## In this issue
1. [2025/748] Symphony of Speeds: Harmonizing Classic McEliece ...
2. [2025/749] GOLF: Unleashing GPU-Driven Acceleration for FALCON ...
3. [2025/750] Secure Rate-Distortion-Perception Trade-off Over ...
4. [2025/751] Improved Range Searching And Range Emptiness Under ...
5. [2025/752] LEAGAN: A Decentralized Version-Control Framework ...
6. [2025/753] Linear-Time Accumulation Schemes
7. [2025/754] On graph based pseudo quadratic multivariate maps ...
8. [2025/755] A Note on "CB-DA: Lightweight and Escrow-Free ...
9. [2025/756] PIRCOR: Communication-Optimal Hintless Single- ...
10. [2025/757] Threshold Niederreiter: Chosen-Ciphertext Security ...
11. [2025/758] Blockcipher-Based Key Commitment for Nonce-Derived ...
12. [2025/759] Let's DOIT: Using Intel's Extended HW/SW Contract ...
13. [2025/760] DGSP: An Efficient Scalable Fully Dynamic Group ...
14. [2025/761] TERRA : Trojan-Resilient Reverse-Firewall for ...
15. [2025/762] $\textbf{MALARIA}$: $\textbf{Ma}$nagement of ...
16. [2025/763] The Tangent Space Attack
17. [2025/764] Security of a secret sharing protocol on the Qline
18. [2025/765] ZKPoG: Accelerating WitGen-Incorporated End-to-End ...
19. [2025/766] Unbiasable Verifiable Random Functions from Generic ...
20. [2025/767] ALPACA: Anonymous Blocklisting with Constant-Sized ...
21. [2025/768] Incompleteness in Number-Theoretic Transforms: New ...
22. [2025/769] Finding the Inverse of some Shift Invariant ...
23. [2025/770] ZHE: Efficient Zero-Knowledge Proofs for HE Evaluations
24. [2025/771] Differential Fault Attacks on TFHE-friendly cipher ...
25. [2025/772] Publicly Auditable Garbled Circuit
26. [2025/773] Exploring Adversarial Attacks on the MaSTer ...
27. [2025/774] Towards a Modern LLL Implementation
28. [2025/775] AuthOr: Lower Cost Authenticity-Oriented Garbling ...
29. [2025/776] Clementine: A Collateral-Efficient, Trust- ...
30. [2025/777] Seamless Switching Between PBS and WoPBS for ...
31. [2025/778] Cryptography from Lossy Reductions: Towards OWFs ...
32. [2025/779] Improving the Round Complexity of MiniCast
33. [2025/780] The Planted Orthogonal Vectors Problem
34. [2025/781] Generalizing the Augot-Finiasz PKE to Other Code ...
35. [2025/782] AES Is Not Enough: the Block Ciphers Zoo Goes ...
36. [2025/783] Non-Adaptive Cryptanalytic Time-Space Lower Bounds ...
37. [2025/784] SHIP: A Shallow and Highly Parallelizable CKKS ...
38. [2025/785] DNDK: Combining Nonce and Key Derivation for Fast ...
39. [2025/786] Robust and Verifiable MPC with Applications to ...
40. [2025/787] Preprocessing for Life: Dishonest-Majority MPC with ...
41. [2025/788] Identity-Based Ring Signature from Quantum Token
42. [2025/789] Rushing at SPDZ: On the Practical Security of ...
43. [2025/790] PULSE: Parallel Private Set Union for Large-Scale ...
44. [2025/791] Analysis of One Privacy-Preserving Electricity Data ...
45. [2025/792] A Scrutiny of the Security of AES-based Hashing and ...
46. [2025/793] Solving systems of polynomial equations via ...
47. [2025/794] Formal Analysis of Multi-Device Group Messaging in ...
48. [2025/795] Efficient Noncommutative KEMs from Twisted Dihedral ...
49. [2025/796] Unified MEDS Accelerator
50. [2025/797] WEBCAT: Web-based Code Assurance and Transparency
51. [2025/798] CRAFT: Characterizing and Root-Causing Fault ...
## 2025/748
* Title: Symphony of Speeds: Harmonizing Classic McEliece Cryptography with GPU Innovation
* Authors: Wen Wu, Jiankuo Dong, Zhen Xu, Zhenjiang Dong, Dung Duong, Fu Xiao, Jingqiang Lin
* [Permalink](
https://eprint.iacr.org/2025/748)
* [Download](
https://eprint.iacr.org/2025/748.pdf)
### Abstract
The Classic McEliece key encapsulation mechanism (KEM), a candidate in the fourth-round post-quantum cryptography (PQC) standardization process by the National Institute of Standards and Technology (NIST), stands out for its conservative design and robust security guarantees. Leveraging the code-based Niederreiter cryptosystem, Classic McEliece delivers high-performance encapsulation and decapsulation, making it well-suited for various applications. However, there has not been a systematic implementation of Classic McEliece on GPU platforms. This paper presents the first high-performance implementation of Classic McEliece on NVIDIA GPUs. Firstly, we present the first GPU-based implementation of Classic McEliece, utilizing a ``CPU-GPU'' heterogeneous approach and a kernel fusion strategy. We significantly reduce global memory accesses, optimizing memory access patterns. This results in encapsulation and decapsulation performance of 28,628,195 ops/s and 3,051,701 ops/s, respectively, for McEliece348864. Secondly, core operations like Additive Fast Fourier Transforms (AFFT), and Transpose AFFT (TAFFT) are optimized. We introduce the concept of the (T)AFFT stepping chain and propose two universal schemes: Memory Access Stepping Strategy (MASS) and Layer-Fused Memory Access Stepping Strategy (LFMASS), which achieve a speedup of 30.56% and 38.37%, respectively, compared to the native
GPU-based McEliece6960119 implementation. Thirdly, extensive experiments on the NVIDIA RTX4090 show significant performance gains, achieving up to 344$\times$ higher encapsulation and 125$\times$ higher decapsulation compared to the official CPU-based AVX implementation, decisively outperforming existing ARM Cortex-M4 and FPGA implementations.
## 2025/749
* Title: GOLF: Unleashing GPU-Driven Acceleration for FALCON Post-Quantum Cryptography
* Authors: Ruihao Dai, Jiankuo Dong, Mingrui Qiu, Zhenjiang Dong, Fu Xiao, Jingqiang Lin
* [Permalink](
https://eprint.iacr.org/2025/749)
* [Download](
https://eprint.iacr.org/2025/749.pdf)
### Abstract
Quantum computers leverage qubits to solve certain computational problems significantly faster than classical computers. This capability poses a severe threat to traditional cryptographic algorithms, leading to the rise of post-quantum cryptography (PQC) designed to withstand quantum attacks. FALCON, a lattice-based signature algorithm, has been selected by the National Institute of Standards and Technology (NIST) as part of its post-quantum cryptography standardization process. However, due to the computational complexity of PQC, especially in cloud-based environments, throughput limitations during peak demand periods have become a bottleneck, particularly for FALCON.
In this paper, we introduce GOLF (GPU-accelerated Optimization for Lattice-based FALCON), a novel GPU-based parallel acceleration framework for FALCON. GOLF includes algorithm porting to the GPU, compatibility modifications, multi-threaded parallelism with distinct data, single-thread optimization for single tasks, and specific enhancements to the Fast Fourier Transform (FFT) module within FALCON. Our approach achieves unprecedented performance in FALCON acceleration on GPUs.
On the NVIDIA RTX 4090, GOLF reaches a signature generation throughput of 42.02 kops/s and a signature verification throughput of 10,311.04 kops/s. These results represent a 58.05$\times$ / 73.14$\times$ improvement over the reference FALCON implementation and a 7.17$\times$ / 3.79$\times$ improvement compared to the fastest known GPU implementation to date. GOLF demonstrates that GPU acceleration is not only feasible for post-quantum cryptography but also crucial for addressing throughput bottlenecks in real-world applications.
## 2025/750
* Title: Secure Rate-Distortion-Perception Trade-off Over Channels: A Randomized Distributed Function Computation (RDFC) Application
* Authors: Gustaf Ahlgren, Onur Gunlu
* [Permalink](
https://eprint.iacr.org/2025/750)
* [Download](
https://eprint.iacr.org/2025/750.pdf)
### Abstract
Secure rate-distortion-perception (RDP) trade-offs arise in critical applications, such as semantic compression and privacy-preserving generative coding, where preserving perceptual quality while minimizing distortion is vital. This paper studies a framework for secure RDP over noiseless and noisy broadcast channels under strong secrecy constraints. We first characterize the exact secure RDP region for noiseless transmission channels. We then develop an inner bound on the secure RDP region for a memoryless broadcast channel with correlated noise components at the receivers' observations and prove its tightness under a more capable broadcast channel assumption. Our results demonstrate how optimized binning schemes simultaneously achieve high perceptual quality, low distortion, and strong secrecy, illuminating fundamental information-theoretic limits for next-generation trustworthy computation systems.
## 2025/751
* Title: Improved Range Searching And Range Emptiness Under FHE Using Copy-And-Recurse
* Authors: Eyal Kushnir, Hayim Shaul
* [Permalink](
https://eprint.iacr.org/2025/751)
* [Download](
https://eprint.iacr.org/2025/751.pdf)
### Abstract
Range counting is the problem of preprocessing a set $P\subset R^d$ of $n$ points, such that given a query range $\gamma$ we can efficiently compute $|P\cap\gamma|$. In the more general range searching problem the goal is to compute $f(P\cap\gamma)$, for some function $f$.
It was already shown (Kushnir et al. PETS'24) how to efficiently answer a range searching query under FHE using a technique they called Copy-and-Recurse to traverse partition trees.
In the Range emptiness problem the goal is to compute only whether $P\cap\gamma =\emptyset$. This was shown (in plaintext) to be done more efficiently.
Range emptiness is interesting on its own and also used as a building block in other algorithms.
In this paper we improve and extend the results of Kushnir et al.
First, for range searching we reduce the overhead term to the optimal $O(n)$, so for example if the ranges are halfspaces in $R^d$ bounded by hyperplanes then range searching can be done with a circuit of size $O(t\cdot n^{1-1/d+\varepsilon}+n)$, where $t$ is the size of the sub-circuit that checks whether a point lies under a hyperplane.
