International Association
for Cryptologic Research

The advancement of quantum computing threatens traditional public-key cryptographic algorithms such as RSA and ECC, both vulnerable to Shor’s algorithm. As most Transport Layer Security (TLS) deployments still rely on these quantum-vulnerable algorithms for key exchange and digital signatures, the transition to Post-Quantum Cryptography (PQC), standardized by NIST, has become increasingly urgent. Given the critical role of TLS in securing Internet communications, identifying and replacing these algorithms in operational deployments is a key priority for ensuring long-term security.

We present an automated method for analyzing TLS network packets to detect the use of quantum-vulnerable algorithms. Our approach combines hierarchical packet filtering, protocol-aware parsing, and a hybrid certificate extraction technique that enables analysis of encrypted TLS~1.3 certificates without full decryption. The framework achieved over 96\% detection accuracy, and our certificate parsing strategy improves overall throughput. Applying it to domestic and international TLS deployments revealed that domestic systems lag behind in quantum-readiness, underscoring the need for greater adoption of TLS~1.3, hybrid key exchanges (RSA/ECC with PQC), and short-lived certificates. Beyond TLS, the underlying methodology can be extended to other secure communication protocols, offering a versatile foundation for post-quantum migration strategies. These results highlight the practicality of our method for large-scale, real-time TLS assessments and its potential to guide PQC adoption.

An aggregate signature scheme allows a user to take $N$ signatures from $N$ users and aggregate them into a single short signature. One approach to aggregate signatures uses general-purpose tools like indistinguishability obfuscation or batch arguments for NP. These techniques are general, but lead to schemes with very high concrete overhead. On the practical end, the seminal work of Boneh, Gentry, Lynn, and Shacham (EUROCRYPT 2003) gives a simple and practical scheme, but in the random oracle model. In the plain model, current practical constructions either rely on interactive aggregation or impose restrictions on how signatures can be aggregated (e.g., same-message aggregation, same-signer aggregation or only support sequential or synchronized aggregation).

In this work, we focus on simple aggregate signatures in the plain model. We construct a pairing-based aggregate signature scheme that supports aggregating an a priori bounded number of signatures $N$. The size of the aggregate signature is just two group elements. Security relies on the (bilateral) computational Diffie-Hellman (CDH) problem in a pairing group. To our knowledge, this is the first group-based aggregate signature in the plain model where (1) there is no restriction on what type of signatures can be aggregated; (2) the aggregated signature contains a constant number of group elements; and (3) security is based on static falsifiable assumptions in the plain model. The limitation of our scheme is that our scheme relies on a set of public parameters (whose size scales with $N$) and individual signatures (before aggregation) also have size that scale with $N$. Essentially, individual signatures contain some additional hints to enable aggregation.

Our starting point is a new notion of slotted aggregate signatures. Here, each signature is associated with a "slot" and we only support aggregating signatures associated with distinct slots. We then show how to generically lift a slotted aggregate signature scheme into a standard aggregate signature scheme at the cost of increasing the size of the original signatures.

Threshold cryptography is a standard technique for distributing trust by splitting cryptographic keys into multiple shares held by different parties. The classic model of threshold cryptography assumes either that a trusted dealer distributes the shares to the different parties (and in doing so, also knows the overall secret) or that the users participate in an interactive distributed key-generation protocol to derive their individual shares. In recent years, several works have proposed a new model where users can independently choose a public key, and there is a public and deterministic function that derives the joint public key associated with a group of users from their individual keys. Schemes with this silent (i.e., non-interactive) setup procedure allow us to take advantage of the utility of threshold cryptography without needing to rely on a trusted dealer or an expensive interactive setup phase.

Existing works have primarily focused on threshold policies. This includes notions like threshold signatures (resp., encryption) with silent setup (where only quorums with at least $T$ users can sign (resp., decrypt) a message) and distributed broadcast encryption (a special case of threshold encryption where the threshold is 1). Currently, constructions that support general threshold policies either rely on strong tools such as indistinguishability obfuscation and witness encryption, or analyze security in idealized models like the generic bilinear group model. The use of idealized models is due to the reliance on techniques for constructing succinct non-interactive arguments of knowledge (SNARKs).

