iacr.org/2025/090)
* [Download](
https://eprint.iacr.org/2025/090.pdf)
### Abstract
The Polynomial Modular Number System (PMNS) is a non-positional number system designed for modular arithmetic. Its efficiency, both in software and hardware, has been demonstrated for integers commonly used in Elliptic Curve Cryptography. In recent papers, some authors introduce specific prime forms that are particularly well-suited for PMNS arithmetic. In this work, we extend their results to a broader class of prime numbers. In practice, our approach yields performance that is competitive with, and in some cases superior to, Pseudo-Mersenne arithmetic. As a result, we expand the set of prime numbers that are well-suited for modular arithmetic. Furthermore, we contribute a database of proof of concept Elliptic Curves constructed with those primes that verify the Brainpool Standard.
## 2025/91
* Title: poqeth: Efficient, post-quantum signature verification on Ethereum
* Authors: Ruslan Kysil, István András Seres, Péter Kutas, Nándor Kelecsényi
* [Permalink](
https://eprint.iacr.org/2025/091)
* [Download](
https://eprint.iacr.org/2025/091.pdf)
### Abstract
This work explores the application and efficient deployment of (standardized) post-quantum (PQ) digital signature algorithms in the blockchain environment.. Specifically, we implement and evaluate four PQ signatures in the Ethereum Virtual Machine: W-OTS$^{+}$, XMSS, SPHINCS+, and MAYO. We focus on optimizing the gas costs of the verification algorithms as that is the signature schemes' only algorithm executed on-chain, thus incurring financial costs (transaction fees) for the users. Hence, the verification algorithm is the signature schemes' main bottleneck for decentralized applications.
We examine two methods to verify post-quantum digital signatures on-chain. Our practical performance evaluation shows that full on-chain verification is often prohibitively costly. Naysayer proofs (FC'24) allow a novel optimistic verification mode. We observe that the Naysayer verification mode is generally the cheapest, at the cost of additional trust assumptions. We release our implementation called poqeth as an open-source library.
## 2025/92
* Title: Public-Key Quantum Money From Standard Assumptions (In The Generic Model)
* Authors: Jake Doliskani
* [Permalink](
https://eprint.iacr.org/2025/092)
* [Download](
https://eprint.iacr.org/2025/092.pdf)
### Abstract
Our main result is a quantum polynomial-time reduction from the group action discrete logarithm (DLP) problem to a specific cloning problem. A consequence of this result is that the public-key quantum money scheme proposed by Zhandry (2024), based on abelian group actions, is secure in the generic group action model. Specifically, our result shows that breaking the quantum money scheme is equivalent, under quantum polynomial-time reductions, to solving the group action DLP. Two immediate implications of our results are: i) A separation between quantum money and quantum lightning. This separation arises because our reduction is non-uniform, and quantum lightning is not secure against non-uniform adversaries. ii) Cloning vs. preparing Fourier states. Our main theorem shows that the problem of cloning group action Fourier states is equivalent to the problem of preparing these states.
## 2025/93
* Title: A Survey on Transciphering and Symmetric Ciphers for Homomorphic Encryption
* Authors: Indranil Thakur, Angshuman Karmakar, Chaoyun Li, Bart Preneel
* [Permalink](
https://eprint.iacr.org/2025/093)
* [Download](
https://eprint.iacr.org/2025/093.pdf)
### Abstract
Data privacy concerns are sharply rising in the current digital era, hyperdriven by cloud computing, big data analytics, and the Internet of Things. Homomorphic Encryption (HE) has emerged as an ideal technique for computing on encrypted data, but current schemes suffer from slow encryption speed and large ciphertext expansion. Practical implementation is hindered, especially when the client has limited bandwidth, memory, and computing power. In 2011, Naehrig et al. proposed transciphering, reducing computational and communication overload on the client side. This involves symmetric ciphers with minimized multiplicative complexity,
referred to as HE-Friendly Ciphers (HEFCs).
In this work, we present a detailed study of transciphering for HE by systematizing existing knowledge and crystallizing research challenges. Particularly we conduct a comprehensive study on state-of-the-art HEFC constructions. Our work highlights gaps, open problems, and directions for future research.
## 2025/94
* Title: Multi-Key Homomorphic Secret Sharing
* Authors: Geoffroy Couteau, Lalita Devadas, Aditya Hegde, Abhishek Jain, Sacha Servan-Schreiber
* [Permalink](
https://eprint.iacr.org/2025/094)
* [Download](
https://eprint.iacr.org/2025/094.pdf)
### Abstract
Homomorphic secret sharing (HSS) is a distributed analogue of fully homomorphic encryption (FHE) where following an input-sharing phase, two or more parties can locally compute a function over their private inputs to obtain shares of the function output.
Over the last decade, HSS schemes have been constructed from an array of different assumptions. However, all existing HSS schemes, except ones based on assumptions known to imply multi-key FHE, require a public-key infrastructure (PKI) or a correlated setup between parties. This limitation carries over to many applications of HSS.
In this work, we construct multi-key homomorphic secret sharing (MKHSS), where given only a common reference string (CRS), two parties can secret share their inputs to each other and then perform local computations as in HSS. We present the first MKHSS schemes supporting all NC1 computations from either the decisional Diffie-Hellman (DDH), decisional composite residuosity (DCR), or class group assumptions.
Our constructions imply the following applications in the CRS model:
- Succinct two-round secure computation. Under the same assumptions as our MKHSS schemes, we construct succinct, two-round secure two-party computation for NC1 circuits. Previously, such a result was only known from the learning with errors assumption.
- Attribute-based NIKE. Under DCR or class group assumptions, we construct non-interactive key exchange (NIKE) protocols where two parties agree on a key if and only if their secret attributes satisfy a public NC1 predicate. This significantly generalizes the existing notion of password-based NIKE.
- Public-key PCFs. Under DCR or class group assumptions, we construct public-key pseudorandom correlation functions (PCFs) for any NC1 correlation. This yields the first public-key PCFs for Beaver triples (and more) from non-lattice assumptions.
- Silent MPC. Under DCR or class group assumptions, we construct a p-party secure computation protocol in the silent preprocessing model where the preprocessing phase has communication O(p), ignoring polynomial factors. All prior protocols that do not rely on spooky encryption require $Ω(p^2)$ communication.
