## In this issue

1. [2023/1409] Solving the Hidden Number Problem for CSIDH and ...
2. [2024/861] A new multivariate primitive from CCZ equivalence
3. [2025/993] Fully-Homomorphic Encryption from Lattice Isomorphism
4. [2025/1064] From Signature-Based Witness Encryption to RAM ...
5. [2025/1228] Quantum-Safe Hybrid Key Exchanges with KEM-Based ...
6. [2025/1283] Fast AVX-512 Implementation of the Optimal Ate ...
7. [2025/1287] Fault Injection Evaluation with Statistical ...
8. [2025/1314] THF: Designing Low-Latency Tweakable Block Ciphers
9. [2025/1321] Threshold Receipt-Free Voting with Server-Side Vote ...
10. [2025/1322] Generation of Fast Finite Field Arithmetic for ...
11. [2025/1323] Pairing-Based Batch Arguments for NP with a Linear- ...
12. [2025/1324] FPGA-Friendly Compact and Efficient AES-like 8x8 S-Box
13. [2025/1325] Revisiting the IPA-sumcheck connection
14. [2025/1326] New Techniques for Analyzing Differentials with ...
15. [2025/1327] Randomized Agreement, Verifiable Secret Sharing and ...
16. [2025/1328] Private Set Intersection and other Set Operations ...
17. [2025/1329] Cryptanalysis of a multivariate CCZ scheme
18. [2025/1330] Exploring Core Monomial Prediction Further: Weak- ...
19. [2025/1331] Constant-Cycle Hardware Private Circuits
20. [2025/1332] Technical Note: LeanSig for Post-Quantum Ethereum
21. [2025/1333] Policy-Based Redactable Set Signatures
22. [2025/1334] On the use of ECDSA with hierarchical public key ...
23. [2025/1335] A Compact Post-quantum Strong Designated Verifier ...
24. [2025/1336] Representations of Elementary Vectors in VOLE-in- ...
25. [2025/1337] $\textsf{Electrum}$: UC Fail-Stop Server-Supported ...
26. [2025/1338] Limits on the Power of Constrained PRFs and ...
27. [2025/1339] Breaking the Twinkle Authenticated Encryption ...
28. [2025/1340] Zelda: Efficient Multi-server Preprocessing PIR ...
29. [2025/1341] Practical Attack on All Parameters of the HPPC ...
30. [2025/1342] Simultaneous Diophantine Approximation for Compact ...
31. [2025/1343] A Hybrid Asymmetric Password-Authenticated Key ...
32. [2025/1344] Side-Channel Sensitivity Analysis on HQC: Towards a ...
33. [2025/1345] SLVer Bullet: Straight-Line Verification for ...
34. [2025/1346] Cryptanalysis of TFHE-friendly Cipher FRAST
35. [2025/1347] Public Traceability in Threshold Decryption
36. [2025/1348] The CRO Trilemma : a formal incompatibility between ...
37. [2025/1349] $\mathsf{HyperFond}$: A Transparent and Post- ...
38. [2025/1350] Rhyme: A Fiat-Shamir Lattice-based Signature with ...
39. [2025/1351] Revisiting the Generalized Birthday Problem and ...
40. [2025/1352] InsPIRe: Communication-Efficient PIR with Silent ...
41. [2025/1353] Introducing two ROS attack variants: breaking one- ...
42. [2025/1354] Shred-to-Shine Metamorphosis in Polynomial ...
43. [2025/1355] Unconditional Pseudorandomness against Shallow ...
44. [2025/1356] Group Signatures with Message-Dependent Opening ...
45. [2025/1357] How to Copy-Protect Malleable-Puncturable ...
46. [2025/1358] Domain-Oriented Masking Revisited: More Efficient ...
47. [2025/1359] Runtime Code Generation for Constant-Time Secret- ...
48. [2025/1360] Towards more secure constructions of private set ...
49. [2025/1361] Exploring Kaneko’s bound: On multi-edges, loops and ...
50. [2025/1362] Cryptanalysis of the best HFE-LL' Constructions
51. [2025/1363] Universally Composable Adaptor Signatures
52. [2025/1364] A Framework for Witness Encryption from Linearly ...

