[continued from previous message]
Quantum Key Distribution (QKD) is currently being discussed as a technology to safeguard communication in a future where quantum computers compromise traditional public-key cryptosystems. In this paper, we conduct a comprehensive security evaluation of
QKD-based solutions, focusing on real-world use cases sourced from academic literature and industry reports. We analyze these use cases, assess their security and identify the possible advantages of deploying QKD-based solutions. We further compare QKD-
based solutions with Post-Quantum Cryptography (PQC), the alternative approach to achieving security when quantum computers compromise traditional public-key cryptosystems, evaluating their respective suitability for each scenario. Based on this
comparative analysis, we critically discuss and comment on which use cases QKD is suited for, considering factors such as implementation complexity, scalability, and long-term security. Our findings contribute to a better understanding of the role QKD
could play in future cryptographic infrastructures and offer guidance to decision-makers considering the deployment of QKD.
## 2025/174
* Title: VITARIT: Paying for Threshold Services on Bitcoin and Friends
* Authors: Lucjan Hanzlik, Aniket Kate, Easwar Vivek Mangipudi, Pratyay Mukherjee, Sri AravindaKrishnan Thyagarajan
* [Permalink](
https://eprint.iacr.org/2025/174)
* [Download](
https://eprint.iacr.org/2025/174.pdf)
### Abstract
Blockchain service offerings have seen a rapid rise
in recent times. Many of these services realize a decentralized
architecture with a threshold adversary to avoid a single
point of failure and to mitigate key escrow issues. While
payments to such services are straightforward in systems
supporting smart contracts, achieving fairness poses challenges
in systems like Bitcoin, adhering to the UTXO model with
limited scripting capabilities. This is especially challenging
without smart contracts, as we wish to pay only the required
threshold of t + 1 out of the n servers offering the service
together, without any server claiming the payment twice.
In this paper, we introduce VITARIT 1, a novel payment
solution tailored for threshold cryptographic services in UTXO
systems like Bitcoin. Our approach guarantees robust provable
security while facilitating practical deployment. We focus on
the t-out-of-n distributed threshold verifiable random function
(VRF) service with certain properties, such as threshold BLS
signatures, a recently highlighted area of interest. Our protocol
enables clients to request verifiable random function (VRF)
values from the threshold service, triggering payments to up
to t + 1 servers of the distributed threshold VRF.
Our efficient design relies on simple transactions using
signature verification scripts, making it immediately applicable
in Bitcoin-like systems. We also introduce new tools and
techniques at both the cryptographic and transaction layers,
including a novel signature-VRF exchange protocol for standard
constructions, which may be of independent interest. Addition-
ally, our transaction flow design prevents malicious servers
from claiming payments twice, offering broader implications for
decentralized payment systems. Our prototype implementation
shows that in the two-party interaction, the client takes 126.4
msec, and the server takes 204 msec, demonstrating practicality
and deployability of the system
## 2025/175
* Title: Updatable Public-Key Encryption, Revisited
* Authors: Joël Alwen, Georg Fuchsbauer, Marta Mularczyk
* [Permalink](
https://eprint.iacr.org/2025/175)
* [Download](
https://eprint.iacr.org/2025/175.pdf)
### Abstract
We revisit Updatable Public-Key Encryption (UPKE), which was introduced as a practical mechanism for building forward-secure cryptographic protocols. We begin by observing that all UPKE notions to date are neither syntactically flexible nor secure enough
for the most important multi-party protocols motivating UPKE. We provide an intuitive taxonomy of UPKE properties -- some partially or completely overlooked in the past -- along with an overview of known (explicit and implicit) UPKE constructions. We
then introduce a formal UPKE definition capturing all intuitive properties needed for multi-party protocols.
Next, we provide a practical pairing-based construction for which we provide concrete security bounds under a standard assumption in the random oracle and the algebraic group model. The efficiency profile of the scheme compares very favorably with
existing UPKE constructions (despite the added flexibility and stronger security). For example, when used to improve the forward security of the Messaging Layer Security protocol [RFC9420], our new UPKE construction requires $\approx 1\%$ of the
bandwidth of the next-most efficient UPKE construction satisfying the strongest UPKE notion previously considered.
