International Association
for Cryptologic Research

Cryptocurrencies, which have gained significant adoption in recent years, face ongoing challenges in scalability and privacy. Payment Channel Hubs (PCHs) constitute a solution to both issues by shifting transactions off the public ledger. Various PCH constructions have been proposed, offering different degrees of unlinkability, efficiency, and inter- operability. However, regulatory compliance remains a significant con- cern, particularly under emerging frameworks like the EU’s Markets in Crypto-Assets (MiCA) regulation and FATF Travel Rule requirements. This work addresses a gap in existing PCH constructions: the lack of regulatory-compliant auditability mechanisms. While concurrent work AuditPCH attempts to address this challenge, it suffers from fundamen- tal limitations, including reliance on channel closures for auditing, vul- nerability to unilateral de-anonymization by the hub, and lack of formal security guarantees for the auditing process. Our approach fundamen- tally differs by providing targeted, non-disruptive auditability that al- lows auditability for high-risk payments while preserving unlinkability for the rest. To achieve this, we present Verifiable Linkable Randomiz- able Puzzles (VLRP), a new cryptographic primitive that enables a party to commit to a secret using two distinct keys: a verifiability key (VK) and an auditability key (AK). This primitive provides (i) verifiability that the owner of the VK issued the commitment, (ii) the ability to ran- domize the commitment to ensure unlinkability, even for the owner of the VK, while still allowing traceability using the AK, and (iii) collaborative auditing that prevents unilateral de-anonymization. We then present Auditable Unlinkable Payment Channel Hubs, AUPCH, a PCH built on VLRP that offers auditability guarantees with stronger se- curity guarantees than existing approaches. AUPCH provides modular integration with existing PCH frameworks (A2L, BlindHub), operates without requiring channel closures, and ensures that auditing requires collaboration between hub and auditing agent, preventing abuse by ei- ther party alone. Crucially, our approach acts as a wrapper around exist- ing PCH implementations, requiring only replacing randomizable puzzle calls with VLRP calls, a minimal change that dramatically reduces de- ployment complexity compared to building new systems from scratch.

Information Set Decoding (ISD) refers to a class of algorithms designed to decode arbitrary linear codes over finite fields. It is among the state-of-the-art methods for solving the Syndrome Decoding Problem (SDP), which lies at the core of code-based cryptography. Since most cryptographic systems operate over the binary field, ISD algorithms are generally designed for this setting. However, emerging cryptographic systems, such as SDitH, that rely on the SDP over non-binary fields, make research into non-binary ISD increasingly relevant. While there have been numerous improvements to ISD algorithms for binary fields, generalizations of these improvements to non-binary fields have resulted in only modest runtime improvements. The only technique which applies specifically to non-binary fields was proposed only last year by Carrier, Hatey and Tillich and consists in solving the SDP over the projective space.

In this paper we continue along this line of research and introduce a novel technique to perform ISD in non-binary fields. Our key idea consists in speeding-up the enumeration of low weight vectors by enumerating only the supports and not the actual values, since these can be recovered by solving a (small) linear system. This idea is at the core of LA-ISD, the first algorithm we propose in the paper. We further enhance it by exploiting a meet-in-the-middle search leading to MitM-LA, the second algorithm we propose in this paper. We analyze our algorithms in both the finite and asymptotic regimes and show that they compare well with competitive solutions. In particular, LA-ISD results in the best memory-less algorithm, while MitM-LA is (slightly) faster than the state-of-the-art algorithm by Carrier, Hatey and Tillich for many parameter-sets as well as asymptotically.

