## In this issue
1. [2023/210] New Generic Constructions of Error-Correcting PIR ...
2. [2024/361] Key Exchange with Tight (Full) Forward Secrecy via ...
3. [2025/201] Cryptanalysis of Isogeny-Based Quantum Money with ...
4. [2025/259] Improved Resultant Attack against Arithmetization- ...
5. [2025/616] State Machine Replication Among Strangers, Fast and ...
6. [2025/889] At the Top of the Hypercube -- Better Size-Time ...
7. [2025/1019] Silent Splitter: Privacy for Payment Splitting via ...
8. [2025/1020] Separating Pseudorandom Codes from Local Oracles
9. [2025/1021] Black-Box Crypto is Useless for Pseudorandom Codes
10. [2025/1022] Burn Your Vote: Decentralized and Publicly ...
11. [2025/1023] Universal Channel Rebalancing: Flexible Coin ...
12. [2025/1024] Towards Trustless Provenance: A Privacy-Preserving ...
13. [2025/1025] Secure Noise Sampling for Differentially Private ...
14. [2025/1026] Malicious Security in Collaborative zk-SNARKs: More ...
15. [2025/1027] Parallel Repetition for Post-Quantum Arguments
16. [2025/1028] Group Key Progression: Strong Security for Shared ...
17. [2025/1029] Improved Key Recovery Attacks of Ascon
18. [2025/1030] Everlasting Anonymous Rate-Limited Tokens
19. [2025/1031] Quasidifferential Saves Infeasible Differential: ...
20. [2025/1032] Constant-Round Asynchronous MPC with Optimal ...
21. [2025/1033] Trusted Hardware-Assisted Leaderless Byzantine ...
22. [2025/1034] JANUS: Enhancing Asynchronous Common Subset with ...
23. [2025/1035] Continuous Group-Key Agreement: Concurrent Updates ...
24. [2025/1036] A Critique on Average-Case Noise Analysis in RLWE- ...
25. [2025/1037] Committed Vector Oblivious Linear Evaluation and ...
26. [2025/1038] Security of Operations on Random Numbers: A Review
27. [2025/1039] Unbounded Distributed Broadcast Encryption and ...
28. [2025/1040] Weave: Efficient and Expressive Oblivious Analytics ...
29. [2025/1041] Rubato: Provably Post-Quantum Secure and Batched ...
30. [2025/1042] Crowhammer: Full Key Recovery Attack on Falcon with ...
31. [2025/1043] Designing QC-MDPC Public Key Encryption Schemes ...
32. [2025/1044] When Threshold Meets Anamorphic Signatures: What is ...
33. [2025/1045] Constrained Verifiable Random Functions Without ...
34. [2025/1046] A Quasi-polynomial Time Algorithm for the ...
35. [2025/1047] Orient Express: Using Frobenius to Express Oriented ...
36. [2025/1048] One-way multilinear functions of the second order ...
37. [2025/1049] XHMQV: Better Efficiency and Stronger Security for ...
38. [2025/1050] Integral Resistance of Block Ciphers with Key ...
39. [2025/1051] Synergy: A Lightweight Block Cipher with Variable ...
40. [2025/1052] How to Trace Viral Content in End-to-End Encrypted ...
41. [2025/1053] Breaking the 1/λ-Rate Barrier for Arithmetic Garbling
42. [2025/1054] Rewardable Naysayer Proofs
43. [2025/1055] Single-server Stateful PIR with Verifiability and ...
44. [2025/1056] Private Signaling Secure Against Actively Corrupted ...
## 2023/210
* Title: New Generic Constructions of Error-Correcting PIR and Efficient Instantiations
* Authors: Reo Eriguchi, Kaoru Kurosawa, Koji Nuida
* [Permalink](
https://eprint.iacr.org/2023/210)
* [Download](
https://eprint.iacr.org/2023/210.pdf)
### Abstract
A $b$-error-correcting $m$-server Private Information Retrieval (PIR) protocol enables a client to privately retrieve a data item of a database from $m$ servers even in the presence of $b$ malicious servers. List-decodable PIR is a generalization of
error-correcting PIR to achieve a smaller number of servers at the cost of giving up unique decoding. Previous constructions of error-correcting and list-decodable PIR have exponential computational complexity in $m$ or cannot achieve sub-polynomial
communication complexity $n^{o(1)}$, where $n$ is the database size. Recently, Zhang, Wang and Wang (ASIACCS 2022) presented a non-explicit construction of error-correcting PIR with $n^{o(1)}$ communication and polynomial computational overhead in $m$.
