International Association for Cryptologic Research

IACR News
17 November 2025

Pratima Jana, Ratna Dutta
ePrint Report
Password-based Authenticated Key Exchange ($\mathsf{PAKE}$) is a widely acknowledged, promising security mechanism for establishing secure communication between devices. It enables two parties to mutually authenticate each other over insecure networks and generate a session key using a low-entropy password. However, the existing $\mathsf{PAKE}$ protocols encounter significant challenges concerning both security and efficiency in the context of the Internet of Things (IoT). In response to these challenges, we contribute to the advancement of post-quantum secure $\mathsf{PAKE}$ protocols tailored for IoT applications, enriching the existing landscape. In this study, we introduce two novel protocols, $\mathsf{PAKE}$-I and $\mathsf{PAKE}$-II, designed to address these concerns and enhance the security standards of $\mathsf{PAKE}$ protocols. While $\mathsf{PAKE}$-I is secure under lattice-based hardness assumptions, $\mathsf{PAKE}$-II derives its security from isogeny-based hard problems. Our lattice-based protocol $\mathsf{PAKE}$-I is secure based on the Pairing with Errors ($\mathsf{PWE}$) assumption and the Decision Ring Learning with Errors ($\mathsf{DRLWE}$) assumption, and our isogeny-based protocol $\mathsf{PAKE}$-II is secure based on the hardness of the Group Action Inverse Problem ($\mathsf{GAIP}$) and the Commutative SuperSingular Diffie-Hellman ($\mathsf{CSSDH}$) problem in the Random Oracle Model ($\mathsf{ROM}$). We present a comprehensive security proof in a conventional game-based indistinguishability security model that addresses offline dictionary attacks, replay attacks, compromise attacks for both parties (client and server) and perfect forward secrecy. Additionally, our proposed $\mathsf{PAKE}$ protocols are the first post-quantum secure $\mathsf{PAKE}$s that achieve identity privacy and resistance to pre-computation attacks.
Through rigorous performance evaluations, the paper demonstrates that the proposed $\mathsf{PAKE}$ schemes are ultralight and exhibit notable advantages in terms of total computation cost and enhanced security properties when compared to the existing protocols. More positively, both proposed $\mathsf{PAKE}$ protocols are optimal in the sense that they achieve mutual authentication explicitly in only three rounds, which is the least number of rounds required for acquiring mutual authentication between two parties.
Colin Finkbeiner, Ghada Almashaqbeh
ePrint Report
Smart contract-based decentralized applications (dApps) have become an ever-growing way to facilitate complex on-chain operations. Oracle services strengthened this trend by enabling dApps to access real-world data and respond to events happening outside the blockchain ecosystem. A large number of academic and industrial oracle solutions have emerged, capturing various designs, capabilities, and security assumptions/guarantees. This rapid development makes it challenging to comprehend the landscape of oracles, understand their trade-offs, and build on them.

