## In this issue

1. [2024/1657] Securely Computing One-Sided Matching Markets
2. [2025/1018] MT-TMVP: Modular Tiled TMVP-based Polynomial ...
3. [2025/1169] Understanding Lasso: A Novel Lookup Argument Protocol
4. [2025/1170] Optimized Rank Sort for Encrypted Real Numbers
5. [2025/1171] Beyond LWE: a Lattice Framework for Homomorphic ...
6. [2025/1172] Guarding the Signal: Secure Messaging with Reverse ...
7. [2025/1173] The Effectiveness of Differential Privacy in Real- ...
8. [2025/1174] Efficient Constant-Size Linkable Ring Signatures ...
9. [2025/1175] Simple VESS
10. [2025/1176] Solve Approximate CVP via Variants of Nearest-Colattice
11. [2025/1177] Mind the Gap: Securing QKD Interfaces with Post- ...
12. [2025/1178] Engel p-adic Supersingular Isogeny-based ...
13. [2025/1179] A Tale of Two Worlds, a Formal Story of WireGuard ...
14. [2025/1180] Cryptanalysis of HiAE
15. [2025/1181] UOV-Based Verifiable Timed Signature Scheme
16. [2025/1182] Pseudorandom Correlation Generators for Multiparty ...
17. [2025/1183] PA1 Security on Release of Unverified Plaintext in ...
18. [2025/1184] zkGPT: An Efficient Non-interactive Zero-knowledge ...
19. [2025/1185] From Worst-Case Hardness of $\mathsf{NP}$ to ...
20. [2025/1186] Unconditional Individual Verifiability with Receipt ...
21. [2025/1187] Ligerito: A Small and Concretely Fast Polynomial ...
22. [2025/1188] Depth-Optimized Quantum Implementation of CHAM
23. [2025/1189] Performance and Privacy: A Low-Latency Secure ...
24. [2025/1190] Towards AI-driven Optimization of Robust Probing ...
25. [2025/1191] A Polynomial Public-Key Cryptosystem Based on ...
26. [2025/1192] PrivacyGo: Privacy-Preserving Ad Measurement with ...
27. [2025/1193] Non-Homomorphic Key Blinding from Symmetric Primitives

## 2024/1657

* Title: Securely Computing One-Sided Matching Markets
* Authors: James Hsin-Yu Chiang, Ivan Damgård, Claudio Orlandi, Mahak Pancholi, Mark Simkin
* [Permalink](https://eprint.iacr.org/2024/1657)
* [Download](https://eprint.iacr.org/2024/1657.pdf)

### Abstract

Top trading cycles (TTC) is a famous algorithm for trading indivisible goods between a set of agents such that all agents are as happy as possible about the outcome. In this paper, we present a protocol for executing TTC in a privacy preserving way. To
the best of our knowledge, it is the first of its kind. As a technical contribution of independent interest, we suggest a new algorithm for determining all nodes in a functional graph that are on a cycle. The algorithm is particularly well suited for
secure implementation in that it requires no branching and no random memory access. Finally, we report on a prototype implementation of the protocol based on somewhat homomorphic encryption.



## 2025/1018

* Title: MT-TMVP: Modular Tiled TMVP-based Polynomial Multiplication for Post-Quantum Cryptography on FPGAs
* Authors: Shekoufeh Neisarian, Elif Bilge Kavun
* [Permalink](https://eprint.iacr.org/2025/1018)
* [Download](https://eprint.iacr.org/2025/1018.pdf)

### Abstract

As quantum technology advances, developing cryptographic solutions resistant to quantum attacks is crucial. Post-Quantum Cryptography (PQC) provides a practical approach by running on classical computers. They rely on hard mathematical problems, with
lattice-based being one of the National Institute of Standards and Technology (NIST)-recognized schemes known for its small key sizes. Hardware implementation of these schemes faces challenges due to the computational intensity of operations like
polynomial multiplication, especially for resource-constrained devices. This paper proposes a novel Modular Tiled Toeplitz Matrix-Vector Polynomial Multiplication (MT-TMVP) for lattice-based PQC algorithms and presents a resource-optimized Field
Programmable Gate Array (FPGA) architecture. The proposed implementation significantly reduces resource utilization and Area-Delay Product (ADP) compared to state-of-the-art polynomial multipliers. It utilizes 99.68% and 84.22% fewer Look-Up Tables (LUTs)
on Artix-7 and Zynq Ultrascale+ FPGAs, respectively, and achieves 99.94% and 80.02% ADP improvements on these FPGAs compared to the best results in the literature. By leveraging Block RAM (BRAM), the proposed architecture offers robustness against
timing-based Side-Channel Attacks (SCAs), and the design is modular and scalable to any polynomial degree.



