Papers updated in last 7 days (66 results)
Icy-DVRF: A Distributed Verifiable Random Function based on FROST signatures
Unbiased and unpredictable randomness is a cornerstone of Web3 security, underpinning everything from consensus protocols to DeFi logic. Although Distributed Verifiable Random Functions (DVRFs) eliminate central points of failure, current designs often have to compromise performance. Most existing protocols are hindered by one of three limitations: proofs that scale linearly with the number of participants, high computational cost of bilinear pairings, or latency introduced by mandatory interactive steps during generation. In this work, we present Icy-DVRF, a protocol that improves DVRFwCP by employing a preprocessing scheme similar to FROST to reduce the number of interaction rounds among participants and lowering the additional communication cost from $O(n^2 t)$ to $O(t)$ while maintaining constant-size proofs. The downside of our construction is that, relative to DDH-DVRF and GLOW-DVRF, this approach incurs an additional off-chain communication round due to the threshold structure of our non-interactive zero-knowledge proof. This architecture ensures that verification costs remain low, regardless of the set of participants. While theoretical estimates suggest verification costs of approximately one quarter of those of standard designs, our empirical benchmarks on the Sepolia testnet, utilizing the EIP-2537: Precompile for BLS12-381 curve operations, confirm that Icy-DVRF requires only 88,803 gas for full execution. This represents a significant 43.02\% reduction in total gas consumption compared to existing pairing-based constructions, saving 67,035 gas per on-chain verification. Off-chain, eliminating DVRFwCP's Augmented Secure-DKG round yields a per-node speedup ranging from a factor of $1.46$ at $(n,t)=(5,3)$ to a factor of $4.43$ at $(n,t)=(50,34)$.
Mosaic: Practical Malicious Security for Garbled Circuits on Bitcoin
Bitcoin's scripting language cannot verify arbitrary computation natively, yet applications such as trust-minimized bridges depend on this capability. Recent techniques employ garbled circuits: the prover commits off chain to a garbled circuit encoding a verifier, designed so that evaluating it on an invalid witness reveals a secret. Posting that secret on chain serves as a fraud proof, allowing the verifier to claim the prover's stake without any on-chain computation. To evaluate the garbled circuit and recover the secret, the verifier needs the prover's input labels, which the prover must post on chain. Since Bitcoin charges permanently for block space, minimizing this on-chain footprint is a primary design concern. Achieving malicious security via cut-and-choose compounds this: the prover must produce multiple independently garbled copies of the circuit, requiring one set of labels per copy.
We present Mosaic, a protocol that achieves malicious security via cut-and-choose but reduces the on-chain footprint so that it is independent of the number of garbled copies. The key technique, first introduced by Eagen (Glock, 2025) in this setting, is polynomial label correlation: labels across all $N$ garbled copies are arranged as evaluations of a degree-$t$ polynomial, so the $t$ shares revealed during cut-and-choose fall one short of the reconstruction threshold. We use adaptor signatures to arrange that the prover's on-chain witness commitment reveals the missing share as a byproduct; the evaluator then reconstructs labels for all unchallenged copies by interpolation. We sketch why Mosaic is secure against a malicious prover and verifier and instantiate it for trust-minimized Bitcoin bridging with a Groth16 verifier circuit, a full protocol specification, and a Rust implementation.
Minimizing Mempool Dependency in PoW Mining on Blockchain: A Paradigm Shift with Compressed Block Representation for Enhanced Scalability, Decentralization and Security.
While existing Proof-of-Work (PoW) based blockchain protocols have demonstrated innovative potential, they face inherent limitations regarding scalability, efficiency, and decentralization. The compact block propagation method, though effective in reducing network bandwidth and propagation delay in ideal environments, suffers from performance degradation due to mempool inconsistencies among nodes. This paper proposes a novel block propagation and consensus protocol that mitigates the blockchain's dependency on mempool synchronization. The proposed approach redefines the PoW process to shorten the time to consensus despite increased block sizes. Specifically, it includes a compressed transaction input ID list within the compact block to induce nodes to immediately begin mining without full verification. The full verification of transactions adopts a 'delayed verification' method, performed in parallel with the mining operation. This study enables the processing of more transactions quickly while maintaining the decentralization and security of Bitcoin (e.g., achieving approximately 66.7 TPS with 10MB blocks).
DLFA: Deep Learning based Fault Analysis against Block Ciphers
The proliferation of embedded cryptographic devices in the Internet of Things (IoT) ecosystem has elevated the importance of physical security assessments. Although traditional Fault Analysis (FA) methods exhibit significant effectiveness in cryptographic key recovery, their practical application is heavily constrained by rigid mathematical requirements, the demand for precise physical fault injection, and a sensitivity to measurement noise. To address these limitations, this paper proposes Deep Learning-based Fault Analysis (DLFA), a comprehensive attack framework. By decomposing cryptanalysis into tailored feature engineering and neural network classification, DLFA successfully unifies four prominent fault models (i.e., Differential (DFA), Statistical (SFA), Statistical Ineffective (SIFA), and Persistent Fault Analysis (PFA)) under a single data-driven paradigm. Extensive physical evaluations on the SAKURA-G FPGA implementing AES-128 demonstrate that DLFA reduces the data complexity and computational time overhead compared to classical algebraic solvers. More crucially, DLFA exhibits sustained analytical stability against severe physical injection noise, relaxing the stringent hardware requirements for attackers. Finally, we employ the Integrated Gradients (IG) principle to conduct a quantitative attribution analysis, proving that the neural networks autonomously learn valid cryptographic leakages rather than overfitting to experimental artifacts.
Fast cube roots in Fp2 via the algebraic torus
Computing cube roots in quadratic extensions of finite fields is a subroutine that arises in elliptic-curve point decompression, hash-to curve and isogeny-based protocols. While the factorization $p^2 −1 = (p−1)(p+ 1)$ suggests a known subgroup decomposition, implementing the cube root via separate operations in the two subgroups does not beat a direct $\mathbb{F}_{p^2}$ exponentiation in practice. We propose a carefully engineered algorithm that reduces the $\mathbb{F}_{p^2}$ cube root to a single $\mathbb{F}_p$ addition chain and a single Lucas sequence in the algebraic torus $\mathbb{T}_2(\mathbb{F}_p)$. The algorithm works directly for any prime $p \equiv 1 \pmod 3$ (and more generally whenever $p \not \equiv 8 \pmod 9$), which covers all primes arising in practice. We prove correctness in all residuosity cases and implement the algorithm in Go. Benchmarks on six primes spanning pairing-based and isogeny-based cryptography show 1.6–2.3$\times$ speed-ups over direct (addition chain) exponentiations in $\mathbb{F}_{p^2}$.
Weighted Cryptography with Weight-Independent Complexity
Cryptographic primitives involving multiple participants, such as secure multiparty computation (MPC), threshold signatures, and threshold encryption, are typically designed under the assumption that at least a threshold number of participants remain honest and non-colluding. However, many real-world applications require more expressive access structures beyond simple thresholds. A prominent example is the weighted threshold access structure, where each party is assigned a weight and security holds as long as the total weight of corrupted parties does not exceed a specified threshold.
Despite the practical relevance of such access structures, our understanding of efficient constructions supporting them remains limited. For instance, existing approaches for weighted MPC and weighted threshold encryption incur costs that scale with the total assigned weights to all parties or rely on non-black-box use of cryptography.
In this work, we present the first black-box constructions of the following weighted cryptosystems with weight-independent complexity in the trusted setup model: (i) a weighted MPC protocol with guaranteed output delivery, (ii) a semi-honest weighted threshold encryption scheme and (iii) a semi-honest weighted threshold Schnorr signature scheme.
At the heart of our constructions is a new succinct computational secret sharing scheme with linear homomorphism for weighted threshold access structures. We provide two concrete instantiations of this primitive, based on the Decisional Composite Residuosity (DCR) assumption and the Learning With Errors (LWE) assumption, respectively. Furthermore, our constructions extend to any general access structure that can be represented efficiently as a monotone Boolean circuit.
Divide-and-Pair: Faster subgroup membership testing for elliptic curves
Subgroup membership testing (SMT) on an elliptic curve with non-trivial cofactor is essential to prevent small-subgroup attacks in cryptographic protocols. In the existing literature, there exist two non-trivial methods for SMT on elliptic curves with modest cofactor (typically a power of $2$): Pornin's approach tests membership by repeatedly dividing by prime divisors of the cofactor (mostly halving), finishing with a Legendre symbol; Koshelev's approach replaces all divisions with Tate pairings (possibly in the quadratic extension of the base field), but requires non-degeneracy conditions that are not always met. In this paper, we observe that both approaches sit at the extremes of a single division-pairing trade-off. The resulting method, \mainalgorithm, is always at least as fast as either Pornin's or Koshelev's method and strictly faster in many cases. We instantiate \mainalgorithm on five curves in widespread use, including Curve25519, Curve448, GC256A, Four$\mathbb{Q}$ and Jubjub. Our Go implementation, built on the open-source \texttt{gnark-crypto} library, achieves significant speedups over state-of-the-art tests, namely of $1.6\times$ on Curve25519, $1.3\times$ on Curve448, $1.4\times$ on GC256A, $10.8\times$ on Four$\mathbb{Q}$ and $7\times$ on Jubjub.
Boolean Arithmetic over $\mathbb{F}_2$ from Group Commutators
This paper studies efficient realizations of arithmetic over the binary field $\mathbb{F}_2$ in nonabelian groups using only intrinsic group operations, namely multiplication and inversion. The constructions rely on commutators to implement Boolean computation within the group structure. Two complementary approaches are presented: a realization of a universal Boolean gate (NAND) and direct realizations of the field operations XOR and AND. These approaches apply to finite nonabelian simple groups and can be implemented using a small number of group operations. Explicit realizations are provided in the alternating groups $A_5$ and $A_6$. For the smallest nonabelian simple group $A_5$, these constructions achieve state-of-the-art efficiency in the number of group operations.
Practical Fair Data Exchange without In-Circuit Public-Key Operations
Fair data exchange (FDE) lets a seller receive payment if and only if the
buyer obtains the committed data, and its most practical realizations reduce
the task to verifiable encryption under committed key (VECK) over a
Reed--Solomon-coded file with Fiat--Shamir sampling. In the state-of-the-art
code-based scheme, however, proving is dominated not by the file but by a
size-independent constant: in-circuit ElGamal operations tie the sampled
ciphertexts to the commitment, and the resulting elliptic-curve gadgets both
inflate the circuit and force the proving system onto a slow two-chain inner
curve whose key verification is expensive to settle on-chain. We eliminate
these ciphertexts---and with them every in-circuit public-key operation. In
our construction the polynomial commitment itself certifies sample--file
consistency: a KZG subset-consistency check and a single evaluation opening,
exposed only as a group element, tie the sample to the committed file, while
a lightweight commit-and-prove SNARK certifies only field-arithmetic masking
and interpolation relations. We prove security in the algebraic group model
and random oracle model under discrete-logarithm-type computational assumptions,
dropping the DDH and DCR assumptions of prior VECK schemes. The circuit
shrinks by about \(20\times\) and the prover runs directly on BLS12-381: for
\(2^{17}\)-element files, cryptographic proof generation drops from \(21.1\) s to
\(0.945\) s at sample size \(512\), while cryptographic verification depends only
on that sample size. The key stays on a precompile-friendly curve, where its
scalar multiplication costs \(12{,}000\) gas instead of \(0.9\)--\(5.9\) million
for the non-precompiled alternatives.
Improved Subfield Curve Search For Specific Field Characteristics
Isogeny-based cryptography relies its security on the hardness of the supersingular isogeny problem: finding an isogeny between two supersingular curves defined over a quadratic field extension of $\mathbb{F}_{p}$.
