## In this issue
1. [2023/867] Security Analysis of Forward Secure Log Sealing in ...
2. [2024/1665] DMM: Distributed Matrix Mechanism for ...
3. [2025/282] Transistor: a TFHE-friendly Stream Cipher
4. [2025/366] Enabling Microarchitectural Agility: Taking ML-KEM ...
5. [2025/668] (Interleaved) Extended Gabidulin Codes, More ...
6. [2025/896] InstaRand: Instantly Available and Instantly ...
7. [2025/1061] On the Adaptive Security of FROST
8. [2025/1116] The Pipes Model for Latency Analysis
9. [2025/1117] Speeding Up Sum-Check Proving
10. [2025/1118] Extracting Some Layers of Deep Neural Networks in ...
11. [2025/1119] Strong Secret Sharing with Snitching
12. [2025/1120] Traceable Secret Sharing Schemes for General Access ...
13. [2025/1121] 1-private n-party AND from 5 random bits
14. [2025/1122] An Induction Principle for Hybrid Arguments in ...
15. [2025/1123] Cryptographic Treatment of Key Control Security -- ...
16. [2025/1124] Toxic Decoys: A Path to Scaling Privacy-Preserving ...
17. [2025/1125] Reusable Designated Verifier NIZK from Lossy ...
18. [2025/1126] Leakage-Resilient Extractors against Number-on- ...
19. [2025/1127] KIVR: Committing Authenticated Encryption Using ...
20. [2025/1128] Solving LWE with Independent Hints about Secret and ...
21. [2025/1129] Lattice-based Obfuscation from NTRU and Equivocal LWE
22. [2025/1130] An Open-Source Framework for Efficient Side-Channel ...
23. [2025/1131] Empowering Privacy: A Zero Cost Protocol for ...
24. [2025/1132] Foundations of Multi-Designated Verifier Signature: ...
25. [2025/1133] A Note on the Rank Defect Phenomena in The ...
26. [2025/1134] Optimal Dimensionality Reduction using Conditional ...
27. [2025/1135] Keep It Unsupervised: Horizontal Attacks Meet ...
28. [2025/1136] Learning Parity with Quantization: Achieving Full- ...
29. [2025/1137] Security Analysis on UOV Families with Odd ...
30. [2025/1138] ZK-NR: A Layered Cryptographic Architecture for ...
31. [2025/1139] From Permissioned to Proof-of-Stake Consensus
32. [2025/1140] Unconditionally secure encryption algorithm with ...
33. [2025/1141] LZKSA: Lattice-Based Special Zero-Knowledge Proofs ...
34. [2025/1142] OnionPIRv2: Efficient Single-Server PIR
35. [2025/1143] Wedges, oil, and vinegar -- An analysis of UOV in ...
36. [2025/1144] Parasol Compiler: Pushing the Boundaries of FHE ...
37. [2025/1145] Dynamic Group Signatures with Verifier-Local Revocation
38. [2025/1146] QV-net: Decentralized Self-Tallying Quadratic ...
39. [2025/1147] Jigsaw: Doubly Private Smart Contracts
40. [2025/1148] On the Composition of Single-Keyed Tweakable Even- ...
41. [2025/1149] An Efficient Encryption Scheme Based on $(U+V, ...
42. [2025/1150] Lightweight Sorting in Approximate Homomorphic ...
43. [2025/1151] Faster signature verification with 3-dimensional ...
44. [2025/1152] ZK-ProVer: Proving Programming Verification in Non- ...
45. [2025/1153] Privacy-aware White and Black List Searching for ...
46. [2025/1154] Evaluation of Modular Polynomials from ...
47. [2025/1155] On the Security of Group Ring Learning with Errors
48. [2025/1156] An efficient construction of Raz's two-source ...
49. [2025/1157] General Multi-Prime Multi-Power RSA - A ...
50. [2025/1158] Bridging Bitcoin to Second Layers via BitVM2
51. [2025/1159] $\mathsf{DekartProof}$: Efficient Vector Range ...
52. [2025/1160] Black-box Approaches to Authenticated Dictionaries: ...
53. [2025/1161] High-Performance FPGA Accelerator for the Post- ...
54. [2025/1162] SV-LLM: An Agentic Approach for SoC Security ...