## 2023/1409

* Title: Solving the Hidden Number Problem for CSIDH and CSURF via Automated Coppersmith
* Authors: Jonas Meers, Julian Nowakowski
* [Permalink](https://eprint.iacr.org/2023/1409)
* [Download](https://eprint.iacr.org/2023/1409.pdf)

### Abstract

We define and analyze the Commutative Isogeny Hidden
Number Problem which is the natural analogue of the Hidden Number Problem in the CSIDH and CSURF setting. In short, the task is as follows: Given two supersingular elliptic curves \(E_A\), \(E_B\) and access to an oracle that outputs some of the most
significant bits of the \({\mathsf{CDH}}\) of two curves, an adversary must compute the shared curve \(E_{AB}={\mathsf{CDH}}(E_A,E_B)\).

We show that we can recover \(E_{AB}\) in polynomial time by using Coppersmith's method as long as the oracle outputs \({\frac{13}{24}} + \varepsilon \approx 54\%\) (CSIDH) and \({\frac{31}{41}} + \varepsilon \approx 76\%\) (CSURF) of the most
significant bits of the \({\mathsf{CDH}}\), where $\varepsilon > 0$ is an arbitrarily small constant. To this end, we give a purely combinatorial restatement of Coppersmith's method, effectively concealing the intricate aspects of lattice theory and
allowing for near-complete automation. By leveraging this approach, we attain recovery attacks with $\varepsilon$ close to zero within a few minutes of computation.



## 2024/861

* Title: A new multivariate primitive from CCZ equivalence
* Authors: Marco Calderini, Alessio Caminata, Irene Villa
* [Permalink](https://eprint.iacr.org/2024/861)
* [Download](https://eprint.iacr.org/2024/861.pdf)

### Abstract

Multivariate Cryptography is one of the candidates for Post-quantum Cryptography. Multivariate schemes are usually constructed by applying two secret affine invertible transformations $\mathcal S,\mathcal T$ to a set of multivariate polynomials $\mathcal{
F}$ (often quadratic). The polynomials $\mathcal{F}$ possess a trapdoor that allows the legitimate user to find a solution of the corresponding system, while the public polynomials $\mathcal G=\mathcal S\circ\mathcal F\circ\mathcal T$ look like random
polynomials. The polynomials $\mathcal G$ and $\mathcal F$ are said to be affine equivalent. In this article, we present a more general way of constructing a multivariate scheme by considering the CCZ equivalence, which has been introduced and studied in
the context of vectorial Boolean functions.



## 2025/993

* Title: Fully-Homomorphic Encryption from Lattice Isomorphism
* Authors: Pedro Branco, Giulio Malavolta, Zayd Maradni
* [Permalink](https://eprint.iacr.org/2025/993)
* [Download](https://eprint.iacr.org/2025/993.pdf)

### Abstract

The lattice isomorphism problem (LIP) asks, given two lattices $\Lambda_0$ and $\Lambda_1$, to decide whether there exists an orthogonal linear map from $\Lambda_0$ to $\Lambda_1$. In this work, we show that the hardness of (a circular variant of) LIP
implies the existence of a fully-homomorphic encryption scheme for all classical and quantum circuits. Prior to our work, LIP was only known to imply the existence of basic cryptographic primitives, such as public-key encryption or digital signatures.



## 2025/1064

* Title: From Signature-Based Witness Encryption to RAM Obfuscation: Achieving Blockchain-Secured Cryptographic Primitives
* Authors: Lev Stambler
* [Permalink](https://eprint.iacr.org/2025/1064)
* [Download](https://eprint.iacr.org/2025/1064.pdf)

### Abstract

Goyal and Goyal demonstrated that extractable witness encryption, when combined with smart-contract equipped proof-of-stake blockchains, can yield powerful cryptographic primitives such as one-time programs and pay-to-use programs. However, no standard
model construction for extractable witness encryption is known, and instantiations from alternatives like indistinguishability obfuscation are highly inefficient.

This paper circumvents the need for extractable witness encryption by combining signature-based witness encryption (Döttling et al.) with witness encryption for KZG commitments (Fleischhacker et al.). Inspired by Goyal et al., we introduce $T+1$-
Extractable Witness Encryption for Blockchains ($T+1$-eWEB), a novel primitive that encrypts a secret, making its decryption contingent upon the subsequent block's state. Leveraging $T+1$-eWEBs, we then build a conditional one-time memory, leading to a $
T+1$ one-time program ($T+1$-OTP) also conditional on the next block state. Finally, using our $T+1$-OTP, we develop a conditional RAM obfuscation scheme where program execution can be contingent on the blockchain state, thereby enabling applications
like pay-to-use programs.

