[digest] 2025 Week 11

## In this issue

1. [2025/370] Simple Public Key Anamorphic Encryption and ...
2. [2025/377] HiAE: A High-Throughput Authenticated Encryption ...
3. [2025/445] A proof of P≠NP (New symmetric encryption algorithm ...
4. [2025/446] Disincentivize Collusion in Verifiable Secret Sharing
5. [2025/447] Protecting Computations Against Continuous Bounded- ...
6. [2025/448] Ciphertext-Ciphertext Matrix Multiplication: Fast ...
7. [2025/449] Concretely Efficient Correlated Oblivious Permutation
8. [2025/450] Verifiable Decapsulation: Recognizing Faulty ...
9. [2025/451] Analysis of the Telegram Key Exchange
10. [2025/452] Polar Lattice Cryptography
11. [2025/453] Verifiable Secret Sharing Based on Fully Batchable ...
12. [2025/454] Quantum circuit for implementing AES S-box with low ...
13. [2025/455] StaMAC: Fault Protection via Stable-MAC Tags
14. [2025/456] A Democratic Distributed Post-Quantum ...
15. [2025/457] A 10-bit S-box generated by Feistel construction ...
16. [2025/458] CAKE requires programming - On the provable post- ...
17. [2025/459] Privacy and Security of FIDO2 Revisited
18. [2025/460] Achieving Data Reconstruction Hardness and ...
19. [2025/461] Machine-checking Multi-Round Proofs of Shuffle: ...
20. [2025/462] Practical Key Collision on AES and Kiasu-BC
21. [2025/463] Multi-Party Computation in Corporate Data ...
22. [2025/464] SoK: Efficient Design and Implementation of ...
23. [2025/465] zkAML: Zero-knowledge Anti Money Laundering in ...
24. [2025/466] Algebraic Cryptanalysis of Small-Scale Variants of ...
25. [2025/467] PMNS arithmetic for elliptic curve cryptography
26. [2025/468] Optimized Frobenius and Cyclotomic Cubing for ...
27. [2025/469] Practical Semi-Open Chat Groups for Secure ...
28. [2025/470] On Deniable Authentication against Malicious Verifiers
29. [2025/471] A Practical Tutorial on Deep Learning-based Side- ...
30. [2025/472] Quantum Attacks on Sum of Even-Mansour Construction ...
31. [2025/473] Cross-Platform Benchmarking of the FHE Libraries: ...
32. [2025/474] Black-Box Constant-Round Secure 2PC with Succinct ...
33. [2025/475] HammR: A ZKP Protocol for Fixed Hamming-Weight ...
34. [2025/476] A note on "industrial blockchain threshold ...
35. [2025/477] A Note on the Advanced Use of the Tate Pairing
36. [2025/478] Attacking Single-Cycle Ciphers on Modern FPGAs ...
37. [2025/479] Post Quantum Migration of Tor
38. [2025/480] Worst-case Analysis of Lattice Enumeration ...
39. [2025/481] RHQC: post-quantum ratcheted key exchange from ...
40. [2025/482] An Efficient Sequential Aggregate Signature Scheme ...
41. [2025/483] Adaptively Secure Threshold Blind BLS Signatures ...
42. [2025/484] EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP ...
43. [2025/485] Key reconstruction for QC-MDPC McEliece from ...
44. [2025/486] On One-Shot Signatures, Quantum vs Classical ...
45. [2025/487] webSPDZ: Versatile MPC on the Web
46. [2025/488] Exploring General Cyclotomic Rings in Torus-Based ...
47. [2025/489] Translating Between the Common Haar Random State ...
48. [2025/490] PREAMBLE: Private and Efficient Aggregation of ...
49. [2025/491] Blind Brother: Attribute-Based Selective Video ...
50. [2025/492] Endorser Peer Anonymization in Hyperledger Fabric ...
51. [2025/493] Tighter Concrete Security for the Simplest OT
52. [2025/494] Electromagnetic Side-Channel Analysis of PRESENT ...
53. [2025/495] A Security-Enhanced Pairing-Free Certificateless ...
54. [2025/496] Shortcut2Secrets: A Table-based Differential Fault ...
55. [2025/497] Fast Scloud+: A Fast Hardware Implementation for ...
56. [2025/498] Scoop: An Optimizer for Profiling Attacks against ...
57. [2025/499] SCAPEgoat: Side-channel Analysis Library
58. [2025/500] SecurED: Secure Multiparty Edit Distance for ...

## 2025/370

* Title: Simple Public Key Anamorphic Encryption and Signature using Multi-Message Extensions
* Authors: Shalini Banerjee, Tapas Pal, Andy Rupp, Daniel Slamanig
* [Permalink](https://eprint.iacr.org/2025/370)
* [Download](https://eprint.iacr.org/2025/370.pdf)

### Abstract

Anamorphic encryption (AE) considers secure communication in the presence of a powerful surveillant (typically called a ''dictator'') who only allows certain cryptographic primitives and knows all the secret keys in a system. The basic idea is that there is a second (anamorphic) mode of encryption that allows to transmit an anamorphic message using a double key to a receiver that can decrypt this message using a double key. From the point of view of the dictator the encryption keys as well as the ciphertexts in the regular and anamorphic mode are indistinguishable. The most recent works in this field consider public key anamorphic encryption (PKAE), i.e., the sender of an anamorphic message requires an encryption double key (or no key at all) and the receiver requires a decryption double key. Known constructions, however, either work only for schemes that are mostly of theoretical interest or come with conceptual limitations.

In this paper we ask whether we can design such PKAE schemes without such limitations and being closer to PKE schemes used in practice. In fact, such schemes are more likely to be allowed by a cognizant dictator. Moreover, we initiate the study of identity-based anamorphic encryption (IBAE), as the IBE setting seems to be a natural choice for a dictator. For both PKAE and IBAE, we show how well-known IND-CPA and IND-CCA secure primitives can be extended by an anamorphic encryption channel. In contrast to previous work, we additionally consider CCA (rather than just CPA) security notions for the anamorphic channel and also build upon CPA (rather than just CCA) secure PKE.

Finally, we ask whether it is possible to port the recent concept of anamorphic signatures, which considers constructing symmetric anamorphic channels in case only signature schemes are allowed by the dictator, to the asymmetric setting, which we denote by public-key anamorphic signatures (PKAS). Also here we consider security beyond IND-CPA for the anamorphic channel.



## 2025/377

* Title: HiAE: A High-Throughput Authenticated Encryption Algorithm for Cross-Platform Efficiency
* Authors: Han Chen, Tao Huang, Phuong Pham, Shuang Wu
* [Permalink](https://eprint.iacr.org/2025/377)
* [Download](https://eprint.iacr.org/2025/377.pdf)

### Abstract

This paper addresses the critical challenges in designing cryptographic algorithms that achieve both high performance and cross-platform efficiency on ARM and x86 architectures, catering to the demanding requirements of next-generation communication systems, such as 6G and GPU/NPU interconnections. We propose HiAE, a high-throughput authenticated encryption algorithm optimized for performance exceeding 100 Gbps and designed to meet the stringent security requirements of future communication networks. HiAE leverages the stream cipher structure, integrating the AES round function for non-linear diffusion.

Our design achieves exceptional efficiency, with benchmark results from software implementations across various platforms showing over 340 Gbps on x86 processors and 180 Gbps on ARM devices in AEAD mode, making it the fastest AEAD solution on ARM chips and setting a new performance record on the latest x86 processors.



## 2025/445

* Title: A proof of P≠NP (New symmetric encryption  algorithm against any linear attacks and  differential attacks)
* Authors: Gao Ming
* [Permalink](https://eprint.iacr.org/2025/445)
* [Download](https://eprint.iacr.org/2025/445.pdf)

### Abstract

P  vs  NP  problem  is  the   most  important  unresolved  problem  in  the  field  of computational complexity. Its impact has penetrated into all aspects of algorithm design,  especially  in  the  field  of  cryptography.  The  security  of  cryptographic algorithms  based  on  short  keys  depends  on  whether  P  is  equal  to  NP.  In  fact, Shannon  strictly  proved  that  the  one-time-pad  system  meets  unconditional security, but because the one-time-pad system requires the length of key to be at least the length of plaintext, how to transfer the key is a troublesome problem that restricts the use of the one-time-pad system in practice. Cryptography algorithms used  in  practice  are  all  based  on  short  key,  and  the  security  of  the  short  key mechanism is ultimately based on one-way assumption. In fact, the existence of one-way function can directly lead to the important conclusion P≠NP.
In this paper, we originally constructed a short-key block cipher algorithm. The core feature of this algorithm is that for any block, when a plaintext-ciphertext pair is known, any key in the key space is valid, that is, for each block, the plaintext-ciphertext pair and the key are independence, and the independence between blocks is also easy to construct. This feature is completely different from all existing short-key cipher algorithms.
Based on the above feature, we construct a problem and theoretically prove that the  problem  satisfies  the  properties  of  one-way  functions,  thereby  solving  the problem of the existence of one-way functions, that is, directly proving that P≠NP.



## 2025/446

* Title: Disincentivize Collusion in Verifiable Secret Sharing
* Authors: Tiantian Gong, Aniket Kate, Hemanta K. Maji, Hai H. Nguyen
* [Permalink](https://eprint.iacr.org/2025/446)
* [Download](https://eprint.iacr.org/2025/446.pdf)

### Abstract

In verifiable secret sharing (VSS), a dealer shares a secret input among several parties, ensuring each share is verifiable. Motivated by its applications in the blockchain space, we focus on a VSS where parties holding shares are not allowed to reconstruct the dealer's secret (even partially) on their own terms, which we address as privacy-targeted collusion if attempted.

    In this context, our work investigates mechanisms deterring such collusion in VSS among rational and malicious parties. For this problem, we make both algorithmic and combinatorial contributions:
    1. We provide two collusion-deterrent mechanisms to discourage parties from colluding and recovering the dealer's secret. Notably, when it is desired to achieve fairness---where non-colluding parties are not at a loss---while allowing for the best achievable malicious fault tolerance, we define ``trackable access structures'' (TAS) and design a deterrence mechanism tailored for VSS on these structures.
    2. We estimate the size of the optimal TAS, construct them from Steiner systems, provide highly robust TAS using partial Steiner systems, and present efficient secret sharing schemes for the latter close-to-optimal TAS for various parameter regimes.
    3. We demonstrate that trackability in access structures is connected to combinatorial objects like (partial) Steiner systems, uniform subsets with restricted intersections, and appropriate binary codes. The robustness of access structures is equivalent to the minimum vertex cover of hypergraphs.

