IACR News
If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.
Here you can see all recent updates to the IACR webpage. These updates are also available:
22 October 2025
Rachel Thomas, Oliwia Kempinski, Hari Kailad, Emma Margaret Shroyer, Ian Miers, Gabriel Kaptchuk
ePrint Report
We present cryptographic personas, an approach for facilitating access to pseudonymous speech within communities without enabling abuse. In systems equipped with cryptographic personas, users are able to authenticate to the service provider under new, unlinkable personas at will and post messages under those personas. When users violate community norms, their ability to post anonymously can be revoked. We develop two significant improvements to existing work on anonymous banning systems that make it possible to integrate cryptographic personas into real-time applications like group messaging: we show how to push expensive proof generation into an offline phase and find a way to optimize server-side overhead using recent proof folding techniques. We implement cryptographic personas, integrating them into a variety of settings, and show that they are concretely efficient enough for deployment.
Eshika Saxena, Alberto Alfarano, François Charton, Emily Wenger, Kristin Lauter
ePrint Report
AI-powered attacks on Learning with Errors (LWE), an important hard math problem in post-quantum cryptography, rival or outperform "classical" attacks on LWE under certain parameter settings. Despite the promise of this approach, a dearth of accessible data limits AI practitioners' ability to study and improve these attacks. Creating LWE data for AI model training is time- and compute-intensive and requires significant domain expertise. To fill this gap and accelerate AI research on LWE attacks, we propose the TAPAS datasets, a Toolkit for Analysis of Post-quantum cryptography using AI Systems. These datasets cover several LWE settings and can be used off-the-shelf by AI practitioners to prototype new approaches to cracking LWE. This work documents TAPAS dataset creation, establishes attack performance baselines, and lays out directions for future work.
Bing-Jyue Chen, Lilia Tang, David Heath, Daniel Kang
ePrint Report
Permutation and multiset checks underpin many SNARKs, yet existing techniques either incur superlinear prover time or rely on auxiliary commitments with soundness error that grows linearly in the input size. We present new arguments with linear-time provers and logarithmic soundness, without auxiliary commitments.
Prior work achieving logarithmic soundness error arithmetizes the permutation as a product of several multilinear polynomials, a formulation chosen for compatibility with the classic Sumcheck PIOP. A simpler alternative treats permutations as multilinear extensions of their permutation matrices. While this formulation was previously believed to require quadratic prover time, we show that this overhead can be eliminated by taking a linear-algebraic perspective. This viewpoint has a key advantage: partially evaluating the multilinear polynomial of the permutation requires no additional field operations and amounts to applying the inverse permutation to the verifier's challenge vector. This makes the step essentially free in terms of algebraic cost, unlike in prior approaches. Compared to concurrent work BiPerm (Bünz et al., ePrint Archive, 2025), our scheme requires no permutation preprocessing and supports prover-supplied permutations.
We show a sparsity-aware PCS like Dory (Lee, TCC, 2021) can compile our PIOP to a SNARK such that the resulting SNARK prover still runs in time $O(n)$. Our construction is the first logarithmically-sound SNARK with an $O(n)$-time prover for both permutation and multiset checks. We further prove a matching optimal prover lower bound, and we identify specific permutations that can be evaluated by the verifier in $O(\mathrm{polylog}(n))$-time. The ability to evaluate these permutations in $O(\mathrm{polylog}(n))$ time allows the verifier to avoid relying on prover-supplied commitments or evaluation proofs. As a result, we obtain the first logarithmically sound, field-agnostic SNARK with an $O(n)$-time prover in this setting.
Prior work achieving logarithmic soundness error arithmetizes the permutation as a product of several multilinear polynomials, a formulation chosen for compatibility with the classic Sumcheck PIOP. A simpler alternative treats permutations as multilinear extensions of their permutation matrices. While this formulation was previously believed to require quadratic prover time, we show that this overhead can be eliminated by taking a linear-algebraic perspective. This viewpoint has a key advantage: partially evaluating the multilinear polynomial of the permutation requires no additional field operations and amounts to applying the inverse permutation to the verifier's challenge vector. This makes the step essentially free in terms of algebraic cost, unlike in prior approaches. Compared to concurrent work BiPerm (Bünz et al., ePrint Archive, 2025), our scheme requires no permutation preprocessing and supports prover-supplied permutations.