The Delfs-Galbraith algorithm is one of the most efficient procedures for solving the supersingular isogeny problem with a time complexity of $\mathcal{\tilde{O}}(p^{1/2})$ operations. The bottleneck of the Delfs-Galbraith algorithm is the so-called subfield curve search (i.e., finding an isogenous supersingular elliptic curve defined over the prime field), which determines the time complexity of the aforementioned algorithm.
Given that, for efficiency, most recent isogeny-based constructions propose using finite fields with field characteristics equal to $p = 2^a \cdot f - 1$ for some positive integers $a$ and $f$.
This work primarily focuses on primes of that particular form and presents two heuristic algorithms for finding subfield curves with a time complexity of $\mathcal{O}(p^{1/2})$ operations and a memory complexity polynomial in $\log_2{p}$. We show how to adapt these algorithms to primes of the form $p = d^a \cdot f - 1$ with $d$ being a small integer, with a particular focus on $d=12$. We provide concrete time-complexity bounds for both kinds of primes $p = 2^a\cdot f - 1$ and $p = {12}^a \cdot f - 1$.
Our algorithms exploit the existence of large $d^a$-torsion points and extend the subfield root detection algorithm of Corte-Real Santos, Costello, and Shi (Crypto, 2022) to a projective scenario where one can work with the curve coefficients instead of their explicit j-invariants.
We highlight that our algorithms easily extend to primes of the form $p =2^a \cdot f + 1$, $p =4 \cdot d_1 \cdot d_2 \cdots d_n - 1$ for small odd primes $d_i$'s, and primes such that $p - 1$ and $p + 1$ are $B$-smooth for some integer $B$.
Concrete Bit-Operation Cost of XL: For Solving Multivariate Quadratic Systems Using Wiedemann and Berlekamp-Massey
We present a concrete bit-operation cost model for solving multivariate quadratic systems with XL using Wiedemann linear algebra, and Berlekamp-Massey sequence recovery. Following the CryptAttackTester methodology, we implement XL in a circuit-oriented model and derive closed-form cost formulas for the XL, Wiedemann, and Berlekamp-Massey steps. We instantiate the model for GF(2), GF(31), and GF(256), including baseline, constant-coefficient, and bucketed matrix-evaluation variants. Experiments on small parameter sizes show that the formulas accurately predict the circuit costs, while asymptotic analysis confirms convergence to the expected leading constant factors determined by the underlying field arithmetic. We apply the resulting estimates to Fukuoka MQ Challenge instances and to multivariate candidates from the NIST additional-signature process, providing a unified bit-operation comparison of direct Wiedemann-XL costs across several MQ-based schemes.
A Separation Principle for Lookup-Based zkML: Activation-Function Structure Cannot Reduce Per-Lookup Proving Cost
In zero-knowledge machine learning (zkML), the dominant cost is generating the proof, not running the model, and it concentrates in the nonlinearities a transformer must evaluate inside the proof system. It is tempting to exploit a nonlinearity's mathematical structure (low degree, parity, or kernel form) to prove it more cheaply. We show this hope is misplaced for the dominant cost: in a Shout-style (one-hot) lookup argument the per-lookup proving work is a function of the access pattern alone, never of the table values, so function structure has zero leverage on it. This is a separation principle; structure can cheapen only a secondary, once-per-proof table term. That table term stays subordinate as models get deeper because the only data-dependent amplifier of per-layer error in a pre-LN transformer is the LayerNorm gain 1/σ: a σ-floor on typical inputs lets a single fixed proving precision suffice at every depth, keeping proof cost near-linear in the number of layers. Whether
a fixed precision survives depth is a property of the network, shared by FHE and integer-quantized inference; what is paradigm-specific is the pricing: the leverage of structure inverts between FHE’s multiplicative-depth metric and the lookup address metric. We measure this depth-to-cost scaling on two independent proving systems (EZKL/halo2 and Jolt Atlas), and turn the one dial the separation leaves open, the committed address width, into a bit-exact, upstreamed reduction in prover time.
A family of invertible shift-invariant maps with strong arithmetic properties
Shift-invariant maps have been employed to design nonlinear layers in many symmetric cryptographic schemes, such as the $\chi$-map used in Keccak.
In this paper, we study a family of shift-invariant maps on $\mathbb{F}_2^n$ which exhibit strong arithmetic properties with respect to the composition. The set of their defining functions, which we denote by $\Omega_{\underline{a}}$, is induced by a so-called ``bifix-free'' sequence $\underline{a}=(a_1,a_2,\ldots,a_m)\in \mathbb{F}_2^m$ with $2\leq m<n$.
It is shown that $\Omega_{\underline{a}}$ forms a commutative monoid with respect to the composition.
If $m\nmid n$, then $\Omega_{\underline{a}}$ is isomorphic to the unit group of $\mathbb{F}_2[x]/ (x^{\lceil \frac{n}{m} \rceil})$; if $m\mid n$, then the unit group of $\Omega_{\underline{a}}$ is isomorphic to that of $\mathbb{F}_2[x]/ (x^{ \frac{2n}{m}}+x^{ \frac{n}{m}})$.
The isomorphic relation transforms the composition of functions in $\Omega_{\underline{a}}$ into the multiplication of polynomials in the quotient ring of $\mathbb{F}_2[x]$, where the algebraic properties of the latter are well-understood.
As a straightforward application, we focus on the algebraic properties of a particular class of functions in $\Omega_{\underline{a}}$, denoted by
$\rho_k$ for $k\geq 1$, which include the $\chi$-map as well as several other known maps studied in earlier literature.
It is shown that $\rho_k$ is invertible if and only if $m\nmid n$. Also the inverse and the cycle structure of $\rho_k$ (if invertible) can be fully characterized.
As different bifix-free sequences $\underline{a}$ typically induce different families of functions $\Omega_{\underline{a}}$ with pairwise trivial intersections, this work offers abundant parameter flexibility for designing invertible shift-invariant maps as well as deep insights into their algebraic properties.
Resource Estimation of the Distributed Quantum Algorithm for the Elliptic Curve Logarithm Problem
Elliptic Curve Cryptography (ECC) underpins modern public-key infrastructure, relying on the computational hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). While monolithic quantum computers running Shor's algorithm present a long-term threat to ECC, their physical realization is bottlenecked by the massive logical qubit demands of modular arithmetic—specifically modular inversion. Distributed Quantum Computing (DQC) offers a compelling alternative by linking smaller, cooperative quantum processing units (QPUs). In this paper, we adapt two distributed quantum algorithms to the elliptic curve setting and perform a rigorous resource estimation of their architectures. Integrating the compact, register-sharing Extended Euclidean Algorithm (EEA) formulation by Luo et al., we demonstrate distinct resource footprints for each approach on a cryptographically secure 256-bit elliptic curve. Specifically, Xu et al.'s zero-quantum-communication variant requires between 1080 and 1140 logical qubits per node (depending on the search window configuration), while Li et al.'s sequential quantum-communication-based variant can be realized with as few as 828 to 1068 logical qubits per node (depending on the number of participating network nodes). Our comparative analysis maps out the critical trade-offs between quantum communication overhead, classical coordination, and single-node hardware constraints, establishing a clear design space for near-term distributed quantum cryptanalysis.
A Minrank-based Encryption Scheme à la Alekhnovich-Regev
Introduced in 2003 and 2005, Alekhnovich and Regev' schemes were the first public-key encryptions whose security is only based on the average hardness of decoding random linear codes and LWE, without other security assumptions. Such security guarantees made them very popular, being at the origin of the now standardized HQC or Kyber.
We present an adaptation of Alekhnovich and Regev' encryption scheme whose security is only based on the hardness of a slight variation of MinRank, the so-called stationary-MinRank problem. We succeeded to reach this strong security guarantee by showing that stationary-MinRank benefits from a search-to-decision reduction. Our scheme therefore brings a partial answer to the long-standing open question of building an encryption scheme whose security relies solely on the hardness of MinRank.
Finally, we show after a thoroughly security analysis that our scheme is practical and competitive with other encryption schemes admitting such strong security guarantees. Our scheme is slightly less efficient than FrodoKEM, but much more efficient than Alekhnovich and Regev' original schemes, with possibilities of improvements by considering more structure, in the same way as HQC and Kyber.
Privacy-Preserving Federated Inference for Genomic Analysis with Homomorphic Encryption
In recent years, federated learning has gained significant momentum as a collaborative machine learning approach, particularly in the field of medicine. While the decentralized nature of federated learning provides greater security guarantees compared to traditional machine learning methods, it is still susceptible to myriad attacks. Moreover, as federated learning becomes increasingly ubiquitous in medicine, its use for classification tasks is expected to increase; however, maintaining patient data confidentiality remains a significant challenge, especially for genetic data. While previous works focus on utilizing Single Nucleotide Polymorphisms or numerical data, recent advances in gene sequencing amplify the importance of inference from DNA sequences. In this work, we introduce a novel framework for secure federated inference on nucleotide-based genotype data and provide a gateway to private inference through fully homomorphic encryption. A federated model with five local clients was created and trained before being encrypted with the TFHE cryptosystem and placed for inference. We tested multiple different local and global model architectures, including a standard neural network, a support vector machine, and an LSTM (long-short-term memory), and compared their respective abilities across accuracy, precision, recall, and runtime metrics. These frameworks successfully identified promoter sequences encoded within given DNA sequences, as well as whether a given sequence was a coding sequence or an intergenomic sequence, showing their potential applications in secure genomic data analysis in a federated context. Our work represents a crucial step in privacy-preserving federated inference on nucleotide-based data.
Single-Trace Power Analysis of LESS Key Generation
This paper presents a side-channel attack on the Linear Equivalence Signature Scheme (LESS) v2.0. LESS derives its security from the Linear Equivalence Problem and was evaluated as a candidate during Round 2 of the NIST post-quantum cryptography standardization process. LESS secret keys are used to generate monomial matrices, which are stored efficiently in two one-dimensional lists: the permutation list and the coefficient list. Recovering the secret monomial matrices is sufficient to forge signatures, as they are the values actually used during signing. We propose a profiled, single-trace horizontal attack on LESS key generation that recovers the full secret monomial matrices. First, the monomial coefficients that are multiplied by the dense part of the public generator matrix are recovered via power analysis of the matrix multiplication function. Next, we attack the reduced row echelon form function to recover the permutation list. We then complete the attack algebraically via two independent paths: the Primary attack and the Secondary attack. The Primary attack uses only the recovered coefficients in matrix multiplication together with their permutation positions, and a known parity-check matrix equation. The Secondary attack is an alternative that relies on another algebraic relation between the secret key and the public key and uses all the recovered values. We validated our attack on an ARM Cortex-M4 microcontroller. On the NIST Category 1 parameter set, the Primary attack achieves a 99.1% exact-recovery rate and the Secondary attack achieves a 99% exact-recovery rate, over 6000 independent keys. We also analyze potential countermeasures and show that independently shuffling the row processing order within each column reduces the success rate of our attack to negligible levels, providing protection against the specific attack vector demonstrated in this paper.
Silentium revisited: Pseudorandom Beaver Triple Expansion
In the line of the SPDZ protocol for secure multi-party computation,
the generation of Beaver triples is the most expensive task.