55. [2025/1163] Efficient, Scalable Threshold ML-DSA Signatures: An ...
56. [2025/1164] Man-in-the-Middle and Key Recovery Attacks against ...
57. [2025/1165] Automated Analysis and Synthesis of Message ...
58. [2025/1166] Threshold Signatures Reloaded: ML-DSA and Enhanced ...
59. [2025/1167] Security Analysis on a Public-Key Inverted-Index ...
60. [2025/1168] On Frontrunning Risks in Batch-Order Fair Systems ...
## 2023/867
* Title: Security Analysis of Forward Secure Log Sealing in Journald
* Authors: Felix Dörre, Astrid Ottenhues
* [Permalink](
https://eprint.iacr.org/2023/867)
* [Download](
https://eprint.iacr.org/2023/867.pdf)
### Abstract
This paper presents a security analysis of forward-secure log sealing in the journald logging system, which is installed by default in almost all modern Linux distributions. Forward-secure log sealing is a cryptographic technique used to ensure the
integrity of past log entries even in the event of a full system compromise. We identify multiple security vulnerabilities in journald resulting from a gap between the model of the cryptographic primitives and their usage in a larger context. Our
contribution is both theoretical and practical: As a practical contribution, we discovered attacks on the log sealing in journald and provide descriptions as well as implementations of the attacks. In particular one vulnerability allows to forge
arbitrary logs for past entries without the validation tool noticing any problem. This finding completely breaks the security guarantee of log sealing. For all described vulnerabilities we provide patches, the two more serious ones are merged in systemd
version 255. As a theoretical contribution, we provide formal definitions that capture the expected security properties of log sealing. We demonstrate our attacks on the vulnerable version of journald by showing how an attacker can defeat this security
definition. Furthermore, we provide a modified version of the logging scheme which underlies the one in journald and prove that it satisfies our security definition. Since our patches have been merged, our logging scheme is the basis for the log sealing
in journald. This work narrows the gap between theory and practice. It provides a practical example of the problems that can occur when applying cryptographic primitives to a complex real world system. It makes the logging implementation used in many
Linux distributions more secure and demonstrates the importance of rigorous security analysis of cryptographic systems.
## 2024/1665
* Title: DMM: Distributed Matrix Mechanism for Differentially-Private Federated Learning Based on Constant-Overhead Linear Secret Resharing
* Authors: Alexander Bienstock, Ujjwal Kumar, Antigoni Polychroniadou
* [Permalink](
https://eprint.iacr.org/2024/1665)
* [Download](
https://eprint.iacr.org/2024/1665.pdf)
### Abstract
Federated Learning (FL) solutions with central Differential Privacy (DP) have seen large improvements in their utility in recent years arising from the $\textit{matrix mechanism}$, while FL solutions with distributed (more private) DP have lagged behind.
In this work, we introduce the $\textit{distributed}$ matrix mechanism to achieve the best-of-both-worlds; better privacy of distributed DP and better utility from the matrix mechanism. We accomplish this using a novel cryptographic protocol that
securely transfers sensitive values across client committees of different training iterations with constant communication overhead. This protocol accommodates the dynamic participation of users required by FL, including those that may drop out from the
computation. We provide experiments which show that our mechanism indeed significantly improves the utility of FL models compared to previous distributed DP mechanisms, with little added overhead.
## 2025/282
* Title: Transistor: a TFHE-friendly Stream Cipher
* Authors: Jules Baudrin, Sonia Belaïd, Nicolas Bon, Christina Boura, Anne Canteaut, Gaëtan Leurent, Pascal Paillier, Léo Perrin, Matthieu Rivain, Yann Rotella, Samuel Tap
* [Permalink](
https://eprint.iacr.org/2025/282)
* [Download](
https://eprint.iacr.org/2025/282.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) allows computations on encrypted data without requiring decryption, ensuring data privacy during processing. However, FHE introduces a significant expansion of ciphertext sizes compared to plaintexts, which results in
higher communication. A practical solution to mitigate this issue is transciphering, where only the master key is homomorphically encrypted, while the actual data is encrypted using a symmetric cipher, usually a stream cipher. The server then
homomorphically evaluates the stream cipher to convert the encrypted data into a homomorphically encrypted form.