Second, we introduce a variation of copy-and-recurse that we call leveled copy-and-recurse. With this variation we improve range searching in the 1-dimensional case as well as traversal of other trees (e.g., binary trees and B-trees).
Third, we show how to answer range emptiness queries under FHE more efficiently than range counting.
We implemented our algorithms and show that our techniques for range emptiness yield a solution that is $\times 3.6$ faster than the previous results for a database of $2^{25}$ points.
## 2025/752
* Title: LEAGAN: A Decentralized Version-Control Framework for Upgradeable Smart Contracts
* Authors: Gulshan Kumar, Rahul Saha, Mauro Conti, William J Buchanan
* [Permalink](
https://eprint.iacr.org/2025/752)
* [Download](
https://eprint.iacr.org/2025/752.pdf)
### Abstract
Smart contracts are integral to decentralized systems like blockchains and enable the automation of processes through programmable conditions. However, their immutability, once deployed, poses challenges when addressing errors or bugs. Existing solutions, such as proxy contracts, facilitate upgrades while preserving application integrity. Yet, proxy contracts bring issues such as storage constraints and proxy selector clashes - along with complex inheritance management. This paper introduces a novel upgradeable smart contract framework with version control, named "decentraLized vErsion control and updAte manaGement in upgrAdeable smart coNtracts (LEAGAN)." LEAGAN is the first decentralized updatable smart contract framework that employs data separation with Incremental Hash (IH) and Revision Control System (RCS). It updates multiple contract versions without starting anew for each update, and reduces time complexity, and where RCS optimizes space utilization through differentiated version control. LEAGAN also introduces the first status contract in upgradeable smart contracts, and which reduces overhead while maintaining immutability. In Ethereum Virtual Machine (EVM) experiments, LEAGAN shows 40\% better space utilization, 30\% improved time complexity, and 25\% lower gas consumption compared to state-of-the-art models. It thus stands as a promising solution for enhancing blockchain system efficiency.
## 2025/753
* Title: Linear-Time Accumulation Schemes
* Authors: Benedikt Bünz, Alessandro Chiesa, Giacomo Fenzi, William Wang
* [Permalink](
https://eprint.iacr.org/2025/753)
* [Download](
https://eprint.iacr.org/2025/753.pdf)
### Abstract
Proof-carrying data (PCD) is a powerful cryptographic primitive for computational integrity in a distributed setting. State-of-the-art constructions of PCD are based on accumulation schemes (and, closely related, folding schemes).
We present WARP, the first accumulation scheme with linear prover time and logarithmic verifier time. Our scheme is hash-based (secure in the random oracle model), plausibly post-quantum secure, and supports unbounded accumulation depth.
We achieve our result by constructing an interactive oracle reduction of proximity that works with any linear code over a sufficiently large field. We take a novel approach by constructing a straightline extractor that relies on erasure correction, rather than error-tolerant decoding like prior extractors. Along the way, we introduce a variant of straightline round-by-round knowledge soundness that is compatible with our extraction strategy.
## 2025/754
* Title: On graph based pseudo quadratic multivariate maps of prescribed degree as instruments of key establishment
* Authors: Vasyl Ustimenko, Tymoteusz Chojecki
* [Permalink](
https://eprint.iacr.org/2025/754)
* [Download](
https://eprint.iacr.org/2025/754.pdf)
### Abstract
Let us assume that one of two trusted parties (administrator) manages the information system (IS) and another one (user) is going to use the resources of this IS during the certain time interval. So they need establish secure user’s access password to the IS resources of this system via selected authenticated key exchange protocol. So they need to communicate via insecure communication channel and secretly con-struct a cryptographically strong session key that can serve for the establishment of secure passwords in the form of tuples in certain alphabet during the certain time interval. Nowadays selected protocol has to be postquantum secure. We propose the implementation of this scheme in terms of Symbolic Computa-tions. The key exchange protocol is one of the key exchange algorithms of Noncommutative Cryptography with the platform of multivariate transformation of the affine space over selected finite commutative ring. The session key is a multivariate map on the affine space. Platforms and multivariate maps are construct-ed in terms of Algebraic Graph Theory.
## 2025/755
* Title: A Note on "CB-DA: Lightweight and Escrow-Free Certificate-Based Data Aggregation for Smart Grid"
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](
https://eprint.iacr.org/2025/755)
* [Download](
https://eprint.iacr.org/2025/755.pdf)
### Abstract
We show that the data aggregation scheme [IEEE TDSC, 2023, 20(3), 2011-2024] is flawed, because the signer only signs a part of data, not the whole data.. An adversary can replace the unsigned component to cheat the verifier. To frustrate this attack, all components of the target data should be concatenated together and then be hashed and signed, so as to ensure that the signature verification can prove the whole message integrity.
## 2025/756
* Title: PIRCOR: Communication-Optimal Hintless Single-Server PIR via Homomorphic Rotation
* Authors: Xue Yang, Ruida Wang, Depan Peng, Kun Liu, Xianhui Lu, Xiaohu Tang
* [Permalink](
https://eprint.iacr.org/2025/756)
* [Download](
https://eprint.iacr.org/2025/756.pdf)
### Abstract
This work addresses the hintless single-server Private Information Retrieval (PIR) from the perspective of high-level protocol design and introduces PIRCOR and PIRCOR$^{*}$ that outperform the state-of-the-art PIRANA (Liu et. al., IEEE S&P 2024) and YPIR (Menon and Wu, USENIX Security 2024) in terms of the query size and the query generation time. In PIRCOR, we construct an efficient Rotation-based Expanded Binary Code (REBC) to expand $\alpha$ primary codewords into $\beta$ expanded codewords by the Rotation-Mutual-Multiplication operation. By leveraging the innovative REBC, PIRCOR reduces the query size for single-query PIR by a factor of $\mathcal{O}\left(N^{\frac{\delta-1}{\delta}}\right)$ compared to PIRANA, while also avoiding the $\mathcal{O}(N +\frac{|\mathrm{DB}|}{N})$ linear scaling inherent in YPIR ($N$, $\delta$ and $|\mathrm{DB}|$ are the (R)LWE secret dimension, the number of codewords with a Hamming weight of $1$ and the number of database elements). Based on PIRCOR, we further present PIRCOR$^{*}$ by additionally introducing the Rotation-self-Multiplication operation, which achieves a $\mathbf{50\%}$ reduction in rotation operations and a smaller query size when $\delta = 2$.
Building upon PIRCOR and PIRCOR$^{*}$, we further propose their optimized variants, PIRCOR-op and PIRCOR$^{*}$-op, to further reduce the online response time. Similar to YPIR that leverage pre-processing, PIRCOR-op and PIRCOR$^{*}$-op allow all rotations and part of multiplications to be carried out in an offline stage before receiving the query. Additionally, we also design FHE-operator acceleration with leveled optimization and implementation optimization of ciphertext rotation.
For 8 KB element retrieval in an 8 GB database, PIRCOR achieves a $\mathbf{10..7\times}$ query size reduction compared to PIRANA. When benchmarked against YPIR, the improvements are even more striking: PIRCOR reduces the query size by $\mathbf{26.8\times}$ and accelerates query generation by a staggering $\mathbf{6,080\times}$. Notably, the enhanced PIRCOR$^{*}$ achieves a $\mathbf{53.6\times}$ reduction in query size compared to YPIR, while improving query generation time by an impressive $\mathbf{12,160\times}$.
## 2025/757
* Title: Threshold Niederreiter: Chosen-Ciphertext Security and Improved Distributed Decoding
* Authors: Pascal Giorgi, Fabien Laguillaumie, Lucas Ottow, Damien Vergnaud
* [Permalink](
https://eprint.iacr.org/2025/757)
* [Download](
https://eprint.iacr.org/2025/757.pdf)
### Abstract
Threshold public-key encryption securely distributes private key shares among multiple participants, requiring a minimum number of them to decrypt messages. We introduce a quantum-resistant threshold public-key encryption scheme based on the code-based Niederreiter cryptosystem that achieves security against chosen ciphertext attacks. A previous attempt was made recently by Takahashi, Hashimoto, and Ogata (published at DCC in 2023) but we show that it contains a critical security flaw that allow adversaries to exploit malformed ciphertexts to gain information about the secret key.
In this work, we formalize a generic conversion enhancing security of (classical) public-key encryption from one-wayness against passive attacks to indistinguishability against chosen-ciphertext attacks. The conversion uses a non-interactive zero-knowledge argument with strong security properties to ensure ciphertext well-formedness. We then provide an instantiation for Niederreiter encryption based on recent techniques introduced in the "MPC-in-the-head" paradigm. The publicly verifiable validity of ciphertexts makes this scheme suitable for threshold public-key encryption and prevents an attack similar to the one on Takahashi-Hashimoto-Ogata scheme. To improve the multi-party computation protocol for decryption (involving secure computations on polynomials), we introduce a field-switching technique that allows to significantly reduce the shared secret key size and computational overhead.
## 2025/758
* Title: Blockcipher-Based Key Commitment for Nonce-Derived Schemes
* Authors: Panos Kampanakis, Shai Halevi, Nevine Ebeid, Matt Campagna
* [Permalink](
https://eprint.iacr.org/2025/758)
* [Download](
https://eprint.iacr.org/2025/758.pdf)
### Abstract
AES-GCM has been the status quo for efficient symmetric encryption for decades. As technology and cryptographic applications evolved over time, AES-GCM has posed some challenges to certain use-cases due to its default 96-bit nonce size, 128-bit block size, and lack of key commitment. Nonce-derived schemes are one way of addressing these challenges: Such schemes derive multiple keys from nonce values, then apply standard AES-GCM with the derived keys (and possibly another 96-bit nonce). The approach overcomes the nonce length and data limit issues since each derived key is only used to encrypt a few messages. By itself, the use of nonce-derived keys does not address key commitment, however. Some schemes chose to include a built-in key commitment mechanism, while others left it out of scope.