## 2025/95
* Title: Non-Interactive Distributed Point Functions
* Authors: Elette Boyle, Lalita Devadas, Sacha Servan-Schreiber
* [Permalink](
https://eprint.iacr.org/2025/095)
* [Download](
https://eprint.iacr.org/2025/095.pdf)
### Abstract
Distributed Point Functions (DPFs) are a useful cryptographic primitive enabling a dealer to distribute short keys to two parties, such that the keys encode additive secret shares of a secret point function. However, in many applications of DPFs, no single dealer entity has full knowledge of the secret point function, necessitating the parties to run an interactive protocol to emulate the setup. Prior works have aimed to minimize complexity metrics of such distributed setup protocols, e.g., round complexity, while remaining black-box in the underlying cryptography.
We construct Non-Interactive DPFs (NIDPF), which have a one-round (simultaneous-message, semi-honest) setup protocol, removing the need for a trusted dealer. Specifically, our construction allows each party to publish a special "public key" to a public channel or bulletin board, where the public key encodes the party's secret function parameters. Using the public key of another party, any pair of parties can locally derive a DPF key for the point function parameterized by the two parties' joint inputs.
We realize NIDPF from an array of standard assumptions, including DCR, SXDH, QR, and LWE. Each party's public key is of size $O(N^{2/3})$, for point functions with a domain of size $N$, which leads to a sublinear communication setup protocol. The only prior approach to realizing such a non-interactive setup required using multi-key fully-homomorphic encryption or indistinguishability obfuscation.
As immediate applications of our construction, we get "public-key setups" for several existing constructions of pseudorandom correlation generators and round-efficient protocols for secure comparisons.
## 2025/96
* Title: Simultaneous-Message and Succinct Secure Computation
* Authors: Elette Boyle, Abhishek Jain, Sacha Servan-Schreiber, Akshayaram Srinivasan
* [Permalink](
https://eprint.iacr.org/2025/096)
* [Download](
https://eprint.iacr.org/2025/096.pdf)
### Abstract
We put forth and instantiate a new primitive we call simultaneous-message and succinct (SMS) secure computation. An SMS scheme enables a minimal communication pattern for secure computation in the following scenario: Alice has a large private input X, Bob has a small private input y, and Charlie wants to learn $f(X, y)$ for some public function $f$.
Given a common reference string (CRS) setup phase, an SMS scheme for a function f is instantiated with two parties holding inputs $X$ and $y$, and has the following structure:
- The parties simultaneously exchange a single message.
- Communication is succinct, scaling sublinearly in the size of $X$ and the output $f(X, y)$.
- Without further interaction, the parties can locally derive additive secret shares of $f(X, y)$.
Indeed, Alice and Bob simultaneously send each other a message using the CRS and their private inputs. Using the transcript and their private state, the parties locally derive additive secret shares of $f(X, y)$, which they can send to Charlie. As such, an SMS scheme incurs a communication cost to Charlie that is only twice that of the function output length. Importantly, the size of Alice’s message does not grow with the size of her input $X$, and both Alice’s and Bob’s first-round messages grow sublinearly in the size of the output. Additionally, Alice’s or Bob’s view provides no information about the other party’s input besides the output of $f(X, y)$, even if colluding with Charlie.
We obtain the following results:
- Assuming Learning With Errors (LWE), we build an SMS scheme supporting evaluation of depth-$d$ circuits, where Alice's message is of size $|f(X, y)|^{(2/3)}$· poly(λ, d), Bob's message is of size $(|y| + |f(X, y)|^{(2/3)})$ · poly(λ, d), and λ is the security parameter. We can further extend this to support all functions by assuming the circular security of LWE.
- Assuming sub-exponentially secure indistinguishability obfuscation, in conjunction with other standard assumptions, we build an SMS scheme supporting arbitrary polynomial-sized batch functions of the form $(f(x_1, y), ..., f(x_L, y))$, for $X = (x_1, ..., x_L)$. The size of Alice's and Bob's messages in this construction is poly(λ) and poly(λ, |f|, log L), respectively.
We show that SMS schemes have several immediate applications. An SMS scheme gives:
- A direct construction of trapdoor hash functions (TDH) (Döttling et al.., Crypto'19) for the same class of functions as the one supported by the SMS scheme.
- A simple and generic compiler for obtaining compact, rate-1 fully homomorphic encryption (FHE) from any non-compact FHE scheme.
- A simple and generic compiler for obtaining correlation-intractable (CI) hash functions that are secure against all efficiently-searchable relations.
In turn, under the LWE assumption, we obtain the first construction of TDH for all functions and generic approaches for obtaining rate-1 FHE and CI hashing. We also show that our iO-based construction gives an alternative approach for two-round secure computation with communication succinctness in the output length (Hubáček and Wichs, ITCS'15).
## 2025/97
* Title: Available Attestation: Towards a Reorg-Resilient Solution for Ethereum Proof-of-Stake
* Authors: Mingfei Zhang, Rujia Li, Xueqian Lu, Sisi Duan
* [Permalink](
https://eprint.iacr.org/2025/097)
* [Download](
https://eprint.iacr.org/2025/097.pdf)
### Abstract
Ethereum transitioned from Proof-of-Work consensus to Proof-of-Stake (PoS) consensus in September 2022. While this upgrade brings significant improvements (e.g., lower energy costs and higher throughput), it also introduces new vulnerabilities. One notable example is the so-called malicious \textit{reorganization attack}. Malicious reorganization denotes an attack in which the Byzantine faulty validators intentionally manipulate the canonical chain so the blocks by honest validators are discarded. By doing so, the faulty validators can gain benefits such as higher rewards, lower chain quality, or even posing a liveness threat to the system.
In this work, we show that the majority of the known attacks on Ethereum PoS are some form of reorganization attacks. In practice, most of these attacks can be launched even if the network is synchronous (there exists a known upper bound for message transmission and processing). Different from existing studies that mitigate the attacks in an ad-hoc way, we take a systematic approach and provide an elegant yet efficient solution to reorganization attacks. Our solution is provably secure such that no reorganization attacks can be launched in a synchronous network. In a partially synchronous network, our approach achieves the conventional safety and liveness properties of the consensus protocol. Our evaluation results show that our solution is resilient to five types of reorganization attacks and also highly efficient.