## 2025/176
* Title: HyperLoop: Rationally secure efficient cross-chain bridge
* Authors: Aniket Kate, Easwar Vivek Mangipudi, Charan Nomula, Raghavendra Ramesh, Athina Terzoglou, Joshua Tobkin
* [Permalink](
https://eprint.iacr.org/2025/176)
* [Download](
https://eprint.iacr.org/2025/176.pdf)
### Abstract
Cross-chain bridges, realizing the transfer of information and assets between blockchains, form the core of blockchain interoperability solutions. Most existing bridge networks are modeled in an honest-malicious setting, where the bridge nodes are either
honest or malicious. Rationality allows the nodes to deviate from the protocol arbitrarily for an economic incentive. In this work, we present HyperLoop, an efficient cross-chain multi-signature bridge and prove that it is safe and live game-
theoretically, under the more realistic rational-malicious model.
As rational bridge nodes are allowed to deviate from the protocol and even collude, a monitor mechanism is necessitated, which we realize by introducing whistle-blower nodes. These whistle-blowers constantly check the operations of the bridge and raise
complaints to a complaint resolution network in case of discrepancies. To enforce punishments, it is necessary for the nodes to stake an amount before participating as bridge nodes. Consequently, a cap on the volume of funds transferred over the bridge
is established. We describe a sliding window mechanism and establish a relation between the stake and the sliding window limit necessary for the safety of the bridge.
Our design yields an economic, computation, and communication-efficient bridge. We realize and deploy our bridge prototype bridging Ethereum and Polygon chains over testnets. For a 19-node bridge network, each bridge node takes an average of only 3 msec
to detect and sign a source chain request, showing the highly efficiency and low-latency of the bridge.
## 2025/177
* Title: On the Power of Sumcheck in Secure Multiparty Computation
* Authors: Zhe Li, Chaoping Xing, Yizhou Yao, Chen Yuan
* [Permalink](
https://eprint.iacr.org/2025/177)
* [Download](
https://eprint.iacr.org/2025/177.pdf)
### Abstract
Lund et al. (JACM 1992) invented the powerful Sumcheck protocol that has been extensively used in complexity theory and also for designing concretely efficient (zero-knowledge) arguments. In this work, we systematically study Sumcheck in the context of
secure multi-party computation (MPC). Our main result is a new generic framework for lifting semi-honest MPC protocols to malicious security, with a {\em constant} multiplicative overhead in {\em both} computation and communication, and even additional
logarithmic communication in the best case. In general, our approach applies to any semi-honest linear secret-sharing based MPC secure up to additive attacks, where secret-sharings can be added with an authentication property. At a high-level, our
approach has a highly distributive flavor, where the parties jointly emulate a Sumcheck prover that proves the correctness of MPC semi-honest evaluations in zero-knowledge, meanwhile they also jointly emulate a Sumcheck verifier and verify the proof
themselves. Along the way, we provide a new angle of view on the {\em fully linear interactive oracle proof} (FLIOP) systems proposed by Boneh et al. (CRYPTO 2019). That is, essentially distributed sumcheck on proving a batch of multiplications is an
optimized concrete instantiation of the FLIOP-based approach.
As concrete applications of our techniques, we first consider semi-honest MPC protocols based on Shamir secret-sharing with an honest majority. Suppose $M$-party and circuit size $N$, to achieve malicious security, our approach only introduces additional
$10MN+O(M\log{N})$ total computation, communication of reconstructions of $4\log{N}+6$ secret-shared values, $O(\log{N})$ rounds and $O(\log{N})$ correlated randomness. This shows that malicious security with abort in honest majority MPC comes {\em free}
in terms of both computation and communication.