Silentium (Rieder, PrivCryp 25) is the implementation of a Pseudorandom
Correlation Generator (PCG) for Beaver triples (Boyle et al.,
Crypto 20). PCGs focus on low-communication costs., e.g. their PCG reduces
the communication by one order of magnitude compared to protocols
in MP-SPDZ. Silentium is an implementation of their PCG, achieving
similar running times than MP-SPDZ. We make three theoretical
contributions to Silentium, including an implementation. First, we make
a practical proposal how to generate Beaver triples over binary fields F2λ,
which extends the previous setting over prime fields. For this, we propose
a suitable instantiation of the Number Theoretic Transform. Second, we
show how to use the binary triples to construct what we call a Beaver
triple expansion scheme, that is we construct a scheme that expands a
small batch of Beaver triples into a large batch of Beaver triples, in the
sense of recently established oblivious transfer extension schemes. This
feature enables an efficient preprocessing stage for the PCG, closing a
practical issue of Silentium. Finally, we provide details about the Silentium
implementation, by clearing a technical bug in the initial theoretical
protocol description.
A Blockchain-Based Access Control Scheme with Hidden Attributes and Policies Using Commitments and Zero-Knowledge Proofs
Blockchain provides public verifiability for access control in Internet of Things (IoT) data sharing, but its transparency can expose requester attributes, access policies, and their satisfaction relations. Existing privacy-preserving approaches often protect only one side of the authorization decision or rely on pairing-based ABE/HVE, interactive homomorphic computation, or circuit-specific proof parameters. This paper proposes a blockchain-based access control scheme that verifies authorization over hidden, authenticated inputs using commitments and non-interactive zero-knowledge proofs. Requester attributes and access policies are encoded as vectors. Multiple attribute authorities sign requester-bound local commitments, while the data provider independently commits to the policy vector. The requester proves that the committed vectors satisfy the required inner-product relation through a linked commit-and-prove protocol using a Bulletproof inner-product argument. A smart contract verifies the authority evidence, commitment aggregation, and access proof while learning only the authorization result. We formally establish policy hiding, attribute hiding, and authenticated attribute integrity. The recursive inner-product argument makes the dominant per-request access-verification communication grow logarithmically with the vector dimension. We implement a Rust experimental prototype and make the source code, benchmark configurations, results, and plotting scripts publicly available. Experiments over vector dimensions from 16 to 512 quantify the communication and computation costs. At the largest evaluated dimension, the modeled access-verification record remains below 1 KB, while final decryption takes 0.103 ms. These results indicate that the scheme supports bilateral authorization privacy and public verifiability without pairing-based authorization or circuit-specific trusted setup.
SQISign on ARM
We present the first vectorized implementation of SQIsign for high-performance Arm architectures. SQIsign is a promising candidate in the NIST On-Ramp Digital Signatures Call Round 2 to its most compact key and signature sizes. However, its signing performance remains a primary bottleneck, particularly the ideal-to-isogeny conversion. The conversion requires a large number of operations on elliptic curves and Abelian varieties, which depend on finite field arithmetic. Despite recent algorithmic improvements, research on high-performance implementations and efficient vectorized finite field arithmetic for SQIsign is still unexplored.
Our main contribution is the first demonstration of non-trivial vectorization speedups for SQIsign. By leveraging the NEON instruction set, we implement highly efficient finite field arithmetic and batched elliptic curve operations tailored for 2-dimensional isogeny chain computations. This accelerates the subroutine by 2.24$\times$ over the state-of-the-art. Moreover, our improvements are completely orthogonal to the recent algorithmic improvement Qlapoti (Asiacrypt 2025), offering similar performance gains in the SQIsign signing algorithm. When combined with Qlapoti, our implementation achieves a speedup of more than 2.24$\times$ in signing at NIST security level I. We expect our work to inspire further SQIsign optimization from a vectorization perspective, especially for quaternion computations with precise bounds.
Syndrome Decoding with Hints
We study the syndrome decoding problem (SDP) in the presence of side information. The SDP asks, given a binary parity-check matrix $\mathbf{H}$ and a syndrome $\mathbf{s}$, to find a low Hamming weight binary error $\mathbf{e}$ such that $\mathbf{H} \mathbf{e} = \mathbf{s}$ over $\mathbb{F}_2$. Recent work (Cayrel et al., Eurocrypt '21) exploits a fault injection attack to reveal syndrome entries over the integers, referred to as perfect hints. Subsequent works considered side-channel scenarios to reveal similar, but noisy, information (approximate hints).
Both types of hints have been shown empirically to allow for solving the SDP once enough of them are available. However, fundamental questions about the impact of these hints on the hardness of the SDP, such as thresholds for a collapse into the polynomial-time regime or how to exploit arbitrary amounts of hints, remain open.
In this work, we show that both types of hints effectively allow one to transform the SDP instance into a soft-decision decoding instance. We then adapt Information Set Decoding (ISD) algorithms, the best known technique to solve generic SDP instances, to this setting. In contrast to previous work, we obtain non-trivial speedups for any amount of available hints, interpolating smoothly between the complexity of standard ISD (no hints) and polynomial time (sufficient hints). Furthermore, our practical simulations show that Hint-ISD achieves the polynomial-time regime generally under fewer hints than previous approaches.
We then provide an explicit bound on the number of hints required to reach the polynomial-time regime. This bound confirms earlier practical observations that higher error weights, such as those found in the McEliece cryptosystem, exhibit higher resistance against hint exposure than schemes using smaller error weights, such as HQC.
Attribute-Based Threshold Issuance Anonymous Counting Tokens and Its Application to Sybil-Resistant Self-Sovereign Identity
Self-sovereign identity (SSI) systems empower users to (anonymously) establish and verify their identity when accessing both digital and real-world resources, emerging as a promising privacy-preserving solution for user-centric identity management. Recent work by Maram et al. proposes the privacy-preserving Sybil-resistant decentralized SSI system CanDID (IEEE S&P 2021). While this is an important step, notable shortcomings undermine its efficacy. The two most significant among them being the following: First, unlinkability breaks in the presence of a single malicious issuer. Second, it introduces interactiveness, as the users are required to communicate each time with issuers to collect credentials intended for use in interactions with applications. This contradicts the goal of SSI, whose aim is to give users full control over their identities. This paper first introduces the concept of publicly verifiable attribute-based threshold anonymous counting tokens (tACT). Unlike recent approaches confined to centralized settings (Benhamouda et al., ASIACRYPT 2023), tACT operates in a distributed-trust environment. Accompanied by a formal security model and a provably secure instantiation, tACT introduces a novel dimension to token issuance, which, we believe, holds independent interest. Next, the paper leverages the proposed tACT scheme to construct an efficient Sybil-resistant SSI system. This system supports various functionalities, including threshold issuance, unlinkable multi-show selective disclosure, and non-interactive, non-transferable credentials that offer constant-size credentials. Finally, our benchmark results show an efficiency improvement in our construction when compared to CanDID all while accommodating a greater number of issuers and additionally reducing to a one-round protocol that can be run in parallel with all issuers.
CHIP: Efficient Homomorphic Encryption-Based CNN Batch Inference Using Channel-Interleaved Packing with Small Rotation Key Set
As privacy concerns rise, numerous laws require machine learning-based applications to comply with stringent privacy regulations. While Homomorphic Encryption (HE) allows computation directly on encrypted data, existing HE-based inference solutions suffer from significant computational and memory overhead for both single and multiple samples. Additionally, current methods require many rotation keys, which limits their practicality in a broader range of scenarios.
To address these challenges, we propose channel-interleaved packing (CHIP) to embed three-dimensional (3-D) data into 2-D ciphertexts, enabling 3-D HE convolution to be performed as a 2-D HE convolution combined with channel aggregations via ciphertext rotations. To further improve the performance of CHIP-based convolution, we introduce an efficient 2-D convolution that halves the number of HE multiplications. For computationally intensive inference tasks, we employ partial-kernel and mini-batch strategies that iteratively process sliced kernels and subsets of samples, aggregating the results to produce the final output.
Experimental results demonstrate the superior efficiency of our method compared to the state-of-the-art HE-based approaches by Lee et al. (ICML'22) and Cheon et al. (IEEE TDSC'24) in both single-sample and multi-sample scenarios. Using ResNet18, VGG11, and VGG16 with a batch size of 64, our solution achieves speedups of up to 4.7$\times$. When processing a single test sample, the speedup increases to 60$\times$. Moreover, our method requires only 29 rotation keys for evaluation, which is at least 35% fewer than previous works, resulting in an overall memory reduction of up to 45%. Code is available at: https://github.com/whcjimmy/chip.
New Post-Quantum IBE leveraging maturity, efficiency and security of standard schemes
Many Identity-Based Encryption (IBE) schemes rely on the hardness of the Discrete Logarithm Problem, making them vulnerable to quantum attacks. In recent years, lattice-based cryptography has emerged as a source of Post-Quantum cryptosystems, for example with Kyber, Dilithium and Falcon chosen by NIST to be standardized as ML-KEM, ML-DSA and FN-DSA. Some IBEs have also been proposed over lattices, but they can still be considered as interesting theoretical constructions, the community's attention having been more on the NIST competition than on optimizing IBEs, assessing their security, and protecting them against physical attacks. So, in this paper, we build a new IBE scheme from the basic blocks of the highly studied ML-KEM, ML-DSA and ModFalcon, to put both their maturity and efficiency at the benefits of IBE. More precisely, we leverage the Module-NTRU trapdoor from ModFalcon to enable extraction of secret keys, we use the encryption and decryption algorithms from ML-KEM, and the modular arithmetic and Number-Theoretic Transform from ML-DSA. Therefore, being able to reuse code from widely deployed schemes, our IBE is much easier to implement and maintain in practice, and can benefit from existing (and future) optimizations, hardware accelerators, and side-channel protections, with very little to no additional work. We also prove the IND-sID-CPA-security of our scheme under standard assumptions, and precisely describe the algorithms and the choice of concrete parameters.
On Extending Integral Distinguishers
Integral cryptanalysis analyzes block ciphers using input structures for which the sum of a chosen function of the output bits becomes key-independent. However, most methods still test one output expression at a time, so they can miss distinguishers that emerge only when several outputs are combined, either linearly or nonlinearly. They are also not designed to capture key-dependent integral combinations, which may hold deterministically on part of the key space.
In this work, we develop Split-and-Cancel, a method that combines exact expansion in a short final part with an oracle on the preceding rounds to determine which suffix monomials can survive from the chosen structure and records them in a binary matrix. Key-independent combinations are then extracted from the left kernel of this matrix. We first apply the method in a reduced model with omitted boundary key additions, where linear dependencies in this matrix yield certified key-independent sum combinations among output bits and higher-degree output products.
When the omitted boundary key is restored, the same combinations yield deterministic weak-key distinguishers.
We apply the method to SIMON, SIMECK, SPECK, PRESENT, and GIFT. Our strongest deterministic results add one round to the best integral distinguishers for SIMON-32, SIMON-48, SIMON-64, SIMON-96, SIMON-128, all standard SIMECK variants, and SPECK from block sizes 32 to 128. For PRESENT and GIFT, we obtain one-round improvements for deterministic weak-key integral distinguishers. In each case, the exact weak-key class covers at least a quarter of the key space: $2^{78}$ of $2^{80}$ keys for PRESENT-80, $2^{126}$ of $2^{128}$ keys for PRESENT-128, GIFT-64 and GIFT-128. These results show that exact modeling of a short final part can reveal key-independent and weak-key integral behavior missed by single-observable searches.