Despite its theoretical value, our construction is impractical due to a "bit-by-bit" signing requirement for the state root and an inefficient method for storing validator keys. We thus posit the construction of a practical $T+1$-OTP as a significant
open problem. This work provides the first theoretical pathway for building such primitives without extractable witness encryption, representing a novel step for blockchain-secured cryptography.



## 2025/1228

* Title: Quantum-Safe Hybrid Key Exchanges with KEM-Based Authentication
* Authors: Christopher Battarbee, Christoph Striecks, Ludovic Perret, Sebastian Ramacher, Kevin Verhaeghe
* [Permalink](https://eprint.iacr.org/2025/1228)
* [Download](https://eprint.iacr.org/2025/1228.pdf)

### Abstract

Authenticated Key Exchange (AKE) between any two entities is one of the most important security protocols available for securing our digital networks and infrastructures. In PQCrypto 2023, Bruckner, Ramacher and Striecks proposed a novel hybrid AKE (HAKE)
protocol dubbed Muckle+ that is particularly useful in large quantum-safe networks consisting of a large number of nodes. Their protocol is hybrid in the sense that it allows key material from conventional, post-quantum, and quantum cryptography
primitives to be incorporated into a single end-to-end authenticated shared key.

To achieve the desired authentication properties, Muckle+ utilizes post-quantum digital signatures. However, available instantiations of such signatures schemes are not yet efficient enough compared to their post-quantum key-encapsulation mechanism (KEM)
counterparts, particularly in large networks with potentially several connections in a short period of time.

To mitigate this gap, we propose Muckle# that pushes the efficiency boundaries of currently known HAKE constructions. Muckle# uses post-quantum key-encapsulating mechanisms for implicit authentication inspired by recent works done in the area of
Transport Layer Security (TLS) protocols, particularly, in KEMTLS (CCS'20).

We port those ideas to the HAKE framework and develop novel proof techniques on the way. Due to our KEM-based approach, the resulting protocol has a slightly different message flow compared to prior work that we carefully align with the HAKE framework
and which makes our changes to Muckle+ non-trivial. Lastly, we evaluate the approach by a prototypical implementation and a direct comparison with Muckle+ to highlight the efficiency gains.



## 2025/1283

* Title: Fast AVX-512 Implementation of the Optimal Ate Pairing on BLS12-381
* Authors: Hao Cheng, Georgios Fotiadis, Johann Großschädl, Daniel Page
* [Permalink](https://eprint.iacr.org/2025/1283)
* [Download](https://eprint.iacr.org/2025/1283.pdf)

### Abstract

Non-degenerate bilinear maps on elliptic curves, commonly referred to as pairings, have many applications including short signature schemes, zero-knowledge proofs and remote attestation protocols. Computing a state-of-the-art pairing at the $128$-bit
security level, such as the optimal ate pairing over the curve BLS12-381, is very costly due to the high complexity of some of its sub-operations: most notable are the Miller loop and final exponentiation. In the past ten years, a few optimized pairing
implementations have been introduced in the literature, but none of those took advantage of the vector (SIMD) extensions of state-of-the-art Intel and AMD CPUs, especially AVX-512; this is surprising, because doing so offers the potential to reach
significant speed-ups. Consequently, the questions of 1) how computation of the optimal ate pairing can be effectively vectorized, and 2) what execution time such a vectorized implementation can achieve are still open. This paper addresses said questions
by introducing a carefully-optimized AVX-512 implementation of the optimal ate pairing on BLS12-381. A central feature of the implementation is the use of $8$-way Integer Fused Multiply-Add (IFMA) instructions, which are capable to execute eight $52 \
times 52$-bit multiplications in a SIMD-parallel fashion. We introduce new vectorization strategies and describe optimizations of existing ones to speed up arithmetic operations in the extension fields $\mathbb{F}_{p^4}$, $\mathbb{F}_{p^6}$, and $\mathbb{
F}_{p^{12}}$ as well as certain higher-level functions. Furthermore, we discuss some parallelization bottlenecks and how they impact execution time. We benchmarked our pairing software, which we call avxbls, on an Intel Core i3-1005G1 ("Ice Lake") CPU
and found that it needs $1,265,314$ clock cycles (resp. $1,195,236$ clock cycles) for the full pairing, with the Granger-Scott cyclotomic squaring (resp. compressed cyclotomic squaring) being used in the final exponentiation. For comparison, the non-
vectorized (i.e., scalar) x64 assembly implementation from the widely-used blst library has an execution time of $2,351,615$ cycles, which is $1.86$ times (resp. $1.97$ times) slower. avxbls also outperforms Longa's implementation (CHES 2023) by almost
the same factor. The practical importance of these results is amplified by Intel's recent announcement to support AVX10, which includes IFMA instructions, in all future CPUs.