We then consider dishonest majority MPC, where the best known semi-honest protocol achieves $2N$ online communication per party and sublinear preprocessing by using programmable pseudorandom correlation generators (PCGs). We realize malicious MPC with $
4N+O(\log{N})$ online communication as well as sublinear preprocessing, matching the optimal $2\times$ communication overhead in Hazay et al. (JOC 2024). Our protocol is essentially obtained by using Sumcheck techniques to check authenticated
multiplication triple relations, which requires only $N+1$ {\em standard Beaver triples} and $O(\log{N})$ random authenticated shares for $N$ semi-honestly generated authenticated triples. Compared to the FLIOP-based checking mechanism (Boyle et al.
CRYPTO 2022) that requires $O(\sqrt{N})$ communication and $O(N^{1.5})$ computation, we do not introduce any cryptographic assumption beyond PCGs, and have $O(N)$ computation.
## 2025/178
* Title: Improved Differential and Linear Cryptanalysis on Round-Reduced SIMON * Authors: Chao Niu, Muzhou Li, Jifu Zhang, Meiqin Wang
* [Permalink](
https://eprint.iacr.org/2025/178)
* [Download](
https://eprint.iacr.org/2025/178.pdf)
### Abstract
SIMON is a lightweight block cipher proposed by the National Security Agency. According to previous cryptanalytic results on SIMON, differential and linear cryptanalysis are the two most effective attacks on it.
Usually, there are many trails sharing the same input and output differences (resp. masks).
These trails comprise the differential (resp. linear hull) and can be used together when mounting attacks.
In ASIACRYPT 2021, Leurent et al. proposed a matrix-based method on SIMON-like ciphers, where only trails whose active bits stay in a $w$-bit window are considered.
The static window in each round is chosen to be $w$ least significant bits. They applied this efficient framework on SIMON and SIMECK, and have obtained many better differentials and linear hulls than before. For SIMON, they also found that there seems to be some potential for improvement, which should be further investigated.
In this paper, we dynamically choose window for each round to achieve better distinguishers. Benefiting from these dynamic windows, we can obtain stronger differentials and linear hulls than previously proposed for almost all versions of SIMON.
Finally, we provided the best differential/linear attacks on SIMON48, SIMON64, and SIMON96 in terms of round number, complexity, or success rate.
## 2025/179
* Title: Higher-Order Deterministic Masking with Application to Ascon
* Authors: Vahid Jahandideh, Bart Mennink, Lejla Batina
* [Permalink](
https://eprint.iacr.org/2025/179)
* [Download](
https://eprint.iacr.org/2025/179.pdf)
### Abstract
Side-channel attacks (SCAs) pose a significant threat to the implementations of lightweight ciphers, particularly in resource-constrained environments where masking—the primary countermeasure—is constrained by tight resource limitations.
This makes it crucial to reduce the resource and randomness requirements of masking schemes. In this work, we investigate an approach to minimize the randomness complexity of masking algorithms. Specifically, we explore the theoretical foundations of
deterministic higher-order masking, which relies solely on offline randomness present in the initial input shares and eliminates the need for online (fresh) randomness during internal computations.
We demonstrate the feasibility of deterministic masking for ciphers such as Ascon, showing that their diffusion layer can act as a refresh subcircuit. This ensures that, up to a threshold number, probes placed in different rounds remain independent.
Based on this observation, we propose composition theorems for deterministic masking
schemes. On the practical side, we extend the proof of first- and second-order probing security for Ascon’s protected permutation from a single round to an arbitrary number of rounds
## 2025/180
* Title: On the Atomicity and Efficiency of Blockchain Payment Channels
* Authors: Di Wu, Shoupeng Ren, Yuman Bai, Lipeng He, Jian Liu, Wu Wen, Kui Ren, Chun Chen
* [Permalink](
https://eprint.iacr.org/2025/180)
* [Download](
https://eprint.iacr.org/2025/180.pdf)
### Abstract
Payment channels have emerged as a promising solution to address the performance limitations of cryptocurrencies payments, enabling efficient off-chain transactions while maintaining security guarantees. However, existing payment channel protocols,
including the widely-deployed Lightning Network and the state-of-the-art Sleepy Channels, suffer from a fundamental vulnerability: non-atomic state transitions create race conditions that can lead to unexpected financial losses. We first formalize
current protocols into a common paradigm and prove that this vulnerability is fundamental—any protocol following this paradigm cannot guarantee balance security due to the inherent race conditions in their design. To address this limitation, we propose
a novel atomic paradigm for payment channels that ensures atomic state transitions, effectively eliminating race conditions while maintaining all desired functionalities. Based on this paradigm, we introduce Ultraviolet, a secure and efficient payment
channel protocol that achieves both atomicity and high performance, while avoiding the introduction of unimplemented Bitcoin features. Ultraviolet reduces the number of required messages per transaction by half compared to existing solutions, while
maintaining comparable throughput. We formally prove the security of Ultraviolet under the universal composability framework and demonstrate its practical efficiency through extensive evaluations across multiple regions. This results in a 37% and 52%
reduction in latency compared to the Lightning Network and Sleepy Channels, respectively. Regarding throughput, Ultraviolet achieves performance comparable to the Lightning Network and delivers 2× the TPS of Sleepy Channels.
