International Association
for Cryptologic Research

Bootstrapping remains the primary bottleneck in most FHE schemes, significantly impacting their efficiency. To enhance both the speed and precision of bootstrapping, sparse secrets have been widely adopted, particularly in SIMD-style FHE schemes such as BGV, BFV, and CKKS. However, the security of sparse LWE secrets is not well understood, leading to their exclusion from standardization efforts. To address this gap between the potential security risks of sparse secrets and the inefficiency of dense-secret bootstrapping, we introduce the subring secret encapsulation method. This approach involves switching to a dense secret in a subring before bootstrapping, thereby improving bootstrapping performance while still basing security on dense secret LWE. The EvalMod and digit removal steps are accelerated due to the smaller Hamming weight of the subring secret. Furthermore, the algebraic structure of the subring secret enables faster CoeffsToSlots and SlotsToCoeffs operations through hoisted key switchings. When applied to the CKKS scheme, our method achieves a bootstrapping throughput increase of 46%–51% compared to state-of-the-art dense secret bootstrapping techniques. For BGV/BFV schemes, our approach demonstrates a 2.48x improvement in throughput when bootstrapping $2^{15}$ slots modulo $65537$.

Maximum distance separable (MDS) matrices are the main building blocks that provide the maximum possible diffusion in several block ciphers and cryptographic hash functions. In addition to using MDS matrices directly, there are also some indirect but simple and efficient methods that provide the maximum possible diffusion property. In particular, the subfield construction introduced by Barreto et al. in [DCC 56 (2-3) 141-162 (2010)] and its generalization examined by Otal in [IJISS 11 (2) 1-11 (2022)] make use of MDS matrices over smaller finite fields to provide the maximum possible diffusion property over larger finite fields.

ZK-friendly hash functions, in contrast to the classical cryptographic hash functions, use higher-dimensional MDS matrices over larger finite fields.

In this paper, we examine the applicability of the generalized subfield construction and the possibility of improvements on ZK-friendly hash functions. As a case study, we focus on a recent ZK-friendly hash function Vision Mark-32 presented by Ashur et al. in [IACR Preprint 2024/633]. In particular, instead of using a $24\times 24$ MDS matrix over $\mathbb{F}_{2^{32}}$ for a $24\times 1$ column input over $\{0,1\}^{{32}}$, we suggest separating the $24\times 1$ column input over $\{0,1\}^{{32}}$ into four $24\times 1$ subcolumns over $\{0,1\}^{{8}}$ and then using a $24\times 24$ MDS matrix over $\mathbb{F}_{2^8}$ for each subcolumn. This method still keeps the maximum diffusion property without any compromise and provides simplicity and efficiency. For example, it is possible to significantly decrease the required LUT values to 265 from about 9200 and FF values to 102 from about 4600 for the hardware implementation. We also highlight that we do not need any additional tricks such as NTT for field multiplications.

We also push the theoretical boundaries of the generalized subfield construction to see how much small finite fields we can use, examine the arithmetization complexity, and discuss its applicability to other ZK-friendly hash functions.

We are looking for a motivated PhD student to join the Cryptography Group in the Cybersecurity Engineering Section at the Department of Applied Mathematics and Computer Science (DTU Compute), located in the Copenhagen region, Denmark.

This fully funded 3-year PhD position, starting on 1 January 2026, will focus on advancing research in Multi-Party Computation and Zero-Knowledge Proofs. The PhD will be carried out under the supervision of Associate Professor Luisa Siniscalchi and the co-supervision of Associate Professor Carsten Baum. Additionally, the student will have the opportunity to spend some months at Chalmers University of Technology, working with Assistant Professor Elena Pagnin.

If you are curious, enthusiastic, and eager to learn, we would love to hear from you, and you can apply at https://lnkd.in/dC3ch5m5, including the following:

• A letter motivating the application (cover letter)
• Curriculum vitae
• Grade transcripts and BSc/MSc diploma (in English), including official description of grading scale

Closing date for applications:

Contact: For more information, do not hesitate to contact Luisa Siniscalchi (luisi[at]dtu.dk)

More information: https://lnkd.in/dC3ch5m5

Event date: 17 November to 20 November 2025
Submission deadline: 10 September 2025

We are recruiting for several open positions within the School of Computer Science, including in the area of Cybersecurity, and specifically in (applied) cryptography, implementation security, hardware security, and embedded security. Birmingham's School of Computer Science is ranked 3rd in the UK for research output (according to the national REF exercise).