We introduce Transistor, a stream cipher specifically designed for efficient homomorphic evaluation within the TFHE scheme, a widely-used FHE framework known for its fast bootstrapping and ability to handle low-precision data. Transistor operates on $\
mathbb{F}_{17}$ which is chosen to optimize TFHE performances. Its components are carefully engineered to both control noise growth and provide strong security guarantees. First, a simple TFHE-friendly implementation technique for LFSRs allows us to use
such components to cheaply increase the state size. At the same time, a small Finite State Machine is the only part of the state updated non-linearly, each non-linear operation corresponding in TFHE to a rather expensive Programmable Bootstrapping. This
update is done using an AES-round-like transformation. But, in contrast to other stream ciphers like SNOW or LEX, our construction comes with information-theoretic security arguments proving that an attacker cannot obtain any information about the secret
key from three or fewer consecutive keystream outputs. These information-theoretic arguments are then combined with a thorough analysis of potential correlations to bound the minimal keystream length required for recovering the secret key.
Our implementation of Transistor significantly outperforms the state of the art of TFHE transciphering, achieving a throughput of over 60 bits/s on a standard CPU, all while avoiding the need for an expensive initialization process.
## 2025/366
* Title: Enabling Microarchitectural Agility: Taking ML-KEM & ML-DSA from Cortex-M4 to M7 with SLOTHY
* Authors: Amin Abdulrahman, Matthias J. Kannwischer, Thing-Han Lim
* [Permalink](
https://eprint.iacr.org/2025/366)
* [Download](
https://eprint.iacr.org/2025/366.pdf)
### Abstract
Highly-optimized assembly is commonly used to achieve the best performance for popular cryptographic schemes such as the newly standardized ML-KEM and ML-DSA.
The majority of implementations today rely on hand-optimized assembly for the core building blocks to achieve both security and performance.
However, recent work by Abdulrahman et al. takes a new approach, writing a readable base assembly implementation first and leaving the bulk of the optimization work to a tool named SLOTHY based on constraint programming.
SLOTHY performs instruction scheduling, register allocation, and software pipelining simultaneously using constraints modeling the architectural and microarchitectural details of the target platform.
In this work, we extend SLOTHY and investigate how it can be used to migrate already highly hand-optimized assembly to a different microarchitecture, while maximizing performance.
As a case study, we optimize state-of-the-art Arm Cortex-M4 implementations of ML-KEM and ML-DSA for the Arm Cortex-M7.
Our results suggest that this approach is promising:
For the number-theoretic transform (NTT) – the core building block of both ML-DSA and ML-KEM – we achieve speed-ups of $1.97\times$ and $1.69\times$, respectively.
For Keccak – the permutation used by SHA-3 and SHAKE and also vastly used in ML-DSA and ML-KEM – we achieve speed-ups of 30% compared to the M4 code and 5% compared to hand-optimized M7 code.
For many other building blocks, we achieve similarly significant speed-ups of up to $2.35\times$.
Overall, this results in 11 to 33% faster code for the entire cryptosystems.
## 2025/668
* Title: (Interleaved) Extended Gabidulin Codes, More Attacks on Rank Decoding Problem, and Their Applications to Cryptosystems
* Authors: Yongcheng Song, Rongmao Chen, Fangguo Zhang, Xinyi Huang, Jian Weng, Huaxiong Wang
* [Permalink](
https://eprint.iacr.org/2025/668)
* [Download](
https://eprint.iacr.org/2025/668.pdf)
### Abstract
In this paper, we investigate the Extended Gabidulin (EG) codes and the Interleaved EG (IEG) codes, develop more powerful attacks on the variants of the Rank Decoding (RD) problem, and enhance rank-based cryptosystems such as RQC and ROLLO.
First, we develop a general decoding algorithm for the (I)EG codes by solving the Linear Reconstruction (LR) problem. We find that the (I)EG codes can be probabilistically decoded by Welch-Berlekamp like algorithm, can achieve arbitrarily small decoding
failure rate, and can decode up to the rank Gilbert-Varshamov bound (even close to the minimal distance). Our conclusion intrinsically shows that it is not necessary to require that the generator be linearly independent as Gabidulin codes for designing
decodable codes from $q$-polynomials. An interesting and important byproduct is that we demonstrate that decoding interleaved Gabidulin codes can be achieved deterministically by solving the LR problem. It has long been believed that there are only
probabilistic decoding algorithms for interleaved Gabidulin codes (IEEE TIT 2011, DCC 2014, DCC 2024).