PKE and ABE with Collusion-Resistant Secure Key Leasing
Secure key leasing (SKL) is an advanced encryption functionality that allows a secret key holder to generate a quantum decryption key and securely lease it to a user. Once the user returns the quantum decryption key (or provides a classical certificate confirming its deletion), they lose their decryption capability. Previous works on public key encryption with SKL (PKE-SKL) have only considered the single-key security model, where the adversary receives at most one quantum decryption key. However, this model does not accurately reflect real-world applications of PKE-SKL. To address this limitation, we introduce collusion-resistant security for PKE-SKL (denoted as PKE-CR-SKL). In this model, the adversary can adaptively obtain multiple quantum decryption keys and access a verification oracle which validates the correctness of queried quantum decryption keys. Importantly, the size of the public key and ciphertexts must remain independent of the total number of generated quantum decryption keys. We present the following constructions:
- A PKE-CR-SKL scheme based on the learning with errors (LWE) assumption.
- An attribute-based encryption scheme with collusion-resistant SKL (ABE-CR-SKL), also based on the LWE assumption.
- An ABE-CR-SKL scheme with classical certificates, relying on multi-input ABE with polynomial arity.
- An adaptively secure identity-based encryption scheme with collusion-resistant SKL based on the LWE assumption.
A Lattice-based Designated Verifier zkSNARK from Standard Assumptions
Designated Verifier zero-knowledge Succinct Non-Interactive Arguments of Knowledge (DV-zkSNARKs) are cryptographic argument systems in which the ability to verify proofs is restricted to a designated verifier. Unlike publicly verifiable zkSNARKs, these constructions ensure that only an authorized party can validate the correctness of the proof. Existing lattice-based DV-zkSNARK constructions typically rely either on linear-only encryption or on the Linear Targeted Malleability (LTM) assumption. The former has been cryptanalytically broken and therefore no longer provides a credible basis for post-quantum security. The latter is a non-standard and comparatively less established assumption and, moreover, restricts knowledge soundness to the non-adaptive setting. To overcome these limitations, we propose an inner-product argument system whose security relies solely on the well-established hardness of the Module Short Integer Solution (MSIS) problem and that achieves adaptive knowledge soundness in the random oracle model. This construction enables a designated verifier, holding a secret key, to succinctly verify inner product of a committed witness with an arbitrary vector. By combining our argument system with a linear probabilistic checkable proof (LPCP) compiler, to the best of our knowledge, we obtain the first DV-zkSNARK construction based on standard assumptions. Our implementation achieves prover and verification times comparable to the state of the art, while reducing public parameter size by a factor of 10, at the cost of a 2.5x increase in proof size.
Batch subgroup membership testing on pairing-friendly curves
A major challenge in elliptic curve cryptosystems consists
in efficiently mitigating the small-subgroup attack. This paper explores
batch subgroup membership testing (SMT) on pairing-friendly curves,
particularly for the Barreto–Lynn–Scott family of embedding degree 12
(BLS12) due to its critical role in modern pairing-based cryptography.
Our research introduces a novel two-step procedure for batch SMT to
rapidly verify multiple points at once, cleverly combining the already
existing tests based on the Tate pairing and a non-trivial curve endo-
morphism. We clarify why the invented technique is significantly faster
(despite a negligible error probability) than testing each point individu-
ally. Moreover, it is applicable to prominent curves like BLS12-381 and
BLS12-377 being frequently employed in zero-knowledge applications.
Nonetheless, to further enhance the speed (or reduce the error proba-
bility) of the proposed batch point validation, we have generated two
new BLS12 curves that are specifically optimized for this purpose. We
also provide an open-source high-speed software implementation in Go,
showcasing significant performance improvements achieved by our work.
Hardware Private Cubic Circuits
Cryptographic hardware implementations often leak secret information through side channels. This can allow attackers to learn secret data, such as a cryptographic key, without any vulnerability in the cryptographic algorithm itself. A popular countermeasure to such attacks is masking, which ensures that processed data is independent of the secrets by splitting them into multiple independent shares, often at the cost of significant overhead in terms of required area, latency, and randomness.
The composable PINI notion in the glitch-extended probing model ensures some degree of security against such side-channel analysis attacks, and guarantees that the circuit may be arbitrarily composed with other PINI circuits while maintaining the same security level.
This allows for the secure implementation of arbitrary circuits using trivial composition, replacing elementary gates with "gadgets" realizing the same functionality in a PINI-secure manner.
Up to now, PINI gadgets at arbitrary security order are limited to quadratic functions, i.e., 2-input gates, with the best known as HPC3.X realizing a 2-input multiplier in one clock cycle.
In this work, we present HPCC, the first low-latency 3-input multiplication gadget for arbitrary fields that maintains a constant latency of one cycle, independent of the number of shares. HPCC additionally allows for the computation of any number of multiplications in a single cycle with relatively little overhead when two of the three operands are identical. When instantiated with two shares and for $\mathbb{F}_2$, HPCC halves the previous record for lowest number of fresh masks required at comparable area cost.
With more shares, HPCC is the only single-cycle gadget realizing 3-input multiplications in arbitrary fields. We leverage HPCC to implement the first composable AES S-Box with two cycles of latency with an arbitrary number of shares. This S-Box design significantly outperforms the previous record in terms of area and randomness when instantiated with three shares and stands as the only two-cycle solution for more shares.
Cross-Algorithm Deep Learning-based Non-Profiled Side-Channel Attacks Exploiting Symmetric Leakage
Deep Learning-based Non-profiled Side-Channel Analysis (DL-NSCA) enables automatic feature extraction without a profiling device, but existing approaches mainly target non-linear operations, requiring prior knowledge of the algorithm's unique non-linear structure and computable non-linear intermediate values. These limit applicability in analyzing proprietary or undisclosed implementations and in settings where plaintext/ciphertext are masked by unknown randomness (e.g., tweaks or nonces).
We observe that linear operations are fundamental as common cryptographic primitives appearing at the beginning or end of algorithms in conjunction with the secret key, and are widely used to mask sensitive input/output. Motivated by this observation, we propose a new DL-NSCA perspective that targets the outputs of linear operations, referred to as symmetric leakage, to enable cross algorithm attacks. The main limitation of the prior distinguisher lies in their reliance on a simplistic
correspondence between deep learning metrics and side channel information. This leads to two issues: the effectiveness of the distinguisher varies significantly with the chosen training epoch, and a wrong key inducing a negative correlation may be indistinguishable from the correct key under symmetric leakage.
To address this, we provide a formal algebraic characterization of the relationship between the structure of the leakage function and the number of maxima given from the distinguisher. Guided by this theory, we propose a new distinguisher, VS-GBA, an epoch-invariant distinguisher that interprets SCA information from deep learning metrics and approaches the theoretical optimum. It is applicable to both the asymmetric leakage and symmetric leakage through a structure-aware screening criterion. Our experiments show that, on the high-noise 32-bit ARM Cortex-M4 device, when the core operations are protected, asymmetric leakage analysis fails to recover the keys for all three evaluated algorithms within the maximum trace budget (GE=70 for masked AES, GE=27 for masked PRESENT, and GE=66 for masked ASCON). In contrast, VS-GBA, which targets symmetric leakage, recovers the key with a 100% success rate using 8,000, 8,500, and 16,000 traces, respectively.
Furthermore, we present a DL-NSCA attack on XTS-AES (NIST SP 800-38E), extending DL-NSCA to scenarios where plaintext/ciphertext is masked
by a secret tweak.
Breaking Verifiable Delay Functions in the Random Oracle Model
This work resolves the open problem of whether verifiable delay functions (VDFs) can be constructed in the random oracle model.A VDF is a cryptographic primitive that requires a long time to compute (even with parallelization), but produces a unique output that is efficiently and publicly verifiable.
We prove that VDFs do not exist in the random oracle model. This also rules out black-box constructions of VDFs from other cryptographic primitives, such as one-way functions, one-way permutations and collision-resistant hash functions.
Prior to our work, Mahmoody, Smith and Wu (ICALP 2020) prove that \emph{perfectly unique} VDFs (a much stronger form of VDFs) do not exist in the random oracle model; on the other hand, Ephraim, Freitag, Komargodski, and Pass (Eurocrypt 2020) construct VDFs in the random oracle model assuming the hardness of repeated squaring. Our result is optimal -- we bridge the current gap between previously known impossibility results and existing constructions.
We initiate the study of \emph{proof of work functions}, a new cryptographic primitive that shares similarities with both VDFs and proof of works. We show that a stronger form of it does not exist in the random oracle model, leaving open the fascinating possibility of a random-oracle-based construction.
Low-Stack HAETAE for Memory-Constrained Microcontrollers
We present a low-stack implementation of the module-lattice signature scheme \(\mathrm{HAETAE}\), targeting microcontrollers with \(8\,\mathrm{kB}\)–\(16\,\mathrm{kB}\) of available SRAM. On such devices, peak stack usage is often the binding constraint, and \(\mathrm{HAETAE}\)'s hyperball-based sampler, large transient polynomial vectors, and variable-length signature payloads (hint and high-bits arrays) pose a particular challenge. To address this, we introduce (i) rejection-aware pass decomposition, which isolates encoding to the post-acceptance path; (ii) component-level early rejection, which short-circuits the response computation when a partial norm already exceeds the bound; and (iii) reverse-order streaming entropy coding using range Asymmetric Numeral Systems (rANS), which eliminates full hint and high-bits staging buffers. Combined with streamed matrix generation, a two-pass hyperball sampler with streaming Gaussian backend, and row-streamed verification, these techniques bring signing stack usage from \(71\,\mathrm{kB}\)–\(141\,\mathrm{kB}\) in the reference implementation down to \(5.8\,\mathrm{kB}\)–\(6.0\,\mathrm{kB}\), key generation to \(4.7\,\mathrm{kB}\)–\(5.7\,\mathrm{kB}\), and verification to \(4.7\,\mathrm{kB}\)–\(4.8\,\mathrm{kB}\) across all three security levels. Our pure C implementation covers all three security levels (\(\mathrm{HAETAE}\)-2/3/5), whose optimization paths differ due to the public-key domain (\(d > 0\) vs. \(d = 0\)) and rejection structure. We implement our optimization on a Nucleo-L4R5ZI and compare it to the reference `pqm4` implementation (for \(\mathrm{HAETAE}\)-2 and -3) and to a recently published memory-optimized implementation (targeting \(\mathrm{HAETAE}\)-5 only). We reduce \(\mathrm{HAETAE}\)-2, -3, and -5 stack usage by respectively \(75\%\), \(86\%\), and \(8\%\) for key generation, \(92\%\), \(95\%\), and \(24\%\) for signature generation, and \(85\%\), \(91\%\), and \(22\%\) for verification. Depending on the parameter set, this impacts performance by at most a factor of \(1.8\) and \(3.4\) for key generation and signature generation, respectively, while even offering a performance improvement of up to \(18\%\) for verification. Verification at all security levels fits within \(8\,\mathrm{kB}\) of RAM (signature buffer + stack) and is \(2.34\)–\(3.34\times\) faster than ML-DSA m4fstack at each comparable security level. We additionally validate portability under RIOT-OS on ARM Cortex-M4 and RISC-V targets.
Deterministic State Machines as Guarded Linear Constraint Systems: Double-spend prevention as a state property
This paper formalizes the Deterministic State Machine, or DSM, as a guarded, linear, forward only, constraint based computation model. DSM does not require a blockchain, validator set, sequencer, gas market, mempool, clock based ordering rule, or global consensus layer for ordinary state evolution. State validity is determined by local verification of cryptographically precommitted candidate futures, deterministic fulfillment guards, explicit resource consumption keys, canonical encodings, signatures, and Sparse Merkle Tree commitments.
The architectural shift is that finality moves from a network decision to a state property. Instead of requiring some external party, committee, sequencer, validator set, or global clock to agree that a transition happened, DSM asks whether the proposed transition consumes the committed state resource and advances it deterministically. If it does, the successor is locally realized. If it does not, it is not state. Finality is therefore not provided as a service by an ordering network; it is a consequence of the consumed resource itself. This is global realization without global ordering: local acceptance composes into a coherent realized history because incompatible histories cannot merge.
