International Association
for Cryptologic Research

We introduce the rotational-add diffusion layers aimed for applications in the design of arithmetization-oriented (AO) symmetric ciphers, such as fully homomorphic encryption (FHE)-friendly symmetric ciphers. This generalizes the rotational-XOR diffusion layers which have been utilized in the design of many important conventional symmetric ciphers like SHA-256, SM4, ZUC and Ascon. A rotational-add diffusion layer is defined over the finite field $\mathbb{F}_{p}$ for arbitrary prime $p$, enabling implementations using only rotations and modular additions/subtractions. The advantage of using such diffusion layers in AO ciphers is that, the costs of scalar multiplications can be reduced since the appearing scalars include only $\pm 1$, thus the total costs depend on sizes of the rotation offsets. In this paper, we investigate characterizations and constructions of lightest rotational-add diffusion layers over $(\mathbb{F}_{p}^{m})^{n}$ that are maximum distance separable (MDS) with a focus on the case $n=4$. It turns out that the minimum achievable size of the rotation offsets is 5 subject to the MDS property constraint. We specify a large class of rotational-add diffusion layers with 5 rotations and traverse all possible patterns of appearance of the scalars $\pm1$. In four cases we can derive computationally tractable necessary and sufficient conditions for the rotational-add diffusion layers to attain the MDS property. These conditions enable explicit characterization of suitable primes $p$ for given parameters. Leveraging these results, we construct three distinct families of rotational-add MDS diffusion layers applicable to AO ciphers. Although a rotational-add diffusion layer with 7 rotations and only additions has already been used in the design of the FHE-friendly block cipher YuX recently, to our knowledge, our work presents the first systematic theoretical characterization of rotational-add MDS diffusion layers and provides explicit constructions of them.

The Iterated Even-Mansour (IEM) construction was introduced by Bogdanov et al. at EUROCRYPT 2012 and can be seen as an abstraction or idealization of blockciphers like AES. IEM provides insights into the soundness of this blockcipher structure and the best possible security for any number of rounds. IEM with $r$ permutations on $n$-bit blocks is secure up to $q \approx 2^{rn/(r+1)}$ queries to the cipher and each permutation.

Forkciphers, introduced at ASIACRYPT 2019 as expanding symmetric ciphers, have since found applications in encryption, authenticated encryption and key derivation. Kim et al. (ToSC 2020) proposed the first IEM-style forkcipher, FTEM, but their security proof is limited to a 2-round design with tweak processing based on XORing AXU hashes. This offers limited insight into practical forkciphers like ForkSkinny, which use 40 to 56 rounds and a different tweak schedule. No security results currently exist for forked IEM constructions with more than two rounds. We propose a generalized forked IEM construction called GIEM which integrates any tweakey schedule (including tweak-dependent round keys or constant keys) and thus encompasses IEM, FTEM and similar IEM-related constructions.

We define three forkcipher-related instantiations, FEM (2 branches and no tweaks), FTEMid (2 branches and idealized tweakey schedule) and MFTEM (unlimited branches and AXU-based tweakey schedule). We prove that each construction achieves security similar to the respective non-forked construction. This shows the soundness of the forking design strategy and can serve as a basis for new constructions with more than two branches.

In their work, Bogdanov et al. also propose an attack against IEM using $q \approx 2^{rn/(r+1)}$ queries, which is used in a number of follow-up works to argue the tightness of IEM-related security bounds. In this work, we demonstrate that the attack is ineffective with the specified query complexity. To salvage the purported tightness results, we turn to an attack by Gazi (CRYPTO 2013) against cascading block ciphers and provide the necessary parameters to apply it to IEM. This validates the tightness of the known IEM security bound.

We introduce an efficient SAT-based space partitioning technique that enables systematic exploration of large search spaces in cryptanalysis. The approach divides complex search spaces into manageable subsets through combinatorial necklace generation, allowing precise tracking of explored regions while maintaining search completeness.

