International Association
for Cryptologic Research

This work presents the first third-party cryptanalysis of Blink, a recent tweakable block cipher built on the Three-Hash Framework (THF) with an $\alpha$-reflection structure and a long-key design. We build our analysis on the idea of Superbox, in view of its natural support of local clustering and easy integration with automatic search tools. Thus, we first develop a deliberately lightweight theoretical model that captures the value correlations inside the Superbox of Blink when the value spaces are affine, the weak-key conditions, fixed-key probabilities and the local clustering behaviors. Our theory is only intended as a concrete, easy-to-follow specialization of existing generic frameworks adapted precisely to the structure of Blink. We then build a simple pattern-based automatic search model for weak tweak-key differentials. As a result, for Blink-64 with 448-bit key, we obtain a 10-round distinguisher for up to $2^{442}$ weak keys with probability $2^{-50.42}$; For Blink-128 with 1024-bit key, we obtain a 10-round distinguisher for up to $2^{1010}$ weak keys with probability $2^{-68.83}$, which can be extended to a 12-round multiple differential distinguisher with probability $2^{-96.83}$. The all-zero tweak is a convenient choice to maximize the weak key space. Based on the weak tweak-key distinguisher, we further mount a 13-round key recovery attack on Blink-64, recovering the full 448-bit master key with time complexity $2^{112.15}$ and $2^{56}$ chosen plaintexts. All these distinguishers and key recovery attacks work within the designers' claimed data and time bounds, and our analysis remains consistent with the security of the full-round design of Blink, while offering additional insight into the edge-case behaviors arising from the tweak-key interaction in Blink, and could be potentially informative for future refinements of tweakable block cipher constructions.

This paper introduces the ALF cipher family, designed for format-preserving encryption. The key strategy is to leverage AES-NI instructions to achieve a high software performance while also providing 128-bit security. As the input size may vary a lot between different cases, we present a family of ciphers, where different instances cover different domain sizes. While the included designs differ, the common theme is their use of AES-NI instructions in the designs. A central part of the paper is the design of an AES-related bit-oriented block cipher with varying block size in the interval 16-127 bits. The design is byte-oriented, but allows appending 0-7 bits to a byte-oriented input. We introduce an approach for efficient implementation using AES-NI, even though the block size is not 128 bits. The block cipher family is turned into a format-preserving encryption by a new cycle-sliding transformation, improving slightly on traditional cycle-walking. Performance evaluation shows improvements in speed of several orders of magnitude compared to the standardised algorithm FF1 and the previous FF3.

Private Set Intersection (PSI) has been widely studied, deployed, and demonstrated through various real-life use cases such as mobile private contact discovery, privacy-preserving contact tracing, etc. Nevertheless, the majority of existing solutions typically assume that the underlying datasets are static and require a fresh execution of PSI at each time the datasets are updated over time. In this work, similar to a recent solution by Badrinaryanan et. al' (ASIACRYPT 2024), we investigate the problem of designing efficient and secure updatable PSIs in the honest-but-curious model by adopting the approach of executing a small number of PSIs over smaller sets instead of one PSI over the entire, updated sets. We first identify that existing constructions suffer from two privacy leakages and further propose to mitigate them thanks to the use of circuit PSIs, which are variants of PSI protocols that instead of outputting the resulting intersection, output the secret shares of the intersection and nothing more, combined with secure shuffling when needed. We construct a generic framework for PSI over updated sets which can use any circuit-PSI. Additionally, we show that this framework can easily be extended to a protocol that outputs the cardinality of the intersection instead of the intersection, itself. Finally, we provide an in-depth discussion on the feasibility of circuit PSI over updated sets, with the main challenges to overcome and solutions for some particular cases. Our solutions are implemented in Rust and their performance is compared with the state of the art, achieving an improvement of $11\times$ to $40\times$ in updatable PSI and $14\times$ to $107\times$ in updatable cardinality PSI in computation time. The proposed framework is also demonstrated through a real-life use case, namely, a spam detection filter.

Zero-knowledge protocols allow a prover to prove possession of a witness for an NP-statement without revealing any information about the witness itself. This kind of protocol has found extensive applications in various fields, including secure computation and blockchain. However, in certain scenarios (e.g. when the statements are complicated), existing zero-knowledge protocols may not be well-suited due to their limited applicability or high computational overhead.