We show a sparsity-aware PCS like Dory (Lee, TCC, 2021) can compile our PIOP to a SNARK such that the resulting SNARK prover still runs in time $O(n)$. Our construction is the first logarithmically-sound SNARK with an $O(n)$-time prover for both permutation and multiset checks. We further prove a matching optimal prover lower bound, and we identify specific permutations that can be evaluated by the verifier in $O(\mathrm{polylog}(n))$-time. The ability to evaluate these permutations in $O(\mathrm{polylog}(n))$ time allows the verifier to avoid relying on prover-supplied commitments or evaluation proofs. As a result, we obtain the first logarithmically sound, field-agnostic SNARK with an $O(n)$-time prover in this setting.
Zhuo Huang, Weijia Wang, Xiaogang Zhou, Yu Yu
ePrint Report
HQC (Hamming Quasi-Cyclic) was selected as the fifth algorithm in the NIST suite of post-quantum cryptographic (PQC) standards. As the only code-based algorithm currently standardized by NIST, HQC offers a good balance between security assurance, performance, and implementation simplicity. Most existing power analyses against HQC are of the SPA style: they can recover secrets with a small number of traces, but can only tolerate limited noise. In this paper, we develop a chosen-ciphertext DPA-style attack methodology against HQC. We formalize a dedicated chosen-ciphertext setting in which the adversary selects $(\mathbf{u},\mathbf{v})$ to target the intermediate value $\mathbf{v}\oplus(\mathbf{u}\mathbf{y})$ over $\mathbb{F}_2[x]/(x^n-1)$. We further optimize the attack by reducing its computational complexity and generalizing it to target masked HQC implementations. The proposed approach is validated through both simulation and practical experiments. In noiseless simulations, full-key recovery is achieved with just \(10\) traces, and the required number of traces increases linearly with 1/SNR. In practical evaluations on an STM32F4 microprocessor, the secret key can be recovered with \(45\) traces without profiling and \(10\) traces with profiling. When first-order masking is applied, key recovery on the same hardware target remains feasible by exploiting second-order features, requiring approximately \(7{,}500\) traces without profiling. Our results establish a direct and analyzable connection between leakage on \(\mathbf{v}\oplus \mathbf{u}\mathbf{y}\) and end-to-end key recovery, emphasizing the necessity of higher-order masking countermeasures for HQC implementations.
Adrian Cinal
ePrint Report
Privacy-oriented cryptocurrencies like Zerocash only support direct payments and not the execution of more complex contracts. Bitcoin and Ethereum, on the other hand, cannot guarantee privacy, and using them for contract execution leaves open questions about fungibility of the proceeds and requires contract designers to take frontrunning countermeasures. This work reconciles the two worlds and develops a practical framework for decentralized execution of complex contracts that (1) is undetectable to the network at large, (2) maintains anonymity of the potentially mutually distrustful counterparties, (3) guarantees fair termination, and (4) is immediately resistant to frontrunning and miner bribery attacks. This is achieved by leveraging the confidentiality and anonymity guarantees of Zerocash and the verifiability and flexibility of trusted execution environments.
Brandenburgische Technische Universität Cottbus-Senftenberg
Job Posting
limited to 3 years, full time, with possibility for extension
Tasks:
- Active research in the area of intrusion detection systems (IDS) for critical infrastructures, secure cyber-physical systems, and artificial intelligence / machine learning for traffic analysis
- Implementation and evaluation of new algorithms and methods
- Cooperation and knowledge transfer with industrial partners
- Publication of scientific results
- Assistance with teaching
The employment takes place with the goal of doctoral graduation (obtaining a PhD degree).