We demonstrate the technique's effectiveness through extensive cryptanalysis of Ascon-Hash256. For differential-based collision attacks, we conduct an exhaustive search of 2-round collision trails, proving that no collision trail with weight less than 156 exists. Through detailed complexity analysis and parameter optimization, we present an improved 2-round collision attack with complexity $2^{61.79}$. We also discover new Semi-Free-Start (SFS) collision trails that enable practical attacks on both 3-round and 4-round Ascon-Hash256, especially improving the best known 4-round SFS trail from weight 295 to 250.

Furthermore, applying the technique to Meet-in-the-Middle structure search yields improved attacks on 3-round Ascon-Hash256. We reduce the collision attack complexity from $2^{116.74}$ to $2^{114.13}$ with memory complexity $2^{112}$ (improved from $2^{116}$), and the preimage attack complexity from $2^{162.80}$ to $2^{160.75}$ with memory complexity $2^{160}$ (improved from $2^{162}$).

Isogeny-based cryptosystems continue to show promise in post-quantum cryptography. In recent years, numerous constructions have been proposed, one of which is POKÉ, a compact and efficient public-key exchange system that uses higher-dimensional isogenies. This paper leverages a well-known adaptive attack on SIDH by Galbrath, Petit, Shani and Ti, and demonstrates a similar attack on POKÉ, when given a key exchange oracle with the same assumptions as those posed by Galbraith et al. This attack relies on the user to employ long-term static keys which is against the intent of the designers of POKÉ. Indeed, this attack provides further evidence that POKÉ should not be used with a long-term static key.

In video-centric applications, video objects and backgrounds often contain sensitive information, which raises serious privacy concerns. It is necessary to restrict access to certain objects or backgrounds in the video stream while allowing permitted users to view a specific subset of video content. However, masking the prohibited objects for each user, then encoding and delivering each individually processed video to the target user will generate multiple copies of the same video. This can lead to significant storage, processing, and communication overhead when the number of users is large. In this work, inspired by the idea of functional encryption, we propose a fine-grained and real-time video encryption and sharing scheme, named FVES$^+$. In FVES$^+$, we encode and encrypt the videos only once, and different users can decode and decrypt the encrypted videos to acquire different contents depending on their access authorities. Theoretically, FVES$^+$ achieve IND-CPA security.

We implement and evaluate FVES$^+$ using PC and mobile devices as end-devices. FVES$^+$ achieves real-time performance, averaging $35.1$ FPS across three public datasets, including the stages of object detection, encoding, and encryption. When there are $n$ different access requirements by end-users, FVES$^+$ improves video sharing speed by $\Theta(n)\times$ compared to the baseline methods. Our experiments validate the effectiveness and efficiency of FVES$^+$.

Standard symmetric encryption schemes, such as AES and block ciphers and their modes in general, are highly effective for many standard scenarios. But what if the situation is somewhat different from the standard: e.g., the encrypting process may fail to update the ciphertext at some limited number of times, can the decryption recover the message in full, nevertheless? Or, another situation is when encrypting a bulk of messages that should be packed together within the same ciphertext space (i.e., encryption done holographically)? Can a process compress the messages this way? Another issue may be that we want to hide the ciphertext and camouflage it as some other cryptographic exchange (like exchanging an encrypted set to perform a protocol like “private set intersection”), or when we want to hide the number of messages packed together? Can a paradigm be developed that allows these non-standard properties that, under specific working conditions, may become necessary? Can it be based directly on a simple symmetric key cryptographic tool (and preferably be post-quantum)? This paper introduces Encryption via Hash (EvH), a symmetric randomized cipher built upon keyed cryptographic hash (i.e., MAC) functions and Bloom Filters. EvH’s core novelty lies in its prefix decryption capability. This unique property enables a paradigm in which encryption is tightly integrated with online compression and robust resilience to omission errors. By representing message prefixes in a Bloom filter, EvH allows a receiver to decrypt the initial part of a message even if subsequent data is lost and recover from an omission of a prefix decryption in the middle of the encipherment process, a significant advantage over conventional block cipher modes. Furthermore, this prefix-based approach facilitates simultaneous compression during the decryption phase by dynamically pruning invalid message continuations, using shared k-gram dictionaries or Large Language Models (LLMs). The result is a stateless and parallelizable cipher that, while computationally distinct from traditional ciphers, offers unique functional benefits for such specific use cases, and the price is that its correctness is ensured probabilistically (but the error can be well controlled and made small).