Second, we develop the Blockwise Puncturing (BP) strategy for attacking on the Blockwise RD (BRD) problem (Asiacrypt 2023, IEEE TIT 2025) and Non-Homogenous RD (NHRD) problem (NIST PQC 2020, IEEE TIT 2024). We find that the BP strategy can significantly
speed up the overdetermined MM modeling and even underdetermined MM modelings. When the proposed attacks are applied to existing rank-based cryptosystems based on the BRD and NHRD problems, such as RQC (IEEE TIT 2025, IEEE TIT 2024, PQC 2024) and ROLLO (
IEEE TIT 2025, IEEE TIT 2022), the most parameters sets are lower than the claimed security. This implies that these cryptosystems should enlarge parameters to resist the MM attack with the BP strategy.
Third, we apply the EG codes to RQC based on the BRD problem. We find that the gain of using the EG codes in decoding capacity outweighs the complexity loss in solving the BRD problem with the BP strategy, which still makes it possible to design more
efficient RQC. As a result, RQC remains attractive sizes with a bandwidth of about 2.3 KB for 128-bit security. Overall, RQC still outperforms Hamming metric ones of NIST PQC Round 4 submissions, such as HQC, BIKE, and Classic McEliece, in terms of
bandwidth, especially about 65% more compact than the NIST PQC selected HQC.
## 2025/896
* Title: InstaRand: Instantly Available and Instantly Verifiable On-chain Randomness
* Authors: Jacob Gorman, Lucjan Hanzlik, Aniket Kate, Pratyay Mukherjee, Pratik Sarkar, Sri AravindaKrishnan Thyagarajan
* [Permalink](
https://eprint.iacr.org/2025/896)
* [Download](
https://eprint.iacr.org/2025/896.pdf)
### Abstract
Web3 applications, such as on-chain gaming, require unbiased and publicly verifiable randomness that can be obtained quickly and cost-effectively whenever needed. Existing services, such as those based on Verifiable Random Functions (VRF), incur network
delays and high fees due to their highly interactive nature. FlexiRand [CCS 2023] addressed these problems by hiding the output of the VRF and using that as a seed to derive many randomnesses locally. These randomnesses are instantly available for usage.
However, these randomnesses can not be verified independently (or instantly) without disclosing the seed, leaving scope for malicious actors to cheat.
To solve this problem, we introduce a new notion, called instantly-verifiable VRF (iVRF), which enables the generation of many randomnesses from one VRF output seed, such that each of them is verifiable independently - this enables the $first$
solution to $cost-effectively$ generate randomnesses, such that they are $instantly$ $available$ and also $independently/instantly$ $verifiable$.
To instantiate we propose a generic construction called InstaRand - it combines any (possibly distributed) VRF at the server's end with another VRF at the client's end to construct an iVRF. Our specific instantiation uses the BLS-based GLOW-DVRF [
Euro S&P 2021] at the server's end and the DDH-based VRF of Goldberg et al. [RFC 2023] at the client's end. We use the universal composability framework to analyze the security. Moreover, due to its generality, InstaRand can be instantiated with any post-
quantum secure VRF to yield a post-quantum secure iVRF.
Our experiments demonstrate that our instantiation of InstaRand is $highly$ $practical$. The client incurs a $one-time$ cost to generate the seed (server's VRF output) by querying the GLOW-dVRF servers once. Once the seed is set up, the client
locally generates the pseudorandom value on demand in $0.18~ms$, avoiding the client-server round-trip delay. Each value can be independently verified in $0.22~ms$. This yields a $400\times$ improvement in terms of output generation and $20\times$
improvement in verification cost over existing solutions.
## 2025/1061
* Title: On the Adaptive Security of FROST
* Authors: Elizabeth Crites, Jonathan Katz, Chelsea Komlo, Stefano Tessaro, Chenzhi Zhu
* [Permalink](
https://eprint.iacr.org/2025/1061)
* [Download](
https://eprint.iacr.org/2025/1061.pdf)
### Abstract
FROST and its variants are state-of-the-art protocols for threshold Schnorr signatures that are used in real-world applications. While static security of these protocols has been shown by several works, the security of these protocols under adaptive
corruptions—where an adversary can choose which parties to corrupt at any time based on information it learns during protocol executions—has remained a notorious open problem that has received renewed attention due to recent standardization efforts
for threshold schemes.
