International Association
for Cryptologic Research

This work presents an improved attack on LWE with hints. Our attack follows a generic and efficient framework that converts an arbitrary number of perfect hints, modular hints, and approximate hints into a problem on lattice. Based on the approach, we give a complexity estimator for solving LWE with hints, and exploit the ``too many hints'' regime with a new method of converting this phenomenon to lattice. The essential component of our work is an improved hint integration method, which decomposes LWE with hints into the SIS part and the LWE part. This new perspective on LWE with hints offers an insight on how hints help us solve the problem, and motivates us to efficiently reduce its dimension via Gaussian elimination instead of LLL reduction. We demonstrate the performance of our attack on LWE instances up to cryptographic dimensions. Experiments show that our method runs significantly faster than the method proposed by May and Nowakowski at Asiacrypt 2023. For example, given 200 perfect hints about CRYSTALS-KYBER 512, our method reduces the running time from 7 hours to 1 hour. When we use our method to solve NTRU, we achieve a 10 times acceleration given 200-350 perfect hints. Furthermore, our method requires fewer hints to carry out successful attacks in the too many hints regime. These results stresses the importance to protect post-quantum cryptography schemes against leakage.

What would it take to operationalize UTXO-based settlement for central bank digital currency?I explore the advantages, trade-offs and challenges of a hypothetical adoption of the UTXO data model for representing currency values in a token-based central bank digital currency. The UTXO model potentially offers greater scalability, privacy, security and interoperability for CBDC than the traditional account model. However, some aspects, in particular with respect to liquidity and denomination management, would require careful design as to fit the prevailing regulatory and institutional requirements. I present possible solutions and conclude that there are no in-principle impediments to the adoption of UTXO-based tokens in a central bank digital currency context.

Banks publish daily axe lists of available securities/assets for selected clients, helping them locate Long or Short trades at reduced financing rates. This list aggregates the bank’s internal inventory, lowering costs but also revealing the bank’s holdings and potentially large client trades, risking competitive exposure. Atlas-X Axe Obfuscation, powered by novel differential privacy methods, obfuscates this list under continuous observation, balancing inventory Profit and Loss (P&L) with reduced client activity leakage. Atlas-X, live for two years across J.P. Morgan’s USA, Europe, and Asia branches, is the first differential privacy tool deployed in finance, with real and synthetic benchmarks confirming its production success."

Public randomness has many important applications, from games and state lotteries to allocation of visas and public housing or assignment of judges to legal cases. Yet today, most of these applications provide little or no public verifiability. This talk will survey the past ten years of work on using cryptography to generate publicly verifiable randomness, including the development of verifiable delay functions and modern randomness beacon protocols based on them. A highlight will be recent resarch showing that verifiable delay functions are the only way to achieve distributed randomness in a dishonest majority setting. It will also discuss the practical challenges in bringing these protocols into common use.

The Tor network enhances clients' privacy by routing traffic through an overlay network of volunteered intermediate relays. Tor employs a distributed protocol among nine hard-coded Directory Authority (DA) servers to securely disseminate information about these relays to produce a new consensus document every hour. With a straightforward voting mechanism to ensure consistency, the protocol is expected to be secure even when a minority of those authorities get compromised. However, the current consensus protocol is flawed: it allows an equivocation attack that enables only a single compromised authority to create a valid consensus document with malicious relays. Importantly the vulnerability is not innocuous: We demonstrate that the compromised authority can effectively trick a targeted client into using the equivocated consensus document in an undetectable manner. Moreover, even if we have archived Tor consensus documents available since its beginning, we cannot be sure that no client was ever tricked. We propose a two-stage solution to deal with this exploit. In the short term, we have developed and deployed TorEq, a monitor to detect such exploits reactively: the Tor clients can refer to the monitor before updating the consensus to ensure no equivocation. To solve the problem proactively, we first define the Tor DA consensus problem as the interactive consistency (IC) problem from the distributed computing literature. We then design DirCast, a novel secure Byzantine Broadcast protocol that requires minimal code change from the current Tor DA code base. Our protocol has near-optimal efficiency that uses optimistically five rounds and at most nine rounds to reach an agreement in the current nine-authority system. Our solutions are practical: our performance analysis shows that our monitor can detect equivocations without changing the authorities' code in five minutes; the secure IC protocol can generate up to 500 consensus documents per hour in a real-world scenario. We are communicating with the Tor security team to incorporate the solutions into the Tor project.

Recent years have exhibited an increase in applications that distribute trust across n servers to protect user data from a central point of attack using cryptographic primitives such as multi-party computation or private information retrieval. However, these deployments remain limited due to a core obstacle: establishing n distinct trust domains. An application provider, a single trust domain, cannot directly deploy multiple trust domains. As a result, application providers forge business relationships to enlist third-parties as trust domains, which is a manual, lengthy, and expensive process, inaccessible to many application developers. We introduce the on-demand distributed-trust architecture that enables an application provider to deploy distributed trust automatically and immediately without controlling the other trust domains. The insight lies in reversing the deployment method such that each user's client drives deployment instead of the application provider. While at a first glance, this approach appears infeasible due to cost, performance, and resource abuse concerns, our system Flock resolves these challenges. We implement and evaluate Flock on 3 major cloud providers and 8 distributed-trust applications. On average, Flock achieves 1.05x the latency and 0.68-2.27x the cloud cost of a traditional distributed-trust deployment, without reliance on third-party relationships.

While cryptographic systems gravitate toward more decentralized and distributed architectures, threshold signatures are gaining considerable renewed attention. Yet, Distributed Key Generation (DKG), with its heavy requirements on the underlying communication mechanisms such as secure channels and a secure broadcast mechanism, remains the Achilles heel of threshold signatures and holds back their deployment in the real world. In this talk, we will first take a detailed look at the obstacles that implementers and practitioners face in practice. We will foster an understanding of potential pitfalls and attacks, in particular those that can arise from the (mis)use of reliable broadcast protocols. We will then provide recommendations and guidelines on how to avoid these pitfalls and implement broadcast securely in practice. A key technical ingredient in our recommendations is a simple extension of the Goldwasser-Lindell echo broadcast protocol, which we have not seen proposed in the context of DKG so far. With these learnings in mind, we present ChillDKG, a DKG protocol that fully incorporates minimal but sufficient implementations of secure channels and reliable broadcast, and thereby hides this complexity from engineers entirely. The protocol addresses further practical problems by eliminating the need for fresh randomness per threshold setup and offering a practical solution for backups. To facilitate real-world adoption of this ChillDKG protocol, we have been working on a publicly available specification that aims to be comprehensive and easy to use. While our talk is geared towards Schnorr (incl. EdDSA) signatures, the main insights and learnings we present are equally applicable to other settings where DKG is required, e.g., BLS threshold signatures or threshold encryption.

For many users, a private key based wallet serves as the primary entry point to blockchains. Commonly recommended wallet authentication methods, such as mnemonics or hardware wallets, can be cumbersome. This difficulty in user onboarding has significantly hindered the adoption of blockchain-based applications. In this talk we will present zkLogin, a novel technique that leverages identity tokens issued by popular platforms (any OpenID Connect enabled platform e.g., Google, Facebook, etc.) to authenticate transactions. At the heart of zkLogin lies a signature scheme allowing the signer to sign using their existing OpenID accounts and nothing else. This improves the user experience significantly as users do not need to remember a new secret and can reuse their existing accounts. zkLogin provides strong security and privacy guarantees. Unlike prior works, zkLogin’s security relies solely on the underlying platform’s authentication mechanism without the need for any additional trusted parties (e.g., trusted hardware or oracles). As the name suggests, zkLogin leverages zero-knowledge proofs (ZKP) to ensure that the sensitive link between a user’s off-chain and on-chain identities is hidden, even from the platform itself. zkLogin enables a number of important applications outside blockchains. It allows billions of users to produce verifiable digital content leveraging their existing digital identities, e.g., email address. For example, a journalist can use zkLogin to sign a news article with their email address, allowing verification of the article’s authorship by any party. We have implemented and deployed zkLogin on the Sui blockchain as an additional alternative to traditional digital signature-based addresses. Due to the ease of web3 on-boarding just with social login, many hundreds of thousands of zkLogin accounts have already been generated in various industries such as gaming, DeFi, direct payments, NFT collections, sports racing, cultural heritage, and many more.

TLS Oracles allow a party to prove the properties of its payload to others without revealing it. The seminal work by Zhang et al. proposed a protocol based on active two-party computation with an overhead too high to be deployed in practice. In this talk, we will talk about the real-world deployment of TLS oracles by using recent interactive zero-knowledge proofs. - We will describe the high-level idea and the deployment of our recent work (Usenix24 Xie et al.). The underlying cryptographic protocol is packaged as a Chrome browser plugin and has successfully proven more than 200,000 TLS sessions so far for blockchain systems like Linea, Scroll, Arbitrum, Optimism and BNB Chain. - We will describe the performance when using the above MPCTLS protocol and a simplified iZKTLS protocol when proving AI-generated content (AIGC). We show that when using state-of-the-art iZK protocol, namely Quicksilver, we are able to prove a 200KB photo is actually generated by ChatGPT in 2 minutes - Finally, we will discuss the challenges that we encountered when deploying and expanding TLS oracle technologies to more context.

The Fiat-Shamir transform is a well-known and widely employed technique for converting sound public-coin interactive protocols into sound non-interactive protocols. Even though the transformation itself is relatively clear and simple, some implementations choose to deviate from the specifications, for example for performance reasons. In this work, we present a vulnerability arising from such a deviation in a KZG-based PLONK verifier implementation. This deviation stemmed from the incorrect computation of the last challenge of the PLONK protocol, where the KZG batching proof challenge was computed before, and, hence, independently from the KZG evaluation proofs. More generally, such a vulnerability may affect any KZG implementation where one uses batched KZG proof evaluations for at least two distinct evaluation points. We call an attack enabled by such a deviation a Last Challenge Attack. For concreteness, we show that when a PLONK verifier implementation presents such a deviation, a malicious PLONK prover can mount a Last Challenge Attack to construct verifiable proofs of false statements. The described vulnerability was initially discovered as part of an audit, and has been responsibly disclosed to the developers and fixed. A proof of concept of the vulnerability, in which a proof is forged for an arbitrary public input, was made available. Apart from the above attack, the talk will also describe other implementation vulnerabilities discovered while performing audits for ZK-based cryptographic systems used within the Ethereum ecosystem.

Key derivation functions (KDFs) are integral to many cryptographic protocols, turning raw (e.g., Diffie-Hellman) key material into strong cryptographic keys. Traditionally KDFs are designed and analyzed, for settings where they take a single key material input. Modern protocol designs, however, regularly need to combine multiple secrets (e.g., in hybrid key exchange for quantum-safe migration) with the guarantee that the derived key is secure as long as at least one of the inputs is good. Complex applications, especially in the setting where keys are user-managed, may even require threshold versions of KDFs. In this talk, we present lessons learned from analyzing such real-world proposals for multi-input KDFs. We first discuss combiner KDFs (aka key combiners), studying the designs in Signal's X3DH protocol, ETSI's TS 103-744 standard for hybrid key exchange, and MLS' combiner for pre-shared keys. Notably, the ETSI standard, widely recognized and recommended for use, for example by the German Federal Agency for IT Security, misuses the underlying HKDF salt input in a way that makes it insecure in its general form. We take the opportunity to revisit the syntax and security model for KDFs (mainly due to Krawczyk's HKDF paper, CRYPTO 2010) to give results on multiple-input KDFs. Taking an assertive stand on syntax, we do away with salts, which are needed in theory to extract from arbitrary sources in the standard model, but in practice, are almost never used (or even available) and sometimes even misused, as we saw. We then turn to the novel threshold primitive, which emerged as part of the multi-factor KDF (MFKDF) design (Nair and Song, USENIX 2023). We show how a naive implementation (such as the one proposed in MFKDF) leaves the scheme open to devastating cryptographic attacks and discuss ways forward.

Authenticated encryption (AE) is a cryptographic mechanism that allows communicating parties to protect the confidentiality and integrity of messages exchanged over a public channel, provided they share a secret key. In this work, we present new AE schemes leveraging the SHA-3 standard functions SHAKE128 and SHAKE256, offering 128 and 256 bits of security strength, respectively, and their “Turbo” counterparts. They support session-based communication, where a ciphertext authenticates the sequence of messages since the start of the session. The chaining in the session allows decryption in segments, avoiding the need to buffer the entire deciphered cryptogram between decryption and validation. And, thanks to the collision resistance of (Turbo)SHAKE, they provide so-called CMT-4 committing security, meaning that they provide strong guarantees that a ciphertext uniquely binds to the key, plaintext and associated data. The AE schemes we propose have the unique combination of advantages that 1) their security is based on the security claim of SHAKE, that has received a large amount of public scrutiny, that 2) they make use of the standard KECCAK-p permutation that not only receives more and more dedicated hardware support, but also allows competitive software-only implementations thanks to the TurboSHAKE instances, and that 3) they do not suffer from a 64-bit birthday bound like most AES-based schemes.

_Server authentication_ assures users that they are communicating with a server that genuinely represents a claimed domain. Today, server authentication relies on certification authorities (CAs), third parties who sign statements binding public keys to domains. CAs remain a weak spot in Internet security, as any faulty CA can issue a certificate for any domain. This talk describes the design, implementation, and experimental evaluation of NOPE [SOSP ’24], a new mechanism for server authentication that uses succinct proofs (for example, zero-knowledge proofs) to prove that a DNSSEC chain exists that links a public key to a specified domain. The use of DNSSEC dramatically reduces reliance on CAs, and the small size of the proofs enables compatibility with legacy infrastructure, including TLS servers, certificate formats, and certificate transparency. NOPE proofs add minimal performance overhead to clients, increasing the size of a typical certificate chain by about 10% and requiring just over 1 ms to verify. NOPE's core technical contributions (which generalize beyond NOPE) include efficient techniques for representing parsing and cryptographic operations within succinct proofs, which reduce proof generation time and memory requirements by nearly an order of magnitude.