Requirements:
- Master’s degree (or equivalent) in Computer Science or related disciplines
- Strong interest in IT security and/or networking and distributed systems
- Knowledge of at least one programming language (C++, Java, etc.) and one scripting language (Perl, Python, etc.) or strong willingness to quickly learn new programming languages
- Linux/Unix skills
- Knowledge of data mining, machine learning, statistics and result visualization concepts is of advantage
- Excellent working knowledge of English; German is of advantage
- Excellent communication skills
Applications containing the following documents:
- A detailed Curriculum Vitae
- Transcript of records from your Master studies
- An electronic version of your Master thesis, if possible should be sent in a single PDF file as soon as possible, but not later than 10.11.2025 at itsec-jobs.informatik@lists.b-tu.de
Closing date for applications:
Contact: Prof. Dr.-Ing. Andriy Panchenko, itsec-jobs.informatik@lists.b-tu.de
More information: https://www.b-tu.de/fg-it-sicherheit
ClairVault
Job Posting
Company Description
ClairVault is an early-stage startup developing privacy-preserving technologies that allow organizations to use their sensitive data securely and in compliance with regulations. Our core mission is to make encrypted data usable: enabling real-time search, analytics, and predictions without decryption.We focus on advanced cryptographic methods such as privacy-preserving encryption, secure computation, and vector-embedding encryption, working with early customers in healthcare, finance, and enterprise systems. With academic and industry advisors and proof-of-concept projects underway, ClairVault is bridging research and real-world applications of cryptography.
Role Description
This is a full-time remote or hybrid role for a Cryptography Researcher. You will explore, design, and analyze cryptographic protocols for privacy-preserving data processing and work closely with engineers to translate your research into high-performance implementations. This role is ideal for someone passionate about advancing applied cryptography while helping shape the foundation of an innovative startup. Responsibilities- Research and design cryptographic schemes for privacy-preserving computation and encrypted data search.
- Analyze the security and efficiency of proposed schemes.
- Collaborate with Rust developers to implement research into production-ready libraries.
- Evaluate and benchmark cryptographic algorithms on real-world datasets.
- Stay ahead of emerging trends in cryptography, privacy, and secure computation.
- Advanced degree (Master’s/PhD) in Cryptography, Computer Science, Mathematics, or a related field.
- Strong knowledge of modern cryptography (e.g., homomorphic encryption, lattice-based cryptography, secure multiparty computation, zero-knowledge proofs).
- Demonstrated research contributions (publications, preprints, or open-source projects).
- Ability to analyze the trade-offs between theoretical security guarantees and practical performance.
- Comfortable working in an early-stage startup environment.
Closing date for applications:
Contact: Please send your CV, research portfolio/publications, or links to relevant work to jobs@clairvault.com.
Institute of Science Tokyo (formerly Tokyo Institute of Technology)
Job Posting
Associate Professor of Department of Mathematical and Computing, School of Computing. Area of Specialization: Theoretical Computer Science, Computational Complexity Theory, Algorithm Theory, Computational Learning Theory, Mathematical Logic, Formal language Theory, Software Verification, Programming Languages, Cryptography, Distributed Systems, etc.
Closing date for applications:
Contact: Keisuke Tanaka, Professor, School of Computing, Institute of Science Tokyo (formerly Tokyo Institute of Technology) e-mail: keisuke@comp.isct.ac.jp.
More information: https://jrecin.jst.go.jp/seek/SeekJorDetail?id=D125101483&ln=1
Lund University, Department of Electrical and Information Technology; Lund, Sweden
Job Posting
Through the Wallenberg AI, Autonomous Systems and Software Program (WASP) we now offer two new doctoral student positions in the area of Cybersecurity and Privacy. The research is devoted to the broader area of privacy-preserving communication and computation outsourcing.
Communication over the internet is susceptible to surveillance and censorship. Privacy preserving communication techniques (e.g., Tor, Nym, Snowflake) allow users to circumvent such surveillance and censorship. The research scope would include designing, analyzing and implementing such systems; additionally, studying different attacks and countermeasures are expected to be part of the research method.