In this work, we introduce a new pairing-based approach for constructing threshold signatures and encryption schemes with silent setup. On the one hand, our techniques directly allow us to support expressive policies like monotone Boolean formulas in addition to thresholds. On the other hand, we only rely on basic algebraic tools (i.e., a simple cross-term cancellation strategy), which yields constructions with shorter signatures and ciphertexts compared to previous pairing-based constructions. As an added bonus, we can also prove (static) security under $q$-type assumptions in the plain model. Concretely, the signature size in our distributed threshold signature scheme is 3 group elements and the ciphertext size in our distributed threshold encryption scheme is 4 group elements (together with a short tag).

Incrementally verifiable computation (IVC) [Valiant, TCC'08] allows one to iteratively prove that a configuration $x_0$ reaches another configuration $x_T$ after repeated applications of a (possibly non-deterministic) transition function $\mathcal{M}$. The key requirement is that the size of the proof and the time to update the proof is sublinear in the number of steps $T$. IVC has numerous applications, notably including proving correctness of virtual machine executions in blockchains.

Currently, IVC for $\mathsf{NP}$ is only known to exist in non-standard idealized models, or based on knowledge assumptions. No constructions are known from standard assumptions, or even in the random oracle model. Furthermore, as observed in prior works, since IVC for $\mathsf{NP}$ implies adaptive succinct non-interactive arguments for $\mathsf{NP}$, the work of Gentry-Wichs [STOC'11] seemingly poses barriers to constructing IVC for $\mathsf{NP}$ from falsifiable assumptions.

In this work, we observe that the Gentry-Wichs barrier can be overcome for IVC for NP. We show the following two results:

- Assuming subexponential $i\mathcal{O}$ and LWE (or bilinear maps), we construct IVC for all $\mathsf{NP}$ with proof size $\mathsf{poly}(|x_i|,\log T)$. - Assuming subexponential $i\mathcal{O}$ and injective PRGs, we construct IVC for trapdoor IVC languages where the proof-size is $\mathsf{poly}(\log T)$. Informally, an IVC language has a trapdoor if there exists a (not necessarily easy to find) polynomial-sized circuit that determines if a configuration $x_i$ is reachable from $x_0$ in $i$ steps.

A trivial ciphertext is decrypted per all its bits to a corresponding, singular plaintext. A non-trivial ciphertext (NTC) is comprising decryption-proper bits as well as decryption unfitting bits (decoys) with a decryption discrimination key needed to identify each category. A non-trivial ciphertext may also decrypt to different plaintext options, determined by choice of decryption keys. NTC offer important advantages: giving ad-hoc power to buy extra security paid for with an inflated ciphertext, prospectively changing the strategic balance between cryptography and cryptanalysis. NTC involve plaintext alphabet that includes a 'plaintext empty letter' (PEL). Using a particular decryption key, certain ciphertext bits may decrypt to the PEL, and hence have no impact on the decrypted plaintext message constructed from the other bits. Using a different key, different ciphertext bits will decrypt to the PEL while a different collection of the remaining bits will decrypt to a different plaintext message. Thereby one achieves contents discrimination and decryption variety. The number of decoy bits is open-ended and is unilaterally controlled by the transmitter who thus determines the level of projected security -- asymptotically up to Vernam's perfection.

Advanced research area related to quantum/digital security such as quantum security, post-quantum cryptography/system and security practice in general.

• Start of employment: February 1st, 2026 or any early possible date afterwards.
• Deadline for application: September 12th, 2025

• Employment status:
  • A full-time associate professor (tenured) or
  • A full-time assistant professor (non-tenured, 5-year term)*
  * the employment period may be renewed depending on performance
.