Abstract. Linear algebraic relations, such as inner products ⟨a, b⟩, underlie a wide range of cryp- tographic constructions, including zero-knowledge proofs, SNARKs, polynomial commitment schemes, and more. In this work, we consider group-scalar relations, i.e., statements of the form ⟨A, b⟩, where A is a vector of group elements and b is a vector of field elements. In many crypto- graphic settings, it is necessary to prove relationships between group elements like public keys, or other cryptographic objects without access to the underlying discrete logarithms. Our results are as follows:

– At the protocol level, we introduce the first Inner Product Argument (IPA) that specifically fo- cuses on group-scalar relations in bilinear groups. It achieves constant-size proofs and constant- time verification, maintaining commitments and arguments entirely in the source group. Our techniques enable new applications and significantly improve efficiency compared to state-of- the-art IPAs such as Dory (TCC ’21) and GIPA (Asiacrypt ’21), which rely on recursive folding techniques and thus have logarithmic proofs and verification time. We prove security in the Algebraic Group Model under the q-DHE and q-DL assumptions.

– At the primitive level, we present a new class of functional commitments for linear functions over group-scalar elements. It enables even more applications such as polynomial commit- ments for values hidden inside group exponentiations.

– To showcase our contributions, we demonstrate new applications—most notably, we introduce the notion of dynamic threshold verifiable random functions, which we believe to be a valuable tool for distributed randomness generation. We further present dynamic threshold signatures without random oracles, polynomial commitments over group-encoded inputs, and their ap- plications to oblivious proofs.

Our results provide modular and efficient tools to build cryptographic protocols without typical SNARK frameworks, simplifying real-world deployments. To demonstrate the practicality of our contributions, we provide an implementation and related benchmarks.

Subversion-resilient cryptography has garnered increasing attention in recent years due to growing concerns about cryptographic subversions in real-world applications. Among the existing countermeasures, the notion of cryptographic reverse firewalls (RFs), initially proposed by Mironov and Stephens-Davidowitz (EUROCRYPT 2015) and later extended by Chakraborty et al. (EUROCRYPT 2022) to the universally composable (UC) model, has proven to be a powerful tool for building subversion-resilient cryptographic protocols. In this work, we focus on designing subversion-resilient authenticated key exchange (AKE) protocols, which are critical components of secure Internet communication. We present the f irst generic framework for subversion-resilient UC-secure AKE protocols leveraging RFs. In spired by the state-of-the-art advancements by Chakraborty et al. (ASIACRYPT 2024), we address subversions: where a party’s implementation is covertly altered to exfiltrate secrets or behave unpredictably when triggered by adversarial inputs. A key contribution of our work is the introduction of a new AKE functionality which, for the first time, incorporates security against key control, an essential aspect of achieving subversion resilience. We also provide a concrete instantiation of our framework, demonstrating its feasibility in practice. Notably, the RFs in our proposed AKE protocol are transparent, an important property of RF as defined originally, which allows deployment of RF without all parties explicitly knowing about it and allows robust security. Achieving transparency for RFs has been widely regarded as challenging, particularly when addressing broader subversion attacks (e.g., input-trigger attacks) in the UC model. Our approach, thus, not only advances the state of AKE protocol design, but also offers insights into building other subversion-resilient protocols in the UC model using transparent RFs.

This paper introduces DAWN, a compact and efficient NTRU encryption utilizing double encoding, which is provably secure under the NTRU assumption and the Ring-LWE assumption. We propose a novel technique for NTRU encryption called the zero divisor encoding. Unlike the polynomial encoding technique proposed by Hoffstein and Silverman (2001) and the vector encoding technique proposed by Zhang, Feng, and Yan in NEV (Asiacrypt 2023), our zero divisor encoding technique leverages the algebraic structure of the ring used in NTRU, enabling greater ciphertext compression while maintaining negligible decryption failure.

We further develop a paradigm for NTRU encryption called the double encoding paradigm to maximize the potential of the zero divisor encoding. This paradigm transforms optimizing an NTRU-based encryption into constructing a better encoding within the NTRU context, providing more concrete direction for scheme development. Several previous NTRU encryptions can be situated within this paradigm with different parameters, facilitating direct comparison. We instantiate this paradigm based on the provably IND-CPA secure NTRU variant by Stehlé and Steinfeld (Eurocrypt 2011) to achieve an IND-CPA secure PKE, and subsequently employ the Fujisaki-Okamoto transformation to achieve an IND-CCA secure KEM.