## 2025/181
* Title: Improved NTT and CRT-based RNR Blinding for Side-Channel and Fault Resistant Kyber
* Authors: Max Duparc, Mounir Taha
* [Permalink](
https://eprint.iacr.org/2025/181)
* [Download](
https://eprint.iacr.org/2025/181.pdf)
### Abstract
In this paper, we build upon the blinding methods introduced in recent years to enhance the protection of lattice-based cryptographic schemes against side-channel and fault injection attacks. Specifically, we propose a cost-efficient blinded Number
Theoretic Transform (NTT) that impedes the convergence of Soft Analytical Side-Channel Attacks (SASCA), even with limited randomness sampling. Additionally, we extend the blinding mechanism based on the Chinese Remainder Theorem (CRT) and Redundant
Number Representation (RNR) introduced by Heiz and Pöppelmann by reducing the randomness sampling overhead and accelerating the verification phase.
These two blinding mechanisms are nicely compatible with each other's and, when combined, provide enhanced resistance against side-channel attacks, both classical and soft analytical, as well as fault injection attacks, while maintaining high performance
and low overhead, making the approach well-suited for practical applications, particularly in resource-constrained IoT environments.
## 2025/182
* Title: Deny Whatever You Want: Dual-Deniable Public-Key Encryption
* Authors: Zhiyuan An, Fangguo Zhang
* [Permalink](
https://eprint.iacr.org/2025/182)
* [Download](
https://eprint.iacr.org/2025/182.pdf)
### Abstract
We introduce an enhanced requirement of deniable public key encryption that we call dual-deniability. It asks that a sender who is coerced should be able to produce fake randomness, which can explain the target ciphertext as the encryption of any
alternative message under any valid key she/he desires to deny. Compared with the original notion of deniability (Canetti et al. in CRYPTO ’97, hereafter named message-deniability), this term further provides a shield for the anonymity of the receiver
against coercion attacks.
We first give a formal definition of dual-deniability, along with its weak-mode variant. For conceptual understanding, we then show dual-deniability implies semantic security and anonymity against CPA, separates full robustness, and even
contradicts key-less or mixed robustness, while is (constructively) implied by key-deniability and full robustness with a minor assumption for bits encryption. As for the availability of dual-deniability, our main scheme is a generic approach from
ciphertext-simulatable PKE, where we devise a subtle multi-encryption schema to hide the true message within random masking ciphertexts under plan-ahead setting. Further, we leverage the weak model to present a more efficient scheme having negligible
detection probability and constant ciphertext size. Besides, we revisit the notable scheme (Sahai and Waters in STOC ’14) and show it is inherently dual-deniable. Finally, we extend the Boneh-Katz transform to capture CCA security, deriving dual-
deniable and CCA-secure PKE from any selectively dual-deniable IBE under multi-TA setting. Overall our work mounts the feasibility of anonymous messaging against coercion attacks.
