<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link href="/css/dist/css/bootstrap.min.css" rel="stylesheet"> <title>Search results</title> <link rel="stylesheet" href="/css/eprint.css?v=10"> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /> <link rel="apple-touch-icon" href="/img/apple-touch-icon-180x180.png" /> <style> input { background-color: #e8e8e8 !important; } mark { font-weight: 600; padding: .2em 0px .2em 0px; color: black; } span.term { font-weight: 700 !important; font-family: var(--bs-font-monospace), monospace !important; } form { background-color:#fff; } @media (min-width: 768px) { form { position:sticky;top:6rem; } } </style> <meta name="description" content="Search the Cryptology ePrint Archive"> </head> <body> <noscript> <h1 class="text-center">What a lovely hat</h1> <h4 class="text-center">Is it made out of <a href="https://iacr.org/tinfoil.html">tin foil</a>?</h4> </noscript> <div class="fixed-top" id="topNavbar"> <nav class="navbar navbar-custom navbar-expand-lg"> <div class="container px-0 justify-content-between justify-content-lg-evenly"> <div class="order-0 align-items-center d-flex"> <button class="navbar-toggler btnNoOutline" type="button" data-bs-toggle="collapse" data-bs-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false"> <span class="icon-bar top-bar"></span> <span class="icon-bar middle-bar"></span> <span class="icon-bar bottom-bar"></span> </button> <a class="d-none me-5 d-lg-inline" href="https://iacr.org/"><img class="iacrlogo" src="/img/iacrlogo_small.png" alt="IACR Logo" style="max-width:6rem;"></a> </div> <a class="ePrintname order-1" href="/"> <span class="longNavName">Cryptology ePrint Archive</span> </a> <div class="collapse navbar-collapse order-3" id="navbarContent"> <ul class="navbar-nav me-auto ms-2 mb-2 mb-lg-0 justify-content-end w-100"> <li class="ps-md-3 nav-item dropdown"> 
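<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Papers </a>
<ul class="dropdown-menu me-3" aria-labelledby="navbarDropdown">
  <!-- A <ul> may only contain <li> children; the group label is wrapped so the menu stays valid HTML
       (rendering is unchanged: the list has no bullets and <li> carries no dropdown styling). -->
  <li><span class="text-dark mx-3" style="white-space:nowrap;">Updates from the last:</span></li>
  <li><a class="dropdown-item ps-custom" href="/days/7">7 days</a></li>
  <li><a class="dropdown-item ps-custom" href="/days/31">31 days</a></li>
  <li><a class="dropdown-item ps-custom" href="/days/183">6 months</a></li>
  <li><a class="dropdown-item ps-custom" href="/days/365">365 days</a></li>
  <li><hr class="dropdown-divider"></li>
  <li><a class="dropdown-item" href="/byyear">Listing by year</a></li>
  <li><a class="dropdown-item" href="/complete">All papers</a></li>
  <li><a class="dropdown-item" href="/complete/compact">Compact view</a></li>
  <li><a class="dropdown-item" href="https://www.iacr.org/news/subscribe">Subscribe</a></li>
  <li><hr class="dropdown-divider"></li>
  <li><a class="dropdown-item" href="/citation.html">How to cite</a></li>
  <li><hr class="dropdown-divider"></li>
  <li><a class="dropdown-item" href="/rss">Harvesting metadata</a></li>
</ul>
</li>
<li class="ps-md-3 nav-item dropdown">
  <a class="nav-link dropdown-toggle" href="#" id="submissionsDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Submissions </a>
  <ul class="dropdown-menu me-3" aria-labelledby="submissionsDropdown">
    <li><a class="dropdown-item" href="/submit">Submit a paper</a></li>
    <li><a class="dropdown-item" href="/revise">Revise or withdraw a paper</a></li>
    <li><a class="dropdown-item" href="/operations.html">Acceptance and publishing conditions</a></li>
  </ul>
</li>
<li class="ps-md-3 nav-item dropdown">
  <a class="nav-link dropdown-toggle" href="#" id="aboutDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> About </a>
  <ul class="dropdown-menu me-3" aria-labelledby="aboutDropdown">
    <li><a class="dropdown-item" href="/about.html">Goals and history</a></li>
    <li><a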
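class="dropdown-item" href="/news.html">News</a></li>
    <li><a class="dropdown-item" href="/stats">Statistics</a></li>
    <li><a class="dropdown-item" href="/contact.html">Contact</a></li>
  </ul>
</li>
</ul>
</div>
<div class="dropdown ps-md-2 text-right order-2 order-lg-last">
  <button class="btn btnNoOutline" type="button" id="dropdownMenuButton1" data-bs-toggle="dropdown" aria-expanded="false">
    <img src="/img/search.svg" class="searchIcon" alt="Search Button">
  </button>
  <div id="searchDd" class="dropdown-menu dropdown-menu-end p-0" aria-labelledby="dropdownMenuButton1">
    <form action="/search" method="GET">
      <div class="input-group">
        <input id="searchbox" name="q" type="search" class="form-control" autocomplete="off">
        <!-- Explicit type: a bare <button> inside a form submits it only by default; state the intent. -->
        <button class="btn btn-secondary border input-group-append ml-2" type="submit"> Search </button>
      </div>
    </form>
    <div class="ms-2 p-1 d-none"><a href="/search">Advanced search</a></div>
  </div>
</div>
</div>
</nav>
</div>
<main id="eprintContent" class="container px-3 py-4 p-md-4">
  <div class="row">
    <div class="col-12 col-lg-4">
      <!-- NOTE(review): the inline onsubmit handler needs 'unsafe-inline' in a script-src CSP;
           binding validateForm() with addEventListener in the page script would let a strict CSP apply. -->
      <form class="p-2 pt-md-4 align-items-end needs-validation" novalidate onsubmit="return validateForm()" method="GET" action="/search">
        <label for="anything" class="mt-2 form-label">Match anything</label>
        <input type="text" name="q" class="form-control form-control-sm" id="anything" aria-label="Match anything" value="differe*">
        <label for="title" class="mt-4 form-label">Match title</label>
        <input type="text" name="title" class="form-control form-control-sm" id="title" aria-label="Match title" value="">
        <label for="authors" class="mt-4 form-label">Match authors</label>
        <input type="text" name="authors" class="form-control form-control-sm" id="authors" aria-label="Match authors" value="">
        <label for="category" class="mt-4 form-label">Category</label><br>
        <select class="form-select form-select-sm" id="category" name="category" aria-label="Category">
          <option value="">All categories</option>
          <option value="APPLICATIONS">Applications</option>
          <option value="PROTOCOLS">Cryptographic protocols</option>
          <option value="FOUNDATIONS">Foundations</option>
          <option value="IMPLEMENTATION">Implementation</option>
          <option value="SECRETKEY">Secret-key cryptography</option>
          <option value="PUBLICKEY">Public-key cryptography</option>
          <option value="ATTACKS">Attacks and cryptanalysis</option>
        </select>
        <!-- Year bounds. An unset filter renders as value="" instead of the template's stringified
             "None", which is not a valid number and was being discarded by the browser anyway. -->
        <div class="row d-none d-lg-flex">
          <div class="col-6">
            <label for="submittedafter" class="mt-4 form-label">Submitted after</label><br>
            <input class="form-control form-control-sm" type="number" min="1996" id="submittedafter" name="submittedafter" aria-label="Submitted after" value="" placeholder="Enter a year">
          </div>
          <div class="col-6">
            <label for="submittedbefore" class="mt-4 form-label">Submitted before</label><br>
            <input class="form-control form-control-sm" type="number" min="1996" id="submittedbefore" name="submittedbefore" aria-label="Submitted before" value="" placeholder="Enter a year">
            <div class="invalid-feedback"> Dates are inconsistent </div>
          </div>
        </div>
        <div class="row d-none d-lg-flex">
          <div class="col-6">
            <label for="revisedafter" class="mt-4 form-label">Revised after</label><br>
            <input class="form-control form-control-sm" type="number" min="1996" id="revisedafter" name="revisedafter" aria-label="Revised after" placeholder="Enter a year" value="">
            <div class="invalid-feedback"> Dates are inconsistent </div>
          </div>
          <div class="col-6">
            <label for="revisedbefore" class="mt-4 form-label">Revised before</label><br>
            <input class="form-control form-control-sm" type="number" min="1996" id="revisedbefore" name="revisedbefore" aria-label="Revised before" value="" placeholder="Enter a year">
          </div>
        </div>
        <div class="d-none d-lg-flex mt-3">
          <div class="form-check">
            <input type="checkbox" id="relevance" name="relevance">
            <label for="relevance" class="form-check-label ms-2">Sort by relevance</label>
          </div>
        </div>
        <div class="mt-3 d-flex">
          <button class="btn btn-primary btn-sm" type="submit">Search</button>
          <button id="clearButton" class="btn btn-secondary btn-sm ms-2" type="button">Clear</button>
          <button id="helpButton" class="btn btn-info btn-sm ms-auto" type="button" data-bs-toggle="modal" data-bs-target="#helpModal">Help</button>
        </div>
      </form>
      <!-- The dialog is named by its title so assistive technology announces "Search Help" when it opens. -->
      <div class="modal" tabindex="-1" id="helpModal" aria-labelledby="helpModalLabel">
        <div class="modal-dialog modal-lg">
          <div class="modal-content">
            <div class="modal-header">
              <h4 class="modal-title" id="helpModalLabel">Search Help</h4>
              <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
            </div>
            <div class="modal-body">
              <p> You can search for a phrase by enclosing it in double quotes, e.g., <span class="term text-nowrap"><a href="/search?q=%22differential%20privacy%22">"differential privacy"</a></span>. </p>
              <p> You can require or exclude specific terms using + and -. For example, to search for papers that contain the term elliptic but not the term factoring, use <span class="term text-nowrap"><a href="/search?q=%2Belliptic%20-factoring">+elliptic -factoring</a></span> </p>
              <p> To search in a title or for author name, use <span class="term text-nowrap"><a href="/search?q=title%3Aisogeny%20author%3Aboneh">title:isogeny author:boneh</a></span>. If you want to require both, you can use <span class="term text-nowrap"><a href="/search?q=title%3Aisogeny%20AND%20author%3Aboneh">title:isogeny AND author:boneh</a></span> because it recognizes logical operators <span class="term">AND</span> and <span class="term">OR</span>. This is equivalent to <a href="/search?title=isogeny&amp;authors=boneh">using the individual fields</a> for author and title. You can also use NOT to negate a condition, as with <span class="term text-nowrap"><a href="/search?q=title%3Aisogeny%20AND%20NOT%20author%3Aboneh">title:isogeny AND NOT author:boneh</a></span> to search for papers with an author other than Boneh.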
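</p>
              <p> To find documents containing a term starting with the string <span class="term">differe</span>, use <span class="term"><a href="/search?q=differe%2A">differe*</a></span>. This will match the terms difference, different, and differential </p>
              <p> Note that search applies stemming, so that if you search for <span class="term">yield</span> it will also match terms <span class="term">yields</span> and <span class="term">yielding</span>. If you want to disable stemming, capitalize the term. A search for <span class="term">Adam</span> will not match the term 'Adams'. </p>
              <p> The system attempts to recognize possible misspellings. This is perhaps a source of amusement more than anything else. </p>
              <p> This currently searches the text in titles, authors, abstracts, and keywords, but does not search in the PDF or PS itself. </p>
            </div>
            <div class="modal-footer">
              <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
            </div>
          </div>
        </div>
      </div>
      <!-- NOTE(review): the server-side debug comment below exposes the backend's parsed query
           structure to every visitor; consider emitting it only in a development configuration. -->
      <!-- Parsed query: Query((WILDCARD SYNONYM differe AND_MAYBE PostingSource(Xapian::ValueWeightPostingSource(slot=2)))) -->
    </div>
    <div class="col-12 col-lg-8" style="min-height:80vh">
      <!-- Closing tag corrected: the heading was opened as <h4> but closed as </h5>. -->
      <h4 class="mt-3 ms-4">5200 results sorted by ID</h4>
      <div class="ms-lg-4 mt-3 results">
        <div class="mb-4">
          <div class="d-flex"><a title="2025/566" class="paperlink" href="/2025/566">2025/566</a> <span class="ms-2"><a href="/2025/566.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-28</small> </div>
          <div class="ms-md-4">
            <div class="d-flex flex-column flex-md-row justify-content-between">
              <div>
                <strong>Cryptanalysis of Fruit-F: Exploiting Key-Derivation Weaknesses and Initialization Vulnerabilities</strong>
                <div class="mt-1"><span class="fst-italic">Subhadeep Banik, Hailun Yan</span></div>
              </div>
              <div class="float-end mt-1 ms-md-3">
                <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small>
              </div>
            </div>
            <p class="mb-0 mt-1 search-abstract">Fruit-F is a lightweight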
short-state stream cipher designed by Ghafari et al. The authors designed this version of the cipher, after earlier versions of the cipher viz. Fruit 80/v2 succumbed to correlation attacks. The primary motivation behind this design seemed to be preventing correlation attacks. Fruit-F has a Grain-like structure with two state registers of size 50 bits each. In addition, the cipher uses an 80-bit secret key and an 80-bit IV. The authors use a complex key-derivation...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/564" class="paperlink" href="/2025/564">2025/564</a> <span class="ms-2"><a href="/2025/564.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Combined Masking and Shuffling for Side-Channel Secure Ascon on RISC-V</strong> <div class="mt-1"><span class="fst-italic">Linus Mainka, Kostas Papagiannopoulos</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Both masking and shuffling are very common software countermeasures against side-channel attacks. However, exploring possible combinations of the two countermeasures to increase and fine-tune side-channel resilience is less investigated. With this work, we aim to bridge that gap by both concretising the security guarantees of several masking and shuffling combinations presented in earlier work and additionally investigating their randomness cost. 
We subsequently implement these approaches to...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/558" class="paperlink" href="/2025/558">2025/558</a> <span class="ms-2"><a href="/2025/558.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Breaking and Fixing Content-Defined Chunking</strong> <div class="mt-1"><span class="fst-italic">Kien Tuong Truong, Simon-Philipp Merz, Matteo Scarlata, Felix Günther, Kenneth G. Paterson</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Content-defined chunking (CDC) algorithms split streams of data into smaller blocks, called chunks, in a way that preserves chunk boundaries when the data is partially changed. CDC is ubiquitous in applications that deduplicate data such as backup solutions, software patching systems, and file hosting platforms. Much like compression, CDC can introduce leakage when combined with encryption: fingerprinting attacks can exploit chunk length patterns to infer information about the data. 
To...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/550" class="paperlink" href="/2025/550">2025/550</a> <span class="ms-2"><a href="/2025/550.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Exact Formula for RX-Differential Probability through Modular Addition for All Rotations</strong> <div class="mt-1"><span class="fst-italic">Alex Biryukov, Baptiste Lambin, Aleksei Udovenko</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This work presents an exact and compact formula for the probability of rotation-xor differentials (RX-differentials) through modular addition, for arbitrary rotation amounts, which has been a long-standing open problem. The formula comes with a rigorous proof and is also verified by extensive experiments. Our formula uncovers error in a recent work from 2022 proposing a formula for rotation amounts bigger than 1. 
Surprisingly, it also affects correctness of the more studied and used...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/543" class="paperlink" href="/2025/543">2025/543</a> <span class="ms-2"><a href="/2025/543.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-25</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Models of Kummer lines and Galois representations</strong> <div class="mt-1"><span class="fst-italic">Razvan Barbulescu, Damien Robert, Nicolas Sarkis</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In order to compute a multiple of a point on an elliptic curve in Weierstrass form one can use formulas in only one of the two coordinates of the points. These $x$-only formulas can be seen as an arithmetic on the Kummer line associated to the curve. In this paper, we look at models of Kummer lines, and define an intrinsic notion of isomorphisms of Kummer lines. This allows us to give conversion formulas between Kummer models in a unified manner. 
When there is one rational point $T$ of...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/537" class="paperlink" href="/2025/537">2025/537</a> <span class="ms-2"><a href="/2025/537.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improved Framework of Related-key Differential Neural Distinguisher and Applications to the Standard Ciphers</strong> <div class="mt-1"><span class="fst-italic">Rui-Tao Su, Jiong-Jiong Ren, Shao-Zhen Chen</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In recent years, the integration of deep learning with differential cryptanalysis has led to differential neural cryptanalysis, enabling efficient data-driven security evaluation of modern cryptographic algorithms. Compared to traditional differential cryptanalysis, differential neural cryptanalysis enhances the efficiency and automation of the analysis by training neural networks to automatically extract statistical features from ciphertext pairs. 
As research advances, neural distinguisher...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/520" class="paperlink" href="/2025/520">2025/520</a> <span class="ms-2"><a href="/2025/520.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Masking-Friendly Post-Quantum Signatures in the Threshold-Computation-in-the-Head Framework</strong> <div class="mt-1"><span class="fst-italic">Thibauld Feneuil, Matthieu Rivain, Auguste Warmé-Janville</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Side-channel attacks pose significant threats to cryptographic implementations, which require the inclusion of countermeasures to mitigate these attacks. In this work, we study the masking of state-of-the-art post-quantum signatures based on the MPC-in-the-head paradigm. More precisely, we focus on the recent threshold-computation-in-the-head (TCitH) framework that applies to some NIST candidates of the post-quantum standardization process. 
We first provide an analysis of side-channel attack...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/511" class="paperlink" href="/2025/511">2025/511</a> <span class="ms-2"><a href="/2025/511.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>VeriSSO: A Privacy-Preserving Legacy-Compatible Single Sign-On Protocol Using Verifiable Credentials</strong> <div class="mt-1"><span class="fst-italic">Ifteher Alom, Sudip Bhujel, Yang Xiao</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Single Sign-On (SSO) is a popular authentication mechanism enabling users to access multiple web services with a single set of credentials. Despite its convenience, SSO faces outstanding privacy challenges. The Identity Provider (IdP) represents a single point of failure and can track users across different Relying Parties (RPs). Multiple colluding RPs may track users through common identity attributes. 
In response, anonymous credential-based SSO solutions have emerged to offer...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/505" class="paperlink" href="/2025/505">2025/505</a> <span class="ms-2"><a href="/2025/505.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-17</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Capitalized Bitcoin Fork for National Strategic Reserve</strong> <div class="mt-1"><span class="fst-italic">Charanjit Singh Jutla, Arnab Roy</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We describe a strategy for a nation to acquire majority stake in Bitcoin with zero cost to the taxpayers of the nation. We propose a bitcoin fork sponsored by the the government of the nation, and backed by the full faith of treasury of the nation, such that the genesis block of this fork attributes fixed large amount of new kinds of tokens called strategic-reserve-bitcoin tokens (SRBTC) to the nation's treasury, which is some multiple (greater than one) of the amount of all Bitcoin tokens...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/496" class="paperlink" href="/2025/496">2025/496</a> <span class="ms-2"><a href="/2025/496.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Shortcut2Secrets: A Table-based Differential Fault Attack Framework</strong> <div class="mt-1"><span class="fst-italic">Weizhe Wang, Pierrick Méaux, Deng Tang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Recently, Differential Fault Attacks 
(DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}. The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/491" class="paperlink" href="/2025/491">2025/491</a> <span class="ms-2"><a href="/2025/491.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-15</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Blind Brother: Attribute-Based Selective Video Encryption</strong> <div class="mt-1"><span class="fst-italic">Eugene Frimpong, Bin Liu, Camille Nuoskala, Antonis Michalas</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The emergence of video streams as a primary medium for communication and the demand for high-quality video sharing over the internet have given rise to several security and privacy issues, such as unauthorized access and data breaches. To address these limitations, various Selective Video Encryption (SVE) schemes have been proposed, which encrypt specific portions of a video while leaving others unencrypted. 
The SVE approach balances security and usability, granting unauthorized users access...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/490" class="paperlink" href="/2025/490">2025/490</a> <span class="ms-2"><a href="/2025/490.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>PREAMBLE: Private and Efficient Aggregation of Block Sparse Vectors and Applications</strong> <div class="mt-1"><span class="fst-italic">Hilal Asi, Vitaly Feldman, Hannah Keller, Guy N. Rothblum, Kunal Talwar</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We revisit the problem of secure aggregation of high-dimensional vectors in a two-server system such as Prio. These systems are typically used to aggregate vectors such as gradients in private federated learning, where the aggregate itself is protected via noise addition to ensure differential privacy. Existing approaches require communication scaling with the dimensionality, and thus limit the dimensionality of vectors one can efficiently process in this setup. We propose PREAMBLE:...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/487" class="paperlink" href="/2025/487">2025/487</a> <span class="ms-2"><a href="/2025/487.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>webSPDZ: Versatile MPC on the Web</strong> <div class="mt-1"><span class="fst-italic">Thomas Buchsteiner, Karl W. 
Koch, Dragos Rotaru, Christian Rechberger</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Multi-party computation (MPC) has become increasingly practical in the last two decades, solving privacy and security issues in various domains, such as healthcare, finance, and machine learning. One big caveat is that MPC sometimes lacks usability since the knowledge barrier for regular users can be high. Users have to deal with, e.g., various CLI tools, private networks, and sometimes even must install many dependencies, which are often hardware-dependent. A solution to improve the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/484" class="paperlink" href="/2025/484">2025/484</a> <span class="ms-2"><a href="/2025/484.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP Redaction</strong> <div class="mt-1"><span class="fst-italic">Rui Guo, M Sazadur Rahman, Jingbo Zhou, Hadi M Kamali, Fahim Rahman, Farimah Farahmandi, Mark Tehranipoor</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Hardware obfuscation is an active trustworthy design technique targeting threats in the IC supply chain, such as IP piracy and overproduction. Recent research on Intellectual Property (IP) protection technologies suggests that using embedded reconfigurable components (e.g., eFPGA redaction) could be a promising approach to hide the functional and structural information of security-critical designs. 
However, such techniques suffer from almost prohibitive overhead in terms of area, power,...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/481" class="paperlink" href="/2025/481">2025/481</a> <span class="ms-2"><a href="/2025/481.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-13</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>RHQC: post-quantum ratcheted key exchange from coding assumptions</strong> <div class="mt-1"><span class="fst-italic">Julien Juaneda , Marina Dehez-Clementi, Jean-Christophe Deneuville, Jérôme Lacan</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Key Exchange mechanisms (KE or KEMs) such as the Diffie-Hellman protocol have proved to be a cornerstone conciliating the efficiency of symmetric encryption and the practicality of public key primitives. Such designs however assume the non-compromission of the long term asymmetric key in use. To relax this strong security assumption, and allow for modern security features such as Perfect Forward Secrecy (PFS) or Post Compromise Security (PCS), Ratcheted-KE (RKE) have been proposed. ...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/464" class="paperlink" href="/2025/464">2025/464</a> <span class="ms-2"><a href="/2025/464.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SoK: Efficient Design and Implementation of Polynomial Hash Functions over Prime Fields</strong> <div class="mt-1"><span class="fst-italic">Jean Paul Degabriele, Jan Gilcher, Jérôme Govinden, Kenneth G. 
Paterson</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Poly1305 is a widely-deployed polynomial hash function. The rationale behind its design was laid out in a series of papers by Bernstein, the last of which dates back to 2005. As computer architectures evolved, some of its design features became less relevant, but implementers found new ways of exploiting these features to boost its performance. However, would we still converge to this same design if we started afresh with today's computer architectures and applications? To answer this...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/462" class="paperlink" href="/2025/462">2025/462</a> <span class="ms-2"><a href="/2025/462.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Practical Key Collision on AES and Kiasu-BC</strong> <div class="mt-1"><span class="fst-italic">Jianqiang Ni, Yingxin Li, Fukang Liu, Gaoli Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The key collision attack was proposed as an open problem in key-committing security in Authenticated Encryption (AE) schemes like $\texttt{AES-GCM}$ and $\texttt{ChaCha20Poly1305}$. In ASIACRYPT 2024, Taiyama et al. introduce a novel type of key collision—target-plaintext key collision ($\texttt{TPKC}$) for $\texttt{AES}$. 
Depending on whether the plaintext is fixed, $\texttt{TPKC}$ can be divided into $\texttt{fixed-TPKC}$ and $\texttt{free-TPKC}$, which can be directly converted into...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/457" class="paperlink" href="/2025/457">2025/457</a> <span class="ms-2"><a href="/2025/457.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A 10-bit S-box generated by Feistel construction from cellular automata</strong> <div class="mt-1"><span class="fst-italic">Thomas Prévost, Bruno Martin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, we propose a new 10-bit S-box generated from a Feistel construction. The subpermutations are generated by a 5-cell cellular automaton based on a unique well-chosen rule and bijective affine transformations. In particular, the cellular automaton rule is chosen based on empirical tests of its ability to generate good pseudorandom output on a ring cellular automaton. Similarly, Feistel's network layout is based on empirical data regarding the quality of the output S-box. 
We...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/445" class="paperlink" href="/2025/445">2025/445</a> <span class="ms-2"><a href="/2025/445.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-13</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A proof of P≠NP (New symmetric encryption algorithm against any linear attacks and differential attacks)</strong> <div class="mt-1"><span class="fst-italic">Gao Ming</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">P vs NP problem is the most important unresolved problem in the field of computational complexity. Its impact has penetrated into all aspects of algorithm design, especially in the field of cryptography. The security of cryptographic algorithms based on short keys depends on whether P is equal to NP. In fact, Shannon strictly proved that the one-time-pad system meets unconditional security, but because the one-time-pad system requires the length...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/439" class="paperlink" href="/2025/439">2025/439</a> <span class="ms-2"><a href="/2025/439.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-07</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Preimage Attacks on up to 5 Rounds of SHA-3 Using Internal Differentials</strong> <div class="mt-1"><span class="fst-italic">Zhongyi Zhang, Chengan Hou, Meicheng Liu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, we study preimage resistance of the SHA-3 standard. 
We propose a squeeze meet-in-the-middle attack as a new preimage attack method for the sponge functions. This attack combines the squeeze attack and meet-in-the-middle attack, and is implemented by internal differentials. We analyze the inverse operation of the SHA-3 round function, and develop a new target internal differential algorithm as well as a linearization technique for the Sbox in the backward phase. In addition, we...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/437" class="paperlink" href="/2025/437">2025/437</a> <span class="ms-2"><a href="/2025/437.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-07</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improved Cryptanalysis of ChaCha: Beating PNBs with Bit Puncturing</strong> <div class="mt-1"><span class="fst-italic">Antonio Flórez-Gutiérrez, Yosuke Todo</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">ChaCha is a widely deployed stream cipher and one of the most important symmetric primitives. Due to this practical importance, many cryptanalyses have been proposed. Until now, Probabilistic Neutral Bits (PNBs) have been the most successful. Given differential-linear distinguishers, PNBs are the technique for key recovery relying on an experimental backward correlation obtained through blackbox analysis. 
A careful theoretical analysis exploiting the round function design may find a better...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/433" class="paperlink" href="/2025/433">2025/433</a> <span class="ms-2"><a href="/2025/433.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>MIDAS: an End-to-end CAD Framework for Automating Combinational Logic Locking</strong> <div class="mt-1"><span class="fst-italic">Akashdeep Saha, Siddhartha Chowdhury, Rajat Subhra Chakraborty, Debdeep Mukhopadhyay</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic locking has surfaced as a notable safeguard against diverse hazards that pose a risk to the integrated circuit (IC) supply chain. Existing literature on logic locking largely encompasses the art of proposing new constructions, on the one hand, and unearthing weaknesses in such algorithms on the other. Somehow, in this race of make and break, the stress on automation of adopting such techniques on real-life circuits has been rather limited. 
For the first time, we present a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/428" class="paperlink" href="/2025/428">2025/428</a> <span class="ms-2"><a href="/2025/428.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-05</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>On Improved Cryptanalytic Results against ChaCha for Reduced Rounds ≥ 7</strong> <div class="mt-1"><span class="fst-italic">Nitin Kumar Sharma, Sabyasachi Dey, Santanu Sarkar, Subhamoy Maitra</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, we analyze the subtle issues of complexity estimates related to state-of-the-art cryptanalytic efforts on ChaCha. In this regard, we demonstrate that the currently best-known cryptanalytic result on $7$-round ChaCha with time $2^{189.7}$ and data $2^{102.63}$ [Xu et al., ToSC 2024] can be estimated as $2^{178.12}$ for time and $2^{101.09}$ for data complexity. 
We improve the best-known result for the $7.25$ round by obtaining an improved set of Probabilistic Neutral Bits and...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/426" class="paperlink" href="/2025/426">2025/426</a> <span class="ms-2"><a href="/2025/426.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-05</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Exploring How to Authenticate Application Messages in MLS: More Efficient, Post-Quantum, and Anonymous Blocklistable</strong> <div class="mt-1"><span class="fst-italic">Keitaro Hashimoto, Shuichi Katsumata, Guillermo Pascual-Perez</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The Message Layer Security (MLS) protocol has recently been standardized by the IETF. MLS is a scalable secure group messaging protocol expected to run more efficiently compared to the Signal protocol at scale, while offering a similar level of strong security. Even though MLS has undergone extensive examination by researchers, the majority of the works have focused on confidentiality. In this work, we focus on the authenticity of the application messages exchanged in MLS. 
Currently, MLS...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/417" class="paperlink" href="/2025/417">2025/417</a> <span class="ms-2"><a href="/2025/417.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-10</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Evaluation of Privacy-aware Support Vector Machine (SVM) Learning using Homomorphic Encryption</strong> <div class="mt-1"><span class="fst-italic">William J Buchanan, Hisham Ali</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The requirement for privacy-aware machine learning increases as we continue to use PII (Personally Identifiable Information) within machine training. To overcome these privacy issues, we can apply Fully Homomorphic Encryption (FHE) to encrypt data before it is fed into a machine learning model. This involves creating a homomorphic encryption key pair, where the associated public key is used to encrypt the input data and the private key decrypts the output. 
But, there is often a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/414" class="paperlink" href="/2025/414">2025/414</a> <span class="ms-2"><a href="/2025/414.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-21</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Deimos Cipher: A High-Entropy, Secure Encryption Algorithm with Strong Diffusion and Key Sensitivity</strong> <div class="mt-1"><span class="fst-italic">Mohsin Belam</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Deimos Cipher is a symmetric encryption algorithm designed to achieve high entropy, strong diffusion, and computational efficiency. It integrates HKDF with BLAKE2b for key expansion, ensuring secure key derivation from user-supplied passwords. The encryption process employs XChaCha20, a high-speed stream cipher, to provide strong security and resistance against nonce reuse attacks. 
To guarantee data integrity and authentication, HMAC-SHA256 is used, preventing unauthorized...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/411" class="paperlink" href="/2025/411">2025/411</a> <span class="ms-2"><a href="/2025/411.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-04</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Security of the Ascon Authenticated Encryption Mode in the Presence of Quantum Adversaries</strong> <div class="mt-1"><span class="fst-italic">Nathalie Lang, Stefan Lucks, Bart Mennink, Suprita Talnikar</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We examine the post-quantum security of the Ascon authenticated encryption (AE) mode. In spite of comprehensive research of Ascon's classical security, the potential impact of quantum adversaries on Ascon has not yet been explored much. We investigate the generic security of the Ascon AE mode in the setting where the adversary owns a quantum computer to improve its attack, while the adversarial encryption or decryption queries are still classical. 
In this so-called Q1 model, Ascon achieves...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/403" class="paperlink" href="/2025/403">2025/403</a> <span class="ms-2"><a href="/2025/403.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Periodic Table of Cryptanalysis: Geometric Approach with Different Bases</strong> <div class="mt-1"><span class="fst-italic">Kai Hu, Chi Zhang, Chengcheng Chang, Jiashu Zhang, Meiqin Wang, Thomas Peyrin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In the past three decades, we have witnessed the creation of various cryptanalytic attacks. However, relatively little research has been done on their potential underlying connections. The geometric approach, developed by Beyne in 2021, shows that a cipher can be viewed as a linear operation when we treat its input and output as points in an induced <em>free vector space</em>. 
By performing a change of basis for the input and output spaces, one can obtain various transition matrices....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/402" class="paperlink" href="/2025/402">2025/402</a> <span class="ms-2"><a href="/2025/402.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Related-Key Differential and Boomerang Cryptanalysis in the Fixed-Key Model</strong> <div class="mt-1"><span class="fst-italic">Chengcheng Chang, Kai Hu, Muzhou Li, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Differential cryptanalysis, along with its variants such as boomerang attacks, is widely used to evaluate the security of block ciphers. These cryptanalytic techniques often rely on assumptions like the <em>hypothesis of stochastic equivalence</em> and <em>Markov ciphers assumption</em>. Recently, more attention has been paid to verifying whether differential characteristics (DCs) meet these assumptions, finding both positive and negative results. 
A part of these efforts includes the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/399" class="paperlink" href="/2025/399">2025/399</a> <span class="ms-2"><a href="/2025/399.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Computational Quantum Anamorphic Encryption and Anamorphic Secret Sharing</strong> <div class="mt-1"><span class="fst-italic">SAYANTAN GANGULY, Shion Samadder Chaudhury</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The concept of anamorphic encryption, first formally introduced by Persiano et al. in their influential 2022 paper titled “Anamorphic Encryption: Private Communication Against a Dictator,” enables embedding covert messages within ciphertexts. One of the key distinctions between a ciphertext embedding a covert message and an original ciphertext, compared to an anamorphic ciphertext, lies in the indistinguishability between the original ciphertext and the anamorphic ciphertext. 
This...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/396" class="paperlink" href="/2025/396">2025/396</a> <span class="ms-2"><a href="/2025/396.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Trail-Estimator: An Automated Verifier for Differential Trails in Block Ciphers</strong> <div class="mt-1"><span class="fst-italic">Thomas Peyrin, Quan Quan Tan, Hongyi Zhang, Chunning Zhou</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Differential cryptanalysis is a powerful technique for attacking block ciphers, wherein the Markov cipher assumption and stochastic hypothesis are commonly employed to simplify the search and probability estimation of differential trails. However, these assumptions often neglect inherent algebraic constraints, potentially resulting in invalid trails and inaccurate probability estimates. 
Some studies identified violations of these assumptions and explored how they impose constraints on key...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/390" class="paperlink" href="/2025/390">2025/390</a> <span class="ms-2"><a href="/2025/390.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-01</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Lattice-Based Post-Quantum iO from Circular Security with Random Opening Assumption (Part II: zeroizing attacks against private-coin evasive LWE assumptions)</strong> <div class="mt-1"><span class="fst-italic">Yao-Ching Hsieh, Aayush Jain, Huijia Lin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Indistinguishability obfuscation (iO) stands out as a powerful cryptographic primitive but remains notoriously difficult to realize under simple-to-state, post-quantum assumptions. Recent works have proposed lattice-inspired iO constructions backed by new “LWE-with-hints” assumptions, which posit that certain distributions of LWE samples retain security despite auxiliary information. 
However, subsequent cryptanalysis has revealed structural vulnerabilities in these assumptions, leaving us...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/386" class="paperlink" href="/2025/386">2025/386</a> <span class="ms-2"><a href="/2025/386.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>How Small Can S-boxes Be</strong> <div class="mt-1"><span class="fst-italic">Chenhao Jia, Tingting Cui, Qing Ling, Yan He, Kai Hu, Yu Sun, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">S-boxes are the most popular nonlinear building blocks used in symmetric-key primitives. Both cryptographic properties and implementation cost of an S-box are crucial for a good cipher design, especially for lightweight ones. This paper aims to determine the exact minimum area of optimal 4-bit S-boxes (whose differential uniform and linearity are both 4) under certain standard cell library. 
Firstly, we evaluate the upper and lower bounds upon the minimum area of S-boxes, by...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/382" class="paperlink" href="/2025/382">2025/382</a> <span class="ms-2"><a href="/2025/382.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>On the Security and Privacy of CKKS-based Homomorphic Evaluation Protocols</strong> <div class="mt-1"><span class="fst-italic">Intak Hwang, Seonhong Min, Jinyeong Seo, Yongsoo Song</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">CKKS is a homomorphic encryption (HE) scheme that supports arithmetic over complex numbers in an approximate manner. Despite its utility in PPML protocols, formally defining the security of CKKS-based protocols is challenging due to its approximate nature. To be precise, in a sender-receiver model, where the receiver holds input ciphertexts and the sender evaluates its private circuit, it is difficult to define sender's privacy in terms of indistinguishability, whereas receiver's privacy...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/367" class="paperlink" href="/2025/367">2025/367</a> <span class="ms-2"><a href="/2025/367.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Partial Lattice Trapdoors: How to Split Lattice Trapdoors, Literally</strong> <div class="mt-1"><span class="fst-italic">Martin R. Albrecht, Russell W. F. Lai, Oleksandra Lapiha, Ivy K. Y. 
Woo</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Lattice trapdoor algorithms allow us to sample hard random lattices together with their trapdoors, given which short lattice vectors can be sampled efficiently. This enables a wide range of advanced cryptographic primitives. In this work, we ask: can we distribute lattice trapdoor algorithms non-interactively? We study a natural approach to sharing lattice trapdoors: splitting them into partial trapdoors for different lower-rank sublattices which allow the local sampling of short...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/366" class="paperlink" href="/2025/366">2025/366</a> <span class="ms-2"><a href="/2025/366.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Enabling Microarchitectural Agility: Taking ML-KEM & ML-DSA from Cortex-M4 to M7 with SLOTHY</strong> <div class="mt-1"><span class="fst-italic">Amin Abdulrahman, Matthias J. Kannwischer, Thing-Han Lim</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Highly-optimized assembly is commonly used to achieve the best performance for popular cryptographic schemes such as the newly standardized ML-KEM and ML-DSA. The majority of implementations today rely on hand-optimized assembly for the core building blocks to achieve both security and performance. However, recent work by Abdulrahman et al. 
takes a new approach, writing a readable base assembly implementation first and leaving the bulk of the optimization work to a tool named SLOTHY based...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/362" class="paperlink" href="/2025/362">2025/362</a> <span class="ms-2"><a href="/2025/362.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Adaptively Secure Fully Homomorphic Message Authentication Code with Pre-processable Verification</strong> <div class="mt-1"><span class="fst-italic">Jeongsu Kim, Aaram Yun</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">There has been remarkable progress in fully homomorphic encryption, ever since Gentry's first scheme. In contrast, fully homomorphic authentication primitives received relatively less attention, despite existence of some previous constructions. While there exist various schemes with different functionalities for fully homomorphic encryption, there are only a few options for fully homomorphic authentication. 
Moreover, there are even fewer options when considering two of the most important...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/342" class="paperlink" href="/2025/342">2025/342</a> <span class="ms-2"><a href="/2025/342.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Traceable Threshold Encryption without Trusted Dealer</strong> <div class="mt-1"><span class="fst-italic">Jan Bormet, Jonas Hofmann, Hussien Othman</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The fundamental assumption in $t$-out-of-$n$ threshold encryption is that the adversary can only corrupt less than $t$ parties. Unfortunately, it may be unfounded in practical scenarios where shareholders could be incentivized to collude. Boneh, Partap, and Rotem (Crypto'24) recently addressed the setting where $t$ or more shareholders work together to decrypt illegally. 
Inspired by the well-established notion of traitor tracing in broadcast encryption, they added a traceability mechanism...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/341" class="paperlink" href="/2025/341">2025/341</a> <span class="ms-2"><a href="/2025/341.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>CCA-Secure Traceable Threshold (ID-based) Encryption and Application</strong> <div class="mt-1"><span class="fst-italic">Rishiraj Bhattacharyya, Jan Bormet, Sebastian Faust, Pratyay Mukherjee, Hussien Othman</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">A recent work by Boneh, Partap, and Rotem [Crypto'24] introduced the concept of traceable threshold encryption, in that if $t$ or more parties collude to construct a decryption box, which performs decryptions, then at least one party's identity can be traced by making a few black-box queries to the box. 
This has important applications, e.g., in blockchain mempool privacy, where collusion yields high financial gain through MEVs without any consequence - the possibility of tracing discourages...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/335" class="paperlink" href="/2025/335">2025/335</a> <span class="ms-2"><a href="/2025/335.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Privacy-Preserving Multi-Signatures: Generic Techniques and Constructions Without Pairings</strong> <div class="mt-1"><span class="fst-italic">Calvin Abou Haidar, Dipayan Das, Anja Lehmann, Cavit Özbay, Octavio Perez Kempner</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Multi-signatures allow a set of parties to produce a single signature for a common message by combining their individual signatures. The result can be verified using the aggregated public key that represents the group of signers. Very recent work by Lehmann and Özbay (PKC '24) studied the use of multi-signatures for ad-hoc privacy-preserving group signing, formalizing the notion of multi-signatures with probabilistic yet verifiable key aggregation. 
Moreover, they proposed new BLS-type...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/331" class="paperlink" href="/2025/331">2025/331</a> <span class="ms-2"><a href="/2025/331.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Private Multi-Party Neural Network Training over $\mathbb{Z}_{2^k}$ via Galois Rings</strong> <div class="mt-1"><span class="fst-italic">Hengcheng Zhou</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Secret-sharing-based multi-party computation provides effective solutions for privacy-preserving machine learning. In this paper, we present novel protocols for privacy-preserving neural network training using Shamir secret sharing scheme over Galois rings. The specific Galois ring we use is \(GR(2^k, d)\), which contains $\mathbb{Z}_{2^k}$ as a subring. 
The algebraic structure of \(GR(2^k, d)\) enables us to benefit from Shamir scheme while performing modulo operations only on \(2^k\)...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/321" class="paperlink" href="/2025/321">2025/321</a> <span class="ms-2"><a href="/2025/321.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Differential Cryptanalysis of the Reduced Pointer Authentication Code Function used in Arm’s FEAT_PACQARMA3 Feature</strong> <div class="mt-1"><span class="fst-italic">Roberto Avanzi, Orr Dunkelman, Shibam Ghosh</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The Pointer Authentication Code ($\textsf{PAC}$) feature in the Arm architecture is used to enforce the Code Flow Integrity ($\textsf{CFI}$) of running programs. It does so by generating a short $\textsf{MAC}$ - called the $\textsf{PAC}$ - of the return address and some additional context information upon function entry, and checking it upon exit. 
An attacker that wants to overwrite the stack with manipulated addresses now faces an additional hurdle, as they now have to guess,...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/316" class="paperlink" href="/2025/316">2025/316</a> <span class="ms-2"><a href="/2025/316.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>$\mathsf{Zinc}$: Succinct Arguments with Small Arithmetization Overheads from IOPs of Proximity to the Integers</strong> <div class="mt-1"><span class="fst-italic">Albert Garreta, Hendrik Waldner, Katerina Hristova, Luca Dall'Ava</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">We introduce $\mathsf{Zinc}$, a hash-based succinct argument for integer arithmetic. $\mathsf{Zinc}$'s goal is to provide a practically efficient scheme that bypasses the arithmetization overheads that many succinct arguments present. These overheads can be of orders of magnitude in many applications. By enabling proving statements over the integers, we are able to arithmetize many operations of interest with almost no overhead. 
This includes modular operations involving any moduli, not...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/315" class="paperlink" href="/2025/315">2025/315</a> <span class="ms-2"><a href="/2025/315.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-21</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Cryptanalysis of Full SCARF</strong> <div class="mt-1"><span class="fst-italic">Antonio Flórez-Gutiérrez, Eran Lambooij, Gaëtan Leurent, Håvard Raddum, Tyge Tiessen, Michiel Verbauwhede</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">SCARF is a tweakable block cipher dedicated to cache address randomization, proposed at the USENIX Security conference. It has a 10-bit block, 48-bit tweak, and 240-bit key. SCARF is aggressively optimized to meet the harsh latency constraints of cache address randomization, and uses a dedicated model for its security claim. The full version of SCARF has 8 rounds, and its designers claim security up to $2^{40}$ queries and $2^{80}$ computations. 
In this work we present a distinguisher...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/310" class="paperlink" href="/2025/310">2025/310</a> <span class="ms-2"><a href="/2025/310.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-20</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Non-Interactive Key Exchange: New Notions, New Constructions, and Forward Security</strong> <div class="mt-1"><span class="fst-italic">Suvradip Chakraborty, Dennis Hofheinz, Roman Langrehr</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Non-interactive key exchange (NIKE) is a simple and elegant cryptographic primitive that allows two or more users to agree on a secret shared key without any interaction. NIKE schemes have been formalized in different scenarios (such as the public-key, or the identity-based setting), and have found many applications in cryptography. In this work, we propose a NIKE variant that generalizes public-key and identity-based NIKE: a multi-authority identity-based NIKE (MA-ID-NIKE) is defined...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/298" class="paperlink" href="/2025/298">2025/298</a> <span class="ms-2"><a href="/2025/298.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-20</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Stateless Hash-Based Signatures for Post-Quantum Security Keys</strong> <div class="mt-1"><span class="fst-italic">Ruben Gonzalez</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The U.S. 
National Institute of Standards and Technology recently standardized the first set of post-quantum cryptography algorithms. These algorithms address the quantum threat, but also present new challenges due to their larger memory and computational footprint. Three of the four standardized algorithms are lattice based, offering good performance but posing challenges due to complex implementation and intricate security assumptions. A more conservative choice for quantum-safe...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/289" class="paperlink" href="/2025/289">2025/289</a> <span class="ms-2"><a href="/2025/289.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Significantly Improved Cryptanalysis of Salsa20 With Two-Round Criteria</strong> <div class="mt-1"><span class="fst-italic">Sabyasachi Dey, Subhamoy Maitra, Santanu Sarkar, Nitin Kumar Sharma</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Over the past decade and a half, cryptanalytic techniques for Salsa20 have been increasingly refined, largely following the overarching concept of Probabilistically Neutral Bits (PNBs) by Aumasson et al. (FSE 2008). 
In this paper, we present a novel criterion for choosing key-$\mathcal{IV}$ pairs using certain 2-round criteria and connect that with clever tweaks of existing techniques related to Probabilistically Independent $\mathcal{IV}$ bits (earlier used for ARX ciphers, but not for...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/276" class="paperlink" href="/2025/276">2025/276</a> <span class="ms-2"><a href="/2025/276.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Finding and Protecting the Weakest Link: On Side-Channel Attacks on Masked ML-DSA</strong> <div class="mt-1"><span class="fst-italic">Julius Hermelink, Kai-Chun Ning, Richard Petri</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">NIST has standardized ML-KEM and ML-DSA as replacements for pre-quantum key exchanges and digital signatures. Both schemes have already seen analysis with respect to side-channels, and first fully masked implementations of ML-DSA have been published. Previous attacks have focused on unprotected implementations or assumed only hiding countermeasures to be in-place. Thus, in contrast to ML-KEM, the threat of side-channel attacks for protected implementations of ML-DSA is mostly unclear. 
In...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/272" class="paperlink" href="/2025/272">2025/272</a> <span class="ms-2"><a href="/2025/272.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-18</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>X-Transfer: Enabling and Optimizing Cross-PCN Transactions</strong> <div class="mt-1"><span class="fst-italic">Lukas Aumayr, Zeta Avarikioti, Iosif Salem, Stefan Schmid, Michelle Yeo</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Blockchain interoperability solutions allow users to hold and transfer assets among different chains, and in so doing reap the benefits of each chain. To fully reap the benefits of multi-chain financial operations, it is paramount to support interoperability and cross-chain transactions also on Layer-2 networks, in particular payment channel networks (PCNs). 
Nevertheless, existing works on Layer-2 interoperability solutions still involve on-chain events, which limits their scalability and...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/247" class="paperlink" href="/2025/247">2025/247</a> <span class="ms-2"><a href="/2025/247.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-17</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>LatticeFold+: Faster, Simpler, Shorter Lattice-Based Folding for Succinct Proof Systems</strong> <div class="mt-1"><span class="fst-italic">Dan Boneh, Binyi Chen</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Folding is a technique for building efficient succinct proof systems. Many existing folding protocols rely on the discrete-log based Pedersen commitment scheme, and are therefore not post-quantum secure and require a large (256-bit) field. Recently, Boneh and Chen constructed LatticeFold, a folding protocol using lattice-based commitments which is plausibly post-quantum secure and can operate with small (64-bit) fields. 
For knowledge soundness, LatticeFold requires the prover to provide a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/242" class="paperlink" href="/2025/242">2025/242</a> <span class="ms-2"><a href="/2025/242.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-01</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Rational Secret Sharing with Competition</strong> <div class="mt-1"><span class="fst-italic">Tiantian Gong, Zeyu Liu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The rational secret sharing problem (RSS) considers incentivizing rational parties to share their received information to reconstruct a correctly shared secret. Halpern and Teague (STOC'04) demonstrate that solving the RSS problem deterministically with explicitly bounded runtime is impossible, if parties prefer learning the secret than not learning, and they prefer fewer other parties to learn. To overcome this impossibility result, we propose RSS with competition. 
We consider a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/240" class="paperlink" href="/2025/240">2025/240</a> <span class="ms-2"><a href="/2025/240.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-15</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Robust Non-Interactive Zero-Knowledge Combiners</strong> <div class="mt-1"><span class="fst-italic">Michele Ciampi, Lorenzo Magliocco, Daniele Venturi, Yu Xia</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">A $t$-out-of-$n$ robust non-interactive zero-knowledge (NIZK) combiner is a construction that, given access to $n$ candidate instantiations of a NIZK for some language, itself implements a NIZK for the same language. Moreover, the combiner is secure, assuming at least $t$ of the given candidates are secure. In this work, we provide the first definition of combiners for NIZK, and prove that no robust NIZK combiner exists assuming $t \le \lfloor n/2 \rfloor$ (unless the polynomial hierarchy...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/235" class="paperlink" href="/2025/235">2025/235</a> <span class="ms-2"><a href="/2025/235.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Doubly Efficient Cryptography: Commitments, Arguments and RAM MPC</strong> <div class="mt-1"><span class="fst-italic">Wei-Kai Lin, Ethan Mook, Daniel Wichs</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Can a sender commit to a long input without even reading all of it? 
Can a prover convince a verifier that an NP statement holds without even reading the entire witness? Can a set of parties run a multiparty computation (MPC) protocol in the RAM model, without necessarily even reading their entire inputs? We show how to construct such "doubly efficient" schemes in a setting where parties can preprocess their input offline, but subsequently they can engage in many different protocol...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/232" class="paperlink" href="/2025/232">2025/232</a> <span class="ms-2"><a href="/2025/232.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Authenticated BitGC for Actively Secure Rate-One 2PC</strong> <div class="mt-1"><span class="fst-italic">Hanlin Liu, Xiao Wang, Kang Yang, Yu Yu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, we present a constant-round actively secure two-party computation protocol with small communication based on the ring learning with errors (RLWE) assumption with key-dependent message security. Our result builds on the recent BitGC protocol by Liu, Wang, Yang, and Yu (Eurocrypt 2025) with communication of one bit per gate for semi-honest security. 
First, we achieve a different manner of distributed garbling, where the global correlation is secret-shared among the two parties....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/213" class="paperlink" href="/2025/213">2025/213</a> <span class="ms-2"><a href="/2025/213.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>An Innovative Lightweight Symmetric Encryption Algorithm Integrating NeoAlzette ARX S-box and XCR CSPRNG</strong> <div class="mt-1"><span class="fst-italic">Jiang Yu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This paper introduces "Little OaldresPuzzle_Cryptic," a novel lightweight symmetric encryption algorithm. At the core of this algorithm are two main cryptographic components: the NeoAlzette permutation S-box based on ARX (Addition-Rotation-XOR) primitives and the innovative pseudo-random number generator XorConstantRotation (XCR), used exclusively in the key expansion process. 
The NeoAlzette S-box, a non-linear function for 32-bit pairs, is meticulously designed for both encryption...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/211" class="paperlink" href="/2025/211">2025/211</a> <span class="ms-2"><a href="/2025/211.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Prior-Based Label Differential Privacy via Secure Two-Party Computation</strong> <div class="mt-1"><span class="fst-italic">Amit Agarwal, Stanislav Peceny, Mariana Raykova, Phillipp Schoppmann, Karn Seth</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Differential privacy (DP) is a fundamental technique used in machine learning (ML) training for protecting the privacy of sensitive individual user data. In the past few years, a new approach for combining prior-based Local Differential Privacy (LDP) mechanisms with a relaxed DP criterion, known as Label DP, has shown great promise in increasing the utility of the final trained model without compromising on the DP privacy budget. 
In this work, we identify a crucial privacy gap in the current...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/206" class="paperlink" href="/2025/206">2025/206</a> <span class="ms-2"><a href="/2025/206.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Revisiting the Differential-Linear Attacks on ChaCha from IEEE TIT and INDOCRYPT 2024 (Extended Abstract)</strong> <div class="mt-1"><span class="fst-italic">Xinhai Wang, Lin Ding, Zhengting Li, Jiang Wan, Bin Hu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The ChaCha stream cipher has become one of the best known ARX-based ciphers because of its wide use in several systems, such as TLS and SSH. In this paper, we find some errors in the attacks on ChaCha256 from IEEE TIT and INDOCRYPT 2024, and then give corrected cryptanalytic attacks on ChaCha256. However, the corrected attacks have extremely large time and data complexities. The corrected results show that the technique proposed in IEEE TIT may not be able to obtain improved...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/202" class="paperlink" href="/2025/202">2025/202</a> <span class="ms-2"><a href="/2025/202.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Distributed Non-Interactive Zero-Knowledge Proofs</strong> <div class="mt-1"><span class="fst-italic">Alex B. 
Grilo, Ami Paz, Mor Perry</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Distributed certification is a set of mechanisms that allows an all-knowing prover to convince the units of a communication network that the network's state has some desired property, such as being $3$-colorable or triangle-free. Classical mechanisms, such as proof labeling schemes (PLS), consist of a message from the prover to each unit, followed by one round of communication between each unit and its neighbors. Later works consider extensions, called distributed interactive proofs,...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/197" class="paperlink" href="/2025/197">2025/197</a> <span class="ms-2"><a href="/2025/197.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Cryptanalysis of a nonlinear filter-based stream cipher</strong> <div class="mt-1"><span class="fst-italic">Tim Beyne, Michiel Verbauwhede</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">It is shown that the stream cipher proposed by Carlet and Sarkar in ePrint report 2025/160 is insecure. More precisely, one bit of the key can be deduced from a few keystream bytes. This property extends to an efficient key-recovery attack. 
For example, for the proposal with 80 bit keys, a few kilobytes of keystream material are sufficient to recover half of the key.</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/190" class="paperlink" href="/2025/190">2025/190</a> <span class="ms-2"><a href="/2025/190.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-09</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Binary Codes for Error Detection and Correction in a Computationally Bounded World</strong> <div class="mt-1"><span class="fst-italic">Jad Silbak, Daniel Wichs</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We study error detection and correction in a computationally bounded world, where errors are introduced by an arbitrary $\textit{polynomial-time}$ adversarial channel. Our focus is on $\textit{seeded}$ codes, where the encoding and decoding procedures can share a public random seed, but are otherwise deterministic. 
We can ask for either $\textit{selective}$ or $\textit{adaptive}$ security, depending on whether the adversary can choose the message being encoded before or after seeing the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/185" class="paperlink" href="/2025/185">2025/185</a> <span class="ms-2"><a href="/2025/185.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>AutoDiVer: Automatically Verifying Differential Characteristics and Learning Key Conditions</strong> <div class="mt-1"><span class="fst-italic">Marcel Nageler, Shibam Ghosh, Marlene Jüttler, Maria Eichlseder</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Differential cryptanalysis is one of the main methods of cryptanalysis and has been applied to a wide range of ciphers. While it is very successful, it also relies on certain assumptions that do not necessarily hold in practice. One of these is the hypothesis of stochastic equivalence, which states that the probability of a differential characteristic behaves similarly for all keys. 
Several works have demonstrated examples where this hypothesis is violated, impacting the attack complexity...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/179" class="paperlink" href="/2025/179">2025/179</a> <span class="ms-2"><a href="/2025/179.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Higher-Order Deterministic Masking with Application to Ascon</strong> <div class="mt-1"><span class="fst-italic">Vahid Jahandideh, Bart Mennink, Lejla Batina</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Side-channel attacks (SCAs) pose a significant threat to the implementations of lightweight ciphers, particularly in resource-constrained environments where masking—the primary countermeasure—is constrained by tight resource limitations. This makes it crucial to reduce the resource and randomness requirements of masking schemes. In this work, we investigate an approach to minimize the randomness complexity of masking algorithms. 
Specifically, we explore the theoretical foundations...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/178" class="paperlink" href="/2025/178">2025/178</a> <span class="ms-2"><a href="/2025/178.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improved Differential and Linear Cryptanalysis on Round-Reduced SIMON</strong> <div class="mt-1"><span class="fst-italic">Chao Niu, Muzhou Li, Jifu Zhang, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">SIMON is a lightweight block cipher proposed by the National Security Agency. According to previous cryptanalytic results on SIMON, differential and linear cryptanalysis are the two most effective attacks on it. Usually, there are many trails sharing the same input and output differences (resp. masks). These trails comprise the differential (resp. linear hull) and can be used together when mounting attacks. In ASIACRYPT 2021, Leurent et al. 
proposed a matrix-based method on...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/172" class="paperlink" href="/2025/172">2025/172</a> <span class="ms-2"><a href="/2025/172.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-05</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SoK: Understanding zk-SNARKs: The Gap Between Research and Practice</strong> <div class="mt-1"><span class="fst-italic">Junkai Liang, Daqi Hu, Pengfei Wu, Yunbo Yang, Qingni Shen, Zhonghai Wu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) are a powerful tool for proving computation correctness, attracting significant interest from researchers, developers, and users. However, the complexity of zk-SNARKs has created gaps between these groups, hindering progress. Researchers focus on constructing efficient proving systems with stronger security and new properties, while developers and users prioritize toolchains, usability, and compatibility. 
In this...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/167" class="paperlink" href="/2025/167">2025/167</a> <span class="ms-2"><a href="/2025/167.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-04</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Wiretapping LLMs: Network Side-Channel Attacks on Interactive LLM Services</strong> <div class="mt-1"><span class="fst-italic">Mahdi Soleimani, Grace Jia, In Gim, Seung-seob Lee, Anurag Khandelwal</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Recent server-side optimizations like speculative decoding significantly enhance the interactivity and resource efficiency of Large Language Model (LLM) services. However, we show that these optimizations inadvertently introduce new side-channel vulnerabilities through network packet timing and size variations that tend to be input-dependent. 
Network adversaries can leverage these side channels to learn sensitive information contained in \emph{encrypted} user prompts to and responses from...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/164" class="paperlink" href="/2025/164">2025/164</a> <span class="ms-2"><a href="/2025/164.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-04</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Multi-Authority Functional Encryption with Bounded Collusions from Standard Assumptions</strong> <div class="mt-1"><span class="fst-italic">Rishab Goyal, Saikumar Yadugiri</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Multi-Authority Functional Encryption ($\mathsf{MA}$-$\mathsf{FE}$) [Chase, TCC'07; Lewko-Waters, Eurocrypt'11; Brakerski et al., ITCS'17] is a popular generalization of functional encryption ($\mathsf{FE}$) with the central goal of decentralizing the trust assumption from a single central trusted key authority to a group of multiple, independent and non-interacting, key authorities. 
Over the last several decades, we have seen tremendous advances in new designs and constructions for...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/159" class="paperlink" href="/2025/159">2025/159</a> <span class="ms-2"><a href="/2025/159.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A Holistic Framework for Impossible Boomerang Attacks</strong> <div class="mt-1"><span class="fst-italic">Yincen Chen, Qinggan Fu, Ning Zhao, Jiahao Zhao, Ling Song, Qianqian Yang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In 2011, Lu introduced the impossible boomerang attack at DCC. This powerful cryptanalysis technique combines the strengths of the impossible differential and boomerang attacks, thereby inheriting the advantages of both cryptographic techniques. In this paper, we propose a holistic framework comprising two generic and effective algorithms and a MILP-based model to search for the optimal impossible boomerang attack systematically. 
The first algorithm incorporates any key guessing strategy,...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/158" class="paperlink" href="/2025/158">2025/158</a> <span class="ms-2"><a href="/2025/158.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Optimizing Key Recovery in Impossible Cryptanalysis and Its Automated Tool</strong> <div class="mt-1"><span class="fst-italic">Jianing Zhang, Haoyang Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Impossible differential (ID) cryptanalysis and impossible boomerang (IB) cryptanalysis are two methods of impossible cryptanalysis against block ciphers. Since the seminal work introduced by Boura et al. in 2014, there have been no substantial advancements in the key recovery process for impossible cryptanalysis, particularly for the IB attack. In this paper, we propose a generic key recovery framework for impossible cryptanalysis that supports arbitrary key-guessing strategies, enabling...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/154" class="paperlink" href="/2025/154">2025/154</a> <span class="ms-2"><a href="/2025/154.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-02</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Shadowfax: Combiners for Deniability</strong> <div class="mt-1"><span class="fst-italic">Phillip Gajland, Vincent Hwang, Jonas Janneck</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">As cryptographic protocols transition to post-quantum security, 
most adopt hybrid solutions combining pre-quantum and post-quantum assumptions. However, this shift often introduces trade-offs in terms of efficiency, compactness, and in some cases, even security. One such example is deniability, which enables users, such as journalists or activists, to deny authorship of potentially incriminating messages. While deniability was once mainly of theoretical interest, protocols like X3DH, used in...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/149" class="paperlink" href="/2025/149">2025/149</a> <span class="ms-2"><a href="/2025/149.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-30</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Practical Asynchronous Distributed Key Reconfiguration and Its Applications</strong> <div class="mt-1"><span class="fst-italic">Hanwen Feng, Yingzi Gao, Yuan Lu, Qiang Tang, Jing Xu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, we study practical constructions of asynchronous distributed key reconfiguration ($\mathsf{ADKR}$), which enables an asynchronous fault-tolerant system with an existing threshold cryptosystem to efficiently generate a new threshold cryptosystem for a reconfigured set of participants. 
While existing asynchronous distributed threshold key generation ($\mathsf{ADKG}$) protocols theoretically solve $\mathsf{ADKR}$, they fail to deliver satisfactory scalability due to cubic...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/148" class="paperlink" href="/2025/148">2025/148</a> <span class="ms-2"><a href="/2025/148.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-31</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A Comprehensive Formal Security Analysis of OPC UA</strong> <div class="mt-1"><span class="fst-italic">Vincent Diemunsch, Lucca Hirschi, Steve Kremer</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">OPC UA is a standardized Industrial Control System (ICS) protocol, deployed in critical infrastructures, that aims to ensure security. The forthcoming version 1.05 includes major changes in the underlying cryptographic design, including a Diffie-Hellman based key exchange, as opposed to the previous RSA based version. Version 1.05 is supposed to offer stronger security, including Perfect Forward Secrecy (PFS). 
We perform a formal security analysis of the security protocols specified in...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/145" class="paperlink" href="/2025/145">2025/145</a> <span class="ms-2"><a href="/2025/145.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-30</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Breaking RSA with Overclocking-induced GPU Faults</strong> <div class="mt-1"><span class="fst-italic">Reuven Yakar, Avishai Wool, Eyal Ronen</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Overclocking is a supported functionality of Nvidia GPUs, and is a common performance enhancement practice. However, overclocking poses a danger for cryptographic applications. As the temperature in the overclocked GPU increases, spurious computation faults occur. Coupled with well known fault attacks against RSA implementations, one can expect such faults to allow compromising RSA private keys during decryption or signing. 
We first validate this hypothesis: We evaluate two...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/142" class="paperlink" href="/2025/142">2025/142</a> <span class="ms-2"><a href="/2025/142.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-17</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>hax: Verifying Security-Critical Rust Software using Multiple Provers</strong> <div class="mt-1"><span class="fst-italic">Karthikeyan Bhargavan, Maxime Buyse, Lucas Franceschino, Lasse Letager Hansen, Franziskus Kiefer, Jonas Schneider-Bensch, Bas Spitters</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We present hax, a verification toolchain for Rust targeted at security-critical software such as cryptographic libraries, protocol implementations, authentication and authorization mechanisms, and parsing and sanitization code. The key idea behind hax is the pragmatic observation that different verification tools are better at handling different kinds of verification goals. 
Consequently, hax supports multiple proof backends, including domain-specific security analysis tools like ProVerif...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/138" class="paperlink" href="/2025/138">2025/138</a> <span class="ms-2"><a href="/2025/138.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Preprocessing Security in Multiple Idealized Models with Applications to Schnorr Signatures and PSEC-KEM</strong> <div class="mt-1"><span class="fst-italic">Jeremiah Blocki, Seunghoon Lee</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In modern cryptography, relatively few instantiations of foundational cryptographic primitives are used across most cryptographic protocols. For example, elliptic curve groups are typically instantiated using P-256, P-384, Curve25519, or Curve448, while block ciphers are commonly instantiated with AES, and hash functions with SHA-2, SHA-3, or SHAKE. 
This limited diversity raises concerns that an adversary with nation-state-level resources could perform a preprocessing attack, generating a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/130" class="paperlink" href="/2025/130">2025/130</a> <span class="ms-2"><a href="/2025/130.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Symmetric Perceptrons, Number Partitioning and Lattices</strong> <div class="mt-1"><span class="fst-italic">Neekon Vafa, Vinod Vaikuntanathan</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The symmetric binary perceptron ($\mathrm{SBP}_{\kappa}$) problem with parameter $\kappa : \mathbb{R}_{\geq1} \to [0,1]$ is an average-case search problem defined as follows: given a random Gaussian matrix $\mathbf{A} \sim \mathcal{N}(0,1)^{n \times m}$ as input where $m \geq n$, output a vector $\mathbf{x} \in \{-1,1\}^m$ such that $$|| \mathbf{A} \mathbf{x} ||_{\infty} \leq \kappa(m/n) \cdot \sqrt{m}~.$$ The number partitioning problem ($\mathrm{NPP}_{\kappa}$) corresponds to the special...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/125" class="paperlink" href="/2025/125">2025/125</a> <span class="ms-2"><a href="/2025/125.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A Privacy Model for Classical & Learned Bloom Filters</strong> <div class="mt-1"><span class="fst-italic">Hayder Tirmazi</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The Classical Bloom Filter 
(CBF) is a class of Probabilistic Data Structures (PDS) for handling Approximate Query Membership (AMQ). The Learned Bloom Filter (LBF) is a recently proposed class of PDS that combines the Classical Bloom Filter with a Learning Model while preserving the Bloom Filter's one-sided error guarantees. Bloom Filters have been used in settings where inputs are sensitive and need to be private in the presence of an adversary with access to the Bloom Filter through an...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/124" class="paperlink" href="/2025/124">2025/124</a> <span class="ms-2"><a href="/2025/124.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-04</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>GPU Implementations of Three Different Key-Switching Methods for Homomorphic Encryption Schemes</strong> <div class="mt-1"><span class="fst-italic">Ali Şah Özcan, Erkay Savaş</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this work, we report on the latest GPU implementations of the three well-known methods for the key switching operation, which is critical for Fully Homomorphic Encryption (FHE). Additionally, for the first time in the literature, we provide implementations of all three methods in GPU for leveled CKKS schemes. 
To ensure a fair comparison, we employ the most recent GPU implementation of the number-theoretic transform (NTT), which is the most time-consuming operation in key switching, and...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/120" class="paperlink" href="/2025/120">2025/120</a> <span class="ms-2"><a href="/2025/120.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Module Learning with Errors with Truncated Matrices</strong> <div class="mt-1"><span class="fst-italic">Katharina Boudgoust, Hannah Keller</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The Module Learning with Errors ($\mathsf{MLWE}$) problem is one of the most commonly used hardness assumptions in lattice-based cryptography. In its standard version, a matrix $\mathbf{A}$ is sampled uniformly at random over a quotient ring $R_q$, as well as noisy linear equations in the form of $\mathbf{A} \mathbf{s}+ \mathbf{e} \bmod q$, where $\mathbf{s}$ is the secret, sampled uniformly at random over $R_q$, and $\mathbf{e}$ is the error, coming from a Gaussian distribution. 
Many...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/111" class="paperlink" href="/2025/111">2025/111</a> <span class="ms-2"><a href="/2025/111.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-23</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>On the structure of the Schur squares of Twisted Generalized Reed-Solomon codes and application to cryptanalysis</strong> <div class="mt-1"><span class="fst-italic">Alain Couvreur, Rakhi Pratihar, Nihan Tanisali, Ilaria Zappatore</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones. Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with same dimension. 
Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed--Solomon...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/106" class="paperlink" href="/2025/106">2025/106</a> <span class="ms-2"><a href="/2025/106.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>NTRU+Sign: Compact NTRU-Based Signatures Using Bimodal Distributions</strong> <div class="mt-1"><span class="fst-italic">Joo Woo, Jonghyun Kim, Ga Hee Hong, Seungwoo Lee, Minkyu Kim, Hochang Lee, Jong Hwan Park</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We present a new lattice-based signature scheme, called ‘NTRU+Sign’, using the Fiat-Shamir with Aborts framework. The proposed scheme is designed based on a novel NTRU-based key structure that fits well with bimodal distributions, enabling efficiency improvements compared to its predecessor, BLISS. 
The novel NTRU-based key structure is characterized by: (1) effectively changing a modulus from 2q to q, which is different from the existing usage of 2q for bimodal distributions, and (2)...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/105" class="paperlink" href="/2025/105">2025/105</a> <span class="ms-2"><a href="/2025/105.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Twist and Shout: Faster memory checking arguments via one-hot addressing and increments</strong> <div class="mt-1"><span class="fst-italic">Srinath Setty, Justin Thaler</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">A memory checking argument enables a prover to prove to a verifier that it is correctly processing reads and writes to memory. They are used widely in modern SNARKs, especially in zkVMs, where the prover proves the correct execution of a CPU including the correctness of memory operations. We describe a new approach for memory checking, which we call the method of one-hot addressing and increments. 
We instantiate this method via two different families of protocols, called Twist and Shout....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/104" class="paperlink" href="/2025/104">2025/104</a> <span class="ms-2"><a href="/2025/104.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Additive Randomized Encodings from Public Key Encryption</strong> <div class="mt-1"><span class="fst-italic">Nir Bitansky, Saroja Erabelli, Rachit Garg</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Introduced by Halevi, Ishai, Kushilevitz, and Rabin (CRYPTO 2023), Additive randomized encodings (ARE) reduce the computation of a $k$-party function $f(x_1,\dots,x_k)$ to locally computing encodings $\hat x_i$ of each input $x_i$ and then adding them together over some Abelian group into an output encoding $\hat y = \sum \hat x_i$, which reveals nothing but the result. The appeal of ARE comes from the simplicity of the non-local computation, involving only addition. 
This gives rise for...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/102" class="paperlink" href="/2025/102">2025/102</a> <span class="ms-2"><a href="/2025/102.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A practical distinguisher on the full Skyscraper permutation</strong> <div class="mt-1"><span class="fst-italic">Antoine Bak</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Skyscraper is a cryptographic permutation published in TCHES 2025, optimized for use in proof systems such as PlonK. This primitive is based on a 10-round Feistel network combining $x^2$ monomials and lookup-based functions to achieve competitive plain performances and efficiency in proof systems supporting lookups. 
In terms of security, the $x^2$ monomials are supposed to provide security against statistical attacks, while lookups are supposed to provide security against algebraic...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/097" class="paperlink" href="/2025/097">2025/097</a> <span class="ms-2"><a href="/2025/097.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Available Attestation: Towards a Reorg-Resilient Solution for Ethereum Proof-of-Stake</strong> <div class="mt-1"><span class="fst-italic">Mingfei Zhang, Rujia Li, Xueqian Lu, Sisi Duan</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Ethereum transitioned from Proof-of-Work consensus to Proof-of-Stake (PoS) consensus in September 2022. While this upgrade brings significant improvements (e.g., lower energy costs and higher throughput), it also introduces new vulnerabilities. One notable example is the so-called malicious \textit{reorganization attack}. 
Malicious reorganization denotes an attack in which the Byzantine faulty validators intentionally manipulate the canonical chain so the blocks by honest validators are...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/094" class="paperlink" href="/2025/094">2025/094</a> <span class="ms-2"><a href="/2025/094.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Multi-Key Homomorphic Secret Sharing</strong> <div class="mt-1"><span class="fst-italic">Geoffroy Couteau, Lalita Devadas, Aditya Hegde, Abhishek Jain, Sacha Servan-Schreiber</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Homomorphic secret sharing (HSS) is a distributed analogue of fully homomorphic encryption (FHE) where following an input-sharing phase, two or more parties can locally compute a function over their private inputs to obtain shares of the function output. Over the last decade, HSS schemes have been constructed from an array of different assumptions. 
However, all existing HSS schemes, except ones based on assumptions known to imply multi-key FHE, require a public-key infrastructure (PKI) or...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/079" class="paperlink" href="/2025/079">2025/079</a> <span class="ms-2"><a href="/2025/079.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Exploring side-channels in Intel Trust Domain Extensions</strong> <div class="mt-1"><span class="fst-italic">Upasana Mandal, Shubhi Shukla, Nimish Mishra, Sarani Bhattacharya, Paritosh Saxena, Debdeep Mukhopadhyay</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Intel Trust Domain Extensions (TDX) has emerged as a crucial technology aimed at strengthening the isolation and security guarantees of virtual machines, especially as the demand for secure computation is growing largely. Despite the protections offered by TDX, in this work, we dig deep into the security claims and uncover an intricate observation in TDX. 
These findings undermine TDX's core security guarantees by breaching the isolation between the Virtual Machine Manager (VMM) and Trust...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/071" class="paperlink" href="/2025/071">2025/071</a> <span class="ms-2"><a href="/2025/071.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>The HHE Land: Exploring the Landscape of Hybrid Homomorphic Encryption</strong> <div class="mt-1"><span class="fst-italic">Hossein Abdinasibfar, Camille Nuoskala, Antonis Michalas</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Hybrid Homomorphic Encryption (HHE) is considered a promising solution for key challenges that emerge when adopting Homomorphic Encryption (HE). In cases such as communication and computation overhead for clients and storage overhead for servers, it combines symmetric cryptography with HE schemes. However, despite a decade of advancements, enhancing HHE usability, performance, and security for practical applications remains a significant stake. 
This work contributes to the field by...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/067" class="paperlink" href="/2025/067">2025/067</a> <span class="ms-2"><a href="/2025/067.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Constant latency and finality for dynamically available DAG</strong> <div class="mt-1"><span class="fst-italic">Hans Schmiedel, Runchao Han, Qiang Tang, Ron Steinfeld, Jiangshan Yu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Directed Acyclic Graph (DAG) based protocols have shown great promise to improve the performance of blockchains. The CAP theorem shows that it is impossible to have a single system that achieves both liveness (known as dynamic availability) and safety under network partition. This paper explores two types of DAG-based protocols prioritizing liveness or safety, named structured dissemination and Graded Common Prefix (GCP), respectively. 
For the former, we introduce the first...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/064" class="paperlink" href="/2025/064">2025/064</a> <span class="ms-2"><a href="/2025/064.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SoK: Trusted setups for powers-of-tau strings</strong> <div class="mt-1"><span class="fst-italic">Faxing Wang, Shaanan Cohney, Joseph Bonneau</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Many cryptographic protocols rely upon an initial \emph{trusted setup} to generate public parameters. While the concept is decades old, trusted setups have gained prominence with the advent of blockchain applications utilizing zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), many of which rely on a ``powers-of-tau'' setup. 
Because such setups feature a dangerous trapdoor which undermines security if leaked, multiparty protocols are used to prevent the trapdoor...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/063" class="paperlink" href="/2025/063">2025/063</a> <span class="ms-2"><a href="/2025/063.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-15</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>PunSearch: Enabling Puncturable Encrypted Search over Lattice for Cloud Storage Systems</strong> <div class="mt-1"><span class="fst-italic">Yibo Cao, Shiyuan Xu, Gang Xu, Xiu-Bo Chen, Tao Shang, Yuling Chen, Zongpeng Li</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PUBLICKEY">Public-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Searchable encryption (SE) has been widely studied for cloud storage systems, allowing search and retrieval over encrypted data. However, existing SE schemes cannot support fine-grained searchability revocation, making them impractical for real applications. Puncturable encryption (PE) [Oakland'15] can revoke the decryption ability of a data receiver for a specific message, which can potentially alleviate this issue. 
Moreover, the threat of quantum computing remains an important and realistic...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/056" class="paperlink" href="/2025/056">2025/056</a> <span class="ms-2"><a href="/2025/056.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Partial-guess, Pre-sieve, Greedy-search - New Unified Key Recovery Framework of Impossible Boomerang Attacks: Full-round Attack on ARADI</strong> <div class="mt-1"><span class="fst-italic">Xichao Hu, Lin Jiao</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The impossible boomerang attack is a very powerful attack, and the existing results show that it is more effective than the impossible differential attack in the related-key scenario. However, several limitations persist in the current key recovery process: the division of pre-guess keys is rather coarse; the details of S-boxes are ignored in the differential propagation; the complexity estimation and the key guessing order's determination are relatively rough and primitive. 
These are the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/053" class="paperlink" href="/2025/053">2025/053</a> <span class="ms-2"><a href="/2025/053.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Founding Zero-Knowledge Proofs of Training on Optimum Vicinity</strong> <div class="mt-1"><span class="fst-italic">Gefei Tan, Adrià Gascón, Sarah Meiklejohn, Mariana Raykova, Xiao Wang, Ning Luo</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Zero-knowledge proofs of training (zkPoT) allow a party to prove that a model is trained correctly on a committed dataset without revealing any additional information about the model or the dataset. Existing zkPoT protocols prove the entire training process in zero knowledge; i.e., they prove that the final model was obtained in an iterative fashion starting from the training data and a random seed (and potentially other parameters) and applying the correct algorithm at each iteration. 
This...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/028" class="paperlink" href="/2025/028">2025/028</a> <span class="ms-2"><a href="/2025/028.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Extending Groth16 for Disjunctive Statements</strong> <div class="mt-1"><span class="fst-italic">Xudong Zhu, Xinxuan Zhang, Xuyang Song, Yi Deng, Yuanju Wei, Liuyu Yang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Two most common ways to design non-interactive zero knowledge (NIZK) proofs are based on Sigma ($\Sigma$)-protocols (an efficient way to prove algebraic statements) and zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK) protocols (an efficient way to prove arithmetic statements). However, in the applications of cryptocurrencies such as privacy-preserving credentials, privacy-preserving audits, and blockchain-based voting systems, the zk-SNARKs for general statements...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/019" class="paperlink" href="/2025/019">2025/019</a> <span class="ms-2"><a href="/2025/019.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-01-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Foundations of Platform-Assisted Auctions</strong> <div class="mt-1"><span class="fst-italic">Hao Chung, Ke Wu, Elaine Shi</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Today, many auctions are carried out with the help of intermediary platforms like Google and eBay. 
These platforms serve as a rendezvous point for the buyers and sellers, and charge a fee for its service. We refer to such auctions as platform-assisted auctions. Traditionally, the auction theory literature mainly focuses on designing auctions that incentivize the buyers to bid truthfully, assuming that the platform always faithfully implements the auction. In practice, however, the platforms...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2100" class="paperlink" href="/2024/2100">2024/2100</a> <span class="ms-2"><a href="/2024/2100.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-31</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Compact Key Storage in the Standard Model</strong> <div class="mt-1"><span class="fst-italic">Yevgeniy Dodis, Daniel Jost</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In recent work [Crypto'24], Dodis, Jost, and Marcedone introduced Compact Key Storage (CKS) as a modern approach to backup for end-to-end (E2E) secure applications. As most E2E-secure applications rely on a sequence of secrets $(s_1,...,s_n)$ from which, together with the ciphertexts sent over the network, all content can be restored, Dodis et al. introduced CKS as a primitive for backing up $(s_1,...,s_n)$. 
The authors provided definitions as well as two practically efficient schemes (with...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2091" class="paperlink" href="/2024/2091">2024/2091</a> <span class="ms-2"><a href="/2024/2091.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-29</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Encrypted Multi-map that Hides Query, Access, and Volume Patterns</strong> <div class="mt-1"><span class="fst-italic">Alexandra Boldyreva, Tianxin Tang</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">We present an encrypted multi-map, a fundamental data structure underlying searchable encryption/structured encryption. Our protocol supports updates and is designed for applications demanding very strong data security. Not only does it hide the information about queries and data, but also the query, access, and volume patterns. Our protocol utilizes a position-based ORAM and an encrypted dictionary. 
We provide two instantiations of the protocol, along with their operation-type-revealing...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2090" class="paperlink" href="/2024/2090">2024/2090</a> <span class="ms-2"><a href="/2024/2090.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-23</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Breaking the Shadow: Key Recovery Attack on Full-Round Shadow Block Ciphers with Minimal Data</strong> <div class="mt-1"><span class="fst-italic">Anda Che, Shahram Rasoolzadeh</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Shadow is a family of lightweight block ciphers introduced by Guo, Li, and Liu in 2021, with Shadow-32 having a 32-bit block size and a 64-bit key, and Shadow-64 having a 64-bit block size and a 128-bit key. Both variants use a generalized Feistel network with four branches, incorporating the AND-Rotation-XOR operation similar to the Simon family for their bridging function. This paper reveals that the security claims of the Shadow family are not as strong as suggested. 
We present a key...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2084" class="paperlink" href="/2024/2084">2024/2084</a> <span class="ms-2"><a href="/2024/2084.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Zero Knowledge Memory-Checking Techniques for Stacks and Queues</strong> <div class="mt-1"><span class="fst-italic">Alexander Frolov</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">There are a variety of techniques for implementing read/write memory inside of zero-knowledge proofs and validating consistency of memory accesses. These techniques are generally implemented with the goal of implementing a RAM or ROM. In this paper, we present memory techniques for more specialized data structures: queues and stacks. 
We first demonstrate a technique for implementing queues in arithmetic circuits that requires 3 multiplication gates and 1 advice value per read and 2...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2079" class="paperlink" href="/2024/2079">2024/2079</a> <span class="ms-2"><a href="/2024/2079.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Solving AES-SAT Using Side-Channel Hints: A Practical Assessment</strong> <div class="mt-1"><span class="fst-italic">Elena Dubrova</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Side-channel attacks exploit information leaked through non-primary channels, such as power consumption, electromagnetic emissions, or timing, to extract sensitive data from cryptographic devices. Over the past three decades, side-channel analysis has evolved into a mature research field with well-established methodologies for analyzing standard cryptographic algorithms like the Advanced Encryption Standard (AES). 
However, the integration of side-channel analysis with formal methods remains...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2073" class="paperlink" href="/2024/2073">2024/2073</a> <span class="ms-2"><a href="/2024/2073.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Succinct Partial Garbling from Groups and Applications</strong> <div class="mt-1"><span class="fst-italic">Yuval Ishai, Hanjun Li, Huijia Lin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">A garbling scheme transforms a program (e.g., circuit) $C$ into a garbled program $\hat{C}$, along with a pair of short keys $(k_{i,0},k_{i,1})$ for each input bit $x_i$, such that $(C,\hat{C}, \{k_{i,x_i}\})$ can be used to recover the output $z = C(x)$ while revealing nothing else about the input $x$. 
This can be naturally generalized to partial garbling, where part of the input is public, and a computation $z = C(x, y)$ is decomposed into a public part $C_{\text{pub}}(x)$, depending only...</p> </div> </div> <div class="w-75 mx-auto"> <ul class="pagination mt-5 mb-5"> <li class="page-item active"><span class="page-link">1</span></li> <li class="page-item"><a rel="nofollow" class="page-link" href="/search?q=differe%2A&offset=100">2</a></li> <li class="page-item"><span class="page-link">...</span></li> <li class="page-item"><a rel="nofollow" class="page-link" href="/search?q=differe%2A&offset=5100">52</a></li> <li class="page-item"> <a rel="nofollow" class="page-link" href="/search?q=differe%2A&offset=100">Next »</a> </li> </ul> </div> </div> </div> </div> <script>
// Search-form helpers. The form itself, '#clearButton', the '#category' select and
// the four date inputs read in validateForm() are defined earlier in the page.
// "Clear" handler: empties every <input> element in the document and resets the
// category select to its first option.
// NOTE(review): this clears every <input> on the page, not only the search
// form's fields — confirm no other input (e.g. a hidden field) is affected.
document.getElementById('clearButton').addEventListener('click', function(ev) { document.querySelectorAll('input').forEach(el => { el.value = ''; }); document.getElementById('category').selectedIndex = "0"; /* string literal; coerced to the number 0 */ });
// validateForm(): returns false and adds Bootstrap's 'is-invalid' class to the
// offending pair of inputs when a date range is inconsistent; returns true otherwise.
// Presumably wired to the search form's submit event — no caller is visible here.
// Values are compared as strings, which orders correctly only for ISO yyyy-mm-dd
// values such as <input type="date"> yields — TODO confirm the inputs' type.
// NOTE(review): 'is-invalid' is never removed again, so a corrected field keeps
// its error styling until the page is reloaded.
function validateForm() { // check that dates are compatible: each "after" bound must not exceed its "before" bound. 
let submittedAfter = document.getElementById('submittedafter'); let submittedBefore = document.getElementById('submittedbefore'); let revisedAfter = document.getElementById('revisedafter'); let revisedBefore = document.getElementById('revisedbefore');
// submitted-after must not be later than submitted-before.
if (submittedAfter.value && submittedBefore.value && submittedAfter.value > submittedBefore.value) { submittedAfter.classList.add('is-invalid'); submittedBefore.classList.add('is-invalid'); return false; }
// revised-after must not be later than revised-before.
if (revisedAfter.value && revisedBefore.value && revisedAfter.value > revisedBefore.value) { revisedAfter.classList.add('is-invalid'); revisedBefore.classList.add('is-invalid'); return false; }
// the latest revision date must not precede the earliest submission date.
if (revisedBefore.value && submittedAfter.value && revisedBefore.value < submittedAfter.value) { revisedBefore.classList.add('is-invalid'); submittedAfter.classList.add('is-invalid'); return false; }
return true; }
</script> <script src="/js/mark.min.js"></script> <script>
// Highlight the search terms inside the results container ("div.results",
// defined earlier in the page). The 'q', 'title' and 'authors' query parameters
// come straight from the URL and are therefore user-controlled; they are passed
// to mark.js as terms to search for. Presumably mark.js only wraps matching text
// in <mark> elements and never writes the term itself into the page as markup —
// NOTE(review): confirm against the bundled mark.min.js that terms are escaped
// before being used for matching.
var instance = new Mark("div.results"); let urlParams = new URLSearchParams(window.location.search); if (urlParams.get('q')) { instance.mark(urlParams.get('q')); } if (urlParams.get('title')) { instance.mark(urlParams.get('title')); } if (urlParams.get('authors')) { instance.mark(urlParams.get('authors')); }
</script> <!-- --> </main> <div class="container-fluid mt-auto" id="eprintFooter"> <a href="https://iacr.org/"> <img id="iacrlogo" src="/img/iacrlogo_small.png" class="img-fluid d-block mx-auto" alt="IACR Logo"> </a> <div class="colorDiv"></div> <div class="alert alert-success w-75 mx-auto"> Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content. 
</div> </div> <script src="/css/bootstrap/js/bootstrap.bundle.min.js"></script> <script> /* Toggle the 'scrolled' class on the fixed top navbar once the page is scrolled more than 100px; unlike the clearButton handler above, this guards against #topNavbar being absent. */ var topNavbar = document.getElementById('topNavbar'); if (topNavbar) { document.addEventListener('scroll', function(e) { if (window.scrollY > 100) { topNavbar.classList.add('scrolled'); } else { topNavbar.classList.remove('scrolled'); } }) } </script> </body> </html>
