• [digest] 2025 Week 28 (1/3)

    From IACR ePrint Archive@21:1/5 to All on Mon Jul 14 02:23:15 2025
    ## In this issue

    1. [2024/884] Security of Fixed-Weight Repetitions of Special- ...
    2. [2025/1058] Adaptive TDF from any TDF via Pseudorandom ...
    3. [2025/1219] Foundations of Single-Decryptor Encryption
    4. [2025/1235] HiAE Remains Secure in Its Intended Model: A ...
    5. [2025/1237] Replication of Quantum Factorisation Records with ...
    6. [2025/1238] Extended $c$-differential distinguishers of full ...
    7. [2025/1239] Improved (Again) Key Pair Generation for Falcon, ...
    8. [2025/1240] pracy: A Practical Compiler for Attribute-Based ...
    9. [2025/1241] Public Key Linting for ML-KEM and ML-DSA
    10. [2025/1242] Note: Full-round distinguisher for Synergy
    11. [2025/1243] Improving special cases of the computational ...
    12. [2025/1244] A New Bijective Pairing Alternative for Encoding ...
    13. [2025/1245] Integrating and Benchmarking KpqC in TLS/X.509
    14. [2025/1246] On Round-Optimal Computational VSS
    15. [2025/1247] Field-Tested Authentication for Quantum Key ...
    16. [2025/1248] Beyond Side-Channels: Evaluating Inner Product ...
    17. [2025/1249] An Automated Model to Search For Differential Meet- ...
    18. [2025/1250] The Weighted Sum Correlation Analysis
    19. [2025/1251] Black Box to Blueprint: Visualizing Leakage ...
    20. [2025/1252] Tree PCPs
    21. [2025/1253] BitVM with Succinct On-Chain Cost from AB-LFE, ...
    22. [2025/1254] Batch Decryption without Epochs and its Application ...
    23. [2025/1255] Efficient Full Domain Functional Bootstrapping from ...
    24. [2025/1256] Lattice-based Multi-key Homomorphic Signatures ...
    25. [2025/1257] Non-Profiled Higher-Order Side-Channel Attacks ...
    26. [2025/1258] Multi-Source Randomness Extraction and Generation ...
    27. [2025/1259] Preimage-type Attacks for Reduced Ascon-Hash: ...
    28. [2025/1260] Opossum Attack: Application Layer Desynchronization ...
    29. [2025/1261] FAEST for Memory-Constrained Devices with Side- ...
    30. [2025/1262] Vectorised Hashing Based on Bernstein-Rabin- ...
    31. [2025/1263] OasisDB: An Oblivious and Scalable System for ...
    32. [2025/1264] Copy Protecting Cryptographic Functionalities over ...
    33. [2025/1265] A note on a recent attack against SPEEDY-7-192
    34. [2025/1266] Efficiently parsing existing eID documents for ...
    35. [2025/1267] SMOOTHIE: (Multi-)Scalar Multiplication ...
    36. [2025/1268] What’s the Matter? An In-Depth Security Analysis of ...
    37. [2025/1269] Linear Prover IOPs in Log Star Rounds
    38. [2025/1270] Key Recovery from Side-Channel Power Analysis ...
    39. [2025/1271] Applications Of Zero-Knowledge Proofs On Bitcoin
    40. [2025/1272] EinHops: Einsum Notation for Expressive Homomorphic ...
    41. [2025/1273] Threshold Structure-Preserving Signatures with ...
    42. [2025/1274] Improved Matrix Inversion with Packed Ciphertexts ...
    43. [2025/1275] Improving the Fault Robustness of Polynomial Masking
    44. [2025/1276] On Weak NIZKs, One-way Functions and Amplification
    45. [2025/1277] Scalable Accountable Byzantine Agreement and Beyond
    46. [2025/1278] In the Vault, But Not Safe: Exploring the Threat of ...

    ## 2024/884

    * Title: Security of Fixed-Weight Repetitions of Special-Sound Multi-Round Interactive Proofs
    * Authors: Michele Battagliola, Riccardo Longo, Federico Pintore, Edoardo Signorini, Giovanni Tognolini
    * [Permalink](https://eprint.iacr.org/2024/884)
    * [Download](https://eprint.iacr.org/2024/884.pdf)

    ### Abstract

    Interactive proofs are a cornerstone of modern cryptography and, as such, used in many areas, from digital signatures to multi-party computation. Often the knowledge error $\kappa$ of an interactive proof is not small enough and thus needs to be reduced.
    This is usually achieved by repeating the interactive proof in parallel $t$ times.
    Recently, it was shown that the $t$-fold parallel repetition of any $(k_1,\ldots,k_{\mu})$-special-sound multi-round public-coin interactive proof reduces the knowledge error from $\kappa$ to $\kappa^t$, which is optimal.
    However, parallel repetitions lead to an increase in transcript size. A common technique to mitigate this drawback, which is often employed in digital signatures obtained by using the Fiat-Shamir transform, is to use fixed-weight challenges, i.e. vectors
    of challenges having a constant number of entries (for which the last component is) equal to a fixed value.
    While widely used, this method has not been fully assessed from a security standpoint. In particular, the effect of the technique on the knowledge error of repeated interactive proofs has remained unstudied.
    In this work, we fill the gap and prove that a fixed-weight repetition of a $(k_1,\ldots,k_{\mu})$-special-sound multi-round public-coin interactive proof
    is still knowledge sound. We provide an explicit bound for the knowledge error of the protocol, proving that it matches the maximum cheating probability of a dishonest prover.
    Our results apply to some recently-proposed digital signatures which are supposed to be quantum resistant, for example the code-based signature CROSS.



    ## 2025/1058

    * Title: Adaptive TDF from any TDF via Pseudorandom Ciphertext PKE
    * Authors: Fuyuki Kitagawa, Takahiro Matsuda
    * [Permalink](https://eprint.iacr.org/2025/1058)
    * [Download](https://eprint.iacr.org/2025/1058.pdf)

    ### Abstract

    We present a generic construction of adaptive trapdoor function (TDF) from the combination of any TDF and pseudorandom-ciphertext public-key encryption (PKE) scheme. As a direct corollary, we can obtain adaptive TDF from any trapdoor permutation (TDP)
    whose domain is both recognizable and sufficiently dense. In our construction, we can prove that the function's output is indistinguishable from uniform even when an adversary has access to the inversion oracle.



    ## 2025/1219

    * Title: Foundations of Single-Decryptor Encryption
    * Authors: Fuyuki Kitagawa, Takashi Yamakawa
    * [Permalink](https://eprint.iacr.org/2025/1219)
    * [Download](https://eprint.iacr.org/2025/1219.pdf)

    ### Abstract

    Single decryptor encryption (SDE) is public key encryption (PKE) where the decryption key is an unclonable quantum state. Coladangelo, Liu, Liu, and Zhandry (CRYPTO 2021) realized the first SDE assuming subexponentially secure indistinguishability
    obfuscation (iO) and one-way functions (OWFs), along with the polynomial hardness of the learning with errors (LWE) assumption. Since then, SDE has played a pivotal role in recent advances in quantum cryptography. However, despite its central importance
    in unclonable cryptography, many fundamental questions about SDE remain unanswered. For example, a line of works has proposed various security notions for SDE, but their relationships have hardly been discussed. Moreover, while many subsequent works have
    adopted the construction methodology of Coladangelo et al., none have explored its improvement, leaving the possibility of a more efficient approach to SDE.

    In this work, we address these fundamental questions concerning SDE. Our contributions are threefold.

    New security notion: We introduce a strengthened indistinguishability-based security notion for SDE, which we call CPA+ anti-piracy security. We show that CPA+ security unifies the existing security notions for SDE, as detailed in the third item.

    New construction: We present an SDE scheme that satisfies CPA+ anti-piracy security, based solely on polynomially secure iO and OWFs. In addition to relying on weaker and more general assumptions, our SDE scheme offers a significant advantage over the
    scheme of Coladangelo et al., as both the construction and its security proof are much simpler.

    Relationships among security notions: We demonstrate that CPA+ anti-piracy security implies all existing security notions for SDE, with the sole exception of identical challenge ciphertext security proposed by Georgiou and Zhandry (EPRINT 2020). Although
    we do not establish a direct implication from CPA+ anti-piracy security to identical challenge ciphertext security, we provide a generic transformation from an SDE scheme satisfying the former to one achieving the latter in the quantum random oracle
    model. Additionally, we establish various relationships among different security notions for SDE. By combining these results with our SDE construction, we derive several new feasibility results.



    ## 2025/1235

    * Title: HiAE Remains Secure in Its Intended Model: A Clarification of Claimed Attacks
    * Authors: Han Chen, Tao Huang, Phuong Pham, Shuang Wu
    * [Permalink](https://eprint.iacr.org/2025/1235)
    * [Download](https://eprint.iacr.org/2025/1235.pdf)

    ### Abstract

    HiAE is a recently proposed high-throughput authenticated encryption algorithm that achieves exceptional performance on both x86 and ARM architectures. Following its publication, several cryptanalysis papers have claimed that HiAE’s 256-bit encryption
    security is broken under the nonce-respecting model. In this note, we clarify that the claimed attacks rely critically on submitting forged-tag decryption queries — a type of behavior explicitly excluded by HiAE’s original security model.

    HiAE was designed under a standard nonce-based AEAD setting without decryption oracle access, offering 256-bit security against key and state recovery, and 128-bit security against forgery. This design approach follows the same principle as well-known
    schemes such as AEGIS and MORUS.

    The conclusion that HiAE is broken is based on a misinterpretation of its security model, as the attacks rely on conditions that the design explicitly excludes.



    ## 2025/1237

    * Title: Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog
    * Authors: Peter Gutmann, Stephan Neuhaus
    * [Permalink](https://eprint.iacr.org/2025/1237)
    * [Download](https://eprint.iacr.org/2025/1237.pdf)

    ### Abstract

    This paper presents implementations that match and, where possible, exceed current quantum factorisation records using a VIC-20 8-bit home computer from 1981, an abacus, and a dog. We hope that this work will inspire future efforts to match any further
    quantum factorisation records, should they arise.



    ## 2025/1238

    * Title: Extended $c$-differential distinguishers of full $9$ and reduced-round Kuznyechik cipher
    * Authors: Pantelimon Stanica, Ranit Dutta, Bimal Mandal
    * [Permalink](https://eprint.iacr.org/2025/1238)
    * [Download](https://eprint.iacr.org/2025/1238.pdf)

    ### Abstract

    This paper introduces truncated inner $c$-differential cryptanalysis, a novel technique that for the first time enables the practical application of $c$-differential uniformity to block ciphers. While Ellingsen et al. (IEEE Trans. Inf. Theory, 2020)
    established the notion of $c$-differential uniformity using $(F(x\oplus a), cF(x))$, a key challenge remained: multiplication by $c$ disrupts the structural properties essential for block cipher analysis, particularly key addition.

    We resolve this challenge by developing an inner $c$-differential approach where multiplication by $c$ affects the input: $(F(cx\oplus a), F(x))$. We prove that the inner $c$-differential uniformity of a function $F$ equals the outer
    $c$-differential uniformity of $F^{-1}$, establishing a fundamental duality. This modification preserves cipher structure while enabling practical cryptanalytic applications.

    Our main contribution is a comprehensive multi-faceted statistical-computational framework, implementing truncated $c$-differential analysis against the full 9-round Kuznyechik cipher (the inner $c$-differentials are immune to the key whitening at the
    backend). Through extensive computational analysis involving millions of differential pairs, we demonstrate statistically significant non-randomness across all tested round counts. For the full 9-round cipher, we identify multiple configurations
    triggering critical security alerts, with bias ratios reaching $1.7\times$ and corrected p-values as low as $1.85 \times 10^{-3}$, suggesting insufficient security margin against this new attack vector. This represents the first practical
    distinguisher against the full 9-round Kuznyechik.
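    The duality stated above can be checked by brute force on a small S-box. The Python below is an added example, not code from the paper: it identifies $\mathbb{F}_2^4$ with $GF(2^4)$ modulo $x^4+x+1$ so that "multiplication by $c$" is the field product (a choice of basis the abstract does not fix), uses the PRESENT S-box purely as a convenient 4-bit permutation, tabulates the outer counts $\#\{x : F(x\oplus a)\oplus cF(x)=b\}$ and the inner counts $\#\{x : F(cx\oplus a)\oplus F(x)=b\}$, and confirms that the inner table of $F$ is the transposed outer table of $F^{-1}$ (substitute $y=F(x)$), which is exactly why the two uniformities coincide.

```python
"""Inner vs outer c-differential tables on a 4-bit S-box (added example)."""
from itertools import product

N = 4
MOD = 0b10011   # x^4 + x + 1: F_2^4 is identified with GF(2^4) through this polynomial
# PRESENT S-box, used here only as a convenient small permutation.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(1 << N)]


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^4) modulo x^4 + x + 1 by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r


def outer_c_table(f, c):
    """Outer counts (Ellingsen et al.): #{x : f(x ^ a) ^ c*f(x) = b} for every (a, b)."""
    return {(a, b): sum(1 for x in range(1 << N) if f[x ^ a] ^ gf_mul(c, f[x]) == b)
            for a, b in product(range(1 << N), repeat=2)}


def inner_c_table(f, c):
    """Inner counts: #{x : f(c*x ^ a) ^ f(x) = b}; c now scales the input, not the output."""
    return {(a, b): sum(1 for x in range(1 << N) if f[gf_mul(c, x) ^ a] ^ f[x] == b)
            for a, b in product(range(1 << N), repeat=2)}


def uniformity(table, c):
    """Largest entry; for c = 1 skip a = 0, where f(x) ^ f(x) = 0 trivially (ordinary DDT)."""
    return max(v for (a, _), v in table.items() if not (c == 1 and a == 0))


def check_duality(f, f_inv, c):
    """Return (inner c-DU of f, outer c-DU of f_inv, whether the tables match entry-wise).
    With y = f(x), f(c*x ^ a) ^ f(x) = b becomes f_inv(y ^ b) ^ c*f_inv(y) = a, and x -> y
    is a bijection, so inner_f(a, b) == outer_{f_inv}(b, a) for every pair (a, b)."""
    inner = inner_c_table(f, c)
    outer_inv = outer_c_table(f_inv, c)
    pointwise = all(inner[(a, b)] == outer_inv[(b, a)] for (a, b) in inner)
    return uniformity(inner, c), uniformity(outer_inv, c), pointwise
```

    For $c=1$ both tables collapse to the ordinary difference distribution table, so the check reproduces the classical fact that a permutation and its inverse share their differential uniformity; for $c\neq 1$ it is the new duality.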



    ## 2025/1239

    * Title: Improved (Again) Key Pair Generation for Falcon, BAT and Hawk
    * Authors: Thomas Pornin
    * [Permalink](https://eprint.iacr.org/2025/1239)
    * [Download](https://eprint.iacr.org/2025/1239.pdf)

    ### Abstract

    In this short note, we describe some further improvements to the key pair generation process for the Falcon and Hawk lattice-based signature schemes, and for the BAT key encapsulation scheme, in a fully constant-time way and without any use of
    floating-point operations. Our new code is slightly faster than our previous implementation, and, more importantly for small embedded systems, uses less RAM space.



    ## 2025/1240

    * Title: pracy: A Practical Compiler for Attribute-Based Encryption in Python
    * Authors: Sven Argo, Marloes Venema, Adrian Ackermann, Tim Güneysu
    * [Permalink](https://eprint.iacr.org/2025/1240)
    * [Download](https://eprint.iacr.org/2025/1240.pdf)

    ### Abstract

    Attribute-based encryption (ABE) is a versatile primitive that has been considered in many applications to enforce access control cryptographically. To actually benefit from ABE in practice, we require implementations of schemes that satisfy all
    the properties that are needed. Many theoretical advancements have been made to attain such properties, ultimately resulting in powerful abstractions such as pair encodings. To build an ABE scheme, we use a compiler (in the theoretical sense), which
    transforms a provably secure pair encoding scheme into a provably secure ABE scheme. Although several such compilers have been introduced, they all abstract away many details that are relevant for engineers, which can hinder the implementation of
    schemes in practice.

    To address this problem, we propose pracy, which is a tool that automatically implements an ABE scheme from an input pair encoding scheme. To achieve this, we first note that we need to overcome a general issue in any automation efforts – including
    automated optimization and security analysis – in the field of pairing-based cryptography. In particular, there exist no parsers that properly model the interaction between the predicate and the pair encodings. Therefore, we devise a new formal model
    and type system, which capture this interaction in a way that is compatible with automated implementation efforts. To illustrate the feasibility of our model and system, we construct pracy, which is a (practical) compiler in Python that can implement
    ABE schemes in multiple target programming languages such as Python and C/C++. With pracy, we not only make the implementation of ABE schemes from pair encodings more accessible to practitioners, we realize the potential that pair encodings have
    to simplify implementation efforts.



    ## 2025/1241

    * Title: Public Key Linting for ML-KEM and ML-DSA
    * Authors: Evangelos Karatsiolis, Franziskus Kiefer, Juliane Krämer, Mirjam Loiero, Christian Tobias, Maximiliane Weishäupl
    * [Permalink](https://eprint.iacr.org/2025/1241)
    * [Download](https://eprint.iacr.org/2025/1241.pdf)

    ### Abstract

    With the advancing standardization of post-quantum cryptographic schemes, the need for preparing the IT security infrastructure for integrating post-quantum schemes increases. The focus of this work is a specific part of the IT security infrastructure,
    namely public key infrastructures. For public certification authorities, it is crucial to guarantee the quality of public keys certified by them. To this end, linting is deployed, which describes the process of analyzing the content of a certificate with
    respect to predefined rules, the so-called lints. In this work, we initiate the study of lints for post-quantum cryptography. As a starting point, we choose lattice-based schemes and analyze the public keys of the NIST standards ML-KEM and ML-DSA. We
    base our analyses on the NIST FIPS standards and IETF documents. We formally describe the identified lints and classify them with respect to the property of the public key that the lint checks. We implement the lints for a common X.509 certificate linter
    and provide an open-source tool.
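    As an added illustration (not the paper's linter or its lint catalogue), the Python below implements lints a CA could run on post-quantum keys straight from the FIPS text: the encoded-length check for each ML-KEM and ML-DSA parameter set, and the FIPS 203 Section 7.2 modulus check, which requires every packed 12-bit coefficient of $\hat{t}$ to be less than $q = 3329$, equivalently ByteEncode12(ByteDecode12(ek)) = ek. The test keys are constructed random vectors, not real keys, and the function names are this example's own.

```python
"""Structural lints for ML-KEM encapsulation keys and ML-DSA public keys (added example)."""
import random

Q = 3329   # ML-KEM modulus (FIPS 203)

# Encoded key lengths in bytes from the FIPS 203 and FIPS 204 parameter tables.
ML_KEM_EK_LEN = {"ML-KEM-512": 800, "ML-KEM-768": 1184, "ML-KEM-1024": 1568}
ML_DSA_PK_LEN = {"ML-DSA-44": 1312, "ML-DSA-65": 1952, "ML-DSA-87": 2592}


def byte_decode_12(buf: bytes) -> list:
    """Unpack 12-bit coefficients (LSB-first bit order), two per three bytes: FIPS 203
    ByteDecode_12 without its final mod q, so unreduced values stay visible."""
    coeffs = []
    for i in range(0, len(buf), 3):
        b0, b1, b2 = buf[i], buf[i + 1], buf[i + 2]
        coeffs.append(b0 | ((b1 & 0x0F) << 8))
        coeffs.append((b1 >> 4) | (b2 << 4))
    return coeffs


def byte_encode_12(coeffs: list) -> bytes:
    """Inverse packing (FIPS 203 ByteEncode_12); each coefficient must be < 2^12."""
    out = bytearray()
    for a, b in zip(coeffs[0::2], coeffs[1::2]):
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)


def lint_ml_kem_ek(param_set: str, ek: bytes) -> list:
    """Return the failed lints (empty list = clean) for an ML-KEM encapsulation key."""
    findings = []
    expected = ML_KEM_EK_LEN[param_set]
    if len(ek) != expected:
        findings.append("length: got %d bytes, expected %d" % (len(ek), expected))
        return findings        # layout-dependent checks need the right length first
    t_hat, rho = ek[:-32], ek[-32:]        # ek = ByteEncode12(t_hat) || rho
    # FIPS 203, Section 7.2 modulus check: ByteEncode12(ByteDecode12(ek)) must equal ek,
    # i.e. no packed coefficient may be >= q. Report the offending indices.
    coeffs = byte_decode_12(t_hat)
    if byte_encode_12([c % Q for c in coeffs]) + rho != ek:
        bad = [i for i, c in enumerate(coeffs) if c >= Q]
        findings.append("modulus: %d coefficient(s) >= q, first at index %d" % (len(bad), bad[0]))
    return findings


def lint_ml_dsa_pk(param_set: str, pk: bytes) -> list:
    """ML-DSA public keys are rho (32 bytes) || t1 packed at 10 bits per coefficient; every
    10-bit pattern is a valid t1 coefficient, so the structural lint here is the length."""
    expected = ML_DSA_PK_LEN[param_set]
    if len(pk) != expected:
        return ["length: got %d bytes, expected %d" % (len(pk), expected)]
    return []


def constructed_ek(k: int, bad_index=None, seed: int = 1) -> bytes:
    """Constructed test vector, not a real key: k*256 random reduced coefficients and a
    random rho, optionally with one unreduced coefficient planted at bad_index."""
    rng = random.Random(seed)
    coeffs = [rng.randrange(Q) for _ in range(256 * k)]
    if bad_index is not None:
        coeffs[bad_index] = Q + 1          # 3330 fits in 12 bits but is not reduced mod q
    return byte_encode_12(coeffs) + bytes(rng.getrandbits(8) for _ in range(32))
```

    A key that fails the modulus check is exactly one that FIPS 203 tells ML-KEM.Encaps to reject, so catching it at certification time keeps a malformed key from ever reaching relying parties.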



    ## 2025/1242

    * Title: Note: Full-round distinguisher for Synergy
    * Authors: Orr Dunkelman, Eran Lambooij, Gaëtan Leurent
    * [Permalink](https://eprint.iacr.org/2025/1242)
    * [Download](https://eprint.iacr.org/2025/1242.pdf)

    ### Abstract

    In this note we study the proposed cipher Synergy and describe a full round differential with probability $2^{-21.29}$. The claims have been experimentally verified.



    ## 2025/1243

    * Title: Improving special cases of the computational isogeny problem
    * Authors: Steven Galbraith, Valerie Gilchrist, Damien Robert
    * [Permalink](https://eprint.iacr.org/2025/1243)
    * [Download](https://eprint.iacr.org/2025/1243.pdf)

    ### Abstract

    Given two elliptic curves over F_q, computing an isogeny mapping one to the other is conjectured to be classically and quantumly hard. This problem plays an important role in the security of elliptic curve cryptography. In 2024, Galbraith applied
    recently developed techniques for isogenies to improve the state-of-the-art for this problem.

    In this work, we focus on computing ascending isogenies. We give a simplified framework for computing self-pairings, and show how they can be used to improve upon the approach from Galbraith to recover these ascending isogenies and eliminate a heuristic
    assumption from his work. We show that this new approach gives an improvement to the overall isogeny recovery when the curves have a small crater (super-polynomial in size). We also study how these self-pairings affect the security of the (PEARL)SCALLOP
    group action, gaining an improvement over the state-of-the-art for some very particular parameter choices. The current SCALLOP parameters remain unaffected.



    ## 2025/1244

    * Title: A New Bijective Pairing Alternative for Encoding Natural Numbers
    * Authors: Manideep Thotakura
    * [Permalink](https://eprint.iacr.org/2025/1244)
    * [Download](https://eprint.iacr.org/2025/1244.pdf)

    ### Abstract

    Pairing functions uniquely encode pairs of natural numbers into single values, a fundamental operation in mathematics and computer science. This paper presents an alternative approach inspired by geometric visualization—viewing pairs as
    arrangements of square blocks with missing tiles. Our method achieves packing efficiency comparable to the classical Cantor pairing function and matches the time complexity of both Cantor and Szudzik functions. Encoding is performed in constant
    time using simple arithmetic operations, while decoding requires square root computations, resulting in efficient inversion. By combining algebraic rigor with intuitive geometric insight, this approach offers a practical and accessible alternative
    for applications involving data encoding, spatial structures, and combinatorial problems.
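    The two classical functions the abstract measures itself against, as an added example (not the paper's construction, whose details are not given in the abstract): Cantor pairing walks the anti-diagonals and Szudzik pairing fills successive square shells; both encode with a few arithmetic operations and decode with an integer square root, the cost profile the abstract describes. The bijection check and the largest-code helper are this example's own.

```python
"""Cantor and Szudzik pairing functions with their inverses (added example)."""
from math import isqrt


def cantor_pair(x: int, y: int) -> int:
    """Walk the anti-diagonals x + y = s: z = s(s+1)/2 + y."""
    s = x + y
    return s * (s + 1) // 2 + y


def cantor_unpair(z: int) -> tuple:
    """Recover the diagonal s from an integer square root, then y, then x."""
    s = (isqrt(8 * z + 1) - 1) // 2
    y = z - s * (s + 1) // 2
    return s - y, y


def szudzik_pair(x: int, y: int) -> int:
    """Fill square shells: shell r = max(x, y) holds the codes r^2 .. (r+1)^2 - 1."""
    return y * y + x if x < y else x * x + x + y


def szudzik_unpair(z: int) -> tuple:
    r = isqrt(z)                 # the shell index is max(x, y)
    rem = z - r * r
    return (rem, r) if rem < r else (r, rem - r)


def check_bijection(pair, unpair, n: int) -> bool:
    """Round-trip every pair in [0, n)^2 and confirm all n^2 codes are distinct."""
    grid = [(x, y) for x in range(n) for y in range(n)]
    codes = [pair(x, y) for x, y in grid]
    return len(set(codes)) == n * n and all(unpair(z) == p for z, p in zip(codes, grid))


def largest_code(pair, n: int) -> int:
    """Largest code assigned inside [0, n)^2: a packing-efficiency figure for that grid."""
    return max(pair(x, y) for x in range(n) for y in range(n))
```

    On an n by n grid Szudzik's largest code is n^2 - 1, while Cantor's is about 2n^2, which is the kind of packing comparison the abstract refers to.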



    ## 2025/1245

    * Title: Integrating and Benchmarking KpqC in TLS/X.509
    * Authors: Minjoo Sim, Gyeongju Song, Minwoo Lee, Seyoung Yoon, Anubhab Baksi, Hwajeong Seo
    * [Permalink](https://eprint.iacr.org/2025/1245)
    * [Download](https://eprint.iacr.org/2025/1245.pdf)

    ### Abstract

    This paper reports on the implementation and performance evaluation of Korean Post-Quantum Cryptography standards within existing TLS/X.509 infrastructure. We integrated HAETAE, AIMer, SMAUG-T, and NTRU+—the four KpqC standard algorithms—into the
    OpenSSL ecosystem via a modified liboqs framework. Then, we measured static overhead (certificate size) and dynamic overhead (TLS handshake latency) under both computational-bound (localhost) and network-bound (LAN) settings. Our results indicate that,
    focusing on the Korean standards, KpqC certificates are 11.5–48 times larger than the classical ECC baseline. In performance, the tested KpqC KEMs increase handshake latency by over 750% in computation-bound tests (localhost) and by up to 35% in
    network-bound tests (LAN). To our knowledge, this study constitutes the first practical evaluation of KpqC standards in real-world TLS environments, providing concrete performance data to guide post-quantum migration strategies.



    ## 2025/1246

    * Title: On Round-Optimal Computational VSS
    * Authors: Karim Baghery, Navid Ghaedi Bardeh, Shahram Khazaei, Mahdi Rahimi
    * [Permalink](https://eprint.iacr.org/2025/1246)
    * [Download](https://eprint.iacr.org/2025/1246.pdf)

    ### Abstract

    In ASIACRYPT 2011, Backes, Kate, and Patra (BKP) introduced two computationally secure round-optimal (2-round) Verifiable Secret Sharing (VSS) schemes in the honest-majority setting, one based on non-homomorphic commitments and the other on homomorphic
    ones. Their scheme based on non-homomorphic commitments has $O(n^2)$ computational complexity and necessitates $O(n^2\lambda)$ public and private communication for the dealer, where $n$ denotes the number of parties and $\lambda$ is the security
    parameter. They showed that these costs are $n$ times higher compared to their round-optimal VSS scheme employing homomorphic commitments and posed a research question regarding the inevitability of this gap. In this paper, we fill this gap by
    introducing a new variant of the recently proposed unified framework $\mathbf{\Pi}$ by Baghery at PKC 2025, designed to enable the construction of more efficient round-optimal VSS schemes in the honest-majority setting. Compared to the original framework,
    our variant reduces the required rounds by one while maintaining compatibility with any commitments and achieving comparable efficiency. Leveraging this new general construction, we develop several round-optimal VSS schemes that surpass state-of-the-art
    alternatives. Particularly noteworthy is the new round-optimal VSS scheme based on non-homomorphic commitments, which improves the BKP scheme by a factor of $n$ across all efficiency metrics. Compared to their schemes based on homomorphic commitments,
    our schemes demonstrate significantly expedited verification and reconstruction. Implementation results further validate the practicality of these new VSS schemes. For example, for $(n, t)=(256, 127)$, where $t$ represents the threshold, compared to the
    hash-based BKP VSS scheme, our proposed scheme showcases speed-ups exceeding $120,000\times$ (and $50\times$) for the dealer (and parties, respectively), while also requiring $365\times$ (and $512\times$) less communication.



    ## 2025/1247

    * Title: Field-Tested Authentication for Quantum Key Distribution and DoS Attacks
    * Authors: Antoine Gansel, Juliane Krämer, Tim Schumacher, Patrick Struck, Maximilian Tippmann, Thomas Walther
    * [Permalink](https://eprint.iacr.org/2025/1247)
    * [Download](https://eprint.iacr.org/2025/1247.pdf)

    ### Abstract

    Authentication is a crucial requirement for the security of Quantum Key Distribution (QKD). Yet, the integration of suitable methods in QKD systems tends to receive little attention from the research community. As a result, Wegman-Carter message
    authentication established itself as the go-to solution, leading to serious inefficiencies and additional trust assumptions, making it hard to recover from denial-of-service attacks. Another method is to use the lattice-based signature scheme Dilithium,
    as proposed by Wang et al. (npj quantum information; 2021). This method avoids the drawbacks of Wegman-Carter but, unfortunately, introduces new disadvantages. In this work, we implement and test several authentication methods on an actual QKD system. We
    compare and analyze three authentication variants, i.e., Wegman-Carter, Dilithium, and the established message-authentication code Chaskey, as a new method for authentication in QKD, which uses fewer quantum keys. We focus on the key consumptions,
    runtimes, and practicality in a field test of the QKD system. Lastly, we take a broader look at authentication for QKD in the context of Denial-of-Service attacks and propose a solution by combining several authentication methods to achieve their
    individual advantages while simultaneously avoiding several drawbacks.
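    To make the key-consumption point concrete, the Python below is an added example, not the authors' field-test code. It models the QKD key buffer as a constructed byte store and authenticates messages two ways: Wegman-Carter style, where a polynomial hash over $GF(2^{61}-1)$ under a long-term key is one-time-padded with 8 fresh key bytes per message, so quantum key is burned linearly in the number of messages; and with a reusable-key MAC that draws one 32-byte key per session. HMAC-SHA256 from the standard library stands in for Chaskey, which the standard library does not provide; the hash construction, block size and store API are this example's assumptions.

```python
"""Wegman-Carter vs reusable-key MAC: quantum key consumed per message (added example)."""
import hashlib
import hmac
import secrets

P = (1 << 61) - 1      # Mersenne prime; the polynomial hash lives in GF(P)
BLOCK = 7              # 56-bit message blocks, so every block value is < P
PAD_BYTES = 8          # fresh QKD key bytes consumed per Wegman-Carter tag


class KeyStore:
    """Constructed stand-in for the QKD key buffer: hands out key bytes in order and counts them."""

    def __init__(self, key_material: bytes):
        self.buf = bytearray(key_material)
        self.consumed = 0

    def take(self, n: int) -> bytes:
        if len(self.buf) < n:
            raise RuntimeError("QKD key store exhausted")
        out = bytes(self.buf[:n])
        del self.buf[:n]
        self.consumed += n
        return out


def poly_hash(k: int, msg: bytes) -> int:
    """Polynomial evaluation hash in Horner form over 7-byte blocks plus a length block.
    Two distinct messages agree for at most (#blocks) values of k, so the collision
    probability over a uniform k is about (#blocks) / P."""
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    blocks.append(len(msg).to_bytes(BLOCK, "big"))
    h = 0
    for b in blocks:
        h = (h * k + int.from_bytes(b, "big")) % P
    return h


def wc_tag(hash_key: int, store: KeyStore, msg: bytes) -> int:
    """Wegman-Carter: mask the hash with a one-time pad drawn from the QKD store."""
    pad = int.from_bytes(store.take(PAD_BYTES), "big") % P   # reduction bias ~2^-58, ignored
    return (poly_hash(hash_key, msg) + pad) % P


def wc_verify(hash_key: int, store: KeyStore, msg: bytes, tag: int) -> bool:
    """The receiver must draw the same pad, so verification consumes key as well."""
    expected = wc_tag(hash_key, store, msg)
    return hmac.compare_digest(expected.to_bytes(8, "big"), tag.to_bytes(8, "big"))


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Reusable-key MAC; HMAC-SHA256 stands in for Chaskey here."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def key_consumption(messages: list) -> tuple:
    """QKD key bytes the sender burns authenticating `messages` with each method."""
    hash_key = int.from_bytes(secrets.token_bytes(8), "big") % P   # long-term, reusable
    wc_store = KeyStore(secrets.token_bytes(PAD_BYTES * len(messages)))
    mac_store = KeyStore(secrets.token_bytes(32))
    mac_key = mac_store.take(32)            # one draw per session, not per message
    for m in messages:
        wc_tag(hash_key, wc_store, m)
        mac_tag(mac_key, m)
    return wc_store.consumed, mac_store.consumed
```

    Because both endpoints must draw the same pad for each tag, the two key stores also have to stay in lockstep: a lost or forged message that makes one side advance its store without the other is what makes resynchronisation after a flood painful, whereas the reusable-key MAC needs nothing beyond the session key.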



    ## 2025/1248

    * Title: Beyond Side-Channels: Evaluating Inner Product Masking Against SIFA
    * Authors: Wu Qianmei, Sayandeep Saha, Wei Cheng, Fan Zhang, Shivam Bhasin
    * [Permalink](https://eprint.iacr.org/2025/1248)
    * [Download](https://eprint.iacr.org/2025/1248.pdf)

    ### Abstract

    Statistical Ineffective Fault Attack (SIFA) presents a critical threat to cryptographic implementations by circumventing conventional detection-based countermeasures effective against traditional fault attacks. Particularly, SIFA operates via two
    mechanisms: SIFA-1 exploits fault effectiveness dependency on target values, while SIFA-2 leverages conditional propagation of faulted values based on sensitive intermediates. Recent studies suggest that masking, mainly a side-channel protection, also
    exhibits promising resistance to SIFA-1, such as prime masking. In this paper, we systematically evaluate the resilience of Inner Product Masking (IPM) against SIFA, which has been established in prior works as a powerful side-channel-resistant
    alternative to Boolean masking. Specifically, with regard to SIFA-1, our theoretical analysis demonstrates that Inner Product (IP) encoding provides stronger SIFA-1 resistance than both Boolean and prime masking under generic multi-bit fault models using
    various fault types. More interestingly, an equivalence between Side-channel and SIFA-1 security has been theoretically established for IP encoding, indicating that optimal IP encoding exists that simultaneously provides the highest side-channel
    resistance and maximizes the complexity of effective SIFA-1 attacks. For SIFA-2, our analysis reveals that IPM’s protection remains fundamentally bounded by the computational field size, consistent with previous results in this regard, e.g., for prime
    field masking. However, some vulnerabilities to persistent faults are anticipated for the most recently proposed IPM multiplication gadget. Given the compatibility with existing ciphers and demonstrated superior resistance against SIFA-1, IPM emerges as
    a more promising fault-resistant encoding technique compared to prime masking.



    ## 2025/1249

    * Title: An Automated Model to Search For Differential Meet-In-The-Middle Attack: Applications to AndRX Ciphers
    * Authors: Debasmita Chakraborty, Soumya Sahoo, Phuong Hoa Nguyen, Santanu Sarkar
    * [Permalink](https://eprint.iacr.org/2025/1249)
    * [Download](https://eprint.iacr.org/2025/1249.pdf)

    ### Abstract

    Differential meet-in-the-middle (MITM) cryptanalysis, recently introduced by Boura et al., has emerged as a powerful and versatile technique for assessing the security of modern block cipher designs. Since its introduction, this method has been
    effectively applied to a variety of block ciphers, including different variants of SKINNY, CRAFT, and AES. However, identifying such attacks manually–especially on bit-oriented ciphers with large block sizes–can be a complex and error-prone process,
    which underscores the growing importance of automated solutions in this domain. In this work, we present, for the first time to the best of our knowledge, a novel and efficient automated tool for constructing optimized differential MITM attacks on
    bit-oriented block ciphers, with a particular focus on AndRX designs. Our framework begins by modeling an efficient constraint programming (CP) model to search for single-key optimal differential trails in AndRX ciphers. Building on this, we propose
    a unified bitwise CP model to automatically construct optimized differential MITM attacks within the same design framework. Furthermore, we incorporate two dedicated optimization strategies–namely, the equivalent subkey technique and the selective
    key guessing technique–both of which are tailored to the structural properties of AndRX ciphers and significantly enhance key recovery efficiency. Additionally, we also apply two additional optimization techniques: the parallel partitioning technique
    and the reducing data with imposed conditions techniques to further enhance the differential MITM attack on AndRX ciphers.

    To demonstrate the practical effectiveness of our tool, we apply it to all versions of SIMON and Simeck, two widely studied representatives of the AndRX family, and report improved cryptanalytic results. Specifically, we present differential MITM
    attacks on SIMON-32-64, SIMON-48-96, SIMON-64-128, and SIMON-96-144, covering 23, 25, 32, and 38 rounds, respectively. All of these results represent improvements in the number of attacked rounds compared to the best known differential attacks,
    classical meet-in-the-middle (MITM), and Demirci-Selçuk MITM (DS-MITM) attacks on the corresponding versions of SIMON. For instance, we present a 37-round differential MITM attack on SIMON-96-144, which extends the best known differential, classical
    MITM, and DS-MITM attacks by 1, 17, and 18 rounds, respectively. In the case of Simeck, we report a 29-round differential MITM attack on Simeck-48-96, improving the previous best differential attack by one round. These results demonstrate the
    strength and versatility of our automated tool. Importantly, our automated method for constructing differential MITM attacks operates at the bit level and is generic in nature, making it applicable to a broad class of bit-oriented block ciphers beyond
    the AndRX family.



    ## 2025/1250

    * Title: The Weighted Sum Correlation Analysis
    * Authors: Elena Dubrova, Sönke Jendral, Yanning Ji, Ruize Wang
    * [Permalink](https://eprint.iacr.org/2025/1250)
    * [Download](https://eprint.iacr.org/2025/1250.pdf)

    ### Abstract

    This paper introduces the weighted sum correlation analysis method, a profiled higher-order side-channel attack that quantifies the significance of time-domain samples based on a chosen leakage model. We also demonstrate the utility of the Hilbert
    transform in side-channel analysis, showing how its phase-shifting property can be exploited to construct an effective fused score that combines multiple correlation coefficients into a single metric. We validate the presented method on the challenging
    case of the AES-CCM accelerator in a commercial Bluetooth chip, leveraging RF signals captured via a software-defined radio as a side channel. Compared to the correlation analysis methods presented at RWC'25 and CHES'25, the weighted sum approach
    achieves at least a threefold reduction in the number of traces required for key recovery. Remarkably, it also outperforms deep learning-based analysis.



    ## 2025/1251

    * Title: Black Box to Blueprint: Visualizing Leakage Propagation in Deep Learning Models for SCA
    * Authors: Suvadeep Hajra, Debdeep Mukhopadhyay
    * [Permalink](https://eprint.iacr.org/2025/1251)
    * [Download](https://eprint.iacr.org/2025/1251.pdf)

    ### Abstract

    Deep learning (DL)-based side-channel analysis (SCA) has emerged as a powerful approach for extracting secret information from cryptographic devices. However, its performance often deteriorates when targeting implementations protected by masking and
    desynchronization-based countermeasures, or when analyzing long side-channel traces. In earlier work, we proposed EstraNet, a Transformer Network (TN)-based model designed to address these challenges by capturing long-distance dependencies and
    incorporating shift-invariant attention mechanisms.

    In this work, we perform an in-depth analysis of the internal behavior of EstraNet and propose methods to further enhance its effectiveness. First, we introduce DL-ProVe (Deep Learning Leakage Propagation Vector Visualization), a novel technique
    for visualizing how leakage from secret shares in a masked implementation propagates and recombines into the unmasked secret through the layers of a DL model trained for SCA. We then apply DL-ProVe to EstraNet, providing the first detailed explanation of
    how leakage is accumulated and combined within such an architecture.


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)