Privacy-preserving computation outsourcing allows users to outsource computation tasks to a cloud server without revealing to the server anything about the user data or even what kind of computations the user is performing. There are different techniques for such privacy-preserving computation outsourcing such as Trusted Execution Environment (e.g., Intel SGX) and Fully Homomorphic Encryption (TFHE, BGV). The research method will be a combination of system studies, design, and experimental research.
How to apply:
Applications shall be written in English and include:
How to apply:
Applications shall be written in English and include:
- CV and a cover letter stating the reasons why you are interested in the doctoral programme/employment and in what way the research project corresponds to your interests and educational background.
- Copies of issued study certificates and/or awarded degree certificates.
- Other documents you wish to be considered (grade transcripts, contact information for your references, letters of recommendation, etc.)
Closing date for applications:
Contact: Debajyoti Das, Associate senior lecturer, debajyoti.das@eit.lth.se
Christian Gehrmann, Professor, christian.gehrmann@eit.lth.se
More information: https://lu.varbi.com/en/what:job/jobID:856834/
Maastricht University
Job Posting
Are you an expert in Network Security, with a strong ambition to advance research in this area? Are you eager to educate and mentor motivated students and upcoming Cybersecurity professionals? Then, the Department of Advanced Computing Sciences is looking for you.
We are looking for a colleague to strengthen our research and educational initiatives on Cybersecurity. Within that scope, your focus will be on Network Security: you will bring in, share, and develop valuable expertise. You will be part of the ambitious Cybersecurity team, that operates at Maastricht University in Maastricht and at the Brightlands Smart Services Campus in Heerlen.
Our ideal candidate has:
We are looking for a colleague to strengthen our research and educational initiatives on Cybersecurity. Within that scope, your focus will be on Network Security: you will bring in, share, and develop valuable expertise. You will be part of the ambitious Cybersecurity team, that operates at Maastricht University in Maastricht and at the Brightlands Smart Services Campus in Heerlen.
Our ideal candidate has:
- A PhD degree in Computer Science or a strongly related field; Experience in mentoring a team of junior researchers;
- A collaborative mindset;
- A strong and consistent track record in research and teaching;
- A proven track record with funding acquisition at national or European level.
Closing date for applications:
Contact: Are you interested in this exciting position but still have questions? Feel free to contact Bart Mennink, bart.mennink@maastrichtuniversity.nl for more information.
More information: https://vacancies.maastrichtuniversity.nl/job/Maastricht-AssistantAssociate-Professor-in-Network-Security/1329480557/
20 October 2025
Liang Zhang, Dongliang Cai, Yiwen Gao, Haibin Kan, Jiheng Zhang, Moti Yung
ePrint Report
Existing PVSS schemes suffer from at least $O(n)$ online complexity due to the need to individually encrypt and prove/ verify each of the $n$ shares. In this work, we present a generic framework for constructing PVSS schemes with $O(1)$ complexity for share distribution and (the expected to be repeated numerous times) public verification. Our key insight lies in establishing a novel connection between PVSS and CCA2-Secure threshold encryption (CCATE), which enables public verifiability enforced by Non-Interactive Zero-Knowledge (NIZK) proofs. We show that a CCATE scheme can be generically transformed into a secure PVSS scheme, eliminating the $O(n)$ bottleneck per on-line operations. We instantiate the framework by presenting two CCATE constructions: 1) A pairing-free scheme based on a committee-based Distributed Key Generation (DKG) protocol and Threshold ElGamal encryption. 2) A silent setup scheme leveraging a non-interactive distributed key generation, relying on Power-of-Tau ceremony. Furthermore, we introduce solutions for dynamic membership updates in both DKG constructions, demonstrating their practicality and adaptability for real-world applications. The scheme is based on an off-line setup stage (before a specific value to share is given) where the $O(n)$ complexity is dealt with. Although our schemes incur higher setup costs, they drastically reduce the complexity of the critical distribution and verification stages to constant time. This trade-off marks a significant advancement in the scalability of PVSS-based systems, especially in the context of blockchain modern transactions. Conceptually, the work points out how variants of the notion of Threshold Encryption can potentially serve as a ``compression mechanism'' for information sharing schemes.