## 2025/1169

* Title: Understanding Lasso: A Novel Lookup Argument Protocol
* Authors: Oleg Fomenko, Anton Levochko
* [Permalink](https://eprint.iacr.org/2025/1169)
* [Download](https://eprint.iacr.org/2025/1169.pdf)

### Abstract

In 2023, Srinath Setty, Justin Thaler, and Riad Wahby published a paper that describes a novel lookup argument with efficient verification called Lasso. We present a focused and accessible overview of the Lasso lookup argument that stands for the
foundational component of the Jolt ZK-VM. This article distills the core principles behind Lasso: the sum-check protocol, multilinear polynomials and their extensions, Spark commitment, offline memory-checking, and the evolution of Spark called Surge. By
clarifying the underlying protocols and their relationship to innovations like Spark and Surge, we aim to provide researchers and engineers with practical insights into the cryptographic foundations powering both Lasso and the Jolt virtual machine.



## 2025/1170

* Title: Optimized Rank Sort for Encrypted Real Numbers
* Authors: Seunghu Kim, Eymen Ünay, Ayse Yilmazer-Metin, Hyung Tae Lee
* [Permalink](https://eprint.iacr.org/2025/1170)
* [Download](https://eprint.iacr.org/2025/1170.pdf)

### Abstract

Sorting arrays encrypted under fully homomorphic encryption remains a fundamental challenge due to the high cost of private comparisons and the incompatibility of conventional sorting algorithms with the encrypted domain. Recently, Hong et al. (IEEE
Transactions on Information Forensics and Security, 2021) proposed a $k$-way sorting network tailored to encrypted real numbers, but its reliance on multiple comparison stages incurs substantial multiplicative depth and significant bootstrapping overhead,
even for modest array sizes.

In this work, we propose a novel rank-based sorting algorithm for encrypted real numbers that performs only a single comparison stage, thereby eliminating the need for bootstrapping operations. Our empirical evaluation demonstrates that the proposed
method significantly outperforms the $k$-way approach for small to medium array sizes $(n\leq 1024)$, achieving a $46.91\times$ speedup at $n=256$ with a total runtime of $79$ seconds. Furthermore, we examine the recent matrix-based rank sort method by
Mazzone et al. (USENIX Security '25) and show that integrating our optimized rank construction improves its efficiency. Specifically, we achieve $1.77\times$ and $2.43\times$ performance gains for $n=128$ and $n=512$, respectively.



## 2025/1171

* Title: Beyond LWE: a Lattice Framework for Homomorphic Encryption
* Authors: Alberto Leporati, Lorenzo Rovida, Wessel van Woerden
* [Permalink](https://eprint.iacr.org/2025/1171)
* [Download](https://eprint.iacr.org/2025/1171.pdf)

### Abstract

We suggest a generalization of homomorphic encryption (HE) schemes from a purely geometrical and lattice-based perspective. All the current reference HE schemes are based on the ring version of the Learning with Errors (LWE) problem. In this proposal, we
first investigate LWE-based cryptosystems from a lattice point of view and present a framework that allows to obtain the same result, in geometrical terms, from any lattice — as long as it contains a sufficiently short trapdoor vector.

More precisely, we generalize the classical BGV (Brakerski, Gentry and Vaikuntanathan, ITCS '12) and GSW (Gentry, Sahai and Waters, CRYPTO '14) schemes to purely lattice-based variants, which we call Lattice-BGV and Lattice-GSW.
By abstracting away the particular hardness assumption, our lattice framework allows to be instantiated with a broader range of lattices and hardness assumptions.
For example, LWE gives a natural trapdoor for random $q$-ary lattices, and when plugged into our framework one obtains the original BGV and GSW schemes, while in this work we will also consider an instantiation based on the Lattice Isomorphism Problem (
LIP), leading to the first more advanced cryptographic scheme build from LIP$^*$. Our framework also gives a geometrical and natural explanation of HE procedures and generalizes some properties, such as the ability to store many messages in a single
ciphertext, one for each short trapdoor vector, without relying on any particular algebraic structure.