The role offers opportunities to contribute to teaching as well as pursue their own research agenda. This is a permanent position. For more information, please contact Prof. Elisabeth Oswald. The advert closes at the end of September.

Link to apply: https://www.jobs.ac.uk/job/DOI907/assistant-or-associate-professor-in-computer-science-research-and-education

Closing date for applications:

Contact: Elisabeth Oswald m.e.oswald AT bham.ac.uk

More information: https://www.jobs.ac.uk/job/DOI907/assistant-or-associate-professor-in-computer-science-research-and-education

We are looking for a candidate with proven scientific expertise in research areas related to Cybersecurity and Artificial Intelligence. Areas covering the intersection of Cybersecurity and Artificial Intelligence are of particular interest.

Examples of such intersections include:

• All research areas related to the Security, Privacy, and Safety of systems that include or that are based on Machine Learning, Federated Learning, or Generative AI
• All research areas where Machine Learning or Artificial Intelligence is applied to achieve Security, Privacy, or Safety

The successful candidate will cover one of these fields or any other field in Cybersecurity and Artificial Intelligence that complements the existing strengths in the department. The professorship will be part of the Institute of Information Security (ISEC), which is an internationally highly visible research environment with more than 60 researchers in information security. It has been active in this field for almost 40 years and performs research in the following four areas: Cryptology & Privacy, Formal Methods, System Security, and Secure Applications. It is planned to continue expanding the research in Information Security at Graz University of Technology. For this purpose, a new building, the Cybersecurity Campus Graz, will open in 2026.

The new professor will complement the existing strengths in the department and will build an internationally visible group. For this purpose, the position includes a competitive starting package. The sucessful candidate will be an engaged teacher in the Computer Science programs at the Bachelor’s, Master’s, and PhD level, and will actively participate in academic self-administration. At Graz University of Technology, undergraduate and graduate courses in Computer Science are taught in English.

Please send your application via this link:

https://jobs.tugraz.at/en/jobs/6fa9b0bd-0997-c19d-73dc-683fe309b114/apply

Closing date for applications:

Contact: For further questions, please contact Stefan Mangard (stefan.mangard@tugraz.at) or see the full job description here:

https://jobs.tugraz.at/en/jobs/6fa9b0bd-0997-c19d-73dc-683fe309b114

More information: https://jobs.tugraz.at/en/jobs/6fa9b0bd-0997-c19d-73dc-683fe309b114

The Department of Mathematics & Statistics at Florida Atlantic University invites applications for a tenure-track position at the assistant professor level in cryptology, starting in August 2026.

Strong candidates in all areas of cryptology will be considered. Preference will be given to candidates with several broad areas of interest in the mathematics of cybersecurity including, but not limited to, symmetric and public-key cryptography, post-quantum cryptography, quantum algorithms in cryptography, or a closely related area. Responsibilities for this position will be research, teaching, and professional service. The successful candidate is expected to apply for and secure external research funding, and actively participate in interdisciplinary programs.

The Department of Mathematics & Statistics is a collegial and research-active department demonstrating excellence in teaching, research, and service. We are home to 26 tenure-track or tenured faculty members, 18 faculty members in non-tenure-track positions, and more than 40 graduate teaching/research assistants from diverse backgrounds. Our department has an established national and international reputation for research innovation through our Center for Cryptology and Information Security (CCIS). FAU is also recognized as a National Center of Academic Excellence in Information Assurance/Cyber Defense Research (CAE-R) since 2019. More information about the department can be found at: http://www.math.fau.edu/

Review of applications will begin November 1, 2025, and will continue until the position is filled.

Minimum Qualifications: Candidates must possess an earned doctorate in mathematics or a closely related discipline at the time of application. Postdoctoral experience is preferred. Candidates should have a strong publication record commensurate with their experience, demonstrated potential for establishing programs of extramurally funded and independent research, and a clear promise of excellent instructional capacity. Candidates should be able to foster and create educational opportunities where all student populations thrive.

Closing date for applications:

Contact: Contact: Dr. Stephen C. Locke, Chair of the Search Committee, (lockes@fau.edu).

More information: https://fau.wd1.myworkdayjobs.com/en-US/FAU/details/Assistant-Professor--Cryptology_REQ20879

The Security Research Group at University College Cork (UCC) is looking for two highly motivated PhD students, as part of the "CyberUnite" research project, funded by the Higher Education Authority and hosted at several universities in Ireland and Northern Ireland.