We present the first systematic study on communication-efficient evaluation of the lightweight cipher family Ascon within secure multi-party computation (MPC). By leveraging Ascon’s parallel, bit-oriented structure, we adapt its design using Reverse Multiplication-Friendly Embeddings (RMFEs, introduced by Cascudo et al.\ in CRYPTO'18) in a single-circuit evaluation, enabling efficient packing of groups of bits into field elements.

Our protocol, which uses relatively small RMFEs, achieves substantial reductions in communication cost compared to baseline MPC protocols. For example, in a medium-sized setting (with $n = 13$ MPC parties), our protocol reduces the communication cost for an Ascon permutation by roughly $38\%$. For large amounts of parties (e.g., $n=255$), the reduction can reach $50\%$. These improvements are achieved even though RMFEs only pack a few bits per field element, due to favorable amortization of both substitution and linear layers. We also provide a Boolean circuit implementation of Ascon in the MP-SPDZ framework, enabling straightforward benchmarking.

Our findings are particularly beneficial for bandwidth-constrained environments where the use of lightweight ciphers, such as Ascon, is necessary due to the resource limitations of client devices, as in the case of transciphering data from IoT sensors. Since our optimizations target the Ascon permutation, they naturally extend to all cryptographic modes (encryption, decryption, hashing) defined for the standard.

Privacy-preserving machine learning (PPML) is a powerful tool for multiple parties to collaboratively train a model or perform model inference without exposing their private data in the context of Internet of things. A key challenge in PPML is the efficient evaluation of non-polynomial functions. In this work, we propose NASE, a neat and accurate secure exponentiation protocol for radius basis function (RBF) kernel evaluation. Leveraging the property of the RBF kernel, NASE enjoys a lightweight construction that reduces computation overhead by up to 1.65$\times$ and communication overhead by up to 3.97$\times$ compared to SIRNN, the prior SOTA framework for secure exponentiation published in IEEE S\&P 2021.

Taking NASE as the foundation stone, we propose a privacy-preserving two-party kernel SVM training protocol. Based on BFV scheme and MPC technique, we introduce group-batch sampling for sampling in ciphertext and propose the partial rotation method tailored to our scenario to optimize dot product computation. Additionally, we propose an error-tolerant $DReLU$ protocol for secure sign evaluation of secret sharings over a prime field that reduces the communication cost by around $\frac{1}{3}$ compared to the existing method. Our protocol achieves model accuracy comparable to plaintext training according to experiments on real-world datasets, and an order-of-magnitude reduction in both communication and computation overhead is attained compared to the previous work.

Proving statements over integers is crucial in modern cryptographic protocols because certain computations, such as range proofs and Diophantine satisfiability, are more efficiently expressed over integers. Currently, the prevailing approach to achieve this is to convert the integer relations into statements tractable for proof systems over a finite field $\mathbb{Z}_p$. However, finding these corresponding tractable statements over $\mathbb{Z}_p$ is not always straightforward, and in practical schemes, the conversion often introduces computational overheads. Therefore, there is a growing interest in proving the statements directly over integers.

Due to the significant applicability of inner-product arguments (IPA) in constructing succinct proof systems, in this work, we extend them to work natively in the integer setting. We introduce and construct inner-product commitment schemes over integers that allow a prover to open two committed integer vectors to a claimed inner product. The commitment size is constant and the verification proof size is logarithmic in the vector length. The construction significantly improves the slackness parameter of witness extraction, surpassing the existing state-of-the-art approach. Our construction is based on the folding techniques for Pedersen commitments defined originally over $\mathbb{Z}_p$. We develop general-purpose techniques to make it work properly over $\mathbb{Z}$, which may be of independent interest.

