We propose a novel notion of Two-Factor Authenticated Key Exchange (TFA-KE), defined in the universal composability model (UC), which extends asymmetric PAKE (aPAKE) by a 2nd authentication factor in the form of a $t$-bit one-time code computed by a personal device based on a clock or counter. Our notion strengthens the security of standard integration of aPAKE with short authentication codes by additionally slowing down offline brute-force password search in case of server compromise by a factor of $2^t$. In other words, our TFA-KE notion uses $t$-bit authentication codes not only to improve on-line security of password authentication, as is the current practice, but also to strengthen password security on server corruption, whilst retaining the ability of aPAKE to avoid the common but deplorable practice of relying on "secure-channel" encryption for password protection. We show a generic framework for implementing TFA-KE, with two efficient instantiations. Our key enabling tool is a tight one-way function (TOWF) with an algebraic structure that allows for its evaluation on a secret-shared input. We initiate the study of such functions, and we provide two proposals which we show to be tightly one-way in the Generic Group Model. Tightness means that a function evaluation on an input sampled from domain $\mathcal{X}$ takes $\Omega(|\mathcal{X}|)$ time to invert, which in our application implies that offline password search attacks are slowed to $\Omega(|D|\cdot 2^t)$ for passwords sampled from dictionary $D$.

Privacy-oriented cryptocurrencies like Zerocash only support direct payments and not the execution of more complex contracts. Bitcoin and Ethereum, on the other hand, cannot guarantee privacy, and using them for contract execution leaves open questions about the fungibility of proceeds and requires contract designers to take frontrunning countermeasures. This work reconciles the two worlds and develops a practical framework for decentralized execution of complex contracts that (1) is undetectable to the network at large, (2) maintains anonymity of the potentially mutually distrustful counterparties and unlinkability of their repeated interactions, (3) guarantees fair termination, and (4) is immediately resistant to frontrunning and miner bribery attacks. This is achieved by leveraging the confidentiality and anonymity guarantees of Zerocash and the verifiability and flexibility of trusted execution environments.

Distributed quantum computing (DQC) enables multi-device collaboration to reduce per-node circuit depth and solve larger-scale problems beyond the processing capability of a single quantum device. In 2022, Tan et al. proposed a distributed Simon's algorithm via a concatenation-type periodic function. In comparison with the standard version, the distributed Simon's algorithm has a lower per-node quantum query complexity resulting in not only a reduced per-node circuit depth but a higher per-node qubit requirement as well. This paper proposes a new distributed Simon's algorithm by constructing an XOR-type periodic function, which can reduce both the per-node quantum query complexity and the per-node qubit requirement. Specifically, the per-node quantum query complexity is reduced to $2c(n-t)$ ($c>3$), matching that of Tan et al.'s scheme; furthermore, the per-node qubit requirement is diminished significantly from Tan et al.'s $2^{t+1}m$ to $m+n-t$, which is an exponential reduction with respect to $t$. Here, $n$ and $m$ respectively denote the input and output lengths of the periodic function while $t$ is an integer satisfying $n/2<t<n$. Given the scale limitations of current quantum hardware, our distributed algorithm makes it feasible to tackle larger-scale problems that cannot be solved on a single quantum device. Based on this new algorithm, we propose distributed quantum key-recovery attacks on the SoEM22 construction. Compared with state-of-the-art non-distributed quantum attacks based on the standard Simon's algorithm, our attack requires notably lower per-node qubit overhead, while retaining comparable time complexity in both the classical and quantum query models.

Simulation-based formulation of security enables us to naturally capture our intuition for security. However, since the simulation-based formulation is rather complicated, it is convenient to consider alternative simulation-free formulations which are easy to manipulate but can be employed to give the same security as the simulation-based one. So far the indistinguishability-based and comparison-based formulations have been introduced as such ones. Regarding the security for public key encryption, while these three formulations are shown equivalent in most settings, some relations among these formulations of non-malleability under the valid ciphertext condition, in which an adversary fails if it outputs an invalid ciphertext, remain open. This work aims to help to consider the appropriateness of the formulations of security by clarifying the above open relations among the formulations of non-malleable encryption.

Active weighted threshold signatures support dynamic changes to signer weights, thresholds, and committee membership. We show that local validity of weighted update operations is not a compositional security abstraction: a sequence of individually valid updates can move an initially sub-threshold coalition into an authorized reachable state. We introduce rank-exposure guards, a compiler that enforces a reconstruction-safety invariant over live, stale, derivative, public, and transient signing material. The compiler wraps ledger-sound one-step update engines with atomic activation and old-epoch digest-bound transition certificates, lifting fixed-state weighted unforgeability and update soundness to sequence-level active unforgeability. We instantiate the compiler as REG-ADAPT, a guarded GLI reconfiguration scheme built around ADAPT-style local updates, and implement it on top of the public ADAPT Go artifact. Our evaluation shows that the artifact detects and rejects unsafe update sequences, while adding only microsecond-scale metadata and rank-audit overhead.

This paper formalizes the cryptographic core of the FLEX protocol and its enhanced variation FLEX2 . The analysis formalizes a minimal ledger abstraction, capturing Taproot, CSV timelocks, and reorg bounds, and defines ideal functionalities implemented as transaction-DAG and state machines. Main contributions include proving on-chain enforceability, CDS secrecy, soundness, leakage-bounded privacy, and universal composability realization under standard assumptions.

Asynchronous complete secret sharing (ACSS) and asynchronous dynamic proactive secret sharing (ADPSS) are fundamental primitives for secret sharing and resharing in modern threshold systems, such as multi-party computation, distributed key management, and blockchain. However, existing ACSS constructions that employ homomorphic commitments incur notable computational overhead, while the lightweight-computation constructions require quadratic per-secret communication, limiting scalability as the number of parties grows. ADPSS constructions inevitably inherit these inefficiencies due to their tight coupling to the commitment-based ACSS and requiring at least quadratic cross-committee communication. To break these bottlenecks, we design GoSSamer, a concretely and asymptotically efficient protocol suite, where both our ACSS and ADPSS achieve (1) lightweight computation with only hash function and symmetric encryption; (2) asymptotically optimal, linear per-secret communication; (3) optimal resilience in asynchronous networks; and (4) post-quantum security. In GoSSamer-ACSS, we propose an original-evaluation propagation paradigm for linear communication without commitment‑requiring interpolation, which further unlocks our lightweight bivariate-polynomial-based degree checking for share verification. Building on this foundation, GoSSamer‑ADPSS contributes two further techniques: a consistency verification technique that decouples the ADPSS framework from the commitment-based ACSS, and a dual-committee reconstruction technique that yields linear per-secret communication. When deployed in distributed AWS instances, GoSSamer-ACSS reduces the runtime by 95.6% compared to the linear-communication scheme hbACSS (NDSS'22) and 45.8% compared to lightweight SS24 (JoC'24). GoSSamer-ADPSS reduces the runtime by at least 67.7% compared to LongLive (Usenix Security'23). Moreover, when applied to practical distributed key management systems, the GoSSamer-ACSS-based distributed key generation is 7-11x faster than DXK+23 (Usenix Security'23), and GoSSamer-ADPSS-based key resharing reaches a throughput of 1994 keys/s across 10-node committees, compared to 85 keys/s in LongLive.

Post-quantum signatures have been suffering from their inefficiency compared to traditional signatures. To reduce space consumption, a promising approach is to design signature schemes with message recovery, which can embed part of the message into the signature without increasing its length. A notable example is the PSS-R signature scheme (probabilistic signature scheme with recovery) proposed by Bellare and Rogaway (EUROCRYPT 1996) in the classical ROM (random oracle model). However, there were few works considering post-quantum signature schemes with message recovery. In this work, we study the design of post-quantum signature scheme with message recovery in the QROM (quantum ROM). Specifically, we adapt the classic PSS-R signature scheme to the post-quantum setting and prove its security in the QROM. Our security proof is conceptually similar to the original proof of PSS-R, but faces challenges in QROM when we need to reprogram two random oracles with correlated inputs/outputs. To address these issues, we extend the tight adaptive reprogramming theorem (Grilo et al., ASIACRYPT 2021) and the measure-and-reprogram theorem (Don et al., CRYPTO 2020) to our setting, to support reprogramming two oracles successively, where the input to one oracle depends on the other oracle's output. With these extended proof techniques, we provide the first security proof of a PSS-R-like signature scheme with message recovery in the QROM.

Updatable public-key encryption (UPKE) is a cryptographic primitive that was proposed for secure messaging to provide forward secrecy in public-key settings. It extends standard public-key encryption with a key-update mechanism that lets anyone update a receiver’s public key and issue a corresponding token for updating the secret key. Unlike traditional forward secrecy where all past messages should remain secure after a key leakage, UPKEs guarantee security only as long as at least one honest update has occurred. While classically-secure efficient instantiations of UPKE are known from Diffie-Hellman assumptions, constructing an efficient post-quantum secure UPKE scheme with unbounded updates remains an open problem. In this work, we propose an isogeny-based UPKE that relies on a dimension-four version of the FESTA public-key encryption scheme. It is practically efficient and supports an unbounded amount of updates. Moreover, we provide a formal security proof based on a problem in isogeny-based cryptography that has received considerable scrutiny.

The Swiss Post voting system is one of the most advanced cryptographic voting protocols deployed for political elections, offering end-to-end verifiability and vote privacy. It provides significant documentation and independent scrutiny reports. Still, we argue that two significant pillars of trust need to be further developed. One is formal verification accompanied by machine-checked proofs. The second is security in presence of a corrupt setup component. In this work, we propose formal specifications of a simplified version of the Swiss Post voting protocol and initial verification results with the Tamarin prover. We also propose a revised protocol design that mitigates risks from a corrupt setup, and a prototype implementation of necessary zero-knowledge proofs.

We present a novel construction that applies the Ciphertext-Policy Attribute-Based Encryption paradigm in an original symmetric framework, where also the encryptor needs to have enough attributes to be able to produce a ciphertext for a given policy. The scheme is built from minimal assumptions on collision-resistant hash functions and pseudorandom functions, exploiting the properties of linear secret sharing and polynomial interpolation. Thus, it is natively Post-Quantum secure. We formally define a novel extended form for access trees, that trades a polynomial space expansion for a more predictable topological structure. This structure enhance the arithmetic possibilities of the associated secret sharing primitive. Moreover, we propose a comprehensive notation for access trees, sharing and interpolation, which may help in the study of these powerful primitives.

This literature review explores the state-of-the-art advancements in quantum and post-quantum blockchain. The realm of quantum computing is on the rise and will disrupt entire tech industries, including classical cryptography, which is the foundation of blockchain. There has been extensive research on classical cryptosystems (i.e., post-quantum) and their integration with blockchain to create quantum-resistant classical blockchains. We have reviewed the state-of-the-art in these post-quantum blockchains in academic research. But to have forward compatibility with the quantum internet and infrastructure in the future and to have quantum mechanical security, research has been conducted to implement blockchain on quantum technologies and quantum cryptography as well. Consequently, we have explored the current state of research in these quantum solutions, known as quantum blockchains.

We give efficient formulas to evaluate isogenies of ordinary elliptic curves over finite fields of characteristic $2$, extending the odd-characteristic techniques of Hisil--Costello and Renes to binary fields. For odd prime degree $\ell = 2s+1$, our affine product evaluation computes the image $x$-coordinate using $5s\mathbf{M}$ field multiplications, or $4s\mathbf{M}$ when the kernel points are normalized. We derive an inversion-free variant that evaluates the $x$-map in projective and twisted Kummer coordinates, allowing carried points to remain projective across successive isogeny steps. Over $\mathbb{F}_{2^{511}}$, microbenchmarks show that the inversion-free projective and twisted variants are faster than Vélu-style $x$-evaluation when outputs are kept in projective/twisted form, while the affine one-inversion variant is about $4.2\times$ faster.

Designing non-interactive proof systems, such as NIZK or SNARKs, for lattice-based protocols is a well-motivated problem with numerous applications including aggregate signatures, verifiable random functions, group signatures, verifiable homomorphic encryption schemes, and others. Although many works have made efforts toward efficient lattice-based protocols, several challenges remain. In particular, a major challenge, as highlighted by Ganesh et al. (Journal of Cryptology 2023) and Zhang et al. (CCS 2025), is the algebraic gap between polynomial rings, which are typically used in lattice-based constructions, and fields, which are commonly used in the constructions of non-interactive proofs. In this paper, we introduce a novel technique called ring switching, which bridges this gap by transforming proofs over polynomial-ring arithmetic into proofs over finite fields or Galois rings with prime power modulus. Using ring switching, we construct an efficient non-interactive argument of knowledge for Ring-R1CS over $\mathbb{Z}_Q[X]/(X^N+1)$ for arbitrary prime-power moduli $Q$. Our construction achieves sublinear proof size and enables significantly faster verification by eliminating costly ring multiplications. The ring switching framework is compatible with parameter regimes used in practical lattice-based cryptosystems, including NTT-friendly and power-of-two moduli. Subsequent works building on this technique further demonstrate its efficiency, achieving substantial verification time improvements in lattice-based polynomial commitments and verifiable homomorphic encryption schemes.

We present a method for secure pattern matching over encrypted texts using TFHE. Our approach realizes a fully secure binary search algorithm by leveraging two operational modes of integer-input TFHE. While the BGV-based method of Bonte and Iliashenko (CCSW '20) requires $O(|P| \cdot |T|)$ secure character comparisons to find a pattern $P$ in a text $T$, our method reduces this to $O(|P|\log |T|)$ comparisons, achieving improved scalability for large texts. As a result, our method can find a pattern of length 100 in an encrypted text containing genomic data of one million characters in less than 5 minutes, where prior work would require approximately 5 days for the same task. These results highlight the practicality of TFHE and its potential for large-scale secure string search.

The recent study has demonstrated that neural networks can serve as a navigator for an automatic search model for integral cryptanalysis with a reduction in computational complexity. However, the inherent drawbacks of using a deep learning model such as large datasets and limited interpretability are the major obstacles in cryptanalysis. In this paper, we introduce another simple data-driven approach using the linear algebraic concept to characterize key-independent balance properties as the kernel of a matrix with empirical parity data. We stack the ciphertext parities obtained under many independent keys into the parity matrix and prove that every mask satisfying the matrix multiplication as zero corresponds exactly to a balance property. Candidates of the balance mask from the test are additionally evaluated by the spurious mask test. We demonstrate the practicality and generality of the kernel methodology on seven lightweight block ciphers spanning SPN with SKINNY, Midori, PRESENT, LED and ARX with SPECK, SIMON, SIMECK. Across these cases, our method recovers known distinguishers and reveals additional non-trivial linear combinations missed by conventional analyses. We additionally position the kernel method relative to other similar methodologies. Our results show that the kernel method provides a rigorous and cipher-agnostic alternative to neural feature exploration and complements division property-based search techniques.

