- Research Article
- 10.46586/tosc.v2025.i4.262-283
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Gaëtan Leurent + 1 more
The sponge construction is one of the main modes of operation for hash functions. Using a permutation of width b = r + c, the sponge construction with rate r and capacity c is indifferentiable up to Ω(2^{c/2}) permutation calls. In this paper we study variants of the sponge construction that use two permutations in parallel in order to increase the state size: the XOR combiner, and the double sponge construction of Lefevre and Mennink. We focus on the indifferentiability security, and we obtain new distinguishers on these constructions based on a variant of the 4-sum problem that we denote the multiple 4-sum problem. First, we show that the XOR combiner does not increase the indifferentiability bound when applied to sponge hash functions, with a tight generic attack with complexity Õ(2^{c/2}). This improves over folklore results that require Õ(2^{b/2}) operations to find internal state collisions, and justifies the more involved double sponge construction. Indeed, by mixing the two internal states after every permutation call, the double sponge achieves security beyond the birthday bound, with a security proof up to Ω(2^{2c/3}) permutation calls. However, the proof is not tight: the best generic attack has complexity O(2^{c+r/2}), and Lefevre and Mennink show a simulator-specific attack with complexity O(2^{2c/3+r/3}). We reduce this gap by showing a dedicated attack against the double sponge, with complexity O(2^c) in general, and O(max(2^{3c/4}, 2^{c−r/3})) with the specific mixing matrix used by Lefevre and Mennink. In particular, we observe that the complexity of our attack decreases with r (for a fixed c), while previous attacks have a complexity that increases with r.
- Research Article
- 10.46586/tosc.v2025.i4.199-230
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Thomas Peters + 3 more
Physical attacks are one of the potent threats to modern cryptography. Symmetric-key primitives are well-explored with respect to passive, active, and more recently combined (i.e., simultaneously leaking and faulting) adversaries. For symmetric key operating modes, there are many proposals for encryption (ENC), Message Authentication Codes (MAC), and Authenticated Encryption (AE) covering passive attacks. However, research on active or combined adversaries is more succinct and, to the best of our knowledge, boils down to combined secure MAC due to Berti et al. (ToSC 2023, issue 1), combined secure ENC due to Dobraunig et al. (CCS’22), and active secure AE named MEM due to Saha et al. (ToSC 2022, issue 4). Our first contribution is a security model to formally reason about the combined security of AE. The model extends the fault-then-leak security of MAC introduced by Berti et al. to AE and can also be seen as a natural extension of state-of-the-art leakage resistant notions in their so-called faulty matrix framework. Armed with this model, we show as a second contribution that all the leakage-resilient, including leakage-resistant, AE constructions and the fault-resilient MEM construction are vulnerable to a single fault injection within the composition of their building blocks. These decoupling attacks remain successful even for combined-secure building blocks. As a result, we finally present LEAF, the first AE construction secure against fault-then-leak adversaries with a single fault injection. In encryption, LEAF makes only one call to a MAC and two calls to an ENC that are combined secure.
- Research Article
- 10.46586/tosc.v2025.i4.284-307
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Patrick Derbez + 3 more
In this paper, we propose new differential attacks against the block cipher GIFT-64. First we demonstrate how the parallel matching algorithm proposed by Naya-Plasencia at CRYPTO’11 as an advanced list-merging algorithm can be leveraged to enhance differential attacks, overcoming a previously assumed bottleneck. By reducing the complexity of the pair generation process whenever a non-linear filter is available, this approach enabled us to mount a new differential attack against 25-round GIFT-64 in the related-key setting. Then we use the differential Meet-in-the-Middle cryptanalysis technique introduced by Boura et al. at CRYPTO’23 to improve the differential attacks recently proposed by Chang et al. at CT-RSA’25, leading to the best known attacks against GIFT-64 in the single-key setting, both in terms of number of rounds and of complexity.
- Research Article
- 10.46586/tosc.v2025.i4.231-261
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Mario Marhuenda Beltrán + 1 more
Plaintext-awareness of AEAD schemes is one of the more obscure and easily misunderstood notions. The notion was originally proposed by Andreeva et al.; Mennink and Talnikar showed in 2025 that the original definitions are vague and leave too much room for interpretation. They presented new definitions and analyzed the three main AEAD compositions relative to the new definitions. In particular, they showed that MAC-then-Encrypt (MtE) is not plaintext-aware. However, they showed that an SIV-style variant is indeed plaintext-aware. In this work, we first show that their analysis contains a gap, voiding their proof. We show this by presenting several attacks: against their choice of extractor, with trivial complexity, and against any extractor, with birthday-bound complexity. Next, we re-establish their results by designing a new extractor that captures their intended goal and prove a tight PA1 security bound. We also show that the result is not dependent on the encryption scheme used, by showing that an extractor can also be designed for sMtE[ΘCB3], a variant where the encryption step is done by a ΘCB3-like scheme. Afterwards, we strengthen their results by revisiting other compositions. In particular, we show that Encrypt-then-MAC (EtM) is in fact PA2-secure. Furthermore, we show that SIV-style MtE cannot be PA2-secure. Additionally, we show that Encode-then-Encipher is also PA2-secure, but not beyond the first successful forgery. More importantly, we show that, up to some necessary assumptions, PA2 and RAE are equivalent. This result, while positive, holds only up to the first successful forgery. This indicates that the PA2 formalization may be too strong for practical schemes, since we believe RAE sufficient for intuitive security. Last but not least, we investigate the value of the notion of plaintext awareness. We look deeper into the relation between plaintext awareness and confidentiality.