The eIDAS regulation of the European Commission establishes a framework for digital identity and authentication. The regulation entered into force in May 2024, and proposes the EU Digital Identity Wallet (EUDI) which shall be a ``fully mobile, secure and user-friendly'' service, enabling users to identify themselves to public and private online services. All member states are now required to offer such an EUDI wallet to all their citizens and residents by end of 2026. The eIDAS regulation mandates several privacy requirements for the EUDI, such as selective disclosure, unlinkability, unobservability and the right to pseudonymous authentication. While this sounds like *the* application anonymous credentials were invented for, they are not considered in the currently proposed Architecture Reference Framework (ARF). Instead, the plan is to use batch issuance of single-use ECDSA credentials with individually hashed attributes. The shortcomings of this approach and the recommendation of anonymous credentials, such as BBS+, have been voiced in the Cryptographers' Feedback on the EU Digital Identity’s ARF. The talk will give an overview of the eIDAS regulation, and the real-world impact this will have. It will also outline the currently proposed technical solution, and the limitations and open challenges therein. For anonymous credentials, a brief overview on their technical advances is given, and why they are not used in the current ARF. We will then look at the remaining challenges in implementing anonymous credentials in EUDI, and how the cryptographic community can contribute to ensuring that our future digital identity system is as privacy-preserving and secure as technically feasible.

With the advent of Blockchains, there has been reinvigorated interest in deploying ZK-proof systems in the form of ZKSNARKs, an attractive, non-interactive, succinct variant. Yet, current deployments require heavy hardware / huge running times / very large memory. In this talk, I will discuss new applications of zero-knowledge from verifiable credentials to zk-email, zktls, and zklogin that demand scalable client-side proving systems. I will present the Ligetron platform that can allow to build and deploy an end-to-end system for these applications. Crucially, the platform relies on the recent Ligetron system developed by Ligero Inc. that showcases speed on the browser that stands competitive against all known ZKSNARK implementations executed on heavy machines to date! Furthermore, I will show how the platform leverages the ZK-WASM feature of the Ligetron system, allowing developers to implement their zkApps from the browser by coding in standard high-level languages such as C/C++/Rust.

Anonymous credentials are a type of digital credential that allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a passport credential can prove their “age is >18” without revealing any other attributes such as their date of birth. Despite their inherent value towards privacy-preserving authentication and authorization, anonymous credential schemes have been difficult to deploy and have therefore seen little use in large-scale applications. Part of the difficulty stems from the fact that efficient anonymous credential schemes in the literature, such as the popular BBS+ scheme use pairing-friendly elliptic curve cryptography, and therefore require changes to existing security infrastructure used by issuers before it can be deployed. In addition, state-level identity issuers often require digital identity credentials to be device-bound by incorporating the device’s secure element into the presentation flow. As a result, schemes like BBS+ also require new hardware secure elements on mobile phones to be securely deployed. In this paper, we propose a new anonymous credential scheme for the widely deployed Elliptic Curve Digital Signature Algorithm (ECDSA) signature scheme. Producing ZK proofs about ECDSA signatures has traditionally been a bottleneck for other ZK proof systems because standardized curves such as P256 use finite fields which do not support efficient number theoretic transforms. We overcome part of this bottleneck by designing a ZK proof system around sumcheck and the Ligero ZKargument system, by designing efficient methods for Reed-Solomon encoding over the required fields, and by designing specialized circuits for ECDSA and SHA that are more efficient for sumcheck. Our scheme is roughly 50x more efficient than prior work: proofs for ECDSA can be generated in 140ms on mobile phones. By building an efficient NARG for statements about ECDSA signatures, SHA256 hashing, and document format parsing for standardized identity formats such as MDOC, our anonymous credential scheme can be deployed without changing any issuer processes or without requiring any changes to mobile devices. When incorporated into a fully standardized identity protocol such as the ISO MDOC standard, we can generate a zero-knowledge proof for the MDOC presentation flow in 0.7–1.3 seconds on mobile devices depending on the credential size. These advantages make our scheme a promising candidate for privacy-preserving digital identity applications.

The US is currently rolling out the mDL, a digital version of the driver’s license, a primary form of identity credential, and credentials relating to employment and healthcare are also becoming more common (in the US and globally). Their potential to enhance online authentication is exciting—yet their privacy implications remain a significant concern. This talk will describe how we can “upgrade” the privacy features of these credentials, adding selective disclosure and unlinkability, without help from credential issuers. In cryptographic terms, we construct an anonymous credential system based on zero knowledge proofs and existing credentials. The system has practical performance, offering fast proof generation and verification times (10--20ms) after a once-per-credential setup phase. We give demos for two practical scenarios, proof of employment for benefits eligibility, and online age verification, and provide an open-source implementation to enable further research and experimentation.

Digital signatures underpin identity, authenticity, and trust in modern systems. Advanced variants of signatures—such as proofs of possession, ring signatures, and threshold signatures—offer security, privacy, and anonymity benefits but are rarely deployed due to incompatibility with widely used legacy schemes. This talk explores how to transform these legacy signatures— concretely, RSA, ECDSA, Ed25519, and the new NIST standards Falcon and Dilithium— into advanced variants using zkSNARKs. Making our zkSNARK-based schemes practical requires closing a huge efficiency gap that stems from, roughly, the cost of proving signature verification using the zkSNARK. We will present optimized protocols for expensive parts of signature verification, such as hashing and elliptic curve scalar multiplication. Using our techniques, we can generate a 240-byte proof of possession of an RSA signature over a message the size of a typical TLS certificate—two kilobytes—in only three seconds; the proof takes only 28 milliseconds to verify.

We have conducted a field study on post-quantum DNSSEC [1], involving RIPE ATLAS measurements with around 10,000 probes. Using implementations of post quantum signing schemes (Falcon, Dilithium, SPHINCS+, XMSS) in both BIND and PowerDNS, DNS response success and failure rates depending on the signing scheme and other parameters were investigated. In addition to the above algorithms, we present new results on a novel class of DNSSEC signatures, using Merkle trees for optimizing signature sizes. Besides measurement results, we also provide context on our implementation approach. We find that depending on circumstances, a significant fraction of clients choke. Failure rates are mainly a function of response packet size, which is mediated by parameters such as DNSSEC configuration (KSK/ZSK vs. CSK, NSEC vs. NSEC3, or compact DoE) and DO bit presence, with some variation depending on transport. This is qualitatively in line with the "educated guess", but adds quantitative detail. We also find surprising results, such as that a number of resolvers claim to have validated PQC signatures, even though it is implausible for resolvers to support these algorithms. Between now and RWC 2025 we will be evaluating all of the above algorithms in the context of a large enterprise’s DNS environment, which will further enhance our understanding of the implications of transitioning to quantum safe algorithms. Implementation included adding both signing and validation support to PowerDNS recursor and BIND resolver. Both functions can be tested using a do-it-yourself frontend [2], which the public can use to work and familiarize themselves with our testbed. We hope that this study helps inform future PQC engineering developments not just in the context of DNS but also other UDP based protocols [1]: https://nlnet.nl/project/PQ-DNSSEC-Testbench/ [2]: https://pq-dnssec.dedyn.io/

The Secure Shell (SSH) protocol is one of the first security protocols on the Internet to upgrade itself to resist attacks against future quantum computers, with the default adoption of the "quantum (otherwise, classically)" secure hybrid key exchange in OpenSSH from April 2022. However, there is a lack of a comprehensive security analysis of this quantum-resistant version of SSH in the literature: related works either focus on the hybrid key exchange in isolation and do not consider security of the overall protocol, or analyze the protocol in security models which are not appropriate for SSH — especially in the "post-quantum" setting. This talk describes how we remedy the state of affairs by providing a thorough post-quantum cryptographic analysis of SSH. We follow a "top-down" approach wherein we first prove security of SSH in a more appropriate model — namely, our post-quantum extension of the so-called authenticated and confidential channel establishment (ACCE) protocol security model; our extension which captures "harvest now, decrypt later" attacks could be of independent interest. Then we establish the cryptographic properties of SSH's underlying primitives, as concretely instantiated in practice, based on our protocol-level ACCE security analysis: for example, we prove relevant cryptographic properties of "Streamlined NTRU Prime" — a key encapsulation mechanism (KEM) which is used in recent versions of OpenSSH and TinySSH — and address open problems related to its analysis in the literature. Notably, our ACCE security analysis of post-quantum SSH relies on the weaker notion of IND-CPA security of the ephemeral KEMs used in the hybrid key exchange. This is in contrast to prior works which rely on the stronger assumption of IND-CCA secure ephemeral KEMs. Hence, our talk will focus on potentially replacing IND-CCA secure KEMs in current post-quantum implementations of SSH with simpler and faster IND-CPA secure counterparts, thereby resulting in reduced financial and ecological costs.

Elligator is widely used to encode elliptic-curve public keys in protocols that require random-looking bytestrings. These include password authenticated key exchange protocols (e.g., EKE) as well as protocols which attempt to avoid fingerprinting (e.g., Tor's obfs4 pluggable transport). We consider a replacement for Elligator in the post-quantum setting. We present Kemeleon: novel encodings for ML-KEM public keys and ciphertexts into bytestrings which are computationally indistinguishable from random. Kemeleon includes variants that allow for optimized implementations or deterministic encodings. We then consider how to combine traditional and post-quantum obfuscated key encapsulation mechanisms (KEMs). In contrast with hybrid key exchange where simple concatenation yields a secure solution, hybrid obfuscation is more subtle, and can require a nested construction when computational assumptions are involved. From Kemeleon and hybrid obfuscated KEMs, we show how to construct obfuscated key exchange as well as the first known hybrid password authenticated key exchange protocol which is secure in the adaptive-corruptions model.

In an attempt to provide organizations with access to correct and bug-free implementations of the new NIST-selected PQC algorithms, Cryspen and Google have joined forces to produce formally verified, open source implementations of these algorithms. In this talk we will cover our cutting-edge approach to formally verifying ML-KEM, the challenges encountered during the verification process, and the timing side channel attack uncovered by the process. We will also discuss the way forward for formal verification of PQC algorithms, the impact of formal verification on the development workflow, and the subsequent deployment of secure and optimized PQC implementations.

Let’s Encrypt: Ten Years Encrypting the WebPeople deserve a secure and privacy-respecting Internet. Ubiquitous HTTPS is an essential part of delivering on that vision. To that end, our public benefit certificate authority has been issuing TLS certificates free of cost in a reliable, automated, and trustworthy manner for ten years. We went from issuing our first certificate in 2015 to servicing over 500,000,000 websites in 2025, and we’ve got big plans for the future. We’ll talk about how we got here and some lessons learned. We’ll also talk about what’s coming, from short lived certificates to the future of revocation and root generation.

Open sourcing cryptographic code is widely considered to be imperative for security. However, it can be challenging to properly open source software: there are licenses, IP, security reporting, and many other issues that need to be addressed. In this talk, we will discuss the best practices for open source software development learned from almost 25 years of experience at the Linux Foundation. Attendees will learn about how to set up their open source software projects for a variety of potential goals, including things like maximizing security and community building, with a focus on cryptographic code.

CRLite is a low-bandwidth, low-latency, privacy-preserving mechanism for distributing certificate revocation data. The system was originally described by Larisch, Choffnes, Levin, Maggs, Mislove, and Wilson at IEEE S&P in 2017. It was implemented by Mozilla shortly thereafter, and aspects of Mozilla’s implementation were presented by Thyla van der Merwe at RWC 2020. Firefox users have had the option to enable CRLite since September 2019 / Firefox 69. However, until very recently, the system was only enabled by default for Firefox Nightly users and 1% of Firefox Release users. The bandwidth costs of the system, while modest in theory, were not low enough for Mozilla, or Firefox users, to accept. This talk will highlight a combination of technical innovations and policy changes that have put us on the path to enabling CRLite for all of our users. Our new implementation of CRLite encodes the set of all revoked certificates in a 6.7 MB package—54% smaller than our original implementation of CRLite, and 21% smaller than a widely-cited lower bound. Our implementation also produces differential updates that describe the certificates that were revoked in the previous 6 hours. The average size of these differential updates is about 25 kB. This talk will also describe the path ahead of us. If CT log operators switch to the Static CT API and the CA/B Forum reduces the maximum validity period of WebPKI certificates to 90 days, we believe that a software client will be able to track all revocations, at 6 hour latency, by downloading approximately 100 kB of revocation data per day.

In 2023, WhatsApp announced its deployment of key transparency, a feature which aims to decrease the trust placed on a centralized server when distributing public keys used for end-to-end encrypted messaging. Similar deployments have been announced for Apple iMessage and ProtonMail.This talk discusses the integration between WhatsApp and Cloudflare to audit the key transparency data structure within a live environment.

Over the last two decades, researchers have repeatedly demonstrated that microarchitectural attacks, and in particular cache attack, pose a significant risk to the security of cryptographic implementations. One of the main defenses against such attacks is to follow the constant-time programming paradigm, which ensures that the memory addresses a program accesses do not depend on secret data. While effective, constant-time programming can incur a significant performance penalty. Consequently, when constant-time programming is deemed to be too hard, developer may choose to use heuristic defenses that aim to limit the attacker's ability to observe the memory access patterns of the victim. For example, web browser reduced the resolution of the timer they provide, based on the observation that a high resolution timer is required to distinguish cache hits from cache misses. Moreover, as cache attacks have a limited temporal resolution, implementations whose access patterns are indistinguishable except at a high sampling rate are considered more secure. In this talk we show that such restrictions are insufficient to protect against cache attacks. We start by representing the cache status of a memory address as a Boolean value. This allows us to express cache attacks as computing a logical function of the cache state. We then design ``weird gates'' that compute logical functions of cache state and store the result in the cache. We demonstrate that through composing these gates, we can perform arbitrary computations on cache state. Finally, we leverage our gates to perform two attacks against cryptographic implementations. Our first attack shows that an implementation of ElGamal remains vulnerable even when the clock resolution is reduced by six orders of magnitude. Our second attack shows that we can increase the frequency of cache probing to a level that allows key recovery from an S-box-based AES implementation. This talk is based on the USENIX Security'23 publication ``The Gates of Time: Improving Cache Attacks with Transient Execution'' and the CCS'24 distinguished paper ``Spec-o-Scope: Cache Probing at Cache Speed''.