To address these challenges, we develop a systematization of knowledge for blockchain oracle services. To the best of our knowledge, our work is the first to provide an extensive study of oracles while empirically investigating their capabilities in practice. After examining the general design framework of oracles, we develop a multi-dimensional systematization framework assessing existing solutions based on their capabilities, trust and security assumptions/guarantees, and their underlying design architecture. To further aid in this assessment, we conduct a number of empirical experiments to examine oracles deployed in practice, thus offering additional insights about their deployment maturity, usage popularity, performance, and ease-of-use. We go on to distill a number of insights and gaps, thus providing a guide for practitioners (on the use of these oracles) and researchers (by highlighting gaps and open problems).
Tianqiao Zhang, Mingming Jiang, Fucai Luo, Yuyan Guo, Jinqiu Hou
ePrint Report
With the rapid advancement of cloud computing technology, outsourcing massive datasets to cloud servers has become a prominent trend, making secure and efficient data sharing mechanisms a critical requirement. Attribute-based proxy re-encryption (ABPRE) has emerged as an ideal solution due to its support for fine-grained, one-to-many access control and robust ciphertext transformation capabilities. However, existing ABPRE schemes still exhibit shortcomings in addressing forward security issues caused by long-term private key leakage, threats from quantum computer attacks, and vulnerabilities to honest re-encryption attacks (HRA). To simultaneously resolve these challenges, this paper introduces a novel cryptographic primitive termed puncturable attribute-based proxy re-encryption with switchable tags (PABPRE-ST), constructing a secure cloud data sharing scheme that supports fine-grained revocation. By integrating puncturable encryption (PE) mechanisms into the ABPRE framework, the scheme achieves fine-grained ciphertext revocation based on tags. In PABPRE-ST, data owners embed tags into ciphertexts, enabling data users to puncture specific tags and thereby revoke access to corresponding ciphertexts at a granular level. Furthermore, the scheme allows delegators to switch ciphertext tags, enhancing sharing flexibility. We formalize the security definitions for the proposed puncturable attribute-based proxy re-encryption scheme and prove its security under the learning with errors (LWE) assumption, which is widely believed to be resistant to quantum computer attacks. Security analysis demonstrates that the proposed scheme achieves HRA security in the standard model.
Tingyu Ge, Mingqiang Wang, Xiaolei Wang, Xinyuan Zhao
ePrint Report
Quantum voting allows us to design voting schemes using quantum mechanics. The existing quantum voting protocols mainly use quantum entangled states. However, the existing protocols rarely consider the problem of repeated voting and tampered voting by malicious voters, and hybrid quantum voting protocols have not been discussed. In this paper, we use EFI pairs (Entity-Friendly Integer pairs) instead of quantum entangled states to address the shortcomings of existing protocols, and propose a new quantum voting protocol. Our protocol is structured to avoid repeated voting by any voter, and can prevent the leakage of voters' voting information. The security of our protocol can be finally reduced to a classical assumption, i.e., BQP = QMA. Combined with quantum key distribution (QKD), we further optimize the protocol to prevent malicious adversaries from interfering with the final voting results. Moreover, we use extended noisy trapdoor claw-free functions (ENTCF) to construct the first hybrid quantum voting protocol, which allows a classical voter to interact with a quantum center through a classical channel to complete the voting process.
Junqing Gong, Brent Waters, Hoeteck Wee, David J. Wu
ePrint Report
In a batched identity-based encryption (IBE) scheme, ciphertexts are associated with a batch label $\mathsf{tag}^*$ and an identity $\mathsf{id}^*$ while secret keys are associated with a batch label $\mathsf{tag}$ and a set of identities $S$. Decryption is possible whenever $\mathsf{tag} = \mathsf{tag}^*$ and $\mathsf{id}^* \in S$. The primary efficiency property in a batched IBE scheme is that the size of the decryption key for a set $S$ should be independent of the size of $S$. Batched IBE schemes provide an elegant cryptographic mechanism to support encrypted memory pools in blockchain applications.

In this work, we introduce a new algebraic framework for building pairing-based batched IBE. Our framework gives the following:

First, we obtain a selectively-secure batched IBE scheme under a $q$-type assumption in the plain model. Both the ciphertext and the secret key consist of a constant number of group elements. This is the first pairing-based batched IBE scheme in the plain model. Previous pairing-based schemes relied on the generic group model and the random oracle model.

Next, we show how to extend our base scheme to a threshold batched IBE scheme with silent setup. In this setting, users independently choose their own public and private keys, and there is a non-interactive procedure to derive the master public key (for a threshold batched IBE scheme) for a group of users from their individual public keys. We obtain a statically-secure threshold batched IBE scheme with silent setup from a $q$-type assumption in the plain model. As before, ciphertexts and secret keys in this scheme contain a constant number of group elements. Previous pairing-based constructions of threshold batched IBE with silent setup relied on the generic group model, could only support a polynomial number of identities (where the size of the public parameters scaled linearly with this bound), and ciphertexts contained $O(\lambda / \log \lambda)$ group elements, where $\lambda$ is the security parameter.