In this work, we explore efficient key commitment methods that can be added to any nonce-derived scheme in a black-box manner. Our focus is on options that use the underlying block cipher and no other primitive, are efficient, and only use standard primitives which are FIPS-approved. For concreteness we focus here specifically on adding key commitment to XAES-256-GCM, a nonce-scheme originally proposed by Filippo Valsorda, but these methods can be adapted to any other nonce-derived scheme. We propose an efficient CMAC-based key commitment solution, and prove its security in the ideal-cipher model. We argue that adding this solution yields a FIPS-compliant mode, quantify the data and message length limits of this mode and compare this combination to other nonce-derived modes. We also benchmark our key committing XAES-256-GCM performance.
## 2025/759
* Title: Let's DOIT: Using Intel's Extended HW/SW Contract for Secure Compilation of Crypto Code
* Authors: Santiago Arranz-Olmos, Gilles Barthe, Benjamin Grégoire, Jan Jancar, Vincent Laporte, Tiago Oliveira, Peter Schwabe
* [Permalink](
https://eprint.iacr.org/2025/759)
* [Download](
https://eprint.iacr.org/2025/759.pdf)
### Abstract
It is a widely accepted standard practice to implement cryptographic software so that secret inputs do not influence the cycle count. Software following this paradigm is often referred to as "constant-time" software and typically involves following three rules: 1) never branch on a secret-dependent condition, 2) never access memory at a secret-dependent location, and 3) avoid variable-time arithmetic operations on secret data. The third rule requires knowledge about such variable-time arithmetic instructions, or vice versa, which operations are safe to use on secret inputs. For a long time, this knowledge was based on either documentation or microbenchmarks, but critically, there were never any guarantees for future microarchitectures. This changed with the introduction of the data-operand-independent-timing (DOIT) mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode on Arm CPUs. Both Intel and Arm document a subset of their respective instruction sets that are intended to leak no information about their inputs through timing, even on future microarchitectures if the CPU is set to run in a dedicated DOIT (or DIT) mode.
In this paper, we present a principled solution that leverages DOIT to enable cryptographic software that is future-proof constant-time, in the sense that it ensures that only instructions from the DOIT subset are used to operate on secret data, even during speculative execution after a mispredicted branch or function return location. For this solution, we build on top of existing security type systems in the Jasmin framework for high-assurance cryptography.
We then use our solution to evaluate the extent to which existing cryptographic software built to be "constant-time" is already secure in this stricter paradigm implied by DOIT and what the performance impact is to move from constant-time to future-proof constant-time.
## 2025/760
* Title: DGSP: An Efficient Scalable Fully Dynamic Group Signature Scheme Using $\rm{SPHINCS}^+$
* Authors: Mojtaba Fadavi, Seyyed Arash Azimi, Sabyasachi Karati, Samuel Jaques
* [Permalink](
https://eprint.iacr.org/2025/760)
* [Download](
https://eprint.iacr.org/2025/760.pdf)
### Abstract
A group signature scheme enables users of a group to anonymously sign messages on behalf of the group, while a designated authority can revoke anonymity when needed to ensure user accountability. Among group signature schemes, fully dynamic ones are particularly desirable as they allow new users to join and misbehaved existing users to be revoked without requiring system-wide updates.
This paper introduces DGSP, a post-quantum fully dynamic group signature scheme that addresses key limitations of existing schemes like DGMT and SPHINX-in-the-Head (SITH). Leveraging the properties of ${\rm SPHINCS}^+$, DGSP achieves a superior balance between scalability and efficiency by (i) supporting up to $2^{60}$ users, (ii) requiring negligible setup time, and (iii) featuring efficient algorithms with short signatures of constant-size. Notably, while DGMT is limited to $2^{15}$ users, DGSP extends this to $2^{60}$ while keeping signatures compact—only 3.03 to 4.93 times larger than those of DGMT, yet just 0.021 to 0.004 times the size of SITH signatures. This makes DGSP a compelling solution for applications requiring both large-scale user support and signature efficiency in the post-quantum setting. Moreover, DGSP strengthens managerial accountability compared to DGMT by (i) enabling users to verify their certificates generated by the manager and (ii) ensuring public verifiability of the manager's signature attribution. Although SITH claims to support $2^{60}$ users, our analysis reveals that its opening algorithm is highly inefficient, making it impractical to handle such a large number of users..
Our security analysis shows that DGSP achieves unforgeability, anonymity, and traceability in the standard model. We also provide a complete implementation of DGSP. Our experimental study exhibits that DGSP is superior over existing schemes in terms of efficiency and scalability.
## 2025/761
* Title: TERRA : Trojan-Resilient Reverse-Firewall for Cryptographic Applications
* Authors: Chandan Kumar, Nimish Mishra, Suvradip Chakraborty, Satrajit Ghosh, Debdeep Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2025/761)
* [Download](
https://eprint.iacr.org/2025/761.pdf)
### Abstract
Reverse firewalls (RFs), introduced by Mironov and Stephens Davidowitz at Eurocrypt 2015, provide a defence mechanism for cryptographic protocols against subversion attacks. In a subversion setting, an adversary compromises the machines of honest parties, enabling the leakage of their secrets through the protocol transcript. Previous research in this area has established robust guarantees, including resistance against data exfiltration for an RF. In this work, we present a new perspective focused on the implementation specifics of RFs. The inherently untrusted nature of RFs exposes their real-world implementations to the risk of Trojan insertion — an especially pressing issue in today’s outsourced supply chain ecosystem. We argue how Trojan-affected RF implementations can compromise their core exfiltration resistance property, leading to a complete breakdown of the RF’s security guarantees.
Building on this perspective, we propose an enhanced definition for ``Trojan-resilient Reverse Firewalls'' (Tr-RF), incorporating an additional Trojan resilience property. We then present concrete instantiations of Tr-RFs for Coin Tossing (CT) and Oblivious Transfer (OT) protocols, utilizing techniques from Private Circuit III (CCS'16) to convert legacy RFs into Tr-RFs. We also give simulation-based proofs to claim the enhanced security guarantees of our Tr-RF instantiations. Additionally, we offer concrete implementations of our Tr-RF based CT and OT protocols utilizing the Open-Portable Trusted Execution Environment (OP-TEE). Through OP-TEE, we practically realize assumptions made in Private Circuit III that are critical to ensuring Tr-RF security, bridging the gap between theoretical models and real-world applications. To the best of our knowledge, this provides the first practical implementation of reverse firewalls for any cryptographic functionality. Our work emphasizes the importance of evaluating protocol specifications within implementation-specific contexts.
## 2025/762
* Title: $\textbf{MALARIA}$: $\textbf{Ma}$nagement of Low-$\textbf{La}$tency $\textbf{R}$outing $\textbf{I}$mpact on Mix Network $\textbf{A}$nonymity (Extended Version)
* Authors: Mahdi Rahimi
* [Permalink](
https://eprint.iacr.org/2025/762)
* [Download](
https://eprint.iacr.org/2025/762.pdf)
### Abstract
Mix networks (mixnets) offer robust anonymity even against adversaries monitoring all network links; however, they impose high latency on communications. To address this, recent research has explored strategic low-latency routing within mixnets. While these strategies appear to reduce latency, their impact on mixnet anonymity has not been carefully assessed, raising concerns about potential deanonymization of clients. Tackling this challenge, this paper first quantifies the anonymity loss associated with low-latency routing techniques in mixnets. Building on these insights, second, we introduce a novel low-latency routing method that maintains mixnet anonymity while achieving significant latency reductions compared to the state-of-the-art solution LARMix (NDSS, 2024). Our approach also ensures a more balanced load distribution among mixnet nodes. Moreover, under adversarial conditions where parts of the mixnet are compromised, our method does not confer significant advantages to the adversary, unlike LARMix. Thus, our proposal emerges as the optimal choice for low-latency routing in mixnets. Furthermore, we note that this version expands on both the analytical and experimental results of the previously published paper in NCA 2024, specifically through investigating the anonymity of Loopix-like mixnets.
## 2025/763
* Title: The Tangent Space Attack
* Authors: Axel Lemoine
* [Permalink](
https://eprint.iacr.org/2025/763)
* [Download](
https://eprint.iacr.org/2025/763.pdf)
### Abstract
We propose a new method for retrieving the algebraic structure of a generic alternant code given an arbitrary generator matrix, provided certain conditions are met. We then discuss how this challenges the security of the McEliece cryptosystem instantiated with this family of codes. The central object of our work is the quadratic hull related to a linear code, defined as the intersection of all quadrics passing through the columns of a given generator or parity-check matrix, where the columns are considered as points in the affine or projective space. The geometric properties of this object reveal important information about the internal algebraic structure of the code. This is particularly evident in the case of generalized Reed-Solomon codes, whose quadratic hull is deeply linked to a well-known algebraic variety called the rational normal curve. By utilizing the concept of Weil restriction of affine varieties, we demonstrate that the quadratic hull of a generic dual alternant code inherits many interesting features from the rational normal curve, on account of the fact that alternant codes are subfield-subcodes of generalized Reed-Solomon codes. If the rate of the generic alternant code is sufficiently high, this allows us to construct a polynomial-time algorithm for retrieving the underlying generalized Reed-Solomon code from which the alternant code is defined, which leads to an efficient key-recovery attack against the McEliece cryptosystem when instantiated with this class of codes. Finally, we discuss the generalization of this approach to Algebraic-Geometry codes and Goppa codes.
## 2025/764
* Title: Security of a secret sharing protocol on the Qline
* Authors: Alex B. Grilo, Lucas Hanouz, Anne Marin
* [Permalink](
https://eprint.iacr.org/2025/764)
* [Download](
https://eprint.iacr.org/2025/764.pdf)
### Abstract
Secret sharing is a fundamental primitive in cryptography, and it can be achieved even with perfect security. However, the distribution of shares requires computational assumptions, which can compromise the overall security of the protocol. While traditional Quantum Key Distribution (QKD) can maintain security, its widespread deployment in general networks would incur prohibitive costs.
In this work, we present a quantum protocol for distributing additive secret sharing of 0, which we prove to be composably secure within the Abstract Cryptography framework.
Moreover, our protocol targets the Qline, a recently proposed quantum network architecture designed to simplify and reduce the cost of quantum communication.