We address these limitations by incorporating the notion of publicly verifiable covert (PVC) security into zero-knowledge protocols. PVC security, recently emerging from secure computation, effectively balances security and efficiency in practical scenarios. With PVC security, while a malicious party may attempt to cheat, such cheating will be detected and become publicly verifiable with a significant probability (called deterrence factor, e.g. ${>}90\%$). This notion is well-suited for practical scenarios involving reputation-conscious parties (e.g. companies) and offers substantial efficiency improvements.

In this paper, we present the first definition of zero-knowledge protocols with PVC security. We then propose a generic transformation to convert Sigma protocols with $1$-bit challenge, a kind of protocol widely used for zero-knowledge, into efficient zero-knowledge protocols with PVC security. By applying our transformation, we can substantially improve the efficiency of existing protocols for reputation-sensitive parties. For instance, applying the transformation to achieve a deterrence factor of $93.75\%$ incurs a cost of only around $20\%$ compared to the original protocol. Therefore, our results contribute to significant advancements in practical zero-knowledge protocols.

We present a derivative-free Richelot (2,2)-isogeny formulation using first subresultants and a canonical quadratic lift. Over odd characteristic, we prove its algebraic equivalence in Fp[x] to the classical Wronskian under natural normalization. Leveraging this, we introduce the Guarded Subresultant Route (GSR): a deterministic evaluator with constant-size algebraic guards, a lightweight post-check, and at most one affine retry. It returns a certified triple (U, V, W) or rejects non-admissible inputs, eliminating differentiation while enforcing admissibility and auditable control flow. Prototypes show the core is 1.46–1.70 times faster than the classical Wronskian across varied primes, with GSR adding about 5–10 microseconds of constant overhead. The backend-agnostic design suits batched and hierarchical genus-2 isogeny pipelines for reproducible computation.

The butterfly structures were introduced by Perrin et al. as a generalization of the Dillon's APN permutation operated in 6 bits. It was proved by several authors independently that such butterflies are differentially 4-uniform and have best known nonlinearity among functions over $\mathbb{F}_{2^{2k}}$. In [LLHQ21, LHXZ22] authors provided sufficient coefficient conditions such that the closed butterfly is a permutation and they further prove that such functions have boomerang uniformity 4 and are linear equivalent to Gold functions. In this paper, we adopt techniques from [DZ23] and [GK] to classify closed butterfly structures satisfying more general conditions in terms of EA-equivalence and CCZ-equivalence.

Many Identity-Based Encryption (IBE) schemes rely on the hardness of the Discrete Logarithm Problem, making them vulnerable to quantum attacks like Shor's algorithm. In recent years, lattice-based cryptography has emerged as a source of Post-Quantum cryptosystems, for example with Kyber, Dilithium and Falcon chosen by NIST to be standardized as ML-KEM, ML-DSA and FN-DSA. In the meantime, some IBEs have also been proposed over lattices. However, they can still be considered as interesting theoretical constructions, the community's attention having been more on the NIST competition than on optimizing IBEs, assessing their security, and protecting them against physical attacks.

So, in this paper, we build a new IBE scheme from the highly studied ML-KEM, ML-DSA and ModFalcon. More precisely, we leverage the Module-NTRU trapdoor from ModFalcon to enable extraction of secret keys, we use the encryption and decryption algorithms from ML-KEM, and the modular arithmetic and Number-Theoretic Transform from ML-DSA. Therefore, being able to reuse some of their code, our scheme is easy to implement, and can benefit from existing and future and side-channel protections. In this paper, we also prove the IND-sID-CPA-security of our scheme under the Ring-LWE and Module-NTRU assumptions, and we precisely describe the choice of appropriate parameters. As a work that can be of independent interest, we also provide an efficient estimator for the decryption failure probability of a LWE-based scheme, which allows us to concretely check the negligible failure probability of our scheme, at a standard security level.

This paper presents a security analysis of the ARX-based lightweight block cipher proposed by Mohanapriya and Nithish (Sci Rep 15, 36060 (2025)) for image encryption in IoT environments. The cipher employs a 64-bit key and a 64-bit block size, relying on Addition, Rotation, and XOR (ARX) operations. Our analysis demonstrates that the full-round version of this cipher is vulnerable to differential cryptanalysis. In fact, the cipher can be distinguished from a random permutation using $2^{41}$ chosen plaintexts. Consequently, the designers' security claims are not fully supported.