    We believe these connections between cryptography, game theory, and discrete mathematics will be of broader interest.



## 2025/447

* Title: Protecting Computations Against Continuous Bounded-Communication Leakage
* Authors: Yuval Ishai, Yifan Song
* [Permalink](https://eprint.iacr.org/2025/447)
* [Download](https://eprint.iacr.org/2025/447.pdf)

### Abstract

We consider the question of protecting a general computation device, modeled by a stateful Boolean circuit, against leakage of partial information about its internal wires. Goyal et al. (FOCS 2016) obtained a solution for the case of bounded-communication leakage, where the wires are partitioned into two parts and the leakage can be any function computed using $t$ bits of communication between the parts. However, this solution suffers from two major limitations: (1) it only applies to a one-shot (stateless) computation, mapping an encoded input to an encoded output, and (2) the leakage-resilient circuit consumes fresh random bits, whose number scales linearly with the circuit complexity of the computed function.

In this work, we eliminate the first limitation and make progress on the second. Concretely:
- We present the first construction of stateful circuits that offer information-theoretic protection against continuous bounded-communication leakage. As an application, we extend a two-party ``malware-resilient'' protocol of Goyal et al. to the continuous-leakage case.
- For simple types of bounded-communication leakage, which leak $t$ parities or $t$ disjunctions of circuit wires or their negations, we obtain a deterministic variant that does not require any fresh randomness beyond the randomness in the initial state. Here we get computational security based on a subexponentially secure one-way function. This is the first deterministic leakage-resilient circuit construction for any nontrivial class of global leakage.



## 2025/448

* Title: Ciphertext-Ciphertext Matrix Multiplication: Fast for Large Matrices
* Authors: Jai Hyun Park
* [Permalink](https://eprint.iacr.org/2025/448)
* [Download](https://eprint.iacr.org/2025/448.pdf)

### Abstract

Matrix multiplication of two encrypted matrices (CC-MM) is a key challenge for privacy-preserving machine learning applications. As modern machine learning models focus on scalability, fast CC-MM on large datasets is increasingly in demand.

In this work, we present a CC-MM algorithm for large matrices. The algorithm consists of plaintext matrix multiplications (PP-MM) and ciphertext matrix transpose algorithms (C-MT). We propose a fast C-MT algorithm, which is computationally inexpensive compared to PP-MM. By leveraging high-performance BLAS libraries to optimize PP-MM, we implement large-scale CC-MM with substantial performance improvements. Furthermore, we propose lightweight algorithms, significantly reducing the key size from $1\ 960$ MB to $1.57$ MB for CC-MM with comparable efficiency.

In a single-thread implementation, the C-MT algorithm takes $0.76$ seconds to transpose a $2\ 048\times 2\ 048$ encrypted matrix. The CC-MM algorithm requires $85.2$ seconds to multiply two $4\ 096\times 4\ 096$ encrypted matrices. For large matrices, our algorithm outperforms the state-of-the-art CC-MM method from Jiang-Kim-Lauter-Song [CCS'18] by a factor of over $800$.



## 2025/449

* Title: Concretely Efficient Correlated Oblivious Permutation
* Authors: Feng Han, Xiao Lan, Weiran Liu, Lei Zhang, Hao Ren, Lin Qu, Yuan Hong
* [Permalink](https://eprint.iacr.org/2025/449)
* [Download](https://eprint.iacr.org/2025/449.pdf)

### Abstract

Oblivious permutation (OP) enables two parties, a sender with a private data vector $x$ and a receiver with a private permutation π, to securely obtain the shares of π(x). OP has been used to construct many important MPC primitives and applications such as secret shuffle, oblivious sorting, private set operations, secure database analysis, and privacy-preserving machine learning. Due to its high complexity, OP has become a performance bottleneck in several practical applications, and many efforts have been devoted to enhancing its concrete efficiency. Chase et al. (Asiacrypt'20) proposed an offline-online OP paradigm leveraging a pre-computable resource termed Share Translation. While this paradigm significantly reduces online costs, the substantial offline cost of generating Share Translation remains an area for further investigation.

In this work, we redefine the pre-computable resource as a cryptographic primitive known as Correlated Oblivious Permutation (COP) and conduct in-depth analyses and optimizations of the two COP generation solutions: network-based solution and matrix-based solution. The optimizations for the network-based solution halve the communication/computation cost of constructing a switch (the basic unit of the permutation network) and reduce the number of switches in the permutation network. The optimizations for the matrix-based solution halve the communication cost of small-size COP generation and reduce the cost of large-size COP generation with in-outside permutation decomposition.

We implement our two COP generation protocols and conduct comprehensive evaluations. Taking commonly used 128-bit input data as an example, our network-based and matrix-based solutions are up to 1.7x and 1.6x faster than baseline protocols, respectively.
 We further facilitate the state-of-the-art (SOTA) PSU protocols with our optimized COP, achieving over 25% reduction in communication cost and 35% decrease in execution time. This shows that our COP optimizations bring significant improvements for real-world MPC primitives.



## 2025/450

* Title: Verifiable Decapsulation: Recognizing Faulty Implementations of Post-Quantum KEMs
* Authors: Lewis Glabush, Felix Günther, Kathrin Hövelmanns, Douglas Stebila
* [Permalink](https://eprint.iacr.org/2025/450)
* [Download](https://eprint.iacr.org/2025/450.pdf)

### Abstract

Cryptographic schemes often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the schemes might still function correctly. A prominent instance of such a verification step is the re-encryption check in the Fujisaki-Okamoto (FO) transform that plays a prominent role in the post-quantum key encapsulation mechanisms (KEMs) considered in NIST's PQC standardization process. In KEMs built from FO, decapsulation performs a re-encryption check that is essential for security, but not for functionality. In other words, it will go unnoticed if this essential step is omitted or wrongly implemented, opening the door for key recovery attacks. Notably, such an implementation flaw was present in HQC's reference implementation and was only noticed after 19 months.

In this work, we develop a modified FO transform that binds re-encryption to functionality, ensuring that a faulty implementation which skips re-encryption will be exposed through basic correctness tests. We do so by adapting the "verifiable verification" methodology of Fischlin and Günther (CCS 2023) to the context of FO-based KEMs. More concretely, by exporting an unpredictable confirmation code from the public key encryption and embedding it into the key derivation function, we can confirm that (most of) the re-encryption step was indeed performed during decapsulation. We formalize this concept, establish modified FO transforms, and prove how unpredictable PKE confirmation codes turn into noticeable correctness errors for faulty implementations. We show how to apply this technique to ML-KEM and HQC, both with negligible overhead, by leveraging the entropy lost through ciphertext compression or truncation. We confirm that our approach works through mathematical proofs, as well as experimental data. Our experiments show that the implementation flaw in HQC's reference implementation indeed makes basic test cases when following our approach.



## 2025/451

* Title: Analysis of the Telegram Key Exchange
* Authors: Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen, Igors Stepanovs
* [Permalink](https://eprint.iacr.org/2025/451)
* [Download](https://eprint.iacr.org/2025/451.pdf)

### Abstract

We describe, formally model, and prove the security of Telegram's key exchange protocols for client-server communications. To achieve this, we develop a suitable multi-stage key exchange security model along with pseudocode descriptions of the Telegram protocols that are based on analysis of Telegram's specifications and client source code. We carefully document how our descriptions differ from reality and justify our modelling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis. Along the way, we provide a proof of  IND-CCA security for the variant of RSA-OEAP+ used in Telegram and identify a hypothetical attack exploiting current Telegram server behaviour (which is not captured in our protocol descriptions). Finally, we reflect on the broader lessons about protocol design that can be taken from our work.



## 2025/452

* Title: Polar Lattice Cryptography
* Authors: Gideon Samid
* [Permalink](https://eprint.iacr.org/2025/452)
* [Download](https://eprint.iacr.org/2025/452.pdf)

### Abstract

Presenting a protocol that builds a cryptographic solution which shifts security responsibility from the cipher designer to the cipher user.  The Polar Lattice is a pattern-devoid cryptographic cipher. It is based on a geometric construct -- a polar lattice, on which the letters of a plaintext alphabet A, are presented as two points each letter, so that to transmit a letter the transmitter transmits a randomized pathway, a trail, (ciphertext) that begins at the first point of the transmitted letter and ends at the second point of the transmitted letter; the transmitted pathway is a set of steps on the lattice.. Once a letter is transmitted the next bits on the ciphertext mark the beginning of the pathway that points to the next letter. The size and the geometric construction of the polar lattice are randomized and kept secret. The randomized pathways may be long or short, the attacker does not know how to parcel the ciphertext to individual trails pointing to distinct letters in the plaintext alphabet A. The polar lattice may be implemented algebraically, or geometrically; the lattice may be a physical nano-construct. The polar lattice is very power efficient, very fast. It claims all the attributes associated with pattern devoid cryptography: it allows for only brute force cryptanalysis, which in turn can be defeated through increased ciphertext size, unlimited key size and structure complexity.



## 2025/453

* Title: Verifiable Secret Sharing Based on Fully Batchable Polynomial Commitment for Privacy-Preserving Distributed Computation
* Authors: Xiangyu Kong, Min Zhang, Yu Chen
* [Permalink](https://eprint.iacr.org/2025/453)
* [Download](https://eprint.iacr.org/2025/453.pdf)

### Abstract

Privacy-preserving distributed computation enables a resource-limited client to securely delegate computations on sensitive data to multiple servers by distributing shares of the data.  In such systems, verifiable secret sharing (VSS) is a fundamental component, ensuring secure data distribution and directly impacting the overall performance. The most practical approach to construct VSS is through polynomial commitment (PC), with two main research directions to improve the VSS efficiency. The first focuses on improving the dealer time by designing PC that supports batch evaluation, i.e., generating multiple evaluation$\&$proof pairs in one shot. The second  aims to reduce the broadcast cost by designing PC that supports batch opening, i.e., producing a compact proof for multiple evaluations.

Recently, Zhang et al. (Usenix Security 2022) proposed a transparent PC that supports batch evaluation and obtained a transparent VSS with optimal dealer time. However, their scheme does not support batch opening, leading to high broadcast costs in VSS. To the best of our knowledge, no transparent PC currently supports both batch evaluation and batch opening, thus limiting the performance of existing VSS schemes.