$^*$ In a concurrent work Branco, Malavolta and Maradni (ePrint 2025/993) propose an alternative LIP-based FHE construction.



## 2025/1172

* Title: Guarding the Signal: Secure Messaging with Reverse Firewalls
* Authors: Yevgeniy Dodis, Bernardo Magri, Noah Stephens-Davidowitz, Yiannis Tselekounis
* [Permalink](https://eprint.iacr.org/2025/1172)
* [Download](https://eprint.iacr.org/2025/1172.pdf)

### Abstract

Secure messaging protocols allow users to communicate asynchronously over untrusted channels with strong guarantees of privacy, authenticity, forward secrecy, and post-compromise security. However, traditional security analyses of these protocols assume
complete trust in the hardware and software of honest participants, overlooking a significant class of real-world threats known as subversion attacks. These attacks alter cryptographic algorithms to compromise security, by exfiltrating secrets or
creating vulnerabilities that are often undetected.

The notion of reverse firewalls (EC'15), aims at protecting against subversion attacks by introducing a third party, called a "reverse firewall" (RF), which sits between a party and the outside world and modifies its outgoing and incoming messages in a
way such that, even if the party's machine has been corrupted (in a way that maintains functionality), security is still preserved. Importantly, the firewall shares no private information with the parties, and parties put no more trust in the firewall
than they do in the communication channel. In this work, we address the existing gap in secure messaging and subversion attacks by presenting several key contributions:

- We design the first subversion-resilient secure messaging protocol based on the model of RF. Our protocol is based on the Signal protocol---the current state-of-the-art in two-party secure messaging, though it lacks subversion resilience---and achieves
subversion resilience with only constant overhead over Signal.

- We develop a subversion-resilient version of the X3DH protocol in the RF model. X3DH is a core component that facilitates secure initial key agreement in Signal's protocol.

- We introduce and formalize the notion of Continuous Key Agreement with Tamper Detection, an essential concept for subversion-resilient secure messaging. Our notion enables parties to continuously agree on keys, even in the presence of active
adversaries capable of partially tampering with the key exchange transcript. We present a construction of our notion and prove its subversion resilience in the model of RF.



## 2025/1173

* Title: The Effectiveness of Differential Privacy in Real-world Settings: A Metrics-based Framework to help Practitioners Visualise and Evaluate $\varepsilon$
* Authors: Akasha Shafiq, Abhishek Kesarwani, Dimitrios Vasilopoulos, Paolo Palmieri
* [Permalink](https://eprint.iacr.org/2025/1173)
* [Download](https://eprint.iacr.org/2025/1173.pdf)

### Abstract

Differential privacy (DP) has emerged as a preferred solution for privacy-preserving data analysis, having been adopted by several leading Internet companies. DP is a privacy-preserving mechanism that protects against re-identification of individuals
within aggregated datasets. It is known that the privacy budget $\varepsilon$ determines the trade-off between privacy and utility. In this paper, we propose the use of novel set of metrics and an easy-to-implement, step-by-step framework to facilitate
the implementation of the DP mechanism on real-world datasets and guide the selection of $\varepsilon$ based on desired accuracy vs utility trade-off. Currently, for a given query there is no widely accepted methodology on how to select $\varepsilon$ and
choose the best DP mechanism that offers an optimal trade-off between privacy and utility. In order to address this gap, we perform experiments by considering three real-world datasets, aiming to identify optimal $\varepsilon$ and suitable mechanisms (
Laplace or Gaussian) based on privacy utility trade-off as per use case for the commonly used count, sum and average queries for each dataset. Based on our experiment results, we observe that using our metric and framework, one can analyse noise
distribution charts of multiple queries, and choose the suitable $\varepsilon$ and the DP mechanism for achieving a balance between privacy and utility. Additionally, we show that the optimal $\varepsilon$ depends on the particular query, desired
accuracy and context in which DP is implemented, which suggests that an arbitrary, a-prior selection of $\varepsilon$ cannot provide adequate results. Our framework prioritises the plotting and visualisation of values and results in the DP analysis,
making its adoption easy for a wider audience.



