International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

31 July 2025

Animesh Singh, Ayantika Chatterjee, Anupam Chattopadhyay, Debdeep Mukhopadhyay
ePrint Report
Optimizing Boolean circuits presents a considerable challenge, especially when aiming to construct circuits amenable to Fully Homomorphic Encryption (FHE) schemes. FHE enables arbitrary computations on encrypted data but incorporates a computationally intensive operation called bootstrapping, necessary for reducing noise in ciphertexts to facilitate computations on circuits of arbitrary depth. This operation can consume a substantial amount of time, depending on the size of the circuits. To address this issue, we propose a technique for efficiently synthesizing circuits specific to FHE by utilizing multi-input homogeneous and composite Boolean gates. Following this, we develop an automated framework for designing efficient circuits compatible with FHE schemes. In this work, we use Torus-FHE (TFHE) (JoC 2019), a widely used FHE scheme for Boolean circuits due to its fast bootstrapping operation per bit. Existing techniques typically employ either multi-input homogeneous gates or multi-bit Look-Up Tables during circuit synthesis, which often limits their ability to produce highly optimized circuits for FHE. Our approach addresses this limitation by proposing viable multi-input composite gates along with the homogeneous gates during circuit synthesis. Additionally, we propose an efficient and lightweight circuit synthesis approach based on graph optimization. Our approach identifies convex sub-graphs in a Directed Acyclic Graph (DAG) representing the input circuit and replaces them with a more compact structure. This results in a reduction of the number of nodes in the DAG and thus of the number of Boolean gates in the input circuit. Our proposed framework provides the most efficient Boolean circuits for TFHE to date, achieving up to a 20% improvement in homomorphic evaluation time compared to the state-of-the-art general compiler optimization techniques for TFHE, and it also demonstrates a 4-6× improvement over prior work on FHEW-like schemes.
Andrea Basso, Joppe W. Bos, Jan-Pieter D'Anvers, Angshuman Karmakar, Jose Maria Bermudo Mera, Joost Renes, Sujoy Sinha Roy, Frederik Vercauteren, Peng Wang, Yuewu Wang, Shicong Zhang, Chenxin Zhong
ePrint Report
The Learning with Rounding (LWR) problem, introduced as a deterministic variant of Learning with Errors (LWE), has become a promising foundation for post-quantum cryptography. This Systematization of Knowledge (SoK) paper presents a comprehensive survey of the theoretical foundations, algorithmic developments, and practical implementations of LWR-based cryptographic schemes. We introduce LWR within the broader landscape of lattice-based cryptography and post-quantum security, highlighting its advantages such as reduced randomness, improved efficiency, and enhanced side-channel resistance. We explore the evolution of security reductions from LWR to LWE, including recent advances that support practical parameter regimes and address challenges in both bounded and unbounded sample settings. This paper systematically reviews existing LWR-based schemes --- including Saber, Lizard, Florete, Espada, Sable, and SMAUG --- analyzing their design choices, parameter sets, and performance trade-offs. Furthermore, we examine the impact of LWR on side-channel resistance, failure probabilities, and masking efficiency, demonstrating its suitability for secure and efficient implementations. By consolidating the research spanning theory and practice, this SoK aims to guide future cryptographic design and standardization efforts leveraging LWR.

