
Cryptology ePrint Archive

We present a highly scalable instantiation of ZKML via proof of a verifiable decision forest inference circuit using a structured version of the GKR protocol [GKR15], [Tha13]. Through a combination of data parallel GKR over a structured improvement to [ZFZS20]'s circuit, we are able to create GKR proofs for a decision forest of 128 trees, each of height 9, over a set of 128 inputs, each with 64 f…

Group signatures (GSs; Chaum and van Heyst, EUROCRYPT 1991) are digital signatures that allow a signer to anonymously prove group membership, while still enabling a special authority, called the opener, to identify the signer when necessary. Group Signatures with Message-Dependent Opening (GS-MDO; Sakai et al., Pairing 2012) weaken the power of the opener by introducing another authority, the adm…

As zero-knowledge proofs are increasingly deployed in real-world systems, they face new security threats beyond traditional theoretical guarantees. One important threat is resetting attacks, where an adversary exploits side-channel vulnerabilities or fault injection to manipulate a prover's randomness generation. While resettable zero-knowledge has been extensively studied for interactive protoco…

Most symmetric modes of encryption that rely on PRP primitives are limited by the birthday bound over the block size (they can't encrypt more than $2^{n/2}$ blocks). This can be a severe limitation if the current block width of 128 is used (no more than $2^{64}$ blocks can be encrypted) for cloud systems that transact a large amount of data. This limitation can be overcome by either realizing a mode of encryp…

In response to the National Institute of Standards and Technology (NIST)'s 2024 call for wider variants of the Advanced Encryption Standard (AES), this paper presents the first FPGA-based hardware evaluation of Vistrutah, a recently proposed wide-block cipher constructed from AES round primitives. Vistrutah is implemented on a Xilinx Kintex UltraScale+ KCU116 FPGA and evaluated under identical co…

We introduce a new construction method for one-time multi-client functional encryption schemes that support noisy quadratic functions, are resistant against corruption and allow for labels. Such schemes can be used as building blocks in many practical applications, e.g., privacy preserving machine learning on arbitrarily split data. In contrast to earlier constructions, ours uses a different str…

Implementing post-quantum signatures correctly in production cryptographic libraries remains challenging even after standardization. ML-DSA implementations rely on NTT-based polynomial arithmetic with lazy Montgomery reductions, and omitting a reduction may be either a valid optimization or a latent arithmetic defect. In practice, reduction calls are often removed for performance, memory, or embe…

SQIsign is an isogeny-based post-quantum signature scheme whose public keys and signatures are remarkably compact. However, since SQIsign relies on arithmetic in quaternion algebras over the field of rational numbers, no fixed-precision integer arithmetic for SQIsign had been established until recently, hindering constant-time implementation and deployment on memory-constrained devices. Recent wo…

Let $E$ and $E'$ be two supersingular elliptic curves and let $\varphi: E\to E'$ be an isogeny of known degree $d$. Given a basis $(P, Q)$ of $E[N]$ together with $(\varphi(P), \varphi(Q))$, it is possible to recover $\varphi$ provided that $N$ is sufficiently large and smooth, and that the torsion basis can be represented over a small extension of the base field. In this work, we consider the …

The current on-ramp NIST Competition for Additional Post-Quantum Digital Signature Schemes features two MPCitH variants: TCitH and VOLEitH. While VOLEitH yields shorter signatures, it requires more stack memory, making it less suitable for constrained devices. In this work, we demonstrate that TCitH-based schemes are viable on embedded systems, such as Cortex-M4 devices. We present a simple, unified Zero-…

Anamorphic encryption introduced by Persiano et al. (Eurocrypt'22) enables covert communication through innocent-looking ciphertexts, even under strong censorship where a dictator has the power to compel citizens to surrender their private decryption keys. In this work, we study the asymmetric form of anamorphic encryption proposed by Catalano et al. (Eurocrypt'24), where the covert channel opera…

Coppersmith's method is a foundational technique for finding small roots of modular polynomial equations, and determining asymptotic bounds for the recoverable roots is a central and challenging part of its analysis. In this paper, we transform the computation of asymptotic bounds for the Automated Coppersmith method, proposed by Meers and Nowakowski (ASIACRYPT 2023), into a linear programming pr…

Discrete CKKS is a promising approach for performing high-throughput homomorphic computations over encrypted discrete data. Although it relies on CKKS, an approximate FHE scheme, as the computation engine, discrete CKKS can achieve exact correctness. The core operation of discrete CKKS is functional bootstrapping, a mechanism which enables evaluating an arbitrary function over a bounded discrete …

Neural network model extraction has recently emerged as a critical security issue. In 2020, Carlini et al. categorized model extraction into signature extraction and sign extraction. In 2024, Canales-Martínez et al. proposed a polynomial-time sign extraction method. In 2026, Liu et al. achieved the first successful model extraction of 8-layer deep neural networks. However, existing signature extr…

The security of cryptographic constructions that enforce resource usage, such as Proofs of Work or Proofs of Space, is often shown in the random oracle model. This model restricts the class of possible adversaries, because it assumes that the adversary can access some function RO only as a black box, via queries. When the resource in question is space, the random oracle model is often further ide…

CKKS bootstrapping is a central tool for restoring the available modulus budget of approximate ciphertexts, thereby enabling homomorphic computations beyond a fixed leveled circuit. A key component is the pair of linear transformations CoeffToSlot and SlotToCoeff, which move data to the slot representation for homomorphic modular reduction and then back to the coefficient representation. In the s…

When estimating the decryption failure rate (DFR) of structured lattice-based cryptography, some schemes implicitly assume that the coefficients of the decryption noise are independent. In practice, however, the decryption noise typically contains terms arising from convolutions of small polynomials, which introduce correlations among coefficients. These correlations can create a non-negligible g…

A UOV public key hides a distinguished linear subspace: the public-coordinate image of the central oil-coordinate subspace. In central coordinates, the homogeneous quadratic part of each UOV polynomial contains no oil-oil monomials. Consequently, for every honestly generated UOV public key, each public homogeneous quadratic form vanishes when restricted to this hidden oil subspace. We formalize t…

The Message Queuing Telemetry Transport (MQTT) protocol is highly preferable for Internet of Things (IoT) environments due to its lightweight architecture, but routing sensitive medical data through a central broker introduces severe privacy risks if the broker is untrusted or compromised. To address this, we propose secure MQTT, a high-performance end-to-end encrypted (E2EE) protocol tailored fo…