We present two parameter settings of DAWN: DAWN-$\alpha$ minimizes ciphertext size, achieving lengths of 436 bytes under NIST-I security and 973 bytes under NIST-V security; DAWN-$\beta$ minimizes the combined size of the public key and ciphertext, attaining combined sizes of 964 bytes under NIST-I security and 2054 bytes under NIST-V security. DAWN achieves superior compactness and performance among current lattice-based KEMs without introducing additional security assumptions. Compared to NEV (Asiacrypt 2023), the previously leading NTRU-based KEM in balancing compactness and performance, DAWN demonstrates 20\%--29\% greater compactness at approximate security levels and decryption failure probabilities, while executing 1.1X--2.0X faster in a complete ephemeral key exchange process.

A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to jointly establish a cryptographically strong key, in the setting where the only information shared in advance is a low-entropy "password". The two standard security definitions for PAKE are the game-based one by Bellare, Pointcheval and Rogaway (BPR-security, EUROCRYPT 2000) and the Universally Composable (UC) one by Canetti et al. (EUROCRYPT 2005). It is well-known that UC-security implies BPR-security; however, there are a large number of variants of both definitions, and the relation between them is not entirely clear.

In this work, we thoroughly study a variant of BPR-security by Katz, Ostrovsky and Yung (KOY-security, JACM 2009):

1. We show, via a counterexample, that UC-security does \emph{not} imply KOY-security;

2. We then prove that a variant of UC-security, called implicit-only UC-security (Dupont et al., EUROCRYPT 2018), implies KOY-security.

Interestingly, we make the observation that KOY- and implicit-only UC-security essentially strengthen their standard counterparts in the same manner. We also present detailed explanations of all four security notions.

The notion of indifferentiability was proposed by Maurer et al. to bound the distinguishing advantage of a construction built on a public primitive, from a public random function. In Indocrypt'10, Mandal et al. have shown that the sum of two independent permutations is indifferentiable from a public random function up to $2^{2n/3}$ queries. Later in ACNS'15, Mennink and Preneel identified an analytical flaw of Mandal et al's result and revised the security bound to $2^{2n/3}/n$. In Eurocrypt'18, Bhattacharya and Nandi have improved their indifferentiable bound to $2^n$ queries, which was again identified as incorrect in the analysis by Gunsing et al. In this paper, we study the indifferentiability of a few other PRF constructions, namely STH and EDM constructions. We will show that neither STH nor STH2 is indifferentiable, which led us to propose a generalized version called gSTH. We have shown that gSTH achieves a tight $l$-bit security bound, where $l$ denotes the size of the constants in terms of bits used in the construction. While we show that EDM achieves a tight $n/2$-bit indifferentiable bound with respect to our proposed simulator, single-keyed EDM is not indifferentiable from a public random function. We would like to mention that all the proofs and the attacks have been done in the sequential indifferentiability model.

Layer-2 protocols are pivotal in enhancing the scalability of blockchain systems, enabling faster off-chain transactions while maintaining security. These protocols can bridge consensus-based blockchain systems and advanced applications, such as Multiparty Computation (MPC) protocols, often defined within the Universal Composability (UC) Framework. However, despite the existence of some UC-defined protocols, there is currently no comprehensive UC definition for isomorphic multiparty state channels, in particular that are not dependent on the ledger model: account or UTxO based ledger. These protocols depend heavily on timelock mechanisms and the accurate representation of time, which are challenging to model within the UC Framework. Our work addresses this gap by proposing a UC-based definition, i.e., functionality, for isomorphic multi-party state channels that realistically model timely actions of honest users, a critical feature for the security of the channel protocol. Moreover our definition is agnostic with respect to the ledger model. Additionally, we introduce an extended timelock-aided global ledger functionality and demonstrate the security of existing protocols, namely Hydra proposed by Chakravarty et al. (FC'21), under the UC Framework and our proposed functionalities. This contribution provides a robust foundation for developing secure and scalable off-chain protocols in blockchain ecosystems. Finally, we concretely provide the construction of the extension of the Hydra Protocol, only outlined by the original work, and also prove it secure under our framework.