Sanitizable signature schemes~(SSS) allow a designated sanitizer to modify admissible portions of a signed message while preserving the validity of the original signer's authorisation. All existing SSS constructions satisfying the Brzuska et~al.\ security framework rely on classical number-theoretic assumptions broken by Shor's algorithm. We present \textsf{UOV-San}, a sanitizable signature scheme based entirely on multivariate cryptography. The construction employs a dual-signature architecture with strict key separation enforced by a two-message interactive signing protocol: the signer holds only $\sk_S$ and the public trapdoor-hash key $\ck$, whereas the sanitizer holds $\sk_{\mathsf{San}}$ and the trapdoor key $\tk$. We introduce a target second-preimage resistance assumption, \textsf{tSPR}, for UOV public maps. It captures the hardness of finding a distinct input $r'\neq r$ that collides with a given random target input $r$ under the public map $P$, namely $P(r')=P(r)$. Based on this assumption we construct MV-CH, a dedicated multivariate target-collision trapdoor hash. MV-CH is not a standard message-dependent chameleon hash of the form $CH(m,r)$; instead, it hashes only the randomness $r$, while message binding is provided by the upper-layer dual-signature construction. The sanitizer can use the UOV trapdoor to generate target collisions, whereas outsiders face the \textsf{tSPR} problem, except for random-oracle target-collision events. \textsf{UOV-San} provably achieves unforgeability, immutability, and accountability---including against a malicious signer---under UOV EUF-CMA security and \textsf{tSPR} in the random-oracle model. We forgo transparency and privacy: these properties are structurally incompatible with the dual-signature architecture and key-separation requirement, and are operationally unnecessary for our target application domains such as supply-chain audit, government document redaction, and blockchain audit trails. Experimental evaluation confirms practical signing times under $5$ ms and verification times under $2$ ms on commodity hardware.

POKE is an isogeny-based public-key encryption (PKE) scheme proposed by Basso and Maino. Among existing isogeny-based PKE schemes, POKE is known to achieve relatively high performance. However, the security of POKE relies on certain ad hoc assumptions, and its security analysis may not yet be fully comprehensive. In this work, we investigate the security of POKE. We show that POKE admits weak keys that reduce the complexity of certain attacks. In the POKE-2D setting, these weak keys do not significantly affect the overall security, since the probability that such keys occur is sufficiently small. In contrast, we demonstrate that POKE-4D is threatened by the presence of these weak keys. Finally, we suggest novel parameters for POKE-4D in order to mitigate the aforementioned weak-key attack. The resulting parameter sizes are comparable to those of POKE-2D. Consequently, the principal advantages of POKE-4D in terms of performance - namely, a more compact prime size and a more efficient encryption algorithm - are no longer preserved.

Cheng and Meng (IEEE Transactions on Information Forensics and Security 2024) introduced server-aided public key authenticated encryption with keyword search (SA-PAEKS). In this short note, we give general attacks that the cloud server (tester) can obtain keyword information from both a ciphertext and a trapdoor.

AMD Versal FPGAs introduce a new CLB micro-architecture featuring the LOOKAHEAD8 carry structure in place of the legacy CARRY4/8 chains, on which existing area-efficient LUT-based multiplier designs map inefficiently. This paper proposes a LUT-based integer multiplier architecture tailored to the Versal fabric. By jointly exploiting radix-4 modified Booth recoding and the new Versal LUT micro-architecture, only $\mathtt{\sim}n^{2}/4$ LUTs are required to generate the partial-product bit heap for an $n$-bit multiplication. A new heuristic for compressor-tree synthesis further improves the area--delay product by 8--20% over state-of-the-art Versal heuristics. Overall, the proposed multipliers achieve up to 40% LUT reduction relative to AMD LogiCORE IP multipliers at comparable critical-path delay. An open-source Python RTL generator with configurable operand widths and pipeline depths is provided for scalable deployment.

Recent work on IOP-based succinct arguments has focused on developing IOPs that improve prover efficiency by relying on linear-time encodable codes. We present two new schemes for improving the efficiency of such succinct arguments: $\quad \bullet$ $\mathsf{FICS}$, an IOP of proximity for multilinear polynomial evaluation that, like prior work Blaze [EUROCRYPT 2025] achieves linear prover time, but additionally reduces the verifier oracle query complexity to $O(\lambda \log \log n + \log n)$ for codewords of length $n$. $\quad \bullet$ $\mathsf{FACS}$, an accumulation scheme for NP that achieves linear prover time and $O(\lambda)$ oracle queries per step of the accumulation. Both schemes support a large class of linear-time encodable codes, including systematic LDPC codes and tensor codes of linear-time encodable codes. We obtain our results by extending and formalizing the framework of Interactive Oracle Reductions (IORs) introduced by Ben-Sasson et al. [TCC 2019]. In particular, we develop new IORs for "codeswitching" tensor codes (Ron-Zewi and Rothblum [JACM 2024]), and also develop a new notion of knowledge soundness for IORs that allows us to easily compose IORs and to prove the security of our schemes in the non-interactive setting, even if the underlying codes are not known to be decodable in polynomial time.

We study the Batch Learning Parity with Noise (LPN) variant, where the oracle returns $k$ samples in a batch and draws the noise vector from a joint noise distribution $\mathcal{D}$ over $\mathbb{F}_2^k$ instead of from an i.i.d. product distribution. This model captures a broad range of correlated or structured noise patterns studied in cryptography and learning theory. Consequently, understanding which dependent-noise distributions preserve the hardness of LPN has become an important question. On the hardness side, we design several reductions from standard LPN to Batch LPN. Our reductions identify broader classes of noise distributions $\mathcal{D}$ that preserve LPN hardness, extending the prior hardness results of Golowich, Moitra, and Rohatgi (FOCS 2024). We show hardness in three regimes: 1. If $\mathcal{D}$ satisfies a mild Fourier-analytic condition $\sum_{\mathbf{s}\neq \mathbf0}|\widehat{P}_{\mathcal{D}}(\mathbf{s})|\le 2\varepsilon$, then Batch LPN is as hard as standard LPN with noise rate $1/2-\varepsilon$; 2. If $\mathcal{D}$ is $\Omega(\eta \cdot k 2^{-k})$-dense (i.e., every error pattern occurs with probability at least $\Omega(\eta \cdot k 2^{-k})$) for $\eta < 1/k$, then Batch LPN is as hard as standard LPN with noise rate $\eta$; 3. If $\mathcal{D}$ is a $\delta$-Santha-Vazirani source, then Batch LPN is as hard as standard LPN with noise rate $1/2-\varepsilon$ whenever $\delta\le O(2^{-k/2}\varepsilon)$, improving the previous $O(2^{-k}\varepsilon)$ dependence (in Golowich et al.). On the algorithmic side, we extend Arora and Ge's (ICALP 2011) linearization attack to show that Batch LPN can be solved when the noise distribution assigns sufficiently small probability to at least one point, giving an algorithmic counterpart to our hardness results. Our reductions are based on random affine transformations and are analyzed through the lens of Fourier analysis, providing a general framework for studying dependent-noise LPN variants.

The only known solution to the big APN problem was found by exploring the CCZ-equivalence class of a specific quadratic function, the Kim mapping, which is linearly equivalent to various highly-structured functions. For example, one of these functions has a univariate representation with a specific factorisation highlighting its subspace property and that it is a cyclotomic mapping, while another has a bivariate representation corresponding to a $(q,q)$-projective mapping. In this paper, we show that the properties of this kind all correspond to a type of functions we introduce: multivariate projective mappings. These are multivariate functions whose coordinates are homogeneous. Furthermore, while a function might not have this form, it can still be equivalent to another function that has it. To handle this case, we describe how to identify the presence of a multivariate projective mapping in the linear-equivalence class of a function. We then derive our main result: for almost all known infinite families of APN functions, there exists a multivariate projective mapping, or a function commuting with the Frobenius mapping, that is CCZ-equivalent to them. Despite the widely different initial representations of these families (univariate, bivariate, or trivariate), this pattern holds. We also discuss concrete techniques to detect (or rule out) the presence of a multivariate projective mapping equivalent to a given function.

Standard hash-to-curve constructions first hash the message to a field element through a cryptographic hash-to-field step, then map this field element to an elliptic-curve point. Inside constraint systems, this inner cryptographic hash is often the dominant cost. Groth, Malvai, Miller and Zhang (Asiacrypt 2025) introduced constraint-friendly map-to-elliptic-curve-group relations that bypass the inner cryptographic hash when hashing to elliptic curve groups inside constraint systems, achieving substantial reductions in circuit size. Their security proof works in the Elliptic Curve Generic Group Model (EC-GGM). We identify three gaps. First, the security bound is not explicitly analyzed, and the bounds stated for the concrete instantiations are loose. Second, the EC-GGM does not capture the algebraic structure of most deployed curves; we exhibit a concrete signature forgery using the parameters claimed secure. Third, the construction requires a congruence condition on the field that is not satisfied by all deployed curves; we extend it to any field. As a countermeasure we propose a y-increment variant that neutralises the algebraic attack, removes the field restriction, and preserves a comparable constraint count. We implement and benchmark both constructions in the open-source gnark (Go) library; the attack is additionally demonstrated via a self-contained SageMath simulation and confirmed at the circuit level against the authors’ own Noir (Rust) implementation.

Research on cryptographic algorithms implemented in hardware and protected against side-channel attacks has advanced rapidly in recent years. Generalized masking schemes, such as Threshold Implementations (TI) and Domain-Oriented Masking (DOM), currently provide a solid theoretical security foundation. Security models, including the probing model and its various extensions, enable formal verification of these guarantees. In addition, established guidelines for designing securely composable gadgets, along with tools for the automatic generation of masked designs, have further advanced the field. Experimental security assessment approaches, such as the Test Vector Leakage Assessment (TVLA) complement these efforts. Consequently, the primary focus of the research community has shifted toward optimizing existing techniques and bridging the gap between theoretical and practical security models. In this work, we demonstrate a case in which side-channel leakage, caused by glitches, can be concealed during experimental assessment in a setup that is theoretically not robustly secure. This effect arises due to specific patterns of glitch propagation. We investigate whether a particular layout of the complete logic chain can further contribute to a design’s resistance to side-channel attacks, potentially reducing latency and area by relaxing glitch-mitigation requirements, such as reducing the number of pipeline registers. To this end, we introduce new adversarial model which further relaxes the model of Müller and Moradi, introduced at CHES 2024. To illustrate the practical relevance of our proposal, we provide experimental evidence by modifying a well-known, provably secure AES S-box design by De Cnudde, rendering it insecure under the robust probing model. We conduct TVLA of power consumption for both FPGA-based (physical) and ASIC-like (simulation) implementations of our netlists, demonstrating the absence of detectable leakage, similar to the originally robustly secure version of the algorithm.

End-to-end encrypted (E2EE) messengers such as Signal, WhatsApp and iMessage increasingly deploy Key Transparency (KT) to make malicious key substitution detectable. Yet KT only delivers its intended protection if users are anchored to the same global append-only KT history. A malicious operator can break this condition by equivocating, presenting incompatible views of the KT directory to different clients. Current deployments delegate detection to a small set of third-party auditors, creating a centralized trust bottleneck that can be pressured, compromised, or fail to audit continuously. We ask whether clients can detect equivocation themselves, without dedicated infrastructure, simply by comparing KT state as they communicate. We introduce MINGLE, an opportunistic in-band gossip protocol for end-to-end encrypted messengers. MINGLE piggybacks compact KT commitments on a subset of ordinary messages before encryption, keeping gossip indistinguishable from regular application data while requiring no external services or overlay network. Rather than asking users to manually verify safety numbers or relying on a small set of auditors, MINGLE distributes the consistency check across the entire communication graph: an adversary wishing to sustain a split view must permanently isolate targeted clients from the rest of the network, preventing any cross-partition message from ever being delivered, a requirement that grows increasingly difficult to maintain covertly as the social graph densifies. MINGLE inherits the Trust-on-First-Use (TOFU) assumption standard in E2EE messengers: equivocation that begins at registration evades immediate detection, though the append-only log ensures it remains retroactively exposable once any cross-partition gossip event occurs. Using a temporal communication model, we show that under eventual cross-partition connectivity, conflicting KT views yield publicly verifiable evidence. We prototype MINGLE in the Signal Android client using Signal's KT Server implementation, incurring a payload overhead of 119 bytes per gossip-carrying message without UI changes. Simulations under realistic messaging patterns show that MINGLE achieves high reliability and fast evidence generation without aggressive gossip flooding. MINGLE yields evidence of a targeted split view in a \(12000\)-client deployment within about \(5\) minutes when only \(20\%\) of clients participate and gossip is attached to roughly \(5\%\) of messages, suggesting that ordinary client communication can serve as a practical audit layer for KT.

Secure aggregation enables a server to learn the sum of private inputs of clients, while revealing no additional information beyond the final sum. Recent work, Willow (CRYPTO 2025) achieves one--shot secure aggregation in the single-server model with dynamic client participation. To ensure security under these features, Willow relies on an auxiliary committee to verify the correctness of the aggregation. Although this verification requires no private information---broadening the set of parties eligible to participate in the committee---the committee’s total work scales linearly with the number of clients, which poses a challenge for large-scale deployments. This linear committee cost limitation is also shared by other state-of-the-art single-server secure aggregation protocols, including Flamingo (IEEE S&P 2023) and OPA (CRYPTO 2025). In this paper, we introduce WillowFold, a secure aggregation scheme based on Willow that enables lightweight verification of the aggregation and requires only logarithmic committee cost in the number of clients. Our scheme additionally supports streaming aggregation and reduces per-client server storage to a single ID (4 bytes), rather than storing full contributions as in Willow (1.5 KB), which facilitates distributed execution of the server-side computation. Finally, we close a gap in Willow’s security proof by showing that the zero-knowledge proofs underlying the scheme must be simulation extractable in order to rule out correlated ciphertext attacks. WillowFold employs proof-carrying data (PCD)---a primitive for incremental verification of distributed computations---to achieve a lightweight verification cost. In particular, we present a concretely efficient instantiation of WillowFold using a variant of Spartan+KZH-Fold (CCS 2025) as the underlying PCD scheme. As independent contributions, we show a zero-knowledge variant of Spartan+KZH, which is the SNARK underlying Spartan+KZH-Fold, that uses logarithmic randomness, and we further prove that this variant satisfies the simulation extractability. We implement and evaluate WillowFold, showing that it supports $8$ million clients with proof size $<60$~KB and verification time under one second--a $10^{5}$-fold improvement over Willow.

We introduce Bolt, a new Multilinear Polynomial Commitment Scheme (MLPCS) designed for high-performance SNARKs. Bolt is geared towards SNARKs for large computations, in which prover speed is paramount but one can afford slightly larger proofs. The construction is based on the code-switching paradigm; our core technical contribution is a new "proof-system friendly" error-correcting code with extremely efficient encoding both asymptotically and concretely. A theory-oriented instantiation of Bolt achieves a commitment time of approximately (3+\epsilon)*N field additions plus a Merkle Tree hash computation of size (1+\epsilon)*N field elements, where N is the size of the multilinear polynomial and \epsilon>0 is arbitrarily small. The prior state-of-the-art, Blaze (Brehm et al., Eurocrypt 2025) used 8N additions and a 4N size Merkle hash. Concretely efficient instantiations of Bolt demonstrate that these asymptotic gains translate into substantial real-world speedups. Our benchmarks show that for N=2^{30} over the field GF(2^{32}) Bolt's commitment time is roughly 3-4x faster than Reed-Solomon based schemes, depending on the specific parameterization. In the slower variant, the proof-size is ~2MB. Bolt also offers better commitment time and especially proof size compared to recent linear-time schemes. For example, its commitment time is about 20% faster than Brakedown (Golovnev et al., Crypto 2023) with a 5-15x smaller proof.