30 July 2025

Guang Yang, Peter Trinh, Alma Nkemla, Amuru Serikyaku, Edward Tatchim, Osman Sharaf
ePrint Report
The current Domain Name System (DNS) infrastructure faces critical vulnerabilities including poisoning attacks, censorship mechanisms, and centralized points of failure that compromise internet freedom and security. Recent incidents such as DNS poisoning attacks on ISP customers highlight the urgent need for resilient alternatives. This paper presents a novel blockchain-based Decentralized Domain Name System (DDNS). We designed a specialized Proof-of-Work blockchain to maximize support for DNS-related protocols and achieve node decentralization. The system integrates our blockchain with IPFS for distributed storage, implements cryptographic primitives for end-to-end trust signatures, and achieves "Never Trust, Always Verify" zero-trust verification. Our implementation achieves 15-second domain record propagation times, supports 20 standard DNS record types, and provides perpetual free .ddns domains. The system has been deployed across distributed infrastructure in San Jose, Los Angeles, and Orange County, demonstrating practical scalability and resistance to traditional DNS manipulation techniques. Performance evaluation shows the system can handle a maximum theoretical throughput of 1,111.1 tx/s (minimal transactions) and 266.7 tx/s (regular transactions) for domain operations while maintaining sub-second query resolution through intelligent caching mechanisms.
Thierry Emmanuel MINKA MI NGUIDJOI, MANI ONANA Flavien Serge, DJOTIO NDIÉ Thomas, BOUETOU BOUETOU Thomas
ePrint Report
The fundamental incompatibility between confidentiality, reliability, and legal opposability, formalized as the CRO trilemma, imposes an entropic bound Γ_CRO on cryptographic security in contextual adversarial settings. This paper introduces Q2CSI (Quantum Composable Contextual Security Infrastructure), a layered framework resolving this trilemma through dialectical separation. Q2CSI decomposes security guarantees into three isolated yet composable layers: Iron (reliability: temporal/logging integrity), Gold (confidentiality: semantic entropy preservation), and Clay (opposability: institutional interpretability). By embedding entropic constraints into an extended Universal Composability (UC) model, Q2CSI achieves Γ_CRO < 0.4, surpassing monolithic designs, while maintaining post-quantum resilience. The architecture is abstractly instantiated with minimal primitives (IND-CCA2 encryption, EUF-CMA signatures) and validated via a symbolic UC framework. Proofs demonstrate strict dialectical isolation, bounded contextual leakage, and compatibility with quantum adversaries. Q2CSI establishes a foundation for legally verifiable post-quantum protocols, with applications in zero-knowledge attestations and regulatory-compliant signatures.
David Perez, Sengim Karayalcin, Stjepan Picek, Servio Paguada
ePrint Report
Deep learning-based side-channel analysis (DLSCA) has demonstrated remarkable performance over the past few years. Even with limited preprocessing and feature engineering, DLSCA is capable of breaking protected targets, sometimes requiring only a single attack trace. In the DLSCA context, the commonly investigated countermeasures are Boolean masking and desynchronization. While the exact mechanisms of how DLSCA breaks masking are less understood, the core idea behind handling desynchronization is simple. Convolutional neural networks (CNNs) are shift invariant, allowing them to overcome desynchronization. However, considering the importance and practicality of desynchronization countermeasures, we know remarkably little about the limits of CNNs or how to enhance their capabilities when dealing with desynchronization.

In this work, we begin with the theoretical foundations of shift and temporal scale equivariance. Afterward, we build a neural network model allowing such equivariance and test it against several commonly considered targets. Our results demonstrate that equivariant CNNs are robust, easy to design, and achieve excellent attack performance. More precisely, we showcase how such a simple model can even outperform recent transformer-based neural networks. Finally, we demonstrate the practical relevance of scale equivariance by showing how an equivariant CNN can learn leakage from a device operating at one clock frequency and generalize to a device with a different clock frequency, a result not previously demonstrated in DLSCA.
Wei Qi
ePrint Report
We study additive positive accumulators, which maintain a short digest of a growing set such that each value in the set can prove membership via a generated witness. Due to compactness of the digest, previously added values may require updated witnesses as the set grows.