In this paper, we propose a transparent fully batchable polynomial commitment (TFB-PC), that simultaneously supports batch evaluation  and batch opening. Leveraging TFB-PC, we present a VSS scheme with optimal complexity: $O(n\log n)$ dealer time, $O(n)$ participant time and $O(n)$ communication cost. Furthermore, we implement our VSS scheme and compare its performance with Zhang et al.’s VSS
(the naive approach). Results show that our scheme achieves $954\text{-}27,595\times$ reduction in communication cost and a $1,028\text{-}1,155,106\times$ speed up in participant time for $2^{11}$-$2^{21}$ parties.



## 2025/454

* Title: Quantum circuit for implementing AES S-box with low costs
* Authors: Huinan Chen, Binbin Cai, Fei Gao, Song Lin
* [Permalink](https://eprint.iacr.org/2025/454)
* [Download](https://eprint.iacr.org/2025/454.pdf)

### Abstract

Advanced Encryption Standard (AES) is one of the most widely used and extensively studied encryption algorithms globally, which is renowned for its efficiency and robust resistance to attacks. In this paper, three quantum circuits are designed to implement the S-box, which is the sole nonlinear component in AES. By incorporating a linear key schedule, we achieve a quantum circuit for implementing AES with the minimum number of qubits used. As a consequence, only 264/328/398 qubits are needed to implement the quantum circuits for AES-128/192/256. Furthermore, through quantum circuits of the S-box and key schedule, the overall size of the quantum circuit required for Grover's algorithm to attack AES is significantly decreased. This enhancement improves both the security and resource efficiency of AES in a quantum computing environment.



## 2025/455

* Title: StaMAC: Fault Protection via Stable-MAC Tags
* Authors: Siemen Dhooghe, Artemii Ovchinnikov, Dilara Toprakhisar
* [Permalink](https://eprint.iacr.org/2025/455)
* [Download](https://eprint.iacr.org/2025/455.pdf)

### Abstract

Fault attacks pose a significant threat to cryptographic implementations, motivating the development of countermeasures, primarily based on a combination of redundancy and masking techniques. Redundancy, in these countermeasures, is often implemented via duplication or linear codes. However, their inherent structure remains susceptible to strategic fault injections bypassing error checks. To address this, the CAPA countermeasure from CRYPTO 2018 leveraged information-theoretic MAC tags for protection against fault and combined attacks. However, a recent attack has shown that CAPA can only protect against either side-channel analysis or fault attacks, but not both simultaneously, and with significant hardware costs. Its successor, M&M, improves efficiency but lacks protection against ineffective faults.

In this paper, we propose StaMAC, a framework aimed at securely incorporating MAC tags against both side-channel and fault adversaries in a non-combined scenario. We extend the security notions outlined in StaTI from TCHES 2024, and propose the notion of MAC-stability, ensuring fault propagation in masked and MACed circuits, necessitating only a single error check at the end of the computation. Additionally, we show that the stability notion from StaTI is arbitrarily composable (whereas it was previously thought to be only serially composable), making it the first arbitrary composable fault security notion which does not require intermediate error checks or correction. Then, we establish the improved protection of masking combined with MAC tags compared to linear encoding techniques by showing bounds on the advantage considering several fault adversaries: a gate/register faulting adversary, an arbitrary register faulting adversary, and a random register faulting adversary. Then, we show how to transform any probing secure circuit to protect against fault attacks using the proposed MAC-stable gadgets implementing field operations. Finally, we demonstrate StaMAC on an AES implementation, evaluating its security and hardware costs compared to the countermeasures using MAC tags.



## 2025/456

* Title: A Democratic Distributed Post-Quantum Certificateless Encryption Scheme
* Authors: Thomas Prévost, Bruno Martin, Olivier Alibart
* [Permalink](https://eprint.iacr.org/2025/456)
* [Download](https://eprint.iacr.org/2025/456.pdf)

### Abstract

We propose a post-quantum certificateless encryption scheme based on a web of trust instead of a centralized Key Generation Center. Our scheme allows nodes to communicate securely. It is the nodes already present in the network that vote on the acceptance of new nodes, and agree on the shared key. The threshold required for the acceptance of a new node is configurable. Our protocol thus allows to completely operate without the Key Generation Center (or Key Distribution Center).

Our scheme is based on Quasi-Cyclic Moderate Density Parity Check Code McEliece, which is resistant to quantum computer attacks. The voting system uses Shamir secret sharing, coupled with the Kabatianskii-Krouk-Smeets signature scheme, both are also resistant to quantum computer attacks.

We provide a security analysis of our protocol, as well as a formal verification and a proof of concept code.



## 2025/457

* Title: A 10-bit S-box generated by Feistel construction from cellular automata
* Authors: Thomas Prévost, Bruno Martin
* [Permalink](https://eprint.iacr.org/2025/457)
* [Download](https://eprint.iacr.org/2025/457.pdf)

### Abstract

In this paper, we propose a new 10-bit S-box generated from a Feistel construction. The subpermutations are generated by a 5-cell cellular automaton based on a unique well-chosen rule and bijective affine transformations. In particular, the cellular automaton rule is chosen based on empirical tests of its ability to generate good pseudorandom output on a ring cellular automaton. Similarly, Feistel's network layout is based on empirical data regarding the quality of the output S-box.

We perform cryptanalysis of the generated 10-bit S-box: we test the properties of algebraic degree, algebraic complexity, nonlinearity, strict avalanche criterion, bit independence criterion, linear approximation probability, differential approximation probability, differential uniformity and boomerang uniformity of our S-box, and relate them to those of the AES S-box. We find security properties comparable to or sometimes even better than those of the standard AES S-box. We believe that our S-box could be used to replace the 5-bit substitution of ciphers like ASCON.



## 2025/458

* Title: CAKE requires programming - On the provable post-quantum security of (O)CAKE
* Authors: Kathrin Hövelmanns, Andreas Hülsing, Mikhail Kudinov, Silvia Ritsch
* [Permalink](https://eprint.iacr.org/2025/458)
* [Download](https://eprint.iacr.org/2025/458.pdf)

### Abstract

In this work we revisit the post-quantum security of KEM-based password-authenticated key exchange (PAKE), specifically that of (O)CAKE. So far, these schemes evaded a security proof considering quantum adversaries. We give a detailed analysis of why this is the case, determining the missing proof techniques. To this end, we first provide a proof of security in the post-quantum setting, up to a single gap. This proof already turns out to be technically involved, requiring advanced techniques to reason in the QROM, including the compressed oracle and the extractable QROM. To pave the way towards closing the gap, we then further identify an efficient simulator for the ideal cipher. This provides certain programming abilities as a necessary and sufficient condition to close the gap in the proof: we demonstrate that we can close the gap using the simulator, and give a meta-reduction based on KEM-anonymity that shows the impossibility of a non-programming reduction that covers a class of KEMs that includes Kyber / ML-KEM.



## 2025/459

* Title: Privacy and Security of FIDO2 Revisited
* Authors: Manuel Barbosa, Alexandra Boldyreva, Shan Chen, Kaishuo Cheng, Luís Esquível
* [Permalink](https://eprint.iacr.org/2025/459)
* [Download](https://eprint.iacr.org/2025/459.pdf)

### Abstract

We revisit the privacy and security analyses of FIDO2, a widely deployed standard for passwordless authentication on the Web.
We discuss previous works
and conclude that each of them has at least one of the following limitations:
(i) impractical trusted setup assumptions,
(ii) security models that are inadequate in light of state of the art of practical attacks,
(iii) not analyzing FIDO2 as a whole, especially for its privacy guarantees.
Our work addresses these gaps and proposes revised security models for privacy and authentication. Equipped with our new models, we analyze FIDO2 modularly and focus on its component protocols, WebAuthn and CTAP2, clarifying their exact security guarantees.
In particular, our results, for the first time, establish privacy guarantees for FIDO2 as a whole.
Furthermore, we suggest minor modifications that can help FIDO2 provably meet stronger privacy and authentication definitions and withstand known and novel attacks.



## 2025/460

* Title: Achieving Data Reconstruction Hardness and Efficient Computation in Multiparty Minimax Training
* Authors: Truong Son Nguyen, Yi Ren, Guangyu Nie, Ni Trieu
* [Permalink](https://eprint.iacr.org/2025/460)
* [Download](https://eprint.iacr.org/2025/460.pdf)

### Abstract

Generative models have achieved remarkable success in a wide range of applications. Training such models using proprietary data from multiple parties has been studied in the realm of federated learning. Yet recent studies showed that reconstruction of authentic training data can be achieved in such settings..
On the other hand, multiparty computation (MPC) guarantees standard data privacy, yet scales poorly for training generative models.
In this paper, we focus on improving reconstruction hardness during Generative Adversarial Network (GAN) training while keeping the training cost tractable. To this end, we explore two training protocols that use a public generator and an MPC discriminator: Protocol 1 (P1) uses a fully private discriminator, while Protocol 2 (P2) privatizes the first three discriminator layers. We prove reconstruction hardness for P1 and P2 by showing that (1) a public generator does not allow recovery of authentic training data, as long as the first two layers of the discriminator are private; and through an existing approximation hardness result on ReLU networks, (2) a discriminator with at least three private layers does not allow authentic data reconstruction with algorithms polynomial in network depth and size. We show empirically that compared with fully MPC training, P1 reduces the training time by $2\times$ and P2 further by $4-16\times$.



## 2025/461

* Title: Machine-checking Multi-Round Proofs of Shuffle: Terelius-Wikstrom and Bayer-Groth
* Authors: Thomas Haines, Rajeev Goré, Mukesh Tiwari
* [Permalink](https://eprint.iacr.org/2025/461)
* [Download](https://eprint.iacr.org/2025/461.pdf)

### Abstract

Shuffles are used in electronic voting in much the same way physical ballot boxes are used in paper systems: (encrypted) ballots are input into the shuffle and (encrypted) ballots are output in a random order, thereby breaking the link between voter identities and ballots. To guarantee that no ballots are added, omitted or altered, zero-knowledge proofs, called proofs of shuffle, are used to provide publicly verifiable transcripts that prove that the outputs are a re-encrypted permutation of the inputs. The most prominent proofs of shuffle, in practice, are those due to Terelius and
Wikström (TW), and Bayer and Groth (BG). TW is simpler whereas BG is more efficient, both in terms of bandwidth and computation. Security for the simpler (TW) proof of shuffle has already been machine-checked but several prominent vendors insist on using the more complicated BG proof of shuffle. Here, we machine-check the security of the Bayer-Groth proof of shuffle via the Coq proof-assistant. We then extract the verifier (software) required to check the transcripts produced by Bayer-Groth implementations and use it to check transcripts from the Swiss Post evoting
system under development for national elections in Switzerland.