However, their protocol requires the number of servers to be larger than the minimum one $m=2b+1$ and they left it as an open problem to reduce it. As for list-decodable PIR, there is no construction with $n^{o(1)}$ communication.
In this paper, we propose new generic constructions of error-correcting and list-decodable PIR from any one-round regular PIR. Our constructions increase computational complexity only by a polynomial factor in $m$ while the previous generic constructions
incur $\binom{m}{b}$ multiplicative overheads. Instantiated with the best-known protocols, our construction provides for the first time an explicit error-correcting PIR protocol with $n^{o(1)}$ communication, which reduces the number of servers of the
protocol by Zhang, Wang and Wang (ASIACCS 2022). For sufficiently large $b$, we also show the existence of $b$-error-correcting PIR with $n^{o(1)}$ communication achieving the minimum number of servers, by allowing for two rounds of interaction.
Furthermore, we show an extension to list-decodable PIR and obtain for the first time a protocol with $n^{o(1)}$ communication. Other instantiations improve the communication complexity of the state-of-the-art $t$-private protocols in which $t$ servers
may collude. Along the way, we formalize the notion of \textit{locally surjective map families}, which generalize perfect hash families and may be of independent interest.
## 2024/361
* Title: Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation
* Authors: Jiaxin Pan, Doreen Riepel, Runzhi Zeng
* [Permalink](
https://eprint.iacr.org/2024/361)
* [Download](
https://eprint.iacr.org/2024/361.pdf)
### Abstract
Weak forward secrecy (wFS) of authenticated key exchange (AKE) protocols is a passive variant of (full) forward secrecy (FS). A natural mechanism to upgrade from wFS to FS is the use of key confirmation messages which compute a message authentication
code (MAC) over the transcript. Unfortunately, Gellert, Gjøsteen, Jacobson and Jager (GGJJ, CRYPTO 2023) show that this mechanism inherently incurs a loss proportional to the number of users, leading to an overall non-tight reduction, even if wFS was
established using a tight reduction.
Inspired by GGJJ, we propose a new notion, called one-way verifiable weak forward secrecy (OW-VwFS), and prove that OW-VwFS can be transformed tightly to FS using key confirmation in the random oracle model (ROM). To implement our generic transformation,
we show that several tightly wFS AKE protocols additionally satisfy our OW-VwFS notion tightly. We highlight that using the recent lattice-based protocol from Pan, Wagner, and Zeng (CRYPTO 2023) can give us the first lattice-based tightly FS AKE via key
confirmation in the classical random oracle model. Besides this, we also obtain a Decisional-Diffie-Hellman-based protocol that is considerably more efficient than the previous ones.
Finally, we lift our study on FS via key confirmation to the quantum random oracle model (QROM). While our security reduction is overall non-tight, it matches the best existing bound for wFS in the QROM (Pan, Wagner, and Zeng, ASIACRYPT 2023), namely, it
is square-root- and session-tight. Our analysis is in the multi-challenge setting, and it is more realistic than the single-challenge setting as in Pan et al..
## 2025/201
* Title: Cryptanalysis of Isogeny-Based Quantum Money with Rational Points
* Authors: Hyeonhak Kim, DongHoe Heo, Seokhie Hong
* [Permalink](
https://eprint.iacr.org/2025/201)
* [Download](
https://eprint.iacr.org/2025/201.pdf)
### Abstract
Quantum money is the cryptographic application of the quantum no-cloning theorem. It has recently been instantiated by Montgomery and Sharif (Asiacrypt '24) from class group actions on elliptic curves. In this work, we propose a concrete cryptanalysis by
leveraging the efficiency of evaluating division polynomials with the coordinates of rational points, offering a speedup of $O(\log^4p)$ compared to the brute-force attack. Since our attack still requires exponential time, it remains impractical to forge
a quantum banknote. Interestingly, due to the inherent properties of quantum money, our attack method also results in a more efficient verification procedure. Our algorithm leverages the properties of quadratic twists to utilize rational points in
verifying the cardinality of the superposition of elliptic curves. We expect this approach to contribute to future research on elliptic-curve-based quantum cryptography.