Synchronous protocols are a fundamental and widely studied model in distributed computing and cryptography. In this model, protocols proceed in rounds: at the beginning of each round, parties send messages, and all messages are guaranteed to be delivered before the round ends. The standard communication complexity of a synchronous protocol measures the total number of bits transmitted throughout the execution. However, this metric does not accurately reflect the protocol’s actual running time, since it ignores the inherent parallelism of synchronous communication. In particular, multiple parties may transmit simultaneously within the same round, and the duration of a round is determined not by the total communication volume, but by the longest transmission that must occur sequentially. To capture this aspect of synchronous computation, we introduce \emph{communication-depth}, a new complexity measure for synchronous protocols. Informally, communication-depth quantifies the amount of communication that lies on the protocol’s critical path, namely, the number of bits that must be transmitted sequentially and therefore determine the protocol’s execution time. The communication-depth of a protocol is defined as the sum, over all rounds, of the cost of each round. We consider two variants of round-cost capturing different types of parallel communication the network allows. In the \emph{simultaneous-parties} model, the cost of a round is the maximum number of bits any party sends or receives during that round. In the \emph{simultaneous-channels} model, the cost of a round is the maximum number of bits transmitted over any single channel during the round. We demonstrate the usefulness of communication-depth by fully characterizing the asymptotic complexity of multivalued synchronous broadcast. Perhaps surprisingly, while protocols for $\ell$-bit inputs with asymptotic optimal communication $O(\ell n)$ have been known for a long time, current protocols only achieve communication-depth $\Theta(\ell n)$ in the simultaneous-parties model and $\Theta(\ell)$ in the simultaneous-channels model. Our results provide a complete characterization of multivalued broadcast under communication-depth for both variants. On the negative side, we show that when $n - t = O(1)$, any protocol tolerating up to $t$ corrupt parties requires communication-depth $\Omega(\ell n)$ in the simultaneous-parties model and $\Omega(\ell)$ in the simultaneous-channels model. On the positive side, we show that when $n - t = \Theta(n)$, multivalued broadcast can be achieved with communication-depth $\Theta(\ell)$ in the simultaneous-parties model and $\Theta(\ell/n)$ in the simultaneous-channels model.

Publicly Verifiable Secret Sharing (PVSS) is widely used in distributed systems. Existing schemes usually incur at least $O(n)$ online cost: the dealer encrypts, proves, and publishes $n$ shareholder-dependent objects, which public verification must process. In this work, we present a generic framework that transforms publicly verifiable CCA2-secure threshold encryption (CCATE) into \emph{constant-online} PVSS, with distribution and public- verification costs independent of the number of shareholders. The framework moves the share-generation work into a reusable setup phase: once threshold keys and public verification material are fixed, online sharing amounts to a single publicly verifiable threshold encryption. We instantiate the framework with two CCATE constructions: 1) a pairing-free instantiation using standard Threshold ElGamal encryption under a committee-based setup assumption; and 2) a silent-setup scheme leveraging non-interactive key generation via a Power-of-Tau ceremony, eliminating inter-party coordination during setup. Furthermore, we discuss epoch-based membership updates under the corresponding setup assumptions, clarifying the security boundary of reconfiguration. The resulting schemes incur higher setup costs, but the critical online distribution and public-verification phases are constant-size and constant-time. This trade-off is particularly useful when setup can be amortized over many PVSS instances, as in blockchain and distributed-system deployments.

Efficient and secure hardware implementations of post-quantum cryptographic schemes are critical for real-world adoption. In this work, we propose a unified FPGA-based architecture for Kyber and Dilithium that combines flexibility, lightweight design, and fault tolerance. The architecture adopts a microcoded, programmable datapath supporting both schemes with minimal area overhead, enabling seamless integration of modules such as SHAKE, sampling, and coefficient rounding. To enhance resilience against propagation-based fault attacks—which exploit effective/ineffective fault behavior in public-domain computations—we embed a probabilistic verification mechanism using rejection sampling. This countermeasure transforms deterministic operations into cryptographically constrained probabilistic processes that remain efficient under normal conditions while significantly degrading under adversarial faults. The result is a robust and compact design that not only supports both a lattice-based KEM and signature scheme, but also provides the first unified fault countermeasure architecture for Kyber and Dilithium, maintaining low retry counts and minimal performance degradation in fault-free environments.

Linearization is a cryptanalysis technique in which a nonlinear function (an S-box) is represented by an affine mapping on a certain subset of inputs. Its variants were applied to analyze Keccak, LowMC, RAIN and AIM. In these primitives, the S-boxes are either very small (up to 5 bits) or are very specific monomial functions over a binary field. Linearization of arbitrary S-boxes was never practically explored due to the lack of theoretic, algorithmic, and cryptanalytic understanding. For the first time, we develop an algorithmic toolkit which allows one to compute strong linearizations of S-boxes, when they exist. For up to $n=8$ bits, our algorithms are able to find provably the best possible approximations, while for larger S-boxes it is feasible to obtain good approximations together with meaningful upper bounds. We apply our algorithms to a variety of S-boxes from existing primitives, to monomial functions, to so-called APN functions, and to 16-bit Super-Sboxes. We obtain interesting results raising many new open questions and open up new research directions, as well as a foundation for developing cryptanalytic attacks. To advance the cryptanalytic utility of linearization, we study and solve the problem of covering an S-box with multiple approximations. As an application, we derive a generic linearization approach for the CICO problem (constrained-input-constrained-output) over SPN-based permutations (Substitution-Permutation Networks) with general linear layers. This is the first such general cryptanalysis based on the existence of a strong linearization of the S-box.

In this paper, we propose Titan, an efficient polynomial commitment scheme (PCS) with transparent setup. It achieves commitment time of $O(n)$, evaluation time of $O(\sqrt{n})$ while the proof size and verification scales as $O(\sqrt[4]{n})$. Titan features an order of magnitude smaller proof sizes than hash based PCS, while featuring a significantly more efficient prover and verifier compared to state of the art group based schemes like Dory and Hyrax. To achieve this balance, Titan borrows two-tiered commitments from Dory, and realizes outer commitment using interactive protocols of proximity (IOPP) over groups, such as Basefold and WHIR, instead of expensive bilinear pairings. This allows Titan to be instantiated over general curves with discrete-log hardness such as Pasta Curves, instead of requiring pairing friendly curves. We compile a variant of Spartan protocol for R1CS with Titan PCS to realize a new SNARK, which we call TitanSnark. Our construction TitanSnark preserves the prover efficiency of the existing Spartan protocol, while improving proof size and verification quadratically from $O(\sqrt{n})$ to $O(\sqrt[4]{n})$. Concretely, for circuits of size $\geq 2^{22}$ this results in around $3\times$ more efficient proof size and verification. Our blueprint of combining IOPPs over groups with Pedersen style inner commitments is of independent interest, as are several optimizations towards efficiently realizing WHIR IOPP over prime-order groups.

The advent of quantum computing is expected to transform the landscape of cryptographic security, making many classical algorithms vulnerable to quantum attacks such as Grover’s exhaustive key search. In this study, we present an efficient quantum circuit implementation of the lightweight block cipher KLEIN for all variants. Each functional component of the cipher, such as key addition, substitution, RotateNibbles, MixNibbles, and key scheduling, is implemented. The complete quantum design involves gates such as CCNOT, CNOT, and Pauli-X. Furthermore, we provide a comprehensive resource estimate for executing Grover’s search algorithm on the proposed quantum circuits, highlighting their resilience and practicality in post-quantum cryptographic contexts.

Research at the intersection of artificial intelligence (AI) and cryptography is expanding, but existing surveys often focus on specific techniques or provide only high-level overviews without cross-domain comparison. This paper presents a trend analysis across major subfields of AI-aided cryptography. We review 90 publications from 2021–2025 and complement them with call for papers from journals, conferences, and public tenders. The results show uneven coverage: cryptanalysis and hashing dominate, while protocols, encryption, and post-quantum cryptography are less explored. We outline emerging gaps and likely growth areas to support future research prioritization.

Trusted Execution Environments (TEEs), also known as secure enclaves, such as Intel SGX, Intel TDX or AMD SEV are seeing widespread use to perform computations on highly sensitive data. To analyze the security of cryptographic protocols using TEEs, several formal models exist, notably the one by Pass et al. (EUROCRYPT 2017) for attested computations in the Generalized UC framework. Using this model and the proposed global ideal functionality $\mathcal{G}_{\mathrm{att}}^{\mathrm{PST}}$, provably secure multi-party computations with practical efficiency are possible. Attested computations are achieved by having enclave outputs signed with a key pair held by $\mathcal{G}_{\mathrm{att}}^{\mathrm{PST}}$, together with the enclave's code. Being a global functionality, the verification key can be obtained by any party. Perhaps surprisingly, this model does not give rise to a meaningful notion of public verifiability, i. e. the ability of external parties to plausibly verify results, even though some commercially available enclaves allow exactly that. We formalize this intuition in the form of an impossibility result and propose a novel simulation technique where equivocation is not handled by the simulator resp. adversary anymore, but in a coordinated effort between our new functionality $\mathcal{G}_{\mathrm{att}}$ and a (local) ideal functionality $\mathcal{F}$ that is realized with public verifiability. To this end, several technical problems need to be solved, in particular to ensure that this new mechanism cannot be abused. While unconventional, this approach is, to the best of our knowledge, the first to achieve a general variant of public verifiability a) even when all protocol parties are corrupted and $\mathcal{F}$ is probabilistic and b) where guarantees of honest (external) verifiers are not affected by simulation at all. We call the latter property global public verifiability. We also address a second impossibility result of Pass et al., namely the requirement that every protocol party needs a TEE (even in a setting without public verifiability), unless an additional (global) setup is used. We address this impossibility result by introducing designated-verifier attestations that are only valid for a single party in a single protocol execution, akin to what is possible with real-world enclaves. Using our improved model, we propose protocols for (globally publicly verifiable) composable general MPC and prove their security under the notion of Universal Composition with Global Subroutines (Badertscher et al., TCC 2020) and static malicious corruptions.

Fair and free elections are the foundation of democracies and democratic processes. They require voting protocols that guarantee the integrity and verifiability of the result, as well as the private choice of each voter. Currently deployed e-voting protocols rely on traditional hardness assumptions, like the discrete logarithm problem, to provide these security guarantees. They are not post-quantum secure (pq-secure). While first proposals for pq-secure protocols exist, they are limited in the variety of voting scenarios they can support and/or in terms of efficiency. In this work, we therefore propose PQKryvos, an efficient and flexible pq-secure homomorphic e-voting protocol that can be instantiated for a wide variety of election methods and ballot formats. Our construction efficiently combines homomorphic lattice-based commitments with hash-based general-purpose proofs (GPZKPs) to ensure ballot correctness. As a pq-secure instantiation of the Kryvos framework introduced by Huber et al. (CCS 2022), PQKryvos not only provides voter privacy and (public) verifiability of the result, but additionally allows for the stronger privacy notion of public tally-hiding. Public tally-hiding ensures that only the intended election result (such as the full vote count or only the winner) is publicly revealed, while no additional information is leaked. This further improves the privacy for both voters and election candidates. PQKryvos is the first homomorphic pq-secure e-voting protocol to generically support arbitrary ballot formats and the first to provide public tally-hiding. Our implementation and evaluation of PQKryvos demonstrate that it achieves practical performance for diverse election schemes and outperforms the original pre-quantum Kryvos instantiation in some settings. Moreover, we demonstrate that by utilizing GPZKPs, existing pq-secure e-voting protocols can support additional ballot formats, can be enhanced in their tallying phase, and can be extended to publicly tally-hiding protocols.

Blockchain-enabled data sharing provides public verifiability and auditability for access control in Internet of Things environments. However, before formal authorization is granted, efficiently verifying whether a data requester satisfies a hidden access policy remains challenging. Existing schemes may expose user attributes, access policies, or matching relationships during on-chain verification, while pairing-based operations, decryption tests, or general zero-knowledge circuits often introduce high verification overhead or strong trust assumptions. To address these issues, this paper proposes a privacy-preserving pre-verification access control scheme based on attribute vector commitments and Bulletproofs. The proposed scheme encodes user attributes and access policies into vector forms and uses vector commitments to hide authenticated user attributes. Access eligibility verification is then transformed into a hidden inner-product relation, allowing a data requester to prove policy satisfaction without revealing its real attributes or the policy contents. The pre-verification process is pairing-free and does not require trusted setup, making it suitable for smart-contract-based public verification. In addition, proxy re-encryption is integrated to support controlled data access after successful pre-verification. Security analysis shows that the proposed scheme achieves pre-verification completeness, knowledge soundness, zero-knowledge, attribute privacy, policy privacy, and collusion resistance. Performance analysis and experimental results demonstrate that the proposed scheme reduces on-chain verification overhead, communication cost, and deployment complexity compared with existing access control schemes, making it practical for privacy-preserving data sharing in blockchain-assisted Internet of Things environments.

We introduce CRISP (\underline{C}ircuit-p\underline{R}ivate Single-\underline{I}mage \underline{S}teganog\\raphy with \underline{P}ermutations), a provably secure homomorphic steganography scheme that addresses key limitations in existing approaches to private outsourced computation. CRISP operates under an explicit threat model: the cloud provider knows steganography is in use, knows the scheme, and knows the channel-assignment permutations; the only secret is the per-execution pixel position. This is the natural model for outsourced computation, where hiding the existence of stego content is logically incompatible with delegating the computation. The security goal is therefore positional and structural hiding under known-presence, not Cachin-style undetectability. Within this model, current methods suffer from two problems: excessive image overhead and a complete lack of circuit privacy. The wire-per-image architecture used by ProSt requires a separate cover image for each circuit wire, and inadvertently fixes wire roles to specific images, exposing the underlying logical gate structure to an honest-but-curious cloud provider. CRISP resolves these by embedding all three Fredkin gate inputs into the RGB channels of a \emph{single} cover image at a secret pixel position $(\mathit{row},\mathit{col})$, with all three outputs written to a single output image. Two independently sampled permutations control channel-to-role assignment: $\pi_{\mathrm{in}}$ before embedding and $\pi_{\mathrm{out}}$ after Fredkin computation. Both are public; circuit privacy comes from $\pi_{\mathrm{out}}$ being resampled independently per gate, which breaks the per-channel LSB-correlation attack that the Fredkin gate's control-bit pass-through would otherwise enable. Our security analysis demonstrates that the adversary's advantage in inferring the embedded secret decays as $\Theta\!\left(1/(h{\times}w)\right)$, where $h{\times}w$ is the image resolution. We give a self-contained Bayesian proof of this bound, an explicit refutation of the na\"ive ``concatenate all LSBs'' attack, and a precise scope statement for the circuit privacy guarantee. Per gate, CRISP uses two images versus ProSt's six, a $3\times$ per-gate reduction. At the circuit level, the un-obfuscated 14-gate benchmark uses $33$ images versus ProSt's $47$ ($1.42\times$); the 17-gate obfuscated form uses $44$ versus $61$ ($1.39\times$). Larger circuits achieve higher reduction ratios as the source-image overhead amortises. Correctness, security, and efficiency are formally proved and experimentally validated.