## 2025/462

* Title: Practical Key Collision on AES and Kiasu-BC
* Authors: Jianqiang Ni, Yingxin Li, Fukang Liu, Gaoli Wang
* [Permalink](https://eprint.iacr.org/2025/462)
* [Download](https://eprint.iacr.org/2025/462.pdf)

### Abstract

The key collision attack was proposed as an open problem in key-committing security in Authenticated Encryption (AE) schemes like $\texttt{AES-GCM}$ and $\texttt{ChaCha20Poly1305}$. In ASIACRYPT 2024, Taiyama et al. introduce a novel type of key collision—target-plaintext key collision ($\texttt{TPKC}$) for $\texttt{AES}$. Depending on whether the plaintext is fixed, $\texttt{TPKC}$ can be divided into $\texttt{fixed-TPKC}$ and $\texttt{free-TPKC}$, which can be directly converted into collision attacks and semi-free-start collision attacks on the Davies-Meyer ($\texttt{DM}$) hashing mode.
  In this paper, we propose a new rebound attack framework leveraging a time-memory tradeoff strategy, enabling practical key collision attacks with optimized complexity. We also present an improved automatic method for finding \textit{rebound-friendly} differential characteristics by controlling the probabilities in the inbound and outbound phases, allowing the identified characteristics to be directly used in $\textit{rebound-based}$ key collision attacks. Through our analysis, we demonstrate that the 2-round $\texttt{AES-128}$ $\texttt{fixed-TPKC}$ attack proposed by Taiyama et al. is a $\texttt{free-TPKC}$ attack in fact, while $\texttt{fixed-TPKC}$ attacks are considerably more challenging than $\texttt{free-TPKC}$ attacks. By integrating our improved automatic method with a new rebound attack framework, we successfully identify a new differential characteristic for the 2-round $\texttt{AES-128}$ $\texttt{fixed-TPKC}$ attack and develope the first practical $\texttt{fixed-TPKC}$ attack against 2-round $\texttt{AES-128}$. Additionally, we present practical $\texttt{fixed-TPKC}$ attacks against 5-round $\texttt{AES-192}$ and 3-round $\texttt{Kiasu-BC}$, along with a practical $\texttt{free-TPKC}$ attack against 6-round $\texttt{Kiasu-BC}$. Furthermore, we reduce time complexities for $\texttt{free-TPKC}$ and $\texttt{fixed-TPKC}$ attacks on other $\texttt{AES}$ variants.



## 2025/463

* Title: Multi-Party Computation in Corporate Data Processing: Legal and Technical Insights
* Authors: Sebastian Becker, Christoph Bösch, Benjamin Hettwer, Thomas Hoeren, Merlin Rombach, Sven Trieflinger, Hossein Yalame
* [Permalink](https://eprint.iacr.org/2025/463)
* [Download](https://eprint.iacr.org/2025/463.pdf)

### Abstract

This paper examines the deployment of Multi-Party Computation (MPC) in corporate data processing environments, focusing on its legal and technical implications under the European Union’s General Data Protection Regulation (GDPR). By combining expertise in cryptography and legal analysis, we address critical questions necessary for assessing the suitability of MPC for real-world applications. Our legal evaluation explores the conditions under which MPC qualifies as an anonymizing approach under GDPR, emphasizing the architectural requirements, such as the distribution of control among compute parties, to minimize re-identification risks effectively. The assertions put forth in the legal opinion are validated by two distinct assessments conducted independently.

We systematically answer key regulatory questions, demonstrating that a structured legal assessment is indispensable for organizations aiming to adopt MPC while ensuring compliance with privacy laws. In addition, we complement this analysis with a practical implementation of privacy-preserving analytics using Carbyne Stack, a cloud-native open-source platform for scalable MPC applications, which integrates the MP-SPDZ framework as its backend. We benchmark SQL queries under various security models to evaluate scalability and efficiency.



## 2025/464

* Title: SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields
* Authors: Jean Paul Degabriele, Jan Gilcher, Jérôme Govinden, Kenneth G. Paterson
* [Permalink](https://eprint.iacr.org/2025/464)
* [Download](https://eprint.iacr.org/2025/464.pdf)

### Abstract

Poly1305 is a widely-deployed polynomial hash function. The rationale behind its design was laid out in a series of papers by Bernstein, the last of which dates back to 2005. As computer architectures evolved, some of its design features became less relevant, but implementers found new ways of exploiting these features to boost its performance. However, would we still converge to this same design if we started afresh with today's computer architectures and applications? To answer this question, we gather and systematize a body of knowledge concerning polynomial hash design and implementation that is spread across research papers, cryptographic libraries, and developers' blogs. We develop a framework to automate the validation and benchmarking of the ideas that we collect. This approach leads us to five new candidate designs for polynomial hash functions. Using our framework, we generate and evaluate different implementations and optimization strategies for each candidate. We obtain substantial improvements over Poly1305 in terms of security and performance. Besides laying out the rationale behind our new designs, our paper serves as a reference for efficiently implementing polynomial hash functions, including Poly1305.



## 2025/465

* Title: zkAML: Zero-knowledge Anti Money Laundering in Smart Contracts with whitelist approach
* Authors: Donghwan Oh, Semin Han, Jihye Kim, Hyunok Oh, Jiyeal Chung, Jieun Lee, Hee-jun Yoo, Tae wan Kim
* [Permalink](https://eprint.iacr.org/2025/465)
* [Download](https://eprint.iacr.org/2025/465.pdf)

### Abstract

In the interconnected global financial system, anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations are indispensable for safeguarding financial integrity. However, while illicit transactions constitute only a small fraction of overall financial activities, traditional AML/CFT frameworks impose uniform compliance burdens on all users, resulting in inefficiencies, transaction delays, and privacy concerns.
These issues stem from the institution-centric model, where financial entities independently conduct compliance checks, resulting in repeated exposure of personally identifiable information (PII) and operational bottlenecks.
To address these challenges, we introduce \textsf{zkAML}, a cryptographic framework that offers a novel approach to AML/CFT compliance. By leveraging zero-knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) proofs, \textsf{zkAML}~enables users to cryptographically demonstrate their regulatory compliance without revealing sensitive personal information. This approach eliminates redundant identity checks, streamlines compliance procedures, and enhances transaction efficiency while preserving user privacy.
We implement and evaluate \textsf{zkAML}~on a blockchain network to demonstrate its practicality. Our experimental results show that \textsf{zkAML}~achieves 55 transactions per second (TPS) on a public network and 324 TPS on a private network. The zk-SNARK proof generation times are $226.59$ms for senders and $215.76$ms for receivers, with a constant verification time of $1.47$ms per transaction. These findings highlight \textsf{zkAML}'s potential as a privacy-preserving and regulation-compliant solution for modern financial systems.



## 2025/466

* Title: Algebraic Cryptanalysis of Small-Scale Variants of Stream Cipher E0
* Authors: Jan Dolejš, Martin Jureček
* [Permalink](https://eprint.iacr.org/2025/466)
* [Download](https://eprint.iacr.org/2025/466.pdf)

### Abstract

This study explores the algebraic cryptanalysis of small-scale variants of the E0 stream cipher, a legacy cipher used in the Bluetooth protocol. By systematically reducing the size of the linear feedback shift registers (LFSRs) while preserving the cipher’s core structure, we investigate the relationship between the number of unknowns and the number of consecutive keystream bits required to recover the internal states of the LFSRs. Our work demonstrates an approximately linear relationship between the number of consecutive keystream bits and the size of small-scale E0 variants, as indicated by our experimental results. To this end, we utilize two approaches: the computation of Gröbner bases using Magma’s F4 algorithm and the application of CryptoMiniSat’s SAT solver. Our experimental results show that increasing the number of keystream bits significantly improves computational efficiency, with the F4 algorithm achieving a speedup of up to 733× when additional equations are supplied. Furthermore, we verify the non-existence of equations of degree four or lower for up to seven consecutive keystream bits, and the non-existence of equations of degree three or lower for up to eight consecutive keystream bits, extending prior results on the algebraic properties of E0.



## 2025/467

* Title: PMNS arithmetic for elliptic curve cryptography
* Authors: Fangan Yssouf Dosso, Sylvain Duquesne, Nadia El Mrabet, Emma Gautier
* [Permalink](https://eprint.iacr.org/2025/467)
* [Download](https://eprint.iacr.org/2025/467.pdf)

### Abstract

We show that using a polynomial representation of prime field elements (PMNS) can be relevant for real-world cryptographic applications even in terms of performance. More specifically, we consider elliptic curves for cryptography when pseudo-Mersenne primes cannot be used to define the base field (e.g. Brainpool standardized curves, JubJub curves in the zkSNARK context, pairing-friendly curves). All these primitives make massive use of the Montgomery reduction algorithm and well-known libraries such as GMP or OpenSSL for base field arithmetic. We show how this arithmetic can be advantageously replaced by a polynomial representation of the number that can be easily parallelized, avoids carry propagation, and allows randomization process. We provide good PMNS basis in the cryptographic context mentioned above, together with a C-implementation that is competitive or faster than GMP and OpenSSL for performing basic operations in the base fields considered. We also integrate this arithmetic into the Rust reference implementation of elliptic curve scalar multiplication for Zero-knowledge applications, and achieve better practical performances for such protocols. This shows that PMNS is an attractive alternative for the base field arithmetic layer in cryptographic primitives using elliptic curves or pairings.



## 2025/468

* Title: Optimized Frobenius and Cyclotomic Cubing for Enhanced Pairing Computation
* Authors: Leila Ben Abdelghani, Nadia El Mrabet, Loubna Ghammam, Lina Mortajine
* [Permalink](https://eprint.iacr.org/2025/468)
* [Download](https://eprint.iacr.org/2025/468.pdf)

### Abstract

Efficient implementation of a pairing-based cryptosystem relies on high-performance arithmetic in finite fields $\mathbb{F}_{p}$ and their extensions $\mathbb{F}_{p^k}$, where $k$ is the embedding degree. A small embedding degree is crucial because part of the arithmetic for pairing computation occurs in $\mathbb{F}_{{p}^k}$ and includes operations such as squaring, multiplication, and Frobenius operations.
In this paper, we present a fast and efficient method for computing the Frobenius endomorphism and its complexity. Additionally, we introduce an improvement in the efficiency of cyclotomic cubing operations for several pairing-friendly elliptic curves, which are essential for the calculation of Tate pairing and its derivatives.