## 2025/1287

* Title: Fault Injection Evaluation with Statistical Analysis - How to Deal with Nearly Fabricated Large Circuits
* Authors: Felix Uhle, Nicolai Müller, Amir Moradi
* [Permalink](https://eprint.iacr.org/2025/1287)
* [Download](https://eprint.iacr.org/2025/1287.pdf)

### Abstract

A critical aspect of securing cryptographic hardware is their resistance to FI attacks, which involve the successful injection of faults into the system in operation. Specifically, a hardware design must be resilient to well-established fault injection
techniques, including voltage or clock glitching, laser fault injections, and the more recently introduced EMFI. Ideally, the protection level must be verified before the chip is fabricated.
Although initial efforts to verify the resistance of hardware designs against fault injection have been made, analyzing the security of practical designs with realistic gate counts under fault injections that affect multiple gates or the entire circuit
state remains a significant challenge. This scenario, however, is considered more realistic than assessing resistance to a fixed, relatively small number of faults.

In this work, we introduce FIESTA, a versatile automated framework for analyzing the resistance of hardware circuits under the general random fault model. By leveraging a non-exhaustive approach, FIESTA is capable of evaluating larger designs compared to
state-of-the-art tools, while maintaining a reasonable level of confidence. FIESTA supports various adversary models, allowing customized resistance analysis against specific adversaries. In particular, we present a concrete procedure for evaluating more
realistic precise adversaries, based on practical observations. Using FIESTA, we assessed the resistance of several (protected) AES cores.



## 2025/1314

* Title: THF: Designing Low-Latency Tweakable Block Ciphers
* Authors: Jianhua Wang, Tao Huang, Guang Zeng, Tianyou Ding, Shuang Wu, Siwei Sun
* [Permalink](https://eprint.iacr.org/2025/1314)
* [Download](https://eprint.iacr.org/2025/1314.pdf)

### Abstract

We introduce a concrete instance of the LRW+ paradigm: the Three-Hash Framework (THF), a mode for constructing tweakable block ciphers that employs three hash functions to process tweak inputs. Through a general practical cryptanalysis of THF in both
single-tweak and multiple-tweak settings, and by comparing it with two representative modes, 4-LRW1 and 2-LRW2, we demonstrate that THF has the potential to achieve lower latency due to its more balanced resistance to both single- and multiple-tweak
attacks.
Based on this framework, we design Blink, a family of tweakable block ciphers specifically optimized for minimal latency. The hash functions in Blink were carefully chosen to align with the low-latency requirements, ensuring both efficiency and strong
security. A thorough cryptanalysis of Blink is provided, with an emphasis on its resistance to multiple-tweak attacks.
Finally, hardware evaluations highlight the exceptional low-latency performance of Blink, distinguishing it as one of the most efficient tweakable block ciphers.



## 2025/1321

* Title: Threshold Receipt-Free Voting with Server-Side Vote Validation
* Authors: Thi Van Thao Doan, Olivier Pereira, Thomas Peters
* [Permalink](https://eprint.iacr.org/2025/1321)
* [Download](https://eprint.iacr.org/2025/1321.pdf)

### Abstract

Proving the validity of ballots is a central element of verifiable elections. Such proofs can however create challenges when one desires to make a protocol receipt-free.
We explore the challenges raised by validity proofs in the context of protocols where threshold receipt-freeness is obtained by secret sharing an encryption of a vote between multiple authorities.
In such contexts, previous solutions verified the validity of votes by decrypting them after passing them through a mix-net. This approach however creates subtle privacy risks, especially when invalid votes leak structural patterns that threaten receipt-
freeness.
We propose a different approach of threshold receipt-free voting in which authorities re-randomize ballot shares then jointly compute a ZK proof of ballot validity before letting the ballots enter a (possibly homomorphic) tallying phase. Our approach
keeps the voter computational costs limited while offering verifiability and improving the ballot privacy of previous solutions.
We present two protocols that enable a group of servers to verify and publicly prove that encrypted votes satisfy some validity properties: Minimix, which preserves prior voter-side behavior with minimal overhead, and Homorand, which requires voters to
submit auxiliary data to facilitate validation over large vote domains. We show how to use our two protocols within a threshold receipt-free voting framework. We provide formal security proofs and efficiency analyses to illustrate trade-offs in our
designs.