Jan Sebastian Götte
ePrint Report
Germany is currently rolling out an opt-out, nation-scale
database of the medical records of the majority of its population, with low-income people being disproportionally represented among its users. While there has been considerable criticism of the system coming from civil society, independent academic analysis of the system by the cryptography and information security community has been largely absent. In this paper, we aim to raise awareness of the system’s existence and, based on the system’s public specifications, highlight several concerning cryptographic engineering decisions. Our core observations is that the system’s most sensitive long-term user keys are derived by a rudimentary, home-grown centralized key escrow mechanism. This mechanism relies on a per-use salt and only 256 bit of entropy, shared globally across millions of users. Furthermore, the system’s specification mandates only level 3 compliance with the obsolete FIPS 140-2 security standard, which requires “hard, opaque potting”, but lacks active tamper sensing. As a result, the system remains vulnerable to attacks by nation states and other well-funded adversaries.
Jan Sebastian Götte, Björn Scheuermann
ePrint Report
Security Meshes are patterns of sensing traces covering an area that are used in Hardware Security Modules (HSMs) and other systems to detect attempts to physically intrude into the device's protective shell. State-of-the-art solutions manufacture meshes in bespoke processes from carefully chosen materials, which is expensive and makes replication challenging. Additionally, state-of-the-art monitoring circuits sacrifice either monitoring precision or cost efficiency. In this paper, we present an embeddable security mesh monitoring circuit constructed from low-cost, standard components that utilizes Time Domain Reflectometry (TDR) to create a unique fingerprint of a mesh. Our approach is both low-cost and precise, and enables the use of inexpensive standard Printed Circuit Boards (PCBs) as security mesh material. We demonstrate a working prototype of our TDR circuit costing less than 10 € in components that achieves both time resolution and rise time better than 200 ps—a 25 × improvement over previous work. We demonstrate a simple classifier that detects several types of advanced attacks such as probing using an oscilloscope probe or micro-soldering attacks with no false negatives.
Adrian Cinal, Przemysław Kubiak, Mirosław Kutyłowski, Gabriel Wechta
ePrint Report
In this paper, we analyze the clash between privacy-oriented cryptocurrencies and emerging legal frameworks for combating financial crime, focusing in particular on the recent European Union regulations. We analyze Monero, a leading "privacy coin" and a major point of concern for law enforcement, and study the scope of due diligence that must be exercised under the new law with regard to Monero trading platforms and how it translates to the technical capabilities of the Monero protocol. We both recognize flaws in the legislation and identify technical pitfalls threatening either the effective compliance of, say, Monero exchanges or the anonymity endeavour of Monero itself. Of independent interest is that we turn to anamorphic cryptography (marking one of the first practical applications of the concept) and leverage it to build a hidden transaction layer embedded in the Monero blockchain that obfuscates illegal money flow and circumvents transaction-level attempts at enforcing the EU law.
Xiaobin Yu, Meicheng Liu
ePrint Report
Over the past decades, extensive research has been conducted on lightweight cryptographic primitives. The linear layer plays an important role in their security.
In this paper, we propose a family of linear layers consisting of XORs and rotations, which is called multiple rows mixers (MRM). It is a family designed for LS-type ciphers, but mixing elements from several rows. We investigate the impact of the linear layers on the 3-round trail weight of permutations and explore the properties of the inverse of the linear layers with a low XOR count. We employ a generic and extensible approach to determine the parameters of MRM. This approach can automatically generate linear layers that meet the requirements of a given branch number.