## 2025/469

* Title: Practical Semi-Open Chat Groups for Secure Messaging Applications
* Authors: Alex Davidson, Luiza Soezima, Fernando Virdia
* [Permalink](https://eprint.iacr.org/2025/469)
* [Download](https://eprint.iacr.org/2025/469.pdf)

### Abstract

Chat groups in secure messaging applications such as Signal, Telegram, and Whatsapp are nowadays used for rapid and widespread dissemination of information to large groups of people. This is common even in sensitive contexts, associated with the organisation of protests, activist groups, and internal company dialogues. Manual administration of who has access to such groups quickly becomes infeasible, in the presence of hundreds or thousands of members.

We construct a practical, privacy-preserving reputation system, that automates the approval of new group members based on their reputation amongst the existing membership. We demonstrate security against malicious adversaries in a single-server model, with no further trust assumptions required. Furthermore, our protocol supports arbitrary reputation calculations while almost all group members are offline (as is likely). In addition, we demonstrate the practicality of the approach via an open-source implementation. For groups of size 50 (resp. 200), an admission process on a user that received 40 (resp. 80) scores requires 1312.2 KiB (resp. 5239.4 KiB) of communication, and 3.3s (resp. 16.3s) of overall computation on a single core. While our protocol design matches existing secure messaging applications, we believe it can have value in distributed reputation computation beyond this problem setting.



## 2025/470

* Title: On Deniable Authentication against Malicious Verifiers
* Authors: Rune Fiedler, Roman Langrehr
* [Permalink](https://eprint.iacr.org/2025/470)
* [Download](https://eprint.iacr.org/2025/470.pdf)

### Abstract

Deniable authentication allows Alice to authenticate a message to Bob, while retaining deniability towards third parties. In particular, not even Bob can convince a third party that Alice authenticated that message. Clearly, in this setting Bob should not be considered trustworthy. Furthermore, deniable authentication is necessary for deniable key exchange, as explicitly desired by Signal and off-the-record (OTR) messaging.

In this work we focus on (publicly verifiable) designated verifier signatures (DVS), which are a widely used primitive to achieve deniable authentication. We propose a definition of deniability against malicious verifiers for DVS. We give a construction that achieves this notion in the random oracle (RO) model. Moreover, we show that our notion is not achievable in the standard model with a concrete attack; thereby giving a non-contrived example of the RO heuristic failing.

All previous protocols that claim to achieve deniable authentication against malicious verifiers (like Signal's initial handshake protocols X3DH and PQXDH) rely on the Extended Knowledge of Diffie–Hellman (EKDH) assumption. We show that this assumption is broken and that these protocols do not achieve deniability against malicious verifiers.



## 2025/471

* Title: A Practical Tutorial on Deep Learning-based Side-channel Analysis
* Authors: Sengim Karayalcin, Marina Krcek, Stjepan Picek
* [Permalink](https://eprint.iacr.org/2025/471)
* [Download](https://eprint.iacr.org/2025/471.pdf)

### Abstract

This tutorial provides a practical introduction to Deep Learning-based Side-Channel Analysis (DLSCA), a powerful approach for evaluating the security of cryptographic implementations.
Leveraging publicly available datasets and a Google Colab service, we guide readers through the fundamental steps of DLSCA, offering clear explanations and code snippets.
We focus on the core DLSCA framework, providing references for more advanced techniques, and address the growing interest in this field driven by emerging standardization efforts like AIS 46. This tutorial is designed to be accessible to researchers, students, and practitioners seeking to learn practical DLSCA techniques and improve the security of cryptographic systems.



## 2025/472

* Title: Quantum Attacks on  Sum of Even-Mansour Construction Utilizing Online Classical Queries
* Authors: Zhenqiang Li, Shuqin Fan, Fei Gao, Yonglin Hao, Hongwei Sun, Xichao Hu, Dandan Li
* [Permalink](https://eprint.iacr.org/2025/472)
* [Download](https://eprint.iacr.org/2025/472.pdf)

### Abstract

The Sum of Even-Mansour (SoEM) construction, proposed by Chen et al. at Crypto 2019,  has become the basis for designing some symmetric schemes, such as
 the nonce-based MAC scheme $\text{nEHtM}_{p}$ and the nonce-based encryption scheme $\text{CENCPP}^{\ast}$.  In this paper, we make the first attempt to study the quantum security of SoEM under the Q1  model where the targeted encryption oracle can only respond to classical queries rather than quantum ones.
Firstly, we propose a quantum key recovery attack on SoEM21 with a time complexity of $\tilde{O}(2^{n/3})$ along with $O(2^{n/3})$ online classical queries. Compared with the current best classical result which requires $O(2^{2n/3})$, our method offers a quadratic  time  speedup while maintaining the same number of queries. The time complexity of our attack is less than that observed for quantum exhaustive search by a factor of $2^{n/6}$.  We further propose classical and quantum key recovery attacks on  the generalized SoEMs1 construction (consisting of $s\geq 2$  independent public permutations), revealing that the application of quantum algorithms can provide a quadratic acceleration  over the pure classical methods. Our results also imply that the quantum security of SoEM21 cannot be strengthened merely by increasing  the number of permutations.



## 2025/473

* Title: Cross-Platform Benchmarking of the FHE Libraries: Novel Insights into SEAL and OpenFHE
* Authors: Faneela, Jawad Ahmad, Baraq Ghaleb, Sana Ullah Jan, William J Buchanan
* [Permalink](https://eprint.iacr.org/2025/473)
* [Download](https://eprint.iacr.org/2025/473.pdf)

### Abstract

The rapid growth of cloud computing and data-driven applications has amplified privacy concerns, driven by the increasing demand to process sensitive data securely. Homomorphic encryption (HE) has become a vital solution for addressing these concerns by enabling computations on encrypted data without revealing its contents. This paper provides a comprehensive evaluation of two leading HE libraries, SEAL and OpenFHE, examining their performance, usability, and support for prominent HE schemes such as BGV and CKKS.   Our analysis highlights computational efficiency, memory usage, and scalability across Linux and Windows platforms, emphasizing their applicability in real-world scenarios. Results reveal that Linux outperforms Windows in computation efficiency, with OpenFHE emerging as the optimal choice across diverse cryptographic settings. This paper provides valuable insights for researchers and practitioners to advance privacy-preserving applications using FHE.



## 2025/474

* Title: Black-Box Constant-Round Secure 2PC with Succinct Communication
* Authors: Michele Ciampi, Ankit Kumar Misra, Rafail Ostrovsky, Akash Shah
* [Permalink](https://eprint.iacr.org/2025/474)
* [Download](https://eprint.iacr.org/2025/474.pdf)

### Abstract

The most fundamental performance metrics of secure multi-party computation (MPC) protocols are related to the number of messages the parties exchange (i.e.., round complexity), the size of these messages (i.e., communication complexity), and the overall computational resources required to execute the protocol (i.e., computational complexity). Another quality metric of MPC protocols is related to the black-box or non-black-box use of the underlying cryptographic primitives. Indeed, the design of black-box MPC protocols, other than being of theoretical interest, usually can lead to protocols that have better computational complexity.
  
   In this work, we aim to optimize the round and communication complexity of black-box secure multi-party computation in the plain model, by designing a constant-round two-party computation protocol in the malicious setting, whose communication complexity is only polylogarithmic in the size of the function being evaluated.
   We successfully design such a protocol, having only black-box access to fully homomorphic encryption, trapdoor permutations, and hash functions. To the best of our knowledge, our protocol is the first to make black-box use of standard cryptographic primitives while achieving almost asymptotically optimal communication and round complexity.



## 2025/475

* Title: HammR: A ZKP Protocol for Fixed Hamming-Weight Restricted-Entry Vectors
* Authors: Felice Manganiello, Freeman Slaughter
* [Permalink](https://eprint.iacr.org/2025/475)
* [Download](https://eprint.iacr.org/2025/475.pdf)

### Abstract

In this paper, we introduce $\mathsf{HammR}$, a generic Zero-Knowledge Proof (ZKP) protocol demonstrating knowledge of a secret vector that has a fixed Hamming weight with entries taken from a shifted multiplicative group.
    As special cases, we are able to directly apply this protocol to restricted vectors and to rank-1 vectors, which are vectors with entries that lie in a dimension one subspace of $\mathbb{F}_q$.
    We show that these proofs can be batched with low computational overhead, and further prove that this general framework is complete, sound, and zero-knowledge, thus truly a genuine ZKP.
    Finally, we present applications of $\mathsf{HammR}$ to various Syndrome Decoding Problems, including the Regular and Restricted SDPs, as well as other implementations such as lookup instances, proof of proximity, and electronic voting protocols.



## 2025/476

* Title: A note on "industrial blockchain threshold signatures in federated learning for unified space-air-ground-sea model training"
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](https://eprint.iacr.org/2025/476)
* [Download](https://eprint.iacr.org/2025/476.pdf)

### Abstract

We show that the threshold signature scheme [J. Ind. Inf. Integr. 39: 100593 (2024)] is insecure against forgery attack.  An adversary can find an efficient signing algorithm functionally equivalent to the valid signing algorithm, so as to convert the legitimate signature $(sig, s, r_x)$ of message $m$ into a valid signature $(sig, s, r_x')$ of any message $m'$.



## 2025/477

* Title: A Note on the Advanced Use of the Tate Pairing
* Authors: Krijn Reijnders
* [Permalink](https://eprint.iacr.org/2025/477)
* [Download](https://eprint.iacr.org/2025/477.pdf)

### Abstract

This short note explains how the Tate pairing can be used to efficiently sample torsion points with precise requirements, and other applications. These applications are most clearly explained on Montgomery curves, using the Tate pairing of degree 2, but hold more generally for any degree or abelian variety, or even generalized Tate pairings. This note is explanatory in nature; it does not contain new results, but aims to provide a clear and concise explanation of results in the literature that are somewhat hidden, yet are extremely useful in practical isogeny-based cryptography.