## 2025/183
* Title: OBLIVIATOR: Oblivious Parallel Joins and other Operators in Shared Memory Environments
* Authors: Apostolos Mavrogiannakis, Xian Wang, Ioannis Demertzis, Dimitrios Papadopoulos, Minos Garofalakis
* [Permalink](
https://eprint.iacr.org/2025/183)
* [Download](
https://eprint.iacr.org/2025/183.pdf)
### Abstract
We introduce oblivious parallel operators designed for both non-foreign key and foreign key equi-joins. Obliviousness ensures nothing is revealed about the data besides input/output sizes, even against a strong adversary that can observe memory access
patterns.
Our solution achieves this by combining trusted hardware with efficient oblivious primitives for compaction and sorting, and two oblivious algorithms: (i) an oblivious aggregation tree, which can be described as a variation of the parallel prefix sum,
customized for trusted hardware, and (ii) a novel algorithm for obliviously expanding the elements of a relation.
In the sequential setting, our oblivious join performs $4.6\times$- $5.14\times$ faster than the prior state-of-the-art solution (Krastnikov et al., VLDB 2020) on data sets of size $n=2^{24}$. In the parallel setting, our algorithm achieves a speedup of
up to roughly $16\times$ over the sequential version, when running with 32 threads (becoming up to $80\times$ compared to the sequential algorithm of Krastnikov et al.).
Finally, our oblivious operators can be used independently to support other oblivious relational database queries, such as oblivious selection and oblivious group-by.
## 2025/184
* Title: NodeChain: Cheap Data Integrity Without Consensus
* Authors: Orfeas Stefanos Thyfronitis Litos, Zhaoxuan Wu, Alfredo Musumeci, Songyun Hu, James Helsby, Michael Breza, William Knottenbelt
* [Permalink](
https://eprint.iacr.org/2025/184)
* [Download](
https://eprint.iacr.org/2025/184.pdf)
### Abstract
Blockchains enable decentralised applications that withstand Byzantine failures and do not need a central authority. Unfortunately, their massive replication requirements preclude their use on constrained devices.
We propose a novel blockchain-based data structure which forgoes replication without affecting the append-only nature of blockchains, making it suitable for maintaining data integrity over networks of storage-constrained devices. Our solution does not
provide consensus, which is not required by our motivating application, namely securely storing sensor data of containers in cargo ships.
We elucidate the practical promise of our technique by following a multi-faceted approach: We (i) formally prove the security of our protocol in the
Universal Composition (UC) setting, as well as (ii) provide a small-scale proof-of-concept implementation, (iii) a performance simulation for large-scale deployments which showcases a reduction in storage of more than $1000$x compared to traditional
blockchains, and (iv) a resilience simulation that predicts the practical effects of network jamming attacks.
## 2025/185
* Title: AutoDiVer: Automatically Verifying Differential Characteristics and Learning Key Conditions
* Authors: Marcel Nageler, Shibam Ghosh, Marlene Jüttler, Maria Eichlseder
* [Permalink](
https://eprint.iacr.org/2025/185)
* [Download](
https://eprint.iacr.org/2025/185.pdf)
### Abstract
Differential cryptanalysis is one of the main methods of cryptanalysis and has been applied to a wide range of ciphers. While it is very successful, it also relies on certain assumptions that do not necessarily hold in practice. One of these is the
hypothesis of stochastic equivalence, which states that the probability of a differential characteristic behaves similarly for all keys. Several works have demonstrated examples where this hypothesis is violated, impacting the attack complexity and
sometimes even invalidating the investigated prior attacks. Nevertheless, the hypothesis is still typically taken for granted. In this work, we propose AutoDiVer, an automatic tool that allows to thoroughly verify differential characteristics. First, the
tool supports calculating the expected probability of differential characteristics while considering the key schedule of the cipher. Second, the tool supports estimating the size of the space of keys for which the characteristic permits valid pairs, and
deducing conditions for these keys. AutoDiVer implements a custom SAT modeling approach and takes advantage of a combination of features of advanced SAT solvers, including approximate model counting and clause learning. To show applicability to many
different kinds of block ciphers like strongly aligned, weakly aligned, and ARX ciphers, we apply AutoDiVer to GIFT, PRESENT, RECTANGLE, SKINNY, WARP, SPECK, and SPEEDY.