In this paper, we establish a trade-off between the bit-length of the accumulator value and the number of witness updates, using techniques generalized from [MQR22]. Specifically, we show that if the accumulator value has bit-length poly(log n), where n is the number of accumulated values, then some values must incur Ω(log n / log log n) witness updates, which matches the upper bound in [MQ23]. This improves upon the recent ω(1) lower bound of [BCCK25]. Our techniques and results also apply to Registration-based Encryption [GHMR18].
Huu Ngoc Duc Nguyen, Shujie Cui, Shangqi Lai, Tsz Hon Yuen, Joseph K. Liu
ePrint Report
Searchable symmetric encryption allows clients to outsource their databases to a semi-trusted cloud server while enabling private searches. The Oblivious Cross-Tag (OXT) protocol is a fundamental approach to conjunctive keyword search, ensuring that search performance scales with the least frequent keyword while introducing keyword pair result pattern (KPRP) and intersection result pattern (IP) leakages. However, recent studies show that the KPRP leakage in OXT can be exploited, allowing the cloud server to infer information about the client database. Several works have aimed to mitigate this issue, with Doris being the first non-interactive OXT-based scheme to hide KPRP and IP leakages. However, this comes at the cost of increased storage overhead. In this work, we propose a Doris-based conjunctive SSE scheme with improved storage efficiency. We replace the XOR filter in Doris with our XEBFF filter, which formalizes XOR filters and Binary Fuse Filters. Additionally, we introduce a frequency estimation approach using Count-Min Sketch to efficiently determine the least frequent keyword, which all previous OXT-based schemes overlook. Our scheme reduces storage overhead by 8% compared to Doris while maintaining search performance. With our s-term selection protocol, we ensure that search operations typically scale with the least frequent keyword.
Franciele C. Silva, Maja Lie, Cong Ling
ePrint Report
The Lattice Isomorphism Problem (LIP) is a relatively recent cryptographic assumption whose precise hardness remains not fully understood. Certain weak instances have been identified through hull attacks on $p$-ary lattices constructed via Construction A using linear codes with trivial hulls. In this work, we generalize the notion of the hull by introducing ideal-based hulls for Hermitian lattices. We propose a new hull attack targeting lattices derived from Generalized Construction A over number fields, under specific structural conditions. Furthermore, we show that modular lattices offer intrinsic resistance to hull attacks: the hull introduces only a limited variation in the lattice gap, bounded by a factor depending on the root discriminant of the number field. In particular, for modular $\mathbb{Z}$-lattices, the hull gap coincides exactly with the original lattice gap. As a concrete example, we show that the family of Barnes-Wall lattices, which are alternatively unimodular and 2-modular over $\mathbb{Z}$, are resistant to hull attacks.
Danai Balla, Pyrros Chaidos
ePrint Report
We demonstrate that the LLRing linkable ring signature scheme of Hui and Chau (ESORICS 2024) has an unlinkability vulnerability, meaning an adversary can create more unlinkable signatures than the number of secret keys they own, contradicting its security guarantees.

