Abstract. End-to-end encrypted applications protect user data by ensuring that user secrets are only available on client devices. However, if a user loses all of their devices, they need a way to recover their data using only a short password. To realize a password-based secret recovery system resilient to brute-force attacks, prior works relied on secure hardware or a few non-colluding servers. In this work, we take a conceptually different approach that distributes trust across the many clients already in the system, while using the server only as an orchestrator without relying on it for privacy. To achieve this, we design and implement Chorus, a secret recovery system that employs ephemeral committees, each consisting of approximately a thousand clients, to provide strong privacy with high scalability. Committees change frequently in Chorus, typically on the order of a few minutes, to severely limit an attacker’s ability to compromise clients on a committee. We design Chorus for unreliable, resource-constrained clients and show that the per-client overhead decreases as more clients join the system. Assuming each user performs recovery once a year, the expected per-client overhead in Chorus is under 30 s of computation on a mobile device and 13.2 MB of communication, both incurred only once every four months in a configuration with 100M clients, up to 50M of which may be offline and at most 10M may be compromised. To achieve this performance, we contribute two key techniques: (i) a password-based secret recovery scheme that confines expensive committee interactions to infrequent, latency-tolerant operations, and (ii) a non-interactive verifiable secret-sharing scheme that reduces client overhead by two orders of magnitude by delegating computation to the server.
Image showing part 2 of abstract.
Chorus: Secret Recovery with Ephemeral Client Committees (Deevashwer Rathee, Emma Dauterman, Allison Li, Raluca Ada Popa) ia.cr/2026/715
![Abstract. Polynomial commitment schemes (PCSs) are a fundamental cryptographic primitive that allows a prover to reveal evaluations for a committed polynomial. Motivated by the inefficiency of proof generation for large-scale computations as well as the concerns regarding third-party reliance and quantum threats, a line of recent works has focused on distributing code-based PCS, where the proving workload is distributed among multiple sub-provers to accelerate proof generation, while preserving transparent setup and plausible quantum resilience. However, for M sub-provers generating an evaluation proof for a polynomial of size N, existing solutions either require O(N) total communication among sub-provers, or incur an O(M) overhead in proof size.
In this paper, we introduce Veloz, a novel distribution framework for code-based multilinear PCS, which for the first time achieves communication cost sublinear in N, and eliminates the dependence of proof size on the number of sub-provers, without compromising proving speed or security. At its core is a customized proof aggregation method from interleaved code that efficiently combines sub-proofs via minimum communication. We further present two instantiations of Veloz: one based on Reed-Solomon code, Veloz_(RS), achieves $O(\frac{N}{M}\log{\frac{N}{\log{N}}})$ proving time, $O(\lambda \cdot \frac{\log^{2}{N}}{\log\log{N}} + M\cdot\frac{N}{\log{N}})$ communication, and $O(\lambda \cdot \frac{\log^{2}{N}}{\log\log{N}})$ proof size; the other based on the fast linear code from Brakedown (Golovnev et al., CRYPTO 2023), Veloz_(Lin), features $O(\frac{N}{M})$ proving time, $O(\lambda \cdot K + M\cdot\frac{N}{K})$ communication, and O(λ ⋅ K) proof size for $K \in [\sqrt[3]{N}, \sqrt{N}]$, while enjoying field agnosticity.
We also implement both schemes in Rust and conduct a comprehensive performance evaluation. The experimental results demonstrate their linear scalability with increasing M. More specifically, for N = 2³⁰ and M = 8, Veloz_(RS) takes 74.8s for proof generation, achieving a 5.18 × speedup compared to running a single prover, while Veloz_(Lin) generates a proof in 26.9s and achieves a 7.02 × speedup.](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:fwa55bujvdrwlwlwgqmmxmuf/bafkreifjbm63xdl3iu4c2wrpakbbikiqz7f3doljnkytvidops3qwc4dsq)
![Abstract. Designing cryptographic hash functions that simultaneously achieve high throughput and strong provable security remains a fundamental challenge in symmetric cryptography. Traditional constructions, such as the Merkle-Damgrd (MD) and SPONGE paradigms, inherently suffer from structural limitations: they either expose internal chaining values to length-extension attacks or impose a rigid trade-off between security (capacity) and efficiency (rate), bounding their architectural potential.
In this paper, we introduce the paradigm, a modular design principle that structurally decouples a hash function into two independent components with distinct security objectives: (1) a (VIL) compression component optimized for high-speed message absorption, requiring only collision resistance and multiple-preimage resistance; and (2) a (FIL) finalization component utilizing independent random permutations to ensure indifferentiability from a random oracle. This separation enables the VIL component to maximize processing throughput (approaching the full primitive width) while the FIL component provides robust randomness extraction, effectively mitigating length-extension attacks and achieving tight security bounds.
Leveraging this paradigm, we propose the , comprising two instantiations: (based on the JH iteration structure with wide-pipe design) and (utilizing dual parallel Cipher-Block-Chaining lanes). Both constructions employ pairwise distinct round permutations and achieve superior message processing rates compared to conventional SPONGE-based designs, with Rocket-2 delivering more than 2× the throughput of SHA3-512 for large messages.
For practical instantiation without requiring multiple independent cryptographic primitives, we present , a novel domain-separation technique that derives 2^(w) effectively independent round functions from a single large permutation using a counter-based input diversification. While backward queries introduce a heuristic assumption regarding preimage multiplicity (bounded by a negligible failure probability ≤ 2⁻⁵²⁶ for counter size w ≥ 64 and hash length 512 bits), we prove the construction remains sound for practical message lengths up to 2^(w − 8) blocks.
Finally, to formalize the security-efficiency trade-off, we propose (H.E.), a scale-invariant heuristic metric defined as the product of normalized security level and normalized processing rate. We demonstrate that conventional Merkle-Damgrd and SPONGE constructions exhibit H.E. values fundamentally bounded by 1/8, whereas the Rocket constructions achieve H.E. values approaching 1/4 (specifically, 0.227 for Rocket-2 with Keccak-p[1600]), thereby establishing a new Pareto frontier in hash function design.](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:fwa55bujvdrwlwlwgqmmxmuf/bafkreiehx43tzhmsz67ts3t63zosf4e3o5q2sugl2qo3xaesrmlpykqu4u)