Schnorr blind signature is one of the most efficient and widely used blind signatures. At CRYPTO'23, Katsumata et al. proposed CSIOtter, the first blind signature from isogenies, which does not follow the construction framework of the Schnorr blind signature. Instead, CSIOtter was constructed from the sigma protocol for an OR relation that captures the idea of the Abe-Okamoto signature and hence can adapt the proof techniques by Kastner, Loss and Xu (PKC'22) into its security proof. Unfortunately, the concurrent security of CSIOtter was later broken independently by Katsumata et al. (PKC'24) and Do et al. (Eurocrypt'24). As a result, CSIOtter and Schnorr-like blind signature schemes constructed from Sigma protocols with small challenge space should not be used for polynomially many concurrent signing sessions without additional boosting transformations. Sequential security, and in some settings logarithmic-session concurrent security, remain meaningful security guarantees. In this paper, we provide an intensive study of the Schnorr blind signature from isogenies in the Algebraic Group Action Model (AGAM) and the Random Oracle Model (ROM). In particular, we first prove the tight security of the existing Schnorr signature from isogenies under the group action discrete logarithm assumption (GADLOG) in AGAM + ROM, which serves as the foundation for the proof of the sequential security and logarithmic-session concurrent security of the Schnorr blind signature in AGAM + ROM under the hardness of the one-more group action discrete logarithm (OMGADLOG) assumption. We also clarify a limitation of the direct parallel-repetition approach: because the large challenge space is obtained from binary challenges, the construction should not be claimed to satisfy general two-open-session concurrent security for polynomially many total signing sessions. In addition, of independent interest, we also present the Schnorr-Signed Hashed ElGamal KEM from isogenies and prove its CCA2 security in AGAM + ROM under the hardness of GADLOG.

Secret sharing under expressive access structures and public verifiability have largely been developed in separate lines of work. Generalized secret sharing (GSS) supports arbitrary monotone access structures, but relies on private channels and gives no public evidence that the dealer distributed a consistent sharing. Publicly verifiable secret sharing (PVSS), in contrast, supports public verification over insecure channels, but is fundamentally tailored to threshold policies. We introduce publicly verifiable generalized secret sharing (PVGSS), a primitive that combines arbitrary monotone access structures with non-interactive public verification of both encrypted shares and decrypted reconstruction shares. Our construction encrypts only the leaf shares of an underlying GSS instance and proves, via Schnorr-type NIZK proofs, that all ciphertexts are globally consistent with a single secret. The key technical ingredient is a GSS testing procedure that checks this global consistency from proof responses, without revealing the shares. We instantiate PVGSS from recursive Shamir secret sharing and from linear secret sharing schemes, obtaining verification complexity linear in the number of leaves of the access structure. We formalize correctness, encrypted-share verifiability, share-decryption verifiability, and IND1-secrecy, and prove security in the random oracle model under DDH, knowledge soundness of the proof systems, and privacy of the underlying GSS-on-group sharing. As an application, we show how PVGSS enables publicly accountable secret release in a decentralized exchange protocol.

Verifiable secret sharing (VSS) is a fundamental primitive for secure computation and its round complexity has been well studied. The works of Gennaro et al. [STOC'01] and Fitzi et al. [TCC'06] settled the landscape in the perfect-security setting, showing that for the optimal corruption threshold $t<n/3$, the exact round complexity is three, and for the sub-optimal corruption threshold $t<n/4$ it is two rounds. Similarly, Patra et al. [CRYPTO'09] and Kumaresan et al. [ASIACRYPT'10] settled the landscape in the statistical setting, showing that for $t<n/2$ (resp. $t<n/3$), the exact round complexity is three (resp. two). Current protocols with optimal resilience incur three rounds even when the actual number of corruptions $f$ is sub-optimal. Fix corruption threshold parameters $0\le k \le t$. We ask whether it is possible to obtain a VSS protocol that incurs two rounds when $f\le k$, and three rounds when $k<f\le t$. We show matching feasibility and impossibility results demonstrating that this is possible if and only if $3t+k < n$ for perfect security, and $2t+k < n$ for statistical security.

We present protocols where one entity, the server, evaluates a circuit with encrypted inputs from the second party, the client. We give secret key somewhat additive homomorphic schemes where the client has perfect privacy (server is computationally unbounded). Our scheme is somewhat additive homomorphic and we extend it to support multiplication. The server handles circuit multiplication gates by sending the multiplicands to the client which does the multiplication and updates the decryption key so that the original ciphertext vector includes the encrypted multiplication gate outputs. The key idea for client privacy is the permutation table which consists of rows of vectors modulo a prime integer m. The initial row is (1, d2, . . . , dc) where di−1|di, di > N (a + 1)di−1, for an integer N which is a power of 2 and integer a, 2 ≤ i ≤ c. Subsequent rows are integer multiples of the first row, modulo m. The permutation table has a subset of rows (vectors) whose components are relatively short (facilitating addition without overflowing m) and which map to every possible vector modulo N (giving perfect privacy since every plaintext vector is possible given a ciphertext vector from the table.) We give a 2-party computation (2PC) protocol that also incorporates server inputs where the client has perfect privacy. Server privacy only holds against a computationally bounded adversary since it depends on the hardness of a variant of the HSSP (Hidden Subset Sum Problem) and the DDH (Decisional Diffie Hellman Assumption). We leverage the Castagnos Laguillaumie linear homomorphic public key encryption for setup. The 2PC protocol maintains circuit privacy except for leaking the number of multiplication gates to the client. Scaling the 2PC protocol via separate encryption parameters for smaller subcircuits allows the ciphertext size to remain constant as circuit size grows.

Modern portfolio theory (MPT) prescribes how to maximise the return of an asset portfolio for a given level of risk. The optimal trade-off between return and variance defines the efficient frontier. Whether actual cryptoasset portfolios approximate this prescription and whether proximity to the frontier translates into realised performance remain difficult to test at large scale in traditional markets due to their opaque nature and the inaccessibility of data. As we show, public blockchains make these questions measurable: every token transfer is recorded, thus enabling complete portfolio reconstruction for every account at any point in time. We leverage this transparency to reconstruct cryptoasset portfolios for over 116 M Ethereum accounts across the full chain history (2015-2025), measure their distance to the constrained efficient frontier, and quantify how deviations translate into realised performance. Here we show that market entry timing, not allocation choice, is the dominant predictor of realised cryptoasset returns. On-chain wealth is highly concentrated and portfolios are pervasively under-diversified, with single-asset holdings accounting for 83.35% of accounts. Two-asset portfolios sit closest to the efficient frontier defined by their held assets, a proximity that reflects the narrowness of their opportunity set rather than deliberate optimisation. Passive market-capitalisation weighting outperforms every MPT optimisation strategy in median realised return, and entry month alone explains 70-79% of the variance in returns, far exceeding the contribution of allocation choice. Mean-variance optimisation therefore appears neither descriptive of observed behaviour nor prescriptively useful in the cryptoasset domain, even if MPT retains its value as a normative benchmark.

Distributed common randomness generation (i.e., the common coin problem) is a cornerstone of randomized distributed computing. While a long line of research has sought scalable solutions, the asynchronous setting remains a challenge. Specifically, while Blum et al. (TCC'21) achieved sub-quadratic communication complexity, their approach lacks ``balance'': certain nodes must still send $\Omega(n)$ messages, creating a scalability bottleneck. Furthermore, their solution only tolerates a $1/3 - \epsilon$ fraction of corrupted nodes, whereas the classic construction by Cachin et al. (PODC'00) tolerates up to $1/2$ under the same setup assumptions. In this work, we close these gaps by presenting the first balanced asynchronous common coin protocol with sub-quadratic communication complexity. In our construction, the communication cost of every honest node is bounded by $\widetilde{O}(\sqrt{n})$. Our protocol supports an adaptive adversary corrupting up to $1/2 - \epsilon$ nodes. Beyond these asymptotic improvements, our solution avoids the heavy cryptographic machinery (such as fully homomorphic encryption) required by Blum et al. and terminates in just two deterministic rounds, compared to the dozens of expected rounds in prior work. At the heart of our construction are explicit and efficient sampler constructions. These samplers partition a population with a $1/2 + \epsilon$ honest majority into $O(\sqrt{n})$ communities, ensuring that a majority of these communities maintain a ``forever-honest'' majority. By leveraging how communities are allocated, we design mechanisms that allow each community to collectively emulate a single ``virtual node'' in Cachin et al.'s protocol. Reducing the number of participants from $n$ physical nodes to $O(\sqrt{n})$ virtual nodes drives the total communication complexity to a sub-quadratic level. Finally, we extend our methodology to Asynchronous Binary Byzantine Agreement (ABA), yielding the first balanced ABA protocol with sub-quadratic communication complexity that tolerates up to $1/3 - \epsilon$ adaptive corruptions.

We introduce $\textit{Miraidon}$, a new family of MinRank-based post-quantum signature schemes built from a novel zero-knowledge proof system. Our primary construction, $\textit{Miraidon-S}$, is a digital signature scheme with competitive public key and signature sizes, improved soundness parameters, and security based on the hardness of the MinRank problem. Building on this framework, we further construct $\textit{Miraidon-RS}$, a ring signature scheme, and introduce $\textit{Miraidon-LRS}$, the first linkable ring signature scheme based on the MinRank problem. We present concrete parameters and comparisons with contemporary lattice- and code-based ring and linkable ring signatures, showing that MinRank provides a promising foundation for efficient advanced post-quantum signature primitives.

Permutation and lookup arguments are at the core of most deployed SNARK protocols today. Most modern techniques for performing them require a grand product check. This requires either committing to large field elements (e.g. in Plonk) or using GKR (e.g. in Spartan) which has worse verifier cost and proof size. Moreover, both have a soundness error that grows linearly with the input size. We reduce permutation argument to sumcheck argument and present two permutation arguments that have $\mathsf{polylog}(n)/|\mathbb{F}|$ soundness error. BiPerm only requires the prover to perform $O(n)$ field operations on top of committing to the witness, but at the cost of limiting the choices of PCS. We show a general construction, MulPerm, which has no restriction on the PCS choice and its prover performs essentially linear field operations, $n\cdot \tilde O(\sqrt{\log(n)})$. Both permutation arguments generalize to lookups. We demonstrate how our arguments can be used to improve SNARK systems such as HyperPlonk (Eurocrypt 2023) and Spartan (Crypto 2020), and build a GKR-based protocol for proving non-uniform circuits. Further, MulPerm enables the fastest succinct argument with sublinear verification for arbitrary circuits over small fields. Plugging MulPerm into prior small field constructions overcomes the previous lack of an efficient permutation argument with sufficiently small soundness error.

Topology-hiding computation (THC) enables a set of parties, communicating over an incomplete network, to execute a secure multiparty computation (MPC) protocol for securely computing a function, while also hiding the network topology from within a given class of graphs. Semi-honest THC can be achieved over arbitrary graph classes, facing an arbitrary number of corruptions, from various assumptions implying oblivious transfer (OT). These assumptions are justified by strong lower bounds, indicating that $2$-secure topology-hiding broadcast (THB) over certain diameter-$3$ graph classes requires OT, as well as $1$-secure THC over certain diameter-$2$ graph classes of variable size. While THC from weaker assumptions, such as key agreement (KA), is achievable for $t=1$ over fixed-size graphs, the case of multiple corruptions remains unclear, with no known candidate constructions. Even in the simpler, privacy-free case of THB, tolerating $t>1$ corruptions without assuming OT is only known for "friendship" graphs (which are diameter-$2$ graphs of a certain form): in fact, the latter holds information theoretically and for $t<n$. The state of the art raises two foundational questions: First, considering THC, is OT necessary for protecting against adversaries with multiple points of view in the graph? Second, considering THB, is there a zero-one law for $t>1$, where given a graph class, THB either holds unconditionally or requires OT? In this work we study these questions over graphs of diameter $2$ (in which the lower bounds requiring OT do not hold) and provide THC protocols for various graph classes supporting many corruptions assuming KA. For some of these results we obtain optimal resilience assuming KA: $t<n$ for THB and $t<n/2$ for THC. We also present new lower bounds, showing that in certain graph classes that support information-theoretic THB for $t=1$, KA is necessary for $t=2$.

The secure evaluation of Boolean functions or Secure Boolean Evaluation (SBE) is a fundamental component in this area of research. SBE allows parties to jointly compute Boolean functions without exposing their private inputs. SBE finds applications in privacy-preserving protocols and secure multi-party computations. The existing schemes need at least $(1.5\lambda+5)$-bit strings to garble an AND gate with security parameter $\lambda$, where $\lambda$ is the length of arbitrary bit strings associated with inputs $0$ and $1$. In this manuscript, we discuss how we circumvent the communication cost of non-input gates independent of $\lambda$. We present an efficient and generic two-party protocol (namely $\mathsf{BooleanEval}$) for the secure evaluation of Boolean functions by utilizing a 1-out-of-2 Oblivious Transfer (OT) as a building block. We introduce randomized Bloom filter (namely, $\mathsf{ RBF}_S$) associated with a set $S$ to compute non-input $\mathsf{AND}$ gates. Moreover, $\mathsf{BooleanEval}$ only employs hash evaluations and XOR operations as the core computational step, making it lightweight and fast. Unlike other lightweight state-of-the-art designs of SBE, $\mathsf{BooleanEval}$ avoids the use of additional cryptographic primitives, such as commitment schemes, to reduce the computational overhead.

Post-quantum migration in TLS 1.3 couples signature-algorithm choice with certificate-hierarchy structure, chain exposure during the handshake, and role-dependent cryptographic cost. In certificate-based authentication, the practical effect of a signature family depends on where it appears in the certification hierarchy, how much of that hierarchy is exposed during the handshake, and how the resulting cryptographic cost is distributed across client and server roles. Post-quantum TLS migration must therefore be evaluated as cryptographic design within authenticated key establishment, with algorithm selection assessed in its deployment context. This paper presents a local experimental study of TLS 1.3 authentication strategies implemented with OpenSSL~3 and oqsprovider. Using a reproducible laboratory setting, it compares ML-DSA and SLH-DSA across multiple certificate placements, hierarchy depths, and key-exchange modes, including classical, hybrid, and pure post-quantum configurations. The analysis is organized into four complementary campaigns: a leaf-only comparison, a full hierarchy strategy matrix, a depth comparison, and a key-exchange exploration. Across the experimental matrix, the main discontinuity appears when SLH-DSA is placed in the server leaf certificate. In that configuration, handshake latency and server-side compute cost increase by orders of magnitude, whereas strategies that confine SLH-DSA to upper trust layers and preserve ML-DSA in the interactive leaf remain within a more plausible operational range. The results also show that transport size alone does not explain the heavy regime: outside leaf-SLH scenarios, transferred bytes and observed chain size track latency closely, but once SLH-DSA reaches the leaf, server-side cryptographic cost becomes dominant. The paper evaluates post-quantum TLS migration as a problem of certificate-hierarchy design, chain exposure, and cryptographic cost concentration during live authentication. In practical terms, signature placement matters at least as much as signature-family choice.