## 2025/186
* Title: Computing Quaternion Embeddings and Endomorphism rings of Supersingular Oriented Elliptic curves
* Authors: Maher Mamah
* [Permalink](
https://eprint.iacr.org/2025/186)
* [Download](
https://eprint.iacr.org/2025/186.pdf)
### Abstract
In this paper, we investigate several computational problems motivated by post-quantum cryptosystems based on isogenies and ideal class group actions on oriented elliptic curves. Our main technical contribution is an efficient algorithm for embedding the
ring of integers of an imaginary quadratic field \( K \) into some maximal order of the quaternion algebra \( B_{p,\infty} \) ramified at a prime \( p \) and infinity. Assuming the Generalized Riemann Hypothesis (GRH), our algorithm runs in probabilistic
polynomial time, improving upon previous results that relied on heuristics or required the factorization of \( \textnormal{disc}(K) \). Notably, this algorithm may be of independent interest.
Our approach enhances the work of Love and Boneh on computing isogenies between \( M \)-small elliptic curves by eliminating heuristics and improving computational efficiency. Furthermore, given a quadratic order \( \mathfrak{O} \) in \( K \), we
show that our algorithm reduces the computational endomorphism ring problem of \( \mathfrak{O} \)-oriented elliptic curves to the Vectorization problem in probabilistic polynomial time, assuming the conductor of \( \mathfrak{O} \) can be efficiently
factorized. Previously, the best known result required the full factorization of \( \textnormal{disc}(\mathfrak{O}) \), which may be exponentially large.
Additionally, when the conductor of \( \mathfrak{O} \) can be efficiently factorized, we establish a polynomial-time equivalence between the Quaternion Order Embedding Problem, which asks to embed a quadratic order \( \mathfrak{O} \) into a maximal
order in \( B_{p,\infty} \), and computing horizontal isogenies between \( \mathfrak{O} \)-oriented elliptic curves. Leveraging this reduction, we propose a rigorous algorithm, under GRH, that solves the quaternion order embedding problem in time \( \
tilde{O}(|\mathrm{disc}(\mathfrak{O})|^{1/2}) \), improving upon previous methods that required higher asymptotic time and relied on several heuristics.
## 2025/187
* Title: Asymptotic improvements to provable algorithms for the code equivalence problem
* Authors: Huck Bennett, Drisana Bhatia, Jean-François Biasse, Medha Durisheti, Lucas LaBuff, Vincenzo Pallozzi Lavorante, Philip Waitkevich
* [Permalink](
https://eprint.iacr.org/2025/187)
* [Download](
https://eprint.iacr.org/2025/187.pdf)
### Abstract
We present several new provable algorithms for two variants of the code equivalence problem on linear error-correcting codes, the Linear Code Equivalence Problem (LCE) and the Permutation Code Equivalence Problem (PCE). Specifically, for arbitrary codes
of block length $n$ and dimension $k$ over any finite field $\mathbb{F}_q$, we show:
1) A deterministic algorithm running in $2^{n + o(n+q)}$ time for LCE.
2) A randomized algorithm running in $2^{n/2 + o(n+q)}$ time for LCE and PCE. 3) A quantum algorithm running in $2^{n/3 + o(n+q)}$ time for LCE and PCE.
The first algorithm complements the deterministic roughly $2^n$-time algorithm of Babai (SODA 2011) for PCE.
The second two algorithms improve on recent work of Nowakowski (PQCrypto 2025), which gave algorithms with similar running times, but only for code equivalence on \emph{random} codes and only over fields of order $q \geq 7$.
## 2025/188
* Title: BulletCT: Towards More Scalable Ring Confidential Transactions With Transparent Setup
* Authors: Nan Wang, Qianhui Wang, Dongxi Liu, Muhammed F. Esgin, Alsharif Abuadbba
* [Permalink](
https://eprint.iacr.org/2025/188)
* [Download](
https://eprint.iacr.org/2025/188.pdf)
### Abstract
RingCT signatures are essential components of Ring Confidential Transaction (RingCT) schemes on blockchain platforms, enabling anonymous transaction spending and significantly impacting the scalability of these schemes. This paper makes two primary
contributions:
We provide the first thorough analysis of a recently developed Any-out-of-N proof in the discrete logarithm (DLOG) setting and the associated RingCT scheme, introduced by ZGSX23 (S&P '23). The proof conceals the number of the secrets to offer greater
anonymity than K-out-of-N proofs and uses an efficient "K-Weight" technique for its construction. However, we identify for the first time several limitations of using Any-out-of-N proofs, such as increased transaction sizes, heightened cryptographic
complexities and potential security risks. These limitations prevent them from effectively mitigating the longstanding scalability bottleneck.