## 2025/1322

* Title: Generation of Fast Finite Field Arithmetic for Cortex-M4 with ECDH and SQIsign Applications
* Authors: Felix Carvalho Rodrigues, Décio Gazzoni Filho, Gora Adj, Isaac A. Canales-Martínez, Jorge Chávez-Saab, Julio López, Michael Scott, Francisco Rodríguez-Henríquez
* [Permalink](https://eprint.iacr.org/2025/1322)
* [Download](https://eprint.iacr.org/2025/1322.pdf)

### Abstract

Finite field arithmetic is central to several cryptographic algorithms on embedded devices like the ARM Cortex-M4, particularly for elliptic curve and isogeny-based cryptography. However, rapid algorithm evolution, driven by initiatives such as NIST’s
post-quantum standardization, might frequently render hand-optimized implementations obsolete.
We address this challenge with m4-modarith, a library generating C code with inline assembly for the Cortex-M4 that rivals custom-tuned assembly,
enabling agile development in this ever-changing landscape.
Our generated modular multiplications obtains fast performances, competitive with hand-optimized assembly implementations published in the literature, even outperforming some of them for Curve25519.
Two contributions are pivotal to this success.
First, we introduce a novel multiplication strategy that matches the memory access complexity of the operand caching method while being applicable to a larger cache size for Cortex-M4 implementations. Second, we generalize an efficient pseudo-Mersenne
reduction strategy, and formally prove its correctness and applicability for most primes of cryptographic interest.
Our generator allowed agile optimization of SQIsign’s NIST PQC Round 2 submission, improving level 1 verification from 123 Mcycles to only 54 Mcycles, a $2.3\times$ speedup.
As an additional case study, we use our generator to improve performance of portable implementations of RFC~7748 by up to $2.2\times$.



## 2025/1323

* Title: Pairing-Based Batch Arguments for NP with a Linear-Size CRS
* Authors: Binyi Chen, Noel Elias, David J. Wu
* [Permalink](https://eprint.iacr.org/2025/1323)
* [Download](https://eprint.iacr.org/2025/1323.pdf)

### Abstract

Non-interactive batch arguments (BARGs) for NP allow a prover to prove $\ell$ NP statements with a proof whose size scales sublinearly with $\ell$. In this work, we construct a pairing-based BARG where the size of the common reference string (CRS) scales
linearly with the number of instances and the prover's computational overhead is quasi-linear in the number of instances. Our construction is fully black box in the use of the group. Security relies on a $q$-type assumption in composite-order pairing
groups.

The best black-box pairing-based BARG prior to this work has a nearly-linear size CRS (i.e., a CRS of size $\ell^{1 + o(1)}$) and the prover overhead is quadratic in the number of instances. All previous pairing-based BARGs with a sublinear-size CRS
relied on some type of recursive composition and correspondingly, non-black-box use of the group. The main technical insight underlying our construction is to substitute the vector commitment in previous pairing-based BARGs with a polynomial commitment.
This yields a scheme that does not rely on cross terms in the common reference string. In previous black-box pairing-based schemes, the super-linear-size CRS and quadratic prover complexity was due to the need for cross terms.



## 2025/1324

* Title: FPGA-Friendly Compact and Efficient AES-like 8x8 S-Box
* Authors: Ahmet Malal, Cihangir Tezcan
* [Permalink](https://eprint.iacr.org/2025/1324)
* [Download](https://eprint.iacr.org/2025/1324.pdf)

### Abstract

One of the main layers in the Advanced Encryption Standard (AES) is the substitution layer, where an $8 \times 8$ S-Box is used $16$ times. The substitution layer provides confusion and makes the algorithm resistant to cryptanalysis techniques.
Therefore, the security of the algorithm is also highly dependent on this layer. However, the cost of implementing $8 \times 8$ S-Box on FPGA platforms is considerably higher than other layers of the algorithm. Since S-Boxes are repeatedly used in the
algorithm, the cost of the algorithm highly comes from the substitution layer. In 2005, Canright used different extension fields to represent AES S-Box to get FPGA-friendly compact designs. The best optimization proposed by Canright reduced the gate-area
of the AES S-Box implementation by $20\%$.