How will future microarchitectures impact the security of existing cryptographic implementations? As we cannot keep reducing the size of transistors, chip vendors have started developing new microarchitectural optimizations to speed up computation. A recent study (Sanchez Vicarte et al., ISCA 2021) suggests that these optimizations might open the Pandora’s box of microarchitectural attacks. However, there is little guidance on how to evaluate the security impact of future optimization proposals. To help chip vendors explore the impact of microarchitectural optimizations on cryptographic implementations, we develop (i) an expressive domain-specific language, called LmSpec, that allows them to specify the leakage model for the given optimization and (ii) a testing framework, called LmTest, to automatically detect leaks under the specified leakage model within the given implementation. Using this framework, we conduct an empirical study of 18 proposed microarchitectural optimizations on 25 implementations of eight cryptographic primitives in five popular libraries. We find that every implementation would contain secret-dependent leaks, sometimes sufficient to recover a victim’s secret key, if these optimizations were realized. Ironically, some leaks are possible only because of coding idioms used to prevent leaks under the standard constant-time model.

In this talk, we present a side-channel attack on a Bluetooth chip embedded in millions of devices worldwide, from wearables and smart home products to industrial IoT. The attack marks a significant milestone as previous attempts to recover the encryption key from the proprietary hardware AES-CCM accelerator in this chip were unsuccessful. Our approach leverages side-channel information from AES computations that is unintentionally transmitted by the chip together with the RF signals. Unlike traditional side-channel attacks based on power or near-field EM emissions, the presented one leaves no evidence of tampering, eliminating the need for package removal, chip decapsulation, or additional soldered components. However, side-channel signals which we extract from RF signals are considerably weaker and noisier, requiring more traces for successful key recovery. The presented attack requires 180,000 traces, with each trace computed by averaging 10,000 measurements per encryption.

The area of modern zero-knowledge proof systems has seen a significant rise in popularity over the last couple of years, with new techniques and optimized constructions emerging on a regular basis. As the field matures, the aspect of implementation attacks becomes more relevant, however side-channel attacks on zero-knowledge proof systems have seen surprisingly little treatment so far. In this paper we give an overview of potential attack vectors and show that some of the underlying finite field libraries, and implementations of heavily used components like hash functions, are vulnerable w.r.t. cache attacks on CPUs. On the positive side, we demonstrate that the computational overhead to protect against these attacks is relatively small.

In this talk I will present a side-channel vulnerability in the cryptographic library of Infineon Technologies, one of the most important secure element manufacturers. This vulnerability – that went unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations – is due to a non constant-time modular inversion. The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract an ECDSA secret key. The attack is performed on a FIDO hardware token from Yubico where it allows to create a clone of the FIDO device. Yubico acknowledged that all YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact we show that all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library are vulnerable to the attack.

With the growing prevalence of software-based cryptographic implementations in high-level languages, understanding the role of architectural and micro-architectural components in side-channel security is critical. The role of compilers in case of software implementations towards contribution to side-channel leaks is not investigated. While timing-based side-channel leakage due to compiler effects has been extensively studied, the impact of compiler optimizations on power-based leakage remains underexplored, primarily due to challenges in isolating the architectural power component. In this work, we present ARCHER, an architecture-level tool for side-channel analysis and root cause identification of cryptographic software on RISC-V processors. ARCHER integrates two key functionalities: (1) Side-Channel Analysis using TVLA and its variants to detect leakage, and (2) Data Flow Analysis to track intermediate values and explain observed leaks. ARCHER supports pre-silicon analysis of high-level and assembly code, offering algorithm-agnostic insights through interactive visualizations and detailed reports on execution statistics, leakage points, and their causes. Using ARCHER, we analyze binary transformations across five optimization levels (-O0, -O1, -O2, -O3, -Os) to isolate the architectural effects of compiler optimizations from the micro-architectural influences of the target device. This study, spanning both unprotected and masked AES implementations, reveals actionable insights into how optimizations affect power-based leakage. Notably, we identify a previously undocumented vulnerability in the ShiftRow operation of masked AES, introduced by compiler optimizations. This vulnerability, confirmed through correlation analysis on simulated power traces, is validated on physical hardware using an ASIC implementation of the PicoRV32 core, confirming that architectural-level vulnerabilities translate to real-world leakage. To enhance practical applicability, we introduce two dataflow metrics, remanence and revive, for predicting side-channel leakage based on binary transformations. These metrics, coupled with ARCHER’s analysis and visualization capabilities, provide designers with effective tools to assess and mitigate power-based side-channel vulnerabilities at the software optimization stage, advancing the security of cryptographic implementations in resource-constrained environments.

Two years ago, at RWC 2023 in Tokyo, we presented attacks on Mega—an end-to-end encrypted (E2EE) cloud storage provider with over 300 million users—and challenges on the path to designing a secure cloud storage protocol with end-to-end guarantees. Now, it is time for an update. In the past two years, analyses of multiple E2EE cloud storage providers revealed serious flaws in most systems, showing that the entire ecosystem is largely broken. At the same time, Google and Apple launched optional client-side encryption for Google Drive and iCloud, thereby making E2EE cloud storage available to their users (albeit with limited functionality). This is great news for privacy-minded users, but given the vulnerabilities that were discovered in most of the smaller providers, one may ask: how do we know if they are secure? Moreover, the vast majority of cloud storage providers still only use server-side encryption, which provides no protection against server compromise. Why is this the case? And what can we do about it? In this talk, we present the first cryptographic model for secure cloud storage in the malicious server threat model, formalizing E2EE cloud storage. Our model and security notions are motivated by our study of real-world E2EE cloud storage providers. We begin by briefly recapping our insights from analyzing MEGA and Nextcloud, identifying the main challenges that they struggled with. We then give a formal syntax for the core functionality of a cloud storage system, focusing on how we tailored the model to capture the real-world complexity of such systems. We continue by showing how we define the expected end-to-end security guarantees against a potentially compromised or malicious cloud server. Finally, we present the first provably secure E2EE cloud storage protocol. Along the way, we hope to inspire a discussion between academia and industry on the remaining challenges of bringing provably secure E2EE cloud storage to practice.

End-to-end encryption (E2EE) allows data to be outsourced and stored on an untrusted server, such as in the cloud, without compromising its privacy. The need for stronger cryptographic guarantees for outsourced persistent data (such as encrypted files in cloud storage) has been highlighted by recent attacks on E2EE cloud storage providers, which all identify sharing as one of the main challenges. But even recently proposed E2EE cloud storage protocols which address this challenge suffer from another problem: when data is shared between a group of users, they all share access to the same, static, key material used for data encryption. This means that when the group membership changes, access control is only enforced by the server; security breaches or compelled disclosure would let even a removed member decrypt both current and future shared data. In this talk, we explore stronger security guarantees for groups of users and the data they share, and implement a practical system that delivers them. We propose to move away from the use of static keys for data encryption in the setting of file sharing. Taking inspiration from the related setting of continuous group key agreement (CGKA) [3] and the MLS standardization effort for group messaging, we introduce a new primitive, called group key progression, that enables a dynamic group of users to agree on a persistent sequence of keys. With our efficient instantiation of this primitive, called Grappa, group members can secure future and past data from former and future group members, respectively, while themselves retaining access to all of their data. We avoid expensive data re-encryption and ensure that all users in Grappa only need to keep a compact cryptographic state. Grappa uses CGKA as a core building block to transport key updates between users, hence finding a use-case for MLS beyond group messaging. In this talk, we want to share our take-aways from the journey of developing a file sharing system with strong security, from the novel theoretical building blocks, to challenges on the path to practice. On the theoretical side, we begin by showing that forward security (FS) and post-compromise security (PCS)—which are standard security notions for data in transit—are fundamentally more challenging to achieve for data at rest. Persistent data hence necessitates tailored methods to ensure strong end-to-end security. Instead of aiming for FS and PCS, we propose the new security notion of cryptographically-enforced interval access control (IAC), which gives similar guarantees in the common setting of persistent data applications where a group of users share access to the outsourced data, such as file sharing. On the practical side, we spent significant engineering effort to implement a file sharing system which utilizes Grappa to achieve both end-to-end security and IAC. In doing so, we uncovered several interesting limitations of the current cryptography ecosystem that we believe to be of interest to the RWC audience. These include the lack of support for low-level cryptographic primitives in the Web Crypto API, barriers to using MLS outside of the secure messaging context as a transport layer for Grappa, and challenges with developing new cryptographic applications for cross-platform usage.

In this talk, we present a new approach using Fully Homomorphic Encryption (FHE), which enables end-to-end encryption for group voice calls. Concretely, we introduce blind audio mixing, an FHE-compatible compression technique, and an encrypted watermarking approach.

We raise concerns for end-to-end encryption (E2EE) security in light of the remarkable recent advances and explosion of interest in large language models and generative artificial intelligence (AI). Apple has already announced an initiative to feed E2EE messages into AI systems, and other major platforms may be considering similar efforts. Combining expertise across cryptography, AI, and law, we (1) examine a wide range of technical configurations that could fall under the broad umbrella of “feeding E2EE content to AI models,” taking into consideration the state of the art in cryptography, privacy technologies, and AI/ML, (2) assess these configurations’ technical compatibility with E2EE; (3) overview potentially relevant areas of law, and provide a detailed analysis of the circumstances under which E2EE service providers are likely to be able to offer AI features which use E2EE content; and (4) offer four key recommendations, which amount to a framework for how to think about offering AI features in E2EE systems.

Most applications that deduplicate data first split said data in smaller blocks, called chunks, using content-defined chunking (CDC). CDC cuts the chunks based on a local context window in the data: this means that chunks boundaries are preserved when the data is changed, and enables significant deduplication efficiency gains across applications dealing with large redundant dataset such as backup solutions, software patching systems, and file hosting platforms like IPFS and HuggingFace. However, CDC also introduces a subtle leakage: the length of each chunk leaks information about the data being chunked. This enables fingerprinting attacks, where adversaries exploit chunk length patterns to infer the presence or structure of specific data. Such attacks threaten confidentiality in scenarios ranging from encrypted backups on untrusted cloud servers to data transmitted over encrypted channels. To address these risks, many systems - mainly in the cloud backup setting - have developed bespoke mitigations by mixing a cryptographic key inside the chunking process. We demonstrate the ineffectiveness of these mitigations by presenting efficient key recovery attacks that rely solely on a known plaintext assumption. These attacks entirely circumvent all folklore mitigations except one, re-enabling fingerprinting attacks. To address this, we introduce a formal treatment for Keyed Content-Defined Chunking (KCDC) schemes and propose a provably secure construction that fulfills a strong notion of security. In doing so, we take a step towards making these real-world systems more resilient against leakage.

In this talk, we report on our experience in producing machine-checked security proofs for cryptographic protocol standards in all their gory detail, and more specifically for Messaging Layer Security (MLS). We outline the methodology we used to tackle this beast of a protocol, talk about the formal verification tools we developed along the way, and give some insights on protocol design, analysis, and standardization that we learned during this journey.

Protests are an important tool in the fight against authoritarian power structures around the world. Authoritarian governments often respond to a large protest by shutting down the Internet in an attempt to stifle this communication. Smartphone mesh messaging has been considered a promising solution to this problem by academics. Given this research interest, it should be the case that mesh messaging is on the path to deployment to counter Internet shutdowns during large-scale protests. So why hasn't it? In this talk, we try to answer this question. We describe the challenges of mesh messaging in detail, and discuss the shortcomings of prior work. We also present our work, Amigo (https://eprint.iacr.org/2024/1872), which represents a step towards a deployable system. But, more work is needed. During this talk, we will journey deep into the network stack of mesh messaging, and show how improvements to cryptographic constructions may not translate to optimized performance. The goal of this talk is to convince the audience that mesh messaging requires more than just better cryptography to achieve deployment; we need cryptography that is tailored to the low-level challenges of a mesh network.

Secure group messaging applications have been widely deployed to protect the everyday conversations of billions of users worldwide. These applications use different cryptographic algorithms to provide varying privacy and authenticity guarantees. Due to their widespread use, particularly in sensitive contexts like protests and conflicts, analyzing the security of these applications has been the focus of numerous academic works. Most of these focus on analyzing the more "novel" key agreement primitive. Due to the inherent complexities, few works attempt to rigorously analyze an application as a whole, and even fewer focus on the chat encryption primitive specifically. The latter may be attributed to the assumption that, after decades of cryptographic research, encrypting conversations (using symmetric/asymmetric primitives) is well understood, rendering chat encryption a seemingly trivial or "folklore" primitive. Despite its perceived simplicity, throughout our work across two papers, we find that some widely used group messaging applications implement chat encryption insecurely, potentially exposing them to exploitable attacks. This talk highlights the importance of analyzing the compositions of symmetric encryption and digital signatures used in several group chat encryption algorithms. Isolating chat encryption allows one to systematically identify potential attacks that result from the lack of proper "binding" between the signing and encryption components. This is reflected in our analysis of chat encryption in three widely deployed group messaging applications: Keybase, MLS, and Session. While Keybase had a good intuition for combining symmetric encryption and digital signatures, their solution was brittle; its security relied on non-cryptographic elements such as message serialization formats. MLS and Session did not implement proper binding in their compositions, exposing them to attacks where a group member can impersonate another by replaying their messages. Additionally, Session is susceptible to message re-ordering attacks by non-group members such as the platform server. Independent analysis of chat encryption allowed us to narrowly target the corresponding security goals and specify a set of conditions required for proper binding between the signing and encryption components. Developers of chat encryption algorithms need only check that these conditions are met to ensure that the security goals are achieved.

