1. Forum
  2. Usenet
  3. SCI.CRYPT

  • [digest] 2025 Week 10 (3/3)

    From IACR ePrint Archive@21:1/5 to All on Mon Mar 10 02:23:20 2025
    [continued from previous message]

    We observe that the hitherto unconsidered latency of fetching keys from storage significantly impacts performance, as does network speed. We design a Linear Secret Sharing (LSS)-based system $LSS^M$ and a Function Secret Sharing (FSS)-based system $FSS^M$
    for secure inference, optimized for small key size and communication, respectively. Notably, our highly-optimized and hardware-aware CPU-based $LSS^M$ outperforms prior GPU-based LSS systems by up to $50\times$. We then show that the best choice between
    $LSS^M$ and $FSS^M$ depends on the deployment scenario.
    In fact, under certain deployments, a combination of $LSS^M$ and $FSS^M$ can leverage heterogeneous processing across CPU and GPU. Such protocol-system co-design lets us outperform state-of-the-art secure inference systems
    by up to $21\times$ (geomean $3.25\times$).



    ## 2025/425

    * Title: A Note on the Blindness of the Scheme from ePrint 2025/397
    * Authors: Lucjan Hanzlik
    * [Permalink](https://eprint.iacr.org/2025/425)
    * [Download](https://eprint.iacr.org/2025/425.pdf)

    ### Abstract

    This note demonstrates that the blind signature scheme based on cryptographic group actions, as proposed in ePrint paper 2025/397, fails to ensure blindness. Specifically, we construct an adversary that achieves a $1/8$ advantage in the blindness
    experiment. The attack leverages selective abort techniques (also known as selective failure attacks), a well-known strategy in the MPC literature.



    ## 2025/426

    * Title: Exploring How to Authenticate Application Messages in MLS: More Efficient, Post-Quantum, and Anonymous Blocklistable
    * Authors: Keitaro Hashimoto, Shuichi Katsumata, Guillermo Pascual-Perez
    * [Permalink](https://eprint.iacr.org/2025/426)
    * [Download](https://eprint.iacr.org/2025/426.pdf)

    ### Abstract

    The Message Layer Security (MLS) protocol has recently been standardized by the IETF. MLS is a scalable secure group messaging protocol expected to run more efficiently compared to the Signal protocol at scale, while offering a similar level of strong
    security. Even though MLS has undergone extensive examination by researchers, the majority of the works have focused on confidentiality.

    In this work, we focus on the authenticity of the application messages exchanged in MLS. Currently, MLS authenticates every application message with an EdDSA signature and while manageable, the overhead is greatly amplified in the post-quantum setting as
    the NIST-recommended Dilithium signature results in a 40x increase in size. We view this as an invitation to explore new authentication modes that can be used instead. We start by taking a systematic view on how application messages are authenticated in
    MLS and categorize authenticity into four different security notions. We then propose several authentication modes, offering a range of different efficiency and security profiles. For instance, in one of our modes, COSMOS++, we replace signatures with
    one-time tokens and a MAC tag, offering roughly a 75x savings in the post-quantum communication overhead. While this comes at the cost of weakening security compared to the authentication mode used by MLS, the lower communication overhead seems to make
    it a worthwhile trade-off with security.



    ## 2025/427

    * Title: BUFFing Threshold Signature Schemes
    * Authors: Marc Fischlin, Aikaterini Mitrokotsa, Jenit Tomy
    * [Permalink](https://eprint.iacr.org/2025/427)
    * [Download](https://eprint.iacr.org/2025/427.pdf)

    ### Abstract

    We explore advanced security notions for threshold signature schemes, focusing on Beyond UnForgeability Features (BUFF), introduced by Cremers et al. (S&P’21) in the non-threshold setting. The BUFF properties protect against attacks based on
    maliciously chosen keys, e.g., expropriating a message-signature pair under a new public key (called exclusive ownership). We first formalize these notions in the threshold setting and examine their relationships. Notably, unlike regular signature
    schemes, the hierarchy of variants of exclusive ownership notions only holds for threshold schemes if they are also robust.
    We then present a generic compiler that transforms any threshold signature scheme to satisfy exclusive ownership, and message-bound signature properties with minimal overhead. Furthermore, we modify the threshold BLS signature scheme to achieve these
    additional properties without increasing the signature size. Lastly, we identify specific structures in threshold signature schemes where BUFF properties can be naturally extended from the underlying standard signature scheme, and we analyze and prove
    the security properties in some of the existing threshold schemes.