We give an efficiently computable invariant for the (Signed) Permutation Code Equivalence ((S)PCE) problem we call the square class invariant, that was previously not recognised in coding theory. Our invariant naturally yields a distinguisher for the decision version of (S)PCE as defined at Eurocrypt 2025 by Albrecht, Benčina and Lai [ABL25], breaking the hardness assumption that underpins the security of their updatable public-key encryption scheme. Moreover, we extend a 2023 result by Bruin, Ducas and Gibbons by showing the genus of the Construction A lattice of a code generator matrix with any hull dimension is completely determined by the hull dimension and our square class invariant, and that neither of these genera splits non-trivially into spinor genera (as soon as the lattice dimension is at least \(5\)), implying the genus of the Construction A \(q\)-ary lattice encodes all known efficiently computable coding-theoretic invariants for (S)PCE and vice versa. Thus our distinguisher can be rephrased as comparing the genera of Construction A lattices of the (S)PCE instance in the spirit of the Lattice Isomorphism Problem. We also give a complete description of the genus distribution of uniformly random \(q\)-ary lattices. This motivates the definition of a genus of a linear code as the genus of the Construction A lattice of any of its generator matrices, and we adapt the sampling algorithm from [ABL25] to sample from a single genus uniformly at random, and can thus restrict their hardness assumption for (S)PCE to a single genus. Restricting PCE to one genus and using our sampling algorithms is then used with a slight modification to the security proof to mend the scheme from [ABL25]. Finally we show that associating to a linear code generator matrix a quadratic space whose geometry is given by the corresponding Gram matrix and computing its Witt decomposition yields the same invariants that define the code genus, implying two \(q\)-ary lattices are locally equivalent if and only if the quadratic spaces associated to their underlying linear codes share a Witt decomposition type.

Discrete Gaussian Sampling on lattices is a fundamental problem in lattice-based cryptography. It appears both in basic cryptographic primitives such as digital signatures and as an important cryptanalysis building block for solving hard lattice problems. In this paper, we show a quantum algorithm based on the quantum rejection sampling technique whose complexity is asymptotically quadratically faster than its classical counterpart in [Wang \& Ling, IEEE Trans. Inf. Theory 2019]. Our sampler outputs a quantum state which can either be measured to get the desired distribution or be used directly as such in other quantum algorithms. By doing so, we derive two versions of quantum dual attacks that improve upon the previous ones in [Pouly \& Shen, EUROCRYPT 2024]. The two versions are incomparable, each having distinct advantages (speed vs memory requirement). The second version is particularly interesting as it requires only polynomial classical and quantum memory, excluding the classical memory used in the preprocessing step of the Discrete Gaussian sampler. Our quantum Discrete Gaussian sampler can also be used to speed up the algorithm for solving the Short Integer Solution problem, in any norm, of [Bollauf, Pouly \& Shen, ePrint 2026/225].

A generator is a function that maps a random seed to a list of coefficients. We study generators that preserve distance to a linear code: the linear combination of any list of vectors using coefficients sampled by the generator has distance to the code no smaller than that of the original vectors, except for a small error. Distance preservation plays a central role in modern probabilistic proofs, and has been formalized in several ways. We study mutual correlated agreement, the strongest known form of distance preservation. We initiate a systematic study of mutual correlated agreement, aiming to characterize the class of generators with this property. Towards this, we study polynomial generators, a rich class that includes all examples of generators considered in the distance preservation literature. Our main result is that all polynomial generators guarantee mutual correlated agreement for every linear code. This improves on prior work both in generality (the class of generators covered) and in parameters (the error bounds). We additionally provide new results for the case where the linear code is a Reed--Solomon code, which is of particular interest in applications. We prove that all polynomial generators satisfy mutual correlated agreement for Reed--Solomon codes up to the Johnson bound. In particular, we improve upon the state-of-the-art by Ben-Sasson, Carmon, Ishai, Kopparty, and Saraf (FOCS 2020) and answer a question posed by Arnon, Chiesa, Fenzi, and Yogev (Eurocrypt 2025). Along the way we develop a flexible and general toolbox for mutual correlated agreement, and are the first to establish distance preservation for generators that lie beyond polynomial generators.

We design decentralized multi-authority functional encryption (MAFE) for $\mathsf{P/Poly}$ circuits from minimal assumptions in both the bounded-collusion and fully collusion-resistant models, i.e., from public-key encryption and from functional encryption, respectively. Prior constructions required sub-exponentially hard public-key encryption with random oracles (bounded collusion) or sub-exponentially-hard obfuscation (collusion-resistant). Under the additional assumption of SXDH or LWE, our constructions remain secure against an adversary that corrupts any $k$ of the $n$ local authorities, provided $\binom{n}{k} = \mathsf{poly}(\lambda)$, covering, for example, $k = O(1)$ and $n = \mathsf{poly}(\lambda)$ or $k = O(\log \lambda)$ and $n = O(\log \lambda)$. Complementing this, we show that any MAFE scheme that tolerates corruption of more than $\chi = O(\log \lambda)$ authorities and remains non-trivially compact (i.e., parameter sizes scale sub-linearly in $2^{\chi}$) implies indistinguishability obfuscation. Thus, our scheme is essentially optimal across a wide parameter regime. Along the way, we introduce two abstractions, MAFE with $\textit{synchronous setup}$ and $\textit{synchronous key generation} $ that provide a path to constructing multi-authority encryption schemes from their centralized counterparts, and may be useful for designing other multi-authority encryption systems.

The increasing deployment of large language models (LLMs) in high-stakes domains demands infrastructure to ensure trust in artificial intelligence (AI)-generated outputs and actions. Users often struggle to validate results from LLMs because their reasoning is opaque and possibly beyond human comprehension. This paper introduces proof-carrying output (PCO), a framework in which an AI system returns an answer accompanied by a machine-checkable proof. We define φ-compliance formally (see the compliance definition in the paper): given a decidable predicate φ over signed inputs and AI outputs published by a named authority, a pair (x, y) is φ-compliant iff φ(x, y) = 1. "Compliance" in the rest of the paper refers to this binary, machine-checkable relation, not to organizational assurance practice. The framework is an instance of the producer-verifier-with-audit pattern previously introduced for game-theoretic rational behavior, applied here to regulatory compliance for AI-mediated decisions. Our primary security contribution is a cryptographic accountability layer that binds an AI output, its formal proof, the verifying validator's version, and a trusted timestamp into a non-repudiable commitment recorded on an append-only ledger before the output is acted upon. This layer provides four properties—binding, hiding, temporal ordering, and audit correctness—which jointly yield non-repudiation of AI-mediated decisions, a property neither LLM outputs nor formal proofs provide in isolation. These proofs rely on established proof assistants such as Rocq (Coq) (the Coq proof assistant was recently renamed to Rocq; we use "Rocq" throughout the paper, with "Coq" appearing where the historical name is more recognizable) for symbolic reasoning and (linear temporal logic (LTL), signal temporal logic (STL)) for temporal logics prior to output usage. A legal entity—whether a human subject to law or an AI agent bound by smart contracts—must employ independent proof validators to confirm that the inputs (multiple-choice selections and signed documents) correctly lead to the output under published specifications and regulations. After validation and before acting on the output, the legal entity cryptographically commits the query, specification, output, validator version, timestamp, and proof to an append-only ledger. The entity then proceeds based on the output and reveals the proof only during the audit. We demonstrate PCO through three case studies with working Rocq/STL implementations: tax computation, autonomous-vehicle compliance, and recommendation transparency, extending proof-carrying code (PCC) from static programs to dynamic AI outputs. To enable reliable proof generation as an enabling substrate, we propose that regulatory authorities publish specification-coupled small language models (SLMs) trained on canonical scenario-proof pairs; we view this as supporting infrastructure rather than the core security contribution. We explicitly delimit PCO's scope to compliance predicates expressible as decidable first-order logic with bounded quantification or STL over finite-horizon signals; free-form prose, input authenticity, and specification correctness are out of scope and treated as orthogonal problems. PCO complements existing approaches to interpretable and explainable AI by providing machine-verifiable certificates of compliance rather than human-readable rationalizations.

We further explore the explicit connections between supersingular curve isogenies and Bruhat-Tits trees. By identifying a supersingular elliptic curve $E$ over $\mathbb{F}_p$ as the root of the tree, and a basis for the Tate module $T_\ell(E)$; our main result is that given a vertex $M$ of the Bruhat-Tits tree one can write down a generator of the ideal $I \subseteq \text{End}(E)$ directly, using simple linear algebra, that defines an isogeny corresponding to the path in the Bruhat-Tits tree from the root to the vertex $M$. In contrast to previous methods to go from a vertex in the Bruhat-Tits tree to an ideal, once a basis for the Tate module is set up and an explicit map $\Phi : \text{End}(E) \otimes_{\mathbb{Z}_\ell} \to M_2( \mathbb{Z}_\ell )$ is constructed, our method does not require any computations involving elliptic curves, isogenies, or discrete logs. This idea leads to simplifications and potential speedups to algorithms for converting between isogenies and ideals.

Format-preserving de-identification methods, for example format- preserving encryption, enable de-identified data to act as an in-place replacement for the original data by retaining syntactic properties. However, when applied to data types with multiple formats, format preservation introduces inherent information-theoretic leakage, as the format itself can reveal non-trivial information about the original data, creating an attack surface that can be realized when appropriate aux- iliary information is available. We formalize format preservation and use Shannon entropy to quantify the resulting leakage. To illustrate the practical impact of this, we document real-world use of format- preserving de-identification on variable-format data types and apply the theory to a real-world dataset. Using personal data from Dan- ish financial institutions, we find that a length and word-preserving transformation has a leakage of 10.12 bits for person names and 3.9 bits for cities, out of a maximum of 17.2 bits. While exploiting this leakage requires appropriate auxiliary information, such information is often readily available in practice. In the worst-case scenario, this can lead to re-identification of some data records; however, even in less extreme cases, it can significantly narrow down the search space for re-identification, e.g. by revealing the length of the original data, or the format of an e-mail domain.

Given two linear codes, the Code Equivalence Problem asks to find (if it exists) an isometry mapping one code into the other. A special case is the Permutation Equivalence Problem (PEP), where the isometry must be a permutation. The hardness of PEP is crucially dependent on the hull of a code, that is, the intersection between a code and its dual. Indeed, most of the known algorithms have running time that grows exponentially with the hull dimension. Since random codes have very small hull with large probability, PEP is deemed easy for random codes. In this paper we study how the so-called Schur product between linear codes can be employed to solve PEP. The basic idea is to transform a given PEP instance by computing the square of the given codes. While it is well known that the square code operation preserves equivalence between linear codes, we show that, regardless of the hull dimension of the starting codes, their square codes have trivial hull with high probability. Furthermore, we show that as long as the code rate is sufficiently low, no additional permutations mapping the square codes exist with high probability. This effectively generates a new pair of equivalent codes with trivial hulls, where the underlying permutation remains identical to that of the original instance. This observation allows us to leverage existing hull-based attacks to recover the permutation for the square codes, and consequently, for the original codes. Furthermore, we improve this attack by exploiting the structural relationship between hulls: if a permutation maps two codes, the same permutation also maps their respective hulls. We show that by considering the square of the hull as a code in its own right, its hull also becomes trivial with high probability. This allows for the identification of new weak instances of PEP, leading to an attack whose complexity no longer depends on the initial hull dimension, as it is the case of most known algorithm. In particular, we show that our attack achieves average polynomial-time complexity (since the square of the hull, when seen as a code, intersects with its dual in a low dimensional space with large probability) as long as $k < \sqrt{2n}$ or $h < \sqrt{2n}$, where $n$, $k$, and $h$ denote the code length, dimension, and hull dimension, respectively. We corroborate our analysis, which relies on some (plausible) heuristics, with intensive numerical simulations. As a concrete application, we consider the updatable encryption scheme proposed by Albrecht, Benčina, and Lai at Eurocrypt 2025. All the recommended instances fall into the range of weak PEP instances identified in this paper; hence, they are susceptible to our attack. As a demonstration, we successfully recover the secret permutation for two of the instances claiming 128 bits of security in about $10$ minutes on average on a laptop. As a fix, instances with hull dimension $h > \sqrt{2n}$ should be employed.

Succinct zero-knowledge arguments (zk-SNARKs) enable a prover to convince a verifier of the truth of a statement via a succinct, efficiently verifiable proof without revealing any additional information about the witness. A barrier to the practical deployment of zk-SNARKs is their high proving cost. With this motivation, we study server-aided zk-SNARKs, where a client/prover outsources most of its work to a single, untrusted server, while the server learns nothing about the witness, the statement, or even the proof. We formalize this notion and show how to efficiently realize server-aided proving for widely deployed zk-SNARKs such as Nova, Groth16, and Plonk. The key building block underlying our designs is a new primitive, encrypted multi-scalar multiplication (EMSM), that enables private delegation of multi-scalar multiplications (MSMs). We construct an EMSM from variants of the LPN assumption in which the client does $O(1)$ group operations, while the server’s work matches that of the native plaintext MSM. We implement and evaluate our constructions. Compared to local proving, our techniques lower the client's computation by up to ${18{\times}}$ and reduce the proving latency by up to ${8{\times}}$.

Lightweight cryptographic primitives are widely deployed in resource-constrained environments, particularly in Internet of Things (IoT) devices. Due to their public accessibility, these devices are vulnerable to physical attacks, especially fault attacks. Recently, deep learning–based cryptanalytic techniques have demonstrated promising results; however, their application to fault attacks remains limited, particularly for stream ciphers. In this work, we investigate the feasibility of deep learning assisted differential fault attacks on three lightweight stream ciphers, namely ACORNv3, MORUSv2, and ATOM, under a relaxed fault model in which a single-bit bit-flipping fault is injected at an unknown location. We develop and train multilayer perceptron (MLP) models to identify the fault locations. Experimental results show that the trained models achieve high identification accuracies of 0.999880, 0.999231, and 0.823568 for ACORNv3, MORUSv2 and ATOM, respectively, and outperform traditional signature-based methods. For the secret recovery process, we introduce a threshold-based method to optimize the number of fault injections required to recover the secret information. The results show that the initial state of ACORN can be recovered with 21 to 34 faults, while MORUS requires 213 to 248 faults, with at most 6 bits of guessing. Both attacks reduce the attack complexity compared to existing works. For ATOM, the results show that it possesses a higher security margin, as the majority of state bits in the Nonlinear Feedback Shift Register (NFSR) can only be recovered under a precise control model. To the best of our knowledge, this work provides the first experimental results of differential fault attacks on ATOM.

The problem of computing an isogeny of large prime degree from a supersingular elliptic curve of unknown endomorphism ring is assumed to be hard both for classical as well as quantum computers. In this work, we first build a two-round identification protocol whose security reduces to this problem. The challenge consists of a random large prime $q$ and the prover simply replies with an efficient representation of an isogeny of degree $q$ from its public key. Using the hash-and-sign paradigm, we then derive a signature scheme with a very simple and flexible signing procedure and prove its security in the standard model. Our optimized C implementation of the signature scheme shows that signing is roughly $1.8\times$ faster than all SQIsign variants, whereas verification is $1.4\times$ times slower. The sizes of the public key and signature are comparable to existing schemes. Latest version: PRISM with a pinch of salt: Simple, Efficient and Strongly Unforgeable Signatures from Isogenies, from the same authors, is an extended and updated version of the present article. It is available at https://eprint.iacr.org/2026/443.