Finally, we show that if we work in the generic group model, then we obtain a (threshold) batched IBE scheme with shorter ciphertexts (by 1 group element) than all previous pairing-based constructions (and without impacting the size of the secret key).

Our constructions rely on classic algebraic techniques underlying pairing-based IBE and do not rely on the signature-based witness encryption viewpoint taken in previous works.
Dilip Kumar S. V., Benedikt Gierlichs, Ingrid Verbauwhede
ePrint Report
We present a generic, automatable framework to reduce the demand for fresh randomness in first-order masked circuits while preserving security in the glitch-extended probing model. The method analyzes the flow of randomness through a circuit to establish security rules based on the glitch-extended probing model. These rules are then encoded as an interference graph, transforming the optimization challenge into a graph coloring problem, which is solved efficiently with a DSATUR heuristic. Crucially, the optimization only rewires randomness inputs without altering core logic, ensuring seamless integration into standard EDA flows and applicability to various gadgets like DOM-indep (Domain-Oriented Masking) and HPC (Hardware Private Circuits). On 32-bit adder architectures, the framework substantially reduces randomness requirements by 79–90%; for instance, the Kogge–Stone adder's requirement of 259 unique random inputs is reduced to 27. All optimized designs were evaluated using PROLEAD, with the leakage results indicating compliance with first-order glitch-extended probing security.
Sven Bauer, Fabrizio De Santis, Kristjane Koleci
ePrint Report
The Unbalanced Oil and Vinegar (UOV) construction is the foundation of several post-quantum digital signature algorithms currently under consideration in NIST's standardization process for additional post-quantum digital signature schemes. This paper introduces new single fault injection attacks against the signing procedure of deterministic variants of signature schemes based on the UOV construction. We show how these attacks can be applied to attack MAYO and PROV, two signature schemes submitted to the NIST call for additional post-quantum signature schemes. The attacks are demonstrated with reference implementations that run on an ARM Cortex-M4 processor. Our attacks do not require precise triggering or precise fault injection capabilities. Any type of fault in large portions of the code has the potential to result in successful key recovery. We demonstrate our attacks with very cheap equipment and simple clock glitching techniques, enabling the recovery of the secret key with either two faulty signatures or one correct signature and one faulty signature in the case of MAYO and one correct signature and two faulty signatures in case of PROV. The fact that our attacks do not require precise fault injection capabilities and can be successful with only a few signatures makes them particularly powerful, hence harmful for the implementation security of post-quantum digital signature schemes.
Parhat Abla
ePrint Report
The existing lattice-based signature and IBE schemes suffer from the non-compactness of public keys or larger reduction loss in the security analysis. Thus we solve and improve those deficiencies as follows:
– First, we construct a lattice-based short signature scheme with a compact verification key in the standard model based on the ring short integer solution (RSIS) assumption. Under the same compactness, the ring modulus of our signature scheme is significantly smaller than the compact signature scheme of Alperin-Sheriff (PKC 2015). More importantly, our signature scheme achieves better reduction loss than all the previous confined guessing-based signatures. In other words, our signature scheme achieves better security and efficiency simultaneously.