## 2025/98
* Title: Fast, private and regulated payments in asynchronous networks
* Authors: Maxence Brugeres, Victor Languille, Petr Kuznetsov, Hamza Zarfaoui
* [Permalink](
https://eprint.iacr.org/2025/098)
* [Download](
https://eprint.iacr.org/2025/098.pdf)
### Abstract
We propose a decentralized asset-transfer system that enjoys full privacy: no party can learn the details of a transaction, except for its issuer and its recipient. Furthermore, the recipient is only aware of the amount of the transaction. Our system does not rely on consensus or synchrony assumptions, and therefore, it is responsive, since it runs at the actual network speed. Under the hood, every transaction creates a consumable coin equipped with a non-interactive zero-knowledge proof (NIZK) that confirms that the issuer has sufficient funds without revealing any information about her identity, the recipient's identity, or the payment amount. Moreover, we equip our system with a regulatory enforcement mechanism that can be used to regulate transfer limits or restrict specific addresses from sending or receiving funds, while preserving the system's privacy guarantees.
Finally, we report on Paxpay, our implementation of Fully Private Asset Transfer (FPAT) that uses the Gnark library for the NIZKs. In our benchmark, Paxpay exhibits better performance than earlier proposals that either ensure only partial privacy, require some kind of network synchrony or do not implement regulation features. Our system thus reconciles privacy, responsiveness, regulation enforcement and performance.
## 2025/99
* Title: Adaptive Hardcore Bit and Quantum Key Leasing over Classical Channel from LWE with Polynomial Modulus
* Authors: Duong Hieu Phan, Weiqiang Wen, Xingyu Yan, Jinwei Zheng
* [Permalink](
https://eprint.iacr.org/2025/099)
* [Download](
https://eprint.iacr.org/2025/099.pdf)
### Abstract
Quantum key leasing, also known as public key encryption with secure key leasing (PKE-SKL),
allows a user to lease a (quantum) secret key to a server for decryption purpose, with the capability of revoking the key afterwards.
In the pioneering work by Chardouvelis et al (arXiv:2310.14328), a PKE-SKL scheme utilizing classical channels was successfully built upon the noisy trapdoor claw-free (NTCF) family. This approach, however, relies on the superpolynomial hardness of learning with errors (LWE) problem, which could affect both efficiency and security of the scheme.
In our work, we demonstrate that the reliance on superpolynomial hardness is unnecessary, and that LWE with polynomial-size modulus is sufficient to achieve the same goal.
Our approach enhances both efficiency and security, thereby improving the practical feasibility of the scheme on near-term quantum devices.
To accomplish this, we first construct a \textit{noticeable} NTCF (NNTCF) family with the adaptive hardcore bit property, based on LWE with polynomial-size modulus. To the best of our knowledge, this is the first demonstration of the adaptive hardcore bit property based on LWE with polynomial-size modulus, which may be of independent interest.
Building on this foundation, we address additional challenges in prior work to construct the first PKE-SKL scheme satisfying the following properties:
(\textit{i}) the entire protocol utilizes only classical communication, and can also be lifted to support homomorphism.
(\textit{ii}) the security is solely based on LWE assumption with polynomial-size modulus.
As a demonstration of the versatility of our noticeable NTCF, we show that an efficient proof of quantumness protocol can be built upon it. Specifically, our protocol enables a classical verifier to test the quantumness while relying exclusively on the LWE assumption with polynomial-size modulus.
## 2025/100
* Title: Zero-Knowledge Proofs of Quantumness
* Authors: Duong Hieu Phan, Weiqiang Wen, Xingyu Yan, Jinwei Zheng
* [Permalink](
https://eprint.iacr.org/2025/100)
* [Download](
https://eprint.iacr.org/2025/100.pdf)
### Abstract
With the rapid development of quantum computers, proofs of quantumness have recently become an interesting and intriguing research direction. However, in all current schemes for proofs of quantumness, quantum provers almost invariably face the risk of being maliciously exploited by classical verifiers. In fact, through malicious strategies in interaction with quantum provers, classical verifiers could solve some instances of hard problems that arise from the specific scheme in use. In other words, malicious verifiers can break some schemes (that quantum provers are not aware of) through interaction with quantum provers. All this is due to the lack of formalization that prevents malicious verifiers from extracting useful information in proofs of quantumness.
To address this issue, we formalize zero-knowledge proofs of quantumness. Intuitively, the zero-knowledge property necessitates that the information gained by the classical verifier from interactions with the quantum prover should not surpass what can be simulated using a simulated classical prover interacting with the same verifier. As a result, the new zero-knowledge notion can prevent any malicious verifier from exploiting quantum advantage.
Interestingly, we find that the classical zero-knowledge proof is sufficient to compile some existing proofs of quantumness schemes into zero-knowledge proofs of quantumness schemes.
Due to some technical reasons, it appears to be more general to require zero-knowledge proof on the verifier side instead of the prover side. Intuitively, this helps to regulate the verifier's behavior from malicious to be honest-but-curious. As a result, both parties will play not only one role in the proofs of quantumness but also the dual role in the classical zero-knowledge proof.
Specifically, the two principle proofs of quantumness schemes: Shor's factoring-based scheme and learning with errors-based scheme in [Brakerski et al, FOCS, 2018], can be transformed into zero-knowledge proofs of quantumness by requiring an extractable non-interactive zero-knowledge argument on the verifier side.
Notably, the zero-knowledge proofs of quantumness can be viewed as an enhanced security notion for proofs of quantumness. To prevent malicious verifiers from exploiting the quantum device's capabilities or knowledge, it is advisable to transition existing proofs of quantumness schemes to this framework whenever feasible.
## 2025/101
* Title: Unveiling Privacy Risks in Quantum Optimization Services
* Authors: Mateusz Leśniak, Michał Wroński, Ewa Syta, Mirosław Kutyłowski
* [Permalink](
https://eprint.iacr.org/2025/101)
* [Download](
https://eprint.iacr.org/2025/101.pdf)
### Abstract
As cloud-based quantum computing services, such as those offered by D-Wave, become more popular for practical applications, privacy-preserving methods (such as obfuscation) are essential to address data security, privacy, and legal compliance concerns.
Several efficient obfuscation methods have been proposed, which do not increase the time complexity of solving the obfuscated problem, for quantum optimization problems. These include {\em sign reversing}, {\em variable permutation}, and the combination of both methods assumed to provide greater protection. Unfortunately, sign reversing has already been shown to be insecure.