Secure Messaging apps have seen growing adoption, and are used by billions of people daily. However, due to imminent threat of a "Harvest Now, Decrypt Later" attack, secure messaging providers must react know in order to make their protocols hybrid-secure: at least as secure as before, but now also post-quantum (PQ) secure. Since many of these apps are internally based on the famous Signal's Double-Ratchet (DR) protocol, making Signal hybrid-secure is of great importance. In fact, Signal and Apple already put in production various Signal-based variants with certain levels of hybrid security: PQXDH (only on the initial handshake), and PQ3 (on the entire protocol), by adding a PQ-ratchet to the DR protocol. Unfortunately, due to the large communication overheads of the KYBER scheme used by PQ3, real-world PQ3 performs this PQ-ratchet approximately every 50 messages. As we observe, the effectiveness of this amortization, while reasonable in the best-case communication scenario, quickly deteriorates in other still realistic scenarios; causing many consecutive (rather than 1 in 50) re-transmissions of the same KYBER public keys and ciphertexts (of combined size 2272 bytes!). In this presentation, we will talk about a new Signal-based, hybrid-secure secure messaging protocol, which significantly reduces the communication complexity of PQ3. We call our protocol "the Triple Ratchet" (TR) protocol. First, TR uses erasure codes to make the communication inside the PQ-ratchet provably balanced. This results in much better worst-case communication guarantees of TR, as compared to PQ3. Second, we design a novel "variant" of KYBER, called KATANA, with significantly smaller combined length of ciphertext and public key (which is the relevant efficiency measure for "PQ-secure ratchets"). For 192 bits of security, KATANA improves this key efficiency measure by over 37%: from 2272 to 1416 bytes. In doing so, we identify a critical security flaw in prior suggestions to optimize communication complexity of lattice-based PQ-ratchets, and fix this flaw with a novel proof relying on the recently introduced hint-MLWE assumption. This protocol has been developed with the Signal team, and they are actively evaluating bringing a variant of it into production in a future iteration of the Signal protocol.

The problem is that cryptographic primitives are typically designed to run on digital computers that use Boolean gates to map sequences of bits to sequences of bits, whereas DNNs are a special type of analog computer that uses linear mappings and ReLUs to map vectors of real numbers to vectors of real numbers. In the past, this discrepancy between the discrete and continuous computational models had led to many interesting side channel attacks. In this talk I will describe a new theory of security when digital cryptographic primitives are implemented as ReLU-based DNNs. I will then show that the natural implementations of block ciphers as DNNs can be broken in linear time by using nonstandard inputs whose “bits” are real numbers. Finally, I will develop a new and completely practical method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way.

The primary objective of this talk is to report to the community about Apple’s successful real-world deployment of efficient Homomorphic Encryption (HE) systems while overcoming key challenges encountered at this scale. Specifically, this talk will walk through the details on Apple’s implementation of HE, Private Information Retrieval (PIR) and Private Nearest Neighbor Search (PNNS) in features such as Photos, Safari, Mail, and the Phone app, addressing key optimizations applied to the algorithms and end-to-end system design.

Today, humanitarian distribution heavily relies on manual processes that can be slow, error-prone, and costly. Humanitarian aid organizations therefore have a strong incentive to digitalize the aid distribution process. This would allow them to scale up their operations, reduce costs, and increase the impact of their limited resources. Digitalizing the aid distribution process introduces new challenges, especially in terms of privacy and security. These challenges are particularly acute in the context of humanitarian aid, where the recipients are often vulnerable populations, and where the aid distribution process is subject to a high degree of scrutiny by the public, the media, and the donors. This is compounded by a very strong threat model, with adversaries ranging from corrupt officials to armed groups, and by the fact that the recipients themselves may not be able to protect their own privacy. This talk we propose is split into three main parts: first, we stress the need for assessments when deploying privacy-preserving applications in the real world, using concrete examples. In particular, we discuss the tension between supporting assessments and the security and privacy of the application's users. Second, we reflect on our experience in designing privacy-preserving applications for various use cases, and discuss how we go from an informal, high-level need expressed by our partners, to a formal model and a concrete protocol. Here, we stress common pitfalls, and outline a methodology that we have synthesized from our experience. Finally, we discuss how we tackled the use case of a privacy-preserving aid distribution system with statistics, in collaboration with partners from the International Committee of the Red Cross. We present a general framework to collect and evaluate statistics in a privacy-preserving way (including one-time functional evaluation, a new primitive that we introduce), and we present three concrete instantiations of this framework (based on trusted execution environments, linear secret sharing, and threshold fully homomorphic encryption, respectively).

In this talk, we will describe how we use Multiparty Computation (MPC) to bridge a significant gap in the Account Aggregator (AA) framework in India. Briefly, AA is a regulated Open Finance framework in India that enables users to authorize licensed entities to view their financial information, in order to receive financial services. The AA ecosystem already has tens of millions of users, but suffers a gap in trust: financial data once revealed for one purpose (eg. applying for a loan) may be duplicated and reused by third parties for unauthorized purposes. We present a solution wherein user data is instead secret shared amongst a consortium of independent non-colluding parties, so that they may reveal only explicitly consented functions upon it via MPC. Our solution is designed to be a drop-in replacement—i.e. fully compatible with existing AA standards so that it can be used out of the box—and is currently being deployed by leading financial institutions and digital public infrastructure bodies. The talk will establish what is to our knowledge a new use case for MPC, and explore the technical challenges we faced in designing such a system to be compatible with existing "MPC-unfriendly" standards.

This talk presents Argos: a viable path to make fully homomorphic encryption (FHE) deployable in real world scenarios where attackers cannot be assumed to be semi-honest. We demonstrate that trusted hardware can be securely used to provide integrity for FHE and other FHE-based protocols that implement functionalities such as private information retrieval (PIR) or private set intersection (PSI). We show that the major security pitfall of trusted hardware, \emph{microarchitectural} side channels, can be completely mitigated by excluding any secrets from the CPU and the memory hierarchy. This is made possible by focusing on building a platform that only enforces program and data \emph{integrity} and \emph{not} confidentiality (all that is required for verifiable FHE). All secrets can be kept in a separate co-processor (e.g., a TPM) inaccessible to an attacker. While relying on an off-CPU chip for attestation typically incurs significant performance overheads, our modified protocol turns it into a fixed-cost. Argos requires no dedicated hardware extensions and is supported on commodity processors from 2008 onward. Our hardware prototype executes 80 times faster than state-of-the-art on SGX, while introducing only 7\% overhead for FHE evaluation and 22\% for more complex protocols. By demonstrating how to combine cryptography with trusted hardware, Argos paves the way for widespread deployment of FHE-based protocols beyond the semi-honest setting.

Compressing Proofs using Cryptography:  A Triumph of Theory and PracticeIn this talk, I will survey a line of work that demonstrates how to take a long proof and make it succinct using cryptographic magic. I will highlight the deep and ongoing interplay between theoretical advancements, practical implementations, and real-world deployment, showcasing key milestones and addressing the challenges encountered along the way.

The RADIUS protocol is the de facto standard lightweight protocol for authentication, authorization, and accounting for networked devices. It is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload. This talk presents the Blast-RADIUS vulnerability which allows a man-in-the-middle attacker to authenticate themselves to a device using RADIUS. Even in 2024, many of the above-mentioned applications still run RADIUS over UDP within an enterprise network (and in some cases even over the public Internet), and are hence affected by this vulnerability. RADIUS has previously escaped the scrutiny of the cryptography community, likely because it is predominately used in enterprise contexts and hidden from end users. Only deployments using the EAP authentication method or the not-yet-standardized RADIUS over TLS are unaffected. In a typical RADIUS deployment, a user sends their credentials to the RADIUS client, which then contacts the RADIUS server that validates the credentials. On success, the RADIUS server sends an Access-Accept packet back to the RADIUS client (e.g., a router), which will then grant the user access. The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a RADIUS client and server. Our attack exploits an MD5 chosen-prefix collision to produce Access-Accept and Access-Reject packets with identical Response Authenticators. This allows our attacker to transform a reject into an accept without knowledge of the shared secret. We show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server. We improved and optimized the MD5 chosen-prefix attack to produce collisions online in less than five minutes (which could be reduced with further engineering efforts). This talk discusses proof of concept applications of our attack against popular RADIUS implementations, and the large-scale disclosure process and mitigation efforts in collaboration with CERT and IETF.

Liskov, Rivest, and Wagner, in their seminal work, formulated tweakable blockciphers and proposed two blockcipher-based design paradigms, LRW1 and LRW2, where the basic design strategy is to xor the masked tweak to the input and output of a blockcipher. The 2-round cascaded LRW2 and 4-round cascaded LRW1 have been proven to be secure up to $O(2^{3n/4})$ queries, but $n$-bit optimal security still remains elusive for these designs. In their paper, Liskov also posed an open challenge of embedding the tweak directly in the blockcipher, and to address this, Goldenberg et al. introduced the tweakable Luby-Rackoff (LR) constructions. They showed that if the internal primitives are random functions, then for tweaks with $t$ blocks, the construction needs $t + 6$ rounds to be optimally $n$-bit CPA secure and $2t + 8$ rounds to be optimally $n$-bit CCA secure, where respectively $t$ and $2t$ rounds were required to process the tweaks. Since blockciphers can be designed much more efficiently than pseudorandom functions, in many practical applications the internal primitives of LR ciphers are instantiated as blockciphers, which however would lead to a birthday-bound factor, which is not ideal for say lightweight cryptography. This paper addresses the following two key questions affirmatively: (1) Can Goldenberg et al.'s results be extended to LR constructions with random permutations as internal primitives without compromising the optimal $n$-bit security? (2) Can the number of rounds required for handling long tweaks be reduced? We formally define TLR-compatible functions, for processing the tweak, which when composed with 4-rounds and 5-rounds of LR construction with random permutations as internal primitives gives us respectively $n$-bit CPA and CCA secure tweakable permutations. For the security analysis, we proved general Mirror Theory result for three permutations. We also propose instantiating TLR-compatible functions with one round LR where a permutation (resp, two AXU hash functions) is used to mask single-block tweaks (resp., variable-length tweaks), thus proposing the $n$-bit CPA (resp., CCA) secure tweakable permutation candidates, $\mathsf{TLRP5}$ and $\mathsf{TLRP5+}$ (resp., $\mathsf{TLRP7}$ and $\mathsf{TLRP7+}$), using $5$ (resp., $7$) LR rounds, which is a significant reduction from the tweak-length-dependent results of Goldenberg et al. As a corollary, we also show $n$-bit CPA (resp., CCA) security of $5$-rounds (resp. $7$-rounds) permutation-based LR construction, which is quite an improvement over the existing $2n/3$-bit security proved by Guo et al.

We study the problem of minimizing round complexity in the context of succinct classical argument systems for quantum computation. All prior works either require at least 8 rounds of interaction between the quantum prover and classical verifier, or rely on the idealized quantum random oracle model (QROM). We design: 1. A 4-round public-coin (except for the first message) argument system for batchQMA languages. Under the post-quantum hardness of functional encryption and learn- ing with errors (LWE), we achieve optimal communication complex- ity (i.e., all messages sizes are independent of batch size). If we only rely on the post-quantum hardness of LWE, then we can make all messages except the verifier’s first message to be independent of the batch size. 2. A 6-round private-coin argument system for monotone policy batchQMA languages, under the post-quantum hardness of LWE. The commu- nication complexity is independent of the batch size as well as the monotone circuit size. Unlike all prior works, we do not rely on “state-preserving” succinct arguments of knowledge (AoKs) for NP for proving soundness. Our main technical contribution is a new approach to prove soundness without rewinding cheating provers. We bring the notion of straight-line partial extractability to argument systems for quantum computation.

HQC is a code-based cryptosystem that has recently been announced for standardization after the fourth round of the NIST post-quantum cryptography standardization process. During this process, the NIST specifically required submitters to provide two kinds of implementation: a reference one, meant to serve lisibility and compliance with the specifications; and an optimized one, aimed at showing the performance of the scheme alongside other desirable properties such as resilience against implementation misuse or side-channel analysis. While most side-channel attacks regarding PQC candidates running in this process were mounted over reference implementations, very few consider the optimized, allegedly side-channel resistant (at least, constant-time), implementations. Unfortunately, HQC optimized version only targets x86-64 with Single Instruction Multiple Data~(SIMD) support, which reduces the code portability, especially for non-generalist computers. In this work, we present two power side-channel attacks on the optimized HQC implementation with just the SIMD support deactivated. We show that the power leaks enough information to recover the private key, assuming the adversary can ask the target to replay a legitimate decryption with the same inputs. Under this assumption, we first present a key-recovery attack targeting standard Instruction Set Architectures~(ARM T32, RISC-V, x86-64) and compiler optimization levels. It is based on the well known Hamming Distance model of power consumption leakage, and exposes the key from a single oracle call. During execution on a real target, we show that a different leakage, stemming from to the micro-architecture, simplifies the recovery of the private key. This more direct second attack, succeeds with a 99\% chance from 83 executions of the same legitimate decryption. While the weakness leveraged in this work seems quite devastating, we discuss simple yet effective and efficient countermeasures to prevent such a key-recovery.

Indistinguishability obfuscation (iO) turns a program unintelligible without altering its functionality and is a powerful cryptographic primitive that captures the power of most known primitives. Recent breakthroughs have successfully constructed iO from well-founded computational assumptions, yet these constructions are unfortunately insecure against quantum adversaries. In the search of post-quantum secure iO, a line of research investigates constructions from fully homomorphic encryption (FHE) and tailored decryption hint release mechanisms. Proposals in this line mainly differ in their designs of decryption hints, yet all known attempts either cannot be proven from a self-contained computational assumption, or are based on novel lattice assumptions which are subsequently cryptanalysed. In this work, we propose a new plausibly post-quantum secure construction of iO by designing a new mechanism for releasing decryption hints. Unlike prior attempts, our decryption hints follow a public Gaussian distribution subject to decryption correctness constraints and are therefore in a sense as random as they could be. To generate such hints efficiently, we develop a general-purpose tool called primal lattice trapdoors, which allow sampling trapdoored matrices whose Learning with Errors (LWE) secret can be equivocated. We prove the security of our primal lattice trapdoors construction from the NTRU assumption. The security of the iO construction is then argued, along with other standard lattice assumptions, via a new Equivocal LWE assumption, for which we provide evidence for plausibility and identify potential targets for further cryptanalysis.

At the current state of the art, algebraic attacks are the most efficient method for finding preimages and collisions for arithmetization-oriented hash functions, such as the closely related primitives Poseidon/Poseidon2 and Neptune. In this paper, we revisit Gröbner basis (GB) attacks that exploit subspace trails to linearize some partial rounds, considering both sponge and compression modes.Starting from Poseidon’s original security evaluation, we identified some inaccuracies in the model description that may lead to misestimated round requirements. Consequently, we reevaluate and improve the proposed attack strategy. We find that depending on the concrete instantiation, the original security analysis of Poseidon under- or overestimates the number of rounds needed for security. Moreover, we demonstrate that GB attacks leveraging subspace trails can outperform basic GB attacks for Poseidon/Poseidon2 and Neptune.We propose a variant of the previous attack strategy that exploits a crucial difference between Poseidon/Poseidon2 and Neptune: while Poseidon’s inverse round functions have a high degree, Neptune’s inverse external rounds maintain the same degree as the forward rounds. Using this new model, we demonstrate that Neptune’s security in compression mode cannot be reduced to its security against the Constrained-Input-Constrained-Output (CICO) problem. To the best of our knowledge, this is the first time a concrete example has been provided where finding preimages is easier than solving the corresponding CICO problem.Our results emphasize the importance of considering the mode of operation in security analysis while confirming the overall security of Poseidon/Poseidon2 and Neptune against the presented algebraic attacks.