– Secondly, we further design a short signature scheme with a nearly compact public key size and an even smaller reduction loss. Our second signature scheme achieves even better reduction loss than our first signature scheme yet at the cost of increasing the public key to a super-constant number of ring vectors.
– Last but not least, we construct an adaptively secure compact IBE scheme from the lattice assumptions and the truncation collision-resistant hash functions (TCRHF) introduced by Jager and Kurek (ASIACRYPT 2018). Note that the previous TCRHF-based IBE schemes are not even close to compactness.
The above improvements mainly benefited from our compact design of the tag functions and their more compact homomorphic evaluations. We also believe that our newly designed tag function may find new applications in designing other cryptographic schemes, like ABE and others.
Mohammad Sadegh Ahmadi, Taraneh Eghlidos, Behzad Abdolmaleki, Ngoc Khanh Nguyen
ePrint Report
Designated Verifier zero-knowledge Succinct Non-Interactive Arguments of Knowledge (DV-zkSNARKs) are cryptographic argument systems in which the ability to verify proofs is restricted to a designated verifier. Unlike publicly verifiable zkSNARKs, these constructions ensure that only an authorized party can validate the correctness of the proof. Existing lattice-based DV-zkSNARK constructions typically rely on either linear-only encryption (LOE) or linear targeted malleability (LTM). The former does not guarantee security against quantum adversaries, while the latter restricts knowledge soundness to the non-adaptive setting. To address these limitations, we propose an inner product argument system that relies solely on the hardness of the Module Short Integer Solution (MSIS) assumption and achieves knowledge soundness in the random oracle model. This construction enables a designated verifier, holding a secret key, to succinctly verify the inner product of a committed witness with an arbitrary vector. By combining our argument system with a linear probabilistically checkable proof (LPCP) compiler, to the best of our knowledge, we obtain the first DV-zkSNARK construction based on standard assumptions. Our implementation achieves prover and verification times comparable to the state of the art, while reducing public parameter size by a factor of 10, at the cost of a 2.5× increase in proof size.
Wei Huang, Shuming Jiao, Huichang Guan, Huisi Miao, Chao Wang
ePrint Report
Optical computing has garnered significant attention in recent years due to its high-speed parallel processing and low power consumption capabilities. It has the potential to replace traditional electronic components and systems for various computation tasks. Among these applications, leveraging optical techniques to address information security issues has emerged as a critical research topic. However, current attempts are predominantly focused on areas such as image encryption and information hiding, with limited exploration of other modern information security concepts, including zero-knowledge proof (ZKP). In this paper, we propose an optical ZKP method based on single-pixel imaging (SPI). By utilizing the flexibility of SPI, our proposed approach can directly acquire randomly permuted results of the source problem's solution in the form of encoded images, thereby encrypting and verifying the original solution. ZKP for the source problem can be realized with optical computing based on a proving protocol without disclosing additional information. Simulated and experimental results show that our proposed method can be effectively applied to two typical ZKP problems: Sudoku and the Hamiltonian cycle problem.
Javier Herranz, Hugo Louiso
ePrint Report
Hash-based signatures are a strong candidate for post-quantum scenarios requiring authentication and integrity. Their security relies only on (well-studied) properties of hash functions, so they may be thought of as being more robust than other schemes that (today) resist quantum attacks, like those based on lattices, coding or isogenies.