We present two attacks on variable permutation and the combined method, where it is possible to efficiently recover the deobfuscated problem, particularly when given access to the obfuscated problem and its obfuscated solution, as a cloud-based quantum provider would have.
Our attacks are in the context of an optimization problem of cryptanalysis of the Trivium cipher family, but our approach generalizes to other similarly structured problems.
Our attacks are efficient and practical.
Deobfuscating an optimization problem with \( n \) variables obfuscated with the combined method has a complexity of $O(n^2)$ compared to the complexity of $O\left( n \cdot n! \cdot 2^n \right)$ of the brute force attack.
We provide an implementation of our attack; using a commodity laptop, our attack using the full Trivium cipher takes less than two minutes if optimized.
We also present possible countermeasures to mitigate our attacks and bring attention to the need for further development in this area.
## 2025/102
* Title: A practical distinguisher on the full Skyscraper permutation
* Authors: Antoine Bak
* [Permalink](
https://eprint.iacr.org/2025/102)
* [Download](
https://eprint.iacr.org/2025/102.pdf)
### Abstract
Skyscraper is a cryptographic permutation published in TCHES 2025, optimized for use in proof systems such as PlonK. This primitive is based on a 10-round Feistel network combining $x^2$ monomials and lookup-based functions to achieve competitive plain performances and efficiency in proof systems supporting lookups. In terms of security, the $x^2$ monomials are supposed to provide security against statistical attacks, while lookups are supposed to provide security against algebraic attacks.
In this note, we show that this primitive has a much lower security margin than expected. Using a rebound attack, we find practical truncated differentials on the full permutation. As a corollary, we also find a practical collision attack on the compression function based on a 9-round Skyscraper permutation, which significantly reduces the security margin of the primitive. All of these attacks have been implemented and work in practice.
## 2025/103
* Title: Technology-Dependent Synthesis and Optimization of Circuits for Small S-boxes
* Authors: Zihao Wei, Siwei Sun, Fengmei Liu, Lei Hu, Zhiyu Zhang
* [Permalink](
https://eprint.iacr.org/2025/103)
* [Download](
https://eprint.iacr.org/2025/103.pdf)
### Abstract
Boolean formula minimization is a notoriously hard problem that is known to be $\varSigma_2^P$-complete. Circuit minimization, typically studied in the context of a much broader subject known as synthesis and optimization of circuits, introduces another layer of complexity since ultimately those technology-independent epresentations (e.g., Boolean formulas and truth tables) has to be transformed into a netlist of cells of the target technology library. To manage those complexities, the industrial community typically separates the synthesis process into two steps: technology-independent optimization and technology mapping. In each step, this approach only tries to find the local optimal solution and relies heavily on heuristics rather than a systematic search. However, for small S-boxes, a more systematic exploration of the design space is possible. Aiming at the global optimum, we propose a method which can synthesize a truth table for a small S-box directly into a netlist of the cells of a given technology library. Compared with existing technology-dependent synthesis tools like LIGHTER and PEIGEN, our method produces improved results for many S-boxes with respect to circuit area. In particular, by applying our method to the $\mathbb{F}_{2^4}$-inverter involved in the tower field implementation of the AES S-box, we obtain the currently known lightest implementation of the AES S-box. The search framework can be tweaked to take circuit delay into account. As a result, we find implementations for certain S-boxes with both latency and area improved.
## 2025/104
* Title: Additive Randomized Encodings from Public Key Encryption
* Authors: Nir Bitansky, Saroja Erabelli, Rachit Garg
* [Permalink](
https://eprint.iacr.org/2025/104)
* [Download](
https://eprint.iacr.org/2025/104.pdf)
### Abstract
Introduced by Halevi, Ishai, Kushilevitz, and Rabin (CRYPTO 2023), Additive randomized encodings (ARE) reduce the computation of a $k$-party function $f(x_1,\dots,x_k)$ to locally computing encodings $\hat x_i$ of each input $x_i$ and then adding them together over some Abelian group into an output encoding $\hat y = \sum \hat x_i$, which reveals nothing but the result. The appeal of ARE comes from the simplicity of the non-local computation, involving only addition. This gives rise for instance to non-interactive secure function evaluation in the shuffle model where messages from different parties are anonymously shuffled before reaching their destination. Halevi, Ishai, Kushilevitz, and Rabin constructed ARE based on Diffie-Hellman type assumptions in bilinear groups.
We construct ARE assuming public-key encryption. The key insight behind our construction is that one-sided ARE, which only guarantees privacy for one of the parties, are relatively easy to construct, and yet can be lifted to full-fledged ARE. We also give a more efficient black-box construction from the CDH assumption.
## 2025/105
* Title: Twist and Shout: Faster memory checking arguments via one-hot addressing and increments
* Authors: Srinath Setty, Justin Thaler
* [Permalink](
https://eprint.iacr.org/2025/105)
* [Download](
https://eprint.iacr.org/2025/105.pdf)
### Abstract
A memory checking argument enables a prover to prove to a verifier that it is correctly processing reads and writes to memory. They are used widely in modern SNARKs, especially in zkVMs, where the prover proves the correct execution of a CPU including the correctness of memory operations.
We describe a new approach for memory checking, which we call the method of one-hot addressing and increments. We instantiate this method via two different families of protocols, called Twist and Shout. Twist supports read/write memories, while Shout targets read-only memories (also known as lookup arguments). Both Shout and Twist have logarithmic verifier costs. Unlike prior works, these protocols do not invoke "grand product" or "grand sum" arguments.
Twist and Shout significantly improve the prover costs of prior works across the full range of realistic memory sizes, from tiny memories (e.g., 32 registers as in RISC-V), to memories that are so large they cannot be explicitly materialized (e.g., structured lookup tables of size $2^{64}$ or larger, which arise in Lasso and the Jolt zkVM). Detailed cost analysis shows that Twist and Shout are well over 10x cheaper for the prover than state-of-the-art memory-checking procedures configured to have logarithmic proof length.
Prior memory-checking procedures can also be configured to have larger proofs.. Even then, we estimate that Twist and Shout are at least 2--4x faster for the prover in key applications.
Finally, using Shout, we provide two fast-prover SNARKs for non-uniform constraint systems, both of which achieve minimal commitment costs (the prover commits only to the witness): (1) SpeedySpartan applies to Plonkish constraints, substantially improving the previous state-of-the-art protocol, BabySpartan; and (2)Spartan++ applies to CCS (a generalization of Plonkish and R1CS), improving prover times over the previous state-of-the-art protocol, Spartan, by 6x.