We then continue to explore the potential of using K-out-of-N proofs to enhance scalability of RingCT schemes. Our primary innovation is a new DLOG-based RingCT signature that integrates a refined "K-Weight"-based K-out-of-N proof and an entirely new tag
proof. The latter is the first to efficiently enable the linkability of RingCT signatures derived from the former, effectively resisting double-spending attacks.
Finally, we identify and patch a linkability flaw in ZGSX23's signature. We benchmark our scheme against this patched one to show that our scheme achieves a boost in scalability, marking a promising step forward.
## 2025/189
* Title: Experimentally studying path-finding problem between conjugates in supersingular isogeny graphs: Optimizing primes and powers to speed-up cycle finding
* Authors: Madhurima Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2025/189)
* [Download](
https://eprint.iacr.org/2025/189.pdf)
### Abstract
We study the problem of finding a path between conjugate supersingular elliptic curves over $\mathbb{F}_{p^2}$ for a prime $p$, which is important for cycle finding in supersingular isogeny graphs. We see that for any given $p$, there is some $l$
corresponding to $p$ which accelerates the process of conjugate path-finding. Also, time-wise, the most efficient way of overviewing the graph is seeing $i(=3)$ steps at once. We have outlined methods in which the next vertex of any pseudo-random walk
should be chosen to reach conjugate vertex faster. We have experimentally investigated the paths between frobenius conjugates for wide ranges of small prime $l$. We introduce sets to experimentally learn about the structure of the isogeny graphs when
short cycles are present.
## 2025/190
* Title: Binary Codes for Error Detection and Correction in a Computationally Bounded World
* Authors: Jad Silbak, Daniel Wichs
* [Permalink](
https://eprint.iacr.org/2025/190)
* [Download](
https://eprint.iacr.org/2025/190.pdf)
### Abstract
We study error detection and correction in a computationally bounded world, where errors are introduced by an arbitrary $\textit{polynomial-time}$ adversarial channel. Our focus is on $\textit{seeded}$ codes, where the encoding and decoding procedures
can share a public random seed, but are otherwise deterministic. We can ask for either $\textit{selective}$ or $\textit{adaptive}$ security, depending on whether the adversary can choose the message being encoded before or after seeing the seed. For
large alphabets, a recent construction achieves essentially optimal rate versus error tolerance trade-offs under minimal assumptions, surpassing information-theoretic limits. However, for the binary alphabet, the only prior improvement over information
theoretic codes relies on non-standard assumptions justified via the random oracle model. We show the following:
$\textbf{Selective Security under LWE:}$ Under the learning with errors (LWE) assumption, we construct selectively secure codes over the binary alphabet. For error detection, our codes achieve essentially optimal rate $R \approx 1$ and relative error
tolerance $\rho \approx \frac{1}{2}$. For error correction, they can uniquely correct $\rho < 1/4$ relative errors with a rate $R$ that essentially matches that of the best list-decodable codes with error tolerance $\rho$. Both cases provide significant
improvements over information-theoretic counterparts. The construction relies on a novel form of 2-input correlation intractable hash functions that we construct from LWE.
$\textbf{Adaptive Security via Crypto Dark Matter:}$ Assuming the exponential security of a natural collision-resistant hash function candidate based on the ``crypto dark matter'' approach of mixing linear functions over different moduli, we construct
adaptively secure codes over the binary alphabet, for both error detection and correction. They achieve essentially the same trade-offs between error tolerance $\rho$ and rate $R$ as above, with the caveat that for error-correction they only do so for
sufficiently small values of $\rho$.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)