International Association for Cryptologic Research

  • Post-Quantum Security of Tweakable Key-Alternating Feistel Ciphers in the Multi-Key Setting
    on June 25, 2026 at 9:48 am

    ePrint Report: Post-Quantum Security of Tweakable Key-Alternating Feistel Ciphers in the Multi-Key Setting Rentaro Shiba, Tetsu Iwata In this paper, we prove the post-quantum security of the Tweakable Key-Alternating Feistel cipher (TKAF) with a public random function in the Q1 model, under the assumption that the adversary is given quantum access to the internal primitive. Specifically, our target is the TKAF studied in the classical setting by Yan et al. (ACNS 2020), where the tweak is injected into the round-key XOR via a hash function of $\epsilon$-AXU family. Our proof draws on the post-quantum security proof for the (non-tweakable) key-alternating Feistel ciphers by Basak et al. (ASIACRYPT 2025), and adapts it to the tweakable setting and further to the multi-key setting, where an adversary can access multiple classical oracles. As a result, we prove that the 3-round TKAF is post-quantum TPRP-secure and the 4-round TKAF is post-quantum STPRP-secure. Specifically, under the assumption that the adversary is given classical access to $\ell$ independently specified oracles, at least $\mathrm{\Omega} (2^{n/3}/\ell^{2/3})$ classical and quantum queries or $\mathrm{\Omega}(\epsilon^{-1/2})$ classical queries are required to break the post-quantum TPRP security of the 3-round TKAF and to break the post-quantum STPRP security of the 4-round TKAF.

  • The Relative Trace-Zero Subgroup of the Barreto-Naehrig Curves
    on June 25, 2026 at 9:48 am

    ePrint Report: The Relative Trace-Zero Subgroup of the Barreto-Naehrig Curves Julius Zhang We prove a folklore characterization of the BN pairing subgroup as the kernel of a relative trace map on the $n$-torsion points.

  • Designing Wallet-Based User Intervention for Approval Phishing Mitigation
    on June 24, 2026 at 7:12 pm

    ePrint Report: Designing Wallet-Based User Intervention for Approval Phishing Mitigation Maggie Yongqi Guan, Yuqi Xu, Yunlong Mao, Wei Tong, Xiaobo Zhou, Kanye Ye Wang Approval phishing is a form of Web3 phishing that exploits token approval mechanisms to trick users into granting attackers spending authority over their tokens. As attackers increasingly hijack legitimate websites, URL-based detection alone becomes insufficient, leaving crypto wallets as the last line of defense. Based on the characteristics of approval mechanisms, we propose four wallet-based interventions for mitigating approval phishing: Spending Cap Suggestion, Active Spender Warning, Passive Spender Warning, and Delayed Confirmation. We evaluate the interventions through a between-subjects experiment (n = 364) and semi-structured interviews (n = 23). Compared with the control group, the Spending Cap Suggestion condition significantly increases the likelihood that users set spending caps. The Active Spender Warning, Passive Spender Warning, and Delayed Confirmation conditions all increase cancellation rates of phishing tasks, although the increases are statistically significant only for Active Spender Warning and Delayed Confirmation conditions. The effectiveness of the interventions varies across users, as users may struggle to interpret suspicious cues and focus on transaction outcomes while overlooking approval details. Our findings highlight the need to strengthen defenses against such attacks by increasing users’ awareness of post-approval consequences and supporting approval-parameter verification at the moment of authorization.
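    The approval mechanism these interventions target is the ERC-20 approve(spender, amount) call (and its NFT counterpart setApprovalForAll). The following is an added example, not code from the paper or its authors, of the pre-signing check a wallet can run in the spirit of Spending Cap Suggestion and the spender warnings: it decodes the calldata, flags an unlimited or balance-exceeding allowance and a spender the wallet does not recognise, and proposes a capped amount. The 4-byte selectors are the standard ones; the spender addresses, balances, calldata and the known-spender list are constructed here and stand in for whatever reputation source a real wallet would consult.

```python
# Added example: wallet-side inspection of an ERC-20 / ERC-721 approval call.
# Not the paper's implementation. Selectors are the standard 4-byte function
# selectors; spender lists, balances and calldata below are constructed.

UINT256_MAX = (1 << 256) - 1

# keccak256("approve(address,uint256)")[:4]
SEL_APPROVE = bytes.fromhex("095ea7b3")
# keccak256("setApprovalForAll(address,bool)")[:4]
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")


def decode_approval(calldata):
    """Return (kind, spender, amount_or_flag) for an approval call, else None."""
    if len(calldata) < 4 + 64:
        return None
    sel, args = calldata[:4], calldata[4:]
    word1, word2 = args[:32], args[32:64]
    # An address is right-aligned in its 32-byte ABI word.
    spender = "0x" + word1[12:].hex()
    if sel == SEL_APPROVE:
        return ("approve", spender, int.from_bytes(word2, "big"))
    if sel == SEL_SET_APPROVAL_FOR_ALL:
        return ("setApprovalForAll", spender, int.from_bytes(word2, "big") == 1)
    return None


def analyze_approval(calldata, known_spenders, balance, needed=None):
    """Run the wallet checks on one transaction and return the findings.

    known_spenders: constructed allow-list standing in for a reputation source.
    balance: the user's current token balance (constructed).
    needed: amount the dApp actually requires, if the wallet knows it.
    """
    decoded = decode_approval(calldata)
    if decoded is None:
        return {"is_approval": False, "findings": [], "suggested_cap": None}
    kind, spender, value = decoded
    findings = []
    suggested_cap = None
    if kind == "approve":
        if value == UINT256_MAX:
            findings.append("unlimited allowance requested")
        elif value > balance:
            findings.append("allowance exceeds current balance")
        if value == UINT256_MAX or value > balance:
            # Spending Cap Suggestion: propose the needed amount, else the balance.
            suggested_cap = needed if needed is not None else balance
    elif kind == "setApprovalForAll" and value:
        findings.append("operator approval for ALL tokens of this collection")
    if spender.lower() not in {s.lower() for s in known_spenders}:
        # Spender Warning: the counterparty is not a contract the wallet knows.
        findings.append("spender %s is not a known contract" % spender)
    return {
        "is_approval": True,
        "kind": kind,
        "spender": spender,
        "value": value,
        "findings": findings,
        "suggested_cap": suggested_cap,
    }


def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata; used here to construct inputs."""
    addr = bytes.fromhex(spender[2:]).rjust(32, b"\x00")
    return SEL_APPROVE + addr + amount.to_bytes(32, "big")


if __name__ == "__main__":
    known = {"0x1111111111111111111111111111111111111111"}  # constructed
    attacker = "0x2222222222222222222222222222222222222222"  # constructed
    tx = encode_approve(attacker, UINT256_MAX)
    print(analyze_approval(tx, known, balance=500 * 10**18, needed=100 * 10**18))
```

    The check deliberately keys on the two things the interviews say users overlook: the approval parameter (amount, or the all-tokens flag) and the spender, rather than the transaction's visible outcome.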

  • SUF-CMA SQISign via Canonical Response Encoding
    on June 24, 2026 at 7:00 pm

    ePrint Report: SUF-CMA SQISign via Canonical Response Encoding Dustin Ray SQIsign is the leading isogeny-based post-quantum digital signature scheme under consideration in NIST’s standardization process. All published security results, including the first complete proof (CRYPTO 2025), establish only existential unforgeability under chosen-message attack (EUF-CMA). It is known informally that SQIsign does not achieve strong unforgeability (SUF-CMA) due to the non-uniqueness of its two-dimensional isogeny representation. We make three contributions. First, we identify a concrete malleability vector in the SQIsign v2.0 specification: the basis change matrix $M_{\mathrm{chl}}$ in the signature can be negated modulo $2^N$ to produce a distinct valid signature for the same public key and message. This is the direct structural analog of ECDSA’s $(r,s)$ versus $(r,n-s)$ malleability. We provide a proof-of-concept against the C reference implementation at all three NIST security levels. Second, we propose a minimal fix: canonical matrix encoding, where the signer normalizes $M_{\mathrm{chl}}$ and the verifier rejects non-canonical forms. We prove that after canonicalization, the response encoding is injective (each mathematical response isogeny maps to exactly one byte string), using the structure of reducible gluings of abelian varieties. Third, we prove that the modified scheme achieves SUF-CMA in the quantum random oracle model: the sigma protocol’s honest-verifier zero-knowledge and special soundness together with computationally unique responses (established by our encoding injectivity result) imply SUF-CMA. This is the first SUF-CMA result for any SQIsign variant.
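    The abstract compares the negation of $M_{\mathrm{chl}}$ to ECDSA's $(r,s)$ versus $(r,n-s)$ malleability and fixes it the same way ECDSA deployments do: the signer emits a canonical form and the verifier rejects the other one. The following added example, which is not from the paper and does not touch SQIsign itself, shows that pattern on ECDSA over secp256k1 in pure Python: a second valid signature is produced by negating $s$, then the usual low-$s$ canonical form is applied and a strict verifier rejects the non-canonical encoding. The curve constants are the standard ones; the private key and message are constructed, and the nonce derivation is a simplified HMAC of the key and message (not RFC 6979).

```python
# Added example: ECDSA (r, s) / (r, n - s) malleability and its canonical-form
# fix on secp256k1. Not from the paper; curve constants are standard, the key,
# message and nonce derivation are constructed for illustration.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add (not constant time; fine for an illustration)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def pubkey(d):
    return scalar_mult(d, G)


def sign(d, msg):
    """Textbook ECDSA. Nonce = HMAC(d, msg): deterministic, but NOT RFC 6979."""
    e = msg_hash(msg)
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N
    k = k or 1
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; retry with another nonce")
    return (r, s)


def verify(pub, msg, sig, canonical=False):
    """Standard verification; canonical=True additionally rejects the high-s form."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    if canonical and s > N // 2:
        return False
    e = msg_hash(msg)
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def malleate(sig):
    """(r, s) -> (r, n - s): a distinct byte string that still verifies."""
    r, s = sig
    return (r, N - s)


def canonicalize(sig):
    """Signer-side normalisation: keep the representative with s <= n/2."""
    r, s = sig
    return (r, s if s <= N // 2 else N - s)


if __name__ == "__main__":
    d = 0xC0FFEE1234567890C0FFEE1234567890C0FFEE1234567890C0FFEE1234567890  # constructed
    pub = pubkey(d)
    sig = sign(d, b"constructed message")
    print("original verifies:", verify(pub, b"constructed message", sig))
    print("malleated verifies (lax):", verify(pub, b"constructed message", malleate(sig)))
    print("malleated verifies (canonical):", verify(pub, b"constructed message", malleate(sig), canonical=True))
```

    Negating $s$ negates $w = s^{-1}$ and hence the recovered point, which has the same $x$-coordinate, so verification cannot tell the two encodings apart; only the explicit canonical-form check does. The injectivity argument in the paper plays the same role for the $M_{\mathrm{chl}}$ encoding.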

  • TETRIS: Automated Design Space Exploration of Randomness–Latency Trade-offs in Masked Hardware
    on June 24, 2026 at 7:00 pm

    ePrint Report: TETRIS: Automated Design Space Exploration of Randomness–Latency Trade-offs in Masked Hardware Nilotpola Sarma, Tapish Patidar, Nupur Brahamanya, Chandan Karfa Given a fixed security order, the randomness and latency of masked hardware present a trade-off. This trade-off has not been structurally examined well enough to enable an efficient search for a user-optimal (randomness/latency efficient) masked design. Gadget-based masking has simplified masking using masked functions called \textit{gadgets} corresponding to simpler (unmasked) functions as building blocks for larger masked designs. These gadgets, in turn, have masking-order dependent latency-randomness costs, lending a structure to the randomness and latency of gadget-based masked hardware. This structure enables automated Design-Space Exploration (DSE) of gadget-based masked hardware that takes in a user’s constraints on randomness (or latency) to arrive at the latency- (respectively randomness-) optimal assignment of gadgets with less area, and vice versa. This article introduces a software-level DSE approach whose basis is two DSE algorithms, Minimize Latency under Randomness Constraints (MLRC) and Minimize Randomness under Latency Constraints (MRLC), which are duals of each other. While prior work solves the problem of optimizing masked hardware by formulating a global SAT optimization, our results show that gadget-based masked hardware using Probe-Isolating Non-Interference (PINI) gadgets embodies a structured trade-off that lends itself to efficient heuristic-based solutions instead of relying on heavy global optimizations. This gives our tool comparable-to-superior area results in under a millisecond, a speedup of several orders of magnitude, compared to the SOTA.

  • A Communication-Efficient Local-Verification Framework for Maliciously Secure MPC with a Two-Thirds Honest Majority
    on June 24, 2026 at 7:00 pm

    ePrint Report: A Communication-Efficient Local-Verification Framework for Maliciously Secure MPC with a Two-Thirds Honest Majority Hanchao Ku, Hikaru Tsuchida, Mingwu Zhang, Takashi Nishide Secure Multi-Party Computation (MPC) is a cryptographic primitive that enables multiple parties to jointly compute a function over their inputs without revealing the inputs. An MPC protocol is required to provide security against adversarial behavior, typically considered in two classic models: the \textit{semi-honest} model, where adversaries follow the protocol but attempt to learn additional information from the transcript, and the \textit{malicious} model, where adversaries may arbitrarily deviate from the protocol. Protocols secure against semi-honest adversaries are often more efficient, but in many real-world applications the stronger guarantee of malicious security is required. In this work, we propose an efficient MPC protocol secure against static malicious adversaries controlling at most $t

  • Trust the Voice, Hide the Source: Anonymous Provenance for Verifiably Edited Audio
    on June 24, 2026 at 7:00 pm

    ePrint Report: Trust the Voice, Hide the Source: Anonymous Provenance for Verifiably Edited Audio Xiyuan Fu, Zixing Wang, Hongbo Wang, Yu Chen Audio recordings are often used as evidence, but modern forgery tools make their origin harder to verify. Existing authentication methods require releasing the original signed recording, which exposes sensitive source content as well as provenance information. Redacting the audio avoids that disclosure, but doing so also invalidates the original signature. Revealing the edit operations to prove edit compliance can also disclose the redacted content. This creates a conflict for existing approaches: authenticating a released audio file requires disclosing the original audio, edit operations, or identity of the recording device, but preserving privacy requires keeping all three hidden. In this work, we propose $\textit{Privacy-Preserving Audio Authentication Systems}$ (PPAAS). PPAAS uses a single relation that binds source provenance and edit correctness to the same hidden witness. This witness includes both the attested source recording and device attestation, so the verifier can be convinced that the released audio came from an authorized device and was obtained through allowed edits, without learning the source recording, the edit operations, or which enrolled device produced it. We formalize this notion and provide two constructions adapted to different editing scenarios. The first is a $\textit{segmentation-based}$ construction that requires zero-knowledge proofs only for actively edited segments and is therefore well-suited to sparse edits. The second is an $\textit{iteration-based}$ construction that uses Incrementally Verifiable Computation (IVC) with zero-knowledge compression to fold repeated checks into a single proof, which is efficient for dense edits. Our evaluations show the practicality of both constructions: the segmentation-based approach minimizes cost for sparse edits, whereas the iteration-based approach becomes preferable as edit density increases.

  • Forensic Cryptanalysis of the Backdoored UA-8295 Message Terminal
    on June 24, 2026 at 7:00 pm

    ePrint Report: Forensic Cryptanalysis of the Backdoored UA-8295 Message Terminal Stijn Maatje, Marc Stevens Nation-state agencies go to great lengths to obtain signals intelligence, including backdooring cryptographic standards and equipment. Although the existence of these backdoor efforts is common knowledge, only a few of the known backdoored systems have been publicly analysed. In this paper we present the first detailed $\textit{forensic cryptanalysis}$ of the backdoored UA-8295 message terminal and try to answer the questions of how the UA-8295’s backdoor was designed and for which attack. Towards a better understanding of real-world backdoor design, we posit a $\textit{Backdoor Conjecture}$ that provides handles to reason about the design of backdoors and the attacks they are designed for.

  • TRIP: Thresholding in Regression with Input Privacy
    on June 24, 2026 at 6:48 pm

    ePrint Report: TRIP: Thresholding in Regression with Input Privacy Chrysa Oikonomou, Katerina Sotiraki Secure computation allows multiple parties to jointly evaluate a function without leaking their individual inputs. An intrinsic issue with these techniques is that they do not offer any protection against parties which may contribute bad quality or even maliciously crafted data. We introduce TRIP, a protocol which protects against malicious manipulations of the input in secure computation of linear regression tasks. Linear regression is the cornerstone in many machine learning tasks, and hence creating secure protocols for this task is a crucial step towards secure machine learning. Our protocol utilizes a novel combination of techniques from secure computation, robust statistics, and differential privacy. On synthetic data, TRIP recovers the planted ground truth; on real-world datasets, its model remains close to the clean OLS baseline under up to 40% target corruption. In terms of efficiency, our protocol runs up to $250\times$ faster than an MPC-only baseline for $10^6$ samples. Even in the smallest parameter setting, TRIP is $10\times$ faster than our baseline.

  • Subspace Differential Uniformity
    on June 24, 2026 at 6:48 pm

    ePrint Report: Subspace Differential Uniformity Sondre Rønjom, Arne Sandrib, Joakim Sunde The main contribution of this paper is to introduce Subspace Differential Uniformity (SDU) for S-boxes and block ciphers. The SDU is essentially a measure of how well any function spreads input differences clustered in affine subspaces away from affine clusters in output differences. We provide some lower bounds for the SDU and describe an efficient algorithm for computing the SDU. Moreover, we provide results for some popular classes of S-boxes up to $n=8$.

  • Structured Lattices and Their Applications to Security
    on June 24, 2026 at 6:48 pm

    ePrint Report: Structured Lattices and Their Applications to Security Lenny Fukshansky, Camilla Hollanti, Rahinatou Y. Njah Nchiwo Euclidean lattices are an interesting object of study in many regards and can have a rich structure arising from various constructions, e.g., from number field extensions. A particularly interesting class is the one of well-rounded lattices, as they relate to the well-known densest sphere packing problem in geometry, theta function minimization, and the famous Minkowski and Woods conjectures. In addition to being an important mathematical object in their own right, lattices also play a central role in many applications. This paper offers a survey of structured lattices and discusses their recent applications in lattice-based cryptography and secure wireless communications. Our goal is to spark the interest of mathematicians and adjacent communities in these fascinating topics in the intersection of lattices, number theory, cryptography, and wireless communications.

  • Security Analysis of One Lightweight Certificateless Mutual Authentication Scheme Based on Signatures for IIoT
    on June 24, 2026 at 6:48 pm

    ePrint Report: Security Analysis of One Lightweight Certificateless Mutual Authentication Scheme Based on Signatures for IIoT Zhengjun Cao, Lihua Liu We show that the certificateless signature scheme [IEEE ITJ, 26852-26865, 2024] is insecure against public key replacement attack. An adversary can forge signatures for any message by replacing the signer’s public key. We find the two components $\delta_A$ and $T_A$ of signature $\sigma_A=(m_A, ID_A, \delta_A, T_A)$ are not tightly bound to the target message $m_A$ and the signer’s identity $ID_A$. This inherent flaw means that the adversary can find an efficient signing algorithm functionally equivalent to the valid signing algorithm. The findings could be helpful for researchers unfamiliar with the design techniques for certificateless signatures.

  • Thresholdizing Standardized FALCON Signatures
    on June 24, 2026 at 10:00 am

    ePrint Report: Thresholdizing Standardized FALCON Signatures Radhika Garg, Daniel Escudero, Antigoni Polychroniadou, Akira Takahashi, Xiao Wang Threshold signatures allow a quorum of parties to jointly produce a signature while preventing any smaller subset from doing so. Following NIST’s post-quantum standardization, designing threshold schemes compatible with the newly selected primitives is a pressing task. In particular, no prior threshold signature scheme produces signatures verifiable under the unmodified FALCON verification algorithm – the NIST-selected post-quantum scheme with the smallest signatures and keys. In this work, we present the first such threshold FALCON signing protocol, establishing its feasibility. Our technical contributions are threefold. First, we adapt the MPC-based discrete Gaussian sampling protocol of Wei et al. [CCS:WYFCW23] to support private centers and standard deviations, as required by FALCON’s signing process. Second, we carry out a Rényi divergence analysis of the Klein sampler under fixed-point arithmetic, showing that $73$ bits of precision suffice to achieve the same security as the FALCON specification. Third, we design an efficient MPC protocol for the Klein sampler that exploits the fixed trapdoor basis to construct a pseudorandom correlation generator for authenticated VOLE using only two-party DPFs, reducing per-signature communication significantly over standard authenticated triple generation. We implement and benchmark our protocol in two settings: $N$-party signing with all-but-one corruption, and 3-party signing with honest majority, demonstrating that threshold FALCON signing is feasible for applications where compatibility with the FALCON standard is required.

  • Achieving Guaranteed Output Delivery MPC with Constant Rounds and Linear Communication in Minicrypt
    on June 24, 2026 at 10:00 am

    ePrint Report: Achieving Guaranteed Output Delivery MPC with Constant Rounds and Linear Communication in Minicrypt Junru Li, Yifan Song In this work, we study the communication complexity of constant-round MPC with guaranteed output delivery (GOD) in Minicrypt. We construct the first MPC protocol in this setting with linear communication complexity of $O(|C|n\kappa+Dn^3\kappa^3+W_I{\sf poly}(n,\kappa))$ bits under the assumption of a random oracle, where $|C|$ is the circuit size, $D$ is the circuit depth, $W_I$ is the number of input wires, and $\kappa$ is the security parameter. In comparison, the previously best-known construction with linear communication ($O(|C|n)$), presented by Goyal et al. (CRYPTO 2020), requires $O(D+n^2)$ round complexity. When targeting $O(D)$ round complexity, the best-known result by Agarwal et al. (ASIACRYPT 2024) still requires $O(|C|n^3)$ communication complexity. More communication is needed to achieve constant round complexity, even with non-black-box use of the underlying cryptographic primitives.

  • Breaking the $\Omega(|C|\kappa)$ Barrier on Garbled Circuit Size in the Random Oracle Model
    on June 24, 2026 at 10:00 am

    ePrint Report: Breaking the $\Omega(|C|\kappa)$ Barrier on Garbled Circuit Size in the Random Oracle Model Junru Li, Yifan Song In this paper, we study garbled circuits in the random oracle model against a computationally unbounded adversary with $T$ queries to a (programmable) random oracle. From Yao’s garbled circuits (SFCS 1986) to Three-Halves (CRYPTO 2021), the garbled circuit size has been reduced from $8|C|(\log T+\kappa)$ bits to $1.5|C|(\log T+\kappa)$ bits for achieving a statistical error of $2^{-\kappa}$, where $|C|$ is the circuit size and $\kappa$ is the statistical security parameter. However, no known result achieves $o(|C|\kappa)$ bits of garbled circuit size by now, and it is widely believed that a garbled circuit must have $\Omega(|C|\kappa)$ bits in the random oracle model. In this work, we present the first garbling scheme that achieves $o(|C|\kappa)$ bits of garbled circuit size in the random oracle model. In particular, for a circuit $C$ of size $|C|$ and depth $D$, the achieved garbled circuit size is $O(|C|\log T+D\kappa^2\log T)$ bits. This breaks the long-standing $\Omega(|C|\kappa)$ barrier on the garbled circuit size. We extend our garbling scheme to a maliciously secure two-party computation protocol with communication of $O(|C|\log T+D(\log T+\kappa)^2\log T+{\sf poly}(\kappa,\log T))$ bits against any $T$-query adversary assuming parallel oblivious transfers and a (programmable) random oracle. The protocol only requires 1 OT round and 3 one-way communication rounds. If only requiring one of the two parties to have output, a similar communication complexity can be achieved for constructing a non-interactive secure computation (NISC) protocol, which only relies on the preprocessing of bit-OT correlations and a random oracle. Compared to a concurrent work on NISC by Ishai et al. (EUROCRYPT 2026) in the same setting, we achieve a better amortized communication cost per gate at the cost of an additional term related to the circuit depth. The NISC protocol with a similar communication cost can also be constructed from a (slightly stronger version of) semi-malicious 2-round OT protocol.

  • Weak Keys Break the BUFF Security of HAWK
    on June 24, 2026 at 10:00 am

    ePrint Report: Weak Keys Break the BUFF Security of HAWK Quang Dao HAWK is a signature scheme based on the module lattice isomorphism problem, and the only lattice-based candidate in the third round of NIST’s call for additional post-quantum signatures. Its specification claims that HAWK achieves the BUFF (Beyond UnForgeability Features) security properties “as is”, without applying the generic BUFF transform, citing the analysis of Aulbach, Düzlü, Meyer, Struck, and Weishäupl (PQCrypto’24). We refute this claim for HAWK exactly as specified. Several of the BUFF games let the adversary register a public key of its own choosing, yet the HAWK reference verifier performs almost no validity check on a key beyond decoding it. We exhibit degenerate “weak” public keys under which the all-zero signature verifies for all random-oracle challenges except the negligible symmetry-breaking corner case, and use them to break the three BUFF properties whose games let the adversary supply both the verification key and the signature: message-bound signatures, malicious strong universal exclusive ownership, and weak non-resignability. We trace these breaks to gaps in the BUFF proofs for HAWK of Aulbach et al.: one missing case analysis, and three steps that silently assume properties of the adversarially chosen keys as if they come from honest key generation. Honest key generation already enforces bounds that would reject our weak-key family on the attacks we exhibit. We prove that enforcing this norm floor at verification yields message-bound security for constant keys, but we make no claim that it fully restores BUFF security.

  • Decomposition of compressions on elliptic curves and point recovery
    on June 24, 2026 at 10:00 am

    ePrint Report: Decomposition of compressions on elliptic curves and point recovery Robert Dryło Let $E$ be an elliptic curve over a perfect field $K$. A function $f\in K(E)$ is a compression of degree 2 on $E$ if $f(-P) = f(P)$ for all $P\in E$, and the field extension $K(f)\subset K(E)$ is of degree 2. For a finite subgroup $G\subset E$ over $K$, a function $w\in K(E)$ will be called a $G$-compression if $w(\pm P +G) = w(P)$ for all $P\in E$, and the field extension $K(w)\subset K(E)$ is of degree $2|G|$. We will show that $w\in K(E)$ is a $G$-compression if and only if $w = f\circ \Phi$ for a separable isogeny $\Phi:E\to E'$ over $K$ with $\ker \Phi=G$, an elliptic curve $E'/K$, and a compression $f\in K(E')$ of degree 2 on $E'$. This allows one to obtain a doubling, a differential addition, and a method for point recovery for $G$-compressions using known properties of compressions of degree 2. For $G$-compressions $w$ studied in the literature on an extended Jacobi quartic, a twisted Edwards curve, a twisted Jacobi intersection, and a twisted Hessian curve (for the first and third model additional conditions on coefficients are assumed) we will give the decomposition $w = f\circ \Phi$ as above, and the function induced by the dual isogeny $\widehat{\Phi}$ and compressions of degree 2, which can be used for point recovery. For the first three models this isogeny $\Phi$ is to a Montgomery curve over $K$, and has the first coordinate $x(\Phi)=1/w$. We also give isomorphisms from some models of elliptic curves to a Montgomery curve.

  • A new attack to RSA with small private exponent and partial information.
    on June 24, 2026 at 10:00 am

    ePrint Report: A new attack to RSA with small private exponent and partial information. Jorge Jimenez Urroz We give a new algorithm to attack RSA with small private exponent, when some partial information of $p + q$ is given. The algorithm is a very simple modification of original Wiener’s attack with continued fractions, and allows us to factor $n$ whenever $d
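    The algorithm the paper modifies is Wiener's continued-fraction attack, and the page carries only the (truncated) abstract, so the partial-information variant cannot be reproduced here. The following added example, not the paper's algorithm, implements the original attack that it builds on: expand $e/n$ as a continued fraction, and for each convergent $k/d$ test whether $\varphi(n) = (ed-1)/k$ yields integer factors through $p+q = n - \varphi(n) + 1$ and $(p-q)^2 = (p+q)^2 - 4n$. The primes and the small private exponent are toy values constructed here; the attack itself is size-independent.

```python
# Added example: the classical Wiener small-d attack on RSA via continued
# fractions. Not the paper's modified algorithm; p, q and d are constructed.
from math import gcd, isqrt


def continued_fraction(num, den):
    """Partial quotients a0, a1, ... of num/den, via Euclid's algorithm."""
    cf = []
    while den:
        q, r = divmod(num, den)
        cf.append(q)
        num, den = den, r
    return cf


def convergents(cf):
    """Yield (numerator, denominator) of each convergent h_i/k_i in lowest terms."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for a in cf:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Return (d, p, q) if some convergent k/d of e/n exposes phi(n), else None.

    Guaranteed to succeed when d < n^(1/4)/3 (Wiener's bound), since then k/d
    is one of the convergents of e/n.
    """
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1          # candidate p + q
        disc = s * s - 4 * n     # candidate (p - q)^2
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t != disc or (s + t) % 2:
            continue
        p, q = (s + t) // 2, (s - t) // 2
        if p > 1 and q > 1 and p * q == n:
            return d, p, q
    return None


def make_small_d_key(p, q, d):
    """Construct (e, n) with the chosen (too small) private exponent d."""
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be invertible modulo phi(n)")
    return pow(d, -1, phi), p * q


if __name__ == "__main__":
    # Constructed toy key: two known primes and a private exponent well under n^(1/4)/3.
    p, q, d = 1000000007, 1000000009, 1009
    e, n = make_small_d_key(p, q, d)
    print("recovered:", wiener_attack(e, n))
```

    The candidate test is what makes the loop cheap: a wrong convergent almost never produces an integer $\varphi(n)$ whose discriminant is a perfect square, so only the true $k/d$ survives.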

  • A Compact Signature Scheme Based on QC-MDGM Codes
    on June 24, 2026 at 9:48 am

    ePrint Report: A Compact Signature Scheme Based on QC-MDGM Codes Alessandro Annechini, Alessandro Barenghi, Gerardo Pelosi Constructing a post-quantum signature scheme that is simultaneously compact and efficient remains a central challenge in code-based cryptography. Existing schemes based on turning a zero-knowledge identification scheme into a signature exhibit either large signatures or slow verification procedures. On the other hand, the design of hash-and-sign code-based schemes initiated by Courtois, Finiasz and Sendrier in $2001$ has led to schemes such as Wave and MIRANDA, that provide small signatures at the cost of massive public key sizes, with comparatively demanding signature algorithms. In this work, we present ASTRA-Sign: a quASi-cyclic code-based full-distance decoding TRApdoor Signature Scheme, combining the hash-and-sign paradigm with quasi-cyclic moderate density generator matrix codes to obtain small signatures and small public keys. The security of our scheme is based on the hardness of finding low weight codewords in quasi-cyclic codes, and on the hardness of finding a codeword that has full Hamming distance from a given random vector. We analyse key recovery and signature forgery attacks against ASTRA, and we propose several parameter sets achieving $128$-, $192$- and $256$-bit security. Our scheme exhibits public keys and signatures below $1$kB for $128$ bits of security, with sub-$50\mu$s verification times.

  • Refined OJ Attacks: Tight Complexity for Rank Decoding Problems and Their Cryptographic Implications
    on June 24, 2026 at 9:48 am

    ePrint Report: Refined OJ Attacks: Tight Complexity for Rank Decoding Problems and Their Cryptographic Implications Yongcheng Song, Rongmao Chen, Xinyi Huang, Jiang Zhang, Chao Lin The Rank Decoding (RD) problem lies at the core of rank-based cryptography. To enable efficient constructions, several variants have been introduced, notably the Non-Homogeneous RD (NHRD) problem and the Blockwise RD (BRD) problem. The \emph{quantum} security of these systems is currently considered to be determined by the complexity of combinatorial attacks such as AGHT, PRR, and Ourivski–Johansson (OJ) attacks. However, for the OJ attack, the modeling, soundness, and relative complexities remain poorly understood, particularly for the NHRD and BRD variants, thereby limiting confidence in security claims and hindering the design of compact schemes. In this work, we refine the modelings for the OJ attack (PIT, 2002) and the Improved OJ (IOJ, IEEE TIT 2025) attack, and obtain general and tight complexities on the RD, NHRD, and BRD problems. We show that the IOJ attack rests on optimistic assumptions that do not hold in practical random decoding scenarios, and thus its advantage over OJ should be disregarded in security assessments. For the RD problem, the OJ attack remains a strong candidate for the most powerful combinatorial attack in certain parameter regions, particularly when the code dimension $k$ is small and the extension degree $m$ is large. For the NHRD problem, we show that the OJ attack is the most powerful combinatorial attack for the parameters of NH-Multi-UR-AG, yielding up to a 100-bit improvement over the adapted AGHT attack (IEEE TIT 2024), while still preserving the claimed security level. For the BRD problem, we derive complexity formulas for general block structures, resolving questions posed in prior works (Asiacrypt 2023, IEEE TIT 2025, PQC 2024). Our analysis also reveals that the OJ attack has previously been underestimated by about $\gamma^2$ bits, where $\gamma$ denotes the minimum block weight. We further show that the OJ attack outperforms AGHT and PRR attacks in certain parameter regions, achieving up to a 136-bit advantage over PRR (IEEE TIT 2025). Our work advances the understanding of decoding problems in the rank metric and reinforces the security of related cryptosystems.