## 2025/106
* Title: NTRU+Sign: Compact NTRU-Based Signatures Using Bimodal Distributions
* Authors: Joo Woo, Jonghyun Kim, Ga Hee Hong, Seungwoo Lee, Minkyu Kim, Hochang Lee, Jong Hwan Park
* [Permalink](
https://eprint.iacr.org/2025/106)
* [Download](
https://eprint.iacr.org/2025/106.pdf)
### Abstract
We present a new lattice-based signature scheme, called ‘NTRU+Sign’, using the Fiat-Shamir with Aborts framework. The proposed scheme is designed based on a novel NTRU-based key structure that fits well with bimodal distributions, enabling efficiency improvements compared to its predecessor, BLISS. The novel NTRU-based key structure is characterized by: (1) effectively changing a modulus from 2q to q, which is different from the existing usage of 2q for bimodal distributions, and (2) drastically reducing the magnitude of a secret key, which directly leads to compactness of signature sizes. We provide two concrete parameter sets for NTRU+Sign, supporting 93-bit and 211-bit security levels. Using the technique from GALACTICS (that was suggested as the constant-time implementation of BLISS),
our analysis shows that NTRU+Sign achieves a good balance between computational efficiency and signature compactness, with constant-time implementation. For instance, at the NIST-3 security level, NTRU+Sign produces signatures that are significantly smaller than Dilithium and HAETAE, while providing faster verification speeds. These advantages position NTRU+Sign as a competitive and practical
solution for real-world deployments.
## 2025/107
* Title: dCTIDH: Fast & Deterministic CTIDH
* Authors: Fabio Campos, Andreas Hellenbrand, Michael Meyer, Krijn Reijnders
* [Permalink](
https://eprint.iacr.org/2025/107)
* [Download](
https://eprint.iacr.org/2025/107.pdf)
### Abstract
This paper presents dCTIDH, a CSIDH implementation that combines two recent developments into a novel state-of-the-art deterministic implementation. We combine the approach of deterministic variants of CSIDH with the batching strategy of CTIDH, which shows that the full potential of this key space has not yet been explored. This high-level adjustment in itself leads to a significant speed-up. To achieve an effective deterministic evaluation in constant time, we introduce Wombats, a new approach to performing isogenies in batches, specifically tailored to the behavior required for deterministic CSIDH using CTIDH batching.
Furthermore, we explore the two-dimensional space of optimal primes for dCTIDH, with regard to both the performance of dCTIDH in terms of finite-field operations per prime and the efficiency of finite-field operations, determined by the prime shape, in terms of cycles. This allows us to optimize both for choice of prime and scheme parameters simultaneously. Lastly, we implement and benchmark constant-time, deterministic dCTIDH. Our results show that dCTIDH not only outperforms state-of-the-art deterministic CSIDH, but even non-deterministic CTIDH: dCTIDH-2048 is faster than CTIDH-2048 by 17 percent, and is almost five times faster than dCSIDH-2048.
## 2025/108
* Title: Subset sum, a new insight
* Authors: Samir Bouftass
* [Permalink](
https://eprint.iacr.org/2025/108)
* [Download](
https://eprint.iacr.org/2025/108.pdf)
### Abstract
In this paper, we show that subset sum problem consists on finding a solution over $\mathbb{N}_2$ of equation $n = \textbf{A}X \bullet U$ where A and n are given matrix and integer and U = $[(2^0) (2^1) .... (2^{d-2}) (2^{d-1})]$. We show that it can be subdivized into 2 solvable subproblems.
## 2025/109
* Title: A Formal Treatment of Homomorphic Encryption Based Outsourced Computation in the Universal Composability Framework
* Authors: Wasilij Beskorovajnov, Sarai Eilebrecht, Yufan Jiang, Jörn Mueller-Quade
* [Permalink](
https://eprint.iacr.org/2025/109)
* [Download](
https://eprint.iacr.org/2025/109.pdf)
### Abstract
The adoption of Homomorphic Encryption (HE) and Secure
Function Evaluation (SFE) applications in the real world remains lim-
ited, even nearly 50 years after the introduction of HE. This is particu-
larly unfortunate given the strong privacy and confidentiality guarantees
these tools can offer to modern digital life.
While attempting to incorporate a simple straw-man PSI protocol into
a web service for matching individuals based on their profiles, we en-
countered several shortcomings in current outsourcing frameworks. Ex-
isting outsourced protocols either require clients to perform tasks beyond
merely contributing their inputs or rely on a non-collusion assumption
between a server and a client, which appears implausible in standard web
service scenarios.
To address these issues, we present, to the best of our knowledge, the first
general construction for non-interactive outsourced computation based
on black-box homomorphic encryption. This approach relies on a non-
collusion assumption between two dedicated servers, which we consider
more realistic in a web-service setting. Furthermore, we provide a proof
of our construction within the Universal Composability (UC) framework,
assuming semi-honest (i.e., passive) adversaries.
Unlike general one-sided two-party SFE protocols, our construction addi-
tionally requires sender privacy. Specifically, the sender must contribute
its inputs solely in encrypted form. This ensures stronger privacy guar-
antees and broadens the applicability of the protocol.
Overall, the range of applications for our construction includes all one-
sided two-party sender-private SFE protocols as well as server-based
arithmetic computations on encrypted inputs. Finally, we demonstrate
the practical applicability of our general outsourced computation frame-
work by applying it to the specific use case of Outsourced Private Set
Intersection (OPSI) in a real-world scenario, accompanied by a detailed
evaluation of its efficiency.
## 2025/110
* Title: Verification-efficient Homomorphic Signatures for Verifiable Computation over Data Streams
* Authors: Gaspard Anthoine, Daniele Cozzo, Dario Fiore
* [Permalink](
https://eprint.iacr.org/2025/110)
* [Download](
https://eprint.iacr.org/2025/110.pdf)
### Abstract
Homomorphic signatures for NP (HSNP) allow proving that a signed value is the result of a non-deterministic computation on signed inputs. At CCS'22, Fiore and Tucker introduced HSNP, showed how to use them for verifying arbitrary computations on data streams, and proposed a generic HSNP construction obtained by efficiently combining zkSNARKs with linearly homomorphic signatures (LHS), namely those supporting linear functions. Their proposed LHS however suffered from an high verification cost. In this work we propose an efficient LHS that significantly improves on previous work in terms of verification time. Using the modular approach of Fiore and Tucker, this yields a verifier-efficient HSNP. We show that the HSNP instantiated with our LHS is particularly suited to the case when the data is taken from consecutive samples, which captures important use cases including sliding window statistics such as variances, histograms and stock market predictions.
