[digest] 2025 Week 12

## In this issue

1. [2025/384] Optimizing Final Exponentiation for Pairing- ...
2. [2025/388] Fair Exchange for Decentralized Autonomous ...
3. [2025/501] Quantum Key-Recovery Attacks on Permutation-Based ...
4. [2025/502] Registration-Based Encryption in the Plain Model
5. [2025/503] Max Bias Analysis: A New Approach on Computing the ...
6. [2025/504] Ideal Compartmented Secret Sharing Scheme Based on ...
7. [2025/505] Capitalized Bitcoin Fork for National Strategic Reserve
8. [2025/506] On the Estonian Internet Voting System, IVXV, SoK ...
9. [2025/507] Scalable Zero-knowledge Proofs for Non-linear ...
10. [2025/508] Towards Building Scalable Constant-Round MPC from ...
11. [2025/509] Almost Optimal KP and CP-ABE for Circuits from ...
12. [2025/510] Adaptive Adversaries in Byzantine-Robust Federated ...
13. [2025/511] VeriSSO: A Privacy-Preserving Legacy-Compatible ...
14. [2025/512] Optimizing AES-GCM on ARM Cortex-M4: A Fixslicing ...
15. [2025/513] Server-Aided Anonymous Credentials
16. [2025/514] On Extractability of the KZG Family of Polynomial ...
17. [2025/515] Compressed Sigma Protocols: New Model and ...
18. [2025/516] Don't Use It Twice: Reloaded! On the Lattice ...
19. [2025/517] Designated-Verifier SNARGs with One Group Element
20. [2025/518] Secret-Sharing Schemes for General Access ...
21. [2025/519] mid-pSquare: Leveraging the Strong Side-Channel ...
22. [2025/520] Masking-Friendly Post-Quantum Signatures in the ...
23. [2025/521] Division polynomials for arbitrary isogenies
24. [2025/522] New Techniques for Analyzing Fully Secure ...
25. [2025/523] Assembly optimised Curve25519 and Curve448 ...
26. [2025/524] Ring Referral: Efficient Publicly Verifiable Ad hoc ...
27. [2025/525] Deniable Secret Sharing
28. [2025/526] AI Agents in Cryptoland: Practical Attacks and No ...
29. [2025/527] SoK: Fully-homomorphic encryption in smart contracts
30. [2025/528] VeRange: Verification-efficient Zero-knowledge ...
31. [2025/529] On the Anonymity in "A Practical Lightweight ...
32. [2025/530] Lattice-based extended withdrawable signatures
33. [2025/531] Understanding the new distinguisher of alternant ...
34. [2025/532] Chunking Attacks on File Backup Services using ...
35. [2025/533] JesseQ: Efficient Zero-Knowledge Proofs for ...
36. [2025/534] Plonkify: R1CS-to-Plonk transpiler
37. [2025/535] zkPyTorch: A Hierarchical Optimized Compiler for ...
38. [2025/536] A Fiat-Shamir Transformation From Duplex Sponges

## 2025/384

* Title: Optimizing Final Exponentiation for Pairing-Friendly Elliptic Curves with Odd Embedding Degrees Divisible by 3
* Authors: Loubna Ghammam, Nadia El Mrabet, Walid Haddaji, Leila Ben Abdelghani
* [Permalink](https://eprint.iacr.org/2025/384)
* [Download](https://eprint.iacr.org/2025/384.pdf)

### Abstract

In pairing-based cryptography, the final exponentiation with a large fixed exponent is essential to ensure unique outputs in both Tate and optimal ate pairings. While significant progress has been made in optimizing elliptic curves with even embedding degrees, advancements for curves with odd embedding degrees, particularly those divisible by 3, have been more limited. This paper introduces new optimization techniques for computing the final exponentiation of the optimal ate pairing on these curves. The first technique takes advantage of some existing seeds' forms, which enable cyclotomic cubing, and extends this approach to generate new seeds with a similar structure. The second technique involves generating new seeds with sparse ternary representations, replacing squaring operations with cyclotomic cubing.
The first technique improves efficiency by $1.7\%$ and $1.5\%$ compared to the square and multiply (\textbf{SM}) method for existing seeds at $192-$bit and $256-$bit security levels, respectively. For newly generated seeds, it achieves efficiency gains of $3.4\%$ at $128-$bit, $5\%$ at $192-$bit, and $8.6\%$ at $256-$bit security levels. The second technique improves efficiency by $3.3\%$ at $128-$bit, $19.5\%$ at $192-$bit, and $4.3\%$ at $256-$bit security levels.



## 2025/388

* Title: Fair Exchange for Decentralized Autonomous Organizations via Threshold Adaptor Signatures
* Authors: Ruben Baecker, Paul Gerhart, Jonathan Katz, Dominique Schröder
* [Permalink](https://eprint.iacr.org/2025/388)
* [Download](https://eprint.iacr.org/2025/388.pdf)

### Abstract

A Decentralized Autonomous Organization (DAO) enables multiple parties to collectively manage digital assets in a blockchain setting. We focus on achieving fair exchange between DAOs using a cryptographic mechanism that operates with minimal blockchain assumptions and, crucially, does not rely on smart contracts. 

Specifically, we consider a setting where a DAO consisting of $n_\mathsf{S}$ sellers holding shares of a witness $w$ interacts with a DAO comprising $n_\mathsf{B}$ buyers holding shares of a signing key $sk$; the goal is for the sellers to exchange $w$ for a signature under $sk$ transferring a predetermined amount of funds. 
Fairness is required to hold both between DAOs (i.e., ensuring that each DAO receives its asset if and only if the other does) as well as within each DAO (i.e., ensuring that all members of a DAO receive their asset if and only if every other member does). 

We formalize these fairness properties and present an efficient protocol for DAO-based fair exchange under standard cryptographic assumptions. Our protocol leverages certified witness encryption and threshold adaptor signatures, two primitives of independent interest that we introduce and show how to construct efficiently.



## 2025/501

* Title: Quantum Key-Recovery Attacks on Permutation-Based Pseudorandom Functions
* Authors: Hong-Wei Sun, Fei Gao, Rong-Xue Xu, Dan-Dan Li, Zhen-Qiang Li, Ke-Jia Zhang
* [Permalink](https://eprint.iacr.org/2025/501)
* [Download](https://eprint.iacr.org/2025/501.pdf)

### Abstract

Due to their simple security assessments, permutation-based pseudo-random functions (PRFs) have become widely used in cryptography. It has been shown that PRFs using a single $n$-bit permutation achieve $n/2$ bits of security, while those using two permutation calls provide $2n/3$ bits of security in the classical setting. This paper studies the security of permutation-based PRFs within the Q1 model, where attackers are restricted to classical queries and offline quantum computations. We present improved quantum-time/classical-data tradeoffs compared with the previous attacks. Specifically, under the same assumptions/hardware as Grover's exhaustive search attack, i.e. the offline Simon algorithm, we can recover keys in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits. Furthermore, we enhance previous superposition attacks by reducing the data complexity from exponential to polynomial, while maintaining the same time complexity. This implies that permutation-based PRFs become vulnerable when adversaries have access to quantum computing resources. It is pointed out that the above quantum attack can be used to quite a few cryptography, including PDMMAC and pEDM, as well as general instantiations like XopEM, EDMEM, EDMDEM, and others.