We also find that a similar attack applies to the Threshold Ring Referral scheme of Ta, Hui, and Chau (Security and Privacy 2025). We show how to restore linkability by constructing modifications to the Bulletproofs and Dory protocols.
Lourenço Abecasis, Paulo Mateus, Chrysoula Vlachou
ePrint Report
In this work, we explore the possibility of unconditionally secure universally composable (UC) commitments, a very relevant cryptographic primitive in the context of secure multi-party computation. To this end, we assume the existence of Physically Uncloneable Functions (PUFs), a hardware security assumption that has been proven useful for securely achieving diverse tasks. In prior work [ASIACRYPT 2013, LNCS, vol. 8270, pp. 100–119] it was shown that a protocol for unconditional UC-secure commitments can be constructed even when the PUFs are malicious. Here, we report an attack to this protocol, as well as a few more issues that we identified in its construction. To address them, first we revise some of the previous PUF properties, and introduce new properties and tools that allow us to rigorously develop and present the security proofs. Second, we propose two different ways for making the commitment scheme secure against the attack we found. The first involves considering a new model where the creator of a PUF is notified whenever the PUF is queried and the second involves restricting adversaries to only being able to create stateless malicious PUFs. Finally, we analyze the efficiency of our schemes and show that our constructions are advantageous in this respect compared to the original proposal.
Mladen Kovačević, Tatjana Grbić, Darko Čapko, Nemanja Nedić, Srđan Vukmirović
ePrint Report
The syndrome decoding problem is one of the NP-complete problems lying at the foundation of code-based cryptography. The variant thereof where the distance between vectors is measured with respect to the Lee metric, rather than the more commonly used Hamming metric, has been analyzed recently in several works due to its potential relevance for building more efficient code-based cryptosystems. The purpose of this article is to present a zero-knowledge proof of knowledge for this variant of the problem.
Bruno Woltzenlogel Paleo, Luca D'Angelo, Mohammad Shaheer, Giselle Reis
ePrint Report
This paper introduces Gluon W, a novel stablecoin protocol inspired by nuclear physics and named after the particle responsible for the stability of matter in the universe. The key idea in Gluon W is to split (as in nuclear fission) an existing volatile asset into its stable and unstable components. These components can be merged back (as in nuclear fusion) into the original asset or transmuted into each other (as in nuclear beta decays). Various stability theorems are proven and their proofs are formally verified using the interactive proof assistant Rocq.
Mamunur Rashid Akand, Reihaneh Safavi-Naini
ePrint Report
Credentials are used to verify a user's identity and attributes and form the basis of securing user access to system resources. Users obtain credentials and store them on their (mobile) devices, and present them when needed. Anonymous credentials protect the user's identity and ensure unlinkability of multiple showings of the credential. In this paper, we consider a setting where a user is issued multiple credentials in sequence (e.g., for completing courses), and credential subsequences must be presented in order of issuance. We focus on anonymous credential systems where information such as the time of issuing is hidden for anonymity, or settings where there is no global clock and issuing time information is not recorded. We propose a novel order-preserving Proof-of-Credential-Subsequence (PoCS) system called KROM that allows a potentially untrusted user to present a subsequence of their locally stored credentials to a verifier, while the relative chronological order of issuance is preserved. We formalize the security and privacy of KROM and present two constructions: a basic one that is based on Merkle trees and one with batched verification that significantly improves the efficiency of the system. We use KROM to construct an anonymous order-preserving proof-of-location-subsequence system and prove its security. The system enables users to selectively present a subsequence of their visited locations to a verifier or an auditor. The main challenge that is addressed is to ensure that the location information, which must be in plaintext, does not breach privacy when used in sequence.

28 July 2025

Award
We are proud to announce the winners of the 2024 IACR Test-of-Time Award for Crypto.

The IACR Test-of-Time Award honors papers published at the 3 IACR flagship conferences 15 years ago which have had a lasting impact on the field.

The Test-of-Time award for Crypto 2010 is awarded to the following two papers:

Factorization of a 768-bit RSA modulus, by Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, Joppe W. Bos, Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, Herman te Riele, Andrey Timofeev and Paul Zimmermann.
For the landmark factorization of a 768-bit RSA modulus, guiding the deprecation of RSA-1024 and advancing practical cryptanalysis.


Cryptographic Extraction and Key Derivation: The HKDF Scheme, by Hugo Krawczyk.
For formalizing key derivation and introducing HKDF, a widely adopted and standardized extract-then-expand scheme.

For more information, see https://www.iacr.org/testoftime.

Congratulations to all winners!
Onur Gunlu
ePrint Report
We establish the randomized distributed function computation (RDFC) framework, in which a sender transmits just enough information for a receiver to generate a randomized function of the input data. Describing RDFC as a form of semantic communication, which can be essentially seen as a generalized remote‑source‑coding problem, we show that security and privacy constraints naturally fit this model, as they generally require a randomization step. Using strong coordination metrics, we ensure (local differential) privacy for every input sequence and prove that such guarantees can be met even when no common randomness is shared between the transmitter and receiver.