    ## 2025/428

    * Title: On Improved Cryptanalytic Results against ChaCha for Reduced Rounds ≥ 7
    * Authors: Nitin Kumar Sharma, Sabyasachi Dey, Santanu Sarkar, Subhamoy Maitra * [Permalink](https://eprint.iacr.org/2025/428)
    * [Download](https://eprint.iacr.org/2025/428.pdf)

    ### Abstract

    In this paper, we analyze the subtle issues of complexity estimates related to state-of-the-art cryptanalytic efforts on ChaCha. In this regard, we demonstrate that the currently best-known cryptanalytic result on $7$-round ChaCha with time $2^{189.7}$
    and data $2^{102.63}$ [Xu et al., ToSC 2024] can be estimated as $2^{178.12}$ for time and $2^{101.09}$ for data complexity. We improve the best-known result for the $7.25$ round by obtaining an improved set of Probabilistic Neutral Bits and considering
    our revised estimation. Our result with time complexity $2^{212.43}$ and data complexity $2^{100.56}$ improves the result of Xu et al., where they could achieve time and data complexity $2^{223.9}$ and $2^{100.80}$, respectively. For both the $7$ and $7.
    25$ rounds, we can show an improvement of the order of $2^{11}$ in the time complexity. For $7.5$-round, we improve the result of Dey [IEEE-IT 2024], which reports the time and data complexity of $2^{255.24}$ and $2^{32.64}$, respectively. By applying
    the formula of the same paper and incorporating additional PNBs, we obtain improved time and data complexity of $2^{253.23}$ and $2^{34.47}$, respectively. Thus, this paper describes the currently best-known cryptanalytic results against reduced round
    ChaCha. Our results do not affect the security claims of the complete algorithm with 20 rounds. Also, we provide a rebuttal of the Work by Wang et al. \cite{wangeprint} and analyze their claim about the error in the ``Divide-and-Conquer'' Approach.



    ## 2025/429

    * Title: Enhanced CKKS Bootstrapping with Generalized Polynomial Composites Approximation
    * Authors: Seonhong Min, Joon-woo Lee, Yongsoo Song
    * [Permalink](https://eprint.iacr.org/2025/429)
    * [Download](https://eprint.iacr.org/2025/429.pdf)

    ### Abstract

    Bootstrapping in approximate homomorphic encryption involves evaluating the modular reduction function. Traditional methods decompose the modular reduction function into three components: scaled cosine, double-angle formula, and inverse sine. While these
    approaches offer a strong trade-off between computational cost and level consumption, they lack flexibility in parameterization.

    In this work, we propose a new method to decompose the modular reduction function with improved parameterization, generalizing prior trigonometric approaches. Numerical experiments demonstrate that our method achieves near-optimal approximation errors.
    Additionally, we introduce a technique that integrates the rescaling operation into matrix operations during bootstrapping, further reducing computational overhead.



    ## 2025/430

    * Title: Non-interactive Anonymous Tokens with Private Metadata Bit
    * Authors: Foteini Baldimtsi, Lucjan Hanzlik, Quan Nguyen, Aayush Yadav
    * [Permalink](https://eprint.iacr.org/2025/430)
    * [Download](https://eprint.iacr.org/2025/430.pdf)

    ### Abstract

    Anonymous tokens with private metadata bit (ATPM) have received increased interest as a method for anonymous client authentication while also embedding trust signals that are only readable by the authority who holds the issuance secret key and nobody
    else. A drawback of all existing ATPM constructions is that they require client-issuer interaction during the issuance process. In this work, we build the first non-interactive anonymous tokens (NIAT) with private metadata bit, inspired by the recent
    work of Hanzlik (Eurocrypt '23) on non-interactive blind signatures. We discuss how the non-interaction property during the issuance process allows for more efficient issuance protocols that avoid the need for online signing. We construct an efficient
    NIAT scheme based on Structure-preserving Signatures on Equivalence Classes (SPS-EQ) and experimentally evaluate its performance. We also present an extension to our NIAT construction that allows the identification of clients who attempt to double-
    spend (i.e., present the same token twice).



    ## 2025/431

    * Title: Commitment Schemes Based on Module-LIP
    * Authors: Hengyi Luo, Kaijie Jiang, Yanbin Pan, Anyu Wang
    * [Permalink](https://eprint.iacr.org/2025/431)
    * [Download](https://eprint.iacr.org/2025/431.pdf)

    ### Abstract

    Recently, Jiang et al. (EUROCRYPT 2025) proposed a universal framework for constructing commitment schemes using group actions, and instantiated it with the Lattice Isomorphism Problem (LIP). This paper attempts to construct an instantiation based on
    module-LIP with this framework. More precisely, we first present a reduction from $\mathcal{O}_{\mathbb{L}}^2$-LIP to $\mathcal{O}_{\mathbb{L}}^2$-LAP. Then we develop a re-randomized algorithm based on the self-reduction framework of Module-LIP (Ducas
    et al. ASIACRYPT 2022), adapting it to the framework to construct commitment schemes.