## 2025/502

* Title: Registration-Based Encryption in the Plain Model
* Authors: Jesko Dujmovic, Giulio Malavolta, Wei Qi
* [Permalink](https://eprint.iacr.org/2025/502)
* [Download](https://eprint.iacr.org/2025/502.pdf)

### Abstract

Registration-based encryption (RBE) is a recently developed alternative to identity-based encryption, that mitigates the well-known key-escrow problem by letting each user sample its own key pair. In RBE, the key authority is substituted by a key curator, a completely transparent entity whose only job is to reliably aggregate users' keys. However, one limitation of all known RBE scheme is that they all rely on one-time trusted setup, that must be computed honestly.
   
    In this work, we ask whether this limitation is indeed inherent and we initiate the systematic study of RBE in the plain model, without any common reference string. We present the following main results:
        - (Definitions) We show that the standard security definition of RBE is unachievable without a trusted setup and we propose a slight weakening, where one honest user is required to be registered in the system.
        - (Constructions) We present constructions of RBE in the plain model, based on standard cryptographic assumptions. Along the way, we introduce the notions of non-interactive witness indistinguishable (NIWI) proofs secure against chosen statements attack and re-randomizable RBE, which may be of independent interest.
        A major limitation of our constructions, is that users must be updated upon every new registration.
        - (Lower Bounds) We show that this limitation is in some sense inherent. We prove that any RBE in the plain model that satisfies a certain structural requirement, which holds for all known RBE constructions, must update all but a vanishing fraction of the users, upon each new registration. This is in contrast with the standard RBE settings, where users receive a logarithmic amount of updates throughout the lifetime of the system.



## 2025/503

* Title: Max Bias Analysis: A New Approach on Computing the Entropy of Free Ring-Oscillator
* Authors: Nicolas David, Eric Garrido
* [Permalink](https://eprint.iacr.org/2025/503)
* [Download](https://eprint.iacr.org/2025/503.pdf)

### Abstract

This work introduce a new approach called Max bias analysis for the entropy computation of structures of Free Ring Oscillator-based Physical Random Number Generator. It employs the stochastic model based on the well-established Wiener process, specifically adapted to only capture thermal noise contributions while accounting for potential non-zero bias in the duty cycle.
Our analysis is versatile, applicable to combinations of multiple sampled Ring Oscillator (RO) filtering by any function. The entropy computation takes as inputs the parameters of the thermal stochastic model and delivers directly a proven bound for both Shannon entropy and min-entropy to fulfill AIS31 and NIST SP 800-90 B. As an example, we apply the new methodology on an enhanced structure of TRNG combining several free-running Ring Oscillators filtered by a vectorial function built from a linear error correcting code that optimizes the functional performance in terms of [entropy rate/silicium area used] and that maintains the mathematical proof of the entropy lower bound as simple as possible.



## 2025/504

* Title: Ideal Compartmented Secret Sharing Scheme Based on the Chinese Remainder Theorem for Polynomial Rings
* Authors: Alexandru-Valentin Basaga, Sorin Iftene
* [Permalink](https://eprint.iacr.org/2025/504)
* [Download](https://eprint.iacr.org/2025/504.pdf)

### Abstract

A secret sharing scheme starts with a secret and then derives from it
certain shares (or shadows)  which are distributed to users. 
The secret may be recovered only by certain
predetermined groups. In case of compartmented secret sharing, the
set of users is partitioned into compartments and the secret
can be recovered only if the number of participants from
any compartment is greater than or equal to a fixed compartment threshold
and the total number of participants is greater than or equal to a global threshold.

In this paper we  use the Chinese Remainder Theorem for Polynomial Rings in order to construct an  ideal compartmented secret sharing scheme, inspired by the work from [20].



## 2025/505

* Title: Capitalized Bitcoin Fork for National Strategic Reserve
* Authors: Charanjit Singh Jutla, Arnab Roy
* [Permalink](https://eprint.iacr.org/2025/505)
* [Download](https://eprint.iacr.org/2025/505.pdf)

### Abstract

We describe a strategy for a nation to acquire majority stake in Bitcoin with zero cost to the taxpayers of the nation. We propose a bitcoin fork sponsored by the the government of the nation, and backed by the full faith of treasury of the nation, such that the genesis block of this fork attributes fixed large amount of new kinds of tokens called strategic-reserve-bitcoin tokens (SRBTC) to the nation's treasury, which is some  multiple (greater than one) of the amount of all Bitcoin tokens (BTC) currently set in the Bitcoin protocol.. The BTC tokens continue to be treated 1:1 as SRBTC tokens in the forked chain. The only capital that the nation puts up is its explicit guarantee that the SRBTC tokens of the fork will be accepted as legal tender, such as payment of tax to the treasury.

We suggest that this is a better approach than starting a new blockchain that mimics Bitcoin, as it will be  partially fair to the current holders of Bitcoin, which in turn would make it competitive in the space of other such possible forks by other powerful nations. Moreover, such a proof-of-work blockchain  retains its egalitarian and democratic nature, which competitively deters the said nation from any dilutions in the future.

To justify our proposal we setup three competitive games, and show strategies for different players that are in Nash equilibrium and which throw further light on these claims. In particular,

1. The first game shows that if the only two alternatives for investors is to invest in BTC or SRBTC, then individuals who have a certain fraction $\theta$ of their wealth already invested in BTC, will invest new money in the original chain, whereas the individuals whose current wealth invested in BTC is less than the $\theta$ fraction will invest new money in SRBTC.
2. The second game shows that if there is a third alternative for investment, which is cash that is losing value (inflation-adjusted) by a percentage $d$, then the investors who had less than $\theta$ fraction of wealth in Bitcoin, will invest in SRBTC only if the dilution of SRBTC is large enough (as an increasing (linear) function of $1/d$). Here by dilution we mean the new SRBTC tokens that are allowed to be eventually mined in the fork.
3.  The third game shows that investors would prefer a fork of Bitcoin over a replica of Bitcoin that doesn't value original BTC, when both are available and even if both are backed similarly by one or more nations.



## 2025/506

* Title: On the Estonian Internet Voting System, IVXV, SoK  and Suggestions
* Authors: Shymaa M. Arafat
* [Permalink](https://eprint.iacr.org/2025/506)
* [Download](https://eprint.iacr.org/2025/506.pdf)

### Abstract

The Estonian i-voting experience is probably the richest to analyze; a country that is considered a pioneer in digitizing both the government and private sector since 2001, and hence digital voting in 2005, yet there are still some complaints submitted, critics and remarks to consider about the IVXV system. In this paper, we introduce a Systemization of Knowledge of the Estonian IVXV i-voting system and propose some added security enhancements. The presented SoK includes applications implemented by election observers in 2023 & 2024 elections, which, to our knowledge, has never been mentioned and/or analyzed in the academic literature before. The paper also updates the general knowledge about an extra right given to auditors
(but not observers) in the June 2024 European election, recent complaints, and about newer solutions suggested by academia in 2024. Finally, we discuss the current system status in 2024 EP elections and propose our own suggestions to some problems stated in the OSCE-ODIHR 2023 report that are still there.