Closing date for applications:

Contact: Masahiro Mambo

More information: https://www.se.kanazawa-u.ac.jp/wp-content/uploads/2025/07/2025091202_ec_en.pdf

Eindhoven University of Technology (TU/e) is among the top research universities in the Netherlands, specialized in engineering science and technology.

We are currently looking for an outstanding candidate for a 4-year PhD researcher position in the area of symmetric-key cryptography. The successful candidate will work under the supervision of Dr. Lorenzo Grassi, towards a PhD degree from the Eindhoven University of Technology.

The research topics will focus on
- design dedicated symmetric-key primitives operating over prime fields and/or integer rings, that can provide efficient solutions for rising applications of practical importance such as Format Preserving Encryption, Multi-Party Computation, Homomorphic Encryption, and Zero-Knowledge;
- analyze the security of those symmetric-key primitives, with the goals to improve the current cryptanalytic results, and to develop new innovative security arguments.
(The implementation of those schemes will *not* be part of the PhD.)

We are looking for a candidate who has recently completed, or is about to complete, a master's degree in cryptography, mathematics, computer sciences, or a closely related field. The master's degree must have been awarded, with good results, before starting the PhD. The candidate must be highly motivated and be able to demonstrate their potential for conducting original research in cryptography.

The vacancy is open until a suitable candidate has been found. Applications will be screened continuously, and we will conclude the recruitment as soon as we find the right candidate. The starting date is negotiable (not before March 2026).

Interested and qualified candidates should apply at https://www.tue.nl/en/working-at-tue/vacancy-overview/phd-on-symmetric-cryptography-over-prime-fields-and-integer-rings?_gl=1*sdu9b*_up*MQ..*_ga*MTI2MTQxMjkxNy4xNzU2NDQ5ODI3*_ga_JN37M497TT*czE3NTY0NDk4MjYkbzEkZzAkdDE3NTY0NDk4MjYkajYwJGwwJGgw

Closing date for applications:

Contact: For specific inquiries relating to the position, please email Dr. Lorenzo Grassi - email: l.grassi@tue.nl
(Important: Do *not* send your application via email!)

More information: https://www.tue.nl/en/working-at-tue/vacancy-overview/phd-on-symmetric-cryptography-over-prime-fields-and-integer-rings?_gl=1*sdu9b*_up*MQ..*_ga*MTI2MTQxMjkxNy4xNzU2NDQ5ODI3*_ga_JN37M497TT*czE3NTY0NDk4MjYkbzEkZzAkdDE3NTY0NDk4MjYkajYwJGwwJGgw

The Division of Mathematical Sciences in the School of Physical and Mathematical Sciences at NTU invites applications for an Asst/Assoc Prof (Tenure Track/Tenured) position specializing in Post-Quantum Cryptography (PQC).

Closing date for applications:

Contact: Prof Wang Huaxiong: hxwang@ntu.edu.sg

More information: https://ntu.wd3.myworkdayjobs.com/Careers/job/NTU-Main-Campus-Singapore/Assistant-Professor-Associate-Professor--Tenure-Track-Tenured--in-Post-Quantum-Cryptography--PQC-_R00018013

Who are we?

IOG, is a technology company focused on Blockchain research and development. We are renowned for our scientific approach to blockchain development, emphasizing peer-reviewed research and formal methods to ensure security, scalability, and sustainability. Our projects include decentralized finance (DeFi), governance, and identity management, aiming to advance the capabilities and adoption of blockchain technology globally.

About Partner Chains: IOG’s Partner chains Tribe is an innovation project built using Substrate. It aims to simplify blockchain deployment, operation and interoperability by combining modular technology with proven security, liquidity, and reliability. Partner Chains empowers developers and validators to create optimized blockchains without network or technology stack lock-in, fostering a new era of interoperable and scalable solutions.