## 2025/259
* Title: Improved Resultant Attack against Arithmetization-Oriented Primitives * Authors: Augustin Bariant, Aurélien Boeuf, Pierre Briaud, Maël Hostettler, Morten Øygarden, Håvard Raddum
* [Permalink](
https://eprint.iacr.org/2025/259)
* [Download](
https://eprint.iacr.org/2025/259.pdf)
### Abstract
In the last decade, the introduction of advanced cryptographic protocols operating on large finite fields $\mathbb{F}_q$ has raised the need for efficient cryptographic primitives in this setting, commonly referred to as Arithmetization-Oriented (AO).
The cryptanalysis of AO hash functions is essentially done through the study of the CICO problem on the underlying permutation. Two recent works at Crypto 2024 and Asiacrypt 2024 managed to solve the CICO problem much more efficiently than traditional GrÃ
¶bner basis methods, using respectively advanced Gröbner basis techniques and resultants.
In this paper, we propose an attack framework based on resultants that applies to a wide range of AO permutations and improves significantly upon these two recent works. Our improvements mainly come from an efficient reduction procedure that we propose
and rigorously analyze, taking advantage of fast multivariate multiplication. We present the most efficient attacks on Griffin, Arion, Anemoi, and Rescue. We show that most variants of Griffin, Arion and Anemoi fail to reach the claimed security level.
For the first time, we successfully break a parameter set of Rescue, namely its $512$-bit security variant. The presented theory and complexity estimates are backed up with experimental attacks. Notably, we practically find CICO solutions for $8$ out of $
10$ rounds of Griffin, $11$ out of $20$ rounds of Anemoi, $6$ out of $18$ rounds of Rescue, improving by respectively $1$, $3$ and $1$ rounds on the previous best practical attacks.
## 2025/616
* Title: State Machine Replication Among Strangers, Fast and Self-Sufficient
* Authors: Juan Garay, Aggelos Kiayias, Yu Shen
* [Permalink](
https://eprint.iacr.org/2025/616)
* [Download](
https://eprint.iacr.org/2025/616.pdf)
### Abstract
A set of unacquainted parties, some of which may misbehave, communicate with each other over an unauthenticated and unreliable gossip network. They wish to jointly replicate a state machine $\Pi$ so that each one of them has fair access to its operation.
Specifically, assuming parties' computational power is measured as queries to an oracle machine $H(\cdot)$, parties can issue symbols to the state machine in proportion to their queries to $H(\cdot)$ at a given fixed rate. Moreover, if such access to
the state machine is provided continuously in expected constant time installments we qualify it as fast fairness.
A state machine replication (SMR) protocol in this permissionless setting is expected to offer consistency across parties and reliably process all symbols that honest parties wish to add to it in a timely manner despite continuously fluctuating
participation and in the presence of an adversary who commands less than half of the total queries to $H(\cdot)$ per unit of time.
A number of protocols strive to offer the above guarantee together with fast settlement --- notably, the Bitcoin blockchain offers a protocol that settles against Byzantine adversaries in polylogarithmic rounds, while fairness only holds in a fail-stop
adversarial model (due to the fact that Byzantine behavior can bias access to the state machine in the adversary's favor). In this work, we put forth the first Byzantine-resilient protocol solving SMR in this setting with both expected-constant-time
settlement and fast fairness. Furthermore, our protocol is self-sufficient in the sense of performing its own time keeping while tolerating an adaptively fluctuating set of parties.