## 2025/1174

* Title: Efficient Constant-Size Linkable Ring Signatures for Ad-Hoc Rings via Pairing-Based Set Membership Arguments
* Authors: Min Xie, Zhengzhou Tu, Man Ho Au, Junbin Fang, Xuan Wang, Zoe Lin Jiang
* [Permalink](https://eprint.iacr.org/2025/1174)
* [Download](https://eprint.iacr.org/2025/1174.pdf)

### Abstract

Linkable Ring Signatures (LRS) allow users to anonymously sign messages on behalf of ad-hoc rings, while ensuring that multiple signatures from the same user can be linked. This feature makes LRS widely used in privacy-preserving applications like e-
voting and e-cash. To scale to systems with large user groups, efficient schemes with short signatures and fast verification are essential. Recent works, such as DualDory (ESORICS’22) and LLRing (ESORICS’24), improve verification efficiency through
offline precomputations but rely on static rings, limiting their applicability in ad-hoc ring scenarios. Similarly, constant-size ring signature schemes based on accumulators face the same limitation.

In this paper, we propose a framework for constructing constant-size LRS suitable for large ad-hoc rings. We introduce a novel pairing-based Set Membership Argument (SMA) with a proof size of only three group elements. By leveraging KZG polynomial
commitments, we optimize the verification to require only constant group exponentiations and pairings, as well as linear field multiplications. Utilizing the SMA, our framework achieves constant-size signatures with verification dominated by linear field
operations, outperforming existing schemes that require linear group exponentiations in ad-hoc ring settings. Moreover, it exhibits strong scalability: (i) compatibility with any PKI-based cryptosystem and (ii) scoped linkability, enabling flexible
definitions of linking scope.

We instantiate our framework using a discrete logarithm public key structure. On the $BN254$ curve, our signature size is fixed at 687 bytes, which to our best knowledge is the shortest LRS for ring sizes larger than 32. For a ring size of 1024, our
verification cost is only 10.4 ms, achieving 48.6×, 2.6×–467×, 7.9×–13.2×, and 2.2×–102.5× improvements over Omniring (CCS’19), DualDory (with and without precomputation), LLRing-DL (with and without precomputation), and LLRing-P (with and
without precomputation), respectively. Moreover, this performance gap continues to grow as the ring size increases.



## 2025/1175

* Title: Simple VESS
* Authors: Victor Shoup
* [Permalink](https://eprint.iacr.org/2025/1175)
* [Download](https://eprint.iacr.org/2025/1175.pdf)

### Abstract

We present a scheme for verifiably encrypting a Shamir secret sharing to a committee of shareholders. Such a scheme can be used to easily implement distributed key generation (DKG) and resharing protocols used in threshold signing and decryption
protocols. Our scheme is a minor variation on known techniques, and is not the most efficient in terms of communication and computational complexity. However, it is extremely simple and easy to implement. Moreover, for moderately sized shareholder
committees of up to, say, 13 parties or so, and for applications where a DKG/resharing only needs to be performed occasionally, its performance should be acceptable in practice.



## 2025/1176

* Title: Solve Approximate CVP via Variants of Nearest-Colattice
* Authors: Wenwen Xia, Geng Wang, Dawu Gu
* [Permalink](https://eprint.iacr.org/2025/1176)
* [Download](https://eprint.iacr.org/2025/1176.pdf)

### Abstract

The approximate Closest Vector Problem (CVP) is a core computational problem underlying many post-quantum lattice-based signature schemes, including Dilithium, one-more-ISIS, and HuFu. While the security of these schemes is typically expressed in terms
of the Inhomogeneous Short Integer Solution (ISIS) problem, it is well-known that ISIS can be efficiently reduced to approximate CVP. Despite its foundational role, approximate CVP with non-negligible approximation factors remains far less explored than
other lattice problems such as SVP or LWE, creating a critical gap in both theory and practice.