## 2025/478

* Title: Attacking Single-Cycle Ciphers on Modern FPGAs featuring Explainable Deep Learning
* Authors: Mustafa Khairallah, Trevor Yap
* [Permalink](https://eprint.iacr.org/2025/478)
* [Download](https://eprint.iacr.org/2025/478.pdf)

### Abstract

In this paper, we revisit the question of key recovery using side-channel analysis for unrolled, single-cycle block ciphers. In particular, we study the Princev2 cipher. While it has been shown vulnerable in multiple previous studies, those studies were performed on side-channel friendly ASICs or older FPGAs (e.g., Xilinx Virtex II on the SASEBO-G board), and using mostly expensive equipment. We start with the goal of exploiting a cheap modern FPGA and board using power traces from a cheap oscilloscope. Particularly, we use Xilinx Artix 7 on the Chipwhisperer CW305 board and PicoScope 5000A, respectively.

We split our study into three parts. First, we show that the new set-up still exhibits easily detectable leakage, using a non-specific t-test. Second, we replicate attacks from older FPGAs. Namely, we start with the attack by Yli-Mäyry et al., which is a simple chosen plaintext correlation power analysis attack using divide and conquer. However, we demonstrate that even this simple, powerful attack does not work, demonstrating a peculiar behavior. We study this behavior using a stochastic attack that attempts to extract the leakage model, and we show that models over a small part of the state are inconsistent and depend on more key bits than what is expected. We also attempt classical template attacks and get similar results.

To further exploit the leakage, we employ deep learning techniques and succeed in key recovery, albeit using a large number of traces. We perform the explainability technique called Key Guessing Occlusion (KGO) to detect which points the neural networks exploit. When we use these points as features for the classical template attack, although it did not recover the secret key, its performance improves compared to other feature selection techniques.



## 2025/479

* Title: Post Quantum Migration of Tor
* Authors: Denis Berger, Mouad Lemoudden, William J Buchanan
* [Permalink](https://eprint.iacr.org/2025/479)
* [Download](https://eprint.iacr.org/2025/479.pdf)

### Abstract

Shor's and Grover's algorithms' efficiency and the advancement of quantum computers imply that the cryptography used until now to protect one's privacy is potentially vulnerable to retrospective decryption, also known as harvest now, decrypt later attack in the near future. This dissertation proposes an overview of the cryptographic schemes used by Tor, highlighting the non-quantum-resistant ones and introducing theoretical performance assessment methods of a local Tor network. The measurement is divided into three phases. We will start with benchmarking a local Tor network simulation on constrained devices to isolate the time taken by classical cryptography processes. Secondly, the analysis incorporates existing benchmarks of quantum-secure algorithms and compares these performances on the devices. Lastly, the estimation of overhead is calculated by replacing the measured times of traditional cryptography with the times recorded for Post Quantum Cryptography (PQC) execution within the specified Tor environment. By focusing on the replaceable cryptographic components, using theoretical estimations, and leveraging existing benchmarks, valuable insights into the potential impact of PQC can be obtained without needing to implement it fully.



## 2025/480

* Title: Worst-case Analysis of Lattice Enumeration Algorithm over Modules
* Authors: Jiseung Kim, Changmin Lee, Yongha Son
* [Permalink](https://eprint.iacr.org/2025/480)
* [Download](https://eprint.iacr.org/2025/480.pdf)

### Abstract

This paper presents a systematic study of module lattices. We extend the lattice enumeration algorithm from Euclidean lattices to module lattices, providing a generalized framework. 
To incorporate the refined analysis by Hanrot and Stehlè (CRYPTO'07), we adapt key definitions from Euclidean lattices, such as HKZ-reduced bases and quasi-HKZ-reduced bases, adapting them to the pseudo-basis of modules. 

Furthermore, we revisit the lattice profile, a crucial aspect of enumeration algorithm analysis, and extend its analysis to module lattices. 
As a result, we improve the asymptotic performance of the module lattice enumeration algorithm and module-SVP. 

For instance, let $K = \mathbb{Q}[x]/\langle x^d + 1\rangle$ be a number field with a power-of-two integer $d$, and suppose that $n\ln n = o(\ln d)$. 
Then, the nonzero shortest vector in $M \subset K^n$ can be found in time $d^{\frac{d}{2e} + o(d)}$, improving upon the previous lattice enumeration bound of $(nd)^{\frac{nd}{2e}+ o(nd)}$. 

Our algorithm naturally extends to solving ideal-SVP. Given an ideal $I \subset R$, where $R = \mathbb{Z}[x]/\langle x^t + 1 \rangle$ with a power-of-two integer $t = nd$, we can find the nonzero shortest element of $I$ in time $\exp(O(\frac{t}{2e} \ln \ln t))$, improving upon the previous enumeration bound of $\exp(O(\frac{t}{2e} \ln t))$.



## 2025/481

* Title: RHQC: post-quantum ratcheted key exchange from coding assumptions
* Authors: Julien Juaneda, Marina Dehez-Clementi, Jean-Christophe Deneuville, Jérôme Lacan
* [Permalink](https://eprint.iacr.org/2025/481)
* [Download](https://eprint.iacr.org/2025/481.pdf)

### Abstract

Key Exchange mechanisms (KE or KEMs) such as the Diffie-Hellman protocol have proved to be a cornerstone conciliating the efficiency of symmetric encryption and the practicality of public key primitives.
    Such designs however assume the non-compromission of the long term asymmetric key in use. To relax this strong security assumption, and allow for modern security features such as Perfect Forward Secrecy (PFS) or Post Compromise Security (PCS), Ratcheted-KE (RKE) have been proposed.
    This work proposes to turn the Hamming Quasi-Cyclic (HQC) cryptosystem into such a Ratcheted-KE, yielding the first code-based such construction.
    Interestingly, our design allows indifferently one party to update the key on-demand rather than the other, yielding a construction called bi-directional RKE, which compares favorably to generic transformations.
    Finally, we prove that the resulting scheme satisfies the usual correctness and key-indistinguishability properties, and suggest concrete sets of parameters, assuming different real-life use cases.



## 2025/482

* Title: An Efficient Sequential Aggregate Signature Scheme with Lazy Verification
* Authors: Arinjita Paul, Sabyasachi Dutta, Kouichi Sakurai, C. Pandu Rangan
* [Permalink](https://eprint.iacr.org/2025/482)
* [Download](https://eprint.iacr.org/2025/482.pdf)

### Abstract

A sequential aggregate signature scheme (SAS) allows multiple potential signers to sequentially aggregate their respective signatures into a single compact signature. Typically, verification of a SAS signatures requires access to all messages and public key pairs utilized in the aggregate generation. However, efficiency is crucial for cryptographic protocols to facilitate their practical implementation. To this end, we propose a sequential aggregate signature scheme with lazy verification for a set of user-message pairs, allowing the verification algorithm to operate without requiring access to all messages and public key pairs in the sequence. This construction is based on the RSA assumption in the random oracle model and is particularly beneficial in resource constrained applications that involve forwarding of authenticated information between parties, such as certificate chains. As an extension of this work, we introduce the notion of sequentially aggregatable proxy re-signatures that enables third parties or proxies to transform aggregatable signatures under one public key to another, useful in applications such as sharing web certificates and authentication of network paths. We also present a construction of a sequential aggregate proxy re-signature scheme, secure in the random oracle model, based on the RSA assumption, which may be of independent interest.



## 2025/483

* Title: Adaptively Secure Threshold Blind BLS Signatures and Threshold Oblivious PRF
* Authors: Stanislaw Jarecki, Phillip Nazarian
* [Permalink](https://eprint.iacr.org/2025/483)
* [Download](https://eprint.iacr.org/2025/483.pdf)

### Abstract

We show the first threshold blind signature scheme and threshold Oblivious PRF (OPRF) scheme which remain secure in the presence of an adaptive adversary, who can adaptively decide which parties to corrupt throughout the lifetime of the scheme.  Moreover, our adaptively secure schemes preserve the minimal round complexity and add only a small computational overhead over prior solutions that offered security only for a much less realistic static adversary, who must choose the subset of corrupted parties before initializing the protocol.

Our threshold blind signature scheme computes standard BLS signatures while our threshold OPRF computes a very efficient "2HashDH" OPRF [JKK14].  We prove adaptive security of both schemes in the Algebraic Group Model (AGM).  Our adaptively secure threshold schemes are as practical as the underlying standard single-server BLS blind signature and 2HashDH OPRF, and they can be used to add cryptographic fault-tolerance and decentralize trust in any system that relies on blind signatures, like anonymous credentials and e-cash, or on OPRF, like the OPAQUE password authentication and the Privacy Pass anonymous authentication scheme, among many others.



## 2025/484

* Title: EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP Redaction
* Authors: Rui Guo, M Sazadur Rahman, Jingbo Zhou, Hadi M Kamali, Fahim Rahman, Farimah Farahmandi, Mark Tehranipoor
* [Permalink](https://eprint.iacr.org/2025/484)
* [Download](https://eprint.iacr.org/2025/484.pdf)

### Abstract

Hardware obfuscation is an active trustworthy design technique targeting threats in the IC supply chain, such as IP piracy and overproduction. Recent research on Intellectual Property (IP) protection technologies suggests that using embedded reconfigurable components (e.g., eFPGA redaction) could be a promising approach to hide the functional and structural information of security-critical designs. However, such techniques suffer from almost prohibitive overhead in terms of area, power, delay, and testability. This paper proposes an obfuscation technique called EvoLUTe+, which is a unique and more fine-grained redaction approach using smaller reconfigurable components (e.g., Look-Up Tables (LUTs)). EvoLUTe+ achieves fine-grained partitioning, sub-circuit coloring, and scoring of IP, and then encrypts the original IP through the substitution of some sub-circuits. Different attacks are used to test the robustness of EvoLUTe+, including structural and machine learning attacks, as well as Bounded Model Checking (BMC) attacks. The overhead of the obfuscation design is also analyzed. Experimental results demonstrate that EvoLUTe+ exhibits robustness with acceptable overhead while resisting such threat models.



## 2025/485

* Title: Key reconstruction for QC-MDPC McEliece from imperfect distance spectrum
* Authors: Motonari Ohtsuka, Takahiro Ishimaru, Rei Iseki, Shingo Kukita, Kohtaro Watanabe
* [Permalink](https://eprint.iacr.org/2025/485)
* [Download](https://eprint.iacr.org/2025/485.pdf)

### Abstract

McEliece cryptosystems, based on code-based cryptography, is a candidate in Round 4 of NIST's post-quantum cryptography standardization process. The QC-MDPC (quasi-cyclic moderate-density parity-check) variant is particularly noteworthy due to its small key length. The Guo-Johansson-Stankovski (GJS) attack against the QC-MDPC McEliece cryptosystem was recently proposed and has intensively been studied. This attack reconstructs the secret key using information on decoding error rate (DER). However, in practice, obtaining complete DER information is presumed to be time-consuming. This paper proposes two algorithms to reconstruct the secret key under imperfection in the DER information and evaluates the relationship between the imperfection and efficiency of key reconstruction. This will help us to increase the efficacy of the GJS attack.