The central claim is not that DSM forbids all branching at the level of precommitment. DSM explicitly permits precommitment forking. Multiple candidate futures may be prepared for a common parent, including Deterministic Limbo Vault release paths, refund paths, hash fulfillment paths, recovery paths, abort paths, contingent payment paths, CPTA token operations, offline bearer steps, and other mutually exclusive branches. The invariant is:
multiple futures may be described, but for a fixed consumed resource, at most one may be realized.
A resource is the thing that produces exactly one realized successor. A relationship parent, spendable object, vault generation, token balance object, source vault generation, recovery generation, or offline anchor step is a resource in this sense. Candidate branches are only possible futures. Realization consumes the resource.
A generation is a logical version of a resource family. It is not a time period, not a clock interval, not a scheduling unit, and not an external ordering coordinate. Generations are ordered only by DSM derivability and resource consumption.
This paper makes explicit the machinery required for that statement. Guard exclusivity is not left as convention. A DSM precommit set is valid only if its guard family is well formed. A well formed guard family gives either a deterministic branch selector, a mechanically proven exclusive guard class, or a set of branch predicates that are structurally tied to the same consumed resource. Parent consumption is modeled through canonical resource consumption keys and a consumed parent set committed by the DSM root. Branch local keys may exist for indexing or audit, but the shared resource key is what enforces linear exclusion.
A hardened form of the model is also stated: for any conflict class, all conflicting candidates must resolve to an identical canonical resource consumption set, and those keys must be derived from the committed parent state rather than supplied as discretionary branch data. This removes the implementation hazard where release, refund, recovery, or policy branches accidentally consume different keys.
The role of guard exclusivity is clarified. Pairwise guard exclusivity is useful and required for guard classes that claim exclusive fulfillment, but it is not the only safety mechanism. When conflicting branches share the same derived resource consumption key set, linearity alone prevents co realization even if several guards are simultaneously fulfilled. Thus the load bearing safety rule is not merely that guards should not overlap. The load bearing safety rule is that conflicting futures must fight over the same derived resource.
Tripwire is formalized as the theorem that two conflicting realized successors from the same consumed resource cannot both be derivable. More precisely, conflicting candidates may be constructed or transmitted as bytes, but they cannot both validate under the DSM step predicate and cannot both go through as accepted state transitions for the same consumed resource. Forks are therefore not selected against by consensus. They are excluded by guarded realization and exposed by reconciliation if conflicting invalid bytes are presented outside the valid model.
Offline bearer mode is treated as an optional mode predicate, and this revision states its corrected form. Transfer uniqueness, including offline transfer uniqueness, is a software theorem of the guarded linear kernel. An SMT committed anchor counter makes the offline origin an explicit coordinate of the committed state, every offline candidate from that origin consumes the same derived anchor step resource key, and realized history uniqueness applies without a hardware term. Hardware is thereby demoted to the one job software cannot perform: uniqueness of the physical device instance. Every offline release carries a three factor identity witness, a seed rooted DSM signature, a PUF rooted non exportable chip signature, and a partition sealed host signature over the same root advance message, and the physical monotonic counter survives only as a tracker of the SMT counter: a non rewind floor, a stale image tripwire, and an offline exposure cap. The receiver witnessed counter positioned commit of earlier drafts is superseded: a scalar counter read never binds the transition it brackets, and the binding was never needed.
The safety theorems of this paper are supported by machine checked artifacts. The general key scoped fork exclusion theorems are proved in Lean 4 over an abstract guarded model, with the uniqueness and Tripwire core depending on no axioms. A companion TLA${}^{+}$ development model checks the same statements in both a per state form and a realized history form on concrete guard families, and by deliberate falsification of a malformed family confirms that guard family well formedness is load bearing. A relationship scoped model checks that same parent multi receiver forks are unconstructible in online DSM. Appendices A and B point to these artifacts. Their exact scope and boundary are stated in the Claim Boundary section.
Latency-Aware, High-Throughput Homomorphic AES Evaluation with CKKS
Homomorphic Advanced Encryption Standard (AES) evaluation refers to evaluating the AES circuit with a fully homomorphic encryption (FHE)-encrypted secret key. Applications include in particular Transciphering, which converts AES-encrypted data into FHE ciphertexts without exposing the secret key.
Existing homomorphic AES evaluations show a clear separation between latency-oriented solutions and throughput-oriented solutions. CKKS-based methods exploit massive SIMD parallelism and focus on throughput by processing many AES blocks in parallel. They are hardly suitable for latency-critical settings. In contrast, TFHE-based methods process a small number of blocks efficiently. They are preferable for low-latency settings, but provide very limited throughput.
In this work, we show that AES-CKKS evaluation can achieve both interactive latency and high throughput. Our first variant is optimized for latency and decrypts a single AES block in only 26ms on an NVIDIA RTX-5090. This is more than 6× faster than recent TFHE-based state-of-the-art approaches; further, an extension of it processes 4 AES blocks at once in 29ms. Our second variant is based on a new embedding of $\textrm{GF}(16)$, the finite field with 16 elements, into CKKS message space. It is optimized for throughput and processes up to 2048 AES blocks at once, achieving 238KB/s throughput (a more than 3.41× improvement over the state-of-the-art CKKS-based approaches), while maintaining latency comparable to TFHE-based methods. To the best of our knowledge, this is the first AES-FHE evaluation algorithm combining good latency and throughput properties, bringing homomorphic outsourcing with AES within reach of real-time applications on constrained devices.
Our main ingredients are redundant structures that maximize SIMD utilization, improved algorithms for the SubBytes step (one of them being based on inversion in $\textrm{GF}(256)$ using CKKS), fusion of linear layers into bootstrapping, and carefully crafted FHE parameters.
Private IP Address Inference in NAT Networks via Off-Path TCP Control-Plane Attack
NAT is widely assumed to conceal the private IP addresses
of internal clients from both off-path attackers within the same LAN and external observers. We show that this assumption does not hold. We present a novel off-path deanonymization attack that infers the private
IP addresses of NATed clients engaged in active TCP connections with a remote server. Our attack builds on known NAT behaviors in real-world Wi-Fi routers, such as port preservation, insufficient reverse-path validation, and the absence of TCP window tracking, previously shown
to enable off-path TCP hijacking. By inferring a NATed client’s private IP address, our attack defeats the anonymity commonly attributed to NAT, creating a persistent privacy leak that enables deanonymization and user profiling. We validate the attack on 6 Wi-Fi routers and 2 real-world Wi-Fi networks using SSH and HTTP/HTTPS traffic over TCP, finding that 5 of the 6 routers and both networks are vulnerable.
Optimized Implementation of Warp-Cooperative GPU HCTR2-ARIA Wide-Block Encryption
HCTR2 is a wide-block encryption mode that encrypts one fixed-size message as a single unit, so that flipping a single plaintext bit re-randomizes the whole ciphertext. Its main use is disk encryption, where the message is a disk sector. We instantiate it with ARIA, the Korean national block-cipher standard, and implement it on an NVIDIA RTX 4080 GPU. With many independent messages, assigning one thread per message keeps the device occupied. At low queue depth, however, most of the GPU sits idle, and encrypting one 16 KiB message is several times slower than a single CPU core. The reason is that one HCTR2 message is internally sequential, so it cannot simply be split across threads.
We present a fine-grained kernel in which one 32-thread warp cooperates on a single message. The kernel exploits the linearity of POLYVAL. It splits the long hash computation into contiguous per-thread pieces, has each thread compute a partial result, and combines the partials with warp shuffles to obtain exactly the same value as the sequential computation. This brings the latency of one message down to parity with a single CPU core (ARIA-256: 222 μs on the GPU vs. 209 μs on the CPU). Moreover, the number of threads per message and of messages per block acts as a knob that trades latency for throughput, spanning 222 μs/30 GB/s to 1774 μs/49 GB/s. With as few as four messages in flight the GPU already beats the CPU. We validate correctness for all three key sizes.
Evaluating Hybrid KEM/DSA for KpqC and NIST PQC on ARM Cortex-M4
Primitive-only PQC benchmarks are insufficient for attributing composed hybrid costs on Cortex-M4 because shared hash backends, randomized-signature behavior, and fixed classical/wrapper work affect measured performance. We implement a common bare-metal Cortex-M4 harness for representative KpqC/NIST families, measuring uniform Hash-CT hybrid KEM benchmark rows with X25519 and Bindel et al. hybrid-signature AND-combiner rows. The goal is composed-cost attribution under a uniform benchmark transcript rather than primitive-only ranking.
Our measurements show three attribution effects. First, replacing only Keccak-f[1600] changes SHAKE-heavy signing by up to 2.16×, while SPHINCS⁺-SHA2 and FN-DSA control rows remain at 1.00×. Second, median-only signature tables can change deployment conclusions. In the nominal level-5 signing rows, HAETAE5 beats FN-DSA-1024 by median and mean latency, but its observed maximum reaches 4.53× its median while FN-DSA-1024 remains essentially flat. Third, a local SMAUG-T backend improves standalone SMAUG-T by 1.79–1.82×, but the visible gain drops to 1.42–1.65× inside SMAUG-T+X25519 hybrids. Supporting KEM rows place lattice hybrids at 3.7–8.8 M cycles and HQC hybrids at 19.6–74.5 M cycles. Together, the results motivate reporting composed-cost attribution, backend provenance, and variance alongside primitive timings.
Optimizing ARIA-GCM on GPUs
This paper proposes an optimized GPU implementation of the ARIA-GCM authenticated-encryption pipeline (CTR keystream, GHASH authentication, and their AEAD composition): ARIA-CTR uses a packed 32-bit S-box staged in shared memory, GHASH is optimized separately with a fixed-key 4-bit Shoup lookup table, the two stages are integrated as both a two-kernel and a fused single-kernel AEAD, and the same aria_gcm.cu source is tuned for Ampere and Pascal through compile-time parameters. For ARIA-CTR, the four distinct S-box tables are merged into one 1 KiB shared-memory table (R=1 staging) and each thread encrypts CTR_IPT counter blocks in parallel to fill the ALU-bound diffusion layer. For GHASH, each thread owns one segment of sblk blocks, applies W-way Horner interleaving with precomputed powers of H, and keeps the reduction table in shared memory. Experiments on an RTX 3090 and a GTX 1080 Ti show that packed S-box staging improves naive ARIA-CTR by 14.5×, the Shoup LUT improves bit-serial GHASH by 21.5×, and the tuned pipeline reaches 924 Gb/s (CTR), 2,865 Gb/s (GHASH), and 622 Gb/s (fused AEAD) on the RTX 3090. Using a simple sequential-composition model, we show that the GHASH optimization is what shifts the AEAD bottleneck onto ARIA-CTR: without it the pipeline would be GHASH-bound near 120 Gb/s, whereas the tuned GHASH makes CTR account for about three quarters of the per-byte cost. We back the analysis with Nsight Compute measurements of register usage, achieved occupancy, shared-memory bank conflicts, and DRAM traffic.