Shuffling is a fundamental operation in secure multiparty computation (MPC). However, the best-known maliciously secure $n$-party $m$-element shuffle protocols still incur at least $n^2 m$ online communication and computation, which exceeds the best-known $O(nm)$ result for the semi-honest additive secret sharing setting. In this paper, we formalize the permute-in-turn paradigm for building MPC shuffle protocols from MPC permutation protocols, which captures the methodology implicitly adopted in most prior works. By further extending and enhancing this paradigm, we present generic transformations from semi-honest (resp.\ malicious) MPC permutation protocols to semi-honest (resp.\ malicious) MPC shuffle protocols that shuffle $m$ items among $n$ parties using only $O(n^2+nm)$ online computation and communication. Our transformation is for free in two senses: it preserves the overall asymptotic complexity of the natural approach of performing $n$ MPC permutations and yields an online phase with linear communication and computation complexity, while freeing the online phase of the shuffle protocol from depending on the implementation of the underlying MPC permutation protocol. This decoupling allows future work to optimize permutation protocols independently while benefiting all shuffle constructions following the paradigm. Our results immediately yield the first maliciously secure shuffle with linear online communication and computation, under both additive secret sharing and Shamir secret sharing, improving upon the previous bounds of $O(Bn^2 m)$ and $O(n^2 m \log m)$, respectively. We formally prove semi-honest and universally composable (UC) security corresponding transformations. Our prototype demonstrates an over $20\times$ improvement in online efficiency over prior state-of-the-art protocols when shuffling $m=2^{12}$ items among $n=15$ parties, with over $150\times$ online communication savings and only a $1.1\times$ slowdown in the offline phase. Given the widespread use of shuffling in MPC, our techniques are broadly applicable to practical protocols.

This work presents several algorithms to perform operations in the quaternion ideals and orders stemming from the Deuring correspondence. While most of the desired operations can be solved with generic linear algebra, we show that they can be performed much more efficiently while maintaining a strict control over the size of the integers involved. This allows us to obtain a very efficient implementation with fixed sized integers of the effective Deuring correspondence. We apply our new algorithms to improve greatly the practical performances of a recent algorithm by Corte-Real Santos, Eriksen, Leroux, Meyer and Panny to evaluate modular polynomials. Our new implementation, including several other improvements, runs 20 times faster than before for the level ℓ = 11681. The Deuring correspondence also plays a central role in the most recent developments in isogeny-based cryptography, and in particular in the SQIsign signature scheme submitted to the NIST PQC competition. After the latest progresses, it appears that fixed-sized efficient quaternion operations is one of the main missing feature of the most recent implementations of SQIsign. We believe that several of our new algorithms could be very useful for that.

This paper studies efficient realizations of arithmetic over the binary field $\mathbb{F}_2$ in nonabelian groups using only intrinsic group operations, namely multiplication and inversion. The constructions rely on commutators to implement Boolean computation within the group structure. Two complementary approaches are presented: a realization of a universal Boolean gate (NAND) and direct realizations of the field operations XOR and AND. These approaches apply to finite nonabelian simple groups and can be implemented using a small number of group operations. Explicit realizations are provided in the alternating groups $A_5$ and $A_6$. For the smallest nonabelian simple group $A_5$, these constructions achieve state-of-the-art efficiency in the number of group operations.

As the Hamming Quasi-Cyclic (HQC) cryptosystem was recently selected by NIST for standardization, a thorough evaluation of its implementation security is critical before its widespread deployment. This paper presents single-trace side-channel attacks that recover the full long-term secret key of HQC, experimentally evaluated on a protected Cortex-M4 implementation. We introduce two distinct attacks that significantly advance the state of the art: a passive attack that uniquely models key recovery as a moderate-density parity-check (MDPC) decoding problem from a single valid ciphertext, and an active chosen-ciphertext attack employing a new probing strategy on a linear combination of secret key components for significantly improved efficiency. Both attacks are enabled by a new information set decoding (ISD) variant that exploits soft side-channel information, a contribution of broader importance to code-based cryptography. Our experiments show that a single trace suffices for full key recovery under realistic conditions, effectively defeating countermeasures such as codeword masking for the first time. We also show that several existing defenses are ineffective against the new attacks.

A prominent line of rank-metric code-based cryptography has long relied on highly structured algebraic code families, such as Gabidulin codes, for their optimal rank-distance properties and efficient decoding. However, this structure exposes algebraic invariants, most notably extension-field linearity and Frobenius invariance, that enable powerful polynomial-time distinguishers and effective key-recovery attacks. In this work, we revisit this structural tension from a new perspective. Rather than relying solely on masking, we identify a simple yet fundamental structural incompatibility that rules out the direct extension-field linear representation on which these attacks rely. Building on this insight, we introduce Enhanced Gabidulin Matrix Subcodes (EnGMS), a family of masked matrix codes obtained from K'-dimensional Fq-subcodes of expanded Gabidulin codes. When m does not divide K', where m is the extension degree, this dimension mismatch is not merely a randomization heuristic. It deterministically rules out hidden Fq^m-linear expansion structure, a key algebraic prerequisite for the relevant attacks in [5, 43]. Using a generic transform, EnGMS-based constructions yield IND-CCA2-secure public-key encryption schemes and key encapsulation mechanisms, while retaining deterministic decoding and zero decryption failure. At standard security levels, our schemes achieve very compact ciphertexts with moderate public-key sizes, demonstrating that provable structural guarantees can coexist with competitive size efficiency.

Symbolic formal verification of cryptographic protocols based on the Dolev-Yao (DY) attacker model---an active attacker with full network control and perfect cryptography---is well-established for finding design-level logical flaws in cryptographic protocols. Building on this, DY fuzzing enriches fuzzing with this attacker model to uncover logical bugs at the implementation level. In contrast to bit-level fuzzers (e.g., AFL), DY fuzzing leverages a formal model of messages and cryptography to generate structured, adversarial executions, such as replaying and re-signing a modified payload. However, a significant limitation of DY fuzzing is the requirement to precisely model properties to check at runtime (e.g., session parameter agreement). Defining these properties is labor-intensive and inherently non-exhaustive, often necessitating complex instrumentation of the Programs Under Test (PUTs). Consequently, typically only a subset of logical attacks is detected. We address this limitation by introducing Differential DY Fuzzing (DDYF), which uses a differential oracle to compare executions across different protocol implementations. By interpreting discrepancies through the DY model, it identifies semantic differences indicative of bugs or vulnerabilities, effectively minimizing false positives. We propose a generic design for DDYF, implement it within the puffin DY fuzzer, and evaluate it on two major TLS implementations. Our results demonstrate that DDYF can detect vulnerabilities that evade state-of-the-art fuzzers, specifically those requiring DY attacker capabilities (missed by bit-level differential fuzzers) or complex objective oracles (missed by DY fuzzing). DDYF also uncovered 8 new RFC violations in Openssl and Wolfssl, which are by-design hardly detectable with non-differential oracle. Furthermore, we show that DDYF exposes fine-grained behavioral discrepancies, enabling more precise fingerprinting of protocol implementations.

This paper presents a side-channel attack on the Linear Equivalence Signature Scheme (LESS) v2.0. LESS derives its security from the Linear Equivalence Problem and was evaluated as a candidate during Round 2 of the NIST post-quantum cryptography standardization process. LESS secret keys are used to generate monomial matrices, which are stored efficiently in two one-dimensional lists: the permutation list and the coefficient list. Recovering the secret monomial matrices is sufficient to forge signatures, as they are the values actually used during signing. We propose a profiled, single-trace horizontal attack that recovers the full secret monomial matrices. First, monomial coefficients that are multiplied by the dense part of the public generator matrix are recovered via power analysis of the matrix multiplication function. Next, we attack the reduced row echelon form function to recover the permutation list. Finally, we exploit an algebraic relation between the recovered values and the public key to obtain the rest of the coefficient list. We validated our attack on an ARM Cortex-M4 microcontroller. Our results demonstrate that we can exactly recover the secret monomial matrices from a single power trace with a 96\% success rate on the NIST Category 1 parameter set. We also analyze potential countermeasures and show that independently shuffling the row processing order within each column reduces the success rate of our attack to negligible levels, providing protection against the specific attack vector demonstrated in this paper.

Consensus among $n$ parties tolerating up to $t$ Byzantine faults requires $n > 2t$ in synchronous networks and $n > 3t$ in asynchronous networks. The higher resilience achievable in synchrony relies on a known message delay bound $\Delta$, whereas asynchronous protocols make no timing assumptions but must tolerate fewer faults. Prior work addressed this gap only partially. Some protocols achieve responsiveness under synchrony, meaning that their running time adapts to the \emph{actual} network delay, but offer no guarantees under asynchrony, while others guarantee correctness under both network conditions but sacrifice responsiveness. Only recently, Elsheimy, Kamp, Loss, and Nielsen (IACR~2026) showed for binary validated Byzantine agreement (VBA) that if $t_s$, $t_a$, and $t_r$ denote the synchronous, asynchronous, and responsiveness thresholds, respectively, then the conditions $n > 2t_s + t_a$ and $n > t_s + 2t_r$ are necessary and sufficient to simultaneously achieve asynchronous security, synchronous security, and responsiveness. While binary BA (or VBA) can be extended to multi-valued Byzantine agreement (MVBA) via standard reductions, such transformations generally incur blow-up in the communication. Whether these tight resilience conditions can be achieved for MVBA \emph{with optimal communication complexity} remained open. In this work, we resolve this question. For the aforementioned optimal thresholds, we construct an MVBA protocol that is asynchronously secure when $f \le t_a$, synchronously secure when $f \le t_s$, and responsive when $f \le t_r$, where $f$ is the actual number of corruptions. Our construction builds on Dumbo-MVBA~(Lu et al., PODC 2020) and preserves asymptotically optimal efficiency. When $n - 2t_s = \Theta(n)$, our first construction achieves $O(n^2\kappa + n\ell)$ communication for $\ell$-bit inputs and computational security parameter $\kappa$, matching the best known bounds in asynchrony of Lu et al. (PODC 2020) and the best known synchronous bounds of Shrestha et al. (FC 2025). When $n - 2t_s$ is small, we provide an alternative construction with communication $O(n^2\kappa + n\ell)$ in synchrony and $O(\lambda (n^2\kappa + n\ell))$ in asynchrony, where $\lambda$ is a statistical security parameter. Whenever $f \le t_r$, both protocols terminate in expected $O(\delta)$ time, where $\delta$ is the actual network delay; otherwise, the expected running time is $O(\Delta)$.

Threshold signatures, especially ECDSA, enhance key protection by addressing the single-point-of-failure issue. Threshold signing can be divided into offline and online phases, based on whether the message is required. Schemes with low-cost online phases are referred to as ``online-friendly". Another critical aspect of threshold ECDSA for real-world applications is robustness, which guarantees the successful completion of each signing execution whenever a threshold number $t$ of semi-honest participants is met, even in the presence of misbehaving signatories. The state-of-the-art online-friendly threshold ECDSA without robustness was developed by Doerner et al. in S\&P'24, requiring only three rounds. Recent work by Wong et al. in NDSS'23 (WMY\(^+\)23) and NDSS'24 (WMC24) achieves robustness but demands additional communication rounds (7 and 4, respectively) or incurs costly operations in the online phase, such as computations over a homomorphic encryption scheme. This paper presents the first three-round threshold ECDSA scheme with both robustness and an online-friendly design. The online phase of our scheme relies solely on several elliptic-curve group operations, which are 2 to 3 orders of magnitude less computationally intensive than those based on linearly homomorphic encryption schemes. We implement our protocol and conduct a comprehensive comparison with WMY$^+$23 and WMC24. Benchmark results show that the online phase of our scheme is $2.5\times$ faster than that of WMY$^+$23 and hundreds of times faster than that of WMC24. Lastly, we demonstrate that our techniques can be extended to construct an online-friendly and robust three-round threshold BBS+ scheme.

Discrete Gaussian sampling is an important operation at the core of many lattice-based cryptosystems, which presents significant challenges from an implementation standpoint. In particular, it is difficult to protect against side-channel attacks. Extensive research has gone into the problem of addressing timing side-channel attacks, and as result, constant-time discrete Gaussian sampling is now well-understood. However, few papers so far have attempted to achieve protection against stronger side-channel attacks like correlation power analysis via, e.g., masking, and those that have tend to suffer from underwhelming performance. Focusing on the case of discrete Gaussians with fixed center and standard deviation, the state-of-the-art approach to applying a masking countermeasure is to start from a constant-time cumulative distribution table-based (CDT-based) sampler, possibly with a search tree twist. Such a CDT-based sampler compares a uniform random value to each element of the CDT of the target distribution. Replacing these comparisons with a masked comparison circuit (typically based on a carry-save adder like Kogge-Stone) yields the desired, albeit costly, countermeasure. In this paper, we propose a very different approach to masked discrete Gaussian sampling. We start from a new rejection-based discrete Gaussian sampler, obtained by discretizing a sampler for the continuous normal distribution related to an algorithm of Marsaglia (1963). We show that our new sampler can be expressed elegantly in terms of uniform and geometric distributions, in a way that is surprisingly friendly to masking, particularly when using bitslicing. The resulting masked, t-probing secure gadget dramatically outperforms previous work. When applied to NIST candidate signature HAWK, we find it to need less than 5 masked AND gates per generated sample on a 32-bit architecture, and about 20 times fewer than the state-of-the-art, comparison tree-based masked sampler of Eid et al. (TCHES 2026). Furthermore, we show that while Eid et al.'s sampler can be sped up with significant tweaks (bitslicing, faster masked comparisons, etc.), the modified gadget still requires 4 to 5 times as many masked AND gates as our techniques.

Proposer-Builder Separation (PBS) in Ethereum improves decentralization and scalability by offloading block construction to specialized builders. In practice, MEV-Boost implements PBS via a side-car protocol with trusted relays, resulting in increased centralization as well as security and performance concerns. We propose Decentralized Proposer-as-a-Service (DPaaS), a deployable architecture that eliminates relays while preserving compatibility with Ethereum’s consensus layer. Our insight is that we can reduce centralized trust by distributing the combined roles of the proposer and relay to a set of Proposer Entities (PEs), each running in independent Trusted Execution Environments (TEEs). For compatibility, DPaaS presents itself to Ethereum as a single validator, leveraging the threshold and aggregation properties of the BLS signature scheme used in Ethereum. To decentralize the relay roles (e.g., auctioneer) across TEEs, we developed a new Byzantine broadcast protocol that provides necessary censorship-resistance and availability-backed properties on top of standard consensus. We implemented a prototype of DPaaS and validated it end-to-end on a local Ethereum testnet. Our evaluation, deployed across four independent cloud hosts and driven by real-world traces, shows that DPaaS achieves ≤ 5 ms bid processing latency, 55.69 ms latency from the end of auction to block proposal, and 3% more MEV earnings – demonstrating that DPaaS can offer security and decentralization benefits while providing strong performance.

Garbled circuits with one-bit-per-gate communication were recently introduced by Liu et al. (BitGC, Eurocrypt 2025), Meyer et al. (Crypto 2025), and Ishai et al. (Crypto 2025). However, these works focus primarily on the theoretical communication complexity, leaving open questions about practical computational efficiency. In this paper, we present a set of optimizations that substantially improve its practical efficiency. First, we eliminate key barriers to enable SIMD support for BitGC, leading to a substantial speedup in its homomorphic operations. Second, we demonstrate that XOR gates can be garbled without any communication, improving both efficiency and simplicity. Finally, we present a computationally efficient garbling scheme that requires zero communication for XOR gates and only 5 bits per AND gate. When applied to an AES-128 circuit, our fastest garbling scheme generates a garbled circuit of just 4 KB in 2 minutes on a single CPU core.