Once the shares are distributed, they can be used to securely perform a wide range of cryptographic tasks, including standard additive secret sharing, anonymous veto, and symmetric key establishment.
## 2025/765
* Title: ZKPoG: Accelerating WitGen-Incorporated End-to-End Zero-Knowledge Proof on GPU
* Authors: Muyang Li, Yueteng Yu, Bangyan Wang, Xiong Fan, Shuwen Deng
* [Permalink](
https://eprint.iacr.org/2025/765)
* [Download](
https://eprint.iacr.org/2025/765.pdf)
### Abstract
Zero-Knowledge Proof (ZKP) is a cornerstone technology in privacy-preserving computing, addressing critical challenges in domains such as finance and healthcare by ensuring data confidentiality during computation. However, the high computational overhead of ZKP, particularly in proof generation and verification, limits its scalability and usability in real-world applications. Existing efforts to accelerate ZKP primarily focus on specific components, such as polynomial commitment schemes or elliptic curve operations, but fail to deliver an integrated, flexible, and efficient end-to-end solution that includes witness generation.
In this work, we present ZKPoG, a GPU-based ZKP acceleration platform that achieves full end-to-end optimization. ZKPoG addresses three key challenges: (1) designing a witness-generation-incorporated flow for Plonkish circuits, enabling seamless integration of frontend and backend with GPU acceleration; (2) optimizing memory usage to accommodate large-scale circuits on affordable GPUs with limited memory; and (3) introducing an automated compiler for custom gates, simplifying adaptation to diverse applications. Experimental results on an NVIDIA RTX 4090 GPU show on average $22.8\times$ end-to-end acceleration compared to state-of-the-art CPU implementations and on average $12.7\times$ speedup over existing GPU-based approaches.
## 2025/766
* Title: Unbiasable Verifiable Random Functions from Generic Assumptions
* Authors: Nicholas Brandt
* [Permalink](
https://eprint.iacr.org/2025/766)
* [Download](
https://eprint.iacr.org/2025/766.pdf)
### Abstract
We present conceptually simple constructions of verifiable random functions (VRF) that fulfill strong notions of unbiasability recently introduced by Giunta and Stewart [EC:GS24]. VRFs with such strong properties were previously only known in the random oracle model or from the decisional Diffie–Hellman assumption with preprocessing. In contrast, our constructions are based on generic assumptions and are thus the first to be plausibly post-quantum secure. Moreover, our constructions fulfill several additional properties such as:
• If the underlying VRF is aggregate, key-homomorphic or computable in \(\mathsf{NC}^1\), then so is our VRF.
• For any verification key, the VRF output has almost the same min-entropy as the VRF input.
Lastly, we outline a path towards a lattice-based VRF (without setup).
## 2025/767
* Title: ALPACA: Anonymous Blocklisting with Constant-Sized Updatable Proofs
* Authors: Jiwon Kim, Abhiram Kothapalli, Orestis Chardouvelis, Riad S. Wahby, Paul Grubbs
* [Permalink](
https://eprint.iacr.org/2025/767)
* [Download](
https://eprint.iacr.org/2025/767.pdf)
### Abstract
In recent years, online anonymity has become increasingly important but is under threat due to the challenges of moderating anonymous spaces. A promising cryptographic solution, known as anonymous blocklisting, allows users to post anonymously while still enabling moderation. Moderation via anonymous blocklisting roughly works by requiring that when users post a message they attach a cryptographic proof that they did not author any posts on a “blocklist”.
Existing anonymous blocklisting schemes are unfortunately still far from achieving practical performance for large blocklists. This is essentially due to all prior works requiring a user to (cryptographically) reprocess blocklist entries many times. Relatedly, prior works have relatively high verification times and proof sizes.
In this work, we introduce ALPACA, the first anonymous blocklisting system with the property that a user only needs to do a constant amount of work per blocklist entry. Thus, our scheme has asymptotically optimal performance. Our scheme is also the first to have verification times and proof sizes that are independent of the number of blocklist entries.
Our key technique is a new variant of incrementally verifiable computation (IVC), designed to ensure anonymity. Along the way, we introduce new definitions to formally establish security. On a mid-range laptop, ALPACA’s proof generation time is always 6.15 seconds and proof size is 25.6KBs. On a server, the verification time is always 400ms.
## 2025/768
* Title: Incompleteness in Number-Theoretic Transforms: New Tradeoffs and Faster Lattice-Based Cryptographic Applications
* Authors: Syed Mahbub Hafiz, Bahattin Yildiz, Marcos A. Simplicio Jr, Thales B. Paiva, Henrique Ogawa, Gabrielle De Micheli, Eduardo L. Cominetti
* [Permalink](
https://eprint.iacr.org/2025/768)
* [Download](
https://eprint.iacr.org/2025/768.pdf)
### Abstract
Lattices are the basis of most NIST-recommended post-quantum cryptography (PQC) schemes, required to thwart the threat posed by the eventual construction of large-scale quantum computers. At the same time, lattices enable more advanced cryptographic constructions, such as fully homomorphic encryption (FHE), which is increasingly used for privacy-preserving applications like machine learning. This work delves into the efficiency and trade-off assessment of polynomial multiplication algorithms and their applications to PQC, FHE, and other schemes. Such algorithms are at the core of lattice-based cryptography and may become a critical bottleneck when deploying PQC- and FHE-based solutions on resource-constrained devices. We propose a formal analysis of so-called incompleteness in the Number Theoretic Transform (NTT). Although this concept is not new, our systematization shows how to optimize polynomial multiplication in quotient rings, considering factors such as the degree of incompleteness, the associated prime moduli, constraints of the target platform, and target security level. Besides efficiency, we formally show that the systematized family of incomplete NTT variants supports a larger set of prime moduli. This property enables new trade-offs for algorithms like the FIPS-approved module-lattice-based key encapsulation mechanism (ML-KEM) and faster amortized bootstrapping in FHE schemes. Our results include shorter ciphertexts in ML-KEM with only a modest hit in performance and a 6-42% performance boost in the NTT computation of a state-of-the-art FHE solution.
## 2025/769
* Title: Finding the Inverse of some Shift Invariant Transformations
* Authors: Fukang Liu, Vaibhav Dixit, Santanu Sarkar, Willi Meier, Takanori Isobe
* [Permalink](
https://eprint.iacr.org/2025/769)
* [Download](
https://eprint.iacr.org/2025/769.pdf)
### Abstract
We study the problem of how to find the inverse of shift invariant (SI) transformations proposed in Daemen's thesis. In particular, two of them have been used in practice: $y_i=x_i\oplus \overline{x_{i+1}}x_{i+2}$ and $y_i=x_i\oplus \overline{x_{i+1}}x_{i+2}x_{i+3}$. The first one is the well-known $\chi$ transformation used in \textsf{SHA-3}, \textsf{Subterranean 2.0} and \textsf{Rasta}, while the second one is used in a recently proposed ZK-friendly hash function called Monolith. While the concrete formula of the inverse of $\chi$ of arbitrary size has been given and proved by Liu et al. at JoC 2022, it remains unknown how to deduce such a formula and how to systematically study other SI transformations.
In this work, we aim to provide a general method and flow to find the inverse of SI transformations, though it is still limited to some specific types and it may not work for all such transformations. However, such a general method does shed new insight on how to find their inverse, as we can apply this method to several different SI transformations, including the one used in Monolith. We expect that this method can be further generalized and applied to more SI transformations.
## 2025/770
* Title: ZHE: Efficient Zero-Knowledge Proofs for HE Evaluations
* Authors: Zhelei Zhou, Yun Li, Yuchen Wang, Zhaomin Yang, Bingsheng Zhang, Cheng Hong, Tao Wei, Wenguang Chen
* [Permalink](
https://eprint.iacr.org/2025/770)
* [Download](
https://eprint.iacr.org/2025/770.pdf)
### Abstract
Homomorphic Encryption (HE) allows computations on encrypted data without decryption. It can be used where the users’ information are to be processed by an untrustful server, and has been a popular choice in privacy-preserving applica- tions. However, in order to obtain meaningful results, we have to assume an honest-but-curious server, i.e., it will faithfully follow what was asked to do. If the server is malicious, there is no guarantee that the computed result is correct. The notion of verifiable HE (vHE) is introduced to detect malicious server’s behaviors, but current vHE schemes are either more than four orders of magnitude slower than the underlying HE operations (Atapoor et. al, CIC 2024) or fast but incompatible with server- side private inputs (Chatel et. al, CCS 2024).
In this work, we propose a vHE framework ZHE: effi- cient Zero-Knowledge Proofs (ZKPs) that prove the correct execution of HE evaluations while protecting the server’s private inputs. More precisely, we first design two new highly- efficient ZKPs for modulo operations and (Inverse) Number Theoretic Transforms (NTTs), two of the basic operations of HE evaluations. Then we build a customized ZKP for HE evaluations, which is scalable, enjoys a fast prover time and has a non-interactive online phase. Our ZKP is applicable to all Ring-LWE based HE schemes, such as BGV and CKKS. Finally, we implement our protocols for both BGV and CKKS and conduct extensive experiments on various HE workloads. Compared to the state-of-the-art works, both of our prover time and verifier time are improved; especially, our prover cost is only roughly 27-36× more expensive than the underlying HE operations, this is two to three orders of magnitude cheaper than state-of-the-arts.
## 2025/771
* Title: Differential Fault Attacks on TFHE-friendly cipher $\textsf{FRAST}$
* Authors: Weizhe Wang, Deng Tang
* [Permalink](
https://eprint.iacr.org/2025/771)
* [Download](
https://eprint.iacr.org/2025/771.pdf)
### Abstract
Differential Fault Attacks (DFAs) have recently emerged as a significant threat against stream ciphers specifically designed for Hybrid Homomorphic Encryption (HHE).