In this study, we use the same optimization methods that Canright used to optimize AES S-Box on hardware platforms. Our purpose is not to optimize AES S-Box; we aim to create another $8 \times 8$ S-Box which is strong and compact enough for FPGA
platforms. We create an $8 \times 8$ S-Box using the inverse field operation as in the case of AES S-Box. We use another irreducible polynomial to represent the finite field and get an FPGA-friendly compact and efficient $8 \times 8$ S-Box. The finite
field we propose provides the same level of security against cryptanalysis techniques with a $3.125\%$ less gate-area on Virtex-7 and Artix-7 FPGAs compared to Canright’s results. Moreover, our proposed S-Box requires $11.76\%$ less gate on Virtex-4
FPGAs. These gate-area improvements are beneficial for resource-constraint IoT devices and allow more copies of the S-Box for algorithm parallelism. Therefore, we claim that our proposed S-Box is more compact and efficient than AES S-Box. Cryptographers
who need an $8 \times 8$ S-Box can use our proposed S-Box in their designs instead of AES S-Box with the same level of security but better efficiency.



## 2025/1325

* Title: Revisiting the IPA-sumcheck connection
* Authors: Liam Eagen, Ariel Gabizon
* [Permalink](https://eprint.iacr.org/2025/1325)
* [Download](https://eprint.iacr.org/2025/1325.pdf)

### Abstract

Inner Product Arguments (IPA) [BCC+16,BBB+17] are a family of proof systems with $O(\log n)$ sized proofs, $O(n)$ time verifiers, and transparent setup.
Bootle, Chiesa and Sotiraki [BCS21] observed that an IPA can be viewed as a sumcheck protocol [LFKN92] where the summed polynomial is allowed to have coefficients in a group rather than a field. We leverage this viewpoint to improve the performance of
multi-linear polynomial commitments based on IPA.
Specifically,
- We introduce a simplified variant of Halo-style accumulation that works for multilinear evaluation claims, rather than only univariate ones as in [BGH19,BCMS20].
- We show that the size $n$ MSM the IPA verifier performs can be replaced by a ``group variant'' of $\mathsf{basefold}$[ZCF23].
This reduces the verifier complexity from $O(n)$ to $O_{\lambda}(\log^2 n)$ time at the expense of an additional $4n$ scalar multiplications for the IPA prover.



## 2025/1326

* Title: New Techniques for Analyzing Differentials with Application to AES
* Authors: Itai Dinur
* [Permalink](https://eprint.iacr.org/2025/1326)
* [Download](https://eprint.iacr.org/2025/1326.pdf)

### Abstract

Differential cryptanalysis is one of the most powerful attacks on modern block ciphers. After many year of research, we have very good techniques for showing that the probability that an input difference leads to an output difference (i.e., the
probability of a differential) is either significantly higher, or lower than expected, and such large deviations lead to attacks.

On the other hand, modern techniques cannot estimate with high accuracy the probability of a differential that spans many rounds of the cipher. Therefore, these techniques are sufficient to argue only limited resistance against differential cryptanalysis.

In particular, for the AES, Keliher and Sui proved in 2005 that any 4-round differential has probability at most (about) $2^{-114}$, under the assumption that the round-keys are chosen independently. This establishes limited security arguments against
classical differential cryptanalysis. Stronger bounds are only known when considering thousands of AES rounds, whereas at most 14 rounds are used in practice by AES-256.

In this paper, we propose new techniques for estimating the probability of a differential under the assumption that the round-keys of the cipher are chosen independently. We apply our techniques to AES, and show that the probability of every differential
in 8-round AES is within an additive factor of $2^{-128} \cdot \frac{1}{50}$ from the expected value of $\frac{1}{2^{128} - 1}$.