    ## 2025/432

    * Title: Black-Box (and Fast) Non-Malleable Zero Knowledge
    * Authors: Vincenzo Botta, Michele Ciampi, Emmanuela Orsini, Luisa Siniscalchi, Ivan Visconti
    * [Permalink](https://eprint.iacr.org/2025/432)
    * [Download](https://eprint.iacr.org/2025/432.pdf)

    ### Abstract

    Non-malleable zero-knowledge (NMZK), originally introduced in the seminal work of Dolev, Dwork, and Naor (STOC 91), is a fundamental concept for modeling the security of proof systems against man-in-the-middle attacks.

    Recently, Kim, Liang, and Pandey (CRYPTO 2022) presented the first efficient constant-round NMZK argument system based solely on symmetric-key cryptography. Their construction relies on a non-black-box use of the involved cryptographic primitives and on
    multiple executions of Ligero (CCS 2017) that affect both the round complexity and the computational efficiency of their protocol. Their work left open the natural important challenge of achieving NMZK using the underlying primitives only in a black-box
    fashion (regardless of the number of rounds and actual efficiency).

    In this paper, we solve the aforementioned open problem by presenting the first NMZK argument system based on the black-box use of cryptographic primitives. Our work is optimal in the use of primitives since we only need one-way functions, and
    asymptotically optimal in the number of rounds since we only require a constant number of rounds. Our argument system is non-malleable with respect to the strong "simulation-extractability" flavor of non-malleability.

    Furthermore, we also show that our construction can be efficiently instantiated in Minicrypt, significantly improving upon the work of Kim et al., both in terms of round complexity and computational efficiency.



    ## 2025/433

    * Title: MIDAS: an End-to-end CAD Framework for Automating Combinational Logic Locking
    * Authors: Akashdeep Saha, Siddhartha Chowdhury, Rajat Subhra Chakraborty, Debdeep Mukhopadhyay
    * [Permalink](https://eprint.iacr.org/2025/433)
    * [Download](https://eprint.iacr.org/2025/433.pdf)

    ### Abstract

    Logic locking has surfaced as a notable safeguard
    against diverse hazards that pose a risk to the integrated circuit
    (IC) supply chain. Existing literature on logic locking largely
    encompasses the art of proposing new constructions, on the one
    hand, and unearthing weaknesses in such algorithms on the
    other. Somehow, in this race of make and break, the stress on
    automation of adopting such techniques on real-life circuits has
    been rather limited. For the first time, we present a generic
    end-to-end combinational logic locking CAD framework, MIDAS.
    This framework analyses circuit netlists and generates locked
    netlists. Due to its generic circuit analysis, it bridges the gap,
    integrates diverse logic locking techniques, and offers a scope of
    integration of potential future ones. MIDAS framework’s efficacy
    has been verified through its application on ISCAS’85 and
    ISCAS’99 benchmark circuits, locked using six different schemes
    such as EPIC, Anti-SAT, SFLL-HD, SFLL-fault, CAS-Lock, and
    LoPher. MIDAS minimizes the hardware overhead requirements
    of otherwise resource-intensive locking technique LoPher by
    extracting an influential portion of circuit to lock and utilizing
    a simple fitness function. We also assess the overhead increase
    for the aforementioned locking methods, thereby complicating
    the identification of influential nodes within the locked netlists.
    Finally, we evaluate MIDAS by selectively locking parts of a commercially-designed open-source RISC-V core.



    ## 2025/434

    * Title: Fine-Grained Verifier NIZK and Its Applications
    * Authors: Shuai Han, Shengli Liu, Xiangyu Liu, Dawu Gu
    * [Permalink](https://eprint.iacr.org/2025/434)
    * [Download](https://eprint.iacr.org/2025/434.pdf)

    ### Abstract

    In this paper, we propose a new type of non-interactive zero-knowledge (NIZK), called Fine-grained Verifier NIZK (FV-NIZK), which provides more flexible and more fine-grained verifiability of proofs than standard NIZK that supports public verifiability
    and designated-verifier NIZK (DV-NIZK) that supports private verifiability. FV-NIZK has two statistically (or computationally) equivalent verification approaches:

    --- a master verification using the master secret key $msk$;

    --- a fine-grained verification using a derived secret key $sk_d$, which is derived from $msk$ w.r.t. $d$ (which may stand for user identity, email address, vector, etc.).

    We require unbounded simulation soundness (USS) of FV-NIZK to hold, even if an adversary obtains derived secret keys $sk_d$ with $d$ of its choices, and define proof pseudorandomness which stipulates the pseudorandomness of proofs for adversaries that
    are not given any secret key.

    We present two instantiations of FV-NIZK for linear subspace languages, based on the matrix decisional Diffie-Hellman (MDDH) assumption.
    One of the FV-NIZK instantiations is pairing-free and achieves almost tight USS and proof pseudorandomness. We also adapt the two instantiations to support unbounded fine-grained secret key delegations.

    We illustrate the usefulness of FV-NIZK by showing two applications and obtain the following pairing-free schemes:

    --- the first almost tightly mu