Quantum Implementation and Analysis of Rijndael
We present a quantum resource estimation of the Rijndael variants
\[
N_b = N_k \in \{4,5,6,7,8\}, \qquad N_r = N_b + 6,
\]
under the NIST MAXDEPTH quantum cost model. Extending the AES quantum
encryption oracle~\cite{ref5} parametrically to arbitrary $N_b = N_k$,
we generalize the in-place key schedule, including the single- and
double-\texttt{SubWord} cases, the \texttt{ShiftRows} offsets, and the
round constants. We implement and verify the resulting oracles using
ProjectQ. The verified variants range from 1,624 qubits at a full depth
of 1,090 for Rijndael-128/128 to 3,240 qubits at a full depth of 1,839
for Rijndael-256/256. Under the NIST PQC MAXDEPTH bounds
$\{2^{40}, 2^{64}, 2^{96}\}$, the Grover key-recovery qubit cost in
$\log_2$ units ranges from $\{80.15, 32.15, 10.67\}$ for
Rijndael-128/128 to $\{210.65, 162.65, 98.65\}$ for
Rijndael-256/256. The standardized analogues at Categories 1, 3, and 5,
namely Rijndael-128/128, Rijndael-192/192, and Rijndael-256/256, meet
the corresponding AES-based bounds. The intermediate Rijndael-160/160
and Rijndael-224/224 variants provide reference points between the
standardized AES key lengths.
Improved Quantum Circuits for Information Set Decoding with Application to Code-Based Cryptography
Information set decoding (ISD) is the standard generic decoding attack considered for code-based cryptography. A concrete quantum-resource estimate for Grover-accelerated ISD requires an oracle whose dominant component is Gauss–Jordan elimination.
We improve the elimination circuit of Perriello et al. [25] and Jang et al. [15] by not updating the entries that no later pivot or the final weight predicate reads. The required result vector is recovered by a parallel back-substitution on the syndrome register. For the target schemes, our elimination circuit improves the qubit count by about 22% compared to [15]. The Toffoli count improves by about 20% compared to both [25] and [15]. The Toffoli depth improves by about 67% compared to [25] but degrades by about 0.3% compared to [15].
We report logical resource estimates for the quantum ISD attack on HQC and Classic McEliece. The product of the total gate count and the full depth exceeds the NIST post-quantum security thresholds, and the full depth exceeds the MAXDEPTH upper bound.
We also provide fault-tolerant estimates of the physical qubit count and the runtime under a surface-code model with magic-state distillation. As one example, HQC-128 requires about $2^{43}$ physical qubits and about $2^{53}$ years at a 1 μs code cycle.
A Memory-Efficient and Assembly-Optimized Implementation of NTRU+
This paper presents a memory-efficient and high-speed implementation of NTRU+, one of the key encapsulation mechanisms (KEMs) selected by Korea’s post-quantum cryptography project (KpqC), on the ARM Cortex-M4. NTRU+ is small enough to run on its own on a Cortex-M4 class microcontroller, yet in real embedded environments, the peak stack occupied by polynomial buffers and the running time dominated by the NTT become key constraints. To address this, in the proposed technique, we reduce memory by analyzing when each polynomial buffer is actually live and restructuring the algorithm so that only a single buffer is resident during computation, and we significantly improve speed by rewriting the NTT for the mixed-radix structure of NTRU+ in Cortex-M4 assembly. By doing so, the assembly NTT acceleration compensates for the recomputation overhead introduced by the memory optimization, so that the combined implementation is both smaller and faster than the reference. Experimental results show that, relative to the KpqClean_ver2[1] reference implementation, the proposed technique reduces the peak stack by 83–84% while improving the speed of all three operations by up to 1.8×.
Accelerating FAEST Signing on GPU via Fused AES Constraint Generation and Batched Leaf Hashing
FAEST is a symmetric-key post-quantum digital signature scheme and a third-round candidate in the NIST Additional Digital Signatures standardization process. Its signing path concentrates cost in two operations: round-wise constraint generation, which proves in zero knowledge that the AES circuit is computed correctly, and finite-field multiplication, which computes the leaf nodes of a vector commitment. This paper accelerates both operations on a CUDA-enabled GPU, with AES round constraint generation as the main contribution. Specifically, we fuse the three consecutive stages that make up constraint generation into a fused GPU path and keep the intermediate results between stages resident in device memory, thereby reducing host–device data transfer. As a supporting measure, we batch independent finite-field multiplications for leaf nodes, jointly improving end-to-end signing performance. We verify the correctness of the implementation through byte-level output agreement with the CPU reference implementation. Combining fused constraint generation with batched leaf hashing, the full GPU path achieves up to roughly a 3× end-to-end signing speedup over the CPU reference. Furthermore, when AES constraint generation fusion is added on top of leaf hashing that is already performed on the GPU, an additional reduction in signing latency is observed in five of the six evaluated AES s/f variants. The magnitude of this effect does not scale monotonically with the security parameter; rather, it is determined by the per-variant bottleneck structure.
Post-Quantum Anonymous Signatures from the Lattice Isomorphism Group Action
Post-quantum assumptions may not rely on the difficulty of finding secret subgroups as many classical schemes did. Instead, several assumptions make use of more general group actions, with the hope that quantum algorithms are not helpful in this less structured setting. Group action-based constructions were first presented in the context of isogenies in which an ideal class group acts on elliptic curves, but equivalence problems in error-correcting codes and lattices also exhibit such structures.
Previous works presented anonymity-preserving constructions in a generic group action framework; however, they were not general enough to encompass the group action underlying the Lattice Isomorphism Problem (LIP), for which the acting group is countably infinite and non-commutative.
We bridge this gap by, from zero-knowledge proofs of OR statements, building generic blind signatures and strong designated-verifier signatures with non-delegability from standard assumptions corresponding to a generalised group action inverse problem.
GlitchSnipe: Toward Localized Voltage Fault Attacks
Voltage glitching is one of the most prominent fault injection techniques due to its effectiveness and simplicity. Although it is generally regarded as a spatially global fault method, in which the injected glitch uniformly affects all circuits on the die, several studies have observed that specific locations may be affected more than others. To characterize this phenomenon, we draw inspiration from methods used in electromagnetic interference (EMI) analysis. In this paper, we demonstrate that voltage attacks can be modeled as the transfer of conducted electromagnetic energy through the power delivery network (PDN) to the chip’s die. By analyzing voltage glitches in the frequency domain and modeling the PDN as a communication channel, we demonstrate that different frequency components of an injected glitch signal propagate through the network in distinct patterns. In this context, we further show that modulating the supply voltage with a single-frequency sinusoidal signal, rather than injecting a pulse-shaped glitch, enables an adversary to influence transistors in specific regions of the chip and thus induce localized faults. To validate these claims, we first propose a post-silicon profiling framework that identifies the frequency bands in which the system’s PDN is most vulnerable and maps the spatial regions of the chip affected by each frequency component. To this end, we perform extensive profiling on several FPGAs using distributed time-to-digital converters (TDCs) to measure the impact of injected signals across a range of frequencies. As a proof-of-concept, we also demonstrate successful localized voltage attacks on simple FSMs and AES-128 implementations with various placements, to further show the sensitivity of chip locations to injected energy at different frequencies. Our results reveal that even minor changes in design placement can significantly affect a circuit’s susceptibility to voltage-based fault attacks, either weakening or strengthening its resilience.
Starfighters—On the General Applicability of X-Wing
In this work, we present a comprehensive analysis of QSF, the KEM combiner used by X-Wing (Communications in Cryptology 1(1), 2024). While the X-Wing paper focuses on the application of QSF to ML-KEM-768 and X25519, we discuss the combiner’s applicability to other post-quantum KEMs and ECDH instantiations.
Particularly, we establish the compatibility of QSF to KEMs based on variants of the Fujisaki-Okamoto transform by proving ciphertext second-preimage resistance (C2PRI) for these variants. Building on these results, we show that QSF is compatible with, to the best of our knowledge, all post-quantum KEMs currently standardized or considered for standardization—including ML-KEM, (e)FrodoKEM, HQC, Classic McEliece, and various NTRU variants. Notably, this means these schemes can be used with QSF to construct PQ/T hybrid KEMs.
In addition, we introduce QSI, a variant of QSF that combines two KEMs by hashing their shared keys, yielding a KEM that is IND-CCA-secure as long as one constituent KEM is IND-CCA-secure and the other is C2PRI-secure. We establish the same compatibility results for QSI as for QSF.
Finally, we analyze both QSF and QSI regarding (their preservation of) the recently introduced family of binding properties for KEMs.
Statistically Undetectable Backdoors in Deep Neural Networks
We show how an adversarial model trainer can plant backdoors in a large class of deep, feedforward neural networks. These backdoors are statistically undetectable in the white-box setting, meaning that the backdoored and honestly trained models are close in total variation distance, even given the full descriptions of the models (e.g., all of the weights). The backdoor provides access to invariance-based adversarial examples for every input, mapping distant inputs to unusually close outputs. However, without the backdoor, it is provably impossible (under LWE) to generate any such adversarial examples in polynomial time. Our theoretical and preliminary empirical findings demonstrate a fundamental power asymmetry between model trainers and model users.
HACC: A Scalable Hierarchical Accumulator with Sublinear Cost for Large Dynamic Sets
Dynamic universal accumulators provide succinct set commitments for evolving datasets, but balancing efficiency and scalability remains challenging. In particular, Bilinear Pairing (BP) accumulators offer constant size witnesses, but their public parameters size and dynamic operation costs grow linearly with the global capacity of the set.
To address this bottleneck, we propose a trapdoorless hierarchical accumulator (HACC) that keeps BP-style efficient witness update and verification while avoiding this linear dependence. For a set of current size $n$ and a pre-defined parameter $t$ ($t \ll n$), HACC requires only $\mathcal{O}(t)$ public parameters, while supporting addition, deletion, and witness generation in $\mathcal{O}(t\log_t n)$ time, which is far more efficient than the $\mathcal{O}(n)$ costs of BP accumulators (Nguyen, CT-RSA'05, Damg\r{a}rd et al., eprint'08, and Srinivasan et al., CCS'22); moreover, HACC has $\mathcal{O}(\log_t n)$ sized witnesses with amortized $\mathcal{O}(1)$ witness updates. We further integrate polynomial multiproofs to reduce witness verification to constant pairing complexity in read-heavy epoch-based settings. We prove correctness and soundness of HACC under the $t$-SDH assumption in the random oracle model. Experimental results show that under comparable parameter budgets, HACC is $9.7\times$ -- $1803.4\times$ faster than BP accumulators for element update and witness generation, and consumes $34.6\times$ -- $3679.4\times$ smaller public parameters size.
An $n^{n+o(n)}$-Time Algorithm for the Lattice Isomorphism Problem
The Lattice Isomorphism Problem asks whether two given lattices $\mathcal L_1$ and $\mathcal L_2$ are related by an orthogonal linear transformation. Haviv and Regev gave a seminal $n^{O(n)}$-time algorithm for this problem based on an isolation lemma (SODA 2014).
We give algorithms for the decision, search, and all-isomorphisms versions of the problem running in time $n^{n+o(n)}$ times a polynomial in the input size. The main new ingredient is a Gaussian heat argument over convex bodies generated by shortest vectors: for $w\sim D_{\mathcal L^*,s}$, the vector $w$ canonically determines $n-o(n)$ independent shortest vectors, leaving a residual instance of rank $o(n)$. The remaining residual dimensions are handled by an $n^{o(n)}$-time canonicalizer obtained by adapting the Haviv-Regev algorithm. We then combine this canonicalizer with a birthday argument to recover all isomorphisms.
For the all-isomorphisms version, this bound is asymptotically optimal in the worst case up to an $n^{o(n)}$ factor. As an extension, we also give, in the QRAM model, a quantum variant running in time $n^{\frac{2}{3}n+o(n)}$. It outputs a representative isomorphism together with generators for the automorphism group, thereby providing a compact description of the entire isomorphism coset.