By applying these design principles and methods, we derive a linear layer that has a dimension of 5 × 64, a differential branch number of 12, a linear branch number of 5 and a computational cost of 2.6 XOR operations per bit. MRM is not limited to fixed dimension and can be extended to other dimensions. In addition, we present a concrete instantiation of a 320-bit permutation using a more efficient instance of MRM, named Hsilu. Its non-linear layer employs the χ operating on columns.
Compared with the permutations of Gaston and NIST lightweight standard Ascon, the round function of Hsilu requires fewer XOR operations. Hsilu exhibits competitive security and performance with Ascon and Gaston. We demonstrate that the best-found 3-round differential and linear trails of Hsilu have much higher weights than those of Ascon. Hsilu outperforms Gaston and Ascon in terms of both software and hardware performance.
In this paper, we propose a family of linear layers consisting of XORs and rotations, which is called multiple rows mixers (MRM). It is a family designed for LS-type ciphers, but mixing elements from several rows. We investigate the impact of the linear layers on the 3-round trail weight of permutations and explore the properties of the inverse of the linear layers with a low XOR count. We employ a generic and extensible approach to determine the parameters of MRM. This approach can automatically generate linear layers that meet the requirements of a given branch number.
By applying these design principles and methods, we derive a linear layer that has a dimension of 5 × 64, a differential branch number of 12, a linear branch number of 5 and a computational cost of 2.6 XOR operations per bit. MRM is not limited to fixed dimension and can be extended to other dimensions. In addition, we present a concrete instantiation of a 320-bit permutation using a more efficient instance of MRM, named Hsilu. Its non-linear layer employs the χ operating on columns.
Compared with the permutations of Gaston and NIST lightweight standard Ascon, the round function of Hsilu requires fewer XOR operations. Hsilu exhibits competitive security and performance with Ascon and Gaston. We demonstrate that the best-found 3-round differential and linear trails of Hsilu have much higher weights than those of Ascon. Hsilu outperforms Gaston and Ascon in terms of both software and hardware performance.
Reo Eriguchi
ePrint Report
Private Simultaneous Messages (PSM) and Conditional Disclosure of Secrets (CDS) are two fundamental primitives in information-theoretic cryptography. In a PSM protocol, each party sends a single message to a referee, who can then compute a function $f$ of their private inputs but learns nothing else. A CDS protocol follows the same model as PSM, but the goal is to disclose a secret shared among all parties to the referee if and only if the function $f$ evaluates to $1$. Minimizing the communication complexity of these primitives is a central question in this area. Since the best known constructions for general functions require high communication complexity, recent studies have attempted to obtain more efficient constructions by focusing on symmetric functions, whose outputs are invariant under permutations of inputs. However, the extent to which exploiting symmetry can improve efficiency has remained unclear. In this work, we show upper and lower bounds that relate the optimal communication complexities of PSM and CDS for symmetric functions to those for general functions. When the number of parties is larger than the input domain size, our upper bound for PSM improves the best known communication complexity for symmetric functions. Furthermore, our upper bound for CDS demonstrates for the first time that symmetry can be exploited to reduce communication in CDS protocols. In contrast, when the number of parties is constant, our lower bounds show that focusing on symmetric functions yields only a constant-factor improvement. We also derive an analogous implication for PSM protocols under a plausible conjecture. In addition, our new constructions for symmetric functions lead to improvements over the state-of-the-art results in related models such as ad hoc PSM and secret sharing.
Oleksandra Lapiha, Thomas Prest
ePrint Report
We present a simple IND-CCA lattice-based threshold KEM. At a high level, our design is based on the BCHK transform (Canetti et al., EUROCRYPT 2004), which we adapt to the lattice setting by combining it with the FO transform (Fujisaki and Okamoto, PKC 1999) in order to achieve decryption consistency.
As for the BCHK transform, our construction requires a threshold identity-based encryption (TIBE) scheme with suitable properties. We build such an IBE by combining the ABB IBE (Agrawal, Boneh, Boyen, EUROCRYPT 2010) with recent advances in lattice threshold cryptography, such as the threshold-friendly signature Plover (Esgin et al., EUROCRYPT 2024) and a variant of the Threshold Raccoon scheme (Katsumata et al., CRYPTO 2024).