Arithmetization-Oriented hash functions are optimized for their verification to be efficiently implemented within various proof systems, but they are often too slow when evaluated on a regular machine. To solve this problem for some specific protocols, some recent proposals introduced a new type of operations: the Split- And-Lookup. The idea in this case is to “split” prime field elements into smaller integers, e.g. by simply considering their binary representations, and then applying a permutation on each such integer before rebuilding a field element from them. Such operations are fast to evaluate, and of a very high degree in the field, which hopefully implies a high resistance against algebraic attacks.In this paper, we investigate the security offered by such components using two distinct approaches. First, we provide a detailed analysis of the cryptographic properties of the Split-And-Lookup construction. In particular, we present technique to efficiently compute its Fourier coefficients and linear approximation probabilities, and use them to show linear approximations of the S-boxes of Skyscraper, Monolith, Tip5, and Reinforced Concrete with surprisingly high probabilities. We also present our own S-boxes that could be used as a drop-in replacement for those of Monolith and Tip5, and would provide enhanced security and performances in some contexts. Finally, we turn our attention to the primitives themselves, and present a freestart partial preimage attack on a version of Tip5 reduced to four out of five rounds, where the attacker is allowed to control only one word in the initialization vector. This can be turned into a collision attack against a four-round version of Tip5 with a capacity reduced to 320 bits out of 384, though it should still provide the same security level as the original hash function. Despite the high degree of the Split-And- Lookup construction, we use an algebraic attack that essentially goes “around” these components.While these results do not directly threaten the security of full-round primitives, they further the understanding of the cryptographic properties of these new operations, and of the actual impact they have on the security against various attacks.

This paper studies quantum linear key-recovery attacks on block ciphers. The first such attacks were last-rounds attacks proposed by Kaplan et al. (ToSC 2016), which combine a linear distinguisher with a guess of a partial key. However, the most efficient classical attacks use the framework proposed by Collard et al. (ICISC 2007), which computes experimental correlations using the Fast Walsh-Hadamard Transform. Recently, Schrottenloher (CRYPTO 2023) proposed a quantum version of this technique, in which one uses the available data to create a quantum correlation state, which is a superposition of subkey candidates where the amplitudes are the corresponding correlations. A limitation is that the good subkey is not marked in this state, and cannot be found easily.In this paper, we combine the correlation state with another distinguisher. From here, we can use Amplitude Amplification to recover the right key. We apply this idea to Feistel ciphers and exemplify different attack strategies on LOKI91 before applying our idea on the CAST-128 and CAST-256 ciphers. We demonstrate the approach with two kinds of distinguishers, quantum distinguishers based on Simon’s algorithm and linear distinguishers. The resulting attacks outperform the previous Grover-meet-Simon attacks.

Over the past decades, extensive research has been conducted on lightweight cryptographic primitives. The linear layer plays an important role in their security. In this paper, we propose a family of linear layers consisting of XORs and rotations, which is called multiple rows mixers (MRM). It is a family designed for LS-type ciphers, but mixing elements from several rows. We investigate the impact of the linear layers on the 3-round trail weight of permutations and explore the properties of the inverse of the linear layers with a low XOR count. We employ a generic and extensible approach to determine the parameters of MRM. This approach can automatically generate linear layers that meet the requirements of a given branch number.By applying these design principles and methods, we derive a linear layer that has a dimension of 5 x 64, a differential branch number of 12, a linear branch number of 5 and a computational cost of 2.6 XOR operations per bit. MRM is not limited to fixed dimension and can be extended to other dimensions. In addition, we present a concrete instantiation of a 320-bit permutation using a more efficient instance of MRM, named Hsilu. Its non-linear layer employs the χ operating on columns. Compared with the permutations of Gaston and NIST lightweight standard Ascon, the round function of Hsilu requires fewer XOR operations. Hsilu exhibits competitive security and performance with Ascon and Gaston. We demonstrate that the best-found 3-round differential and linear trails of Hsilu have much higher weights than those of Ascon. Hsilu outperforms Gaston and Ascon in terms of both software and hardware performance.

In ToSC 2025(1), Jia et al. proposed an SAT-aided automatic search tool for the S-box design. A part of the functionality of this tool is to search for implementations of an S-box with good area and gate-depth complexity. However, it is well-known that the gate depth complexity cannot precisely reflect the latency of an implementation. To overcome this problem, Rasoolzadeh introduced the concept of latency complexity, a more precise metric for the latency cost of implementing an S-box than the gate depth complexity in the real world.In this addendum, we adapt Jia et al.’s tool to prioritize latency as the primary metric and area as the secondary metric to search for good implementations for existing S-boxes. The results show that the combination of Jia et al.’s tool and Rasoolzadeh’s latency complexity can lead to lower-latency S-box implementations. For S-boxes used in LBlock, Piccolo, SKINNY-64, RECTANGLE, PRESENT and TWINE, which are popular targets in this research line, we find new implementations with lower latency. We conducted synthesis comparisons of the area and latency under multiple standard libraries, where our results consistently outperformed in terms of latency. For example, for LBlock-S0, our solution reduces latency by around 50.0% ∼ 73.8% compared to previous implementations in TSMC 90nm library with the latency-optimized synthesis option.

RIPEMD-128 is an ISO/IEC standard hash function based on a doublebranch Merkle-Damgård structure. Its compression function includes two branches with distinct Boolean functions and message expansion permutations. To perform a collision attack, differential characteristics must be constructed simultaneously for both branches under the same message word difference, and the message modification order must align with conditions in both branches. These factors make collision attacks on (reduced) RIPEMD-128 highly challenging.In 2014, an attack on 40 steps of RIPEMD-128 was achieved by Wang with no state differences in round 3. In this work, we analyze message permutation properties and propose two new structures for creating message differences. These structures enable high-probability local collisions in both branches of round 3, extending the attack to more steps. Notably, the second structure can eliminate all state differences in round 3, allowing the attack to cover more than three whole rounds.To ensure practical attacks, we limit the number of conditions based on our message modification strategy and use multi-step message modification techniques to control more conditions. As a result, we successfully generate colliding message pairs for 46-step and 54-step reduced RIPEMD-128, with time complexities of approximately 242 and 254, respectively.

The growing adoption of secure multi-party computation (MPC) has driven the development of efficient symmetric key primitives tailored for MPC. Recent advances, such as the alternating moduli paradigm, have shown promise but leave room for cryptographic and practical improvements. In this paper, we analyze a family of weak pseudorandom functions (wPRF) proposed at Crypto 2024, focusing on their One-to-One parameter sets. We demonstrate that these configurations fail to achieve their intended one-to-one mappings and exploit this observation to develop an efficient key recovery attack.Our analysis reveals critical vulnerabilities, reducing the complexity of key recovery to O(2λ/2 log2 λ) for the Standard One-to-One wPRF and O(20.84λ) for the Reversed Moduli variant – both substantially below their claimed λ-bit security. We validate our findings through experimental evaluation, confirming alignment between predicted and observed attack complexities.

A common drawback of secure vector summation protocols in the single-server model is that they impose at least one synchronization point between all clients contributing to the aggregation. This results in clients waiting on each other to advance through the rounds of the protocol, leading to large latency (or failures due to too many dropouts) even if the protocol is computationally efficient. In this paper we propose protocols in the single-server model where clients contributing data to the aggregation (i) send a single message to the server and (ii) can join aggregation sessions dynamically whenever they have resources, i.e., without the need for synchronizing their reporting time with any other clients. Our approach is based on a committee of parties that aid in the computation by running a setup phase before data collection starts, and a verification/decryption phase once it ends. Unlike existing committee-based protocols such as Flamingo (S&P 2023), the cost for committee members can be made sub-linear in the number of clients, and does not depend on the size of the input client vectors. Our experimental evaluation shows that our protocol, even while allowing dynamic client participation, is competitive with the state of the art protocols that do not have that feature in both computation and communication.

This paper introduces a new one-more computational problem for lattice-based cryptography, which we refer to as the Algebraic One-More MISIS Problem, or AOM-MSIS for short. It is a modification of the AOM-MLWE problem recently introduced by Espitau et al. (CRYPTO '24) to prove security of new two-round threshold signatures. Our first main result establishes that the hardness of AOM-MSIS is implied by the hardness of MSIS and MLWE (with suitable parameters), both of which are standard assumptions for efficient lattice-based cryptography. We prove this result via a new generalization of a technique by Tessaro and Zhu (EUROCRYPT '23) used to prove hardness of a one-more problem for linear hash functions assuming their collision resistance, for which no clear lattice analogue was known. Since the hardness of AOM-MSIS implies the hardness of AOM-MLWE, this resolves the main open question from the work of Espitau et al., who only provided a similar result for AOM-MLWE restricted to {\em selective} adversaries, a class which does not cover the use for threshold signatures. Furthermore, we show that our novel formulation of AOM-MSIS offers a better interface to develop tighter security bounds for state-of-the-art two-round threshold signatures. We exemplify this by providing new proofs of security, assuming the hardness of MLWE and MSIS, for two threshold signatures, the one proposed in the same work by Espitau et al., as well as a recent construction by Chairattana-Apirom et al. (ASIACRYPT 2024). For the former scheme, we also show that it satisfies the strongest security notion (TS-UF-4) in the security hierarchy of Bellare et al. (CRYPTO '22), as a result of independent interest.

We consider the question of whether worst-case hardness of the time-bounded Kolmogorov complexity problem, $\KpolyA$---that is, determining whether a string is time-bounded Kolmogorov random ($K^t$-random) or not---suffices to imply the existence of one-way functions (OWF). Roughly speaking, our main result shows that under a natural strengthening of standard-type derandomization assumptions, worst-case hardness of the \emph{boundary} version of this classic problem characterizes OWFs. In more detail, let $\bKtA$ denote the problem of, given an instance $x$, deciding whether (a) $K^{t_2}(x)\geq n-1$, or (b) $K^{t_1}(x) < n-1$ \emph{but} $K^{t_2}> n - \log n$; that is, deciding whether $x$ is $K^t$-random, or just ``near" $K^t$-random. We say that $\bKpolyA \notin \ioBPP$ if $\bKpolyA \notin \ioBPP$ for all polynomials $t_1,t_2$. We show that under a natural strengthening of standard derandomization assumptions (namely, there exists a constant $\varepsilon > 0$ such that $\E \not\subseteq {\sf ioNTIME}[2^{kn}] \slash 2^{\varepsilon n}$ for every $k \in \N$), OWF exist iff $\bKpolyA \notin \ioBPP$. Along the way, we also demonstrate that if we consider the probabilistic version of Kolmogorov complexity (referred to as $pK^t$) instead, then the characterization holds unconditionally. We finally observe that for most standard optimization problems, hardness ``along boundary" is equivalent to ``plain" worst-case hardness, indicating that assuming hardness along the boundary may be WLOG.

Witness encryption (WE) (Garg et al, STOC’13) is a powerful cryptographic primitive that is closely related to the notion of indistinguishability obfuscation (Barak et, JACM’12, Garg et al, FOCS’13). For a given NP-language L, WE for L enables encrypting a message m using an instance x as the public-key, while ensuring that efficient decryption is possible by anyone possessing a witness for x in L, and if x \notin L, then the encryption is hiding. We show that this seemingly sophisticated primitive is equivalent to a communication-efficient version of one of the most classic cryptographic primitives—namely that of a zero-knowledge argument (Goldwasser et al, SIAM’89, Brassard et al, JCSS’88): for any NP-language L, the following are equivalent: – There exists a witness encryption for L; – There exists a laconic (i.e., the prover communication is bounded by O(log n)) special-honest verifier zero-knowledge (SHVZK) argumentfor L. Our approach is inspired by an elegant (one-sided) connection between (laconic) zero-knowledge arguments and public-key encryption established by Berman et al (CRYPTO’17) and Cramer-Shoup (EuroCrypt’02), and the equivalence between a notion of so-called “predictable arguments” and witness encryption by Faonio, Nielsen, and Venturi (PKC’17).

We present new constructions of succinct non-interactive functional commitments and arguments for circuits, based on the SIS assumption without random oracles. For boolean circuits of depth $d$ and size $s$ over $\ell$-bit inputs, we obtain * a non-interactive functional commitment scheme with $O(1)$-sized transparent CRS, $O(1)$-sized commitment, and $O(d)$-sized openings; * a non-interactive succinct argument (SNARG for P/poly) with $O(1)$-sized transparent CRS, and $O(d)$-sized unambiguous proofs. Here, $O(\cdot)$ hides $\poly(\lambda,\log \ell, \log s)$ factors. Moreover, both schemes support fast online verification, after a circuit-dependent pre-processing phase; do not impose a bound on circuit parameters during set-up; and avoid non-black-box use of cryptography. * Our functional commitment scheme achieves a substantial improvement over the lattice-based schemes of Albrecht, et.~al (CRYPTO 22), Wee and Wu (EUROCRYPT 2023), Balbas, et.~al (TCC 2023), and Wee (EUROCRYPT 2025), all of which (i) rely on strong, non-standard variants of SIS, (ii) require a structured CRS, (iii) impose an a-priori bound on the depth or width of the circuit during set-up. * Our SNARG constitutes the first non-trivial SNARG for general computation based a standard search assumption (without random oracles). Prior works relied on a decisional assumption like LWE, sub-exponential DDH, or $k$-Lin; or non-standard variants of SIS.