We further apply our techniques to prove that 8-round AES is at most $2^{-18}$-close to a pairwise independent permutation, while 40-round AES is at most $2^{-135}$-close. The latter result improves upon the work of Liu, Tessaro and Vaikuntanathan [
CRYPTO 2021], who proved a similar bound for 9000-round AES.

To obtain our results, we develop and adapt a variety of techniques for analyzing differentials using functional analysis. We expect these techniques to be useful for analyzing differentials in additional block ciphers besides the AES.



## 2025/1327

* Title: Randomized Agreement, Verifiable Secret Sharing and Multi-Party Computation in Granular Synchrony
* Authors: Ananya Appan, David Heath, Ling Ren
* [Permalink](https://eprint.iacr.org/2025/1327)
* [Download](https://eprint.iacr.org/2025/1327.pdf)

### Abstract

Granular Synchrony (Giridharan et al. DISC 2024) is a new network model that unifies the classic timing models of synchrony and asynchrony.
The network is viewed as a graph consisting of a mixture of synchronous, eventually synchronous, and asynchronous communication links. It has been shown that Granular Synchrony allows deterministic Byzantine agreement protocols to achieve a corruption
threshold in between complete synchrony and complete asynchrony if and only if the network graph satisfies the right condition, namely, that no two groups of honest parties of size $n-2t$ can be partitioned from each other.

In this work, we show that the same network condition is also tight for Agreement on a Common Subset (ACS), Verifiable Secret Sharing (VSS), and secure Multi-Party Computation (MPC) with guaranteed output delivery, when the corruption threshold is
between one-third and one-half. Our protocols are randomized and assume that all links are either synchronous or asynchronous. %(no partially synchronous links are needed).
Our ACS protocol incurs an amortized communication cost of $O(n^3\lambda)$ bits per input, and our VSS and MPC protocols incur amortized communication costs of $O(n^3)$ and $O(n^4)$ field elements per secret and per multiplication gate, respectively. To
design our protocols, we also construct protocols for Reliable Broadcast and Externally Valid Byzantine Agreement (EVBA), which are of independent interest.



## 2025/1328

* Title: Private Set Intersection and other Set Operations in the Third Party Setting
* Authors: Foo Yee Yeo, Jason H. M. Ying
* [Permalink](https://eprint.iacr.org/2025/1328)
* [Download](https://eprint.iacr.org/2025/1328.pdf)

### Abstract

We present a collection of protocols to perform privacy-preserving set operations in the third-party private set intersection (PSI) setting. This includes several protocols for multi-party third party PSI. In this model, there are multiple input parties (
or clients) each holding a private set of elements and the receiver is an external party (termed as third-party) with no inputs. Multi-party third party PSI enables the receiver to learn only the intersection result of all input clients' private sets
while revealing nothing else to the clients and the receiver. Our solutions include constructions that are provably secure against an arbitrary number of colluding parties in the semi-honest model. Additionally, we present protocols for third-party
private set difference and private symmetric difference, whereby the learned output by the inputless third-party is the set difference and symmetric difference respectively of two other input parties, while preserving the same privacy guarantees. The
motivation in the design of these protocols stems from their utilities in numerous real-world applications. We implemented our protocols and conducted experiments across various input and output set sizes.



## 2025/1329

* Title: Cryptanalysis of a multivariate CCZ scheme
* Authors: Alessio Caminata, Elisa Gorla, Madison Mabe, Martina Vigorito, Irene Villa
* [Permalink](https://eprint.iacr.org/2025/1329)
* [Download](https://eprint.iacr.org/2025/1329.pdf)

### Abstract

We consider the multivariate scheme $\texttt{Pesto}$, which was introduced by Calderini, Caminata, and Villa. In this scheme, the public polynomials are obtained by applying a CCZ transformation to a set of quadratic secret polynomials. As a consequence,
the public key consists of polynomials of degree $4$.
In this work, we show that the public degree $4$ polynomial system can be efficiently reduced to a system of quadratic polynomials. This seems to suggest that the CCZ transformation may not offer a significant increase in security, contrary to what was
initially believed.



## 2025/1330

* Title: Exploring Core Monomial Prediction Further: Weak-Key Superpoly Recovery for 852-Round Trivium
* Authors: Jiahui He, Kai Hu, Guowei Liu
* [Permalink](https://eprint.iacr.org/2025/1330)
* [Download](https://eprint.iacr.org/2025/1330.pdf)

### Abstract


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)