IACR News
If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.
Here you can see all recent updates to the IACR webpage. These updates are also available:
13 July 2025
Input-Output Global
IOG, is a technology company focused on blockchain research and development. We are renowned for our scientific approach to blockchain development, emphasizing peer-reviewed research and formal methods to ensure security, scalability, and sustainability.
What the role involves:
As a Cryptography Engineer you'll contribute to design, implementation, & integration of secure cryptographic protocols across Cardano-related initiatives, such as Cardano Core Cryptographic Primitives, Mithril, ALBA, Leios etc. This role bridges applied research & engineering, focusing on translating cutting-edge cryptographic designs into robust, production-grade systems. The cryptography engineer will collaborate closely with researchers, protocol designers, architects, product managers, & QA teams to ensure cryptographic correctness, performance, and system alignment.
Closing date for applications:
Contact: Marios Nicolaides
More information: https://apply.workable.com/io-global/j/70FC5D8A0C/
12 July 2025
Gildas Avoine, Xavier Carpent, Diane Leblanc-Albarel
In this paper, we establish a comprehensive set of security properties that should be guaranteed by any cloud-based password manager. We demonstrate that none of the widely deployed mainstream password managers fulfill these fundamental requirements. Nevertheless, we argue that it is feasible to design a solution that is resilient against covert adversaries while allowing users to synchronize their credentials across devices. To support our claims, we propose a password manager design that fulfills all the required properties.
Pierre Civit, Daniel Collins, Vincent Gramoli, Rachid Guerraoui, Jovan Komatovic, Manuel Vidigueira, Pouriya Zarbafian
This paper introduces simple and efficient techniques to address this challenge by proposing a new generic transformation, $\mathcal{ABC}^{++}$. The transformation leverages two key primitives: the ratifier and the propagator. By sequentially composing these primitives with any closed-box Byzantine Agreement (or Reliable Broadcast) protocol, $\mathcal{ABC}^{++}$ produces a robust counterpart that provides both (adaptively secure) forensic support and ($1$-delayed adaptively-secure) accountability. The transformation incurs a subquadratic additive communication overhead, with only $1$ round of overhead for decision and forensic support, and $2$ additional rounds for detection in case of a safety violation (or $O\big(\log(n)\big)$ additional rounds with optimized communication).
The generality of $\mathcal{ABC}^{++}$ offers a compelling general alternative to the subquadratic forensic support solution by Sheng et al. (FC'23) tailored to HotStuff-like protocols, while being more efficient than the (strongly-adaptively-secure) quadratic $\mathcal{ABC}$ accountable transformation (IPDPS'22, JPDC'23). Moreover, it provides the first subquadratic accountable Byzantine Agreement (or Reliable Broadcast) protocols against a ($1$-delayed) adaptive adversary.
Finally, any subquadratic accountable Reliable Broadcast protocol can be integrated into the $\tau_{scr}$ transformation (ICDCS'22) to produce an improved variant, $\tau_{scr}^{++}$. This new version compiles any deterministic (and even beyond) protocol into its accountable counterpart with subquadratic multiplicative communication overhead, significantly improving upon the original quadratic overhead in $\tau_{scr}$.
11 July 2025
Suvradip Chakraborty, James Hulett, Dakshita Khurana
As an application, we obtain NIZK amplification theorems based on very mild worst-case complexity assumptions. Specifically, [Bitansky-Geier, CRYPTO'24] showed that $(\epsilon_\mathsf{s}, \epsilon_{\mathsf{zk}})$-weak NIZK proofs (with $\epsilon_\mathsf{s}$ and $\epsilon_{\mathsf{zk}}$ constants such that $\epsilon_\mathsf{s} + \epsilon_{\mathsf{zk}} < 1$) can be amplified to make their errors negligible, but needed to assume the existence of one-way functions. Our results can be used to remove the additional one-way function assumption and obtain NIZK amplification theorems that are (almost) unconditional; only requiring the mild worst-case assumption that if $\mathsf{NP} \subseteq \mathsf{ioP/poly}$, then $\mathsf{NP} \subseteq \mathsf{BPP}$.
Paula Arnold, Sebastian Berndt, Thomas Eisenbarth, Sebastian Faust, Marc Gourjon, Elena Micheli, Maximilian Orlt, Pajam Pauls, Kathrin Wirschem, Liang Zhao
In this work, we improve the security of this construction significantly by adapting it. We present a new refresh gadget designed specifically for combined attacks. This gadget does not only counteract passive side-channel attacks but additionally randomizes the effect of faults in a detectable but secret-independent manner. We introduce sufficient and attainable security definitions which are stronger than in the work of Berndt et al. to achieve this. Further, we apply the principle to the LaOla construction and prove the stronger security notions for the adapted multiplication gadget, as well as the original properties of composability and strong security against adaptive attacks combining side-channel and faults.