As a Cryptographic Engineer you will contribute to the design, implementation, and integration of secure cryptographic protocols across Partner Chain initiatives. This role bridges applied research and engineering, focusing on translating cutting-edge cryptographic designs into robust, production-grade systems. The cryptography engineer will collaborate closely with researchers, protocol designers, software architects, product managers, and QA teams to ensure cryptographic correctness, performance, and system alignment. A strong emphasis is placed on high assurance coding, cryptographic soundness, and practical deployment readiness.

Who you are:

Degree in Computer Science, Cryptography, Mathematics, or a closely related field

Practical experience in applied cryptographic engineering through industry work, academic research, or open-source contributions

Strong proficiency in Rust for systems-level cryptographic development; familiarity with C is a plus

Experience designing or implementing protocols involving digital signatures, multi-signatures, commitments, or zero-knowledge proofs

Familiarity with blockchain cryptography, consensus mechanisms, or secure distributed systems

Closing date for applications:

Contact: Marios Nicolaides

More information: https://apply.workable.com/io-global/j/831252A3E6/

Eamonn Postlethwaite and Martin Albrecht are looking to hire an intern for four months to work on the Lattice Estimator. The internship will be based at King’s College London and is funded by a gift from Zama. We are ideally looking for someone in a PhD programme also working on lattice cryptanalysis who is happy to interrupt their studies for a few months to help us improve the estimator. We’re offering a salary of roughly £4,400 per month before tax.

This would involve reviewing and closing tickets, reviewing the literature for what is currently missing from the estimator to add it and reviewing the code already there for correctness.

If you’re interested, please get in touch to discuss this position. We are somewhat flexible on timing.

Closing date for applications:

Contact: Eamonn Postlethwaite <eamonn.postlethwaite@kcl.ac.uk> and Martin R. Albrecht <martin.albrecht@kcl.ac.uk>

More information: https://martinralbrecht.wordpress.com/2025/08/27/internship-position-on-the-lattice-estimator/

We’re looking for a passionate software engineer to join the NVIDIA Cryptography team on groundbreaking solutions. You will develop and integrate cryptographic algorithms and low-level mathematical primitives within the cuPQC SDK, focusing on Post-Quantum Cryptography (PQC) and Privacy-Enhancing Technologies (PETs).

What you will be doing:

• Develop and optimize scalable high-performance cryptographic primitives, algorithms, and building blocks on the latest GPU hardware architectures.
• Emphasize robust long-term software architectures and designs that effectively utilize many generations of hardware.
• Work closely with internal teams (product management, engineering) and external partners to understand feature and performance requirements and deliver timely cuPQC releases.

What we need to see:

• PhD or MSc degree in Applied Mathematics, Computer Science, or a related science or engineering field is preferred (or equivalent experience).
• 5+ years of experience designing and developing software for cryptography in low-latency or high-throughput environments.
• Strong mathematical foundations.
• Advanced C++ skills, including modern design paradigms (e.g., template meta-programming, SFINAE, RAII, constexpr, etc.).
• Strong collaboration, communication, and documentation habits.

Ways to stand out from the crowd:

• Experience developing libraries consumed by many users.
• Experience with CUDA C++ and GPU computing.
• Programming skills with contemporary automation setups for both building software (e.g., CMake) and testing (e.g., CI/CD, sanitizers).
• Strong understanding of mathematical foundations and algorithms used in cryptography, including but not limited to finite field arithmetic, lattice-based cryptography, and cryptographic hash functions.

Interested candidates, please apply following the link: https://nvidia.wd5.myworkdayjobs.com/en-US/NVIDIAExternalCareerSite/job/Senior-Math-Libraries-Engineer--Post-Quantum-Cryptography_JR2002083

Closing date for applications:

Contact: Lukasz Ligowski

More information: https://nvidia.wd5.myworkdayjobs.com/en-US/NVIDIAExternalCareerSite/job/Senior-Math-Libraries-Engineer--Post-Quantum-Cryptography_JR2002083

We are recruiting a postdoc to work with us on “practical advanced post-quantum cryptography from lattices”.