## 2025/486

* Title: On One-Shot Signatures, Quantum vs Classical Binding, and Obfuscating Permutations
* Authors: Omri Shmueli, Mark Zhandry
* [Permalink](https://eprint.iacr.org/2025/486)
* [Download](https://eprint.iacr.org/2025/486.pdf)

### Abstract

One-shot signatures (OSS) were defined by Amos, Georgiou, Kiayias, and Zhandry (STOC'20). These allow for signing exactly one message, after which the signing key self-destructs, preventing a second message from ever being signed. While such an object is impossible classically, Amos et al observe that OSS may be possible using quantum signing keys by leveraging the no-cloning principle. OSS has since become an important conceptual tool with many applications in decentralized settings and for quantum cryptography with classical communication. OSS are also closely related to separations between classical-binding and collapse-binding for post-quantum hashing and commitments. Unfortunately, the only known OSS construction due to Amos et al. was only justified in a classical oracle model, and moreover their justification was ultimately found to contain a fatal bug. Thus, the existence of OSS, even in a classical idealized model, has remained open.

We give the first standard-model OSS, with provable security assuming (sub-exponential) indistinguishability obfuscation (iO) and LWE. This also gives the first standard-model separation between classical and collapse-binding post-quantum commitments/hashing, solving a decade-old open problem. Along the way, we also give the first construction with unconditional security relative to a classical oracle. To achieve our standard-model construction, we develop a notion of permutable pseudorandom permutations (permutable PRPs), and show how they are useful for translating oracle proofs involving random permutations into obfuscation-based proofs. In particular, obfuscating permutable PRPs gives a trapdoor one-way permutation that is $\textit{full-domain}$, solving another decade-old-problem of constructing this object from (sub-exponential) iO and one-way functions.



## 2025/487

* Title: webSPDZ: Versatile MPC on the Web
* Authors: Thomas Buchsteiner, Karl W. Koch, Dragos Rotaru, Christian Rechberger
* [Permalink](https://eprint.iacr.org/2025/487)
* [Download](https://eprint.iacr.org/2025/487.pdf)

### Abstract

Multi-party computation (MPC) has become increasingly practical in the last two decades, solving privacy and security issues in various domains, such as healthcare, finance, and machine learning. One big caveat is that MPC sometimes lacks usability since the knowledge barrier for regular users can be high. Users have to deal with, e.g., various CLI tools, private networks, and sometimes even must install many dependencies, which are often hardware-dependent.

A solution to improve the usability of MPC is to build browser-based MPC engines where each party runs within a browser window. Two examples of such an MPC web engine are JIFF and the web variant of MPyC. Both support an honest majority with passive corruptions.

$\texttt{webSPDZ}$: Our work brings one of the most performant and versatile general-purpose MPC engines, MP-SPDZ, to the web. MP-SPDZ supports ≥40 MPC protocols with different security models, enabling many security models on the web. To port MP-SPDZ to the web, we use Emscripten to compile MP-SPDZ’s C++ BackEnd to WebAssembly and upgrade the party communication for the browser (WebRTC or WebSockets). We call the new MPC web engine webSPDZ. As with the native versions of the mentioned MPC web engines, MPyC-Web and JIFF, webSPDZ outperforms them in our end-to-end experiments.

We believe that webSPDZ brings forth many interesting and practically relevant use cases. Thus, webSPDZ pushes the boundaries of practical MPC: making MPC more usable and enabling it for a broader community.



## 2025/488

* Title: Exploring General Cyclotomic Rings in Torus-Based Fully Homomorphic Encryption: Part I - Prime Power Instances
* Authors: Philippe Chartier, Michel Koskas, Mohammed Lemou
* [Permalink](https://eprint.iacr.org/2025/488)
* [Download](https://eprint.iacr.org/2025/488.pdf)

### Abstract

In the realm of fully homomorphic encryption on the torus, we investigate the algebraic manipulations essential for handling polynomials within cyclotomic rings characterized by prime power indices. This includes operations such as modulo reduction, computation of the trace operator, extraction, and the blind rotation integral to the bootstrapping procedure, all of which we reformulate within this mathematical framework.



## 2025/489

* Title: Translating Between the Common Haar Random State Model and the Unitary Model
* Authors: Eli Goldin, Mark Zhandry
* [Permalink](https://eprint.iacr.org/2025/489)
* [Download](https://eprint.iacr.org/2025/489.pdf)

### Abstract

Black-box separations are a cornerstone of cryptography, indicating barriers to various goals. A recent line of work has explored black-box separations for quantum cryptographic primitives. Namely, a number of separations are known in the Common Haar Random State (CHRS) model, though this model is not considered a complete separation, but rather a starting point. A few very recent works have attempted to lift these separations to a unitary separation, which are considered complete separations. Unfortunately, we find significant errors in some of these lifting results.

We prove general conditions under which CHRS separations can be generically lifted, thereby giving simple, modular, and bug-free proofs of complete unitary separations between various quantum primitives. Our techniques allow for simpler proofs of existing separations as well as new separations that were previously only known in the CHRS model.



## 2025/490

* Title: PREAMBLE: Private and Efficient Aggregation of Block Sparse Vectors and Applications
* Authors: Hilal Asi, Vitaly Feldman, Hannah Keller, Guy N. Rothblum, Kunal Talwar
* [Permalink](https://eprint.iacr.org/2025/490)
* [Download](https://eprint.iacr.org/2025/490.pdf)

### Abstract

We revisit the problem of secure aggregation of high-dimensional vectors in a two-server system such as Prio. These systems are typically used to aggregate vectors such as gradients in private federated learning, where the aggregate itself is protected via noise addition to ensure differential privacy. Existing approaches require communication scaling with the dimensionality, and thus limit the dimensionality of vectors one can efficiently process in this setup.

We propose PREAMBLE: Private Efficient Aggregation Mechanism for  Block-sparse Euclidean Vectors. PREAMBLE is a novel extension of distributed point functions that enables communication- and computation-efficient aggregation of block-sparse vectors, which are sparse vectors where the non-zero entries occur in a small number of clusters of consecutive coordinates. We then show that PREAMBLE can be combined with random sampling and privacy amplification by sampling results, to allow asymptotically optimal privacy-utility trade-offs for vector aggregation, at a fraction of the communication cost. When coupled with recent advances in numerical privacy accounting, our approach incurs a negligible overhead in noise variance, compared to the Gaussian mechanism used with Prio.



## 2025/491

* Title: Blind Brother: Attribute-Based Selective Video Encryption
* Authors: Eugene Frimpong, Bin Liu, Camille Nuoskala, Antonis Michalas
* [Permalink](https://eprint.iacr.org/2025/491)
* [Download](https://eprint.iacr.org/2025/491.pdf)

### Abstract

The emergence of video streams as a primary medium for communication and the demand for high-quality video sharing over the internet have given rise to several security and privacy issues, such as unauthorized access and data breaches. To address these limitations, various Selective Video Encryption (SVE) schemes have been proposed, which encrypt specific portions of a video while leaving others unencrypted. The SVE approach balances security and usability, granting unauthorized users access to certain parts while encrypting sensitive content. However, existing SVE schemes adopt an all-or-nothing coarse-grain encryption approach, where a user with a decryption key can access all the contents of a given video stream. This paper proposes and designs a fine-grained access control-based selective video encryption scheme, ABSVE, and a use-case protocol called \protocol. Our scheme encrypts different identified Regions of Interest (ROI) with a unique symmetric key and applies a Ciphertext Policy Attribute Based Encryption (CP-ABE) scheme to tie these keys to specific access policies. This method provides multiple access levels for a single encrypted video stream. Crucially, we provide a formal syntax and security definitions for ABSVE, allowing for rigorous security analysis of this and similar schemes --  which is absent in prior works. Finally, we provide an implementation and evaluation of our protocol in the Kvazaar HEVC encoder. Overall, our constructions enhance security and privacy while allowing controlled access to video content and achieve comparable efficiency to compression without encryption.



## 2025/492

* Title: Endorser Peer Anonymization in Hyperledger Fabric for Consortium of Organizations
* Authors: Dharani J, Sundarakantham K, Kunwar Singh, Mercy Shalinie S
* [Permalink](https://eprint.iacr.org/2025/492)
* [Download](https://eprint.iacr.org/2025/492.pdf)

### Abstract

Hyperledger Fabric is a unique permissioned platform for implementing blockchain in a consortium. It has a distinct transaction flow of execute-order-validate. During the execution phase, a pre-determined set of endorsing peers execute a transaction and sign the transaction response. This process is termed endorsement. In the validation phase, peers validate the transaction with reference to an endorsement policy. The identity of the endorsing organizations is obtainable to all the nodes in the network through the endorser signature and endorsement policy. Knowing this has led to serious vulnerabilities in the blockchain network.
In this paper, we propose a privacy-preserving endorsement system which conceals both endorser signature and endorsement policy. Endorser is anonymized by replacing the signature scheme with a scoped-linkable threshold ring signature scheme. Endorsement policy is secured using Pedersen commitments and non-interactive proof of knowledge of integer vector. We also achieve efficiency in the computation by employing non-interactive proof of co-prime roots. We provide the necessary security analysis to prove that the proposed work guarantees anonymity and unlinkability properties. A comparative analysis of our work with an existing framework is provided which shows that the proposed scheme offers higher level of security and it is optimal in terms of efficiency.



## 2025/493

* Title: Tighter Concrete Security for the Simplest OT
* Authors: Iftach Haitner, Gil Segev
* [Permalink](https://eprint.iacr.org/2025/493)
* [Download](https://eprint.iacr.org/2025/493.pdf)

### Abstract

The Chou-Orlandi batch oblivious transfer (OT) protocol is a particularly attractive OT protocol that bridges the gap between practical efficiency and strong security guarantees and is especially notable due to its simplicity. The security analysis provided by Chou and Orlandi bases the security of their protocol on the hardness of the computational Diffie-Hellman ($\mathsf{CDH}$) problem in prime-order groups. Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{CDH}$ problem, their security analysis yields that an attacker running in time $t$ and issuing $q$ random-oracle queries breaks the security of their protocol with probability at most $\epsilon \leq q^2 \cdot t / 2^{\kappa/2}$, where $\kappa$ is the bit-length of the group's order. This concrete bound, however, is somewhat insufficient for 256-bit groups (e.g., for $\kappa = 256$, it does not provide any guarantee already for $t = 2^{48}$ and $q = 2^{40}$).