Building upon our IPAs, we first present a novel batchable argument of knowledge of nonnegativity of exponents that can be used to further reduce the proof size of Dew-PCS (Arun et al., PKC 2023). Second, we present a construction for range proofs that allows for extremely efficient batch verification of a large number of range proofs over much larger intervals. We also provide a succinct zero-knowledge argument of knowledge with a logarithmic-size proof for more general arithmetic circuit satisfiability over integers.

Sigma protocols are fundamental cryptographic tools, serving as the foundation of many practical schemes—most notably, the Schnorr identification and signature schemes. To prove the security of Sigma protocols, one typically reduces breaking a Sigma protocol to solving a presumed hard problem (e.g., computing the discrete logarithm in a certain group). In many settings, however, these reductions are not tight: given an adversary that breaks a Sigma protocol with probability $\varepsilon$, the reduction only yields an adversary for the underlying problem with probability $\varepsilon^2$. This quadratic loss affects efficiency, as it forces choosing larger security parameters to reach a target security level.

In this work, we show that this quadratic loss is inherent for two natural classes of reductions. For interactive protocols, we prove it for uniform-challenge, black-box reductions, which query the adversary using uniformly sampled challenges. For non-interactive protocols (i.e., in the random-oracle model), we prove it for weakly programmable, black-box reductions, which answer the adversary’s oracle queries with uniformly sampled outputs. Applying our bounds to the reductions from Schnorr identification and signatures to discrete logarithm yields lower bounds that match known positive results—namely, the classical worst-case reduction of Pointcheval and Stern (Journal of Cryptology, 2000) and the higher-moment reduction of Rotem and Segev (Journal of Cryptology, 2024).

Our approach reduces the analysis of such reductions to the values of simple hitting games—combinatorial games that we introduce. Bounding these games is our main technical contribution, and we believe these bounds can enable more modular proofs of related results.

A major bottleneck in secure neural network inference using Fully Homomorphic Encryption (FHE) is the evaluation of non-linear activation functions like ReLU, which are inefficient to compute under FHE. State-of-the-art solutions approximate ReLU using high-degree polynomials, incurring significant computational overhead. We propose novel methods for functional bootstrapping with CKKS, and based on these methods we present RBOOT, an optimized framework that seamlessly integrates ReLU evaluation into CKKS bootstrapping, significantly reducing multiplication depth and boosting efficiency. Our key insight is that the EvalMod step in CKKS bootstrapping is composed of trigonometric functions, which can be transformed into various common non-linear functions. By co-optimizing these components, we can exploit such non-linearity to construct ReLU (and other non-linear functions) within the bootstrapping process itself, greatly reducing the computation overhead. Results on four widely used CNN models show that RBOOT achieves $2.77\times$ faster end-to-end inference and $81\%$ lower memory usage compared to previous polynomial approximation works, while maintaining comparable accuracy.

Mix networks (mix-nets) offer strong anonymity by routing client packets through intermediary hops, where they are shuffled with other packets to obscure their origins from a global adversary monitoring all communication exchanges. However, this anonymity is achieved at the expense of increased end-to-end latency, as packets traverse multiple hops (incurring routing delays) and experience additional delays at each hop for shuffling purposes. Consequently, the overall latency for delivering a message—comprising multiple packets—is determined by the packet with the highest combined routing and shuffling delay, which can significantly degrade the client experience, particularly in latency-sensitive applications.

To address this issue, our work \textbf{first} derives the theoretical statistics of the total latency experienced by a message, revealing a clear correlation between latency and the number of packets. \textbf{Second}, we propose two approaches to reduce this total latency. First, we present a method to adjust the shuffling delays at each hop, offsetting potential anonymity loss by integrating client-generated noise, backed by differential privacy guarantees. Next, we introduce packet-aware routing techniques, offering two novel methods that prioritize messages with more packets, forwarding them through faster links. However, this may cause certain nodes to be overloaded with disproportionate traffic. To solve this, we \textbf{third} introduce an efficient load-balancing algorithm to redistribute traffic without compromising the packet-aware nature of the routing. \textbf{Finally}, through comprehensive analytical and simulation experiments, we validate our theoretical latency bounds and evaluate the efficacy of our latency management strategies. The results confirm both methods substantially reduce latency with minimal impact on anonymity, while the strategic routing method remains robust against advanced adversarial attacks.