Asynchronous complete secret sharing (ACSS) and asynchronous dynamic proactive secret sharing (ADPSS) are fundamental primitives for secret sharing and resharing in threshold systems. They serve broad applications in distributed key management (DKM), multi-party computation, and blockchain. However, ACSS constructions that employ homomorphic commitments incur notable computational overhead, especially in batched executions. Conversely, lightweight variants require quadratic per-secret communication, which grows rapidly with the committee size. Building upon instances of ACSS, ADPSS constructions inevitably inherit these inefficiencies.

To address these limitations, we introduce GoSSamer, a concretely and asymptotically efficient protocol suite, where both GoSSamer-ACSS and GoSSamer-ADPSS achieve (1) lightweight computation with only finite-field arithmetic and hash functions, (2) asymptotically optimal, linear per-secret communication, (3) optimal resilience in asynchronous networks, a nd (4) post-quantum security.Leveraging our proposed share propagation and verification mechanisms, GoSSamer-ACSS reduces the runtime by 97% against the linear-communication scheme hbACSS (NDSS'22), and lowers the bandwidth usage by 75% compared to the lightweight solution SS24 (JoC'24) in a 64-node committee. By decoupling the ADPSS framework from the commitment-based ACSS through a new consistency verification technique, GoSSamer-ADPSS boosts key resharing throughput by 16-22$\times$ compared to LongLive (Usenix Security'23), and reduces its bandwidth by 47.6% in 16-node committees. GoSSamer directly accelerates real-world applications like distributed key management. Specifically, the runtime in GoSSamer-ACSS-based distributed key generation outperforms DXK+23 (Usenix Security'23) by 7-11$\times$, while GoSSamer-ADPSS-based key resharing outperforms LongLive by 9-13$\times$.

In recent years, federated learning has gained significant momentum as a collaborative machine learning approach, particularly in the field of medicine. While the decentralized nature of federated learning boasts greater security guarantees compared to traditional machine learning methods, it is still susceptible to myriad attacks. Moreover, as federated learning becomes increasingly ubiquitous in medicine, its use for classification tasks is expected to increase; however, maintaining patient data confidentiality remains a significant challenge, especially for genetic data. In this work, we introduce a novel framework for secure federated inference on nucleotide-based genotype data and provide a gateway to private inference through fully homomorphic encryption. A federated model with five local clients was created and trained before being encrypted with the TFHE cryptosystem and placed for inference. This framework successfully identified promoter sequences encoded within given DNA sequences, showing its potential applications in secure genomic data analysis in a federated context. Our work represents a crucial step in privacy-preserving federated inference on nucleotide-based data.

We present the first algorithm for computing class groups and unit groups of arbitrary number fields that provably runs in probabilistic subexponential time, assuming the Extended Riemann Hypothesis (ERH). Previous subexponential algorithms were either restricted to imaginary quadratic fields, or relied on several heuristic assumptions that have long resisted rigorous analysis.

The heart of our method is a new general strategy to provably solve a recurring computational problem in number theory (assuming ERH): given an ideal class $[\mathfrak a]$ of a number field $K$, sample an ideal $\mathfrak b \in [\mathfrak a]$ belonging to a particular family of ideals (e.g., the family of smooth ideals, or near-prime ideals). More precisely, let $\mathcal{S}$ be an arbitrary family of ideals, and $\mathcal{S}_B$ the family of $B$-smooth ideals. We describe an efficient algorithm that samples ideals $\mathfrak b \in [\mathfrak a]$ such that $\mathfrak b \in \mathcal{S}\cdot\mathcal{S}_B$ with probability proportional to the density of $\mathcal{S}$ within the set of all ideals.

The case where $\mathcal{S}$ is the set of prime ideals yields the family $\mathcal{S}\cdot\mathcal{S}_B$ of near-prime ideals, of particular interest in that it constitutes a dense family of efficiently factorable ideals. The case of smooth ideals $\mathcal{S} = \mathcal{S}_B$ regularly comes up in index-calculus algorithms (notably to compute class groups and unit groups), where it has long constituted a theoretical obstacle overcome only by heuristic arguments.