This work provides lower bounds on Wyner's common information (WCI), which is the communication cost when common randomness is absent, and proposes numerical techniques to evaluate the other corner point of the RDFC rate region for continuous‑alphabet random variables with unlimited shared randomness. Experiments illustrate that a sufficient amount of common randomness can reduce the semantic communication rate by up to two orders of magnitude compared to the WCI point, while RDFC without any shared randomness still outperforms lossless transmission by a large margin. A finite blocklength analysis further confirms that the privacy parameter gap between the asymptotic and non-asymptotic RDFC methods closes exponentially fast with input length. Our results position RDFC as an energy-efficient semantic communication strategy for privacy‑aware distributed computation systems.
MOHAMMAD VAZIRI, Vesselin Velichkov
ePrint Report
This paper presents an enhancement to cube-attack-like cryptanalysis by minimizing output-bit dependency on related key bits, thereby improving attack complexity. We construct two distinct initial states differing exclusively in predetermined bit positions. Through independent cube summation and state difference analysis, we observed reduced related-key-bit dependency for specific output bits. We validate our approach by targeting four Keccak keyed variants: Ketje Minor, Ketje Major, Keccak-MAC-512 and Keccak-MAC-384, developing a dedicated tool to recover all output-bit superpolies. Using our computational resources, we successfully attacked 4 rounds of Ketje Minor and 5 rounds of the other variants, confirming both the method's validity and practical applicability. While the best known attacks on these structures reach 7 rounds, our results improve upon the existing 5-round attacks.

We construct our initial state configurations based on the automated method proposed by Bi et al. in Designs, Codes and Cryptography (2019), and compare our results with theirs. For the 4-round Ketje Minor, we reduce the time complexity from \(2^{20}\) to \(2^{16.8}\); for the 5-round Ketje Major, from \(2^{24.3}\) to \(2^{23.9}\); for 5-round Keccak-MAC-512, from \(2^{34}\) to \(2^{31.3}\); and for 5-round Keccak-MAC-384, from \(2^{27.6}\) to \(2^{25.5}\).
Foteini Baldimtsi, Konstantinos Chalkias, Arnab Roy
ePrint Report
The impending threat posed by large-scale quantum computers necessitates a reevaluation of signature schemes deployed in blockchain protocols. In particular, blockchains relying on ECDSA, such as Bitcoin and Ethereum, exhibit inherent vulnerabilities due to on-chain public key exposure and the lack of post-quantum security guarantees. Although several post-quantum transition proposals have been introduced, including hybrid constructions and zero-knowledge-based key migration protocols, these approaches often fail to protect inactive "sleeping" accounts, are cumbersome, or require address changes, violating core immutability and full backward compatibility assumptions.

In this work, we observe that blockchains employing EdDSA with RFC 8032-compliant key derivation (e.g., Sui, Solana, Near, Stellar, Aptos, Cosmos) possess an underexplored structural advantage. Specifically, EdDSA's hash-based deterministic secret key generation enables post-quantum zero-knowledge proofs of elliptic curve private key ownership, which can help switch to a quantum-safe algorithm proactively without requiring transfer of assets to new addresses.

We demonstrate how Post-Quantum NIZKs can be constructed to prove knowledge of the "seed" used in EdDSA key derivation, enabling post-quantum-secure transaction authorization without altering addresses or disclosing elliptic curve data. By post-quantum readiness, we mean that with a single user action all future signatures can be made post-quantum secure, even if past transactions used classical elliptic curve cryptography. This allows even users who have previously exposed their public key to seamlessly enter the post-quantum era without transferring assets or changing their account address.

As part of this analysis, we also show that BIP32-based ECDSA wallets are not post-quantum ready without breaking changes, as they rely on direct scalar exposure in derivation, making backward-compatible upgrades infeasible. In contrast, SLIP-0010 hash-chain based EdDSA private key derivation provides a foundation for seamless, backwards-compatible migration to quantum-safe wallets, supporting secure upgrades even for dormant or legacy accounts.