The PhD students will focus on one of the following topics:

• Quantum Safe Lightweight Cryptography, under the supervision of Dr. Paolo Palmieri
• Security & Protection of AI Algorithms, under the supervision of Dr. Krishnendu Guha

Candidates should have a background/strong interest in security, cryptography and/or privacy, as well as a good grasp of mathematics. Previous experience in artificial intelligence or post-quantum cryptography is an asset, but is not required. Applicants should hold a good honours undergraduate or Masters degree in computer science, computer engineering, mathematics, or other relevant subject.
The successful applicant will receive a stipend of €25,000 per year for up to four years (subject to successful annual progress reviews) and an annual contribution towards tuition fees. As part of the project, a travel budget is available to present at international conferences. The hired PhDs will be part of the CyberUnite team, and will also have the opportunity to work with the extensive network of national and international research collaborations of the Security Group.

Deadline: September 15

Recruited students will be expected to start in January 2026.

Closing date for applications:

Contact: Candidates are strongly encouraged to informally contact the supervisor by e-mail before applying: Dr. Paolo Palmieri at p.palmieri@cs.ucc.ie for the post-quantum cryptography project, and Dr. Krishnendu Guha at KGuha@ucc.ie for the AI security project.

More information: https://security.ucc.ie/vacancies.html

Oblivious RAM (ORAM) is a central cryptographic primitive that enables secure memory access while hiding access patterns. Among existing ORAM paradigms, hierarchical ORAMs were long considered impractical despite their asymptotic optimality. However, recent advancements (FutORAMa, CCS'23) demonstrate that hierarchical ORAM-based schemes can be made efficient given sufficient client-side memory. In this work, we present a new hierarchical ORAM construction that achieves practical performance without requiring large local memory.

From a theoretical standpoint, we identify that there is a gap in the literature concerning the asymmetric setting, where the logical word size is asymptotically smaller than the physical memory block size. In this scenario, the best-known construction (OptORAMa, J.\ ACM '23,) turns every logical query into $O(\log N)$ physical memory accesses (quantity known as ``I/O overhead''), whereas the lower bound of Komargodski and Lin (CRYPTO'21) implies that $\Omega(\log N /\log\log N)$ accesses are needed.

We close this gap by constructing an optimal ORAM for the asymmetric setting, achieving an I/O overhead of $O(\log N / \log\log N)$. Our construction features exceptionally small constants (between 1 and 4, depending on the block size) and operates without requiring large local memory. We implement our scheme and compare it to PathORAM (CCS'13) and FutORAMa, demonstrating significant improvement. For 1TB logical memory, our construction obtains $\times 10$-$\times 30$ reduction in I/O overhead and bandwidth compared to PathORAM, and $\times 7$--$\times 26$ improvement over FutORAMa. This improvement applies when those schemes weren't designed to operate on large blocks, as in our settings, and the exact improvement depends on the physical block size and the exact local memory available.

Energy-efficient edge devices are essential for the widespread deployment of machine learning (ML) services. However, their limited computational capabilities make local model training infeasible. While cloud-based training offers a scalable alternative, it raises serious privacy concerns when sensitive data is outsourced. Homomorphic Encryption (HE) enables computation directly on encrypted data and has emerged as a promising solution to this privacy challenge. Yet, current HE-based training frameworks face several shortcomings: they often lack support for complex models and non-linear functions, struggle to train over multiple epochs, and require cryptographic expertise from end users.

We present HE-SecureNet, a novel framework for privacy-preserving model training on encrypted data in a single-client–server setting, using hybrid HE cryptosystems. Unlike prior HE-based solutions, HE-SecureNet supports advanced models such as Convolutional Neural Networks and handles non-linear operations including ReLU, Softmax, and MaxPooling. It introduces a level-aware training strategy that eliminates costly ciphertext level alignment across epochs. Furthermore, HE-SecureNet automatically converts ONNX models into optimized secure C++ training code, enabling seamless integration into privacy-preserving ML pipeline—without requiring cryptographic knowledge.

Experimental results demonstrate the efficiency and practicality of our approach. On the Breast Cancer dataset, HE-SecureNet achieves a 5.2× speedup and 33% higher accuracy compared to ConcreteML (Zama) and TenSEAL (OpenMined). On the MNIST dataset, it reduces CNN training latency by 2× relative to Glyph (Lou et al., NeurIPS’20), and cuts communication overhead by up to 66× on MNIST and 42× on CIFAR-10 compared to MPC-based solutions.