## 2025/507

* Title: Scalable Zero-knowledge Proofs for Non-linear Functions in Machine Learning
* Authors: Meng Hao, Hanxiao Chen, Hongwei Li, Chenkai Weng, Yuan Zhang, Haomiao Yang, Tianwei Zhang
* [Permalink](https://eprint.iacr.org/2025/507)
* [Download](https://eprint.iacr.org/2025/507.pdf)

### Abstract

Zero-knowledge (ZK) proofs have been recently explored for the integrity of machine learning (ML) inference. However, these protocols suffer from high computational overhead, with the primary bottleneck stemming from the evaluation of non-linear functions. In this paper, we propose the first systematic ZK proof framework for non-linear mathematical functions in ML using the perspective of table lookup. The key challenge is that table lookup cannot be directly applied to non-linear functions in ML since it would suffer from inefficiencies due to the intolerably large table. Therefore, we carefully design several important building blocks, including digital decomposition, comparison, and truncation, such that they can effectively utilize table lookup with a quite small table size while ensuring the soundness of proofs. Based on these blocks, we implement complex mathematical operations and further construct ZK proofs for current mainstream non-linear functions in ML such as ReLU, sigmoid, and normalization. The extensive experimental evaluation shows that our framework achieves 50 ∼ 179× runtime improvement compared to the state-of-the-art work, while maintaining a similar level of communication efficiency.



## 2025/508

* Title: Towards Building Scalable Constant-Round MPC from Minimal Assumptions via Round Collapsing
* Authors: Vipul Goyal, Junru Li, Rafail Ostrovsky, Yifan Song
* [Permalink](https://eprint.iacr.org/2025/508)
* [Download](https://eprint.iacr.org/2025/508.pdf)

### Abstract

In this work, we study the communication complexity of constant-round secure multiparty computation (MPC) against a fully malicious adversary and consider both the honest majority setting and the dishonest majority setting. In the (strong) honest majority setting (where $t=(1/2-\epsilon)n$ for a constant $\epsilon$), the best-known result without relying on FHE is given by Beck et al. (CCS 2023) based on the LPN assumption that achieves $O(|C|\kappa)$ communication, where $\kappa$ is the security parameter and the achieved communication complexity is independent of the number of participants. In the dishonest majority setting, the best-known result is achieved by Goyal et al. (ASIACRYPT 2024), which requires $O(|C|n\kappa)$ bits of communication and is based on the DDH and LPN assumptions.

In this work, we achieve the following results: (1) For any constant $\epsilon<1$, we give the first constant-round MPC in the dishonest majority setting for corruption threshold $t<(1-\epsilon)n$ with $O(|C|\kappa+D (n+\kappa)^2\kappa)$ communication assuming random oracles and oblivious transfers, where $D$ is the circuit depth. (2) We give the first constant-round MPC in the standard honest majority setting (where $t=(n-1)/2$) with $O(|C|\kappa+D (n+\kappa)^2\kappa)$ communication only assuming random oracles.

Unlike most of the previous constructions of constant-round MPCs that are based on multiparty garbling, we achieve our result by letting each party garble his local computation in a non-constant-round MPC that meets certain requirements. We first design a constant-round MPC that achieves $O(|C|\kappa + Dn^2\kappa)$ communication assuming random oracles in the strong honest majority setting of $t=n/4$. Then, we combine the party virtualization technique and the idea of MPC-in-the-head to boost the corruption threshold to $t<(1-\epsilon)n$ for any constant $\epsilon<1$ assuming oblivious transfers to achieve our first result. Finally, our second result is obtained by instantiating oblivious transfers using a general honest-majority MPC and the OT extension technique built on random oracles.



## 2025/509

* Title: Almost Optimal KP and CP-ABE for Circuits from Succinct LWE
* Authors: Hoeteck Wee
* [Permalink](https://eprint.iacr.org/2025/509)
* [Download](https://eprint.iacr.org/2025/509.pdf)

### Abstract

We present almost-optimal lattice-based attribute-based encryption (ABE) and laconic function evaluation (LFE). For depth d circuits over $\ell$-bit inputs, we obtain

* key-policy (KP) and ciphertext-policy (CP) ABE schemes with ciphertext, secret key and public key size $O(1)$;

* LFE with ciphertext size $\ell + O(1)$ as well as CRS and digest size $O(1)$;

where O(·) hides poly(d, λ) factors. The parameter sizes are optimal, up to the poly(d) dependencies. The security of our schemes rely on succinct LWE (Wee, CRYPTO 2024). Our results constitute a substantial improvement over the state of the art; none of our results were known even under the stronger evasive LWE assumption.



## 2025/510

* Title: Adaptive Adversaries in Byzantine-Robust Federated Learning: A survey.
* Authors: Jakub Kacper Szeląg, Ji-Jian Chin, Sook-Chin Yip
* [Permalink](https://eprint.iacr.org/2025/510)
* [Download](https://eprint.iacr.org/2025/510.pdf)

### Abstract

Federated Learning (FL) has recently emerged as one of the leading paradigms for collaborative machine learning, serving as a tool for model computation without a need to expose one’s privately stored data. However, despite its advantages, FL systems face severe challenges within its own security solutions that address both privacy and robustness of models. This paper focuses on vulnerabilities within the domain of FL security with emphasis on model-robustness. Identifying critical gaps in current defences, particularly against adaptive adversaries which modify their attack strategies after being disconnected and rejoin systems to continue attacks. To our knowledge, other surveys in this domain do not cover the concept of adaptive adversaries, this along with the significance of their impact serves as the main motivation for this work. Our contributions are fivefold: (1) we present a comprehensive overview of FL systems, presenting a complete summary of its fundamental building blocks, (2) an extensive overview of existing vulnerabilities that target FL systems in general, (3) highlight baseline attack vectors as well as state-of-the-art approaches to development of attack methods and defence mechanisms, (4) introduces a novel baseline method of attack leveraging reconnecting malicious clients, and (5) identifies future research directions to address and counter adaptive attacks. We demonstrate through experimental results that existing baseline secure aggregation rules used in other works for comparison such as Krum and Trimmed Mean are insufficient against those attacks. Further, works improving upon those algorithms do not address this concern either. Our findings serve as a basis for redefining FL security paradigms in the direction of adaptive adversaries.



## 2025/511

* Title: VeriSSO: A Privacy-Preserving Legacy-Compatible Single Sign-On Protocol Using Verifiable Credentials
* Authors: Ifteher Alom, Sudip Bhujel, Yang Xiao
* [Permalink](https://eprint.iacr.org/2025/511)
* [Download](https://eprint.iacr.org/2025/511.pdf)

### Abstract

Single Sign-On (SSO) is a popular authentication mechanism enabling users to access multiple web services with a single set of credentials. Despite its convenience, SSO faces outstanding privacy challenges. The Identity Provider (IdP) represents a single point of failure and can track users across different Relying Parties (RPs). Multiple colluding RPs may track users through common identity attributes. In response, anonymous credential-based SSO solutions have emerged to offer privacy-preserving authentication without revealing unnecessary user information. However, these solutions face two key challenges: supporting RP authentication without compromising user unlinkability and maintaining compatibility with the predominant Authorization Code Flow (ACF).

This paper introduces VeriSSO, a novel SSO protocol based on verifiable credentials (VC) that supports RP authentication while preserving privacy and avoiding single points of failure. VeriSSO employs an independent authentication server committee to manage RP and user authentication, binding RP authentication with credential-based anonymous user authentication. This approach ensures user unlinkability while supporting RP authentication and allows RPs to continue using their existing verification routines with identity tokens as in the ACF workflow. VeriSSO's design also supports lawful de-anonymization, ensuring user accountability for misbehavior during anonymity. Experimental evaluations of VeriSSO demonstrate its efficiency and practicality, with authentication processes completed within 100 milliseconds.