In this paper we present a Schnorr-like linkable ring signature scheme we call d/v-CLSAG that is an extension of the d-CLSAG scheme proposed in 2019 by Brandon Goodell, Sarang Noether, and Arthur Blue. The proposed extension allows the use of different group generators for different layers of ring members: $\mathbf{pk} := \mathbf{sk} \circ \mathbf{G},\ \mathbf{G} = (G_{k_0},\dots,G_{k_{d-1}}) \in \texttt{G}^d$, while the original scheme assumes the use of the same generator $G$ across all layers: $\mathbf{pk} := \mathbf{sk} \circ \mathbf{G},\ \mathbf{G} = (G,\dots,G) \in \texttt{G}^d$. To improve the signature size, we use key aggregation techniques in the same way, but for distinct group generators $\{G_k\}$ individually. Note that we don't require the absence of efficiently-computable discrete logarithm relations between $\{G_k\}$. However, it might be possible, that adding such a limitation would allow us to reduce the signature size. This is the subject of future studies. We provide the security statements for the proposed updated scheme.

Doctolib is a popular healthcare platform, used by over 90 million users across France, Italy, and Germany. One of its main features is the secure data exchange between patients and doctors, with 7 million documents shared per month. Doctolib claims to provide the "world's first end-to-end encryption platform built for health applications". The encryption protocol, described in a Whitepaper and Github repository, relies on envelope encryption and lets users upload ciphertexts for the secure data exchange. The ciphertexts are stored and retrieved through a distributed system, consisting of a data server and a key server. To access the data, recipients fetch the ciphertexts and decrypt them with their private key. However, the platform does not require end-users to maintain any cryptographic keys themselves and instead relies on a virtual device that leverages the two-server setting. The virtual device splits the user's private key over both servers, and uses password-based authentication for its retrieval. Overall, the goal of the protocol is to ensure confidentiality of the uploaded medical records as long as at most one server is corrupt. In this work, we analyze the security of Doctolib's distributed encryption protocol. First, we define a set of formal security models for such password-based distributed envelope encryption, that capture the optimal security properties under different corruption settings. We then analyze the protocol - abstracted from the available information - in our model, and show that it does not achieve the desired security guarantees. We finally propose a simple modification that strengthens the original protocol through the use of a distributed oblivious pseudorandom function that provably achieves all our security properties.

Asymmetric Password-Authenticated Key Exchange (aPAKE) enables secure key establishment between a client and a server using a pre-shared password, while providing security against offline attacks. However, aPAKE does not guarantee any precomputation resistance, and considers passwords to become immediately available upon server compromise. A recent work by Dayanikli and Lehmann (EuroS&P'24) observed that many existing aPAKE protocols provide stronger precomputation attack resistance than what is guaranteed through the aPAKE model: they often rely on salted password hashes, where a unique salt makes precomputation attacks more difficult. While these salts are sent in clear to the client during authentication, and thus trivial to obtain for an attacker, this makes a difference in multi-user settings with millions of user accounts per server. In order to run bulk precomputation attacks on all users' passwords, the attacker needs to start an authentication session on behalf of every user to obtain their salts. However, this protection is still limited as salts are static, and the attacker can gradually extract all salt values for precomputation attacks.

In this work, we build upon the observation that many aPAKE protocols include salts for their password protection, and propose a new aPAKE variant that makes such bulk precomputation attacks practically infeasible. We propose updatable aPAKE which employs updatable salts. In updatable aPAKE, the salt is implicitly refreshed with each successful user authentication, forcing an attacker to rebuild their precomputation table after every honest user's login -- offering a level of precomputation resistance similar to that of strong aPAKE protocols. We formalize the security of updatable aPAKE in the Universal Composability framework and show how OKAPE-HMQV, the currently most efficient aPAKE protocol, can be lifted to the updatable aPAKE setting in a provably secure way. The core idea is that this salt update can be integrated through relying on the password-based server-side authentication, that is already guaranteed through aPAKE. We also observe that OKAPE-HMQV is very similar to SRP-6a, the currently most widely deployed aPAKE protocol, and explain how the same idea can be used to upgrade this legacy protocol to achieve strong bulk precomputation attack resistance with minimal overhead.