We introduce the Affine Iterated Inversion Problem (AIIP), a new candidate hard problem for post-quantum cryptography, based on inverting iterated polynomial maps over finite fields. Given a polynomial f ∈ Fq[x] of degree d ≥ 2, an iteration parameter n, and a target y ∈ Fq, AIIP requires finding an input x such that f(n)(x) = y, where f(n) denotes the n-fold composi tion of f. We establish the computational hardness of AIIP through two independent analytical frameworks: first, by establishing a formal connection to the Discrete Logarithm Problem in the Jacobian of hyperelliptic curves of exponentially large genus; second, via a polynomial time reduction to solving structured systems of multivariate quadratic (MQ) equations. The f irst construction provides number-theoretic evidence for hardness by embedding an AIIP in stance into the arithmetic of a high-genus curve, while the second reduction proves worst-case hardness relative to the NP-hard MQ problem. For the quadratic case f(x) = x2 + α, we show that the induced MQ system is heuristically indistinguishable from a random system, and we formalize a sufficient condition for its pseudorandomness under a standard cryptographic assumption. We provide a detailed security analysis against classical and quantum attacks, derive concrete parameters for standard security levels, and discuss the potential of AIIP as a foundation for digital signatures and public-key encryption. This dual hardness foundation, rooted in both algebraic geometry and multivariate algebra, positions AIIP as a versatile and promising primitive for post-quantum cryptography.

We introduce a novel public-key cryptosystem based on the symmetric groups $S_{p_1} \times S_{p_2} $, where \( p_1, p_2 \) are large primes. The modulus \( N = f(\lambda_1) \cdot f(\lambda_2) \), with partitions \( \lambda_1 \in P(p_1) \), \( \lambda_2 \in P(p_2) \), and \( f(\lambda_i) = |C_{\lambda_i}| \cdot m_1(\lambda_i) \), leverages conjugacy class sizes to ensure large prime factors, including \( p_1, p_2 \). A partition selection strategy using non-repeated composition numbers guarantees robust security, surpassing RSA by supporting multiple large primes and deterministic key generation. Efficient decryption is achieved via known factorizations, and a lightweight symmetric hash primitive provides message authentication. We provide rigorous security analysis, practical implementation, and comparisons to multi-prime RSA, advancing algebraic cryptography for modern applications.

We present the first IOPP for a linear-time encodable code that achieves linear prover time and $O(\lambda)$ query complexity, for a broad range of security parameters $\lambda$. No prior work is able to simultaneously achieve this efficiency: it either supports linear-time encodable codes but with worse query complexity [FICS; ePrint 2025], or achieves $O(\lambda)$ query complexity but only for quasilinear-time encodable codes [Minzer, Zheng; FOCS 2025]. Furthermore, we prove a matching lower bound that shows that the query complexity of our IOPP is asymptotically optimal (up to additive factors) for codes with constant rate.

We obtain our result by tackling a ubiquitous subproblem in IOPP constructions: checking that a batch of claims hold. Our novel solution to this subproblem is twofold. First, we observe that it is often sufficient to ensure that, with all but negligible probability, most of the claims hold. Next, we devise a new `lossy batching' technique which convinces a verifier of the foregoing promise with lower query complexity than that required to convince it that all the claims hold. This method differs significantly from the line-versus-point test used to achieve query-optimal IOPPs (for quasilinear-time encodable codes) in prior work [Minzer, Zheng; FOCS 2025], and may be of independent interest.

Our IOPP can handle all codes that support efficient codeswitching [Ron-Zewi, Rothblum; JACM 2024], including several linear-time encodable codes. Via standard techniques, our IOPP can be used to construct the first (to the best of our knowledge) IOP for NP with $O(n)$ prover time and $O(\lambda)$ query complexity. We additionally show that our IOPP (and by extension the foregoing IOP) is round-by-round tree-extractable and hence can be used to construct a SNARK in the random oracle model with $O(n)$ prover time and $O(\lambda \log n)$ proof size.

Organizations increasingly need to pool their sensitive data for collaborative computation while keeping their own data private from each other. One approach is to use a family of cryptographic protocols called Secure Multi-Party Computation (MPC). Another option is to use a set of cloud services called clean rooms. Unfortunately, neither approach is satisfactory. MPC is orders of magnitude more resource-intensive than regular computation, making it impractical for workloads like data analytics and AI. Clean rooms do not give users the flexibility to perform arbitrary computations.