In this work, we propose DFAs on the $\textsf{FRAST}$ cipher, which is a cipher specifically tailored for Torus-based Fully Homomorphic Encryption (TFHE). The round function of $\textsf{FRAST}$ employs random S-boxes to minimize the number of rounds, and can be efficiently evaluated in TFHE. With our specific key recovery strategy, we can mount the DFA with a few faults. Under the assumption of precise fault injection, our DFA can recover the key within one second using just 4 or 6 faults. When discarding the assumption and considering a more practical fault model, we can still achieve key recovery in a few minutes without increasing the number of faults. To the best of our knowledge, this is the first third-party cryptanalysis on $\textsf{FRAST}$. We also explored countermeasures to protect $\textsf{FRAST}$. Our analysis revealed that negacyclic S-boxes, a key component of TFHE-friendly ciphers, are unsuitable for incorporating linear structures to resist DFA. Consequently, we recommend removing the negacyclic restriction in the penultimate round of FRAST and introducing non-zero linear structures into the S-boxes of the last two rounds. We believe that our work will provide valuable insights for the design of TFHE-friendly ciphers.
## 2025/772
* Title: Publicly Auditable Garbled Circuit
* Authors: San Ling, Chan Nam Ngo, Khai Hanh Tang, Huaxiong Wang
* [Permalink](
https://eprint.iacr.org/2025/772)
* [Download](
https://eprint.iacr.org/2025/772.pdf)
### Abstract
Generic Secure Multiparty Computation (Generic MPC) recently received much attraction in the blockchain realm as it allows mutually distrustful parties to jointly compute a global function using their private inputs while keeping them private; and more so; the expression of the function can be done in a programmable manner (hence `generic'); as opposed to the first rising star cryptographic technique Zero-Knowledge Proof (ZKP) which only allows computation on private input of a single party (via the `commit-and-prove' approach). While ZKP, by nature, allows public verifiability, Generic MPC is not so: Generic MPC mostly focuses on Malicious Security in which the computing result is verifiable only among the computing parties. Yet, in the blockchain realm, public verifiability is important, as the consensus protocol is not just among the computing parties but also external servers. A few works were done to bridge this gap (albeit not in the blockchain realm), i.e., Public Auditable MPC. Public Audtitability is a stronger property than Public Verifiability: the first one certifies the computation done in the MPC, while the latter certifies only the relation between the outputs and the inputs. However, they are non-constant round protocols and only for Secret-Sharing-based MPC, i.e., round complexity scales linearly with the circuit multiplicative depth, while round latency is an important cost metric in the blockchain domain. We address this problem by providing a Public Auditable Garbled Circuit protocol that is maliciously secure, publicly auditable, and constant-round. Our protocol is efficient, with only minimal overhead in terms of round, communication, and public transcript size.
## 2025/773
* Title: Exploring Adversarial Attacks on the MaSTer Truncation Protocol
* Authors: Martin Zbudila, Aysajan Abidin, Bart Preneel
* [Permalink](
https://eprint.iacr.org/2025/773)
* [Download](
https://eprint.iacr.org/2025/773.pdf)
### Abstract
At CANS 2024, Zbudila et al. presented MaSTer, a maliciously secure multi-party computation protocol for truncation. It allows adversaries to manipulate outputs with a bounded additive error while avoiding detection with a certain probability. In this work, we analyse the broader implications of adversarial exploitation in probabilistic truncation protocols, specifically in relation to MaSTer. We propose three attack strategies aimed at inducing misclassification in deep neural network (DNN) inference. Our empirical evaluation across multiple datasets demonstrates that while adversarial influence remains negligible under realistic constraints, certain configurations and network architectures exhibit increased vulnerability. By improving the understanding of the risks associated with probabilistic truncation protocols in privacy-preserving machine learning, our work demonstrates that the MaSTer protocol is robust in realistic settings.
## 2025/774
* Title: Towards a Modern LLL Implementation
* Authors: Léo Ducas, Ludo N. Pulles, Marc Stevens
* [Permalink](
https://eprint.iacr.org/2025/774)
* [Download](
https://eprint.iacr.org/2025/774.pdf)
### Abstract
We propose BLASter, a proof of concept LLL implementation that demonstrates the practicality of multiple theoretical improvements. The implementation uses the segmentation strategy from Neumaier–Stehlé (ISSAC 2016), parallelism and Seysen's reduction that was proposed by Kirchner–Espitau–Fouque (CRYPTO 2021) and implemented in OptLLL, and the BLAS library for linear algebra operations. It consists of only 1000 significant lines of C++ and Python code, and is made publicly available.
For q-ary lattices that fplll can handle without multiprecision (dimension <180), BLASter is considerably faster than fplll, OptLLL and Ryan–Heninger's flatter (CRYPTO 2023), without degrading output reduction quality. Thanks to Seysen's reduction it can further handle larger dimension without resorting to multiprecision, making it more than 10x faster than flatter and OptLLL, and 100x faster than fplll in dimensions 256 to 1024.
It further includes segmented BKZ and segmented deep-LLL variants. The latter provides bases as good as BKZ-15 and has a runtime that is only a couple of times more than our LLL baseline.
This remains a proof of concept: the effective use of higher precision — which is needed to handle \(\textit{all}\) lattices — has further obstacles and is left for future work. Still, this work contains many lessons learned, and is meant to motivate and guide the development of a robust and modern lattice reduction library, which shall be much faster than fplll.
## 2025/775
* Title: AuthOr: Lower Cost Authenticity-Oriented Garbling of Arbitrary Boolean Circuits
* Authors: Osman Biçer, Ali Ajorian
* [Permalink](
https://eprint.iacr.org/2025/775)
* [Download](
https://eprint.iacr.org/2025/775.pdf)
### Abstract
Authenticity-oriented (previously named as privacy-free) garbling
schemes of Frederiksen et al. Eurocrypt ’15 are designed to satisfy
only the authenticity criterion of Bellare et al. ACM CCS ’12, and to be
more efficient compared to full-fledged garbling schemes. In this work,
we improve the state-of-the-art authenticity-oriented version of half gates
(HG) garbling of Zahur et al. Crypto ’15 by allowing it to be bandwidth-free
if any of the input wires of an AND gate is freely settable by the
garbler. Our full solution AuthOr then successfully combines the ideas
from information-theoretical garbling of Kondi and Patra Crypto ’17 and
the HG garbling-based scheme that we obtained. AuthOr has a lower
communication cost (i.e. garbled circuit or GC size) than HG garbling
without any further security assumption. Theoretically, AuthOr’s GC
size reduction over HG garbling lies in the range between 0 to 100%,
and the exact improvement depends on the circuit structure. We have
implemented our scheme and conducted tests on various circuits that are
constructed by independent researchers. Our experimental results show
that in practice, the GC size gain may be up to roughly 98%.
## 2025/776
* Title: Clementine: A Collateral-Efficient, Trust-Minimized, and Scalable Bitcoin Bridge
* Authors: Ekrem Bal, Lukas Aumayr, Atacan İyidoğan, Giulia Scaffino, Hakan Karakuş, Cengiz Eray Aslan, Orfeas Stefanos Thyfronitis Litos
* [Permalink](
https://eprint.iacr.org/2025/776)
* [Download](
https://eprint.iacr.org/2025/776.pdf)
### Abstract
This whitepaper introduces Clementine, a secure, collateral-efficient, trust-minimized, and scalable Bitcoin bridge based on BitVM2 that enables withdrawals from rollups or other side systems to Bitcoin. Clementine proposes a new Bitcoin light client that remains secure against adversaries controlling less than 50% of Bitcoin’s hash rate, assuming at least one honest Watchtower in a permissioned set. The protocol is collateral-efficient, reusing locked funds over time and reducing unnecessary dust outputs through the strategic use of 0-value outputs, and scalable, enabling a single challenge per Operator to slash multiple misbehaviors. This increases throughput and reduces on-chain load without compromising security. Clementine enables trust-minimized and efficient peg-outs from Citrea to Bitcoin, making zk-rollups on Bitcoin practical and unlocking new paths for native scalability and interoperability.
## 2025/777
* Title: Seamless Switching Between PBS and WoPBS for Scalable TFHE
* Authors: Rostin Shokri, Nektarios Georgios Tsoutsos
* [Permalink](
https://eprint.iacr.org/2025/777)
* [Download](
https://eprint.iacr.org/2025/777.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) enables arbitrary and unlimited computations directly on encrypted data. Notably, the TFHE scheme allows users to encrypt bits or small numbers (4-6 bits) and compute any univariate function using programmable bootstrapping (PBS), while simultaneously refreshing the ciphertext noise. Since both linear and non-linear functions can be evaluated using PBS, it is possible to compute arbitrary functions and circuits of unlimited depth without any accuracy loss. Nevertheless, a major limitation of TFHE, compared to other FHE schemes, is that it operates on a single ciphertext at a time, and the underlying message size remains small. For larger messages with longer bit sizes, the execution overhead of PBS grows exponentially with the number of message bits. A recent approach, called Without-padding PBS (WoPBS), enables computation of much larger lookup tables (10-28 bits), with the execution cost scaling linearly with the number of message bits. The significant encoding mismatch between the PBS and WoPBS, however, complicates the use of both approaches within the same circuit execution.
In this work, we introduce novel switching algorithms that enable ciphertexts to be converted back and forth between the PBS and WoPBS contexts without impacting the input noise. Moreover, we introduce a new method to bootstrap ciphertexts within the WoPBS context, allowing for unlimited XOR operations at negligible cost. To enhance runtime, we further introduce optimized parameters for both contexts. We validate our techniques through the homomorphic evaluation of AES encryption and decryption, demonstrating transciphering applications that outperform related works.
## 2025/778
* Title: Cryptography from Lossy Reductions: Towards OWFs from ETH, and Beyond
* Authors: Pouria Fallahpour, Alex B. Grilo, Garazi Muguruza, Mahshid Riahinia
* [Permalink](
https://eprint.iacr.org/2025/778)
* [Download](
https://eprint.iacr.org/2025/778.pdf)
### Abstract
One-way functions (OWFs) form the foundation of modern cryptography, yet their unconditional existence remains a major open question. In this work, we study this question by exploring its relation to lossy reductions, i.e., reductions $R$ for which it holds that $I(X;R(X)) \ll n$ for all distributions $X$ over inputs of size $n$.