A set of unacquainted parties, some of which may misbehave, communicate with each other over an unauthenticated and unreliable gossip network. They wish to jointly replicate a state machine $\Pi$ so that each one of them has fair access to its operation. Specifically, assuming parties' computational power is measured as queries to an oracle machine $H(\cdot)$, parties can issue symbols to the state machine in proportion to their queries to $H(\cdot)$ at a given fixed rate. Moreover, if such access to the state machine is provided continuously in expected constant time installments we qualify it as fast fairness. A state machine replication (SMR) protocol in this permissionless setting is expected to offer consistency across parties and reliably process all symbols that honest parties wish to add to it in a timely manner despite continuously fluctuating participation and in the presence of an adversary who commands less than half of the total queries to $H(\cdot)$ per unit of time. A number of protocols strive to offer the above guarantee together with fast settlement --- notably, the Bitcoin blockchain offers a protocol that settles against Byzantine adversaries in polylogarithmic rounds, while fairness only holds in a fail-stop adversarial model (due to the fact that Byzantine behavior can bias access to the state machine in the adversary's favor). In this work, we put forth the first Byzantine-resilient protocol solving SMR in this setting with both expected-constant-time settlement and fast fairness. Furthermore, our protocol is self-sufficient in the sense of performing its own time keeping while tolerating an adaptively fluctuating set of parties.

We show that the widely-used Schnorr signature scheme meets existential unforgeability under chosen-message attack (EUF-CMA) in the random oracle model (ROM) if the circular discrete-logarithm (CDL) assumption holds in the underlying group. CDL is a new, non-interactive and falsifiable variant of the discrete-logarithm (DL) assumption that we introduce. Our reduction is completely tight, meaning the constructed adversary against CDL has essentially the same running time and success probability as the assumed forger. This serves to justify the size of the underlying group for Schnorr signatures used in practice. To our knowledge, we are the first to exhibit such a reduction. Indeed, prior work required interactive and non-falsifiable assumptions (Bellare and Dai, INDOCRYPT 2020) or additional idealized models beyond the ROM like the algebraic group model (Fuchsbauer, Plouviez and Seurin, EUROCRYPT 2020). To further demonstrate the applicability of CDL, we show that Sparkle+ (Crites, Komlo and Maller, CRYPTO 2023), a threshold signing scheme for Schnorr, is tightly secure (under static corruptions) assuming CDL. Finally, we justify CDL by showing it holds in two carefully chosen idealized models that idealize different aspects of the assumption.

Our work minimizes interaction in secure computation, addressing the high cost of communication rounds, especially with many clients. We introduce One-shot Private Aggregation $\mathsf{OPA}$, enabling clients to communicate only once per aggregation evaluation in a single-server setting. This simplifies dropout management and dynamic participation, contrasting with multi-round protocols like Bonawitz et al. (CCS'17) (and subsequent works) and avoiding complex committee selection akin to YOSO. $\mathsf{OPA}$'s communication behavior \emph{closely} mimics learning-in-the-clear where each client party speaks only once. $\mathsf{OPA}$, built on LWR, LWE, class groups, and DCR, ensures single-round communication for all clients while also achieving sub-linear overhead in the number of clients, making it asymptotically efficient and practical. We achieve malicious security with abort and input validation to defend against poisoning attacks, which are particularly relevant in Federated Learning, where adversaries attempt to manipulate the gradients to degrade model performance or introduce biases. We build two flavors of $\mathsf{OPA}$ (1) from (threshold) key homomorphic PRF and (2) from seed homomorphic PRG and secret sharing. The threshold Key homomorphic PRF addresses shortcomings observed in previous works that relied on DDH and LWR in the work of Boneh~\textit{et al.}(CRYPTO, 2013), marking it as an independent contribution to our work. Our other contributions include new constructions of (threshold) key-homomorphic PRFs and seed-homomorphic PRGs that are secure under the LWE, DCR Assumption, and other Class Groups of Unknown Order.

FROST and its variants are state-of-the-art protocols for threshold Schnorr signatures that are used in real-world applications. While static security of these protocols has been shown by several works, the security of these protocols under adaptive corruptions—where an adversary can choose which parties to corrupt at any time based on information it learns during protocol executions—has remained a notorious open problem that has received renewed attention due to recent standardization efforts for threshold schemes. We show adaptive security (without erasures) of FROST and several variants under different corruption thresholds and computational assumptions. Let n be the total number of parties, t+1 the signing threshold, and t_c an upper bound on the number of corrupted parties. 1. We prove adaptive security when t_c = t/2 in the random oracle model (ROM) based on the algebraic one-more discrete logarithm assumption (AOMDL)—the same conditions under which FROST is proven statically secure. 2. We introduce the low-dimensional vector representation (LDVR) problem, parameterized by t_c, t, and n, and prove adaptive security in the algebraic group model (AGM) and ROM based on the AOMDL assumption and the hardness of the LDVR problem for the corresponding parameters. In some regimes (including some t_c >t/2) we show the LDVR problem is unconditionally hard, while in other regimes (in particular, when t_c = t) we show that hardness of the LDVR problem is necessary for adaptive security to hold. In fact, we show that hardness of the LDVR problem is necessary for proving adaptive security of a broad class of threshold Schnorr signatures.

The leader election problem requires a set of $n$ parties, out of which up to $t$ can be Byzantine, to elect a leader uniformly at random such that no two parties disagree on the elected leader and an honest leader is elected with constant probability. The Scalable Leader Election protocol published in SODA'2006 is an important breakthrough in solving this problem efficiently for all but $o(1)$ of the parties. They achieve a protocol for $t < (\frac{1}{3} - \epsilon)n$ (for $\epsilon = o(1)$) in the full-information setting such that every party only sends $\polylog(n)$ bits. In this paper, we revisit their work and show that there are subtleties in the protocol that are not dealt with in the analysis. In particular, two mechanisms related to ``silencing'' parties and dealing with ``bad nodes'' are at odds with each other, which is why the existing analysis is insufficient. We present these concerns in detail and subsequently present a modification to their protocol with a corresponding analysis to solve leader election with the desired metrics.

Continuous Group Key Agreement (CGKA) is a primitive with which members of a group can continuously establish shared keys. With every interaction, these members also update their individual, local secrets such that temporary corruptions of these secrets only affect the security of shared keys established shortly before (Forward Security; FS) and after the corruption (Post-Compromise Security; PCS). Due to these interactive updates–possibly enriched by dynamic group membership changes–, CGKA is a very powerful but also very complex primitive. In this work, we limit the power of CGKA to identify and analyze its core components. More concretely, we consider the case that all members of a group are always either senders or receivers. Thus, the interaction is strictly unidirectional from the former to the latter: a group of senders Alice establishes shared keys with a group of receivers Bob. With every shared key, Alice updates her local state to achieve FS and PCS; when receiving an established key, each Bob also updates their local state to achieve FS. This notion naturally lifts the so called Unidirectional Ratcheted Key Exchange concept (Bellare et al., Crypto 2017; Poettering and Rösler, Crypto 2018) to the group setting and, thereby, captures and generalizes Signal's Sender Key Mechanism, which is the core of WhatsApp and Signal's group chat protocols. We modularize this concept of Group Unidirectional RKE (GURKE) by considering either single or multiple senders, single or multiple receivers, and static or dynamic membership on each of both sides of the group. To instantiate these new primitives, we develop a building block called Updatable Broadcast KEM (UB-KEM). Using UB-KEM, our GURKE constructions for static groups only use standard Key Encapsulation Mechanisms (KEMs) and induce only a constant communication overhead. Our GURKE constructions for dynamic groups are based on general Non-Interactive Key Exchange (NIKE) and offer a constant communication overhead as long as the set of members is unchanged; only for adding and removing users, a communication overhead logarithmic in the group size is induced. We discuss the benefits of replacing the Sender Key Mechanism in Signal and WhatsApp with our constructions, and demonstrate their practicality with a performance evaluation of our proof of concept UB-KEM implementation.

There is a gap between the security of constrained PRFs required in some applications and the security provided by existing definitions. This gap is typically patched by only considering nonadaptive security or manually mixing the CPRF with a random oracle (implicitly constructing a new CPRF) to achieve adaptive security. We fill this gap with a new definition for constrained PRFs with strong adaptive security properties and proofs that it is achieved by practical constructions based on the cascade PRF (which generalized GGM) and AMAC. We apply the definition for analyzing searchable symmetric encryption and puncturable key wrapping.

One of the main shortcomings of classical distributed cryptography is its reliance on a certain fraction of participants remaining honest. Typically, honest parties are assumed to follow the protocol and not leak any information, even if behaving dishonestly would benefit them economically. More realistic models used in blockchain consensus rely on weaker assumptions, namely that no large coalition of corrupt parties exists, although every party can act selfishly. This is feasible since, in a consensus protocol, active misbehavior can be detected and ``punished'' by other parties. However, ``information leakage'', where an adversary reveals sensitive information via, e.g., a subliminal channel, is often impossible to detect and, hence, much more challenging to handle. A recent approach to address this problem was proposed by Dziembowski, Faust, Lizurej, and Mielniczuk (ACM CCS 2024), who introduced a new notion called \emph{secret sharing with snitching}. This primitive guarantees that as long as no large coalition of mutually trusting parties exists, every leakage of the shared secret produces a ``snitching proof'' indicating that some party participated in the illegal secret reconstruction. This holds in a very strong model, where mutually distrusting parties use an MPC protocol to reconstruct any information about the shared secret. Such a ``snitching proof'' can be sent to a smart contract (modeled as a ``judge'') deployed on the blockchain, which punishes the misbehaving party financially. In this paper, we extend the results from the work of CCS'24 by addressing its two main shortcomings. Firstly, we significantly strengthen the attack model by considering the case when mutually distrusting parties can also rely on a trusted third party (e.g., a smart contract). We call this new primitive \emph{strong} secret sharing with snitching (SSSS). We present an SSSS protocol that is secure in this model. Secondly, unlike in the construction from CCS'24, our protocol does not require the \emph{honest} parties to perform any MPC computations on hash functions. Besides its theoretical interest, this improvement is of practical importance, as it allows the construction of SSSS from any (even very "MPC-unfriendly") hash function.

Modern efficient secure multi-party computation (MPC) protocols typically follow an offline-online design, where offline protocols produce a sufficient amount of correlated randomness that would be consumed during the online phases. The past decades have witnessed maturing of efficient online protocols, for computing circuits over either arbitrary finite fields or rings $\mathbb{Z}_{p^k}$. In particular, protocols tailored for $\mathbb{Z}_{2^k}$ arithmetic have achieved better concrete efficiency in most real-life applications, as it naturally captures modern CPU architectures. On the other hand, a recent paradigm of {\em pseudorandom correlation generator} (PCG) initiated by Boyle et al. (CCS'18, Crypto'19) opens a door to efficient preprocessing with sublinear communication. Since then, PCGs have been extensively studied and developed to produce various types of correlations required from online protocols. Although Li et al. (EuroCrypt'25) recently put a significant step forward and propose efficient PCGs for arbitrary finite fields, the current state of PCGs for rings is not satisfying at all. Towards the great demand for efficiently generating correlations over rings, we investigate PCGs for general Galois rings, which simultaneously unify finite fields and integer rings modulo $p^k$. In summary, we establish the following results: (i) We generalize the state-of-the-art PCG constructions for oblivious linear evaluations (OLE) over Galois fields to {\em arbitrary Galois rings}, basing on Galois theory and the Hensel lift. Moreover, our PCGs for Galois rings are as efficient as PCGs for fields. Concretely, for $mN$ OLE correlations over $\mathbb{Z}_{2^k}$, we require $O(m\log{N})$ communication and $O(m^2N\log{N})$ computation, where $m$ is an arbitrary integer $\geq 2$. In comparison, to our best knowledge, previous approaches incur communication at least linear in $N$. (ii) We extend the above OLE construction to provide various types of correlations over any Galois ring. One of the fascinating applications is an efficient PCG for two-party SPD$\mathbb{Z}_{2^k}$ authenticated multiplication triples (Crypto'18). For $mN$ SPD$\mathbb{Z}_{2^k}$ triples, our approach requires only $O(m\log{N})$ communication and $O(m^2N\log{N})$ computation. Concrete evaluations show that our method significantly outperforms existing schemes based on homomorphic encryption. (iii) In addition, our PCGs for Galois rings also enable multi-party multiplication triple generation, yielding the first efficient MPC protocol for arithmetic circuits over $\mathbb{Z}_{2^k}$ with \emph{silent} and \emph{sublinear} preprocessing. Additional applications include circuit-dependent preprocessing and matrix multiplication triples, etc, which are of independent interest.

The matrix code equivalence problem consists, given two matrix spaces $\mathcal{C},\mathcal{D} \subset \Fq^{m\times n}$ of dimension $k$, in finding invertible matrices $P\in\mathrm{GL}_m(\mathbb{F}_q)$ and $Q\in\mathrm{GL}_n(\mathbb{F}_q)$ such that $\mathcal{D}=P\mathcal{C} Q^{-1}$. Recent signature schemes such as MEDS and ALTEQ relate their security to the hardness of this problem. Recent works by Narayanan, Qiao and Tang on the one hand and by Ran and Samardjiska on the other hand tackle this problem. The former is restricted to the ``cubic'' case $k = m =n$ and succeeds in $\widetilde{\mathcal{O}}(q^{\frac k 2})$ operations. The latter is an algebraic attack on the general problem whose complexity is not fully understood and which succeeds only on $\mathcal{O}(1/q)$ instances. We present a novel algorithm which solves the problem in the general case. Our approach consists in reducing the problem to the matrix code conjugacy problem, \emph{i.e.} the case $P=Q$. For the latter problem, similarly to the permutation code equivalence problem in Hamming metric, a natural invariant based on the \emph{Hull} of the code can be used. Next, the equivalence of codes can be deduced using a usual list collision argument. For $k=m=n$, our algorithm achieves the same time complexity as Narayanan \emph{et al.} but with a lower space complexity. Moreover, ours extends to a much broader range of parameters.