We propose and develop an approach and system called a secure agent and utilize it to create a virtual clean room, Flexroom, that is both performant and flexible. Secure agents enable parties to create a phantom identity that they can collectively control, using maliciously secure MPC, which issues API calls to external services with parameters that remain secret from all participating parties. Importantly, in Flexroom, the secure agent uses MPC not to perform the computation itself, but instead merely to orchestrate the computation in the cloud, acting as a distinct trusted entity jointly governed by all parties. As a result, Flexroom enables collaborative computation with unfettered flexibility, including the ability to use convenient cloud services. By design, the collaborative computation runs at plaintext speeds, so the overhead of Flexroom will be amortized over a long computation.

We consider FB-PRF, one of the key derivation functions defined in NIST SP 800-108 constructed from a pseudorandom function in a feedback mode. The standard allows some flexibility in the specification, and we show that one specific instance of FB-PRF allows an efficient distinguishing attack.

Recently, Hanzlik, Lai, Paracucchi, Slamanig, Tang proposed several blind signature frameworks, collectively named Tanuki(s) (Asiacrypt'25), built upon cryptographic group actions. Their work introduces novel techniques and culminates in a concurrently secure blind signature framework. Straightforward instantiations based on CSIDH (CSI-FiSh) and LESS yield signature sizes of 4.5 KB and 64 KB respectively, providing the first efficient blind signatures in the isogeny-based and code-based literature allowing concurrent executions. In this work, we improve the code-based instantiations by using the canonical form of linear equivalent codes by a careful treatment. However, the canonical form does not naturally support a group action structure, which is central to the security proofs of Tanuki(s). Consequently and unfortunately, the original security guarantees do not directly apply. To address this, we develop two distinct non-black-box reductions for both blindness and the one-more unforgeability. In the end, the improvements do not compromise the security. This results in a concurrently secure code-based blind signature scheme with a compact signature size of 4.4 KB, which is approximately 1% smaller than the isogeny-based one. We also provide a C implementation where the signing time in 99ms and 268 Mcycles on an Intel i7 2.3~GHz CPU. We also look forward to our approaches benefiting advanced constructions built on top of LESS in the future.

Service discovery is a fundamental process in wireless networks, enabling devices to find and communicate with services dynamically, and is critical for the seamless operation of modern systems like 5G and IoT. This paper introduces PriSrv+, an advanced privacy and usability-enhanced service discovery protocol for modern wireless networks and resource-constrained environments. PriSrv+ builds upon PriSrv (NDSS'24), by addressing critical limitations in expressiveness, privacy, scalability, and efficiency, while maintaining compatibility with widely-used wireless protocols such as mDNS, BLE, and Wi-Fi.

A key innovation in PriSrv+ is the development of Fast and Expressive Matchmaking Encryption (FEME), the first matchmaking encryption scheme capable of supporting expressive access control policies with an unbounded attribute universe, allowing any arbitrary string to be used as an attribute. FEME significantly enhances the flexibility of service discovery while ensuring robust message and attribute privacy. Compared to PriSrv, PriSrv+ optimizes cryptographic operations, achieving 7.62$\times$ faster for encryption and 6.23$\times$ faster for decryption, and dramatically reduces ciphertext sizes by 87.33$\%$. In addition, PriSrv+ reduces communication costs by 87.33$\%$ for service broadcast and 86.64$\%$ for anonymous mutual authentication compared with PriSrv. Formal security proofs confirm the security of FEME and PriSrv+. Extensive evaluations on multiple platforms demonstrate that PriSrv+ achieves superior performance, scalability, and efficiency compared to existing state-of-the-art protocols.