Seunghu Kim, Seongbong Choi, Hyung Tae Lee
In this paper, we present a novel homomorphic matrix multiplication algorithm optimized for matrix-packed ciphertexts, requiring only a multiplicative depth of two. Building on this foundation, we propose an efficient algorithm for homomorphic matrix inversion. Experimental results show that our method outperforms the state-of-the-art: for $8\times 8$ matrices, it achieves a $6.8\times$ speedup over the method by Ahn et al., and enables inversion of larger matrices that were previously infeasible. We further compare our homomorphic matrix multiplication technique against existing matrix-packed homomorphic matrix multiplication algorithms. When used for iterative inversion, our method consistently outperforms prior approaches. In particular, for $16\times 16$ and $32\times 32$ matrices, it achieves $1.88\times$ and $1.43\times$ speedups, respectively, over the algorithm by Aikata and Roy. Finally, we demonstrate the practical benefits of our method by applying it to privacy-preserving linear regression. For a dataset of $64$ samples with $8$ features, our approach achieves a $1.13\times$ speedup in training time compared to the state-of-the-art homomorphic matrix inversion solution.
Ahmet Ramazan Ağırtaş, Emircan Çelik, Oğuz Yayla
Karthik Garimella, Austin Ebel, Brandon Reagen
In this work we ask: can we build an FHE tensor system with a straightforward and transparent packing strategy regardless of the tensor operation? We answer affirmatively and develop a packing strategy based on Einstein summation (einsum) notation. We find einsum notation to be ideal for our approach since the notation itself explicitly encodes the dimensional structure and operation directly into its syntax, naturally exposing how tensors should be packed and manipulated in FHE. We make use of einsum's explicit language to decompose einsum expressions into a fixed set of FHE-friendly operations: dimension expanding and broadcasting, element-wise multiplication, and a reduction along the contraction dimensions.
We implement our design and present EinHops, which stands for Einsum Notation for Homomorphic Tensor Operations. EinHops is a minimalist system that factors einsum expressions into a fixed sequence of FHE operations, enabling developers to perform complex tensor operations using RNS-CKKS while maintaining full visibility into the underlying packing strategy. We evaluate EinHops on a range of tensor operations from a simple transpose to complex multi-dimensional contractions. We show that the explicit nature of einsum notation allows us to build an FHE tensor system that is simple, general, and interpretable. We open-source EinHops at the following repository: https://github.com/baahl-nyu/einhops.
Yusuf Ozmiş
Nathan Maillet, Cyrius Nugier, Vincent Migliore, Jean-Christophe Deneuville
Noor Athamnah, Noga Ron-Zewi, Ron D. Rothblum
State-of-the-art IOPs achieve a linear-size prover and a poly-logarithmic verifier but require a relatively large, logarithmic, number of rounds. While the Fiat-Shamir heuristic can be used to eliminate the need for actual interaction, in modern highly-parallelizable computer architectures such as GPUs, the large number of rounds still translates into a major bottleneck for the prover, since it needs to alternate between computing the IOP messages and the Fiat-Shamir hashes. Motivated by this fact, in this work we study the round complexity of linear-prover IOPs.
Our main result is an IOP for a large class of Boolean circuits, with only $O(\log^*(S))$ rounds, where $\log^*$ denotes the iterated logarithm function (and $S$ is the circuit size). The prover has linear size $O(S)$ and the verifier runs in time $\mathrm{polylog}(S)$ and has query complexity $O(\log^*(S))$. The protocol is both conceptually simpler, and strictly more efficient, than prior linear prover IOPs for Boolean circuits.
Sayon Duttagupta, Arman Kolozyan, Georgio Nicolas, Bart Preneel, Dave Singelee
Xander Pottier, Jan-Pieter D'Anvers, Thomas de Ruijter, Ingrid Verbauwhede
Tom Godden, Ruben De Smet, Kris Steenhaut, An Braeken
Christina Boura, Patrick Derbez, Baptiste Germon, Rachelle Heim Boissier, María Naya-Plasencia
Fuyuki Kitagawa, Takashi Yamakawa
We also propose a new security notion for unclonable puncturable obfuscation (UPO), which primarily extends prior definitions to support challenge inputs drawn from arbitrary high min-entropy distributions, along with some additional refinements. We construct a UPO satisfying this notion from polynomially secure iO and the LWE assumption, thereby avoiding the subexponential assumptions and unproven conjectures required in previous constructions, even in the uniform-challenge setting. In fact, in the uniform-challenge case, we show that iO and OWFs alone suffice, further removing the need for LWE. Again, our constructions and security proofs are arguably simpler than existing ones. As applications, we show that a UPO satisfying this notion is sufficient to copy-protect a variety of puncturable functionalities beyond those studied in the prior work.