## 2025/512

* Title: Optimizing AES-GCM on ARM Cortex-M4: A Fixslicing and FACE-Based Approach
* Authors: Hyunjun Kim, Hwajeong Seo
* [Permalink](https://eprint.iacr.org/2025/512)
* [Download](https://eprint.iacr.org/2025/512.pdf)

### Abstract

The Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) delivers both confidentiality and integrity yet poses performance and security challenges on resource-limited microcontrollers. In this paper, we present an optimized AES-GCM implementation for the ARM Cortex-M4 that combines Fixslicing AES with the FACE (Fast AES-CTR Encryption) strategy, significantly reducing redundant computations in AES-CTR. We further examine two GHASH implementations—a 4-bit Table-based approach and a Karatsuba-based constant-time variant—to balance speed, memory usage, and resistance to timing attacks.. Our evaluations on an STM32F4 microcontroller show that Fixslicing+FACE reduces AES-128 GCTR cycle counts by up to 19.41\%, while the Table-based GHASH achieves nearly double the speed of its Karatsuba counterpart. These results confirm that, with the right mix of bitslicing optimizations, counter-mode caching, and lightweight polynomial multiplication, secure and efficient AES-GCM can be attained even on low-power embedded devices.



## 2025/513

* Title: Server-Aided Anonymous Credentials
* Authors: Rutchathon Chairattana-Apirom, Franklin Harding, Anna Lysyanskaya, Stefano Tessaro
* [Permalink](https://eprint.iacr.org/2025/513)
* [Download](https://eprint.iacr.org/2025/513.pdf)

### Abstract

This paper formalizes the notion of server-aided anonymous credentials (SAACs), a new model for anonymous credentials (ACs) where, in the process of showing a credential, the holder is helped by additional auxiliary information generated in an earlier (anonymous) interaction with the issuer. This model enables lightweight instantiations of 'publicly verifiable and multi-use' ACs from pairing-free elliptic curves, which is important for compliance with existing national standards. A recent candidate for the EU Digital Identity Wallet, BBS#, roughly adheres to the SAAC model we have developed; however, it lacks formal security definitions and proofs.

In this paper, we provide rigorous definitions of security for SAACs, and show how to realize SAACs from the weaker notion of keyed-verification ACs (KVACs) and special types of oblivious issuance protocols for zero-knowledge proofs. We instantiate this paradigm to obtain two constructions: one achieves statistical anonymity with unforgeability under the Gap $q$-SDH assumption, and the other achieves computational anonymity and unforgeability under the DDH assumption.



## 2025/514

* Title: On Extractability of the KZG Family of Polynomial Commitment Schemes
* Authors: Juraj Belohorec, Pavel Dvořák, Charlotte Hoffmann, Pavel Hubáček, Kristýna Mašková, Martin Pastyřík
* [Permalink](https://eprint.iacr.org/2025/514)
* [Download](https://eprint.iacr.org/2025/514.pdf)

### Abstract

We present a unifying framework for proving the knowledge-soundness of KZG-like polynomial commitment schemes, encompassing both univariate and multivariate variants. By conceptualizing the proof technique of Lipmaa, Parisella, and Siim for the univariate KZG scheme (EUROCRYPT 2024), we present tools and falsifiable hardness assumptions that permit black-box extraction of the multivariate KZG scheme. Central to our approach is the notion of a canonical Proof-of-Knowledge of a Polynomial (PoKoP) of a polynomial commitment scheme, which we use to capture the extractability notion required in constructions of practical zk-SNARKs. We further present an explicit polynomial decomposition lemma for multivariate polynomials, enabling a more direct analysis of interpolating extractors and bridging the gap between univariate and multivariate commitments. Our results provide the first standard-model proofs of extractability for the multivariate KZG scheme and many of its variants under falsifiable assumptions.



## 2025/515

* Title: Compressed Sigma Protocols: New Model and Aggregation Techniques
* Authors: Yuxi Xue, Tianyu Zheng, Shang Gao, Bin Xiao, Man Ho Au
* [Permalink](https://eprint.iacr.org/2025/515)
* [Download](https://eprint.iacr.org/2025/515.pdf)

### Abstract

Sigma protocols ($\Sigma$-protocols) provide a foundational paradigm for constructing secure algorithms in privacy-preserving applications. To enhance efficiency, several extended models [BG18], [BBB+18], [AC20] incorporating various optimization techniques have been proposed as ``replacements'' for the original $\Sigma$-protocol. However, these models often lack the expressiveness needed to handle complex relations and hinder designers from applying appropriate instantiation and optimization strategies.

In this paper, we introduce a novel compressed $\Sigma$-protocol model that effectively addresses these limitations by providing concrete constructions for relations involving non-linear constraints. Our approach is sufficiently expressive to encompass a wide range of relations. Central to our model is the definition of doubly folded commitments, which, along with a proposed Argument of Knowledge, generalizes the compression and amortization processes found in previous models. Despite the ability to express more relations, this innovation also provides a foundation to discuss a general aggregation technique, optimizing the proof size of instantiated schemes.

To demonstrate the above statements, we provide a brief review of several existing protocols that can be instantiated using our model to demonstrate the versatility of our construction. We also present use cases where our generalized model enhances applications traditionally considered ``less compact'', such as binary proofs [BCC+15] and $k$-out-of-$n$ proofs [ACF21]. In conclusion, our new model offers a more efficient and expressive alternative to the current use of $\Sigma$-protocols, paving the way for broader applicability and optimization in cryptographic applications.



## 2025/516

* Title: Don't Use It Twice: Reloaded! On the Lattice Isomorphism Group Action
* Authors: Alessandro Budroni, Jesús-Javier Chi-Domínguez, Ermes Franch
* [Permalink](https://eprint.iacr.org/2025/516)
* [Download](https://eprint.iacr.org/2025/516.pdf)

### Abstract

Group actions have emerged as a powerful framework in post-quantum cryptography, serving as the foundation for various cryptographic primitives. The Lattice Isomorphism Problem (LIP) has recently gained attention as a promising hardness assumption for designing quantum-resistant protocols. Its formulation as a group action has opened the door to new cryptographic applications, including a commitment scheme and a linkable ring signature.
In this work, we analyze the security properties of the LIP group action and present new findings. Specifically, we demonstrate that it fails to satisfy the weak unpredictability and weak pseudorandomness properties when the adversary has access to as few as three and two instances with the same secret, respectively. This significantly improves upon prior analysis by Budroni et al. (PQCrypto 2024).
As a direct consequence of our findings, we reveal a vulnerability in the linkable ring signature scheme proposed by Khuc et al. (SPACE 2024), demonstrating that the hardness assumption underlying the linkable anonymity property does not hold.



## 2025/517

* Title: Designated-Verifier SNARGs with One Group Element
* Authors: Gal Arnon, Jesko Dujmovic, Yuval Ishai
* [Permalink](https://eprint.iacr.org/2025/517)
* [Download](https://eprint.iacr.org/2025/517.pdf)

### Abstract

We revisit the question of minimizing the proof length of designated-verifier succinct non-interactive arguments (dv-SNARGs) in the generic group model. Barta et al. (Crypto 2020) constructed such dv-SNARGs with inverse-polynomial soundness in which the proof consists of only two group elements. For negligible soundness, all previous constructions required a super-constant number of group elements.