Recent works are also studying hash-based signature schemes with additional properties, like group, ring, threshold, or aggregate signature schemes. In this work we do the same for the important case of blind signatures. We describe a possible hash-based instantiation of Fischlin's generic scheme, we motivate our choices and we finally give some benchmarks for running times and memory requirements, resulting from our C implementation.
Alexander Wagner, Marc Schink, Silvan Streit, Dominik Klein, Sven Freud
ePrint Report
The interest in hash-based signatures (HBS) has increased since the need for post-quantum cryptography (PQC) emerged that could withstand attacks by quantum computers. Since their standardization, stateful HBS algorithms have been deployed in several products ranging from embedded devices up to servers.

In practice, they are most applicable to verify the integrity and authenticity of data that rarely changes, such as the firmware of embedded devices. The verification procedure then takes place during a secure boot or firmware update process. In past works, the research community has investigated hardware and software optimizations for this use case and vendors brought forward products.

In this study, we practically evaluate a fault attack on the Winternitz One-Time Signature (WOTS) scheme. The attack can be mounted on different HBS schemes, such as LMS, XMSS, and SPHINCS+. Both the verification and the signing operation can be targeted.

The study describes the preparation and implementation of the attack on a standard microcontroller as well as the difficulties the attacker has to overcome. Additionally, it presents a countermeasure which is easy to implement and can increase the effort for an attacker significantly.
Adithya Bhat, Srinivasan Raghuraman, Panagiotis Chatzigiannis, Duc V Le, Mohsen Minaei
ePrint Report
Existing payment systems make fixed trade-offs between performance and security assumptions. Traditional centralized systems like Visa assume synchronous networks and crash faults to achieve high throughput, while blockchain-based systems (e.g., Algorand, Aptos) adopt Byzantine fault tolerance and partial synchrony for stronger security at the cost of performance. This rigid approach forces all users to accept the same security-performance trade-off regardless of their individual trust and threat models.

We present a flexible payment system where clients independently choose assumptions about (i) network timing (bounded or partial synchrony), (ii) corruption (static or adaptive), and (iii) faults (crash or Byzantine), supporting eight assumption combinations simultaneously. Unlike traditional systems requiring consensus, our approach uses a novel flexible variant of consistent broadcast where clients external to the protocol verify delivery through cryptographic proofs, eliminating the need for global ordering. We implemented our system in Rust and demonstrated that clients choosing partially synchronous network and crash assumptions achieve $+242.1\%$ higher throughput and $+70.4\%$ better latency compared to clients with synchronous network and Byzantine assumptions, confirming that our system enables users to optimize their individual security-performance trade-offs.

14 November 2025

Darya Kaviani, Srinath Setty
ePrint Report
As digital identity verification becomes increasingly pervasive, existing privacy-preserving approaches are still limited by complex circuit designs, large proof sizes, trusted setups, or high latency. We present Vega, a practical zero-knowledge proof system that proves statements about existing credentials without revealing anything else. Vega is simple, does not require a trusted setup, and is more efficient than the prior state-of-the-art: for a 1920-byte credential, Vega achieves 212 ms proving time, 51 ms verification time, 150 kB proofs, and a 436 kB proving key. At the heart of Vega are two principles that together enable a lightweight proof system that pays only for what it needs. First, fold-and-reuse proving exploits repetition and folding opportunities (i) across presentations, by pushing repeated work to a rerandomizable precomputation; (ii) across uniform hashing steps, by folding many steps into a single step; and (iii) for zero-knowledge, by folding the public-coin transcript with a random one. Second, lookup-centric arithmetization extracts relevant values from credential bytes, both for extracting relevant fields without full in-circuit parsing, and to enable length-hiding hashing.
Zhongxiang Zheng, Anyu Wang, Chunhuan Zhao, Guangwu Xu, Zhengtao Jiang, Sibo Feng, Zhichen Yan, Shuang Sun, Xiaoyun Wang
ePrint Report
In this paper, we propose a new post-quantum lattice-based IND-CCA2-secure key encapsulation mechanism (KEM) named Lore. The scheme is based on a variant of the MLWR problem following the LPR structure with two new technologies called variable modulus and CRT compression, which provide a balance of decryption failure probability and ciphertext size. We prove its security in the ROM/QROM and provide concrete parameters as well as a reference implementation to show that our scheme enjoys high efficiency, compact bandwidth and a proper decryption failure rate (DFR) corresponding to its security levels compared with former results.
Markku-Juhani O. Saarinen
ePrint Report
We report on our experiences with the ongoing European standardisation efforts related to the EU Cyber Resilience Act (CRA) and provide interim (November 2025) estimates on the direction that European cryptography regulation may take, particularly concerning the algorithm "allow list" and PQC transition requirements in products.

We also outline some of the risks associated with the partially closed standardisation process, including active impact minimisation by vendors concerned with engineering costs, a lack of public review leading to lower technical quality, and an increased potential for backdoors.

The Cyber Resilience Act came into effect in December 2024, and its obligations will fully take effect for makers of "products with digital elements" from 2027. CRA compliance is a requirement for obtaining the CE mark and a prerequisite for selling products in the European Single Market, which comprises approximately 450 million consumers. The CRA has a wide-ranging set of security requirements, including security patching and the use of cryptography (data integrity, confidentiality for data at rest and data in transit). However, the Cyber Resilience Act itself is a legal text devoid of technical detail: it does not specify the type of cryptography deemed appropriate to satisfy its requirements.