The security proof of our scheme relies on a new assumption which we call the Coset-Hint-MLWE assumption, and which is a natural generalisation of the Hint-MLWE assumption (Kim et al., CRYPTO 2023). We prove the hardness of Coset-Hint-MLWE under standard assumptions. We believe this new assumption may be of independent interest.
Unlike prior works on IND-CCA lattice-based threshold KEMs, our construction only relies on simple algorithmic tools and does not use heavy machinery such as multi-party computation or threshold fully homomorphic encryption.
As for the BCHK transform, our construction requires a threshold identity-based encryption (TIBE) scheme with suitable properties. We build such an IBE by combining the ABB IBE (Agrawal, Boneh, Boyen, EUROCRYPT 2010) with recent advances in lattice threshold cryptography, such as the threshold-friendly signature Plover (Esgin et al., EUROCRYPT 2024) and a variant of the Threshold Raccoon scheme (Katsumata et al., CRYPTO 2024).
The security proof of our scheme relies on a new assumption which we call the Coset-Hint-MLWE assumption, and which is a natural generalisation of the Hint-MLWE assumption (Kim et al., CRYPTO 2023). We prove the hardness of Coset-Hint-MLWE under standard assumptions. We believe this new assumption may be of independent interest.
Unlike prior works on IND-CCA lattice-based threshold KEMs, our construction only relies on simple algorithmic tools and does not use heavy machinery such as multi-party computation or threshold fully homomorphic encryption.
Jung Hee Cheon, Minsik Kang, Junho Lee
ePrint Report
Encrypted matrix multiplication (MM) is a fundamental primitive in privacy-preserving machine learning and encrypted data search, but it remains a significant performance bottleneck. Recently, Bae et al.~(Crypto’24) and Park~(Eurocrypt’25) introduced novel algorithms for ciphertext–plaintext (CPMM) and ciphertext–ciphertext (CCMM) matrix multiplications. These algorithms reduce encrypted MM operations to plaintext matrix multiplications (PPMM), enabling implementation through highly optimized BLAS libraries.
While these reduction-based methods offer significant improvements, their applicability is limited to scenarios where the matrix dimension
$d$ is comparable to the ring dimension $N$ in RLWE-based CKKS schemes.
As a result, they fall short for matrix multiplications involving small or medium-sized matrices.
We extend the reduction-based CPMM/CCMM into small-sized matrix operations by batching instances. We use the Slots-in-Coefficient (SinC) encoding where a ring element is represented by a polynomial with coefficients each of which is the Discrete Fourier Transform of matrix entries at the same position. This encoding enables reductions of encrypted batch MM algorithms to a small number of batch PPMMs, which can be efficiently accelerated by BLAS libraries. Our batch encrypted MM flexibly accommodates diverse matrix dimensions and batch sizes independent of the ring dimension $N$, thereby extending its applicability to practical real-world settings.
For two $d \times d$ matrices with $N/d$ batches, our batch CPMM and CCMM algorithms achieve complexity $O(d^2N)$, improving upon Bae et al. at $O(dN^2)$ and Jiang et al~(CCS’18) at $O(d^2 N\log (N))$. We further extend our techniques to rectangular matrices, achieving $O(dN^2)$ for multiplying a $d \times N$ and an $N \times N$ matrix, improving previous $O(N^3)$ methods. A proof-of-concept implementation validates these improvements: multiplying 128 batches of $64 \times 64$ matrices takes $0.20$s (CPMM) and $0.91$s (CCMM), yielding $205\times$ and $64\times$ speedups over previous methods. For a $64 \times 2048$ by $2048 \times 2048$ multiplication, our CCMM completes in $7.8$s, achieving a $28\times$ speedup compared to Park's algorithm.