    We show that one group element suffices for negligible soundness. Concretely, we obtain dv-SNARGs (in fact, dv-SNARKs) with $2^{-\tau}$ soundness where proofs consist of one element of a generic group $\mathbb G$ and $O(\tau)$ additional bits. In particular, the proof length in group elements is constant even with $1/|\mathbb G|$ soundness error.
   
    In more concrete terms, compared to the best known SNARGs using bilinear groups, we get dv-SNARGs with roughly $2$x shorter proofs (with $2^{-80}$ soundness at a $128$-bit security level). We are not aware of any practically feasible proof systems that achieve similar succinctness, even fully interactive or heuristic ones.

    Our technical approach is based on a novel combination of techniques for trapdoor hash functions and group-based homomorphic secret sharing with linear multi-prover interactive proofs.



## 2025/518

* Title: Secret-Sharing Schemes for General Access Structures: An Introduction
* Authors: Amos Beimel
* [Permalink](https://eprint.iacr.org/2025/518)
* [Download](https://eprint.iacr.org/2025/518.pdf)

### Abstract

A secret-sharing scheme is a method by which a dealer distributes shares to parties such that only authorized subsets of parties can reconstruct the secret. Secret-sharing schemes are an important tool in cryptography and they are used as a building block in many secure protocols, e.g., secure multiparty computation protocols for arbitrary functionalities, Byzantine agreement, threshold cryptography, access control, attribute-based encryption, and weighted cryptography (e.g., stake-based blockchains). The collection of authorized sets that should be able to reconstruct the secret is called an access structure.. The main goal in secret sharing is to minimize the share size in a scheme realizing an access structure. In most of this monograph, we will consider secret-sharing schemes with information-theoretic security, i.e., schemes in which unauthorized sets cannot deduce any information on the secret even when the set has unbounded computational power. Although research on secret-sharing schemes has been conducted for nearly 40 years, we still do not know what the optimal share size required to realize an arbitrary 𝑛-party access structure is; there is an exponential gap between the best known upper bounds and the best known lower bounds on the share size.

In this monograph, we review the most important topics on secret sharing. We start by discussing threshold secret-sharing schemes in which the authorized sets are all sets whose size is at least some threshold 𝑡; these are the most useful secret-sharing schemes. We then describe efficient constructions of secret-sharing schemes for general access structures; in particular, we describe constructions of linear secret-sharing schemes from monotone formulas and monotone span programs and provide a simple construction for arbitrary 𝑛-party access structures with share size 2𝑐𝑛 for some constant 𝑐 < 1. To demonstrate the importance of secret-sharing schemes, we show how they are used to construct secure multi-party computation protocols for arbitrary functions. We next discuss the main problem with known secret-sharing schemes – the large share size, which is exponential in the number of parties. We present the known lower bounds on the share size. These lower bounds are fairly weak, and there is a big gap between the lower and upper bounds. For linear secret-sharing schemes, which are a class of schemes based on linear algebra that contains most known schemes, exponential lower bounds on the share size are known. We then turn to study ideal secret-sharing schemes in which the share size of each party is the same as the size of the secret; these schemes are the most efficient secret-sharing schemes. We describe a characterization of the access structures that have ideal schemes via matroids. Finally, we discuss computational secret-sharing schemes, i.e., secret-sharing schemes that are secure only against polynomial-time adversaries. We show computational schemes for monotone and non-monotone circuits; these constructions are more efficient than the best known schemes with information-theoretic security.



## 2025/519

* Title: mid-pSquare: Leveraging the Strong Side-Channel Security of Prime-Field Masking in Software
* Authors: Brieuc Balon, Lorenzo Grassi, Pierrick Méaux, Thorben Moos, François-Xavier Standaert, Matthias Johann Steiner
* [Permalink](https://eprint.iacr.org/2025/519)
* [Download](https://eprint.iacr.org/2025/519.pdf)

### Abstract

Efficiently protecting embedded software implementations of standard symmetric cryptographic primitives against side-channel attacks has been shown to be a considerable challenge in practice. This is, in part, due to the most natural countermeasure for such ciphers, namely Boolean masking, not amplifying security well in the absence of sufficient physical noise in the measurements. So-called prime-field masking has been demonstrated to provide improved theoretical guarantees in this context, and the Feistel for Prime Masking (FPM) family of Tweakable Block Ciphers (TBCs) has been recently introduced (Eurocrypt’24) to efficiently leverage these advantages. However, it was so far only instantiated for and empirically evaluated in a hardware implementation context, by using a small (7-bit) prime modulus. In this paper, we build on the theoretical incentive to increase the field size to obtain improved side-channel (Eurocrypt’24) and fault resistance (CHES’24), as well as on the practical incentive to instantiate an FPM instance with optimized performance on 32-bit software platforms. We introduce mid-pSquare for this purpose, a lightweight TBC operating over a 31-bit Mersenne prime field. We first provide an in-depth black box security analysis with a particular focus on algebraic attacks – which, contrary to the cryptanalysis of instances over smaller primes, are more powerful than statistical ones in our setting. We also design a strong tweak schedule to account for potential related-tweak algebraic attacks which, so far, are almost unknown in the literature. We then demonstrate that mid-pSquare implementations deliver very competitive performance results on the target platform compared to analogous binary TBCs regardless of masked or unmasked implementation (we use fix-sliced SKINNY for our comparisons). Finally, we experimentally establish the side-channel security improvements that masked mid-pSquare can lead to, reaching unmatched resistance to profiled horizontal attacks on lightweight 32-bit processors (ARM Cortex-M4).



## 2025/520

* Title: Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework
* Authors: Thibauld Feneuil, Matthieu Rivain, Auguste Warmé-Janville
* [Permalink](https://eprint.iacr.org/2025/520)
* [Download](https://eprint.iacr.org/2025/520.pdf)

### Abstract

Side-channel attacks pose significant threats to cryptographic implementations, which require the inclusion of countermeasures to mitigate these attacks. In this work, we study the masking of state-of-the-art post-quantum signatures based on the MPC-in-the-head paradigm. More precisely, we focus on the recent threshold-computation-in-the-head (TCitH) framework that applies to some NIST candidates of the post-quantum standardization process. We first provide an analysis of side-channel attack paths in the signature algorithms based on the TCitH framework. We then explain how to apply standard  masking to achieve a $d$-probing secure implementation of such schemes, with performance scaling in $O(d^{2})$, for $d$ the masking order.

    Our main contribution is to introduce different ways to tweak those signature schemes towards their masking friendliness. While the TCitH framework comes in two variants, the GGM variant and the Merkle tree variant, we introduce a specific tweak for each of these variants. These tweaks allow us to achieve complexities of $O(d)$ and $O(d \log d)$ at the cost of non-constant signature size, caused by the inclusion of additional seeds in the signature. We also propose a third tweak that takes advantage of the threshold secret sharing used in TCitH. With the right choice of parameters, we show how, by design, some parts of the TCitH algorithms satisfy probing security without additional countermeasures. While this approach can substantially reduce the cost of masking in some part of the signature algorithm, it degrades the soundness of the core zero-knowledge proof, hence slightly increasing the size of the signature.