Here “advanced” does not mean Functional Encryption or Indistinguishability Obfuscation, but OPRFs, Blind Signatures, Updatable Public-Key Encryption, even NIKE (sadly!).

We are quite flexible on what background applicants bring to the table

• Do you like breaking newfangled (and not so newfangled) lattice assumptions?
• Do you like to build constructions from those assumptions?
• Do you like to reduce lattice problems to each other?
• Do you think we can apply tricks from iO or FE to less fancy protocols?

All of that is in scope. If in doubt, drop us an e-mail and we can discuss.

Closing date for applications:

Contact: Martin Albrecht <martin.albrecht@kcl.ac.uk>

More information: https://martinralbrecht.wordpress.com/2025/08/24/postdoc-position-in-lattice-based-cryptography-2/

Salary 47,389GBP - 56,535GBP

The School of Computer Science and Electronic Engineeringis seeking to recruit a full-time lecturer in Cyber Security to expand our team of dynamic and highly skilled security faculty and researchers. This post is part of a strategic investment of six academic posts across the School in the areas of Cyber Security, AI, Robotics, and Satellite Communications.

The Surrey Centre for Cyber Security (SCCS), within the School, has an international reputation in cyber security and resilience research excellence in applied and post-quantum cryptography, security verification and analysis, security and privacy, distributed systems, and networked systems. SCCS is recognised by the National Cyber Security Centre as an Academic Centre of Excellence for Cyber Security Research (ACE-CSR) and as an Academic Centre of Excellence for Cyber Security Education (ACE-CSE). Its research was also a core contributor to Surrey’s 7th position in the UK for REF2021 outputs within Computer Science. Surrey was recognised as Cyber University of the Year 2023 at the National Cyber Awards and is again shortlisted for 2025.

This post sits within the Surrey Centre for Cyber Security and this role encourages applications in the areas of systems security, web security, cyber-physical systems, cyber resilience, ethical hacking, and machine learning for security. We welcome research with applications across diverse domains, particularly communications, space, banking, and autonomous systems. Candidates with practical security experience and skills will complement our existing strengths in cryptography and formal verification.

Closing date for applications:

Contact: Professor Steve Schneider s.schneider@surrey.ac.uk

More information: https://jobs.surrey.ac.uk/Vacancy.aspx?id=14998

We introduce the rotational-add diffusion layers aimed for applications in the design of arithmetization-oriented (AO) symmetric ciphers, such as fully homomorphic encryption (FHE)-friendly symmetric ciphers. This generalizes the rotational-XOR diffusion layers which have been utilized in the design of many important conventional symmetric ciphers like SHA-256, SM4, ZUC and Ascon. A rotational-add diffusion layer is defined over the finite field $\mathbb{F}_{p}$ for arbitrary prime $p$, enabling implementations using only rotations and modular additions/subtractions. The advantage of using such diffusion layers in AO ciphers is that, the costs of scalar multiplications can be reduced since the appearing scalars include only $\pm 1$, thus the total costs depend on sizes of the rotation offsets. In this paper, we investigate characterizations and constructions of lightest rotational-add diffusion layers over $(\mathbb{F}_{p}^{m})^{n}$ that are maximum distance separable (MDS) with a focus on the case $n=4$. It turns out that the minimum achievable size of the rotation offsets is 5 subject to the MDS property constraint. We specify a large class of rotational-add diffusion layers with 5 rotations and traverse all possible patterns of appearance of the scalars $\pm1$. In four cases we can derive computationally tractable necessary and sufficient conditions for the rotational-add diffusion layers to attain the MDS property. These conditions enable explicit characterization of suitable primes $p$ for given parameters. Leveraging these results, we construct three distinct families of rotational-add MDS diffusion layers applicable to AO ciphers. Although a rotational-add diffusion layer with 7 rotations and only additions has already been used in the design of the FHE-friendly block cipher YuX recently, to our knowledge, our work presents the first systematic theoretical characterization of rotational-add MDS diffusion layers and provides explicit constructions of them.