## 2025/889
* Title: At the Top of the Hypercube -- Better Size-Time Tradeoffs for Hash-Based Signatures
* Authors: Dmitry Khovratovich, Mikhail Kudinov, Benedikt Wagner
* [Permalink](
https://eprint.iacr.org/2025/889)
* [Download](
https://eprint.iacr.org/2025/889.pdf)
### Abstract
Hash-based signatures have been studied for decades and have recently gained renewed attention due to their post-quantum security. At the core of the most prominent hash-based signature schemes, XMSS and SPHINCS+, lies a one-time signature scheme based
on hash chains due to Winternitz. In this scheme, messages are encoded into vectors of positions (i.e., vertices in a hypercube) in the hash chains, and the signature contains the respective chain elements. The encoding process is crucial for the
efficiency and security of this construction. In particular, it determines a tradeoff between signature size and computational costs. Researchers have been trying to improve this size-time tradeoff curve for decades, but all improvements have been
arguably marginal.
In this work, we revisit the encoding process with the goal of minimizing verification costs and signature sizes. As our first result, we present a novel lower bound for the verification cost given a fixed signature size. Our lower bound is the first to
directly apply to general encodings including randomized, non-uniform, and non-injective ones.
Then, we present new encodings and prove their security. Inspired by our lower bound, these encodings follow a counterintuitive approach: we map messages non-uniformly into the top layers of a much bigger hypercube than needed but the encoding itself has
(hard to find) collisions. With this, we get a 20 % to 40 % improvement in the verification cost of the signature while keeping the same security level and the same size.
Our constructions can be directly plugged into any signature scheme based on hash chains, which includes SPHINCS+ and XMSS.
## 2025/1019
* Title: Silent Splitter: Privacy for Payment Splitting via New Protocols for Distributed Point Functions
* Authors: Margaret Pierce, Saba Eskandarian
* [Permalink](
https://eprint.iacr.org/2025/1019)
* [Download](
https://eprint.iacr.org/2025/1019.pdf)
### Abstract
In a world where financial transactions are primarily performed or recorded online, protecting sensitive transaction details has become crucial. Roommates sharing housing costs or friends splitting travelling expenses may use applications such as
Splitwise to easily track debts and minimize the number of individual repayments. However, these apps reveal potentially sensitive financial transaction activity to their operators. In this paper, we present Silent Splitter, a privacy-preserving payment
splitting system which enables users to securely set up groups, perform transactions within those groups, and "settle up" without revealing group membership or any sensitive transaction details (such as the users involved or amount of money exchanged) to
the system itself. Silent Splitter operates in the two server setting and uses Distributed Point Functions (DPFs) to securely record transactions. Of independent interest, we also present new protocols for proving knowledge of properties of DPFs as part
of our system.
## 2025/1020
* Title: Separating Pseudorandom Codes from Local Oracles
* Authors: Nico Döttling, Anne Müller, Mahesh Sreekumar Rajasree
* [Permalink](
https://eprint.iacr.org/2025/1020)
* [Download](
https://eprint.iacr.org/2025/1020.pdf)
### Abstract
Pseudorandom codes (PRCs) are error-correcting codes with the distinguishing feature that their codewords are computationally indistinguishable from random strings. Introduced by Christ and Gunn (CRYPTO 2024), PRCs have found applications in areas such
as AI watermarking, where both robustness and pseudorandomness are essential. All known constructions of PRCs rely on coding-theoretic hardness assumptions. In this work, we study how inherent the use of coding-theoretic hardness is in the construction
of pseudorandom codes.
We show that there is no black-box construction of PRCs with binary alphabets capable of decoding from a constant fraction of Bernoulli noise from a class of oracles we call local oracles. The class of local oracles includes random oracles and trapdoor
permutation oracles, and can be interpreted as a meaningful notion of oracles that are not resilient against noise. Our separation result is cast in the Impagliazzo-Rudich framework and crucially relies on the Bonami-Beckner hypercontractivity theorem on
the Boolean hypercube.
As a complementary result, we show that PRCs with large alphabets that can tolerate high error rates can indeed be constructed in a black-box manner from one-way functions.