The transition to post-quantum cryptography (PQC) digital signatures poses an unexpected threat to the storage structure of relational databases. At the same security level, the AIMer-192f signature reaches 13,056\,B, which is more than 13 times that of RSA-7680 (960\,B). Storing it inline in MySQL InnoDB causes the B$^+$-Tree fan-out to collapse from the theoretically predicted value of 167 to a measured value of 1. This result experimentally reveals that the off-page storage model in the MySQL official manual has a factor of 167 error in this case. To address this problem, we propose an architecture that combines a split-table schema with a Merkle Tree-based batch signing approach. The proposed architecture ($B=512$) restores the collapsed fan-out to 41, reduces the number of leaf pages by 97\%, and improves insertion throughput by 28.1$\times$. It also reduces the per-document signature storage cost by up to 97.6\%. This study quantifies the limitations of the traditional single-table storage approach in a PQC migration environment and presents a practical mitigation architecture.

Batched threshold encryption allows any $t$-out-of-$N$ parties in a committee to decrypt a batch of $B$ ciphertexts using sub-linear $o(NB)$ communication, while ensuring that any subset of $<t$ colluding parties learn no information about the underlying plaintext. Our first result is a batched threshold encryption scheme that is censorship resistant, avoids epoch restrictions, and achieves quasi-linear $O(B\log B)$ decryption complexity in the batch size $B$. Our scheme has the shortest ciphertext among all known constructions: $|\mathbb{G}_1| + |\mathbb{G}_T|$ for CPA security, with CCA security adding only $2|\mathbb{F}|$ via a simulation-extractable NIZK. We prove security under the Decisional Bilinear $q$-Power Diffie-Hellman assumption in asymmetric pairing groups and provide an implementation in Rust to show that our scheme outperforms prior work. Our second result is a new approach for verifying decryption in batched threshold encryption which enables a helper party (that carries out decryption) to provide hints that allow a verifier to check that decryption was carried out correctly using only MSMs and hashes. Concretely, we observe a $114.1\times$ speedup when verifying decryption of 2048 ciphertexts when compared against local decryption. Our approach is quite general and can be applied to other pairing-based advanced encryption schemes such as Timelock Encryption and Silent Threshold Encryption that can be cast as witness encryption schemes.

Anonymity guarantees of privacy-oriented cryptocurrencies are garnering negative attention from lawmakers who view them as antinomic to accountability. Having recognized their potential for innovation, however, regulators may not want to outright ban privacy coins but instead seek a middle ground where financial oversight is effective, and still a modicum of privacy is maintained. Mature designs, such as Zcash, Monero, or Firo, facilitate this through so-called viewing keys that can be disclosed to third parties for the purpose of supervision. This paper initiates the study of the issues of security, privacy, and fungibility that privacy coins face in the non-custodial setting with the legal obligation on users to surrender their viewing keys to the authorities. In doing so, it fills the gap in provable anonymity guarantees for Zcash and, at the same time, exposes non-trivial gaps for Monero and Firo. Of independent interest is that the naturally defined notion of spend indistinguishability is shown to imply practical anamorphic spending as introduced by Cinal et al. (ESORICS'25), and a novel perspective is presented, framing UTXO-based privacy coins under viewing key compromise as transparent account-based cryptocurrencies instead.

A zero-knowledge virtual machine (zkVM) is a versatile, developer-friendly primitive that proves the correct execution of programs on a fixed machine architecture. A major bottleneck for these protocols is the prover’s space complexity, which grows linearly with the number of program steps and makes it impractical to produce proofs for long- running computations. To overcome this, we propose generating these proofs incrementally, using folding schemes. However, realizing this requires new tools in the folding setting: (1) an efficient read-write memory argument for proving the correctness of memory operations; and (2) a method to eliminate the overheads incurred by unused machine instructions when incrementally proving a program execution step. We address these with new techniques. First, we introduce commitment-carrying IVC, where a proof carries an incremental commitment to the prover’s non-deterministic advice provided at different steps. Second, we show how this unlocks efficient read-write memory arguments (which implies indexed lookups arguments), with a cost profile identical to that of memory arguments in the context of non-recursive arguments. Third, we provide a new universal “switchboard” circuit construction that combines circuits of different instructions such that one can “turn off” uninvoked circuit elements and constraints, offering a new way to achieve pay-per-use prover costs. We design an IVC scheme, which we refer to as Nebula, that incorporates these techniques. We implement a prototype of a Nebula-based zkVM for the Ethereum Virtual Machine (EVM). We find that our techniques qualitatively provide a 30×smaller constraint system to represent the EVM over standard memory-checking techniques, and lead to over 260× faster proof generation for the standard ERC-20 token transfer transaction when compared to our baseline Nova (CRYPTO'22) with existing arithmetization methods.

A polynomial commitment scheme (PCS) enables a prover to succinctly commit to a large polynomial and later generate evaluation proofs that can be efficiently verified. In recent years, PCSs have emerged as a central focus of succinct non-interactive argument (SNARG) design. We present TensorSwitch, a hash-based PCS for multilinear polynomials that improves the state-of-the-art in two fundamental bottlenecks: prover time and proof size. We frame our results as an interactive oracle PCS, which can be compiled into a cryptographic PCS using standard techniques. The protocol uses any linear code with rate $\rho$, list-decoding and correlated agreement up to $\delta$, and encoding time $\tau \cdot \ell$, where $\ell$ is the block length. For a size $n$ polynomial, security parameter $\lambda$, and sufficiently large field, it has the following efficiency measures, up to lower order terms: - Commitment time: $(\tau/\rho^{2} + \tau/\rho + 3) \cdot n$ field multiplications. - Opening time: $6 n$ field multiplications. - Query complexity: $\frac{1}{-\log(1-\delta^{2})} \cdot \lambda$. - Verification time: $O(\lambda \log n)$. Moreover, the evaluation proof only contains $O(\log \log n)$ oracles of total size $(\lambda n)^{0.5 + o(1)}$. With a Reed-Solomon code of rate $1/2$, the query complexity is $2.41 \lambda$ and commitment time is dominated by $(6 \log n + 3) \cdot n$ field multiplications. With an RAA code of rate $1/4$ and distance $0.19$, the query complexity is $19 \lambda$ and the commitment time is $42 n$ field additions and $3 n$ field multiplications. For both instantiations, the opening time is dominated by $6 n$ field multiplications.

We define a protocol by which we can recognize if a person is the owner of an object. The object can, for instance, be an official document such as a diploma. In our model, the object has an attached RFID chip. The owner is enrolled when the document is created and the chip is attached. Later on, public verifying terminals can verify if a person is the enrolled owner by means of biometric recognition. Hence, the terminal must scan both the chip and the person. As an implementation demonstrator, we use fingervein biometry. Our system can also be used for access control to an online repository to get more information and services related to the object. We require strong security and privacy levels such as: a secure owner recognition and access limited to the legitimate owner holding the right document, the principle of least privilege, and no storage of biometric data at rest. Our solution relies on an inexpensive off-the-shelf RFID chip.

Instant messaging services are an integral part of today's communication and their privacy has wide societal implications. Major messengers deploy end-to-end encryption, hiding message contents from the service provider. Group messaging, however, creates the challenge of also keeping the group membership list private. The Signal messenger currently implements private group management using techniques inspired by Chase, Perrin, and Zaverucha (CCS 2020). Transitioning this system to quantum-safe turns out to be challenging: While one-to-one messaging can often adopt the newly standardized KEMs and signatures in a relatively direct way, private group management is more complex. Signal's existing design heavily relies on the discrete-log structure to combine anonymous credentials, verifiable encryption, and oblivious PRFs for privacy and functionality. Quantum-safe versions of these components unfortunately are typically far less efficient, requiring heavy zero-knowledge proofs and large communication per group operation. As a result, simply ``swapping in'' quantum-safe primitives is unlikely to yield an optimal protocol. This paper reconsiders the design of the entire group system from the ground-up. Our result is a scheme that possesses the same strong privacy guarantees, but it is built in a more modular way using simpler underlying cryptographic building blocks that permit a more efficient quantum-safe instantiation. The modularity of our protocol further allows for gradual migration to quantum-safe: we can immediately transition components vulnerable to harvest-now-decrypt-later attacks (such as classical public-key encryption, computationally hiding commitments, etc.) while deferring the transition of other building blocks, such as authentication. We prove our design secure in an extended security model that more comprehensively captures the rich feature set of Signal's group messaging system. In our experimental evaluation, the core operations of our new design turn out to be even more efficient than those of Signal's current deployment.

The growing demand for privacy-preserving Transformer inference has led to the emergence of numerous protocols designed to protect sensitive data and model parameters. These protocols utilize diverse cryptographic tools under varying assumptions, each presenting unique characteristics and trade-offs between computation, communication, and accuracy. In this paper, we conduct a systematic and in-depth analysis of existing approaches from diverse performance perspectives, identifying their limitations and research gaps. We further evaluate the reproducibility of prior systems and re-benchmark representative solutions under standardized configurations. Our results yield a principled guideline for balancing protocol trade-offs under different deployment settings.

Given that the Walsh spectrum directly determines key cryptographic properties of Boolean functions, the construction of such functions with desired spectral features has been a major research focus for decades. In this study, we first establish a unified framework for a class of specific Boolean function construction problems corresponding to Walsh transform, which we formally define as \textbf{Problem}. To tackle the \textbf{Problem}, we first designed the Iterative Walsh Recovery (IWR) algorithm as a framework, then added Forgetting and Greedy strategies for heuristic optimization to obtain the FG-IWR algorithm, and finally proved a necessary condition for optimization, ultimately proposing the Optimized Iterative Walsh Recovery (OIWR) algorithm. Through rigorous theoretical analysis and experimental validation, our algorithm simultaneously achieves theoretical guarantees, design flexibility, and computational efficiency. For application, we further present a novel construction method for low-weight correlation immune functions using the OIWR algorithm. Experimental results show that our method successfully addresses two fundamental constraints of Mesnager-Su's approach: limited construction capacity and power-of-two weight restrictions.

The QC-MDPC McEliece cryptosystem is a promising candidate for post-quantum cryptography, and the decoding performance of the underlying QC-MDPC code directly affects the security of the scheme. Deep unfolding, a framework that unfolds an iterative algorithm into a neural network with trainable weights, has been shown to improve belief propagation (BP) decoding for codes with dense parity-check matrices. However, applying deep unfolding directly to the large QC-MDPC codes used in practice is impractical owing to the computational cost of training. Moreover, in QC-MDPC-based cryptosystems, the parity-check matrix serves as the secret key and must be replaced periodically; key-specific training would therefore need to be repeated at each replacement. We address both issues through zero-shot transfer. We propose weight homogenisation, which constrains the trainable weights to a single scalar per iteration, making them independent of the specific Tanner graph. This enables a decoder trained on a small QC-MDPC code to be applied directly to larger codes. Experiments on QC-MDPC codes with parameters proposed for 80-bit and 128-bit security demonstrate that the proposed method achieves a lower decoding error rate than standard BP.

Threshold ring signatures (TRS) enable a quorum of $T$ users to jointly sign a message while hiding which $T$ of the $N$ ring members participated, supporting privacy-preserving endorsement in ad-hoc settings. That said, many deployments do not need anonymity over every $T$-subset of a ring: when the approval pattern is already public, a structured ring can be sufficient. In this work, we first formalize this setting as a structured threshold ring signature (sTRS) and introduce $\mathsf{LoTRS}$, a lattice-based sTRS that avoids a dedicated leader and keeps interaction to the optimal number of two rounds by separating the threshold signing relation from the anonymity mechanism. To the best of our knowledge, $\mathsf{LoTRS}$ is the first construction in which a TRS variant is obtained by combining: (i) an aggregated signing layer: a two-round lattice-based multisignature protocol producing an aggregated signature relation, with (ii) a selection-hiding layer: a $1$-out-of-$N$ proof that hides the chosen ring element supporting that relation. While it is natural to use a $T$-out-of-$N$ proof to build a TRS, our $\mathsf{LoTRS}$ exploits a $1$-out-of-$N$ proof to significantly improve efficiency. $\mathsf{LoTRS}$ concretely instantiates the aggregated signing layer using $\mathsf{DualMS}$ (Crypto'23) and the selection-hiding layer arising from Esgin et al.'s lattice-based one-out-of-many proof (IEEE S&P'22). Our $(T, N\!\cdot\!T)$-$\mathsf{LoTRS}$ construction achieves $\mathsf{polylog}(N, T)$ signature size and outperforms $(T, N)$-TRS schemes significantly. For example, for $N=100$ and $T=50$, our signature size is only $36$ KB, which is $\approx3.5 \times$ smaller than the previously best performing lattice-based scheme $\mathsf{LastRings}$ by Jeon et al (ISC'25). Our Rust reference implementation further supports practicality: for $T=16$ and $N=32$, i.e., structured ring size $T\cdot N = 512$, it produces $25$ KB signatures, with mean signing time $149$ ms and verification time $43$ ms in a release build on a Ryzen AI 9 HX 370 laptop.

In side-channel analysis of ML-KEM (a NIST-standard PQC algorithm), SASCA is a powerful profiling attack. However, obtaining a profiling device strictly matching the target is challenging in practice. To address this, we propose the first profiling-device-free SASCA framework for ML-KEM. The framework first controls the NTT input by choosing ciphertexts and trains a leakage model. Subsequently, leveraging the similarity between NTT and INTT, it uses adversarial unsupervised domain adaptation to fine-tune the model for INTT and recover its secret input. Validated on real embedded devices, the framework achieves effective key recovery using a comparable number of traces to profiling SASCA.

Cryptographic group actions have gained significant attention in recent years for their application on post-quantum Sigma protocols and digital signatures. In NIST's recent additional call for post-quantum signatures, three relevant proposals are based on group actions: LESS, MEDS, and ALTEQ. This work explores signature optimisations leveraging a group's factorisation. We show that if the group admits a factorisation as a semidirect product of subgroups, the group action can be restricted on a quotient space under the equivalence relation induced by the factorisation. If the relation is efficiently decidable, we show that it is possible to construct an equivalent Sigma protocol for a relationship that depends only on one of the subgroups. Moreover, if a special class of representative of the quotient space is efficiently computable via a canonical form, the restricted action is effective and does not incur in security loss. Finally, we apply these techniques to the group actions underlying LESS and MEDS, showing how they will affect the length of signatures and public keys.

A key-independent secret-key distinguisher identifies structural deviations from an ideal random permutation without discovering any information about the secret key. It is therefore of primary importance for understanding the inherent properties of a block cipher's round function. While numerous key-independent secret-key distinguishers have been proposed for 5- and 6-round AES, none has been proposed for 7-round AES to date. In this paper, we propose the first key-independent secret-key distinguisher for 7-round AES, which exploits solely the structural properties of the round function. We propose the Joint Generalized Zero-Difference Property, where a quartet constructed from related differences satisfies three distinct generalized zero-difference properties simultaneously. By leveraging this joint property, we construct a new 7-round differential characteristic that a right quartet follows with a probability of $2^{-250.4}$, whereas a random permutation satisfies the same conditions with a probability of $2^{-253.4}$. Based on this characteristic, we design a distinguishing attack requiring data, time, and memory complexities of $2^{126.2}$. Our analysis confirms that the proposed distinguisher achieves a success probability of approximately 77.8%. We experimentally verify the joint property using small-scale AES, confirming that the theoretical predictions match the observed results. This work achieves the longest-round key-independent secret-key distinguisher for AES reported to date.