Transformer-based models like BERT and GPT have achieved state-of-the-art performance across a wide range of AI tasks but raise serious privacy concerns when deployed as cloud inference services. To address this, secure multi-party computation (MPC) is commonly employed, encrypting both user inputs and model parameters to enable inference without revealing any private information. However, existing MPC-based secure transformer inference protocols are predominantly designed under the semi-honest security model. Extending these protocols to support malicious security remains a significant challenge, primarily due to the substantial overhead introduced by securely evaluating complex non-linear functions required for adversarial resilience. We introduce Mosformer, the first maliciously secure three-party (3PC) inference framework that efficiently supports large transformers such as BERT and GPT. We first design constant-round comparison and lookup table protocols with malicious security, leveraging verifiable distributed point functions (VDPFs). Building on these, we develop a suite of 3PC protocols for efficient and secure evaluation of complex non-linear functions in transformers. Together with optimized modulus conversion, our approach substantially reduces the overhead of secure transformer inference while preserving model accuracy. Experimental results on the vanilla transformer block show that Mosformer achieves up to a $5.3\times$ speedup and a $4.3\times$ reduction in communication over prior maliciously secure protocols. Despite offering stronger security guarantees, Mosformer achieves comparable or even superior online performance to state-of-the-art semi-honest 2PC and 3PC frameworks, including BOLT (Oakland 2024), BumbleBee (NDSS 2025), SHAFT (NDSS 2025), and Ditto (ICML 2024), on full-scale models such as BERT and GPT-2.

At EUROCRYPT2012, Banerjee, Peikert, and Rosen introduced Ring Learning With Rounding (RLWR) problem and constructed lattice-based pseudorandom functions for the first time. Subsequently, Banerjee, Brenner, Leurent, Peikert, and Rosen named this family of lattice-based pseudorandom functions as SPRING, reanalyzed the security, and gave two practical instances. Building upon the SPRING family, Bouillaguet, Delaplace, Fouque, and Kirchner further extended it to a pseudorandom number generator called SPRING-RS. It is quite fast but still has a certain gap compared with the classical pseudorandom number generator based on symmetric cryptography, and the key size is large. In this work, we present LEAP, a lattice-based pseudorandom number generation scheme characterized by high performance, adaptable parameter selection, and extensive support for parallel processing. Unlike the RLWR problem used in public key cryptography, LEAP treats the public parameter in the RLWR problem as the key as well. Hiding the public parameters leads to larger lattice dimensions and higher standard deviations of error in the concrete security analysis compared to RLWR under identical parameters. These adjustments imply enhanced security, allowing smaller parameters while maintaining the same security level, thereby improving performance. Additionally, we introduce a novel framework that reuses multiple parameters, significantly enhancing overall performance. To mitigate the issue of increased key size caused by treating the public parameter as the key, we design a pseudorandom number generator leveraging the small key size characteristic of a variant of the NTRU assumption, which provides the key required for the high-performance pseudorandom number generator. Compared with the SPRING-RS, the LEAP can reduce the key size by 1.71X while improving performance by 3.30X at the same security level. Under the AVX2 and AVX512 implementations, the performance reaches 1.61 Cycles/byte and 1.14 Cycles/byte, and the throughput reaches 16.12 Gbps and 22.60 Gbps, respectively.

Secure Multi-Party Computation (MPC) in the classical setting requires parties to stay online through the whole computation, which engenders significant inconvenience, especially when dealing with large-scale and complex tasks. The notion of fluid MPC, introduced by Choudhuri et al. (Crypto 2021), aims to tackle this obstacle by presenting a dynamic participation model where parties have the flexibility to join and leave as needed. The best-known honest-majority MPC protocol by Bienstock et al. (Crypto 2023) in the fluid setting achieves linear communication complexity, but still requires significantly larger communication than MPC in the classical setting.