This mechanism affords a quantum-resilient path and is the first of its kind that preserves full backward compatibility, supports account abstraction, and critically secures dormant accounts, whether from users or custodians, that would otherwise be compromised under quantum adversaries.
Hannah Mahon, Shane Kosieradzki
ePrint Report
Fully homomorphic encryption (FHE) enables computations over encrypted data without the need for decryption. Recently there has been an increased interest in developing FHE-based algorithms to facilitate encrypted matrix multiplication (EMM) due to rising data security concerns surrounding cyber-physical systems, sensor processing, blockchain, and machine learning. Presently, FHE operations have a high computational overhead, resulting in an increased need for low operational complexity algorithms to compensate. We present a novel matrix encoding and EMM algorithm for power-of-2 cyclotomic-based rings, utilizing three-dimensional rotations which offer improvements over the one-dimensional rotations used in previous work. We encode each $d \times d$ matrix as a single, batch-encoded ciphertext, with minimum ciphertext size $d^3$. The proposed algorithm improves the number of plaintext-ciphertext multiplications from $O(d)$ to $O(1)$ and the number of rotations from $O(d)$ to $O(\log_2{d})$. In addition, our work supports rectangular matrix multiplication and matrix packing without incurring additional operations per execution. Benchmarks were obtained with a Microsoft SEAL implementation and compared against the leading EMM algorithm, with our work performing $4$ times faster for $16 \times 16$ matrices on consumer hardware. Our algorithm is compatible with existing encrypted machine learning frameworks and can be a drop-in replacement for existing matrix multiplication algorithms for increased speed. The favorable time complexity is well suited for time-sensitive encrypted algorithms such as computer vision, controls, and patient health monitoring.
Zachary DeStefano, Jeff J. Ma, Joseph Bonneau, Michael Walfish
ePrint Report
Server authentication assures users that they are communicating with a server that genuinely represents a claimed domain. Today, server authentication relies on certification authorities (CAs), third parties who sign statements binding public keys to domains. CAs remain a weak spot in Internet security, as any faulty CA can issue a certificate for any domain. This paper describes the design, implementation, and experimental evaluation of NOPE, a new mechanism for server authentication that uses succinct proofs (for example, zero-knowledge proofs) to prove that a DNSSEC chain exists that links a public key to a specified domain.

The use of DNSSEC dramatically reduces reliance on CAs, and the small size of the proofs enables compatibility with legacy infrastructure, including TLS servers, certificate formats, and certificate transparency. NOPE proofs add minimal performance overhead to clients, increasing the size of a typical certificate chain by about 10% and requiring just over 1 ms to verify. NOPE’s core technical contributions (which generalize beyond NOPE) include efficient techniques for representing parsing and cryptographic operations within succinct proofs, which reduce proof generation time and memory requirements by nearly an order of magnitude.
Wenxuan Zeng, Tianshi Xu, Yi Chen, Yifan Zhou, Mingzhe Zhang, Jin Tan, Cheng Hong, Meng Li
ePrint Report
Privacy-preserving machine learning (PPML) based on cryptographic protocols has emerged as a promising paradigm to protect user data privacy in cloud-based machine learning services. While it achieves formal privacy protection, PPML often incurs significant efficiency and scalability costs due to orders of magnitude overhead compared to the plaintext counterpart. Therefore, there has been a considerable focus on mitigating the efficiency gap for PPML. In this survey, we provide a comprehensive and systematic review of recent PPML studies with a focus on cross-level optimizations. Specifically, we categorize existing papers into protocol level, model level, and system level, and review progress at each level. We also provide qualitative and quantitative comparisons of existing works with technical insights, based on which we discuss future research directions and highlight the necessity of integrating optimizations across protocol, model, and system levels. We hope this survey can provide an overarching understanding of existing approaches and potentially inspire future breakthroughs in the PPML field. As the field is evolving fast, we also provide a public GitHub repository to continuously track the developments, which is available at https://github.com/PKU-SEC-Lab/Awesome-PPML-Papers.