In this work, we bridge this gap by advancing the Colattice framework for solving approximate CVP with large approximation factors. More concretely, (1) We define a practical version of the Colattice algorithm and propose a randomized Nearest Colattice
for generating more than one approximate closest vector. (2) Define a formal strategy space for blockwise approximate CVP. (3) Propose a polynomial-time strategy selection algorithm and prove its correctness under standard lattice heuristics. (4)
Building on this, we design an efficient security estimator for approximate CVP in both Euclidean and Infinity norms, and extend it to approximate batch-CVP attack settings. (5) By applying this estimator, we perform concrete security evaluations of
Dilithium, HuFu, and one-more-ISIS. Our results reveal that the security of Dilithium are 20 $\log_2({\rm gates})$ lower than the required security thresholds at NIST levels 3 and 5, and none of the evaluated schemes withstand approximate batch-CVP
attacks with $2^{64}$ queries. (6) We integrate a slicer and Colattice into G6K-CPU, leveraging the Locality-Sensitive Hashing (LSH) technqiue for nearest neighbors search (NNS). This is the first practical implementation of an NNS-accelerated slicer.
Our results demonstrate the practical efficiency of approximate CVP and batch-CVP attacks, highlighting the need for more accurate security estimation.

These findings underscore the practical importance of accurate approximate CVP modeling and call for a reassessment of current parameter sets in post-quantum signature schemes.



## 2025/1177

* Title: Mind the Gap: Securing QKD Interfaces with Post-Quantum Proxies
* Authors: Sayan Das, Aarav Varshney, Prasanna Ravi, Anupam Chattopadhyay
* [Permalink](https://eprint.iacr.org/2025/1177)
* [Download](https://eprint.iacr.org/2025/1177.pdf)

### Abstract

Quantum Key Distribution (QKD) is a promising technology that enables information-theoretic secure key exchange using quantum principles. It is being increasingly deployed in critical sectors through emerging Quantum Key-as-a-Service (QKaaS) models.
However, current standards like ETSI GS QKD 014 assume that QKD keys are consumed within trusted environments—an assumption that breaks down in real-world deployments where keys are delivered over classical networks to remote, potentially untrusted
endpoints. This creates a security gap at the interface between QKD systems and key-consuming applications. In this paper, we identify this gap and propose a proxy-based solution that secures QKD key delivery using post-quantum cryptography (PQC). Our
proxy transparently applies PQC-based signatures and key encapsulation to ETSI-compliant QKD APIs, without requiring changes to existing infrastructure. It supports cryptographic agility, allowing runtime switching between multiple PQC schemes. We
benchmark our design using both QKD simulators and production-grade QKD hardware, and show that it introduces minimal overhead with efficient NIST PQC algorithms. Our findings highlight the need for stronger protection of the QKD interface in practical
deployments. We advocate for a revision to ETSI GS QKD 014 to include an addendum that addresses this critical gap and promotes end-to-end quantum-safe integration.



## 2025/1178

* Title: Engel p-adic Supersingular Isogeny-based Cryptography over Laurent series
* Authors: Ilias Cherkaoui, Ciaran Clarke, Indrakshi Dey
* [Permalink](https://eprint.iacr.org/2025/1178)
* [Download](https://eprint.iacr.org/2025/1178.pdf)

### Abstract

This paper builds the foundation for a cryptosystem based on p-adic representations of supersingular elliptic curve isogenies generated through Engel expansions of Laurent series. This mathematical framework manifests as a lightweight encryption scheme
implemented on ESP32 microcontrollers for IoT applications. Efficient isogeny paths are constructed for quantum-resistant primitives secured against Shor's algorithm by decomposing elements into Engel sequences. Performance analysis confirms linear
computational scaling with message size and speed gain at a higher clock rate, along with power trace signatures corroborating theoretical computational models. Consequently, we confirm the practical feasibility of our proposed p-adic isogeny
cryptography on resource-constrained embedded systems while offering rigorous post-quantum security assurances.