The technical implications of CRA are being detailed in approximately 40 new standards from the three European standardisation organisations, CEN, CENELEC, and ETSI. While the resulting ETSI standards can be expected to be available for free even in the drafting stage, the CEN and CENELEC standards will probably require a per-reader license fee. This, despite recent legal rulings asserting that product security and safety standards are part of EU law due to their legal effects.

Taking a recent (2024) example of cryptographic requirements in such standards, we observe that the definitions and language in the Radio Equipment Directive (RED DA) harmonised standard (EN 18031 series) may allow vendors to take an approach where weak cryptography is considered "best practice" right until exploitation is feasible.

Recognising recent developments such as the EU Post-Quantum Cryptography transition roadmap, many CRA standardisation working groups are moving towards a "State-of-the-Art Cryptography" (SOTA Cryptography) model where approved mechanism listings are published by the European Cybersecurity Certification Group (ECCG). CRA-compliant products may still support other cryptographic mechanisms, but only SOTA is permitted as a safe default for Internet-connected products.
Matthias Fitzi, Aggelos Kiayias, Laurent Michel, Giorgos Panagiotakos, Alexander Russell
ePrint Report
Blockchain protocols based on the popular "Proof-of-Work" mechanism yield public transaction ledgers maintained by a group of distributed participants who solve computationally hard puzzles to earn the right to add a block. The success and widespread adoption of this mechanism has led to staggering energy consumption devoted to solving such (otherwise) "useless" puzzles. While the environmental impacts of the framework have been widely criticized, this has been the dominant distributed ledger paradigm for years.

The Ofelimos "Proof-of-Useful-Work" protocol (Fitzi et al., CRYPTO 2022) addressed this by establishing that useful combinatorial problems could replace the conventional hashing puzzles, yielding a provably secure blockchain that meaningfully utilizes the computational work that underlies the protocol. The usefulness to wastefulness ratio of Ofelimos hinges on the properties of its underlying generic distributed local-search algorithm, Doubly Parallel Local Search (DPLS). We observe that this search procedure is particularly wasteful when exploring steep regions of the solution space.

To address this issue, we introduce Frequently Rerandomized Local Search (FRLS), a new generic distributed local search algorithm that we show to be consistent with the Ofelimos architecture. While this algorithm retains ledger security, we show that it also provides compelling performance on benchmark problems arising in practice: concretely, state-of-the-art local-search algorithms for cumulative scheduling and warehouse location can be directly adapted to FRLS, and we experimentally demonstrate the efficiency of the resulting algorithms.
Hasan Ozgur Cildiroglu, Harun Basmaci, Oguz Yayla
ePrint Report
The advent of quantum computing necessitates a rigorous reassessment of classical cryptographic primitives, particularly lightweight block ciphers (LBCs) deployed in resource-constrained environments. This work presents a comprehensive quantum implementation and security analysis of the Feistel-based LBC MIBS against quantum cryptanalysis. Using the inherent reversibility of its structure, we develop a novel ancilla-free quantum circuit that optimizes qubit count and depth. For MIBS-64 and MIBS-80, our implementation achieves quantum costs of 23,371 and 24,363, requiring 128 and 144 qubits, respectively, with a depth of 4,768. We subsequently quantify the cipher's vulnerability to Grover’s key-search algorithm under the NIST PQC security constraint $\texttt{MAXDEPTH}$. By constructing Grover oracles using inner parallelization with multiple plaintext-ciphertext pairs to suppress false positives, we demonstrate total quantum attack costs of approximately $2^{94}$ for MIBS-64 and $2^{111}$ for MIBS-80. These values fall below NIST’s Level-1 security threshold ($2^{170}$), confirming the susceptibility of both MIBS variants to quantum key-recovery attacks despite their classical lightweight efficiency.

13 November 2025

Hammamet, Tunisie, 8 July - 10 July 2026
Event Calendar
Event date: 8 July to 10 July 2026
Virtual event, Anywhere on Earth, -
Event Calendar
Submission deadline: 30 June 2026