This work presents a joint design of encoding and encryption procedures for public key encryptions (PKEs) and key encapsulation mechanism (KEMs) such as Kyber, without relying on the assumption of independent decoding noise components, achieving reductions in both communication overhead (CER) and decryption failure rate (DFR). Our design features two techniques: ciphertext packing and lattice packing. First, we extend the Peikert-Vaikuntanathan-Waters (PVW) method to Kyber: $\ell$ plaintexts are packed into a single ciphertext. This scheme is referred to as P$_\ell$-Kyber. We prove that the P$_\ell$-Kyber is IND-CCA secure under the M-LWE hardness assumption. We show that the decryption decoding noise entries across the $\ell$ plaintexts (also known as layers) are mutually independent. Second, we propose a cross-layer lattice encoding scheme for the P$_\ell$-Kyber, where every $\ell$ cross-layer information symbols are encoded to a lattice point. This way we obtain a \emph{coded} P$_\ell$-Kyber, where the decoding noise entries for each lattice point are mutually independent. Therefore, the DFR analysis does not require the assumption of independence among the decryption decoding noise entries. Both DFR and CER are greatly decreased thanks to ciphertext packing and lattice packing. We demonstrate that with $\ell=24$ and Leech lattice encoder, the proposed coded P$_\ell$-KYBER1024 achieves DFR $<2^{-281}$ and CER $ = 4.6$, i.e., a decrease of CER by $90\%$ compared to KYBER1024. If minimizing CPU runtime is the priority, our C implementation shows that the E8 encoder provides the best trade-off among runtime, CER, and DFR. Additionally, for a fixed plaintext size matching that of standard Kyber ($256$ bits), we introduce a truncated variant of P$_\ell$-Kyber that deterministically removes ciphertext components carrying surplus information bits. Using $\ell=8$ and E8 lattice encoder, we show that the proposed truncated coded P$_\ell$-KYBER1024 achieves a $10.2\%$ reduction in CER and improves DFR by a factor of $2^{30}$ relative to KYBER1024. Finally, we demonstrate that constructing a multi-recipient PKE and a multi-recipient KEM (mKEM) using the proposed truncated coded P$_\ell$-KYBER1024 results in a $20\%$ reduction in bandwidth consumption compared to the existing schemes.

Cryptographic protocols often make honesty assumptions---e.g., fewer than $t$ out of $n$ participants are adversarial. In practice, these assumptions can be hard to ensure, particularly given monetary incentives for participants to collude and deviate from the protocol.

In this work, we explore combining techniques from cryptography and mechanism design to discourage collusion. We formalize protocols in which colluders submit a cryptographic proof to whistleblow against their co-conspirators, revealing the dishonest behavior publicly. We provide general results on the cryptographic feasibility, and show how whistleblowing fits a number of applications including secret sharing, randomness beacons, and anonymous credentials.

We also introduce smart collusion---a new model for players to collude. Analogous to blockchain smart contracts, smart collusion allows colluding parties to arbitrarily coordinate and impose penalties on defectors (e.g., those that blow the whistle). We show that unconditional security is impossible against smart colluders even when whistleblowing is anonymous and can identify all colluding players. On the positive side, we construct a whistleblowing protocol that requires only a small deposit and can protect against smart collusion even with roughly $t$ times larger deposit.

Proposed in EUROCRYPT~2025, \chilow is a family of tweakable block ciphers and a related PRF built on the novel nonlinear $\chichi$ function, designed to enable efficient and secure embedded code encryption. The only key-recovery results of \chilow are from designers which can reach at most 4 out of 8 rounds, which is not enough for a low-latency cipher like \chilow: more cryptanalysis efforts are expected. Considering the low-degree $\chichi$ function, we present three kinds of cube-like attacks on \chilow-32 under both single-tweak and multi-tweak settings, including \begin{itemize} \item[-] a \textit{conditional cube attack} in the multi-tweak setting, which enables full key recovery for 5-round and 6-round instances with time complexities $2^{32}$ and $2^{120}$, data complexities $2^{23.58}$ and $2^{40}$, and negligible memory requirements, respectively. \item[-] a \textit{borderline cube attack} in the multi-tweak setting, which recovers the full key of 5-round \chilow-32 with time, data, and memory complexities of $2^{32}$, $2^{18.58}$, and $2^{33.56}$, respectively. For 6-round \chilow-32, it achieves full key recovery with time, data, and memory complexities of $2^{34}$, $2^{33.58}$, and $2^{54.28}$, respectively. Both attacks are practical. \item [-] an \textit{integral attack} on 7-round \chilow-32 in the single-tweak setting. By combining a 4-round borderline cube with three additional rounds, we reduce the round-key search space from $2^{96}$ to $2^{73}$. Moreover, we present a method to recover the master key based on round-key information, allowing us to recover the master key for 7-round \chilow-32 with a time complexity of $2^{127.78}$. \end{itemize}

All of our attacks respect security claims made by the designers. Though our analysis does not compromise the security of the full 8-round \chilow, we hope that our results offer valuable insights into its security properties.