## 2025/1179

* Title: A Tale of Two Worlds, a Formal Story of WireGuard Hybridization
* Authors: Pascal Lafourcade, Dhekra Mahmoud, Sylvain Ruhault, Abdul Rahman Taleb
* [Permalink](https://eprint.iacr.org/2025/1179)
* [Download](https://eprint.iacr.org/2025/1179.pdf)

### Abstract

PQ-WireGuard is a post-quantum variant of WireGuard
Virtual Private Network (VPN), where Diffie-Hellman-based key exchange is replaced by post-quantum Key Encapsulation Mechanisms-based key
exchange. In this paper, we first conduct a thorough formal analysis
of PQ-WireGuard's original design, in which we point out and fix a
number of weaknesses. This leads us to an improved construction
PQ-WireGuard*. Secondly, we propose and formally analyze a new
protocol, based on both WireGuard and PQ-WireGuard*, named
Hybrid-WireGuard, compliant with current best practices for
post-quantum transition about hybridization techniques. For our
analysis, we use the SAPIC+ framework that enables the generation of
three state-of-the-art protocol models for the verification tools
ProVerif, DeepSec and Tamarin from a single specification,
leveraging the strengths of each tool. We formally prove that
Hybrid-WireGuard is secure. Eventually, we propose a generic, efficient and usable Rust implementation of our new protocol.



## 2025/1180

* Title: Cryptanalysis of HiAE
* Authors: Alexander Bille, Elmar Tischhauser
* [Permalink](https://eprint.iacr.org/2025/1180)
* [Download](https://eprint.iacr.org/2025/1180.pdf)

### Abstract

We describe key recovery attacks on the authenticated stream cipher HiAE, which was recently proposed for future high-throughput communication networks such as 6G by Huawei. HiAE uses a 2048-bit state, a 256-bit key and produces 128-bit tags, targeting
256-bit security against key and state recovery. As a nonce-based AEAD scheme, it relies on the uniqueness of the nonce per key for these security claims. Our analysis indicates that a complete recovery of the 256-bit key of HiAE is possible with a
complexity of $2^{128}$ data and at most $2^{129.585}$ time in the nonce-respecting attack setting, with various small tradeoffs concerning the data and time complexity. While infeasible in practice, this attack therefore violates the 256-bit security
claim for HiAE. We describe further complete key-recovery attacks in the nonce-misuse and release of unverfied plaintext (RUP) settings which require only a small constant number of repeated nonces or unverified decryption queries, respectively.



## 2025/1181

* Title: UOV-Based Verifiable Timed Signature Scheme
* Authors: Erkan Uslu, Oğuz Yayla
* [Permalink](https://eprint.iacr.org/2025/1181)
* [Download](https://eprint.iacr.org/2025/1181.pdf)

### Abstract

Verifiable Timed Signatures (VTS) are cryptographic primitives that enable the creation of a signature that can only be retrieved after a specific time delay, while also providing verifiable evidence of its existence. This framework is particularly
useful in blockchain applications. Current VTS schemes rely on signature algorithms such as BLS, Schnorr, and ECDSA, which are vulnerable to quantum attacks due to the vulnerability of the discrete logarithm problem to Shor's Algorithm. We introduce VT-
UOV, a novel VTS scheme based on the Salt-Unbalanced Oil and Vinegar (Salt-UOV) Digital Signature Algorithm. As a multivariate polynomial-based cryptographic primitive, Salt-UOV provides strong security against both classical and quantum adversaries.
Adapting Salt-UOV into the VTS framework requires addressing challenges such as complex parameters instead of a integer, the computational complexity of solving multivariate equations, and the integration of Time-Lock Puzzles (TLPs) for enforcing delayed
signature generation. Our experimental results show that VT-UOV exhibits a unique performance profile among existing VTS constructions. This paper offers a detailed exploration of the VT-UOV scheme and its overall security and performance properties.



## 2025/1182

* Title: Pseudorandom Correlation Generators for Multiparty Beaver Triples over $\mathbb{F}_2$
* Authors: Peihan Miao, Alice Murphy, Akshayaram Srinivasan, Max Tromanhauser
* [Permalink](https://eprint.iacr.org/2025/1182)
* [Download](https://eprint.iacr.org/2025/1182.pdf)

### Abstract

We construct an efficient pseudorandom correlation generator (PCG) (Boyle et al., Crypto'19) for two-party programmable oblivious linear evaluation (OLE) functionality over $\mathbb{F}_2$. Our construction (i) has an efficient seed expansion phase, and (
ii) comes with a concretely efficient protocol for distributing the seeds that makes black-box use of cryptography and runs in a constant number of rounds.