We show adaptive security (without erasures) of FROST and several variants under different corruption thresholds and computational assumptions. Let n be the total number of parties, t+1 the signing threshold, and t_c an upper bound on the number of
corrupted parties.
1. We prove adaptive security when t_c = t/2 in the random oracle model (ROM) based on the algebraic one-more discrete logarithm assumption (AOMDL)—the same conditions under which FROST is proven statically secure.
2. We introduce the low-dimensional vector representation (LDVR) problem, parameterized by t_c, t, and n, and prove adaptive security in the algebraic group model (AGM) and ROM based on the AOMDL assumption and the hardness of the LDVR problem for the
corresponding parameters. In some regimes (including some t_c >t/2) we show the LDVR problem is unconditionally hard, while in other regimes (in particular, when t_c = t) we show that hardness of the LDVR problem is necessary for adaptive security to
hold. In fact, we show that hardness of the LDVR problem is necessary for proving adaptive security of a broad class of threshold Schnorr signatures.
## 2025/1116
* Title: The Pipes Model for Latency Analysis
* Authors: Andrew Lewis-Pye, Kartik Nayak, Nibesh Shrestha
* [Permalink](
https://eprint.iacr.org/2025/1116)
* [Download](
https://eprint.iacr.org/2025/1116.pdf)
### Abstract
Protocols for State-Machine-Replication (sometimes called 'blockchain' protocols) generally make use of rotating leaders to drive consensus. In typical protocols (henceforth called 'single-sender' protocols), the leader is a single processor responsible
for making and disseminating proposals to others. Since the leader acts as a bottleneck, apparently limiting throughput, a recent line of research has investigated the use of 'multi-sender' protocols in which many processors distribute proposals in
parallel. Examples include DAG-based protocols such as DAG-Rider, Bullshark, Sailfish, Cordial Miners, Mysticeti, and variants such as Autobahn. However, existing models do not allow for a formal analysis to determine whether these protocols can actually
handle higher throughputs than single-sender protocols such as PBFT, Tendermint, and HotStuff.
In this paper, we describe a very simple model that allows for such an analysis. For any given protocol, the model allows one to calculate latency as a function of network bandwidth, network delays, the number of processors $n$, and the incoming
transaction rate. Each protocol has a latency bottleneck: an incoming transaction rate at which latency becomes unbounded over the protocol execution, i.e., a maximum throughput that the protocol can handle without unbounded latency.
With the aim of building to an analysis for state-of-the-art State-Machine-Replication (SMR) protocols, we begin by considering protocols for simpler primitives, such as Best-effort Broadcast and Reliable Broadcast. For Best-effort Broadcast, we
establish a tight lower bound on latency for single-sender and multi-sender protocols when blocks are distributed without the use of techniques such as erasure coding. Perhaps unsurprisingly, a key difference between the single-sender and multi-sender
approaches in this case is a factor $n$ in the point at which the latency bottleneck appears. However, for other primitives such as Reliable Broadcast, our results may be more surprising: the factor $n$ difference now disappears, and maximum throughput
for the two approaches differs by a constant factor, while multi-sender approaches will generally have latency that grows more quickly with $n$. For state-of-the-art SMR protocols, the picture that emerges is one with seemingly inherent trade-offs. If
one compares single-sender protocols that use pipelining and erasure coding, such as DispersedSimplex, with DAG-based protocols such as Sailfish or Bullshark, the former are seen to have lower latency for a wide range of throughputs, while the benefit of
the latter protocols is that they have a latency bottleneck which is higher by a constant factor.
## 2025/1117
* Title: Speeding Up Sum-Check Proving
* Authors: Suyash Bagad, Quang Dao, Yuval Domb, Justin Thaler
* [Permalink](
https://eprint.iacr.org/2025/1117)
* [Download](
https://eprint.iacr.org/2025/1117.pdf)
### Abstract
At the core of the fastest known SNARKs is the sum-check protocol. In this paper, we describe two complementary optimizations that significantly accelerate sum-check proving in key applications.