## 2025/111
* Title: On the structure of the Schur squares of Twisted Generalized Reed-Solomon codes and application to cryptanalysis
* Authors: Alain Couvreur, Rakhi Pratihar, Nihan Tanisali, Ilaria Zappatore
* [Permalink](
https://eprint.iacr.org/2025/111)
* [Download](
https://eprint.iacr.org/2025/111.pdf)
### Abstract
Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones.
Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with same dimension.
Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed--Solomon (TRS) codes over $\mathbb{F}_q$ with $\ell$ twists $q \approx n^{2^{\ell}}$ for McEliece encryption, claiming their resistance to both Sidelnikov Shestakov attack and
Schur products--based attacks. In short, they claimed these codes to resist to classical key recovery attacks on McEliece encryption scheme instantiated with Reed-Solomon (RS) or GRS codes. In 2020, Lavauzelle and Renner presented an original attack on this system based on the computation of the subfield subcode of the public TRS code.
In this paper, we show that the original claim on the resistance of TRS and TGRS codes to Schur products based--attacks is wrong.
We identify a broad class of codes including TRS and TGRS ones that is distinguishable from random by computing the Schur square
of some shortening of the code. Then, we focus on the case of single twist ({i.e.}, $\ell = 1$), which is the most efficient one in terms of decryption complexity, to derive an attack. The technique is similar to the distinguisher-based attacks of RS code-based systems given by Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich in 2014.
## 2025/112
* Title: Post-Quantum Stealth Address Protocols
* Authors: Marija Mikić, Mihajlo Srbakoski, Strahinja Praška
* [Permalink](
https://eprint.iacr.org/2025/112)
* [Download](
https://eprint.iacr.org/2025/112.pdf)
### Abstract
The Stealth Address Protocol (SAP) allows users to receive assets through stealth addresses that are unlinkable to their stealth meta-addresses. The most widely used SAP, Dual-Key SAP (DKSAP), and the most performant SAP, Elliptic Curve Pairing Dual-Key SAP (ECPDKSAP), are based on elliptic curve cryptography, which is vulnerable to quantum attacks. These protocols depend on the elliptic curve discrete logarithm problem, which could be efficiently solved on a sufficiently powerful quantum computer using the Shor algorithm. In this paper three novel post-quantum SAPs based on lattice-based cryptography are presented: LWE SAP, Ring-LWE SAP and Module-LWE SAP. These protocols leverage Learning With Errors (LWE) problem to ensure quantum-resistant privacy. Among them, Module-LWE SAP, which is based on the Kyber key encapsulation mechanism, achieves the best performance and outperforms ECPDKSAP by approximately 66.8% in the scan time of the ephemeral public key registry.
## 2025/113
* Title: Post-Quantum Threshold Ring Signature Applications from VOLE-in-the-Head
* Authors: James Hsin-Yu Chiang, Ivan Damgård, William R. Duro, Sunniva Engan, Sebastian Kolby, Peter Scholl
* [Permalink](
https://eprint.iacr.org/2025/113)
* [Download](
https://eprint.iacr.org/2025/113.pdf)
### Abstract
We propose efficient, post-quantum threshold ring signatures constructed from one-wayness of AES encryption and the VOLE-in-the-Head zero-knowledge proof system. Our scheme scales efficiently to large rings and extends the linkable ring signatures paradigm. We define and construct key-binding deterministic tags for signature linkability, that also enable succinct aggregation with approximate lower bound arguments of knowledge; this allows us to achieve succinct aggregation of our signatures without SNARKs. Finally, we extend our threshold ring signatures to realize post-quantum anonymous ledger transactions in the spirit of Monero. Our constructions assume symmetric key primitives only.
Whilst it is common to build post-quantum signatures from the one-wayness property of AES and a post-quantum NIZK scheme, we extend this paradigm to define and construct novel security properties from AES that are useful for advanced signature applications. We introduce key-binding and pseudorandomness of AES to establish linkability and anonymity of our threshold ring signatures from deterministic tags, and similarly establish binding and hiding properties of block ciphers modeled as ideal permutations to build commitments from AES, a crucial building block for our proposed post-quantum anonymous ledger scheme.
## 2025/114
* Title: Better Codes for the HQC Cryptosystem
* Authors: Cyrius Nugier, Jean-Christophe Deneuville
* [Permalink](
https://eprint.iacr.org/2025/114)
* [Download](
https://eprint.iacr.org/2025/114.pdf)
### Abstract
In the HQC cryptosystem, the length $n$ of the code determines several concrete parameters such as the bandwidth usage, the memory consumption, or the decoding efficiency. In this paper, we show that currently known methods to explicitly generate asymptotically good (especially with high relative distances), binary codes with efficient associated procedures cannot be used to improve $n$. We also show that concatenated codes are currently better suited, and by exhausting small codes, find a closer to optimal concatenated code for HQC, which improves upon currently used codes.
## 2025/115
* Title: Signatures with Tight Adaptive Corruptions from Search Assumptions
* Authors: Keitaro Hashimoto, Wakaha Ogata, Yusuke Sakai
* [Permalink](
https://eprint.iacr.org/2025/115)
* [Download](
https://eprint.iacr.org/2025/115.pdf)
### Abstract
We construct the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from classical discrete logarithm, RSA, factoring, or post-quantum group action discrete logarithm assumption. In contrast to our scheme, the previous tightly secure schemes are based on the decisional assumption (e.g., (group action) DDH) or interactive search assumptions (e..g., one-more CDH).
The security of our schemes is independent of the number of users, signing queries, and RO queries, and forging our signatures is as hard as solving the underlying search problem. Our starting point is an identification scheme with multiple secret keys per public key (e.g., Okamoto identification (CRYPTO'92) and parallel-OR identification (CRYPTO'94)). This property allows a reduction to solve a search problem while answering corruption queries for all users in the signature security game. To convert such an identification scheme into a signature scheme tightly, we employ randomized Fischlin's transformation introduced by Kondi and shelat (Asiacrypt 2022) that provides straight-line extraction. Intuitively, the transformation properties guarantee the tight security of our signature scheme in the programmable random oracle model, but we successfully prove its tight security in the non-programmable random oracle model.