PCGs for programmable OLE are known to imply PCGs for generating $n$-party Beaver triples over $\mathbb{F}_2$. The resultant PCG has a seed setup phase whose communication cost is $n(n-1)$ times than that of the programmable OLE protocol. The per-party
seed size and the seed expansion time have a multiplicative overhead of $2(n-1)$. Prior constructions for efficiently generating multiparty Beaver triples only worked for finite fields $\mathbb{F}_q$ where $q \geq 3$ or required one bit of per-party
communication for each triple generated (and hence, do not satisfy the PCG definition). Thus, ours is the first concretely efficient PCG for generating Beaver triples over $\mathbb{F}_2$ in the multiparty setting.

Our distributed seed generation protocol generates $N = 2^{30}$ two-party programmable OLEs in 3.5 minutes with 255 MB of communication over a LAN network. The PCG seed size is around 55 MB and the expansion phase requires 10 PRG calls and around 229
thousand XOR and AND operations per triple, producing roughly 31,000 triples per second.

Our PCG for generating multiparty Beaver triples has lower concrete communication cost than the state-of-the-art for small number of parties. When compared to the FOLEAGE protocol (Bombar et al, Asiacrypt 2024) which requires one bit of per-party
communication per triple that is generated, our communication cost is lower by $2.4\times$ when generating $N = 2^{36}$ triples between three parties and is $1.2 \times $ lower for the case of five parties.

At a conceptual level, our protocol deviates from the prior approaches which relied on variants of dual learning parity with noise (LPN) assumption. Instead, our construction combines both the primal and dual versions of LPN to achieve the aforementioned
efficiency.



## 2025/1183

* Title: PA1 Security on Release of Unverified Plaintext in Encrypt-then-MAC AE Schemes
* Authors: Bart Mennink, Suprita Talnikar
* [Permalink](https://eprint.iacr.org/2025/1183)
* [Download](https://eprint.iacr.org/2025/1183.pdf)

### Abstract

At ASIACRYPT 2014, Andreeva et al. put forward a definition for security of authenticated encryption under release of unverified plaintext. They introduced two notions of plaintext awareness (PA1 and its stronger sibling PA2), suggested to be used in
conjunction with confidentiality in case of release of unverified plaintext, as well as the notion of integrity under release of unverified plaintext (INT-RUP). Various efforts have been made to develop a unified model (e.g., Ashur et al., CRYPTO 2017,
Chang et al., ToSC 2019(4)). With respect to the analysis of existing and new modes under release of unverified plaintext, most research however has focused on INT-RUP security only. Plaintext awareness is less studied and understood.
In this work, we take a detailed look at the original definitions of PA1 and PA2 security. We observe that the definitions leave too much room for interpretation, and claimed results such as PA1 security of Encrypt-then-MAC are unjustified. The core of
the issue lies in the fact that PA1 security is necessarily tied to the implementation of the scheme. To resolve this, we present refined definitions of PA1 and PA2 security. We argue that even for these refined definitions, there is no implementation of
Encrypt-and-MAC that is PA1 (nor PA2) secure. For MAC-then-Encrypt, results depend on the actual scheme, as we demonstrate using a negative result and a positive result (from literature, on Romulus-M). Furthermore, we formally prove for Encrypt-then-MAC
that (i) there exist implementations that are PA1 insecure and (ii) there exist implementations that are PA1 secure. In other words, Encrypt-then-MAC is insecure under the old definition but secure under the new definition, provided a proper
implementation is used. We apply this observation to Isap v2, finalist in the NIST Lightweight Cryptography competition, where we additionally deal with the complication that the same key is used for encryption and authentication.



## 2025/1184

* Title: zkGPT: An Efficient Non-interactive Zero-knowledge Proof Framework for LLM Inference
* Authors: Wenjie Qu, Yijun Sun, Xuanming Liu, Tao Lu, Yanpei Guo, Kai Chen, Jiaheng Zhang
* [Permalink](https://eprint.iacr.org/2025/1184)
* [Download](https://eprint.iacr.org/2025/1184.pdf)

### Abstract


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)