Quasi-cyclic moderate-density parity check (QC-MDPC) code-based encryption schemes under iterative decoders offer highly-competitive performance in quantum-resistant cryptography, but their IND-CCA2 security is an open question because the decoding failure rate (DFR) of these algorithms is not well-understood. The DFR decreases extremely rapidly as the blocklength increases, then decreases much more slowly in regimes known as the waterfall and error floor, respectively. The waterfall behavior is rather well predicted by a Markov model introduced by Sendrier and Vasseur \cite{SV19} but it does not capture the error floor behavior. Assessing precisely for which blocklength this error floor begins is crucial for the low DFRs sought the context of cryptography. By enriching the Markov model \cite{SV19} with information about near codewords we are able to capture this error-floor behavior for a step-by-step decoder. This decoder displays worse decoding performance than the parallel decoders used in practice but is more amenable to a Markov chain analysis. We already capture the error floor with a simplified model. A refined model taking into account certain structural features of the secret key is even able to give accurate key dependent predictions both in the waterfall and error floor regimes. We show that the error floor behavior is governed by convergence to a near codeword when decoding fails. We ran this model for the BIKE cryptosystem with this simpler step by step decoder to better ascertain whether the DFR is low enough to achieve IND-CCA2 security. Our model gives a DFR below $2^{-131.2}$, using a block length $r=13477$ instead of the BIKE parameter $r=12323$. This paper gives some strong evidence that the IND-CCA2 requirement can be met at the cost of a modest increase of less than 10\% in the key size.

The dual attacks on the Learning With Errors (LWE) problem are currently a subject of controversy. In particular, the results of [28], which claim to significantly lower the security level of Kyber [35], a lattice-based cryptosystem currently being standardized by NIST, are not widely accepted. The analysis behind their attack depends on a series of assumptions that, in certain scenarios, have been shown to contradict established theorems or well-tested heuristics [19]. In this paper, we introduce a new dual lattice attack on LWE, drawing from ideas in coding theory. Our approach revisits the dual attack proposed by [28], replacing modulus switching with an efficient decoding algorithm. This decoding is achieved by generalizing polar codes over Z/qZ, and we confirm their strong distortion properties through benchmarks. This modification enables a reduction from small-LWE to plain-LWE, with a notable decrease in the secret dimension. Additionally, we replace the enumeration step in the attack by assuming the secret is zero for the portion being enumerated, iterating this assumption over various choices for the enumeration part. We make an analysis of our attack without using the flawed independence assumptions used in [28] and we fully back up our analysis with experimental evidences. Lastly, we assess the complexity of our attack on Kyber; showing that the security levels for Kyber-512/768/1024 are 3.5/11.9/12.3 bits below the NIST requirements (143/207/272 bits) in the same nearest-neighbor cost model as in [35,28]. All in all the cost of our attack matches and even slightly beat in some cases the complexities originally claimed by the attack of [28].

Oblivious Pseudorandom Functions (OPRFs) are fundamental cryptographic primitives essential for privacy-enhancing technologies such as private set intersection, oblivious keyword search, and password-based authentication protocols. We present the first fully adaptive, partially oblivious threshold pseudorandom function that supports proactive key refresh and provides composable security under the One-More Gap Diffie-Hellman assumption in the random oracle model. Our construction is secure with respect to a new ideal functionality for OPRFs that addresses three critical shortcomings of previous models--specifically, key refresh and non-verifiability issues that rendered them unrealizable. In addition, we identify a gap in a prior work's proof of partial obliviousness and develop a novel proof technique to salvage their scheme.

Randomness is a fundamental requirement in cryptographic systems, enabling secure encryption, commitments, and zero-knowledge proofs. However, real-world randomness sources often suffer from weaknesses that adversaries can exploit, leading to significant security vulnerabilities. While deterministic randomness extraction from a single min-entropy source is impossible, two-source extractors provide a robust solution by generating nearly uniform randomness from two independent weak sources. Moreover, cryptographic systems must also be resilient to leakage and tampering attacks, necessitating the development of non-malleable two-source extractors. In this work, we construct a two-source non-malleable extractor in the Common Reference String (CRS) model, where a random low-degree polynomial is sampled once and made accessible to independent random sources, the distinguisher, and the tamperer. Our extractor requires only linear min-entropy in both sources and doesn't rely on strong computational assumptions, in contrast to prior constructions requiring computational assumptions such as sub-exponential hardness of the Decisional Diffie-Hellman (DDH) problem. Notably, our construction builds upon and relies on the recent breakthrough proof of the polynomial Freiman-Ruzsa conjecture. Our results advance the state of non-malleable cryptographic primitives, with applications in secure storage, leakage-resilient cryptography, and privacy amplification. By eliminating the need for strong computational hardness assumptions, our techniques provide a more foundational and widely applicable method for randomness extraction.

Several recent works have shown lower bounds on the communication cost of secure messaging protocols based on specific primitives. However, these bounds no longer apply if stronger primitives are allowed, such as succinct multi-party non-interactive key exchange (SMNIKE). This is a setup-free primitive where all messages are independent of the number $N$ of parties. Boneh and Zhandry (BZ, CRYPTO'14) present an iO-based MNIKE whose setup (or one message from a designated party) depends on $N$, but all other messages are short. SMNIKE is a strengthening of their primitive that forgoes the setup and where no message depends on $N$, thereby enabling applications in secure messaging. Jain and Jin (JJ, FOCS'22) build indistinguishability obfuscation (iO) for Turing machines with unbounded input length, opening the possibility of SMNIKE via iO and puncturable PRFs (PPRFs). Unfortunately, the punctured keys of known PPRFs grow with their input length $n$; e.g., for the Goldreich--Goldwasser--Micali (GGM) PPRF they have size $n \lambda$. We introduce succinct PPRFs (SPPRFs), a weakened form of PPRFs satisfying a relaxed correctness notion. Notably, SPPRFs have punctured keys whose size is independent of the input size, as long as the punctured point has a short description. We then combine SPPRFs with JJ to show that a variant of the BZ construction is an SMNIKE. At the heart of our SPPRF construction is a novel memory-tight reduction for GGM. While the original GGM reduction requires space $q \lambda$, our proof only needs $5 \lambda$ memory, where $q$ is the number of PRF queries. Our technique allows to show that GGM is an SPPRF, and also that GGM as a (standard) PRF has a memory-tight reduction against adversaries that do not repeat oracle queries, a restriction we prove to be inherent.

This paper studies the security of {\em key derivation functions} (KDFs), a central class of cryptographic algorithms used to derive {\em multiple} independent-looking keys (each associated with a particular context) from a {\em single} secret. The main security requirement is that these keys are pseudorandom (i.e., the KDF is a pseudorandom function). This paper initiates the study of an additional security property, called {\em key control} (KC) security, first informally put forward in a recent update to NIST Special Publication (SP) 800-108 standard for KDFs. Informally speaking, KC security demands that, given a {\em known} key, it is hard for an adversary to find a context that forces the KDF-derived key for that context to have a property that is specified a-priori and is hard to satisfy (e.g., that the derived key consists mostly of 0s, or that it is a weak key for a cryptographic algorithm using it). We provide a rigorous security definition for KC security, and then move on to the analysis of the KDF constructions specified in NIST SP 800-108. We show, via security proofs in the random oracle model, that the proposed constructions based on XOFs or hash functions can accommodate for reasonable security margins (i.e., 128-bit security) when instantiated from KMAC and HMAC. We also show, via attacks, that all proposed block-cipher based modes of operation (while implementing mitigation techniques to prevent KC security attacks affecting earlier version of the standard) only achieve {\em at best} 72-bit KC security for 128-bit blocks, as with AES.

We present the first construction of multiparty distributed point functions based on one-way functions, where the share sizes remain sublinear in the domain size and grow only polynomially with the number of parties. In contrast, existing multiparty distributed point function constructions in Minicrypt have share sizes that grow exponentially with the number of parties.

Non-interactive zero-knowledge (NIZK) proofs enable a prover to convince a verifier of an NP statement’s validity using a single message, without disclosing any additional information. These proofs are widely studied and deployed, especially in their succinct form, where proof length is sublinear in the size of the NP relation. However, efficient succinct NIZKs typically require an idealized setup, such as a a common reference string, which complicates real-world deployment. A key challenge is developing NIZKs with simpler, more transparent setups. A promising approach is the random-oracle (RO) methodology, which idealizes hash functions as public random functions. It is commonly believed that UC NIZKs cannot be realized using a non-programmable global RO—the simplest incarnation of the RO as a form of setup—since existing techniques depend on the ability to program the oracle. We challenge this belief and present a methodology to build UC-secure NIZKs based solely on a global, non-programmable RO. By applying our framework we are able to construct a NIZK that achieves witness-succinct proofs of logarithmic size, breaking both the programmability barrier and polylogarithmic proof size limitations for UC-secure NIZKs with transparent setups. We further observe that among existing global RO formalizations put forth by Camenisch et al. (Eurocrypt 2018), our choice of setup is necessary to achieve this result. From the technical standpoint, our contributions span both modeling and construction. We leverage the shielded (super-poly) oracle model introduced by Broadnax et al. (Eurocrypt 2017) to define a UC NIZK functionality that can serve as a drop-in replacement for its standard variant—it preserves the usual soundness and zero-knowledge properties while ensuring its compositional guarantees remain intact. To instantiate this functionality under a non-programmable RO setup, we follow the framework of Ganesh et al. (Eurocrypt 2023) and provide new building blocks for it, around which are some of our core technical contributions: a novel polynomial encoding technique and the leakage analysis of its companion polynomial commitment, based on Bulletproofs-style folding. We also provide a second construction, based on a recent work by Chiesa and Fenzi (TCC 2024), and show that it achieves a slightly weaker version of the NIZK functionality.

Fully Homomorphic Encryption (FHE) enables computation on encrypted data without decryption, demonstrating significant potential for privacy-preserving applications. However, FHE faces several challenges, one of which is the significant plaintext-to-ciphertext expansion ratio, resulting in high communication overhead between client and server. The transciphering technique can effectively address this problem by first encrypting data with a space-efficient symmetric cipher, then converting symmetric ciphertext to FHE ciphertext without decryption.Numerous FHE-friendly symmetric ciphers and transciphering methods have been developed by researchers, each with unique advantages and limitations. These often require extensive knowledge of both symmetric cryptography and FHE to fully grasp, making comparison and selection among these schemes challenging. To address this, we conduct a comprehensive survey of over 20 FHE-friendly symmetric ciphers and transciphering methods, evaluating them based on criteria such as security level, efficiency, and compatibility. We have designed and executed experiments to benchmark the performance of the feasible combinations of symmetric ciphers and transciphering methods across various application scenarios. Our findings offer insights into achieving efficient transciphering tailored to different task contexts. Additionally, we make our example code available open-source, leveraging state-of-the-art FHE implementations.

It is a widely accepted standard practice to implement cryptographic software so that secret inputs do not influence the cycle count. Software following this paradigm is often referred to as “constant-time” software and typically involves following three rules: 1) never branch on a secret-dependent condition, 2) never access memory at a secret-dependent location, and 3) avoid variable-time arithmetic operations on secret data. The third rule requires knowledge about such variable-time arithmetic instructions, or vice versa, which operations are safe to use on secret inputs. For a long time, this knowledge was based on either documentation or microbenchmarks, but critically, there were never any guarantees for future microarchitectures. This changed with the introduction of the data-operand-independent-timing (DOIT) mode on Intel CPUs and, to some extent, the data-independent-timing (DIT) mode on Arm CPUs. Both Intel and Arm document a subset of their respective instruction sets that are intended to leak no information about their inputs through timing, even on future microarchitectures if the CPU is set to run in a dedicated DOIT (or DIT) mode.In this paper, we present a principled solution that leverages DOIT to enable cryptographic software that is future-proof constant-time, in the sense that it ensures that only instructions from the DOIT subset are used to operate on secret data, even during speculative execution after a mispredicted branch or function return location. For this solution, we build on top of existing security type systems in the Jasmin framework for high-assurance cryptography.We then use our solution to evaluate the extent to which existing cryptographic software built to be “constant-time” is already secure in this stricter paradigm implied by DOIT and what the performance impact is to move from constant-time to future-proof constant-time.

The topic of verifying postquantum cryptographic software has never been more pressing than today between the new NIST postquantum cryptosystem standards being finalized and various countries issuing directives to switch to postquantum or at least hybrid cryptography in a decade. One critical issue in verifying lattice-based cryptographic software is range-checking in the finite-field arithmetic assembly code which occurs frequently in highly optimized cryptographic software. For the most part these have been handled by Satisfiability Modulo Theory (SMT) but so far they mostly are restricted to Montgomery arithmetic and 16-bit precision. We add semi-automatic range-check reasoning capability to the CryptoLine toolkit via the Integer Set Library (wrapped via the python package islpy) which makes it easier and faster to verify more arithmetic crypto code, including Barrett and Plantard finite-field arithmetic, and show experimentally that this is viable on production code.

AES New Instructions (AES-NI) is a set of hardware instructions introduced by Intel to accelerate AES encryption and decryption, significantly improving efficiency across various cryptographic applications. While AES-NI effectively mitigates certain side-channel attacks, its resilience against faults induced by active or malicious fault injection remains unclear.In this paper, we conduct a comprehensive security analysis of AES-NI. By analyzing the opcodes of AES-NI, we identify six pairs of instructions with only a single-bit difference, making them susceptible to bit-flip-type attacks. This vulnerability allows attackers to recover AES keys in both Electronic Codebook (ECB) and Cipher Block Chaining (CBC) modes. We introduce a novel Opcode-based Fault Analysis (OFA) method, employing Gaussian elimination to reduce the search space of the last round key. In particular, with one pair of correct and faulty ciphertexts, OFA can reduce the key search space to 232 for a 128-bit key length. To further reduce the key space for AES-192 and AES-256, we propose the Enhanced Opcode-based Fault Analysis (EOFA), which, compared to exhaustive search, reduces the key space by factors of 2160 and 2192, respectively.Finally, we demonstrate the feasibility of our findings by conducting physical endto- end attacks. Specifically, Rowhammer is leveraged to flip vulnerable opcodes and OFA as well as EOFA techniques are applied to recover secret keys from AES implementations. Our experimental results for AES-ECB-128, AES-ECB-192, and AES-CBC-128 demonstrate that key recovery can be efficiently achieved within 1.03 to 1.36 hours, varying with the cipher. This work highlights a critical vulnerability in AES-NI and outlines a new and novel pathway for fault-based attacks against modern cryptographic implementations.