Our main result is that either OWFs exist or any lossy reduction for any promise problem $\Pi$ runs in time $2^{\Omega(\log\tau_\Pi / \log\log n)}$, where $\tau_\Pi(n)$ is the infimum of the runtime of all (worst-case) solvers of $\Pi$ on instances of size $n$. More precisely, by having a reduction with a better runtime, for an arbitrary promise problem $\Pi$, and by using a non-uniform advice, we construct (a family of) OWFs. In fact, our result requires a milder condition, that $R$ is lossy for sparse uniform distributions (which we call mild-lossiness). It also extends to $f$-reductions as long as $f$ is a non-constant permutation-invariant Boolean function, which includes $\text{And-, Or-, Maj-, Parity-}$, $\text{Mod}_k$-, and $\text{Threshold}_k$-reductions.
Additionally, we show that worst-case to average-case Karp reductions and randomized encodings are special cases of mild-lossy reductions and improve the runtime above as $2^{\Omega(\log \tau_\Pi)}$ when these mappings are considered. Restricting to weak fine-grained OWFs, this runtime can be further improved as $\Omega(\tau_\Pi)$.
Intuitively, the latter asserts that if weak fine-grained OWFs do not exist then any instance randomization of any $\Pi$ has the same runtime (up to a constant factor) as the best worst-case solver of $\Pi$.
Taking $\Pi$ as $k\text{Sat}$, our results provide sufficient conditions under which (fine-grained) OWFs exist assuming the Exponential Time Hypothesis (ETH). Conversely, if (fine-grained) OWFs do not exist, we obtain impossibilities on instance compressions (Harnik and Naor, FOCS 2006) and instance randomizations of $k\text{Sat}$ under the ETH.
Moreover, the analysis can be adapted to studying such properties of any $\text{NP}$-complete problem.
Finally, we partially extend these findings to the quantum setting; the existence of a pure quantum mildly-lossy reduction for $\Pi$ within the runtime $2^{o(\log\tau_\Pi / \log\log n)}$ implies the existence of one-way state generators, where $\tau_\Pi$ is defined with respect to quantum solvers.
## 2025/779
* Title: Improving the Round Complexity of MiniCast
* Authors: Thomas Locher, Victor Shoup
* [Permalink](
https://eprint.iacr.org/2025/779)
* [Download](
https://eprint.iacr.org/2025/779.pdf)
### Abstract
For very long messages, the reliable broadcast protocol with the best communication complexity to date is the Minicast protocol of Locher & Shoup [2024]. To reliably broadcast a message $m$ to $n$ parties, Minicast has communication complexity $\sim 1.5 |m| n$, when $|m|$ is large. However, the round complexity of Minicast is 4, which is worse than the 3 rounds of the classical protocol of Bracha. We give a new reliable broadcast protocol whose communication complexity is essentially the same as that of Minicast, but whose round complexity is just 3. Like Minicast, our new protocol does not rely on any cryptography other than hash functions. We also give a new 2-round protocol that relies on signatures. For large $|m|$, its communication complexity is also $\sim 1.5 |m| n$, unless the sender provably misbehaves, in which case its communication complexity may degrade to at most $\sim 2 |m| n$.
## 2025/780
* Title: The Planted Orthogonal Vectors Problem
* Authors: David Kühnemann, Adam Polak, Alon Rosen
* [Permalink](
https://eprint.iacr.org/2025/780)
* [Download](
https://eprint.iacr.org/2025/780.pdf)
### Abstract
In the $k$-Orthogonal Vectors ($k$-OV) problem we are given $k$ sets, each containing $n$ binary vectors of dimension $d=n^{o(1)}$, and our goal is to pick one vector from each set so that at each coordinate at least one vector has a zero. It is a central problem in fine-grained complexity, conjectured to require $n^{k-o(1)}$ time in the worst case.
We propose a way to plant a solution among vectors with i.i.d. $p$-biased entries, for appropriately chosen $p$, so that the planted solution is the unique one. Our conjecture is that the resulting $k$-OV instances still require time $n^{k-o(1)}$ to solve, on average.
Our planted distribution has the property that any subset of strictly less than $k$ vectors has the same marginal distribution as in the model distribution, consisting of i.i.d. $p$-biased random vectors. We use this property to give average-case search-to-decision reductions for $k$-OV.
## 2025/781
* Title: Generalizing the Augot-Finiasz PKE to Other Code Classes
* Authors: Anmoal Porwal, Anna Baumeister, Violetta Weger, Antonia Wachter-Zeh, Pierre Loidreau
* [Permalink](
https://eprint.iacr.org/2025/781)
* [Download](
https://eprint.iacr.org/2025/781.pdf)
### Abstract
The Augot-Finiasz system is a public-key encryption (PKE) scheme based on Reed-Solomon codes and was later followed by analogous versions in the rank metric. Although these schemes were eventually broken, their fundamental idea remains exciting. Notably, these schemes are significantly different from the McEliece system as there is no need to hide the code and, as such, promise much better parameters. Further, they admit a simple description where both the public key and ciphertext are just corrupted codewords of a public code. An interesting question is whether the general idea can be made to work, i.e., resist all known attacks, by using other code classes. This paper shows how to generalize the Augot-Finiasz system to other code families. We reduce the correctness and security of this framework to simple assertions about the code class with which it is instantiated. Specifically, its correctness is equivalent to the existence of an efficient error-erasure decoder, and its security reduces to an easily understood hardness assumption, called "supercode decoding", close to the syndrome decoding problem.
## 2025/782
* Title: AES Is Not Enough: the Block Ciphers Zoo Goes Homormorphic (over TFHE)
* Authors: Daphné Trama, Aymen Boudguiga, Renaud Sirdey
* [Permalink](
https://eprint.iacr.org/2025/782)
* [Download](
https://eprint.iacr.org/2025/782.pdf)
### Abstract
The dream of achieving data privacy during external computations has
become increasingly concrete in recent years. Indeed, since the early days of Fully Homomorphic Encryption (FHE) more than a decade ago, new cryptosystems and techniques have constantly optimized the efficiency of computation on encrypted data.
However, one of the main disadvantages of FHE, namely its significant ciphertext expansion factor, remains at the center of the efficiency bottleneck of FHE schemes. To tackle the issue of slow uplink FHE data transmission, we use transciphering. With transciphering, the client naturally encrypts its data under a symmetric scheme and sends them to the server with (once and for all) an FHE encryption of the symmetric scheme’s key. With its larger computing power, the server then evaluates the symmetric scheme’s decryption algorithm within the homomorphic domain to obtain homomorphic ciphertexts that allow it to perform the requested calculations.
Since the first use of this method a bit more than ten years ago, papers on the homomorphic evaluation of AES have been numerous. And as the AES execution is the application chosen by NIST in the FHE part of its recent call for proposals on threshold encryption, the stakes of such work go up another level. But what about other standardized block ciphers? Is the AES the more efficient option? In this work, we leverage on two methods which have successfully been applied to the
homomorphic evaluation of AES to study several state-of-the-art symmetric block ciphers (namely CLEFIA, PRESENT, PRINCE, SIMON, SKINNY). That is to say, we implement a representative set of symmetric block ciphers using TFHE.
These implementations allow us to compare the efficiency of this set of symmetric schemes and to categorize them. We highlight the characteristics of block ciphers that are fast to execute in the homomorphic domain and those that are particularly costly.
Finally, this classification of operation types enables us to sketch out what the ideal block cipher for transciphering homomorphic data in integer mode might look like.
## 2025/783
* Title: Non-Adaptive Cryptanalytic Time-Space Lower Bounds via a Shearer-like Inequality for Permutations
* Authors: Itai Dinur, Nathan Keller, Avichai Marmor
* [Permalink](
https://eprint.iacr.org/2025/783)
* [Download](
https://eprint.iacr.org/2025/783.pdf)
### Abstract
The power of adaptivity in algorithms has been intensively studied in diverse areas of theoretical computer science. In this paper, we obtain a number of sharp lower bound results which show that adaptivity provides a significant extra power in cryptanalytic time-space tradeoffs with (possibly unlimited) preprocessing time.
Most notably, we consider the discrete logarithm (DLOG) problem in a generic group of $N$ elements. The classical `baby-step giant-step' algorithm for the problem has time complexity $T=O(\sqrt{N})$, uses $O(\sqrt{N})$ bits of space (up to logarithmic factors in $N$) and achieves constant success probability.
We examine a generalized setting where an algorithm obtains an advice string of $S$ bits and is allowed to make $T$ arbitrary non-adaptive queries that depend on the advice string (but not on the challenge group element for which the DLOG needs to be computed).
We show that in this setting, the $T=O(\sqrt{N})$ online time complexity of the baby-step giant-step algorithm cannot be improved, unless the advice string is more than $\Omega(\sqrt{N})$ bits long. This lies in stark contrast with the classical adaptive Pollard's rho algorithm for DLOG, which can exploit preprocessing to obtain the tradeoff curve $ST^2=O(N)$. We obtain similar sharp lower bounds for the problem of breaking the Even-Mansour cryptosystem in symmetric-key cryptography and for several other problems.
To obtain our results, we present a new model that allows analyzing non-adaptive preprocessing algorithms for a wide array of search and decision problems in a unified way.
Since previous proof techniques inherently cannot distinguish between adaptive and non-adaptive algorithms for the problems in our model, they cannot be used to obtain our results. Consequently, we rely on information-theoretic tools for handling distributions and functions over the space $S_N$ of permutations of $N$ elements. Specifically, we use a variant of Shearer's lemma for this setting, due to Barthe, Cordero-Erausquin, Ledoux, and Maurey (2011), and a variant of the concentration inequality of Gavinsky, Lovett, Saks and Srinivasan (2015) for read-$k$ families of functions, that we derive from it. This seems to be the first time a variant of Shearer's lemma for permutations is used in an algorithmic context, and it is expected to be useful in other lower bound arguments.