    We analyze the complexity of the masked implementations of our tweaked TCitH signatures and provide benchmarks on a RISC-V platform with built-in hash accelerator. We use a modular benchmarking approach, allowing to estimate the performance of diverse signature instances with different tweaks and parameters. Our results illustrate how the different variants scale for an increasing masking order. For instance, for a masking order $d = 3$, we obtain signatures of around $14$ kB that run in $0.67$ second on a the target RISC-V CPU with a $250$MHz frequency. This is to be compared with the $4.7$ seconds required by the original signature scheme masked at the same order on the same platform. For a masking order $d=7$, we obtain a signature of $17.5$ kB running in $1.75$ second, to be compared with $16$ seconds for the stardard masked signature.

    Finally, we discuss the extension of our techniques to signature schemes based on the VOLE-in-the-Head framework, which shares similarities with the GGM variant of TCitH. One key takeaway of our work is that the Merkle tree variant of TCitH is inherently more amenable to efficient masking than frameworks based on GGM trees, such as TCitH-GGM or VOLE-in-the-Head.



## 2025/521

* Title: Division polynomials for arbitrary isogenies
* Authors: Katherine E. Stange
* [Permalink](https://eprint.iacr.org/2025/521)
* [Download](https://eprint.iacr.org/2025/521.pdf)

### Abstract

Following work of Mazur-Tate and Satoh, we extend the definition of division polynomials to arbitrary isogenies of elliptic curves, including those whose kernels do not sum to the identity.  In analogy to the classical case of division polynomials for multiplication-by-n, we demonstrate recurrence relations, identities relating to classical elliptic functions, the chain rule describing relationships between division polynomials on source and target curve, and generalizations to higher dimension (i.e., elliptic nets).



## 2025/522

* Title: New Techniques for Analyzing Fully Secure Protocols: A Case Study of Solitary Output Secure Computation
* Authors: Bar Alon, Benjamin Saldman, Eran Omri
* [Permalink](https://eprint.iacr.org/2025/522)
* [Download](https://eprint.iacr.org/2025/522.pdf)

### Abstract

Solitary output secure computation allows a set of mutually distrustful parties to compute a function of their inputs such that only a designated party obtains the output. Such computations should satisfy various security properties such as correctness, privacy, independence of inputs, and even guaranteed output delivery. We are interested in full security, which captures all of these properties. Solitary output secure computation has been the study of many papers in recent years, as it captures many real-world scenarios.

A systematic study of fully secure solitary output computation was initiated by Halevi et al. [TCC 2019]. They showed several positive and negative results, however, they did not characterize what functions can be computed with full security. Alon et al. [EUROCRYPT 2024] considered the special, yet important case, of three parties with Boolean output, where the output-receiving party has no input. They completely characterized the set of such functionalities that can be computed with full security. Interestingly, they also showed a possible connection with the seemingly unrelated notion of fairness, where either all parties obtain the output or none of them do.

We continue this line of investigation and study the set of three-party solitary output Boolean functionalities where all parties hold private inputs. Our main contribution is defining and analyzing a family of ``special-round'' protocols, which generalizes the set of previously proposed protocols. Our techniques allow us to identify which special-round protocols securely compute a given functionality (if such exists). Interestingly, our analysis can also be applied in the two-party setting (where fairness is an issue). Thus, we believe that our techniques may prove useful in additional settings and deepen our understanding of the connections between the various settings.



## 2025/523

* Title: Assembly optimised Curve25519 and Curve448 implementations for ARM Cortex-M4 and Cortex-M33
* Authors: Emil Lenngren
* [Permalink](https://eprint.iacr.org/2025/523)
* [Download](https://eprint.iacr.org/2025/523.pdf)

### Abstract

Since the introduction of TLS 1.3, which includes X25519 and X448 as key exchange algorithms, one could expect that high efficient implementations for these two algorithms become important as the need for power efficient and secure IoT devices increases. Assembly optimised X25519 implementations for low end processors such as Cortex-M4 have existed for some time but there has only been scarce progress on optimised X448 implementations for low end ARM processors such as Cortex-M4 and Cortex-M33. This work attempts to fill this gap by demonstrating how to design a constant time X448 implementation that runs in 2 273 479 cycles on Cortex-M4 and 2 170 710 cycles on Cortex-M33 with DSP. An X25519 implementation is also presented that runs in 441 116 cycles on Cortex-M4 and 411 061 cycles on Cortex-M33 with DSP.



## 2025/524

* Title: Ring Referral: Efficient Publicly Verifiable Ad hoc Credential Scheme with Issuer and Strong User Anonymity for Decentralized Identity and More
* Authors: The-Anh Ta, Xiangyu Hui, Sid Chi-Kin Chau
* [Permalink](https://eprint.iacr.org/2025/524)
* [Download](https://eprint.iacr.org/2025/524.pdf)

### Abstract

In this paper, we present a ring referral scheme, by which a user can publicly prove her knowledge of a valid signature for a private message that is signed by one of an ad hoc set of authorized issuers, without revealing the signing issuer. Ring referral is a natural extension to traditional ring signature by allowing a prover to obtain a signature from a third-party signer. Our scheme is useful for diverse applications, such as certificate-hiding decentralized identity, privacy-enhancing federated authentication, anonymous endorsement and privacy -preserving referral marketing. In contrast with prior issuer-hiding credential schemes, our ring referral scheme supports more distinguishing features, such as (1) public verifiability over an ad hoc ring, (2) strong user anonymity against collusion among the issuers and verifier to track a user, (3) transparent setup,  (4) message hiding, (5) efficient multi-message logarithmic verifiability, (6) threshold scheme for requiring multiple co-signing issuers. Finally, we implemented our ring referral scheme with extensive empirical evaluation



## 2025/525

* Title: Deniable Secret Sharing
* Authors: Ran Canetti, Ivan Damgård, Sebastian Kolby, Divya Ravi, Sophia Yakoubov
* [Permalink](https://eprint.iacr.org/2025/525)
* [Download](https://eprint.iacr.org/2025/525.pdf)

### Abstract

We introduce deniable secret sharing (DSS), which, analogously to deniable encryption, enables shareholders to produce fake shares that are consistent with a target “fake message”, regardless of the original secret. In contrast to deniable encryption, in a DSS scheme an adversary sees multiple shares, some of which might be real, and some fake. This makes DSS a more difficult task, especially in situations where the fake shares need to be generated by individual shareholders, without coordination with other shareholders.

We define several desirable properties for DSS, and show both positive and negative results for each. The strongest property is fake hiding, which is a natural analogy of deniability for encryption: given a complete set of shares, an adversary cannot determine whether any shares are fake. We show a construction based on Shamir secret sharing that achieves fake hiding as long as (1) the fakers are qualified (number $t$ or more), and (2) the set of real shares which the adversary sees is unqualified. Next we show a construction based on indistinguishability obfuscation that relaxes condition (1) and achieves fake hiding even when the fakers are unqualified (as long as they comprise more than half of the shareholders). We also extend the first construction to provide the weaker property of faker anonymity for all thresholds. (Faker anonymity requires that given some real shares and some fake shares, an adversary should not be able to tell which are fake, even if it can tell that some fake shares are present.) All of these constructions require the fakers to coordinate in order to produce fake shares.

On the negative side, we first show that fake hiding is unachievable when the fakers are a minority, even if the fakers coordinate. Further, if the fakers do not coordinate, then even faker anonymity is unachievable as soon as $t < n$ (namely the reconstruction threshold is smaller than the number of parties).