Note that this paper is an extended version of PARSAN-Mix (accepted and presented at ACNS 2025), mainly aimed at providing full proofs of the theorems together with additional empirical analysis.

This paper presents an efficient framework for private Transformer inference that combines Homomorphic Encryption (HE) and Secure Multi-party Computation (MPC) to protect data privacy. Existing methods often leverage HE for linear layers (e.g., matrix multiplications) and MPC for non-linear layers (e.g., Softmax activation functions), but the conversion between HE and MPC introduces significant communication costs. The proposed framework, dubbed BLB, overcomes this by breaking down layers into fine-grained operators and further fusing adjacent linear operators, reducing the need for HE/MPC conversions. To manage the increased ciphertext bit width from the fused linear operators, BLB proposes the first secure conversion protocol between CKKS and MPC and enables CKKS-based computation of the fused operators. Additionally, BLB proposes an efficient matrix multiplication protocol for fused computation in Transformers. Extensive evaluations on BERT-base, BERT-large, and GPT2-base show that BLB achieves a $21\times$ reduction in communication overhead compared to BOLT (S&P'24) and a $2\times$ reduction compared to Bumblebee (NDSS'25), along with latency reductions of $13\times$ and $1.8\times$, respectively, when leveraging GPU acceleration.

As an ISO/IEC standard, RIPEMD-160 has been extensively studied for (Semi-Free-Start) collision attacks. A significant breakthrough was achieved at FSE 2024 with the first 41-, 42-, and 43-step SFS collision attacks, which leveraged an automatic search model (EUROCRYPT 2023) and a message modification strategy (FSE 2020). However, these attacks are limited by reliance on heuristic objective functions and suboptimal message modification techniques. This paper enhances the existing framework from two perspectives. Firstly, we refine the automatic search model by incorporating a holistic objective function that considers all critical probability components, moving beyond simple Hamming weight. Secondly, we introduce two generic techniques to further improve (SFS) collision attacks: the first application of differential clustering and a dedicated message modification strategy. As a result, we present the first valid SFS collision attack on 44-step RIPEMD-160. Additionally, we significantly reduce the time complexities of existing attacks on 41-, 42-, and 43-step variants, making it feasible to find colliding message pairs for 41- and 42-step versions within practical time for the first time.

In this work, we propose a novel framework called PolySys for modeling and designing leakage attacks as constraint-solving algorithms over polynomial systems. PolySys formalizes the design of attacks using invertible encodings, structural and leakage equations, and efficient constraint-solving algorithms including SAT and constraint solvers. It is capable of modeling resolution, known-data, and inference attacks for common leakage patterns. To demonstrate the practicality of our framework, we implement a PolySys attack engine in Python and apply it to state-of-the-art query recovery, data resolution, and query inference attacks on point and range multi-maps. Our results show that PolySys outperforms all existing attacks under identical assumptions, achieving up to 60× higher recovery rates in some scenarios. While scalability remains a challenge for larger datasets, PolySys represents a promising step toward a general-purpose framework for designing leakage attacks. We believe future work can further enhance its efficiency to scale to larger and more complex workloads.

The CRO Trilemma formalizes the inherent incompatibility between confidentiality, reliability, and legal opposability in proof systems. This paper provides the complete Universal Composability (UC) security proof for the ZK-NR protocol, a layered architecture designed to approach this bound. We model each dialectical layer (Iron, Gold, Clay) as an ideal functionality with erasure semantics and prove indistinguishability between real and ideal executions under post-quantum assumptions. The results establish the composable security of ZK-NR and formally achieve a CRO index Γ_CRO < 0.4 + negl(λ) against adaptive contextual adversaries.