## 2025/1021
* Title: Black-Box Crypto is Useless for Pseudorandom Codes
* Authors: Sanjam Garg, Sam Gunn, Mingyuan Wang
* [Permalink](
https://eprint.iacr.org/2025/1021)
* [Download](
https://eprint.iacr.org/2025/1021.pdf)
### Abstract
A pseudorandom code is a keyed error-correction scheme with the property that any polynomial number of encodings appear random to any computationally bounded adversary. We show that the pseudorandomness of any code tolerating a constant rate of random
errors cannot be based on black-box reductions to almost any generic cryptographic primitive: for instance, anything that can be built from random oracles, generic multilinear groups, and virtual black-box obfuscation. Our result is optimal, as
Ghentiyala and Guruswami (2024) observed that pseudorandom codes tolerating any sub-constant rate of random errors exist using a black-box reduction from one-way functions.
The key technical ingredient in our proof is the hypercontractivity theorem for Boolean functions, which we use to prove our impossibility in the random oracle model. It turns out that this easily extends to an impossibility in the presence of "crypto
oracles," a notion recently introduced---and shown to be capable of implementing all the primitives mentioned above---by Lin, Mook, and Wichs (EUROCRYPT 2025).
## 2025/1022
* Title: Burn Your Vote: Decentralized and Publicly Verifiable Anonymous Voting at Scale
* Authors: Stefan Dziembowski, Shahriar Ebrahimi, Haniyeh Habibi, Parisa Hassanizadeh, Pardis Toolabi
* [Permalink](
https://eprint.iacr.org/2025/1022)
* [Download](
https://eprint.iacr.org/2025/1022.pdf)
### Abstract
Secure and trustworthy electronic voting requires more than correctness and censorship resistance, it must also ensure voter privacy, vote confidentiality, and protection against coercion. Prior work attempt to address these challenges using heavyweight
cryptographic primitives such as homomorphic encryption, time-lock puzzles, or multi-party computation. These approaches often involve complex computations, depend on trusted parties, and typically do not scale well. We propose a lightweight, fully on-
chain anonymous voting protocol based on a novel application of the proof-of-burn (PoB) mechanism. Voters anonymously commit to their votes by burning tokens to pseudorandom addresses and later submit zero-knowledge proofs attesting to their valid
participation. Our design achieves vote integrity, coercion resistance, and unlinkability without relying on encrypted ballots, trusted third parties, or centralized tallying. The tallying process is public and operates on plaintext votes that are
authenticated yet unlinkable to voters. This enables flexible voting models—including token-weighted and quadratic voting—with minimal on-chain overhead. We formally analyze the protocol’s security guarantees and demonstrate support for a broad
range of voting models. We implement the protocol as an open-source library fully compatible with the Ethereum Virtual Machine (EVM), and our experimental evaluation confirms its high scalability and improved efficiency compared to the state-of-the-art.
## 2025/1023
* Title: Universal Channel Rebalancing: Flexible Coin Shifting in Payment Channel Networks
* Authors: Stefan Dziembowski, Shahriar Ebrahimi, Omkar Gavhane, Susil Kumar Mohanty
* [Permalink](
https://eprint.iacr.org/2025/1023)
* [Download](
https://eprint.iacr.org/2025/1023.pdf)
### Abstract
Payment Channel Networks (PCNs) enhance blockchain scalability by enabling off-chain transactions. However, repeated unidirectional multi-hop payments often cause channel imbalance or depletion, limiting scalability and usability. Existing rebalancing
protocols, such as Horcrux [NDSS’25] and Shaduf [NDSS’22], rely on on-chain operations, which hinders efficiency and broad applicability.
We propose Universal Channel Rebalancing (UCRb), a blockchain-agnostic, fully off-chain framework that ensures correct behavior among untrusted participants without on-chain interaction.
UCRb incorporates the following core innovations:
(1) a fair and reliable incentive-compatible mechanism that encourages voluntary user participation in off-chain channel rebalancing,
(2) integration of Pedersen commitments to achieve atomic off-chain payments and rebalancing operations, while ensuring balance security, and
(3) zero-knowledge proofs to enable privacy-preserving channel initialization and coin shifting, ensuring that user identities and fund allocations remain hidden throughout the process.