## 2025/116
* Title: A Horizontal Attack on the Codes and Restricted Objects Signature Scheme (CROSS)
* Authors: Jonas Schupp, Georg Sigl
* [Permalink](
https://eprint.iacr.org/2025/116)
* [Download](
https://eprint.iacr.org/2025/116.pdf)
### Abstract
CROSS is a post-quantum secure digital signature scheme submitted to NIST’s Call for Additional Signatures which was recently selected for round 2. It features signature and key sizes in the range of SLH-DSA while providing a substantially faster signing operation. Within this work, we provide the first passive side-channel attack on the scheme. The attack recovers the secret key from all except one parameter sets from a single power trace while requiring at maximum two power traces for the R-SDP(G) 1 Fast instance. To successfully mount the attack, we show how to recover the secret key from side-channel information gained from the syndrome computation in CROSS’ identification protocol. We furthermore show how the hypothesis space for the attack can be restricted using information from the published signature.
## 2025/117
* Title: Post-Quantum Online/Offline Signatures
* Authors: Martin R. Albrecht, Nicolas Gama, James Howe, Anand Kumar Narayanan
* [Permalink](
https://eprint.iacr.org/2025/117)
* [Download](
https://eprint.iacr.org/2025/117.pdf)
### Abstract
Post-quantum signatures have high costs compared to RSA and ECDSA, in particular for smart cards. A line of work originating from Even, Goldreich, and Micali (CRYPTO'89) aimed to reduce digital signature latency by splitting up signing into an online and offline phase. The online/offline paradigm combines an ordinary long-term signature scheme with a fast, generally one-time, signature scheme. We reconsider this paradigm in the context of lattice-based post-quantum signatures in the GPV framework, with an example instantiation based on Falcon.
## 2025/118
* Title: How to Prove False Statements: Practical Attacks on Fiat-Shamir
* Authors: Dmitry Khovratovich, Ron D. Rothblum, Lev Soukhanov
* [Permalink](
https://eprint.iacr.org/2025/118)
* [Download](
https://eprint.iacr.org/2025/118.pdf)
### Abstract
The Fiat-Shamir (FS) transform is a prolific and powerful technique for compiling public-coin interactive protocols into non-interactive ones. Roughly speaking, the idea is to replace the random coins of the verifier with the evaluations of a complex hash function.
The FS transform is known to be sound in the random oracle model (i.e., when the hash function is modeled as a totally random function). However, when instantiating the random oracle using a concrete hash function, there are examples of protocols in which the transformation is not sound. So far all of these examples have been contrived protocols that were specifically designed to fail.
In this work we show such an attack for a standard and popular interactive succinct argument, based on the GKR protocol, for verifying the correctness of a non-determinstic bounded-depth computation. For every choice of FS hash function, we show that a corresponding instantiation of this protocol, which was been widely studied in the literature and used also in practice, is not (adaptively) sound when compiled with the FS transform. Specifically, we construct an explicit circuit for which we can generate an accepting proof for a false statement.
We further extend our attack and show that for every circuit $C$ and desired output $y$, we can construct a functionally equivalent circuit $C^*$, for which we can produce an accepting proof that $C^*$ outputs $y$ (regardless of whether or not this statement is true). This demonstrates that any security guarantee (if such exists) would have to depend on the specific implementation of the circuit $C$, rather than just its functionality.
Lastly, we also demonstrate versions of the attack that violate non-adaptive soundness of the protocol -- that is, we generate an attacking circuit that is independent of the underlying cryptographic objects. However, these versions are either less practical (as the attacking circuit has very large depth) or make some additional (reasonable) assumptions on the underlying cryptographic primitives.
## 2025/119
* Title: SoK: PQC PAKEs - Cryptographic Primitives, Design and Security
* Authors: Nouri Alnahawi, David Haas, Erik Mauß, Alexander Wiesmaier
* [Permalink](
https://eprint.iacr.org/2025/119)
* [Download](
https://eprint.iacr.org/2025/119.pdf)
### Abstract
PAKE protocols are used to establish secure communication channels using a relatively short, often human memorable, password for authentication. The currently standardized PAKEs however rely on classical asymmetric (public key) cryptography. Thus, these classical PAKEs may no longer maintain their security, should the expected quantum threat become a reality. Unlike prominent security protocols such as TLS, IKEv2 and VPN, quantum-safe PAKEs did not receive much attention from the ongoing PQC integration efforts. Thus, there is a significant gap in awareness compared to PQC schemes that are subject to the official governmental and institutional standardization processes. In the work at hand, we provide a comprehensive overview of the existing PQC PAKEs focusing on their design rationales, authentication methods and used asymmetric key agreement primitives. We highlight their performance and properties as per their assumed security assurances and practical usage in applications. Moreover, we address PAKE designs that are still non-present in the PQC realm and discuss the possibility of their adaptation. Thus, we offer a detailed reference and derive future work for quantum-safe PAKEs.
## 2025/120
* Title: Module Learning with Errors with Truncated Matrices
* Authors: Katharina Boudgoust, Hannah Keller
* [Permalink](
https://eprint.iacr.org/2025/120)
* [Download](
https://eprint.iacr.org/2025/120.pdf)
### Abstract
The Module Learning with Errors ($\mathsf{MLWE}$) problem is one of the most commonly used hardness assumption in lattice-based cryptography. In its standard version, a matrix $\mathbf{A}$ is sampled uniformly at random over a quotient ring $R_q$, as well as noisy linear equations in the form of $\mathbf{A} \mathbf{s}+ \mathbf{e} \bmod q$, where $\mathbf{s}$ is the secret, sampled uniformly at random over $R_q$, and $\mathbf{e}$ is the error, coming from a Gaussian distribution. Many previous works have focused on variants of $\mathsf{MLWE}$, where the secret and/or the error are sampled from different distributions. Only few works have focused on different distributions for the matrix $\mathbf{A}$. One variant proposed in the literature is to consider matrix distributions where the low-order bits of a uniform $\mathbf{A}$ are deleted.. This seems a natural approach in order to save in bandwidth. We call it truncated $\mathsf{MLWE}$.