Dynamic-committee Proactive Secret Sharing (DPSS) has gained increased attention for its ability to dynamically update the shareholder committees and refresh secret shares, even against adversaries that gradually corrupt all nodes. However, existing state-of-the-art asynchronous DPSS protocols suffer from significant $\mathcal{O}(n^3)$ message complexity and $\mathcal{O}(\lambda n^3)$ communication complexity, where $\lambda$ denotes the security parameter and $n$ is the committee size. In this paper, we distinguish optimistic-case and worst-case scenarios based on node behaviors and network conditions, thus reducing the redundant communication overhead of asynchronous DPSS. Under the trusted setup assumption, we achieved an $\mathcal{O}(n^2)$ message complexity in all scenarios. Additionally, our protocol has an $\mathcal{O}(\lambda n^2)$ communication complexity in the optimistic case, where all nodes are honest and the network is synchronous, and $\mathcal{O}(\lambda n^3)$ communication complexity in the worst case. We also propose two strategies to eliminate the strong trusted setup assumptions, and the asymptotic performance still surpasses the state-of-the-art protocols. For committee sizes of 4 to 400, the estimated concrete communication cost of our DPSS is 19--100x (resp., 8--14x) smaller in the optimistic case (resp., worst case) compared to LongLive (USENIX Security '23). Experiments in AWS show that our DPSS achieves a latency of 1.9--8 seconds for committee sizes from 4 to 64. Single-machine benchmarks reveal a (computational) runtime reduction of up to 44\%.

Recent work at Eurocrypt 2025 by Basso and Maino introduced POKÉ, an isogeny-based public key encryption (PKE) scheme. POKÉ shows how two parties can derive a shared secret on a higher-dimensional, SIDH-like commutative diagram via basis evaluations, giving the fastest isogeny-based PKE to date with performance comparable to the original SIDH. In this paper we present PIKE, a new isogeny-based PKE obtained by tweaking the POKÉ design. Our key change is to use pairings to derive the shared secret while preserving post-quantum security. This brings two benefits: (i) decryption is directly faster, and (ii) by relaxing the required prime form, we can choose smaller primes, further improving overall runtime. We provide a proof-of-concept implementation in SageMath. Under the NIST~I setting, our benchmarks show speedups of $1.30\times$ (key generation), $1.24\times$ (encryption), and $1.47\times$ (decryption) over POKÉ, while maintaining competitive public key and ciphertext sizes. In addition, we provide a C implementation. The encryption and decryption take 53~Mcycles (23~ms) and 34~Mcycles (15~ms) on an Intel i7 2.3 GHz CPU, respectively.

In this work, we revisit the dual attack framework proposed by Pouly and Shen, focusing on the lattice Gaussian sampling term that is a significant bottleneck in the overall attack complexity. We show that this sampling step can be quantumly accelerated by combining the lower bound underlying Wang and Ling's analysis of Klein's algorithm with the quantum rejection sampling (QRS) framework proposed by Ozols et al. Specifically, this lower bound gives precisely the pointwise condition required for quantum rejection sampling when given coherent oracle access to a truncated Klein proposal distribution, which yields a quantum procedure for preparing the truncated dual $q$-ary lattice Gaussian with a quadratic reduction in the sampling complexity. The truncation radius is chosen so that the truncated distribution is negligibly close to the full lattice Gaussian in total variation distance. Substituting this sampler into their dual attack framework results in reduced overall attack-cost estimates. Compared with the Pouly and Shen dual attack (no modulus switching), our method reduces the estimated attack cost by $9$, $4$, and $13$ bits for Kyber-512, Kyber-768, and Kyber-1024 respectively.

TLA$^+$ (Temporal Logic of Actions) is a formal specification language well-suited for distributed systems. However, writing proper TLA$^+$ scripts requires high domain expertise. When it comes to modeling Byzantine behaviors for Byzantine fault-tolerant consensus protocols, the simulation of malicious behavior is a fundamental challenge: overly simplified modeling misses critical vulnerabilities, and verbose modeling leads to state-space explosion. In this paper, we present TLAssist, a large language model (LLM)-assisted tool for semi-automated TLA$^+$ generation tailored for Byzantine reliable broadcast (RBC) protocols. We provide a highly structured workflow and domain-specific data format to improve the quality of LLM prompts. Using five RBC protocols as case studies, we have some interesting findings. First, the specification generated by TLAssist outperforms many open-source TLA$^+$ scripts we are aware of, including those written by domain experts. Second, TLAssist can assist domain experts in identifying deep design flaws. Notably, our case study on the (2,3,4)-Optimistic RBC (a CCS'25 distinguished paper) captures a subtle issue that causes the violation of the totality property. Finally, TLAssist is useful for non-experts. Namely, we show that by revising the protocols slightly, the generated error traces effectively show complex corner cases that can facilitate understanding of the design.

Cloud computing has become the standard for large-scale computation, offering elastic scalability and on-demand resources that exceed typical on-premise capabilities. However, many large-scale computations over sensitive data -- such as genome-wide association studies (GWAS) -- face significant barriers to cloud adoption due to privacy concerns and regulatory constraints. While cryptographic primitives like multi-party computation can alleviate these concerns through provable privacy guaranties, their substantial communication and computational overhead can make cloud deployment cost-prohibitive. To address both privacy and cost constraints, we present ThriftyMPC. ThriftyMPC is a framework that leverages spot instances (ephemeral cloud compute at reduced rates) to enable cost-effective, privacy-preserving computation at scale by combining secure multi-party computation with preemption-tolerant execution. We introduce a formal model for multi-party execution under ephemeral compute conditions, demonstrate how ThriftyMPC handles spot instance preemptions while maintaining cryptographic security guaranties, and provide a formal discussion of these guaranties. Our evaluations on realistic GWAS-inspired workloads over the Google Cloud Platform demonstrate robust execution despite spot instance churn, and show significant cost reduction compared to the state-of-the-art multi-party computation framework (MP-SPDZ) run traditionally using on-demand instances. We show that leveraging multi-party computation on spot instances makes privacy-preserving computation economically viable, enabling organizations to harness the cloud for sensitive workloads previously confined to isolated, on-premise deployments.

Threshold ECDSA signing has become a standard building block for securing cryptocurrency assets, with the protocol of Doerner, Kondi, Lee, and shelat (DKLs, IEEE S&P 2024) emerging as a leading solution due to its efficiency and widespread industry adoption. In this work, we revisit the DKLs protocol to evaluate its concrete security and implementation trade-offs: * Vector Oblivious Linear Evaluation (VOLE): We identify subtle issues in the underlying OT-based Vector Oblivious Linear Evaluation (VOLE) sub-protocol, showing that original parameter choices must be adjusted to reach intended security levels. To address this, we provide a complete analysis of three VOLE variants offering different trade-offs between bandwidth and round complexity. * Two-Party Signing: We introduce an optimized two-party signing protocol that shifts the majority of computation and communication to a message- and key-independent preprocessing phase. This results in an exceptionally efficient online phase where each party exchanges only 0.2KB, a roughly 600 times reduction in communication compared to the full protocol, without being susceptible to known ``pre-signature'' attacks. Our findings consolidate the security of the protocol while providing significant efficiency improvements for practical deployment and standardization.

Poseidon/Poseidon2 and Neptune use sparse S-box activation in internal partial rounds to reduce arithmetization cost. This structure makes linear subspace trails relevant to algebraic attacks. If the initial state is restricted to a suitable linear subspace, then subsequent internal states may remain in prescribed linear subspaces for a number of rounds. The corresponding partial rounds therefore do not increase the degree of the resulting polynomial system. Existing analyses use this property to estimate the complexity of reduced round preimage attacks. It is therefore important to understand how long such linear subspace trails can persist. We revisit infinite and finite linear subspace trails in Poseidon-like designs. First, we study the invariant subspace conditions on Poseidon that give rise to infinitely long trails. We relate these conditions to the characteristic polynomials of the Cauchy MDS matrices used in Poseidon, and we discuss qualitatively why they are unlikely over fields of large characteristic. Second, we analyze finite linear trails for internal partial rounds in a state of width $t$, where each round activates $s$ S-box coordinates. Under the rank-growth condition stated in this paper, when no such invariant subspace exists, a finite trail has length at most $\lceil t/s\rceil-1$. For Poseidon, $s=1$, this gives at most $t-1$ consecutive linearized internal partial rounds. Considering preimage attacks in sponge mode with rate $r$, capacity $c$, and digest size $d$, the available extra constraint budget is $Ec=r-\min\{c,d\}$. For Poseidon, the finite trail bound and this constraint budget together determine how many internal partial rounds can be linearized in the corresponding attack model. For Poseidon2 and Neptune, although MDS-based finite trail bound is not claimed, in the common $s=1$ setting the realizable trail length is still bounded by $Ec$.

Bootstrapping is the key technique that turns leveled homomorphic encryptionc into fully homomorphic encryption, but it remains a major efficiency bottleneck. Recent work by Z. Liu and Y. Wang (ASIACRYPT 2023) showed how to bootstrap \(N\) LWE ciphertexts with total cost of \(\widetilde{O}(N)\) polynomial multiplications based on the BFV scheme. However, their results achieve \(\widetilde{O}(1)\) complexity only through amortization over large batches, and do not give a genuine non-amortized \(\widetilde{O}(1)\) bound for a single ciphertext. In this paper, we present a BFV-based functional bootstrapping algorithm for arbitrary functions over large plaintext spaces with total cost of \(\widetilde{O}(1)\) polynomial multiplications for one LWE ciphertext. The same construction also supports small and moderate batches, and processes a batch of \(m\) ciphertexts with total cost \(\widetilde{O}(m)\) in the supported parameter range. The main technical ingredient is a sparse-packing polynomial-evaluation method for BFV ciphertexts, which exploits the duplicated-slot structure to evaluate an arbitrary polynomial on \(m\) encrypted inputs with total cost of \(\widetilde{O}(m)\). We implement the scheme in Lattigo using the BFV scheme. At 128 bit security and on a single thread, bootstrapping an arbitrary function takes 3.15 seconds for one ciphertext encrypting a 9-bit plaintext and 3.77 seconds for 128 such ciphertexts in one batched invocation. For 16-bit plaintexts, it takes 10.63 seconds for one ciphertext and 18.07 seconds for 16 ciphertexts. These results show that non-amortized single-ciphertext functional bootstrapping, as well as small and moderate batch bootstrapping, can be practical for arbitrary functions over relatively large plaintext spaces.

Code-based fair data exchange (FDE) substantially reduces client work by checking only a Fiat--Shamir sample of a redundant Reed--Solomon codeword. The most practical prior construction, VECK\(^{\star}_{\mathrm{EL}}\), still pays a large prover cost because sampled ElGamal consistency is enforced inside the SNARK circuit. We present a code-based FDE construction that removes these sampled in-circuit ElGamal gadgets. The ciphertext is produced by hash-based masking, sampled consistency with the committed file is certified by KZG commitments, and a small commit-and-prove SNARK checks masking, interpolation, and the key relation \(vk=h^{sk}\). CP-linking is used to bind the hidden opening value \(u_\alpha\) to \(U_\alpha=g_1^{u_\alpha}\). This change reduces the SNARK constraint count by about \(20\times\) and, in our benchmark instantiation, allows the implementation to use BLS12-381 directly instead of the curve cycle required by VECK\(^{\star}_{\mathrm{EL}}\). For \(2^{20}\) scalar-field elements in that instantiation, our prover time is 3.07 seconds at sample size 512 and 3.8 seconds at sample size 1024, compared with 21.7 and 41 seconds for VECK\(^{\star}_{\mathrm{EL}}\). Verification remains sample-size dependent but file-size independent after the ciphertext transcript is fixed, and takes 10--21 ms in our implementation.

We present Frobenius-UOV, a multivariate public-key signature scheme in the Unbalanced Oil and Vinegar (UOV) family. The scheme replaces generic quadratic polynomials with a structured subclass based on Frobenius-type quadratic forms, yielding a compressed public-key representation while retaining the efficient UOV signing procedure. We describe the key-generation, signing, and verification algorithms, and we detail the derivation of the public system from a compact secret description. We discuss security in the standard multivariate setting, including direct algebraic attacks and key-recovery approaches, and we formalize the underlying computational problems induced by the proposed structure. Finally, we report implementation results quantifying the costs of key generation, signing, and verification, as well as the resulting public-key and signature sizes.

Unbiased and unpredictable randomness is a cornerstone of Web3 security, underpinning everything from consensus protocols to DeFi logic. Although Distributed Verifiable Random Functions (DVRFs) eliminate central points of failure, current designs often have to compromise performance. Most existing protocols are hindered by one of three limitations: proofs that scale linearly with the number of participants, high computational cost of bilinear pairings, or latency introduced by mandatory interactive steps during generation. In this work, we present Icy-DVRF, a protocol that improves DVRFwCP by employing a preprocessing scheme similar to FROST to reduce the number of interaction rounds among participants, by lowering the additional communication cost from $O(n^2 t)$ to $O(t)$ while maintaining constant-size proofs. The downside of our construction is that, relative to DDH-DVRF and GLOW-DVRF, this approach incurs an additional off-chain communication round due to the threshold structure of our non-interactive zero-knowledge proof. This architecture ensures that verification costs remain low, regardless of the set of participants. We evaluate Icy-DVRF against established standards and demonstrate that our protocol achieves a substantial efficiency gain over pairing-based alternatives. While theoretical estimates suggest verification costs of approximately one quarter of those of standard designs, our empirical benchmarks on the Sepolia testnet, utilizing the EIP-2537: Precompile for BLS12-381 curve operations, confirm that Icy-DVRF requires only 88,803 gas for full execution. This represents a significant 43.02\% reduction in total gas consumption compared to existing pairing-based constructions, saving 67,035 gas per on-chain verification.

We study $t$-out-of-$n$ threshold fully homomorphic encryption (ThFHE) based on Shamir secret sharing (SSS) in the asynchronous setting. A central bottleneck for SSS-based ThFHE is that Lagrange reconstruction during distributed decryption can amplify noise, forcing a substantially larger ciphertext modulus to maintain correctness. In this work, we revisit SSS-based ThFHE and give a rigorous analysis of the correctness and simulation-security constraints that govern parameter choices. We then compare families of Lagrange interpolation points through the lens of these constraints. Our main contributions are analytic bounds that closely track empirical behavior and significantly reduce the modulus overhead required for distributed decryption. For example, for $n = 512$, our analysis reduces this modulus overhead (in bits) by 30% for $t = n/2$ and by up to 90% for $t$ close to $n$, compared to prior parameterizations.

Enhanced Gabidulin Matrix Codes (EGMC), introduced by Aragon, Couvreur, Dyseryn, Gaborit, and Vincotte at Asiacrypt 2024, were designed to hide the algebraic structure of Gabidulin matrix codes while enabling very compact McEliece- and Niederreiter-type encryption schemes, with ciphertexts as small as 65 bytes at the claimed 128-bit security level. Their security relies on the assumption that a masked EGMC code is hard to distinguish from a random matrix code. We show that this enhanced construction leaves enough structure for an equivalent code of the secret key to be recovered. Unlike previous cryptanalysis, our attack combines combinatorial and algebraic techniques to recover a Gabidulin-equivalent compressed code. This code can then be extended to a full-length equivalent secret key in polynomial time. As a result, the attack provides both a distinguisher and a key-recovery attack against the EGMC encryption schemes. The attack breaks all 16 proposed EGMC parameter sets by large margins. For example, for the claimed 128-bit parameter set $(2,17,37,4,0)$, it reduces the security level from 186 bits to 35 bits. In our implementation, the equivalent secret key is recovered in less than 10 minutes.