We evaluate UCRb using real-world Lightning Network dataset and compare its performance against state-of-the-art solutions including Horcrux, Shaduf, and Revive [CCS'17].
UCRb exhibits a success ratio enhancement between 15% and 50%, while also reducing the required user deposits by 72%--92%. It maintains an almost negligible rate of channel depletion. Additionally, the long-term performance of UCRb is roughly 1.5 times
that of its short-term performance, suggesting that continuous operation leads to improved efficiency. We implement a prototype for UCRb smart contracts and demonstrate its practicality through extensive evaluation. As \texttt{CoinShift} operations
require no on-chain interaction, the protocol incurs minimal gas costs. For instance, opening and closing channels with 10 neighbors costs only 130K-160K gas—significantly lower than comparable solutions.
## 2025/1024
* Title: Towards Trustless Provenance: A Privacy-Preserving Framework for On-chain Media Verification
* Authors: Piotr Mikołajczyk, Parisa Hassanizadeh, Shahriar Ebrahimi
* [Permalink](
https://eprint.iacr.org/2025/1024)
* [Download](
https://eprint.iacr.org/2025/1024.pdf)
### Abstract
As generative models continue to evolve, verifying the authenticity, provenance, and integrity of digital media has become increasingly critical—particularly for domains like journalism, digital art, and scientific documentation.
In this work, we present a decentralized verifiable media ecosystem for managing, verifying, and transacting authentic digital media using zero-knowledge proofs (ZKPs).
Building on VIMz (Dziembowski et al., PETS'25), we extend the framework in three key directions. First, we generalize the model to support arbitrary image regions to achieve selective transformations support such as redaction and regional blurring—
features commonly required in privacy-preserving applications. Second, we introduce performance optimizations that yield up to an 18% improvement in off-chain proof generation, and enhance the framework to support cost-efficient on-chain verification.
Third, we design and implement a modular smart contract architecture to support a wide range of decentralized media applications.
As a flagship use case, we develop a decentralized media marketplace that enables permissionless licensing, ownership transfer, and verifiable attribution. In this setting, users can share transformed media—such as cropped, blurred, or resized previewsâ
€”alongside ZKPs that prove derivation from a signed original, eliminating the need to trust the seller.
Unlike prior fair exchange protocols, which rely on trusted descriptions or encrypted payload delivery, our system enables verifiable public previews and origin-bound proofs without revealing the full content. This approach unlocks new applications
beyond marketplaces, including automated infringement dispute resolution and photography contests with verifiable criteria.
## 2025/1025
* Title: Secure Noise Sampling for Differentially Private Collaborative Learning
* Authors: Olive Franzese, Congyu Fang, Radhika Garg, Somesh Jha, Nicolas Papernot, Xiao Wang, Adam Dziedzic
* [Permalink](
https://eprint.iacr.org/2025/1025)
* [Download](
https://eprint.iacr.org/2025/1025.pdf)
### Abstract
Differentially private stochastic gradient descent (DP-SGD) trains machine learning (ML) models with formal privacy guarantees for the training set by adding random noise to gradient updates. In collaborative learning (CL), where multiple parties jointly
train a model, noise addition occurs either (i) before or (ii) during secure gradient aggregation. The first option is deployed in distributed DP methods, which require greater amounts of total noise to achieve security, resulting in degraded model
utility. The second approach preserves model utility but requires a secure multiparty computation (MPC) protocol. Existing methods for MPC noise generation require tens to hundreds of seconds of runtime per noise sample because of the number of parties
involved. This makes them impractical for collaborative learning, which often requires thousands or more samples of noise in each training step.