Efficient Polynomial Multiplication for HQC on ARM Cortex-M4
In this paper, we propose the Hybrid FAFFT-CRT method for accelerating HQC polynomial multiplication on the ARM Cortex-M4. The method uses the Chinese Remainder Theorem to map the polynomial ring to a product of an FAFFT-friendly ring of size $2^{d+1}$ and a small-degree residual ring, reducing the FAFFT transform length by half compared to the state-of-the-art. We also present the Hybrid Karatsuba-FAFFT method as an alternative hybrid based on a 2-way Karatsuba split, and apply radix-16 multiplication to HQC for the first time, with an operation-count cost model for selecting Karatsuba and Toom-Cook combinations. Additionally, we improve the core FAFFT butterfly through shortened XOR sequences, register scheduling, and SWAPMOVE-based bit swaps. On a NUCLEO-L4R5ZI board with a Cortex-M4 microcontroller, the Hybrid FAFFT-CRT method reduces polynomial multiplication cycles by 36.0% and 29.3% for HQC-1 and HQC-3, leading to cycle reductions for key generation, encapsulation, and decapsulation by 25.5%, 26.1%, and 23.5% for HQC-1, and 19.3%, 20.0%, and 19.1% for HQC-3. For HQC-5, our optimized butterfly FAFFT provides a consistent speedup of 1.4-1.6% across all KEM operations.
AsymSAE: Verifier-Based Asymmetric SAE Protocol for Personal Wi-Fi Networks
Password-authenticated key exchange (PAKE) remains central to WPA3-Personal, the personal mode of the latest Wi-Fi security standard, where the Simultaneous Authentication of Equals (SAE) protocol enables secure Wi-Fi access via a low-entropy password. However, SAE’s symmetric password authentication makes all associated stations (STAs) vulnerable once the network-edge access point (AP) is compromised. Although SAE+ (IEEE TIFS 2024) addresses this issue in the client–server model with verifier-based asymmetric authentication, its weak binding of the password-derived verifier, ephemeral randomness, and protocol transcripts still enables key-compromise impersonation (KCI) attacks and offline dictionary attacks. Therefore, designing a verifier-based asymmetric SAE protocol that preserves the SAE workflow while resisting these attacks remains challenging. To address this challenge, we propose AsymSAE, a verifier-based asymmetric SAE protocol tailored for personal Wi-Fi networks. Following the SAE workflow in IEEE Std 802.11-2024, AsymSAE realizes asymmetric authentication by allowing the STA and AP to use the user password and the password-derived verifier, respectively. We further formulate a verifier-based security model to capture the asymmetric structure, and prove the security of AsymSAE in this model. Heuristic security analysis and ProVerif verification demonstrate that AsymSAE provides forward secrecy, transcript-based offline dictionary attack resistance, AP-side KCI resistance, session-key confidentiality, and mutual authentication. Our performance evaluation, including ns-3-based network simulation, demonstrates that AsymSAE can achieve significant verifier-based security enhancement without incurring extra communication overhead, while introducing minimal additional computational overhead and authentication latency.
SCOUT-CT: Sound Constant-Time Outcome with Uncertainty Tracking using multi-taint analysis
Side-channel attacks are an important class of security exploits, in which an attacker gains access to confidential data by observing information inadvertently leaked by a system.
Writing constant-time code is a common defense against time-based and microarchitectural side-channel attacks.
Many approaches have been proposed to automatically verify that a program is constant-time.
Sound methods can detect all information leaks but, to efficiently analyze large programs, most of them rely on overapproximation which can yield false alarms (i.e., reports of non-existent information leaks).
Each finding produced by such analyses therefore requires manual inspection.
Additionally, most existing approaches do not perform binary-level analysis and thus miss vulnerabilities introduced by compilation.
In this paper, we present a novel sound analysis for detecting information leaks under the constant-time threat model.
Compared with existing work, our technique improves taint analysis by systematically tracking precision loss to determine whether a detected information leak could be caused by overapproximation.
Findings for which no precision loss is detected are reported as confirmed; as long as they do not arise from dead code, confirmed findings are guaranteed to be true and thus do not require significant manual inspection.
Only findings with detected precision loss need classical human verification.
Our analysis operates directly on binary executables.
We instantiate our technique within the abstract interpretation framework and provide a proof of correctness.
We implemented our approach in a prototype tool, SCOUT-CT, and evaluated it on a benchmark of constant-time and non-constant-time programs, including real-world cryptographic implementations.
Our results show that SCOUT-CT is effective: our tool detected all 98 timing leaks in the benchmark and automatically classified 97 as confirmed findings that do not require significant manual inspection.
Computing Isomorphisms between Products of Supersingular Elliptic Curves
The Deligne-Ogus-Shioda theorem guarantees the existence of isomorphisms between products of supersingular elliptic curves over finite fields. In this paper, we present methods for explicitly computing these isomorphisms in polynomial time, given the endomorphism rings of the curves involved. Our approach leverages the Deuring correspondence, enabling us to reformulate computational isogeny problems into algebraic problems in quaternions. Specifically, we reduce the computation of isomorphisms to solving systems of quadratic and linear equations over the integers derived from norm equations. We develop $\ell$-adic techniques for solving these equations when we have access to a low discriminant subring. Combining these results leads to the description of an efficient probabilistic Las Vegas algorithm for computing the desired isomorphisms. Under GRH, it is proved to run in expected polynomial time.
BaseFold: Efficient Field-Agnostic Polynomial Commitment Schemes from Foldable Codes
This works introduces Basefold, a new $\textit{field-agnostic}$ Polynomial Commitment Scheme (PCS) for multilinear polynomials that has $O(\log^{2}(n))$ verifier costs and $O(n \log n)$ prover time. An important application of a multilinear PCS is constructing Succinct Non-interactive Arguments (SNARKs) from multilinear polynomial interactive oracle proofs (PIOPs). Furthermore, field-agnosticism is a major boon to SNARK efficiency in applications that require (or benefit from) a certain field choice.
Our inspiration for Basefold is the Fast Reed-Solomon Interactive-Oracle Proof of Proximity (FRI IOPP), which leverages two properties of Reed-Solomon (RS) codes defined over "FFT-friendly'' fields: $O(n \log n)$ encoding time, and a second property that we call foldability. We first introduce a generalization of the FRI IOPP that works over any foldable linear code in linear time. Second, we construct a new family of linear codes which we call $\textit{random foldable codes}$, that are a special type of punctured Reed-Muller codes, and prove tight bounds on their minimum distance. Unlike RS codes, our new codes are foldable and have $O(n \log n)$ encoding time over ${any}$ sufficiently large field. Finally, we construct a new multilinear PCS by carefully interleaving our IOPP with the classical sumcheck protocol, which also gives a new multilinear PCS from FRI.
Basefold is 2-3 times faster than prior multilinear PCS constructions from FRI when defined over the same finite field. More significantly, using Hyperplonk (Eurocrypt, 2022) as a multilinear PIOP backend for apples-to-apples comparison, we show that Basefold results in a SNARK that has better concrete efficiency across a range of field choices than with any prior multilinear PCS in the literature. Hyperplonk with Basefold has a proof size that is more than $10$ times smaller than Hyperplonk with Brakedown and its verifier is over $30$ times faster for circuits with more than $2^{20}$ gates. Compared to FRI, Hyperplonk with Basefold retains efficiency over any sufficiently large field. For illustration, with Basefold we can prove ECDSA signature verification over the secp256k1 curve more than $20$ times faster than Hyperplonk with FRI and the verifier is also twice as fast. Proofs of signature verification have many useful applications, including offloading blockchain transactions and enabling anonymous credentials over the web.
The Most Efficient Protocol for PAKE: What Exact Stuff Do You Need to Hash at the End?
A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to jointly establish a cryptographic session key, in the "password-only" setting where the only information shared in advance is a low-entropy password. In recent years, the One-encryption EKE with 2-round Feistel cipher (OEKE-2F) protocol, a compiler from Key Encapsulation Mechanism (KEM) to PAKE, has received much attention, for the following reasons: (1) When instantiated with the Diffie–Hellman KEM, it is the most computationally efficient PAKE protocol to date that is secure in the Universal Composability (UC) framework; and (2) When instantiated with a post-quantum KEM, it provides a generic way to construct efficient PAKE protocols based on post-quantum assumptions.
Unfortunately, the community cannot agree upon what the OEKE-2F protocol exactly is: part of the second protocol message is an RO hash of the KEM key, together with any number of the following:
- The password,
- The KEM public key,
- The first protocol message, and
- The KEM ciphertext.
This yields 16 potential variants of OEKE-2F; only two of them have been studied in the literature, and their pros and cons are poorly understood.
In this work, we present a comprehensive analysis of *all 16 variants* of OEKE-2F, proving the UC-security of each of them. The general takeaway is that the "hash everything" version requires the fewest security properties of the underlying KEM scheme, and the more items we remove from the hash, the more security requirements the KEM scheme has to satisfy — although all of the additional KEM properties are still mild. We pinpoint the exact KEM properties each version of OEKE-2F needs, and thoroughly explain the rationales.
The significance of this work lies in that it helps the community converge upon the "right" version of OEKE-2F, and perhaps also in that this is the first paper by the author that is over 100 pages.
Thresholdizing Standardized FALCON Signatures
Threshold signatures allow a quorum of parties to jointly produce a signature while preventing any smaller subset from doing so. Following NIST's post-quantum standardization, designing threshold schemes compatible with the newly selected primitives is a pressing task. In particular, no prior threshold signature scheme produces signatures verifiable under the unmodified FALCON verification algorithm - the NIST-selected post-quantum scheme with the smallest signatures and keys.
In this work, we present the first such threshold FALCON signing protocol, establishing its feasibility. Our technical contributions are threefold. First, we adapt the MPC-based discrete Gaussian sampling protocol of Wei et al. [CCS:WYFCW23] to support private centers and standard deviations, as required by FALCON's signing process. Second, we carry out a Rényi divergence analysis of the Klein sampler under fixed-point arithmetic, showing that $73$ bits of precision suffice to achieve the same security as the FALCON specification. Third, we design an efficient MPC protocol for the Klein sampler that exploits the fixed trapdoor basis to construct a pseudorandom correlation generator for authenticated VOLE using only two-party DPFs, reducing per-signature communication significantly over standard authenticated triple generation. We implement and benchmark our protocol in two settings: $N$-party signing with all-but-one corruption, and 3-party signing with honest majority, demonstrating that threshold FALCON signing is feasible for applications where compatibility with the FALCON standard is required.
Notes on the ideal arithmetic correlations of $N$-ary sequences
In this paper, we investigate the nonexistence of $N$-ary sequences with ideal arithmetic correlation. We prove that there exist no ternary, quaternary, or $6$-ary sequences with ideal arithmetic autocorrelation when the connection integer is an odd prime power $p^{t}$ and $\textup{ord}_{p^{t}}(N)=\phi(p^{t})/4$, where $\phi$ denotes Euler's totient function. Furthermore, when the connection integer is an odd prime $p$ and $\textup{ord}_{p}(N)=\phi(p)/6$, no such ternary, quaternary, or $6$-ary sequences exist for ideal arithmetic correlation. This includes in particular the case $p\equiv7(\textup{mod}12)$, for which $\textup{ord}_{p}(N)=\phi(p)/6$ and we further show that no $N$-ary sequence with ideal arithmetic correlation exists for any prime $N>2$. These results provide further evidence that ideal arithmetic correlation is highly restrictive in the $N$-ary setting.
Anonymous Communication on Expander Networks
Who is talking to whom? Consider a group of users who wish to communicate anonymously via a network of intermediate relays. We study anonymous communication under two standard strong adversarial models. A passive adversary observes all network traffic and additionally views the internal states of a constant fraction of corrupted relays, while an active adversary may also control the behavior of these corrupted relays. The goal of an anonymous communication protocol is to ensure that the adversary cannot distinguish who is communicating with whom.