Many data types, such as video and audio, consist of sequential elements where both integrity and order are essential for authenticity. In practice, verifiers often access only partial sequences due to privacy or volume constraints, as in surveillance, journalism, and public records. Vector commitment (VC) schemes that support verifiable partial disclosures address this need, but constructing and maintaining such VCs is challenging for resource-constrained devices such as cameras. For example, in CCTV systems, a trusted module updating the VC for millions of frames must store and process hundreds of megabytes, which is often infeasible.

We propose a proving system that enables trustless reconstruction of VCs from only the chained hash of the sequence. The data source computes and signs a cumulative hash. An untrusted prover then constructs the VC from the raw data and proves that the data used for construction is consistent with the signed hash chain. The constructed VC subsequently enables authentication of partial disclosures. The main challenge is that proving the full VC construction in zero-knowledge is computationally expensive. To address this, we design a folding-based zkSNARK tailored to this task.

We analyze the construction in a realistic setting with a constrained source device (Raspberry Pi Zero) and a consumer-grade prover (midrange laptop). Our results show that even for relatively short sequences (e.g., 30 minutes of video footage), handling the VC within the source device's trusted module is infeasible due to both storage and computational limitations. In contrast, the proposed trustless offloading imposes only a few minutes of local computation on the prover to generate a proof for full VC construction (around 2 minutes for the 30 minutes of footage). Our implementation is available as open source at: https://github.com/zero-savvy/proven-view.

While consistency and liveness are the defining properties of ledger consensus, fair ordering has emerged as an independent consideration whose importance is underscored by the observation of real world transaction inclusion strategies that manipulate fairness such as Miner Extractable Value. Receiver-order fairness is a fine-grain notion of fairness that determines the order of any two submitted transactions based on the two sequences of reception timestamps for the two transactions across all nodes in the network. Given this information, ledger serialization can be viewed as the social choice problem of producing the most agreeable transaction order based on the "preferences" of the miners or validators. In this work, our contribution is three-fold: (i) We put forward a formal Universally Composable definition for order fairness that encompasses receiver order fairness as well as input causality. (ii) We design a novel ledger protocol that preserves input causality and receiver order fairness. (iii) We capture in our composable definition and construction the role that transaction fees play when dealing with fairness.

Our protocol is based on a novel YOSO-style approach that allows encrypting transactions for a short period of time. Notably, the communication complexity required to decrypt the transactions is independent of the number of encrypted transactions. To the best our our knowledge, we are the first to provide a YOSO-style approach with such asymptotic complexity while relying on standard cryptographic assumptions.

We study a secondary construction of Boolean functions, which generalizes the direct sum and the indirect sum. We detail how these two classic secondary constructions are particular cases of this more general one, as well as two known generalizations of the indirect sum. This unifies the known secondary constructions of Boolean functions. We study very precisely the Walsh transform of the constructed functions. This leads us to an interesting observation on the Walsh transforms $W_g,W_{g'},W_{g''}$, and $W_{g\oplus g'\oplus g''}$ when $g,g',g''$ are Boolean functions such that $(g\oplus g')(g\oplus g'')$ equals the zero function.

Recent work showed that ML-based attacks on Learning with Errors (LWE), a hard problem used in post-quantum cryptography, outperform classical algebraic attacks in certain settings. Although promising, ML attacks struggle to scale to more complex LWE settings. Prior work connected this issue to the difficulty of training ML models to do modular arithmetic, a core feature of the LWE problem. To address this, we develop techniques that significantly boost the performance of ML models on modular arithmetic tasks—enabling the models to sum up to $N=128$ elements modulo $q \le 974269$. Our core innovation is the use of custom training data distributions and a carefully designed loss function that better represents the problem structure. We apply an initial proof of concept of our techniques to LWE specifically and find that they allow recovery of 2x harder secrets than prior work. Our techniques also help ML models learn other well-studied problems better, including copy, associative recall, and parity, motivating further study.