In this work, we establish a tighter concrete security bound for the Chou-Orlandi protocol. First, we introduce the list square Diffie-Hellman ($\ell\text{-}\mathsf{sqDH}$) problem and present a tight reduction from the security of the protocol to the hardness of solving $\ell\text{-}\mathsf{sqDH}$. That is, we completely shift the task of analyzing the concrete security of the protocol to that of analyzing the concrete hardness of the $\ell\text{-}\mathsf{sqDH}$ problem. Second, we reduce the hardness of the $\ell\text{-}\mathsf{sqDH}$ problem to that of the decisional Diffie-Hellman ($\mathsf{DDH}$) problem without incurring a multiplicative loss. Our key observation is that although $\mathsf{CDH}$ and $\mathsf{DDH}$ have the same assumed concrete hardness, relying on the hardness of $\mathsf{DDH}$ enables our reduction to efficiently test the correctness of the solutions it produces.

Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{DDH}$ problem, our analysis yields that an attacker running in time $t$ and issuing $q \leq t$ random-oracle queries breaks the security of the Chou-Orlandi protocol with probability at most $\epsilon \leq t / 2^{\kappa/2}$ (i.e., we eliminate the above multiplicative $q^2$ term). We prove our results within the standard real-vs-ideal framework considering static corruptions by malicious adversaries, and provide a concrete security treatment by accounting for the statistical distance between a real-model execution and an ideal-model execution.



## 2025/494

* Title: Electromagnetic Side-Channel Analysis of PRESENT Lightweight Cipher
* Authors: Nilupulee A Gunathilake, Owen Lo, William J Buchanan, Ahmed Al-Dubai
* [Permalink](https://eprint.iacr.org/2025/494)
* [Download](https://eprint.iacr.org/2025/494.pdf)

### Abstract

Side-channel vulnerabilities pose an increasing threat to cryptographically protected devices. Consequently, it is crucial to observe information leakages through physical parameters such as power consumption and electromagnetic (EM) radiation to reduce susceptibility during interactions with cryptographic functions. EM side-channel attacks are becoming more prevalent. PRESENT is a promising lightweight cryptographic algorithm expected to be incorporated into Internet-of-Things (IoT) devices in the future. This research investigates the EM side-channel robustness of PRESENT using a correlation attack model. This work extends our previous Correlation EM Analysis (CEMA) of PRESENT with improved results. The attack targets the Substitution box (S-box) and can retrieve 8 bytes of the 10-byte encryption key with a minimum of 256 EM waveforms. This paper presents the process of EM attack modelling, encompassing both simple and correlation attacks, followed by a critical analysis.



## 2025/495

* Title: A Security-Enhanced Pairing-Free Certificateless Aggregate Signature for  Vehicular Ad-Hoc Networks, Revisited
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](https://eprint.iacr.org/2025/495)
* [Download](https://eprint.iacr.org/2025/495.pdf)

### Abstract

We show that the aggregate signature scheme  [IEEE Syst. J.,  2023, 17(3), 3822-3833] is insecure against forgery attack. This flaw is due to that the ephemeral key or ephemeral value chosen in the signing phase is not indeed  bound to the final signature. An adversary can sign any message while the verifier cannot find the fraud. We also suggest a revising method to frustrate this attack.



## 2025/496

* Title: Shortcut2Secrets: A Table-based Differential Fault Attack Framework
* Authors: Weizhe Wang, Pierrick Méaux, Deng Tang
* [Permalink](https://eprint.iacr.org/2025/496)
* [Download](https://eprint.iacr.org/2025/496.pdf)

### Abstract

Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}.
The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher's filter function cannot be represented over the ring it is defined on.

Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}.

For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model.. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.



## 2025/497

* Title: Fast Scloud+: A Fast Hardware Implementation for the Unstructured LWE-based KEM - Scloud+
* Authors: Jing Tian, Yaodong Wei, Dejun Xu, Kai Wang, Anyu Wang, Zhiyuan Qiu, Fu Yao, Guang Zeng
* [Permalink](https://eprint.iacr.org/2025/497)
* [Download](https://eprint.iacr.org/2025/497.pdf)

### Abstract

Scloud+ is an unstructured LWE-based key encapsulation mechanism (KEM) with conservative quantum security, in which ternary secrets and lattice coding are incorporated for higher computational and communication efficiency. However, its efficiencies are still much inferior to those of the structured LWE-based KEM, like ML-KEM (standardized by NIST). In this paper, we present a configurable hardware architecture for Scloud+.KEM to improve the computational efficiency. Many algorithmic and architectural co-optimizations are proposed to reduce the complexity and increase the degree of parallelism. Specially, the matrix multiplications are computed by a block in serial and the block is calculated in one cycle, without using any multipliers. In addition, the random bits all are generated by an unfolded Keccak core, well matched with the data flow required by the block matrix multiplier. The proposed design is coded in Verilog and implemented under the SMIC 40nm LP CMOS technology. The synthesized results show that Scloud+.KEM-128 only costs 23.0 $us$, 24.3 $us$, and 24.6 $us$ in the KeyGen, Encaps, and Decaps stages, respectively, with an area consumption of 0.69 $mm^2$, significantly narrowing the gap with the state-of-the-art of Kyber hardware implementation.



## 2025/498

* Title: Scoop: An Optimizer for Profiling Attacks against Higher-Order Masking
* Authors: Nathan Rousselot, Karine Heydemann, Loïc Masure, Vincent Migairou
* [Permalink](https://eprint.iacr.org/2025/498)
* [Download](https://eprint.iacr.org/2025/498.pdf)

### Abstract

In this paper we provide new theoretical and empirical evidences that gradient-based deep learning profiling attacks (DL-SCA) suffer from masking schemes. This occurs through an initial stall of the learning process: the so-called plateau effect. To understand why, we derive an analytical expression of a DL-SCA model targeting simulated traces which enables us to study an analytical expression of the loss. By studying the loss landscape of this model, we show that not only do the magnitudes of the gradients decrease as the order of masking increases, but the loss landscape also exhibits a prominent saddle point interfering with the optimization process. From these observations, we (1) propose the usage of a second-order optimization algorithm mitigating the impact of low-gradient areas. In addition, we show how to leverage the intrinsic sparsity of valuable information in SCA traces to better pose the DL-SCA problem. To do so, we (2) propose to use the implicit regularization properties of the sparse mirror descent. These propositions are gathered in a new publicly available optimization algorithm, Scoop. Scoop combines second-order derivative of the loss function in the optimization process, with a sparse stochastic mirror descent. We experimentally show that Scoop pushes further the current limitations of DL-SCA against simulated traces, and outperforms the state-of-the-art on the ASCADv1 dataset in terms of number of traces required to retrieve the key, perceived information and plateau length. Scoop also performs the first non-worst-case attack on the ASCADv2 dataset. On simulated traces, we show that using Scoop reduces the DL-SCA time complexity by the equivalent of one masking order.



## 2025/499

* Title: SCAPEgoat: Side-channel Analysis Library
* Authors: Dev Mehta, Trey Marcantino, Mohammad Hashemi, Sam Karkache, Dillibabu Shanmugam, Patrick Schaumont, Fatemeh Ganji
* [Permalink](https://eprint.iacr.org/2025/499)
* [Download](https://eprint.iacr.org/2025/499.pdf)

### Abstract

Side-channel analysis (SCA) is a growing field in
hardware security where adversaries extract secret information
from embedded devices by measuring physical observables like
power consumption and electromagnetic emanation. SCA is a
security assessment method used by governmental labs, standardization
bodies, and researchers, where testing is not just
limited to standardized cryptographic circuits, but it is expanded
to AI accelerators, Post Quantum circuits, systems, etc. Despite
its importance, SCA is performed on an ad hoc basis in the
sense that its flow is not systematically optimized and unified
among labs. As a result, the current solutions do not account
for fair comparisons between analyses. Furthermore, neglecting
the need for interoperability between datasets and SCA metric
computation increases students’ barriers to entry. To address
this, we introduce SCAPEgoat, a Python-based SCA library
with three key modules devoted to defining file format, capturing
interfaces, and metric calculation. The custom file framework
organizes side-channel traces using JSON for metadata, offering
a hierarchical structure similar to HDF5 commonly applied in
SCA, but more flexible and human-readable. The metadata can
be queried with regular expressions, a feature unavailable in
HDF5. Secondly, we incorporate memory-efficient SCA metric
computations, which allow using our functions on resource-restricted
machines. This is accomplished by partitioning datasets
and leveraging statistics-based optimizations on the metrics. In
doing so, SCAPEgoat makes the SCA more accessible to newcomers
so that they can learn techniques and conduct experiments
faster and with the possibility to expand on in the future.



## 2025/500

* Title: SecurED: Secure Multiparty Edit Distance for Genomic Sequences
* Authors: Jiahui Gao, Yagaagowtham Palanikuma, Dimitris Mouris, Duong Tung Nguyen, Ni Trieu
* [Permalink](https://eprint.iacr.org/2025/500)
* [Download](https://eprint.iacr.org/2025/500.pdf)

### Abstract

DNA edit distance (ED) measures the minimum number of single nucleotide insertions, substitutions, or deletions required to convert a DNA sequence into another. ED has broad applications in healthcare such as sequence alignment, genome assembly, functional annotation, and drug discovery. Privacy-preserving computation is essential in this context to protect sensitive genomic data. Nonetheless, the existing secure DNA edit distance solutions lack efficiency when handling large data sequences or resort to approximations and fail to accurately compute the metric.

In this work, we introduce secureED, a protocol that tackles these limitations, resulting in a significant performance enhancement of approximately $2-24\times$ compared to existing methods. Our protocol computes a secure ED between two genomes, each comprising $1,000$ letters, in just a few seconds. The underlying technique of our protocol is a novel approach that transforms the established approximate matching technique (i.e., the Ukkonen algorithm) into exact matching, exploiting the inherent similarity in human DNA to achieve cost-effectiveness. Furthermore, we introduce various optimizations tailored for secure computation in scenarios with a limited input domain, such as DNA sequences composed solely of the four nucleotide letters.