In this paper, we present two concretely efficient fluid MPC protocols with semi-honest security and linear communication in the honest majority setting. To achieve low concrete communication, we propose a separation-generation approach for random double sharings, along with a linear-communication resharing technique for transmitting sharings across two committees. For evaluating multiplication gates, our protocols in the fluid setting achieve the (almost) same communication as the state-of-the-art protocol ATLAS by Goyal et al. (Crypto 2021) in the classical setting. We also extend the two protocols to achieve malicious security while doubling the communication cost. Compared to the best-known fluid MPC protocol, we reduce the communication cost per multiplication gate by a factor of 6 ∼ 9× (resp., 19 ∼ 28×) for semi-honest security (resp., malicious security). As a trade-off, we relax the maximal fluidity where the parties only need to be active in a single round to the submaximal fluidity allowing an extra internal communication round for each committee. We believe that the new setting is a reasonable relaxation for applications and allows us to achieve practical efficiency for fluid MPC.

In this paper, we specifically review Xu et al.’s quantum blind signature scheme for distributed e-voting systems, which primarily focuses on simulating real-life e-voting. The scheme aims to ensure voter anonymity in an e-voting system. However, we found that it not only suffers from identity impersonation attacks but also lacks the blindness property essential to a blind quantum signature. To address these shortcomings, we propose a new quantum blind signature scheme that leverages quantum mechanical properties and a one-way hash function. Considering that a voting scheme naturally involves an election committee member blindly signing a ballot embedded with the name of the selected candidate, we use our quantum blind signature as the foundation to design a quantum voting system. This system effectively prevents the repudiation and counterfeiting issues present in Xu et al.’s scheme. Additionally, we provide relevant security analyses to support our theoretical framework. The results demonstrate that our scheme outperforms existing literature not only in terms of e-voting security properties—such as undeniability, anonymity, and untraceability—but also in conceptual simplicity and computational efficiency.

Quantum security most commonly encompasses only offline passive quantum attacks, where a quantum computer is used by an adversary to solve some computationally hard problem, e.g. factoring or discrete logarithm. However, we are witnessing major efforts for the development and deployment of quantum communication networks, and in this environment, cryptographic protocols may also be implemented in quantum devices. In this new setting, a wider range of online active attacks may become possible, for example against targets that may, either deliberately or inadvertently, run a cryptographic scheme in superposition. In this work, we demonstrate that authentication protocols whose security is based on the difficulty of learning linear functions subject to errors, may be vulnerable to attacks where adversaries can make queries in superposition -- that is, under the so-called "Q2" adversarial model. We do so by describing superposition attacks against a family of symmetric-key authentication protocols based on the LPN problem, a post-quantum cryptography assumption. Our attacks against the HB+ and HB# protocols, both of which have classical proofs of security against active attacks, are based on the Bernstein-Vazirani algorithm, and can efficiently recover the secret key. Despite being conceptually simple, we suggest that our attack techniques might be extended and adapted to also allow for superposition attacks against some modern lattice-based identification and post-quantum signature schemes.

The problem of finding a minimal circuit to implement a given function is one of the oldest in electronics. It is known to be NP-hard. Still, many tools exist to find sub-optimal circuits to implement a function. In electronics, such tools are known as synthesisers. However, these synthesisers aim to implement very large functions (a whole electronic chip). In cryptography, the focus is on small functions, hence the necessity for new dedicated tools for small functions.

Several tools exist to implement small functions. They differ by their algorithmic approach (some are based on Depth-First-Search as introduced by Ullrich in 2011, some are based on SAT-solvers like the tool desgined by Stoffelen in 2016, some non-generic tools use subfield decomposition) and by their optimisation criteria (some optimise for circuit size, others for circuit depth, and some for side-channel-protected implementations). However, these tools are limited to functions operating on less than 5 bits, sometimes 6 bits for quadratic functions, or to very simple functions. The limitation lies in a high computing time.

We propose a new tool to implement quadratic functions up to 9 bits within AND-depth 1, minimising the number of AND gates. This tool is more time-efficient than previous ones, allowing to explore larger implementations than others on 6 bits or less and allows to reach larger sizes, up to 9 bits.