The first targets scenarios where polynomial evaluations involve small values, such as unsigned 32-bit integers or elements of small subfields within larger extension fields. This setting is common in applications such as Jolt, a state-of-the-art zero-
knowledge virtual machine (zkVM) built on the sum-check protocol. Our core idea is to replace expensive multiplications over large fields with cheaper operations over smaller domains, yielding both asymptotic speedups and significant constant-factor
improvements.
The second optimization addresses a common pattern where sum-check is applied to polynomials of the form $g(x) = \mathsf{eq}(r, x) \cdot p(x)$, where $\mathsf{eq}$ is the multilinear extension of the equality function. We present a technique that
substantially reduces the prover's cost associated with the equality polynomial component. We also describe how to combine both optimizations, which is essential for applications like Spartan within Jolt.
We have implemented and integrated our optimizations into the Jolt zkVM. Our benchmarks show consistent $2\text{-}3\times$ speedups for proving the first sum-check of Spartan within Jolt, with performance gains reaching 20$\times$ or more when baseline
methods approach their memory limits.
## 2025/1118
* Title: Extracting Some Layers of Deep Neural Networks in the Hard-Label Setting
* Authors: Isaac A. Canales-Martínez, David Santos
* [Permalink](
https://eprint.iacr.org/2025/1118)
* [Download](
https://eprint.iacr.org/2025/1118.pdf)
### Abstract
Although studied for several years now, parameter extraction of Deep Neural Networks (DNNs) has seen the major advances only in recent years. Carlini et al. (Crypto 2020) and Canales-Martínez et al. (Eurocrypt 2024) showed how to extract the parameters
of ReLU-based DNNs efficiently (polynomial time and polynomial number of queries, as a function on the number of neurons) in the raw-output setting, i.e., when the attacker has access to the raw output of the DNN. On the other hand, the more realistic
hard-label setting gives the attacker access only to the most likely label after the DNN's raw output has been processed. Recently, Carlini et al. (Eurocrypt 2025) presented an efficient parameter extraction attack in the hard-label setting applicable to
DNNs having a large number of parameters.
The work in Eurocrypt 2025 recovers the parameters of all layers except the output layer. The techniques presented there are not applicable to this layer due to its lack of ReLUs. In this work, we fill this gap and present a technique that allows
recovery of the output layer. Additionally, we show parameter extraction methods that are more efficient when the DNN has contractive layers, i.e., when the number of neurons decreases in those layers. We successfully apply our methods to some networks
trained on the CIFAR-10 dataset. Asymptotically, our methods have polynomial complexity in time and number of queries. Thus, a complete extraction attack combining the techniques by Carlini et al. and ours remains with polynomial complexity. Moreover,
real execution time is decreased when attacking DNNs with the required contractive architecture.
## 2025/1119
* Title: Strong Secret Sharing with Snitching
* Authors: Jan Bormet, Stefan Dziembowski, Sebastian Faust, Tomasz Lizurej, Marcin Mielniczuk
* [Permalink](
https://eprint.iacr.org/2025/1119)
* [Download](
https://eprint.iacr.org/2025/1119.pdf)
### Abstract
One of the main shortcomings of classical distributed cryptography is its reliance on a certain fraction of participants remaining honest. Typically, honest parties are assumed to follow the protocol and not leak any information, even if behaving
dishonestly would benefit them economically. More realistic models used in blockchain consensus rely on weaker assumptions, namely that no large coalition of corrupt parties exists, although every party can act selfishly. This is feasible since, in a
consensus protocol, active misbehavior can be detected and "punished" by other parties. However, "information leakage", where an adversary reveals sensitive information via, e.g., a subliminal channel, is often impossible to detect and, hence, much more
challenging to handle.
A recent approach to address this problem was proposed by Dziembowski, Faust, Lizurej, and Mielniczuk (ACM CCS 2024), who introduced a new notion called secret sharing with snitching. This primitive guarantees that as long as no large coalition of
mutually trusting parties exists, every leakage of the shared secret produces a "snitching proof" indicating that some party participated in the illegal secret reconstruction. This holds in a very strong model, where mutually distrusting parties use an
MPC protocol to reconstruct any information about the shared secret. Such a "snitching proof" can be sent to a smart contract (modeled as a "judge") deployed on the blockchain, which punishes the aving party financially.