The Generalized Birthday Problem ($\textsf{GBP}$) serves as a cornerstone for a broad spectrum of cryptanalytic research. The classical solution, Wagner’s $k$-tree algorithm (CRYPTO’02), is characterized by inherently high memory complexity. Subsequently, Biryukov and Khovratovich (NDSS’16) introduced $\textsf{Equihash}$, a memory-hard proof-of-work scheme constructed upon a single-list variant of Wagner’s algorithm. Due to its robust resistance to ASIC mining, $\textsf{Equihash}$ has emerged as one of the most widely adopted proof-of-work schemes in blockchain. However, memory optimization for Wagner-style algorithms remains a persistent challenge in cryptographic research. Conventional approaches primarily focus on reducing list size to lower memory consumption, yet this strategy typically incurs a prohibitive time penalty. For instance, halving the peak memory usage of the $\textsf{Equihash}(200, 9)$ mining algorithm increases its theoretical time complexity by a factor of $2^{24.6}$.

In this work, we investigate a novel optimization vector: List Item Reduction (LIR), which facilitates practical and fine-grained memory-time trade-offs. We systematize existing LIR techniques and propose novel optimization methods integrated into a new hybrid framework. While our approach does not improve asymptotic memory complexity, it achieves a near-linear trade-off in practice, offering substantial benefits for the concrete design of efficient Wagner-style algorithms. Specifically, our techniques reduce peak memory usage by nearly 50% (from $2nN$ to $nN$ bits) across all $\textsf{Equihash}$ parameters, with only an approximate twofold time penalty. Furthermore, we present concrete implementations, including the first realization of an in-place $\textsf{merge}$. Building on these results, we propose an ASIC-friendly framework leveraging an external-memory caching mechanism.

Linear Feedback Shift Registers (LFSRs) combined with non linear filtering functions have long been a fundamental design for stream ciphers, offering a well-understood structure that remains easy to analyze. However, the introduction of algebraic attacks in 2003 shifted the focus toward more complex designs, as filtered LFSRs required larger registers to maintain security. While this was seen as a drawback at the time, it is no longer a limiting factor, and emerging cryptographic applications benefit from specialized designs—challenges that filtered LFSRs can effectively address. In this work, we propose a new filtered LFSR design, called Nostalgia, tailored for Hybrid Homomorphic Encryption (HHE). We use a weightwise quadratic function as filtering function, leveraging its efficiency in the HHE setting while ensuring security against classical attacks. We also discuss the parameter selection of our design and demonstrate its efficiency in this setting by providing a proof-of-concept implementation. In terms of latency, our HHE solution outperforms current state-of-the-art for TFHE-based HHE (Baudrin et. al. Crypto 2025) by a factor of 6.1 times. By revisiting filtered LFSRs in light of modern security requirements, we aim to renew interest in their potential applications and stimulate further cryptanalysis efforts.

Ethereum has established itself as a world computer, enabling general-purpose, decentralized, and verifiable computation via smart contracts on a globally replicated state. However, because all computations and state are public by default, it is fundamentally unsuitable for confidential smart contracts that jointly process private data from multiple users. This motivates the notion of a private world computer: an ideal future form of Ethereum that preserves its integrity and availability guarantees while supporting such confidential smart contracts. Prior constructions based on implementable cryptographic primitives such as fully homomorphic encryption (FHE) inevitably rely on committees that hold secret shares and perform computations using those shares, a capability that is not provided by today's Ethereum validators. We cannot simply modify the Ethereum protocol so as to shift the committee’s role onto the Ethereum validators, because the computational and communication costs borne by the committee grow with the demand for confidential smart contracts, forcing higher hardware requirements for participation, undermining decentralization, and increasing the risk of malicious collusion. Hence, there remains a fundamental trade-off between committee decentralization and scalability for confidential smart contracts.