One of the most practical and widely adopted approaches is onion routing, where messages are first wrapped in layers of encryption and anonymity emerges through repeated "shuffling" of onions at honest relays that peel a layer and randomly permute outgoing onions. In general, this approach may not achieve anonymity. The challenge is to rigorously quantify conditions for efficiently achieving anonymity, where efficiency is measured as a function of the protocol's security parameter λ, which we assume, without loss of generality, is at least linear in the network size.
A well-known result from ICALP'18 shows that if each hop in a routing path is chosen uniformly at random from all relays, then onion routing achieves anonymity against a passive adversary whenever both the number of rounds and the server load grow faster than log λ. In this setting, anonymity arises from the fact that every onion is repeatedly shuffled with a uniformly random subset of other onions. However, this assumption requires a fully connected network.
We generalize this result to sparse networks. We show that when routing paths are selected by performing independent random walks on a sparse, constant-degree expander graph, onion routing still achieves anonymity with the same asymptotic efficiency parameters as in the complete-network setting. In particular, this matches the optimal round-complexity bound known for complete networks, despite the fact that onions only shuffle within their local neighborhoods at each round, and an adversary may extract information from observing transitions between neighboring nodes.
We further extend our results to active adversaries. In the sparse-expander setting, we construct, under different conditions, (1) a differentially private protocol that achieves (ε, negligible in λ)-differential privacy, and (2) an anonymous protocol. Both run efficiently in polylogarithmic rounds and incur polylogarithmic server load.
A polynomial-time key recovery attack of Facto-DSA
This work introduces a polynomial-time attack on the signature scheme Facto-DSA. We provide an implementation that breaks all proposed parameter sets, including the largest, in under one minute on a standard laptop. These results question the suitability of multivariate polynomial factorization as a foundation for robust cryptographic schemes.
A Prototype-Based Study of Zero-Knowledge Proof Verification for Privacy-Preserving Blockchain Interoperability
Blockchain networks need to exchange messages and assets across independent systems, but cross-chain verification can expose private validation data to relayers, bridge logic, validators, or destination-chain components. This paper presents a prototype-based zero-knowledge verification layer for privacy-preserving blockchain interoperability. The prototype uses Circom and SnarkJS to generate Groth16 proofs, verifies those proofs in Rust using arkworks BN254, and maps the result into a Substrate-style interoperability decision model. The work addresses a practical implementation gap between common zero-knowledge proof tools and Rust-based blockchain interoperability environments. Private values stay off-chain, while only the proof, public commitment, verification metadata, and final decision are passed to the runtime-facing layer. The prototype includes valid-proof acceptance, tampered-input rejection, runtime-compatible verification records, and a simulated interoperability decision layer. Experimental results show proof generation at 199 ms, SnarkJS valid-proof verification at 161 ms, tampered-input rejection at 160 ms, and Rust verifier execution at 340 ms. These results show that a SnarkJS-generated Groth16 proof can be verified in Rust and used to control whether a simulated cross-chain action is accepted or rejected. The current scope does not include a full FRAME pallet or live Cross-Consensus Messaging (XCM) dispatch. In Polkadot, XCM is the message format used to send instructions between different chains. The prototype is not intended to replace Polkadot's existing parachain auditing mechanisms. Instead, it explores a complementary privacy-preserving verification path for selected interoperability conditions where private inputs should not be exposed. The prototype provides a repeatable technical path for building privacy-preserving verification in Polkadot/Substrate-style interoperability workflows.
A New Framework for Efficient Multivariate Functional Bootstrapping
Fully homomorphic encryption (FHE) enables computation on encrypted data without decryption. In TFHE, programmable bootstrapping (PBS) evaluates nonlinear functions through lookup tables (LUTs), but a direct multivariate LUT over a $t$-ary plaintext space has size $t^\ell$. This paper studies LUT compression for multivariate functional bootstrapping via variable separation and additive inner representations.
We first apply this approach to non-negative integer division with remainder. For a dividend $m$, a divisor $d$, and $h=\lfloor m/d\rfloor$, we use a logarithmic transformation to decompose bivariate division into two univariate logarithmic PBS calls, one homomorphic subtraction, and one outer exponential PBS call. To handle integer plaintexts, we introduce a rounded logarithmic function $\operatorname{clog}_{B,M}$ and give a sufficient condition on $M$ for exact quotient recovery. The resulting homomorphic division-with-remainder algorithm achieves $\widetilde{O}(1)$ equivalent blind-rotation complexity under theoretically optimal parameters, and also yields frameworks for modular reduction and truncated division.
We further prove that every finite function $f:[t]^\ell\to[t]$ can be written as $f(x_1,\ldots,x_\ell)=q\left(\sum_{i=1}^{\ell}p_i(x_i)\right)$, and search for small-span representations using simulated annealing with reheating. Experiments show a 3.6x speedup for division with remainder at $t=64$, and a 1.9x speedup for the Hamming-weight interval function, compared with estimates based on [BBR26].
Privacy Coins Under Viewing Key Compromise
Anonymity guarantees of privacy-oriented cryptocurrencies are garnering negative attention from lawmakers who view them as antinomic to accountability. Having recognized their potential for innovation, however, regulators may not want to outright ban privacy coins but instead seek a middle ground where financial oversight is effective, and still a modicum of privacy is maintained. Mature designs, such as Zcash, Monero, or Firo, facilitate this through so-called viewing keys that can be disclosed to third parties for the purpose of supervision. This paper initiates the study of the issues of security, privacy, and fungibility that privacy coins face in the non-custodial setting with the legal obligation on users to surrender their viewing keys to the authorities. In doing so, it fills the gap in provable anonymity guarantees for Zcash, while, at the same time, exposing problems with Monero and Firo.
k-Anonymous Group Signatures
We review $k$-anonymity in authentication schemes, group signatures, and ring signatures. Existing constructions either require a signer to maintain state across interactions, or admit tracing algorithms that cost $O(n^k)$ in the number $n$ of signatures. We introduce $k$-anonymous group signatures ($k$-AGS), that achieves stateless signing with a tracing cost $O(n+k)$, while necessarily sacrificing unlinkability. We present a generic construction of $k$-AGS together with an efficient instantiation.
We additionally construct a proof-of-concept $k$-unlinkable group signature ($k$-UGS) scheme that achieve unlinkability at the expense of $O(n^2k)$ tracing overhead. We pose the question of whether stateless signing, $O(n+k)$ tracing, and unlinkability are simultaneously achievable, and leave it as an open problem.
Building on our $k$-AGS framework, we introduce $k$-Anonymous Set Pre Constrained Group Signatures ($k$-ASPCGS), a threshold variant of Set Pre-Constrained Group Signatures introduced by Bartusek et al. (EUROCRYPT '23). As a proof-of-concept, we present two generic constructions of $k$-ASPCGS.
We show that our notions arise naturally in the context of content moderation in end-to-end encrypted messaging platforms, where users must remain anonymous until a threshold number of distinct illegitimate contents have been reported.
What Happens When integrating Modulus Switching and Lossy Source Coding: A New Dual Attack Variant on LWE
The threat of large-scale quantum computers to classical public-key cryptography has motivated the development of post-quantum cryptographic schemes. Among these, lattice-based constructions have become the mainstream choice in the ongoing NIST standardization process. The security of these schemes typically relies on the hardness of the LWE problem, and the dual-sieve-FFT attack is widely recognized as one of the most effective approaches against it. Recent improvements by MATZOV and Carrier et al. have significantly advanced its efficiency.
In this paper, we propose a new variant of the dual-sieve-FFT attack
that integrates modulus switching and lossy source coding. We provide a theoretical analysis of the integrated approach and show that the enumeration size in the FFT step can be reduced from $q^{n_\text{fft}}$ to $p^{k_\text{fft}}$ (with $p <q, k_{\text{fft}} < n_{\text{fft}}$), leading to lower FFT cost and decoding cost. When applied to KYBER, our variant achieves better total complexity than the attack using only lossy source coding, although the improvement is modest. More importantly, the decoding and FFT costs are reduced by 1–6 bits and 2–7 bits, respectively, in most parameter settings. These reductions are practically meaningful in scenarios where memory usage or multi-target attacks are of concern.
Multi-Client Functional Encryption for Small Domains
In this paper, we revisit the problem of multi-client functional encryption (MCFE) for general functions. Specifically, we consider
the setting of private-key MCFE for constant-arity functions where the
input domain is polynomial in the security parameter. Surprisingly, we
show that in this setting it is possible to construct a private-key MCFE
scheme secure for a bounded number of key and encryption queries based
only on the minimal assumption that one-way functions exist. In contrast, all prior constructions of MCFE for general functions require very
strong assumptions such as indistinguishability obfuscation or multilinear maps.
Our main technique is to show that private-key MCFE for polynomial
input domain can be built from any private-key multi-input functional
encryption (MIFE) while inheriting the security properties of the underlying MIFE. Instantiating our construction with the MIFE of Brakerski et
al. (Eurocrypt 2016) gives us a construction based only on the existence
of one-way functions.
A New CRT-based Fully Homomorphic Encryption
The idea of computing on encrypted data without decryption dates back to the notion of privacy homomorphisms introduced by Rivest, Adleman, and Dertouzos (1978). Their proposals built using the elegant structure of Chinese Remainder Theorem (CRT), were later shown to be insecure under simple known-plaintext attacks. Subsequent CRT-based fully homomorphic encryption (FHE) over the integers addresses this algebraic transparency by injecting noise and basing security on approximate common divisor–type assumptions, but the resulting designs are burdened by large public keys and costly ciphertext refresh procedures.
In this work, we develop a new CRT-based FHE scheme whose security relies on the Ring-LWE (RLWE) hardness assumption. For this purpose, we introduce the CRT-RLWE problem. We show that the problem is at least as hard as the RLWE, thereby positioning our construction within the established post-quantum security landscape of RLWE-based cryptography. Our scheme retains an explicit CRT embedding, separating a message component modulo a prime-power plaintext modulus and an auxiliary CRT component, while using RLWE-style key and ring arithmetic for compactness and efficiency.
Finally, we make it fully homomorphic by using a new bootstrapping procedure, that adopts the recryption paradigm for BGV/BFV schemes utilizing the linear transformation and digit extraction techniques.
How to Encrypt with Random Reversible Circuits
This work revisits a natural paradigm for constructing public-key encryption, whereby the public key is an obfuscated block cipher in encryption mode. We show that if the block cipher is a permutable pseudorandom permutation [Shmueli–Zhandry, Crypto ’25] and the obfuscator is indistinguishability-secure, then the following holds.
1. Applying the obfuscated cipher directly to the message and a short random nonce, without any additional structure or consistency checks, suffices for CCA2 security.
2. Augmenting the scheme with the capability to generate obfuscated decrypt-then-apply-$f$ circuits (for any given function $f$), yields a *functional encryption* scheme that is *simulation-secure against adaptive chosen-ciphertext attacks*.
3. For any length-preserving function $g$, augmenting the public key with an obfuscated decrypt-apply-$g$-reencrypt circuit allows anyone to homomorphically apply $g$ to encrypted data, for an unbounded number of times, while preserving semantic security. (This relies on subexponential security.)
We also show that, under the split-circuit pseudorandomness (SCP) assumption of [Canetti–Chamon–Mucciolo–Ruckenstein, TCC ’24], random reversible circuits form a permutable pseudorandom permutation family. This points to obfuscated random reversible circuits as a potential alternative avenue to public-key encryption with strong security and rich functionality.