The Iterated Even-Mansour (IEM) construction was introduced by Bogdanov et al. at EUROCRYPT 2012 and can be seen as an abstraction or idealization of blockciphers like AES. IEM provides insights into the soundness of this blockcipher structure and the best possible security for any number of rounds. IEM with $r$ permutations on $n$-bit blocks is secure up to $q \approx 2^{rn/(r+1)}$ queries to the cipher and each permutation.

Forkciphers, introduced at ASIACRYPT 2019 as expanding symmetric ciphers, have since found applications in encryption, authenticated encryption and key derivation. Kim et al. (ToSC 2020) proposed the first IEM-style forkcipher, FTEM, but their security proof is limited to a 2-round design with tweak processing based on XORing AXU hashes. This offers limited insight into practical forkciphers like ForkSkinny, which use 40 to 56 rounds and a different tweak schedule. No security results currently exist for forked IEM constructions with more than two rounds. We propose a generalized forked IEM construction called GIEM which integrates any tweakey schedule (including tweak-dependent round keys or constant keys) and thus encompasses IEM, FTEM and similar IEM-related constructions.

We define three forkcipher-related instantiations, FEM (2 branches and no tweaks), FTEMid (2 branches and idealized tweakey schedule) and MFTEM (unlimited branches and AXU-based tweakey schedule). We prove that each construction achieves security similar to the respective non-forked construction. This shows the soundness of the forking design strategy and can serve as a basis for new constructions with more than two branches.

In their work, Bogdanov et al. also propose an attack against IEM using $q \approx 2^{rn/(r+1)}$ queries, which is used in a number of follow-up works to argue the tightness of IEM-related security bounds. In this work, we demonstrate that the attack is ineffective with the specified query complexity. To salvage the purported tightness results, we turn to an attack by Gazi (CRYPTO 2013) against cascading block ciphers and provide the necessary parameters to apply it to IEM. This validates the tightness of the known IEM security bound.

We introduce an efficient SAT-based space partitioning technique that enables systematic exploration of large search spaces in cryptanalysis. The approach divides complex search spaces into manageable subsets through combinatorial necklace generation, allowing precise tracking of explored regions while maintaining search completeness.

We demonstrate the technique's effectiveness through extensive cryptanalysis of Ascon-Hash256. For differential-based collision attacks, we conduct an exhaustive search of 2-round collision trails, proving that no collision trail with weight less than 156 exists. Through detailed complexity analysis and parameter optimization, we present an improved 2-round collision attack with complexity $2^{61.79}$. We also discover new Semi-Free-Start (SFS) collision trails that enable practical attacks on both 3-round and 4-round Ascon-Hash256, especially improving the best known 4-round SFS trail from weight 295 to 250.

Furthermore, applying the technique to Meet-in-the-Middle structure search yields improved attacks on 3-round Ascon-Hash256. We reduce the collision attack complexity from $2^{116.74}$ to $2^{114.13}$ with memory complexity $2^{112}$ (improved from $2^{116}$), and the preimage attack complexity from $2^{162.80}$ to $2^{160.75}$ with memory complexity $2^{160}$ (improved from $2^{162}$).

Isogeny-based cryptosystems continue to show promise in post-quantum cryptography. In recent years, numerous constructions have been proposed, one of which is POKÉ, a compact and efficient public-key exchange system that uses higher-dimensional isogenies. This paper leverages a well-known adaptive attack on SIDH by Galbrath, Petit, Shani and Ti, and demonstrates a similar attack on POKÉ, when given a key exchange oracle with the same assumptions as those posed by Galbraith et al. This attack relies on the user to employ long-term static keys which is against the intent of the designers of POKÉ. Indeed, this attack provides further evidence that POKÉ should not be used with a long-term static key.