Implementation-level countermeasures like masking can be applied to any cryptographic algorithm in order to mitigate Differential Power Analysis (DPA). Leveraging re-keying with a Leakage-Resilient PRF (LR-PRF) is an alternative countermeasure that requires a change of primitive. Both options rely on different security mechanisms: signal-to-noise ratio amplification for masking, signal reduction for LRPRFs. This makes their general comparison difficult and suggests the investigation of relevant case studies to identify when to use one or the other as an interesting research direction. In this paper, we provide such a case study and compare the security that can be obtained by using an unprotected hardware coprocessor, to be integrated into a leakage-resilient PRF, and a certified one, protected with implementation-level countermeasures. Both are available on “commercial off-the-shelf” devices and could be used for lightweight IoT applications. We first perform an in-depth analysis of these targets. It allows us to put forward the different evaluation challenges that they raise, and the similar to slightly better cost vs. security tradeoff that the leakage-resilient PRF offers in our experiments. We then discuss the advantages and limitations of both types of countermeasures. While there are contexts where the higher flexibility of masking is needed, we conclude that there are also applications that would strongly benefit from the simplicity of the LR-PRF’s design and evaluation. Positing that the lack of standards is the main impediment to their more widespread deployment, we therefore hope that our results can motivate such standardization efforts.

Transciphering (or Hybrid-Homomorphic Encryption, HHE) is an established technique for avoiding ciphertext expansion in HE applications, saving communication and storage resources. Recently, it has also been shown to be a fundamental component in the practical construction of HE-based multi-party computation (MPC) protocols, being used both for input data and intermediary results (Smart, IMACC 2023). In these protocols, however, ciphers are used with keys that are jointly generated by multiple (possibly malicious) parties, which may require additional security assumptions that have been so far overlooked in the HHE literature. In this paper, we formalize this issue as a security against related-key attacks (RKA) problem and provide efficient solutions for it. We start by presenting an efficient method for homomorphically evaluating Mixed-Filter-Permutator (MFP) ciphers in leveled mode, enabling speedups of up to thousands of times compared to previous literature. For the multi-party scenario, we focus specifically on the Margrethe cipher (Hoffmann et al., INDOCRYPT 2023). We show that, contrary to other commonly used HHE ciphers (e.g. FLIP), Margrethe is out-of-the-box secure for any protocols that allow malicious parties to learn up to two related key streams, enabling security for the vast majority of static MPC protocols. For other cases, we quantify the loss of security based on the number of related key streams (which often depends on the number of malicious parties and specific protocol). Performance-wise, our implementation of Margrethe takes just 3.9 ms to transcipher 4-bit messages, being significantly faster than the state of the art in terms of latency.

Hardware intellectual property (IP) blocks have been subjected to various forms of confidentiality and integrity attacks in recent years due to the globalization of the semiconductor industry. System-on-chip (SoC) designers are now considering a zero-trust model for security, where an IP can be attacked at any stage of the manufacturing process for piracy, cloning, overproduction, or malicious alterations. Hardware redaction has emerged as a promising countermeasure to thwart confidentiality and integrity attacks by untrusted entities in the globally distributed supply chain. However, existing redaction techniques provide this security at high overhead costs, making them unsuitable for real-world implementation. In this paper, we propose HIPR, a fine-grain redaction methodology that is robust, scalable, and incurs significantly lower overhead compared to existing redaction techniques. HIPR redacts security-critical Boolean and sequential logic from the hardware design, performs interconnect randomization, and employs multiple overhead optimization steps to reduce overhead costs. We evaluate HIPR on open-source benchmarks and reduce area overheads by 1 to 2 orders of magnitude compared to state-of-the-art redaction techniques without compromising security. We also demonstrate that the redaction performed by HIPR is resilient against conventional functional and structural attacks on hardware IPs. The redacted test IPs used to evaluate HIPR are available at: https://github.com/UF-Nelms-IoT-Git-Projects/HIPR.

In this work, we introduce ToFA, the first fault attack (FA) strategy that attempts to leverage the classically well-known idea of impossible differential cryptanalysis to mount practically verifiable attacks on bit-oriented ciphers like GIFT and BAKSHEESH. The idea stems from the fact that truncated differential paths induced due to fault injection in certain intermediate rounds of the ciphers lead to active SBox-es in subsequent rounds whose inputs admit specific truncated differences. This leads to a (multi-round) impossible differential distinguisher, which can be incrementally leveraged for key-guess elimination via partial decryption. The key-space reduction further exploits the multi-round impossibility, capitalizing on the relations due to the quotient-remainder (QR) groups of the GIFT and BAKSHEESH linear layer, which increases the filtering capability of the distinguisher. Moreover, the primary observations made in this work are independent of the actual SBox. Clock glitch based fault attacks were mounted on 8-bit implementations of GIFT- 64/GIFT-128 using a ChipWhisperer Lite board on an 8-bit ATXmega128D4-AU micro-controller. Unique key recovery was achieved for GIFT-128 with 3 random byte faults, while for GIFT-64, key space was reduced to 232, the highest achievable for GIFT-64, with a single level fault due to its key-schedule. To the best of our knowledge, this work also reports the highest fault injection penetration for any variant of GIFT and BAKSHEESH. Finally, this work reiterates the role of classical cryptanalysis strategies in fault vulnerability assessment by showcasing the most efficient fault attacks on GIFT.

In this paper we provide new theoretical and empirical evidences that gradient-based deep learning profiling attacks (DL-SCA) suffer from masking schemes. This occurs through an initial stall of the learning process: the so-called plateau effect. To understand why, we derive an analytical expression of a DL-SCA model targeting simulated traces which enables us to study an analytical expression of the loss. By studying the loss landscape of this model, we show that not only do the magnitudes of the gradients decrease as the order of masking increases, but the loss landscape also exhibits a prominent saddle point interfering with the optimization process. From these observations, we (1) propose the usage of a second-order optimization algorithm mitigating the impact of low-gradient areas. In addition, we show how to leverage the intrinsic sparsity of valuable information in SCA traces to better pose the DL-SCA problem. To do so, we (2) propose to use the implicit regularization properties of the sparse mirror descent. These propositions are gathered in a new publicly available optimization algorithm, Scoop. Scoop combines second-order derivative of the loss function in the optimization process, with a sparse stochastic mirror descent. We experimentally show that Scoop pushes further the current limitations of DL-SCA against simulated traces, and outperforms the state-of-theart on the ASCADv1 dataset in terms of number of traces required to retrieve the key, perceived information and plateau length. Scoop also performs the first nonworst- case attack on the ASCADv2 dataset. On simulated traces, we show that using Scoop reduces the DL-SCA time complexity by the equivalent of one masking order.

Bit-wise Fully Homomorphic Encryption schemes like FHEW and TFHE offer efficient functional bootstrapping, enabling concurrent function evaluation and noise reduction. While advantageous for secure computations, these schemes suffer from high data expansion, posing significant performance challenges in practical ap- plications due to massive ciphertexts. To address these issues, we propose VeloFHE, a CUDA-accelerated design to enhance the efficiency of FHEW and TFHE schemes on GPUs. We develop a novel hybrid four-step Number Theoretic Transform (NTT) approach for fast polynomial multiplication. By decomposing large-scale NTTs into highly parallelizable submodules, incorporating cyclic and negacyclic convolutions, and introducing several memory-oriented optimizations, we significantly reduce both the computational complexity and memory requirements. For blind rotation, besides the gadget decomposition approach, we also apply a recent proposed modulus raising technique to both schemes to alleviate memory pressure. We further optimize it by refining computational flow to reduce noise from scaling and maintain accumulator compatibility. For key switching, we address input-output parallelism mismatches, and offloading suitable computations to the CPU, effectively hiding latency through asynchronous execution. Additionally, we explore batching in bootstrapping, de- veloping a general framework that accommodates both schemes with either gadget decomposition or modulus raising method.Our experimental results demonstrate significant performance improvements. The proposed NTT implementation shows over 35% improvement compared to recent GPU implementations. On an RTX 4090 GPU, we achieve speedups of 371.86x and 390.44x for FHEW and TFHE gate bootstrapping, respectively, compared to OpenFHE running on a 48-thread CPU at a 128-bit security level. The corresponding throughputs are 7,007 and 11,378 operations per second. Furthermore, relative to the state-of-the-art GPU implementation [XLK+25], our approach provides speedups of 2.56x, 2.24x, and 2.33x for TFHE gate bootstrapping, homomorphic evaluation of arbitrary functions, and homomorphic flooring operation, respectively. Our VeloFHE surpasses some current hardware designs, offering an effective solution for more practical and efficient privacy-preserving computations.

Trusted Execution Environments (TEEs) have become a pivotal technology for securing a wide spectrum of security-sensitive applications. With modern computing systems shifting to heterogeneous architectures, integrating TEE support into these systems is paramount. One promising line of research has proposed leveraging FPGA technology to provide promising TEE solutions. Despite their potential, current implementations of FPGA-based TEEs have a set of drawbacks. Some solutions (i.e., MeetGo and ShEF) prioritize the secure loading of reconfigurable modules but lack compatibility with established legacy TEE specifications and services. On the other hand, those that aim to establish legacy compatibility (i.e., TEEOD and BYOTee) fail to fully utilize the dynamic reconfigurability and parallel processing capabilities inherent in FPGAs. In this context, we introduce Trusted Reconfigurable Execution Environments (TREE), a novel framework that fulfills the gaps existing in current FPGA-based TEE approaches. TREE enables system designers to fully leverage the reconfigurability capabilities of FPGAs without compromising compatibility with existing TEE specifications. Our reference TREE implementation ensures secure execution of user-customized hardware, legacy software trusted applications (TAs), and TAs that combine both custom hardware and software components, by fully exploiting the FPGA’s dynamic partial reconfiguration capabilities. TREE’s root of trust relies on conventional SoC-FPGA mechanisms including secure initial reconfiguration and memory protection, to ensure the initial bitstream integrity is kept after loaded and that reconfiguration access is restricted to the FPGA fabric after boot. Additionally, TREE provides essential TEE services within the FPGA fabric, including secure storage and cryptographic functions, enabling TAs to securely store sensitive data and perform critical operations in an isolated environment. Our evaluation on an entry-level FPGA, involved assessing TREE using microbenchmarks and real-world applications to compare its hardware costs and performance speedups against OP-TEE. The results showed that TREE’s hardware costs are minimal, while it achieves significant performance speedups, especially when compared to hardware TAs. For empirical demonstrations, we assess two real-world TA examples on TREE: an access control authenticator and a Bitcoin wallet.

Compared to elliptic curve cryptography, a primary drawback of latticebased schemes is the larger size of their public keys and ciphertexts. A common procedure for compressing these objects consists essentially of dropping some of their least significant bits. Albeit effective for compression, there is a limit to the number of bits to be dropped before we get a noticeable decryption failure rate (DFR), which is a security concern. To address this issue, this paper presents a family of error-correction codes that, by allowing an increased number of dropped bits while preserving a negligible DFR, can be used for both ciphertext and publickey compression in modern lattice-based schemes. To showcase the impact and practicality of our proposal, we use the highly optimized ML-KEM, a post-quantum lattice-based scheme recently standardized by NIST. We provide detailed procedures for tailoring our codes to ML-KEM’s specific noise distributions, and show how to analyze the DFR without independence assumptions on the noise coefficients. Among our results, we achieve between 4% and 8% ciphertext compression for MLKEM. Alternatively, we obtain 8% shorter public keys compared to the current standard. We also present isochronous implementations of the decoding procedure, achieving negligible performance impact in the full ML-KEM decapsulation even when considering optimized implementations for AVX2, Cortex-M4, and Cortex-A53.

The benefits of using Deep Learning techniques to enhance side-channel attacks performances have been demonstrated over recent years. Most of the work carried out since then focuses on discriminative models. However, one of their major limitations is the lack of theoretical results. Indeed, this lack of theoretical results, especially concerning the choice of neural network architecture to consider or the loss to prioritize to build an optimal model, can be problematic for both attackers and evaluators. Recently, Zaid et al. addressed this problem by proposing a generative model that bridges conventional profiled attacks and deep learning techniques, thus providing a model that is both explicable and interpretable. Nevertheless the proposed model has several limitations. Indeed, the architecture is too complex, higher-order attacks cannot be mounted and desynchronization is not handled by this model. In this paper, we address the first limitation namely the architecture complexity, as without a simpler model, the other limitations cannot be treated properly. To do so, we propose a new generative model that relies on solid theoretical results. This model is based on conditional variational autoencoder and converges towards the optimal statistical model i.e. it performs an optimal attack. By building on and extending the state-of-the-art theoretical works on dimensionality reduction, we integrate into this neural network an optimal dimensionality reduction i.e. a dimensionality reduction that is achieved without any loss of information. This results in a gain of O(D), with D the dimension of traces, compared to Zaid et al. neural network in terms of architecture complexity, while at the same time enhancing the explainability and interpretability. In addition, we propose a new attack strategy based on our neural network, which reduces the attack complexity of generative models from O(N) to O(1), with N the number of generated traces. We validate all our theoretical results experimentally using extensive simulations and various publicly available datasets covering symmetric, asymmetric pre and post-quantum cryptography implementations.

Masking is one of the most prevalent and investigated countermeasures against side-channel analysis. As an alternative to the simple (e.g., additive) encoding function of Boolean masking, a collection of more algebraically complex masking types has emerged. Recently, inner product masking and the more generic codebased masking have proven to enable higher theoretical security properties than Boolean masking. In CARDIS 2017, Poussier et al. connected this “security order amplification” effect to the bit-probing model, demonstrating that for the same shared size, sharings from more complex encoding functions exhibit greater resistance to higher-order attacks. Despite these advantages, masked gadgets designed for code-based implementations face significant overhead compared to Boolean masking. Furthermore, existing code-based masked gadgets are not designed for efficient bitslice representation, which is highly beneficial for software implementations. Thus, current code-based masked gadgets are constrained to operate over words (e.g., elements in F2k ), limiting their applicability to ciphers where the S-box can be efficiently computed via power functions, such as AES. In this paper, we address the aforementioned limitations. We first introduce foundational masked linear and non-linear circuits that operate over bits of code-based sharings, ensuring composability and preserving bit-probing security, specifically achieving t-Probe Isolating Non-Interference (t-PINI). Utilizing these circuits, we construct masked ciphers that operate over bits, preserving the security order amplification effect during computation. Additionally, we present an optimized bitsliced masked assembly implementation of the SKINNY cipher, which outperforms Boolean masking in terms of randomness and gate count. The third-order security of this implementation is formally proven and validated through practical side-channel leakage evaluations on a Cortex-M4 core, confirming its robustness against leakages up to one million traces.