In this paper, we extend the results from the work of CCS'24 by addressing its two main shortcomings. Firstly, we significantly strengthen the attack model by considering the case when mutually distrusting parties can also rely on a trusted third
party (e.g., a smart contract). We call this new primitive strong secret sharing with snitching (SSSS).
We present an SSSS protocol that is secure in this model. Secondly, unlike in the construction from CCS'24, our protocol does not require the honest parties to perform any MPC computations on hash functions. Besides its theoretical interest, this
improvement is of practical importance, as it allows the construction of SSSS from any (even very "MPC-unfriendly") hash function.
## 2025/1120
* Title: Traceable Secret Sharing Schemes for General Access Structures
* Authors: Oriol Farràs, Miquel Guiot
* [Permalink](
https://eprint.iacr.org/2025/1120)
* [Download](
https://eprint.iacr.org/2025/1120.pdf)
### Abstract
Traceable secret sharing complements traditional schemes by enabling the identification of parties who sell their shares. In the model introduced by Boneh, Partap, and Rotem [CRYPTO’24], a group of corrupted parties generates a reconstruction box $R$
that, given enough valid shares as input, reconstructs the secret. The goal is to trace $R$ back to at least one of the corrupted parties using only black-box access to it.
While their work provides efficient constructions for threshold access structures, it does not apply to the general case. In this work, we extend their framework to general access structures and present the first traceable scheme supporting them.
In the course of our construction, we also contribute to the study of anonymous secret sharing, a notion recently introduced by Bishop et al. [CRYPTO’25], which strengthens classical secret sharing by requiring that shares do not reveal the identities
of the parties holding them. We further advance this area by proposing new and stronger definitions, and presenting an anonymous scheme for general access structures that satisfies them.
## 2025/1121
* Title: 1-private n-party AND from 5 random bits
* Authors: Samuel Dittmer, Rafail Ostrovsky
* [Permalink](
https://eprint.iacr.org/2025/1121)
* [Download](
https://eprint.iacr.org/2025/1121.pdf)
### Abstract
In the field of information-theoretic cryptography, randomness complexity is a key metric for protocols for private computation, that is, the number of random bits needed to realize the protocol. Although some general bounds are known, even for the
relatively simple example of $n$-party AND, the exact complexity is unknown.
We improve the upper bound from Couteau and Ros\'en in Asiacrypt 2022 on the (asymptotic) randomness complexity of $n$-party AND from 6 to 5 bits, that is, we give a $1$-private protocol for computing the AND of $n$ parties' inputs requiring $5$ bits of
additional randomness, for all $n \geq 120$. Our construction, like that of Couteau and Ros\'en, requires a single source of randomness.
Additionally, we consider the modified setting of Goyal, Ishai, and Song (Crypto '22) where helper parties without any inputs are allowed to assist in the computation. In this setting, we show that the randomness complexity of computing a general boolean
circuit $C$ $1$-privately is exactly 2 bits, and this computation can be performed with seven helper parties per gate.
## 2025/1122
* Title: An Induction Principle for Hybrid Arguments in Nominal-SSProve
* Authors: Markus Krabbe Larsen, Carsten Schürmann
* [Permalink](
https://eprint.iacr.org/2025/1122)
* [Download](
https://eprint.iacr.org/2025/1122.pdf)
### Abstract
Inductive reasoning in form of hybrid arguments is prevalent in cryptographic security proofs, but they are not integrated into formalisms used to model cryptographic security proofs, such as, for example, state-separating proofs. In this paper we
present an induction principle for hybrid arguments that says that two games are many-steps indistinguishable if they are, respectively, indistinguishable from the end points of an iterated one-step indistinguishability argument. We demonstrate how to
implement this induction rule in Nominal-SSProve by taking advantage of the nominal character of state-variables and illustrate its versatility by proving a general reduction from many-time CPA-security to one-time CPA-security for any asymmetric
encryption scheme. We
then specialize the result to ElGamal and reduce CPA-secure to the decisional Diffie Hellman-assumption.
## 2025/1123
* Title: Cryptographic Treatment of Key Control Security -- In Light of NIST SP 800-108
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)