In video-centric applications, video objects and backgrounds often contain sensitive information, which raises serious privacy concerns. It is necessary to restrict access to certain objects or backgrounds in the video stream while allowing permitted users to view a specific subset of video content. However, masking the prohibited objects for each user, then encoding and delivering each individually processed video to the target user will generate multiple copies of the same video. This can lead to significant storage, processing, and communication overhead when the number of users is large. In this work, inspired by the idea of functional encryption, we propose a fine-grained and real-time video encryption and sharing scheme, named FVES$^+$. In FVES$^+$, we encode and encrypt the videos only once, and different users can decode and decrypt the encrypted videos to acquire different contents depending on their access authorities. Theoretically, FVES$^+$ achieve IND-CPA security.

We implement and evaluate FVES$^+$ using PC and mobile devices as end-devices. FVES$^+$ achieves real-time performance, averaging $35.1$ FPS across three public datasets, including the stages of object detection, encoding, and encryption. When there are $n$ different access requirements by end-users, FVES$^+$ improves video sharing speed by $\Theta(n)\times$ compared to the baseline methods. Our experiments validate the effectiveness and efficiency of FVES$^+$.

Standard symmetric encryption schemes, such as AES and block ciphers and their modes in general, are highly effective for many standard scenarios. But what if the situation is somewhat different from the standard: e.g., the encrypting process may fail to update the ciphertext at some limited number of times, can the decryption recover the message in full, nevertheless? Or, another situation is when encrypting a bulk of messages that should be packed together within the same ciphertext space (i.e., encryption done holographically)? Can a process compress the messages this way? Another issue may be that we want to hide the ciphertext and camouflage it as some other cryptographic exchange (like exchanging an encrypted set to perform a protocol like “private set intersection”), or when we want to hide the number of messages packed together? Can a paradigm be developed that allows these non-standard properties that, under specific working conditions, may become necessary? Can it be based directly on a simple symmetric key cryptographic tool (and preferably be post-quantum)? This paper introduces Encryption via Hash (EvH), a symmetric randomized cipher built upon keyed cryptographic hash (i.e., MAC) functions and Bloom Filters. EvH’s core novelty lies in its prefix decryption capability. This unique property enables a paradigm in which encryption is tightly integrated with online compression and robust resilience to omission errors. By representing message prefixes in a Bloom filter, EvH allows a receiver to decrypt the initial part of a message even if subsequent data is lost and recover from an omission of a prefix decryption in the middle of the encipherment process, a significant advantage over conventional block cipher modes. Furthermore, this prefix-based approach facilitates simultaneous compression during the decryption phase by dynamically pruning invalid message continuations, using shared k-gram dictionaries or Large Language Models (LLMs). The result is a stateless and parallelizable cipher that, while computationally distinct from traditional ciphers, offers unique functional benefits for such specific use cases, and the price is that its correctness is ensured probabilistically (but the error can be well controlled and made small).

We present the first systematic study on communication-efficient evaluation of the lightweight cipher family Ascon within secure multi-party computation (MPC). By leveraging Ascon’s parallel, bit-oriented structure, we adapt its design using Reverse Multiplication-Friendly Embeddings (RMFEs, introduced by Cascudo et al.\ in CRYPTO'18) in a single-circuit evaluation, enabling efficient packing of groups of bits into field elements.

Our protocol, which uses relatively small RMFEs, achieves substantial reductions in communication cost compared to baseline MPC protocols. For example, in a medium-sized setting (with $n = 13$ MPC parties), our protocol reduces the communication cost for an Ascon permutation by roughly $38\%$. For large amounts of parties (e.g., $n=255$), the reduction can reach $50\%$. These improvements are achieved even though RMFEs only pack a few bits per field element, due to favorable amortization of both substitution and linear layers. We also provide a Boolean circuit implementation of Ascon in the MP-SPDZ framework, enabling straightforward benchmarking.

Our findings are particularly beneficial for bandwidth-constrained environments where the use of lightweight ciphers, such as Ascon, is necessary due to the resource limitations of client devices, as in the case of transciphering data from IoT sensors. Since our optimizations target the Ascon permutation, they naturally extend to all cryptographic modes (encryption, decryption, hashing) defined for the standard.