We extend the reduction-based CPMM/CCMM into small-sized matrix operations by batching instances. We use the Slots-in-Coefficient (SinC) encoding where a ring element is represented by a polynomial with coefficients each of which is the Discrete Fourier Transform of matrix entries at the same position. This encoding enables reductions of encrypted batch MM algorithms to a small number of batch PPMMs, which can be efficiently accelerated by BLAS libraries. Our batch encrypted MM flexibly accommodates diverse matrix dimensions and batch sizes independent of the ring dimension $N$, thereby extending its applicability to practical real-world settings.
For two $d \times d$ matrices with $N/d$ batches, our batch CPMM and CCMM algorithms achieve complexity $O(d^2N)$, improving upon Bae et al. at $O(dN^2)$ and Jiang et al~(CCS’18) at $O(d^2 N\log (N))$. We further extend our techniques to rectangular matrices, achieving $O(dN^2)$ for multiplying a $d \times N$ and an $N \times N$ matrix, improving previous $O(N^3)$ methods. A proof-of-concept implementation validates these improvements: multiplying 128 batches of $64 \times 64$ matrices takes $0.20$s (CPMM) and $0.91$s (CCMM), yielding $205\times$ and $64\times$ speedups over previous methods. For a $64 \times 2048$ by $2048 \times 2048$ multiplication, our CCMM completes in $7.8$s, achieving a $28\times$ speedup compared to Park's algorithm.
Hao Zhang, Zewen Ye, Teng Wang, Yuanming Zhang, Tianyu Wang, Chengxuan Wang, Kejie Huang
ePrint Report
The NIST Post-Quantum Cryptography (PQC) standardization has entered its fourth round, underscoring the critical importance of addressing side-channel attacks (SCA), a dominant threat in real-world cryptographic implementations, especially on embedded devices. This paper presents a novel chosen-ciphertext side-channel attack against CRYSTALS-Kyber (standardized as ML-KEM) implementations with Fisher-Yates shuffled polynomial reduction. We propose an efficient and fault-tolerant key recovery algorithm that, by crafting malicious ciphertexts, induces changes in the Hamming weight distribution of an intermediate polynomial's coefficients (the output of the shuffled polynomial reduction during decapsulation), enabling recovery of secret key coefficients from these changes. To ensure robustness, we propose an error-correction strategy that leverages the Hamming weight classifier's behavior to constrain and shrink the correction search space, maintaining effectiveness even with less accurate classifiers or in low-SNR environments. A Multi-Layer Perceptron (MLP) is employed for Hamming weight classification from side-channel traces, achieving 97.11\% accuracy. We combine statistical analysis with explainable deep learning for precise trace segmentation during pre-processing. Experimental results demonstrate full key recovery with only an average of $10 + 354 \times 3$ ciphertext queries and a success rate of 97.98\%, reducing the adversarial effort by 95.36\% compared to contemporary bit-flip techniques. Although shuffling aims to disrupt temporal correlations, our results show that statistical features persist and leak through shuffled implementations. This work reveals enduring SCA risks in shuffled implementations and informs a broader reassessment of PQC side-channel resilience.
Yusuke Sakai
ePrint Report
Aggregate signatures allow compressing multiple single-signer signatures into a single short aggregate signature. This primitive has attracted new attention due to applications in blockchains and cryptocurrencies. In multisig addresses, which is one of such applications, aggregate signatures reduce the sizes of transactions from multisig addresses. Security of aggregate signatures under adaptive corruptions of signing keys is important, since one of the motivations of multisig addresses was a countermeasure against signing key exposures. We propose the first aggregate signature scheme tightly secure under adaptive corruptions using pairings. An aggregate signature includes two source group elements of bilinear groups plus a bit vector whose length is equal to the number of single-signer signatures being aggregated. To construct a scheme, we employ a technique from quasi-adaptive non-interactive zero-knowledge arguments. Our construction can be seen as modularization and tightness improvement of Libert et al.'s threshold signature scheme supporting signature aggregation (Theoretical Computer Science 645) in a non-threshold setting.