## 2025/784
* Title: SHIP: A Shallow and Highly Parallelizable CKKS Bootstrapping Algorithm
* Authors: Jung Hee Cheon, Guillaume Hanrot, Jongmin Kim, Damien Stehlé
* [Permalink](
https://eprint.iacr.org/2025/784)
* [Download](
https://eprint.iacr.org/2025/784.pdf)
### Abstract
The CKKS fully homomorphic encryption scheme enables
efficient homomorphic operations in terms of throughput, but its bootstrapping
algorithm incurs a significant latency. In this work, we introduce
SHIP, a novel bootstrapping algorithm for CKKS ciphertexts. SHIP
enjoys a very shallow homomorphic multiplicative depth compared to
state-of-the-art CKKS bootstrapping algorithms. Bootstrapping depth
directly impacts the required Ring-LWE modulus, and hence the Ring-
LWE degree. The massive depth saving allows us to report the first bootstrapping
of CKKS ciphertexts for full-dimensional cleartext vectors in
ring degree N=2^13, without resorting to an expensive scheme switching
to DM/CGGI. SHIP also enjoys great parallelizability, with minimal
communication between threads. The combined ring size reduction and
high parallelizability lead to very low latency. In ring degree N=2^13,
our experimental implementation runs in 215ms on a 32-core CPU for
real-valued cleartext vectors. This is 2.5x lower than the smallest latency
we could observe with the HEaaN library (using 48 cores). For binary
cleartext vectors, the latency is lowered to 174ms, which is 2.2x lower
than Bae et al [Eurocrypt’24] (with 32 cores).
## 2025/785
* Title: DNDK: Combining Nonce and Key Derivation for Fast and Scalable AEAD
* Authors: Shay Gueron, Thomas Ristenpart
* [Permalink](
https://eprint.iacr.org/2025/785)
* [Download](
https://eprint.iacr.org/2025/785.pdf)
### Abstract
Authenticated encryption with associated data (AEAD) schemes are responsible for securing increasingly critical digital infrastructures, worldwide. Unfortunately, current widely deployed schemes suffer from various limitations that make them difficult to use securely in practice. For example, schemes like AES-GCM limit the amount of data that can be encrypted with a single key, therefore limiting its secure scaling to modern workloads. At the same time, practitioners may not be able to move away from the use of AES-GCM due to mature and widely deployed implementations, legacy constraints, and compliance.
In this paper, we provide approaches to improve the secure scaling of AEAD schemes via what we call derived-nonce, derived-key (DNDK) transforms. At a high level, such transforms use a root key to derive a nonce and key for use with an underlying scheme. The challenge is doing so in a way that introduces as little overhead as possible, and relying on a small number of assumptions on the used primitives. We provide some general results about secure scaling transforms and a concrete design for AES-GCM that is called DNDK-GCM. It requires as little as three additional AES calls to enable use of the same key to encrypt up to $2^{64}$ bytes of data, even when using random nonces. We also provide a detailed performance analysis. DNDK-GCM is now a draft IETF standard, and is already deployed at the cloud scale by companies including Meta.
## 2025/786
* Title: Robust and Verifiable MPC with Applications to Linear Machine Learning Inference
* Authors: Tzu-Shen Wang, Jimmy Dani, Juan Garay, Soamar Homsi, Nitesh Saxena
* [Permalink](
https://eprint.iacr.org/2025/786)
* [Download](
https://eprint.iacr.org/2025/786.pdf)
### Abstract
In this work, we present an efficient secure multi-party computation MPC protocol that provides strong security guarantees in settings with a dishonest majority of participants who may behave arbitrarily. Unlike the popular MPC implementation known as SPDZ [Crypto ’12], which only ensures security with abort, our protocol achieves both complete identifiability and robustness.. With complete identifiability, honest parties can detect and unanimously agree on the identity of any malicious party. Robustness allows the protocol to continue with the computation without requiring a restart, even when malicious behavior is detected. Additionally, our approach addresses the performance limitations observed in the protocol by Cunningham et al. [ICITS ’17], which, while achieving complete identifiability, is hindered by the costly exponentiation operations required by the choice of commitment scheme.
Our protocol is based on the approach by Rivinius et al. [S&P ’22], utilizing lattice-based commitment for better efficiency. We achieves robustness with the help of a semi-honest trusted third party. We benchmark our robust protocol, showing the efficient recovery from parties’ malicious behavior.
Finally, we benchmark our protocol on a ML-as-a-service scenario, wherein clients off-load the desired computation to the servers, and verify the computation result. We benchmark on linear ML inference, running on various datasets. While our efficiency is slightly lower compared to SPDZ’s, we offer stronger security properties that provide distinct advantages.
## 2025/787
* Title: Preprocessing for Life: Dishonest-Majority MPC with a Trusted or Untrusted Dealer
* Authors: Elette Boyle, Niv Gilboa, Matan Hamilis, Yuval Ishai, Ariel Nof
* [Permalink](
https://eprint.iacr.org/2025/787)
* [Download](
https://eprint.iacr.org/2025/787.pdf)
### Abstract
We put forth a new paradigm for practical secure multiparty computation (MPC) in the preprocessing model, where a feasible one-time setup can enable a lifetime of efficient online secure computations.
Our protocols match the security guarantees and low costs of the cheapest category of MPC solutions, namely 3-party protocols (3PC) secure against a single malicious party, with the qualitative advantages that one party communicates data sublinear in the circuit size, and can go offline after its initial messages. This "2+1"-party structure can alternatively be instantiated between 2 parties with the aid of a (possibly untrusted) dealer. Within such existing protocols, we provide comparable online performance while improving the storage and offline dealer-to-party communication requirements by more than 3 orders of magnitude.
At the technical level, we build on a novel combination of the Fully Linear Interactive Oracle Proof (FLIOP)-based protocol design of Boyle et al. (CRYPTO 2021) and pseudorandom correlation generators. We provide an extensive assortment of algorithmic and implementation-level optimizations, design efficient distributed proofs of well-formedness of complex FLIOP correlations, and make them circuit-independent. We implement and benchmark our end-to-end system against the state of the art in the $(2+1)$ regime, a dealer-aided variant of SPDZ for Boolean circuits.
We additionally extend our techniques to the $(n+1)$ party setting, where a dealer aids general dishonest-majority MPC, and provide a variant of the protocol which further achieves security with identifiable abort.
## 2025/788
* Title: Identity-Based Ring Signature from Quantum Token
* Authors: Nabanita Chakraborty, Ratna Dutta
* [Permalink](
https://eprint.iacr.org/2025/788)
* [Download](
https://eprint.iacr.org/2025/788.pdf)
### Abstract
An identity-based ring signature (IRS) is an attractive cryptographic primitive having numerous applications including e-cash and e-voting, that enables a user to authenticate sensitive documents on behalf of a ring of user identities chosen by the signer and provides anonymity and unforgeability. We introduce the first quantum-tokenized identity-based ring signature (QTIRS) scheme qtIRS and its variant D-qtIRS with signature delegation assuming the existence of obfuscated membership-checking circuits and a computationally sound non-interactive zero-knowledge (NIZK) proof system. We emphasize that our schemes are dynamic where a user can join or leave the system without disturbing others, allow unrestricted ring size with signature size independent of the ring size and provide security in the standard model. We enhance our security framework by minimizing restrictions for the adversary and allowing a broader domain to forge and introduce the notion of strong existential unforgeability against adaptive-chosen-message-and-identity attack (sEU-ACMI) and strong anonymity (sAnon). Our scheme qtIRS achieves sEU-ACMI and sAnon security while our scheme D-qtIRS attains strong existential unforgeability against adaptive-chosen-message-and-identity attack with signature delegation (sEU-ACMID) and sAnon. Most interestingly, our D-qtIRS features signature delegation and leased key revocation in the IRS setting, enabling a lessor to grant a limited signing authority to a lessee and revoke the delegated authority whenever needed.. Additionally, we have shown the existence of obfuscated membership-checking circuits which is of independent interest.
## 2025/789
* Title: Rushing at SPDZ: On the Practical Security of Malicious MPC Implementations
* Authors: Alexander Kyster, Frederik Huss Nielsen, Sabine Oechsner, Peter Scholl
* [Permalink](
https://eprint.iacr.org/2025/789)
* [Download](
https://eprint.iacr.org/2025/789.pdf)
### Abstract
Secure multi-party computation (MPC) enables parties to compute a function over private inputs while maintaining confidentiality. Although MPC has advanced significantly and attracts a growing industry interest, open-source implementations are still at an early stage, with no production-ready code and a poor understanding of their actual security guarantees.
In this work, we study the real-world security of modern MPC implementations, focusing on the SPDZ protocol (Damgård et al., CRYPTO 2012, ESORICS 2013), which provides security against malicious adversaries when all-but-one of the participants may be corrupted. We identify a novel type of MAC key leakage in the MAC check protocol of SPDZ, which can be exploited in concurrent, multi-threaded settings, compromising output integrity and, in some cases, input privacy. In our analysis of three SPDZ implementations (MP-SPDZ, SCALE-MAMBA, and FRESCO), two are vulnerable to this attack, while we also uncover further issues and vulnerabilities with all implementations. We propose mitigation strategies and some recommendations for researchers, developers and users, which we hope can bring more awareness to these issues and avoid them reoccurring in future.
## 2025/790
* Title: PULSE: Parallel Private Set Union for Large-Scale Entities
* Authors: Jiahui Gao, Son Nguyen, Marina Blanton, Ni Trieu
* [Permalink](
https://eprint.iacr.org/2025/790)
* [Download](
https://eprint.iacr.org/2025/790.pdf)
### Abstract
Multi-party private set union (mPSU) allows multiple parties to compute the union of their private input sets without revealing any additional information..
Existing efficient mPSU protocols can be categorized into symmetric key encryption (SKE)-based and public key encryption (PKE)-based approaches. However, neither type of mPSU protocol scales efficiently to a large number of parties, as they fail to fully utilize available computational resources, leaving participants idle during various stages of the protocol execution.
This work examines the limitation of existing protocols and proposes a unified framework for designing efficient mPSU protocols. We then introduce an efficient Parallel mPSU for Large-Scale Entities (PULSE) that enables parallel computation, allowing all parties/entities to perform computations without idle time, leading to significant efficiency improvements, particularly as the number of parties increases. Our protocol is based on PKE and secure even when up to $n-1$ semi-honest parties are corrupted. We implemented PULSE and compared it to state-of-the-art mPSU protocols under different settings, showing a speedup of $1.91$ to $3.57\times$ for $n=8$ parties for various set sizes.