In this work, we show that the hardness of standard $\mathsf{MLWE}$ implies the hardness of truncated $\mathsf{MLWE}$, both for search and decision versions. Prior works only covered the search variant and relied on the (module) $\mathsf{NTRU}$ assumption, limitations which we are able to overcome. Overall, we provide two approaches, offering different advantages. The first uses a general Rényi divergence argument, applicable to a wide range of secret/error distributions, but which only works for the search variants of (truncated) $\mathsf{MLWE}$. The second applies to the decision versions, by going through an intermediate variant of $\mathsf{MLWE}$, where additional hints on the secret are given to the adversary. However, the reduction makes use of discrete Gaussian distributions.
## 2025/121
* Title: On symbolic computations over arbitrary commutative rings and cryptography with the temporal Jordan-Gauss graphs.
* Authors: Vasyl Ustimenko
* [Permalink](
https://eprint.iacr.org/2025/121)
* [Download](
https://eprint.iacr.org/2025/121.pdf)
### Abstract
The paper is dedicated to Multivariate Cryptography over general commutative ring K and protocols of symbolic computations for safe delivery of multivariate maps. We consider itera-tive algorithm of generation of multivariate maps of prescribed degree or density with the trapdoor accelerator, i.e. piece of information which allows to compute the reimage of the map in polynomial time.. The concept of Jordan-Gauss temporal graphs is used for the obfus-cation of known graph based public keys and constructions of new cryptosystems. We sug-gest use of the platforms of Noncommutative Cryptography defined in terms of Multivariate Cryptography over K for the conversion of Multivariate Public Keys into El Gamal type Cryptosystems. Some new platforms are introduced.
## 2025/122
* Title: Qelect: Lattice-based Single Secret Leader Election Made Practical
* Authors: Yunhao Wang, Fan Zhang
* [Permalink](
https://eprint.iacr.org/2025/122)
* [Download](
https://eprint.iacr.org/2025/122.pdf)
### Abstract
In a single secret leader election (SSLE) protocol, all parties collectively and obliviously elect one leader. No one else should learn its identity unless it reveals itself as the leader. The problem is first formalized by Boneh \textit{et al.} (AFT'20), which proposes an efficient construction based on the Decision Diffie-Hellman (DDH) assumption. Considering the potential risk of quantum computers, several follow-ups focus on designing a post-quantum secure SSLE protocol based on pure lattices or fully homomorphic encryption. However, no concrete benchmarks demonstrate the feasibility of deploying such heavy cryptographic primitives.
In this work, we present Qelect, the first practical constant-round post-quantum secure SSLE protocol. We first adapt the commitment scheme in Boneh \textit{et al.} (AFT'23) into a \textit{multi-party randomizable commitment} scheme, and propose our novel construction based on an adapted version of ring learning with errors (RLWE) problem. We then use it as a building block and construct a \textit{constant-round} single secret leader election (crSSLE) scheme.. We utilize the single instruction multiple data (SIMD) property of a specific threshold fully homomorphic encryption (tFHE) scheme to evaluate our election circuit efficiently. Finally, we built Qelect from the crSSLE scheme, with performance optimizations including a preprocessing phase to amortize the local computation runtime and a retroactive detection phase to avoid the heavy zero-knowledge proofs during the election phase. Qelect achieves asymptotic improvements and is concretely practical. We implemented a prototype of Qelect and evaluated its performance in a WAN. Qelect is at least two orders of magnitude faster than the state-of-the-art.
## 2025/123
* Title: Falcon on ARM Cortex-M4: an Update
* Authors: Thomas Pornin
* [Permalink](
https://eprint.iacr.org/2025/123)
* [Download](
https://eprint.iacr.org/2025/123.pdf)
### Abstract
This note reports new implementation results for the Falcon signature algorithm on an ARM Cortex-M4 microcontroller. Compared with our previous implementation (in 2019), runtime cost has been about halved.
## 2025/124
* Title: GPU Implementations of Three Different Key-Switching Methods for Homomorphic Encryption Schemes
* Authors: Ali Şah Özcan, Erkay Savaş
* [Permalink](
https://eprint.iacr.org/2025/124)
* [Download](
https://eprint.iacr.org/2025/124.pdf)
### Abstract
In this work, we report on the latest GPU implementations of the three well-known methods for the key switching operation, which is critical for Fully Homomorphic Encryption (FHE). Additionally, for the first time in the literature, we provide implementations of all three methods in GPU for leveled CKKS schemes. To ensure a fair comparison, we employ the most recent GPU implementation of the number-theoretic transform (NTT), which is the most time-consuming operation in key switching, and evaluate the performance across two fully homomorphic schemes: BFV and CKKS. Furthermore, we highlight the advantages and shortcomings of the three methods in the context of leveled HE schemes, and discuss other aspects such as memory requirements. Our GPU implementation is integrated with HEonGPU Library and delivers up to a ×380 improvement in execution time compared to the Microsoft SEAL Library. Since key switching is a specialized form of the external product common in many HE schemes, our results are directly relevant to time-intensive homomorphic operations such as relinearization and rotation. As homomorphic rotation is one of the most dominant operations in bootstrapping, our results are also applicable in bootstrapping algorithms of BFV, BGV and CKKS schemes.
## 2025/125
* Title: A Privacy Model for Classical & Learned Bloom Filters
* Authors: Hayder Tirmazi
* [Permalink](
https://eprint.iacr.org/2025/125)
* [Download](
https://eprint.iacr.org/2025/125.pdf)
### Abstract
The Classical Bloom Filter (CBF) is a class of Probabilistic Data Structures (PDS) for handling Approximate Query Membership (AMQ). The Learned Bloom Filter (LBF) is a recently proposed class of PDS that combines the Classical Bloom Filter with a Learning Model while preserving the Bloom Filter's one-sided error guarantees. Bloom Filters have been used in settings where inputs are sensitive and need to be private in the presence of an adversary with access to the Bloom Filter through an API or in the presence of an adversary who has access to the internal state of the Bloom Filter. Prior work has investigated the privacy of the Classical Bloom Filter providing attacks and defenses under various privacy definitions. In this work, we formulate a stronger differential privacy-based model for the Bloom Filter. We propose constructions of the Classical and Learned Bloom Filter that satisfy $(\epsilon, 0)$-differential privacy. This is also the first work that analyses and addresses the privacy of the Learned Bloom Filter under any rigorous model, which is an open problem.
[digest] 2025 Week 4