## 2025/526

* Title: AI Agents in Cryptoland: Practical Attacks and No Silver Bullet
* Authors: Atharv Singh Patlan, Peiyao Sheng, S. Ashwin Hebbar, Prateek Mittal, Pramod Viswanath
* [Permalink](https://eprint.iacr.org/2025/526)
* [Download](https://eprint.iacr.org/2025/526.pdf)

### Abstract

The integration of AI agents with Web3 ecosystems harnesses their complementary potential for autonomy and openness, yet also introduces underexplored security risks, as these agents dynamically interact with financial protocols and immutable smart contracts. This paper investigates the vulnerabilities of AI agents within blockchain-based financial ecosystems when exposed to adversarial threats in real-world scenarios. We introduce the concept of context manipulation -- a comprehensive attack vector that exploits unprotected context surfaces, including input channels, memory modules, and external data feeds. Through empirical analysis of ElizaOS, a decentralized AI agent framework for automated Web3 operations, we demonstrate how adversaries can manipulate context by injecting malicious instructions into prompts or historical interaction records, leading to unintended asset transfers and protocol violations which could be financially devastating.  Our findings indicate that prompt-based defenses are insufficient, as malicious inputs can corrupt an agent's stored context, creating cascading vulnerabilities across interactions and platforms. This research highlights the urgent need to develop AI agents that are both secure and fiduciarily responsible.



## 2025/527

* Title: SoK: Fully-homomorphic encryption in smart contracts
* Authors: Daniel Aronoff, Adithya Bhat, Panagiotis Chatzigiannis, Mohsen Minaei, Srinivasan Raghuraman, Robert M. Townsend, Nicolas Xuan-Yi Zhang
* [Permalink](https://eprint.iacr.org/2025/527)
* [Download](https://eprint.iacr.org/2025/527.pdf)

### Abstract

Blockchain technology and smart contracts have revolutionized digital transactions by enabling trustless and decentralized exchanges of value. However, the inherent transparency and immutability of blockchains pose significant privacy challenges. On-chain data, while pseudonymous, is publicly visible and permanently recorded, potentially leading to the inadvertent disclosure of sensitive information. This issue is particularly pronounced in smart contract applications, where contract details are accessible to all network participants, risking the exposure of identities and transactional details.

To address these privacy concerns, there is a pressing need for privacy-preserving mechanisms in smart contracts. To showcase this need even further, in our paper we bring forward advanced use-cases in economics which only smart contracts equipped with privacy mechanisms can realize, and show how  fully-homomorphic encryption (FHE) as a privacy enhancing technology (PET) in smart contracts, operating on a public blockchain, can make possible the implementation of these use-cases. Furthermore, we perform a comprehensive systematization of FHE-based approaches in smart contracts, examining their potential to maintain the confidentiality of sensitive information while retaining the benefits of smart contracts, such as automation, decentralization, and security. After we evaluate these existing FHE solutions in the context of the use-cases we consider, we  identify open problems, and suggest future research directions to enhance privacy in blockchain smart contracts.



## 2025/528

* Title: VeRange: Verification-efficient Zero-knowledge Range Arguments with Transparent Setup for Blockchain Applications and More
* Authors: Yue Zhou, Sid Chi-Kin Chau
* [Permalink](https://eprint.iacr.org/2025/528)
* [Download](https://eprint.iacr.org/2025/528.pdf)

### Abstract

Zero-knowledge range arguments are a fundamental cryptographic primitive that allows a prover to convince a verifier of the knowledge of a secret value lying within a predefined range. They have been utilized in diverse applications, such as confidential transactions, proofs of solvency and anonymous credentials. Range arguments with a transparent setup dispense with any trusted setup to eliminate security backdoor and enhance transparency. They are increasingly deployed in diverse decentralized applications on blockchains. One of the major concerns of practical deployment of range arguments on blockchains is the incurred gas cost and high computational overhead associated with blockchain miners. Hence, it is crucial to optimize the verification efficiency in range arguments to alleviate the deployment cost on blockchains and other decentralized platforms. In this paper, we present VeRange with several new zero-knowledge range arguments in the discrete logarithm setting, requiring only $c \sqrt{N/\log N}$ group exponentiations for verification, where $N$ is the number of bits to represent a range and $c$ is a small constant, making them concretely efficient for blockchain deployment with a very low gas cost. Furthermore, VeRange is aggregable, allowing a prover to simultaneously prove $T$ range arguments in a single argument, requiring only $O(\sqrt{TN/\log (TN)}) + T$ group exponentiations for verification. We deployed {\tt VeRange} on Ethereum and measured the empirical gas cost, achieving the fastest verification runtime and the lowest gas cost among the discrete-logarithm-based range arguments in practice.



## 2025/529

* Title: On the Anonymity in "A Practical Lightweight Anonymous Authentication and Key Establishment Scheme for Resource-Asymmetric Smart Environments"
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](https://eprint.iacr.org/2025/529)
* [Download](https://eprint.iacr.org/2025/529.pdf)

### Abstract

We show that the anonymous authentication and key establishment scheme [IEEE TDSC, 20(4), 3535-3545, 2023] fails to keep user anonymity, not as claimed. We also suggest a method to fix it.



## 2025/530

* Title: Lattice-based extended withdrawable signatures
* Authors: Ramses Fernandez
* [Permalink](https://eprint.iacr.org/2025/530)
* [Download](https://eprint.iacr.org/2025/530.pdf)

### Abstract

This article presents an extension of the work performed by Liu, Baek and Susilo on extended withdrawable signatures to lattice-based constructions. We introduce a general construction, and provide security proofs for this proposal.. As instantiations, we provide concrete construction for extended withdrawable signature schemes based on Dilithium and HAETAE.



## 2025/531

* Title: Understanding the new distinguisher of alternant codes at degree 2
* Authors: Axel Lemoine, Rocco Mora, Jean-Pierre Tillich
* [Permalink](https://eprint.iacr.org/2025/531)
* [Download](https://eprint.iacr.org/2025/531.pdf)

### Abstract

Distinguishing Goppa codes or alternant codes from generic
linear codes [FGO+11] has been shown to be a first step before being
able to attack McEliece cryptosystem based on those codes [BMT24].
Whereas the distinguisher of [FGO+11] is only able to distinguish Goppa
codes or alternant codes of rate very close to 1, in [CMT23a] a much more
powerful (and more general) distinguisher was proposed. It is based on
computing the Hilbert series $\{\mathrm{HF}(d),~d\in  \mathbb{N}\}$ of a Pfaffian modeling.
The distinguisher of [FGO+11] can be interpreted as computing $\mathrm{HF}(1)$.
Computing $\mathrm{HF}(2)$ still gives a polynomial time distinguisher for alternant
or Goppa codes and is apparently able to distinguish Goppa or alternant
codes in a much broader regime of rates as the one of [FGO+11]. However,
the scope of this distinguisher was unclear. We give here a formula for
$\mathrm{HF}(2)$ corresponding to generic alternant codes when the field size $q$
satisfies $q \geq r$, where r is the degree of the alternant code. We also
show that this expression for$\mathrm{HF}(2)$ provides a lower bound in general.
The value of $\mathrm{HF}(2)$ corresponding to random linear codes is known and
this yields a precise description of the new regime of rates that can be
distinguished by this new method. This shows that the new distinguisher
improves significantly upon the one given in [FGO+11].