In this position paper, we make two contributions toward a scalable private world computer. First, we show how indistinguishability/ideal obfuscation (iO), combined with FHE and succinct non-interactive arguments of knowledge (SNARK), yields a private world computer that, after a one-time obfuscation process, introduces no additional ongoing trust assumptions beyond Ethereum’s validators, incurring no additional overhead for validators to process confidential smart contracts compared to public smart contracts. In this design, a single application-agnostic obfuscated circuit, called root iO, suffices to realize arbitrary confidential smart contracts. The outputs of root iO can be verified on-chain at a cost comparable to signature verification, and the obfuscation process can be distributed among multiple parties while remaining secure as long as at least one party is honest. As the second contribution, we outline our roadmap toward a practical implementation of root iO. Assuming that the underlying assumptions of our lattice-based iO construction remain secure, the remaining missing pieces are technically concrete: namely, practical implementations of verifiable FHE and of homomorphic evaluation of a pseudorandom function (PRF) and SNARK verification over key-homomorphic encodings, which together would allow us to implement root iO without incurring prohibitive overhead.

We present the Synergeia (Συνεργία) protocol, a novel, permissionless blockchain protocol that synergistically integrates Proof-of-Work (PoW) and a dynamically regulated Proof-of-Stake (PoS) mechanism. Traditional Nakamoto protocols exhibit consistency violations decaying as $\epsilon \approx exp(-\Omega(k))$ leading to long finality times. Our primary contribution is leveraging a Local Dynamic Difficulty (LDD) scheme to reshape the block inter-arrival time distribution towards a Rayleigh distribution. We prove this yields a full consistency bound of $\epsilon(k) \le exp(-C_{1}k^{2}) + exp(-C_{2}k)$. While this provides a quadratic asymptotic advantage, we demonstrate that for practical security parameters, the bound is dominated by the linear term. Our LDD mechanism achieves a superior constant factor ($C_{2}$) in this linear exponent, requiring only $k=26$ blocks against a 40% adversary for enterprise-grade security ($\epsilon \le 10^{-9}$). Furthermore, we introduce the Decentralized Consensus Service ($\mathcal{F}_{DCS}$) providing BFT-robust consensus on network time, stake, delay, and load via on-chain beacons. This enables a fully autonomous LDD system that dynamically adapts its Slot Gap ($\psi$) and target block time ($\mu_{target}$) to measured network conditions, ensuring the security assumption $\psi > \Delta$ holds robustly. The protocol utilizes an Accumulated Synergistic Work (ASW) metric incorporating Proof-of-Burn for PoS block commitment. As a result of this constant-factor improvement, Synergeia achieves probabilistic finality in approximately 6.5 minutes under typical Bitcoin-like network conditions ($\mathbb{E}[\Delta] \approx 8s$). Additionally, we introduce Burst Finality, an optional mechanism triggered by high transaction fees (secured by Proof-of-Burn) that provides execution-driven confirmation for instant finality. Synergeia establishes a new paradigm for adaptive consensus, offering a significant constant-factor improvement for probabilistic finality alongside optional near-instant settlement.

Applications are invited for a 12-month fixed-term Postdoctoral Research Fellow in the Mathematics Department at the University of Auckland. The research fellow will assist Professor Steven Galbraith with their duties in research in post-quantum cryptography, teaching, and supervision. The ideal candidate will have a track record of publications at IACR conferences on lattice-based, code-based and/or isogeny-based post-quantum crypto. The duties will include: Research in post-quantum cryptography; Writing reports; Teaching parts of COMPSCI 727, COMPSCI 225, and/or other courses in discrete mathematics, cryptography, and number theory; Helping supervise PhD students.

Closing date for applications:

Contact: Steven Galbraith

More information: https://jobs.smartrecruiters.com/TheUniversityOfAuckland/744000095025276-post-doctoral-fellow-12-month-fixed-term-school-of-mathematics-

Event date: 14 September to 16 September 2026
Submission deadline: 28 February 2026
Notification: 28 April 2026

Event date: 6 March 2026
Submission deadline: 15 December 2025
Notification: 19 January 2026

Event date: 27 January to 31 January 2026

Category Labs (https://www.category.xyz/) is a team of systems engineers and researchers on a mission to design and build at the frontier of decentralized technology. We strive to design and build step-function improvements over existing blockchain solutions. After raising $225M in series A funding, led by Paradigm, we are growing our team. - We are seeking Summer Research Interns to join our team and engage in advanced research in the fields of mechanism design, cryptoeconomics, distributed systems, programming languages, cryptography, and governance. This list is not exhaustive; if you have valuable and relevant perspectives, we encourage you to apply. -This internship provides a unique opportunity to gain perspective of cutting edge technology, to advance the science and technology of decentralized systems, and deliver impact at a large scale in industry. -Research projects will be inspired by the challenges of building a first-of-its-kind blockchain and exploring new research directions unlocked by decentralized systems. You will have the opportunity to propose your own research projects. -While you will learn from Category Labs’ researchers, engineers and other interns, you will also collaborate as an independent and equal peer. -The research internship can be extended to part-time employment as per your availability and the needs of the research project, and may foster future collaborations. What You'll Do: -Conduct novel and best-in-class research on above mentioned topics. -Contribute to the creation of technical content, including academic peer-reviewed papers, blog posts and white papers. -Collaborate with the engineering team to implement prototypes, build simulations, and conduct experiments to test your design, models and assumptions. -Engage in discussions with team members and visitors to refine research ideas and share insights from your own research. More in the job description:

Closing date for applications:

Contact: recruiting@category.xyz

More information: https://jobs.ashbyhq.com/category-labs/62558e75-42bb-4c9e-b8e5-64227db7e444

Securely shuffling a secret-shared list is a vital sub-protocol in numerous applications, including secure sorting, secure list merging, secure graph proessing, oblivious RAM, and anonymous broadcast. We demonstrate how to convert the folklore constant-round protocol for secure shuffling, which employs a delegated Fisher-Yates shuffle using rerandomizable encryption, into a maliciously secure constant-round protocol. This gives the first protocol that has a linear end-to-end time for a two-party secret-shared shuffle with malicious security.

We prove the security of our protocol under the ``linear-only'' assumption on the homomorphic encryption system. We also demonstrate that another assumption, namely weak predicability, is sufficient and that it is both weaker than the linear-only assumption and sufficient for security.

On the road to eliminating censorship from modern blockchain protocols, recent work in consensus has explored protocol design choices that delegate the duty of block assembly away from a single consensus leader and instead to multiple parties, referred to as includers. As opposed to the traditional leader-based approach, which guarantees transaction inclusion in a block produced by the next correct leader, the multiple includer approach allows blockchain protocols to provide a strong censorship-resistance property for users: A timely submitted transaction is guaranteed to be included in the next confirmed block, regardless of the leader's behavior. Such a guarantee, however, comes at the cost of 2 additional rounds of latency to block confirmation, compared to the leader-based approach. Is this cost necessary? We introduce the Censorship Resistant Byzantine Broadcast (CRBB) problem, a one-shot variant that distills the core functionality underlying the multiple-includer design paradigm. We then provide a full characterization, both in synchrony and partial synchrony, of the achievable latency of CRBB in executions with a correct leader, which is the most relevant case to practice. Our main result is an inherent latency cost of two additional rounds compared to the classic Byzantine Broadcast (BB) problem. For example, synchronous protocols for CRBB require 4 rounds whenever BB requires 2 rounds. Similarly, up to a small constant in the resilience, partial synchrony protocols for CRBB require 5 rounds whenever BB requires 3 rounds.

In this paper, we present an MPC protocol in the preprocessing model with essentially the same concrete online communication and rounds as the state-of-the-art MPC protocols such as online-BGW (with precomputed Beaver tuples) for $t < n/3$ malicious corruptions. However, our protocol additionally guarantees robustness and correctness against up to $t < n/2$ malicious corruptions while the privacy threshold remains at $n/3$. This is particularly useful in settings (e.g. commodity/stock market auctions, national elections, IACR elections) where it is paramount that the correct outcome is certified, while maintaining the best possible online speed. In addition, this honest-majority correctness allows us to use optimistic Berlekamp-Welch decoding in contrast to BGW. Moreover, just like online-BGW, our protocol is responsive until a final attestation phase.

We also give a complementary verifiable input-sharing scheme for the multi-client distributed-server setting which satisfies both robustness and correctness against up to $t < n/2$ malicious servers. This is accomplished by having the servers first run a preprocessing phase that does not involve the clients. The novelty of this input-sharing scheme is that a client only interacts for one round, and hence need not be online, which, again, is highly desirable in applications such as elections/auctions.

We prove our results in the universally-composable model with statistical security against static corruptions. Our protocol is achieved by combining global authenticators of SPDZ with an augmented Reed-Solomon code in a novel manner. This augmented code enables honest-majority decoding of degree $n/2$ Reed-Solomon codes. Our particular augmentation (often referred to as robust sharing) has the additional property that the preprocessing phase can generate this augmented sharing with a factor $n$ speedup over prior information-theoretic robust sharing schemes.