We present a novel protocol for MPC noise sampling tailored to the collaborative learning setting. It works by constructing an approximation of the distribution of interest which can be efficiently sampled by a series of table lookups. Our method
achieves significant runtime improvements and requires much less communication compared to previous work, especially at higher numbers of parties. It is also highly flexible – while previous MPC sampling methods tend to be optimized for specific
distributions, we prove that our method can generically sample
noise from statistically close approximations of arbitrary discrete distributions. This makes it compatible with a wide variety of DP mechanisms. Our experiments demonstrate the efficiency and utility of our method applied to a discrete Gaussian
mechanism for differentially private collaborative learning. For 16 parties, we achieve a runtime of 0.06 seconds and 11.59 MB total communication per sample, a 230× runtime improvement and 3× less communication compared to the prior state-of-the-art
for sampling from discrete Gaussian distribution in MPC.
## 2025/1026
* Title: Malicious Security in Collaborative zk-SNARKs: More than Meets the Eye * Authors: Sanjam Garg, Aarushi Goel, Abhishek Jain, Bhaskar Roberts, Sruthi Sekar
* [Permalink](
https://eprint.iacr.org/2025/1026)
* [Download](
https://eprint.iacr.org/2025/1026.pdf)
### Abstract
Collaborative zk-SNARKs (Ozdemir and Boneh, USENIX’22) are a multiparty variant of zk-SNARKs where multiple, mutually distrustful provers, each holding a private input, jointly compute a zk-SNARK using their combined inputs. A sequence of works has
proposed efficient constructions of collaborative zk-SNARKs using a common template that involves designing secure multiparty computation (MPC) protocols to emulate a zk-SNARK prover without making non-black-box use of cryptography. To achieve security
against malicious adversaries, these works adopt compilers from the MPC literature that transform semi-honest MPC into malicious-secure MPC.
In this work, we revisit this design template.
• Pitfalls: We demonstrate two pitfalls in the template, which can lead to a loss of input privacy. We first show that it is possible to compute collaborative proofs on invalid witnesses, which in turn can leak the inputs of honest provers. Next, we
show that using state-of-the-art malicious security compilers as-is for proof computation is insecure, in general. Finally, we discuss mitigation strategies.
• Malicious Security Essentially for Free: As our main technical result, we show that in the honest-majority setting, one can forego malicious security checks performed by state-of-the-art malicious security compilers during collaborative proof
generation of several widely used zk-SNARKs. In other words, we can avoid the overheads of malicious security compilers, enabling faster proof generation.
To the best of our knowledge, this is the first example of non-trivial computations where semi-honest MPC protocols achieve malicious security. The observations underlying our positive results are general and may have applications beyond collaborative
zkSNARKs.
## 2025/1027
* Title: Parallel Repetition for Post-Quantum Arguments
* Authors: Andrew Huang, Yael Tauman Kalai
* [Permalink](
https://eprint.iacr.org/2025/1027)
* [Download](
https://eprint.iacr.org/2025/1027.pdf)
### Abstract
In this work, we show that parallel repetition of public-coin interactive arguments reduces the soundness error at an exponential rate even in the post-quantum setting. Moreover, we generalize this result to hold for threshold verifiers, where the
parallel repeated verifier accepts if and only if at least $t$ of the executions are accepted (for some threshold $t$). Prior to this work, these results were known only when the cheating prover was assumed to be classical.
We also prove a similar result for three-message private-coin arguments. Previously, Bostanci, Qian, Spooner, and Yuen (STOC 2024) proved such a parallel repetition result in the more general setting of quantum protocols, where the verifier and
communication may be quantum. We consider only protocols where the verifier is classical, but obtain a simplified analysis, and for the more general setting of threshold verifiers.
## 2025/1028
* Title: Group Key Progression: Strong Security for Shared Persistent Data
* Authors: Matilda Backendal, David Balbás, Miro Haller
* [Permalink](
https://eprint.iacr.org/2025/1028)
* [Download](
https://eprint.iacr.org/2025/1028.pdf)
### Abstract
End-to-end encryption allows data to be outsourced and stored on an untrusted server, such as in the cloud, without compromising data privacy. In the setting when this data is shared between a group of users, members also all share access to the same
static key material used for data encryption. When the group membership changes, access control is only enforced by the server: security breaches or compelled disclosure would allow even a removed member to decrypt the current shared data.
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)