## 2025/532

* Title: Chunking Attacks on File Backup Services using Content-Defined Chunking
* Authors: Boris Alexeev, Colin Percival, Yan X Zhang
* [Permalink](https://eprint.iacr.org/2025/532)
* [Download](https://eprint.iacr.org/2025/532.pdf)

### Abstract

Systems such as file backup services often use content-defined chunking (CDC) algorithms, especially those based on rolling hash techniques, to split files into chunks in a way that allows for data deduplication. These chunking algorithms often depend on per-user parameters in an attempt to avoid leaking information about the data being stored. We present attacks to extract these chunking parameters and discuss protocol-agnostic attacks and loss of security once the parameters are breached (including when these parameters are not setup at all, which is often available as an option). Our parameter-extraction attacks themselves are protocol-specific but their ideas are generalizable to many potential CDC schemes.



## 2025/533

* Title: JesseQ: Efficient Zero-Knowledge Proofs for Circuits over Any Field
* Authors: Mengling Liu, Yang Heng, Xingye Lu, Man Ho Au
* [Permalink](https://eprint.iacr.org/2025/533)
* [Download](https://eprint.iacr.org/2025/533.pdf)

### Abstract

Recent advances in Vector Oblivious Linear Evaluation (VOLE) protocols have enabled constant-round, fast, and scalable (designated-verifier) zero-knowledge proofs, significantly reducing prover computational cost. Existing protocols, such as QuickSilver [CCS’21] and LPZKv2 [CCS’22], achieve efficiency with prover costs of 4 multiplications in the extension field per AND gate for Boolean circuits, with one multiplication requiring a O(κ log κ)-bit operation where κ = 128 is the security parameter and 3-4 field multiplications per multiplication gate for arithmetic circuits over a large field.
We introduce JesseQ, a suite of two VOLE-based protocols: JQv1 and JQv2, which advance state of the art. JQv1 requires only 2 scalar multiplications in an extension field per AND gate for Boolean circuits, with one scalar needing a O(κ)- bit operation, and 2 field multiplications per multiplication gate for arithmetic circuits over a large field. In terms of communication costs, JQv1 needs just 1 field element per gate. JQv2 further reduces communication costs by half at the cost of doubling the prover’s computation.
Experiments show that, compared to the current state of the art, both JQv1 and JQv2 achieve at least 3.9× improvement for Boolean circuits. For large field circuits, JQv1 has a similar performance, while JQv2 offers a 1.3× improvement. Additionally, both JQv1 and JQv2 maintain the same communication cost as the current state of the art. Notably, on the cheapest AWS instances, JQv1 can prove 9.2 trillion AND gates (or 5.8 trillion multiplication gates over a 61-bit field) for just one US dollar. JesseQ excels in applications like inner products, matrix multiplication, and lattice problems, delivering 40%- 200% performance improvements compared to QuickSilver. Additionally, JesseQ integrates seamlessly with the sublinear Batchman framework [CCS’23], enabling further efficiency gains for batched disjunctive statements.



## 2025/534

* Title: Plonkify: R1CS-to-Plonk transpiler
* Authors: Pengfei Zhu
* [Permalink](https://eprint.iacr.org/2025/534)
* [Download](https://eprint.iacr.org/2025/534.pdf)

### Abstract

Rank-1 Constraint Systems (R1CS) and Plonk constraint systems are two commonly used circuit formats for zero-knowledge succinct non-interactive arguments of knowledge (zkSNARKs). We present Plonkify, a tool that converts a circuit in an R1CS arithmetization to Plonk, with support for both vanilla gates and custom gates. Our tool is able to convert an R1CS circuit with 229,847 constraints to a vanilla Plonk circuit with 855,296 constraints, or a jellyfish turbo Plonk circuit with 429,166 constraints, representing a $2.59\times$ and $1..9\times$ reduction in the number of constraints over the respective naïve conversions.



## 2025/535

* Title: zkPyTorch: A Hierarchical Optimized Compiler for Zero-Knowledge Machine Learning
* Authors: Tiancheng Xie, Tao Lu, Zhiyong Fang, Siqi Wang, Zhenfei Zhang, Yongzheng Jia, Dawn Song, Jiaheng Zhang
* [Permalink](https://eprint.iacr.org/2025/535)
* [Download](https://eprint.iacr.org/2025/535.pdf)

### Abstract

As artificial intelligence (AI) becomes increasingly embedded in high-stakes applications such as healthcare, finance, and autonomous systems, ensuring the verifiability of AI computations without compromising sensitive data or proprietary models is crucial. Zero-knowledge machine learning (ZKML) leverages zero-knowledge proofs (ZKPs) to enable the verification of AI model outputs while preserving confidentiality. However, existing ZKML approaches require specialized cryptographic expertise, making them inaccessible to traditional AI developers.

In this paper, we introduce ZKPyTorch, a compiler that seamlessly integrates ML frameworks like PyTorch with ZKP engines like Expander, simplifying the development of ZKML. ZKPyTorch automates the translation of ML operations into optimized ZKP circuits through three key components. First, a ZKP preprocessor converts models into structured computational graphs and injects necessary auxiliary information to facilitate proof generation. Second, a ZKP-friendly quantization module introduces an optimized quantization strategy that reduces computation bit-widths, enabling efficient ZKP execution within smaller finite fields such as M61. Third, a hierarchical ZKP circuit optimizer employs a multi-level optimization framework at model, operation, and circuit levels to improve proof generation efficiency.

We demonstrate ZKPyTorch effectiveness through end-to-end case studies, successfully converting VGG-16 and Llama-3 models from PyTorch, a leading ML framework, into ZKP-compatible circuits recognizable by Expander, a state-of-the-art ZKP engine. Using Expander, we generate zero-knowledge proofs for
these models, achieving proof generation for the VGG-16 model in 2.2 seconds per CIFAR-10 image for VGG-16 and 150 seconds per token for Llama-3 inference, improving the practical adoption of ZKML.



## 2025/536

* Title: A Fiat-Shamir Transformation From Duplex Sponges
* Authors: Alessandro Chiesa, Michele Orrù
* [Permalink](https://eprint.iacr.org/2025/536)
* [Download](https://eprint.iacr.org/2025/536.pdf)

### Abstract

The Fiat-Shamir transformation underlies numerous non-interactive arguments, with variants that differ in important ways. This paper addresses a gap between variants analyzed by theoreticians and variants implemented (and deployed) by practitioners. Specifically, theoretical analyses typically assume parties have access to random oracles with sufficiently large input and output size, while cryptographic hash functions in practice have fixed input and output sizes (pushing practitioners towards other variants).

In this paper we propose and analyze a variant of the Fiat-Shamir transformation that is based on an ideal permutation of fixed size. The transformation relies on the popular duplex sponge paradigm, and minimizes the number of calls to the permutation (given the amount of information to absorb and to squeeze). Our variant closely models deployed variants of the Fiat-Shamir transformation, and our analysis provides concrete security bounds that can be used to set security parameters in practice.

We additionally contribute spongefish, an open-source Rust library implementing our Fiat-Shamir transformation. The library is interoperable across multiple cryptographic frameworks, and works with any choice of permutation. The library comes equipped with Keccak and Poseidon permutations, as well as several "codecs" for re-mapping prover and verifier messages to the permutation's domain.