## 2025/791
* Title: Analysis of One Privacy-Preserving Electricity Data Classification Scheme Based on CNN Model With Fully Homomorphism
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](
https://eprint.iacr.org/2025/791)
* [Download](
https://eprint.iacr.org/2025/791.pdf)
### Abstract
We show that the data classification scheme [IEEE Trans. Sustain. Comput., 2023, 8(4), 652-669)] failed to check the compatibility of encoding algorithm and homomorphic encryption algorithm. Some calculations should be revised to ensure all operands are first encoded using the same scaling factors. The canonical embedding map depending on the natural projection should be explicitly arranged so as to construct an efficient decoding algorithm.
## 2025/792
* Title: A Scrutiny of the Security of AES-based Hashing and One-way Functions
* Authors: Shiyao Chen, Jian Guo, Eik List, Danping Shi, Tianyu Zhang
* [Permalink](
https://eprint.iacr.org/2025/792)
* [Download](
https://eprint.iacr.org/2025/792.pdf)
### Abstract
AES has cemented its position as the primary symmetric-key primitive for a wide range of cryptographic applications, which motivates the analysis on the concrete security of AES's instantiations in practice, for instance, the collision resistance of AES-based hashing, the key commitment security of AES-based authenticated encryption schemes, and the one-wayness of AES-based one-way functions in ZK and MPC protocols. In this work, we introduce single-color initial structures into meet-in-the-middle (MITM) attacks, a systematic technique to identify attack trails that enable efficient neutral word generation and low-memory attacks. As a result, we have attained: (1) the first classical one-block collision attack on 7-round AES-MMO/MP, marking the first advancement in attack rounds for more than a decade and matching the attack rounds in the quantum setting; (2) the first one-block collision attack on 4-round AES-128-DM, which bridges the gap in Taiyama et al.'s claim at Asiacrypt 2024 from an MITM perspective; (3) the first improvement in single known plaintext key recovery attack on 5-round AES-128 in over a decade; (4) comprehensive results on the security margin of Rijndael-192 and Rijndael-256 in multiple instantiations. These breakthroughs deepen our understanding of AES-like structure, and contribute as a scrutiny of the security of AES-based instantiations.
## 2025/793
* Title: Solving systems of polynomial equations via Macaulay matrices
* Authors: Shuhei Nakamura
* [Permalink](
https://eprint.iacr.org/2025/793)
* [Download](
https://eprint.iacr.org/2025/793.pdf)
### Abstract
One approach to solving polynomial systems is to multiply each equation by monomials, which creates a larger system with the coefficient matrix known as the Macaulay matrix.
The eXtended Linearization (XL) method, introduced by Courtois, Klimov, Patarin, and Shamir in 2000, is one such approach and includes a sub-algorithm that performs Gaussian elimination on the Macaulay matrix.
Due to the simplicity of the method, several improvements and variations have been proposed since its introduction, and it remains an active area of research.
In this paper, we focus on sub-algorithms based on Macaulay matrices that are used in the XL method and its variants and investigate the input parameters that produce the desired output, such as a Gr\"{o}bner basis.
In particular, by summarizing some known facts about the standard degree, we provide a foundation for extending the XL method to the multi-degree case.
## 2025/794
* Title: Formal Analysis of Multi-Device Group Messaging in WhatsApp
* Authors: Martin R. Albrecht, Benjamin Dowling, Daniel Jones
* [Permalink](
https://eprint.iacr.org/2025/794)
* [Download](
https://eprint.iacr.org/2025/794.pdf)
### Abstract
WhatsApp provides end-to-end encrypted messaging to over two billion users. However, due to a lack of public documentation and source code, the specific security guarantees it provides are unclear. Seeking to rectify this situation, we combine the limited public documentation with information we gather through reverse-engineering its implementation to provide a formal description of the subset of WhatsApp that provides multi-device group messaging. We utilise this description to state and prove the security guarantees that this subset of WhatsApp provides. Our analysis is performed within a variant of the Device-Oriented Group Messaging model, which we extend to support device revocation. We discuss how to interpret these results, including the security WhatsApp provides as well as its limitations.
## 2025/795
* Title: Efficient Noncommutative KEMs from Twisted Dihedral Group Ring
* Authors: Ali Raya, Vikas Kumar, Sugata Gangopadhyay, Aditi Kar Gangopadhyay
* [Permalink](
https://eprint.iacr.org/2025/795)
* [Download](
https://eprint.iacr.org/2025/795.pdf)
### Abstract
NTRU schemes have been extensively studied as post-quantum proposals within the category of lattice-based constructions.
Numerous designs have been introduced with security assumptions based on the NTRU hard problem; some focused on security, and others were motivated by faster computations. Recently, some proposals for noncommutative NTRU have appeared in the literature, claiming more resistance to some algebraic attacks. While these proposals provide practical cryptosystems, they fail to perform similarly to the original NTRU over the ring of integers. This work introduces the first construction of noncommutative NTRU that matches the speed of NTRU over the ring of integers.
Additionally, we present another construction over the ring of Eisenstein integers, demonstrating that performance can be further enhanced. We comprehensively implement the Key Encapsulation Mechanisms (KEMs) based on our constructions and compare their efficiency and compactness to both commutative and noncommutative NTRU variants in the literature. Our findings indicate that the new designs provide competitive memory and time requirements while utilizing noncommutative algebra. For example, our noncommutative KEM based on the twisted dihedral group ring over the ring of integers achieves encapsulation and decapsulation speeds comparable to NTRU-HPS, with a key generation speed that is 2.5 times faster. Additionally, our construction based on the ring of Eisenstein integers is at least 1.6 times faster for key generation and 1.3 times faster for both encapsulation and decapsulation compared to NTRU-HPS.
## 2025/796
* Title: Unified MEDS Accelerator
* Authors: Sanjay Deshpande, Yongseok Lee, Mamuri Nawan, Kashif Nawaz, Ruben Niederhagen, Yunheung Paek, Jakub Szefer
* [Permalink](
https://eprint.iacr.org/2025/796)
* [Download](
https://eprint.iacr.org/2025/796.pdf)
### Abstract
The Matrix Equivalence Digital Signature (MEDS) scheme a code-based candidate in the first round of NIST’s Post-Quantum Cryptography (PQC) standardization process, offers competitively small signature sizes but incurs high computational costs for signing and verification. This work explores how a high-performance FPGA-based hardware implementation can enhance MEDS performance by leveraging the inherent parallelism of its computations, while examining the trade-offs between performance gains and resource costs. This work in particular proposes a unified hardware architecture capable of efficiently performing both signing and verification operations within a single combined design. The architecture jointly supports all security parameters, including the dynamic, run-time handling of different prime fields without the need to re-configure the FPGA. This work also evaluates the resource overhead of supporting different prime fields in a single design, which is relevant not only for MEDS but also for other cryptographic schemes requiring similar flexibility. This work demonstrates that custom hardware for PQC signature schemes can flexibly support different prime fields with limited resource overhead. For example, for NIST security Level I, our implementation achieves signing times of 4.5 ms to 65.2 ms and verification times of 4.2 ms to 64.5 ms utilizing 22k to 72k LUTs and 66 to 273 DSPs depending on design variant and optimization goal.
## 2025/797
* Title: WEBCAT: Web-based Code Assurance and Transparency
* Authors: Giulio Berra
* [Permalink](
https://eprint.iacr.org/2025/797)
* [Download](
https://eprint.iacr.org/2025/797.pdf)
### Abstract
Ensuring code integrity in browser-based applications remains a longstanding challenge exacerbated by the complexity of modern web environments. We propose Web-based Code Assurance and Transparency, a novel code integrity verification and enforcement mechanism that prevents the execution of unverified code, unlike previous approaches premised on user-visible error indicators or permissive failure modes. WEBCAT remains compatible with modern web features, uses existing cryptographic components without reinventing primitives or requiring expensive infrastructure, and provides verifiable logs of all system components, even under degraded operational conditions. It follows a separation-of-concerns model in which hosting providers require no special trust or cryptographic keys to deploy developer-signed applications, reflecting real-world deployment scenarios in which trusted applications may be served by multiple less-trusted hosts.
We evaluate our approach by porting Jitsi, GlobaLeaks, Element, CryptPad, Standard Notes, and Bitwarden, demonstrating compatibility across a diverse set of applications. Benchmark results indicate an overhead of up to 2% for non-enrolled domains on cold starts and up to 20% for enrolled ones. Under warm start conditions, the overhead reaches 25% for enrolled domains and 5% for non-enrolled ones—lower than previous methods while addressing a larger threat model and remaining compatible with existing applications.
## 2025/798
* Title: CRAFT: Characterizing and Root-Causing Fault Injection Threats at Pre-Silicon
* Authors: Arsalan Ali Malik, Harshvadan Mihir, Aydin Aysu
* [Permalink](
https://eprint.iacr.org/2025/798)
* [Download](
https://eprint.iacr.org/2025/798.pdf)
### Abstract
Fault injection attacks represent a class of threats that can compromise embedded systems across multiple layers of abstraction, such as system software, instruction set architecture (ISA), microarchitecture, and physical implementation. Early detection of these vulnerabilities and understanding their root causes, along with their propagation from the physical layer to the system software, is critical in securing the cyberinfrastructure.
This work presents a comprehensive methodology for conducting controlled fault injection attacks at the pre-silicon level and an analysis of the underlying system for root-causing behavior. As the driving application, we use the clock glitch attacks in AI/ML applications for critical misclassification. Our study aims to characterize and diagnose the impact of faults within the RISC-V instruction set and pipeline stages, while tracing fault propagation from the circuit level to the AI/ML application software. This analysis resulted in discovering two new vulnerabilities through controlled clock glitch parameters. First, we reveal a novel method for causing instruction skips, thereby preventing the loading of critical values from memory. This can cause disruption and affect program continuity and correctness. Second, we demonstrate an attack that converts legal instructions into illegal ones, thereby diverting control flow in a manner exploitable by attackers. Our work underscores the complexity of fault injection attack exploits and emphasizes the importance of preemptive security analysis.
[digest] 2025 Week 18