We show that the problem of confidentiality in the presence of release of unverified plaintext can be seen as a confidentiality-with-leakage problem in the simulatable leakage framework. In this regard, we start by showing that PA1 security cannot imply confidentiality with leakage. Similarly, we compare our results to the AERUP notion of ToSC 2019. We show that a scheme can be AERUP secure but not secure against a somewhat straightforward left-or-right attack in the same model. This puts into question the meaning and relevance of the PA1 and AERUP security notions. Results based on these notions can be seen as providing security in a two-phase game, where the adversary does not observe any leakage after the first challenge query, as we argue in the paper. On the positive side, we show that if a scheme achieves IND-CPA, INT-RUP and PA2, then it achieves confidentiality with leakage for the appropriate leakage function. This closes a gap in the literature on the relation between confidentiality with leakage and RUP notions.
- Research Article
- 10.46586/tosc.v2025.i4.308-356
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Haoran Li + 4 more
In this paper, we present a novel framework for cube attacks named cube attacks with elimination strategy. The core idea is to find specific key conditions and cubes such that their superpolies under these key conditions can be efficiently computed. By recovering these conditional superpolies, we can solve the corresponding equation system and thereby retrieve key information. If a sufficient number of such key conditions can be found, the attack can be extended to a larger key space. To apply this framework in practical attacks, we propose the following techniques. First, we propose a nested coefficient solver that combines variable substitution and symbolic computation to efficiently recover superpolies, and present the conditional monomial prediction technique to rapidly recover conditional superpolies. Second, by combining numeric mapping with monomial prediction techniques, we propose an automated cube search algorithm that is capable of generating a large number of good cubes for attacks. Finally, we develop two kinds of testing methods, which are used to efficiently extract substantial key information from large-scale equation systems. To illustrate the power of our techniques, we apply them to Trivium. As a result, for 840 rounds of Trivium, a practical key recovery attack is mounted with complexity below 2^{55} and a success rate of 77.8%. For 845 rounds, we present a practical key recovery attack with complexity below 2^{56} and a success rate of 98.1% for 2^{80} × 59.1% keys. For 855 rounds, we present a theoretical weak-key recovery attack for 2^{74} keys. To the best of our knowledge, these are the best practical and theoretical attacks on Trivium. The improvements in the number of rounds reached are 13 for practical attacks and 4 for theoretical attacks, respectively.
- Research Article
- 10.46586/tosc.v2025.i4.1-30
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Nabil Chacal + 4 more
Linear Feedback Shift Registers (LFSRs) combined with non-linear filtering functions have long been a fundamental design for stream ciphers, offering a well-understood structure that remains easy to analyze. However, the introduction of algebraic attacks in 2003 shifted the focus toward more complex designs, as filtered LFSRs required larger registers to maintain security. While this was seen as a drawback at the time, it is no longer a limiting factor, and emerging cryptographic applications benefit from specialized designs—challenges that filtered LFSRs can effectively address. In this work, we propose a new filtered LFSR design, called Nostalgia, tailored for Hybrid Homomorphic Encryption (HHE). We use a weightwise quadratic function as filtering function, leveraging its efficiency in the HHE setting while ensuring security against classical attacks. We also discuss the parameter selection of our design and demonstrate its efficiency in this setting by providing a proof-of-concept implementation. In terms of latency, our HHE solution outperforms the current state-of-the-art for TFHE-based HHE (Baudrin et al., Crypto 2025) by a factor of 6.1. By revisiting filtered LFSRs in light of modern security requirements, we aim to renew interest in their potential applications and stimulate further cryptanalysis efforts.
- Research Article
- 10.46586/tosc.v2025.i4.70-124
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Subhadeep Banik + 7 more
In this paper, we propose Dialga, a family of low-latency tweakable block ciphers designed to support 128/256-bit tweaks and 256-bit keys. Dialga achieves significantly lower latency by leveraging multiple novel strategies. These include the use of multiple linear layers with efficient cell permutations, which enhance security against differential and linear attacks with negligible hardware overhead. We also identify the optimal choice of S-boxes for these permutations using state-of-the-art evaluation methods by SAT, enabling us to further reduce the delay of the round function. Besides, we design a reflection tweakey schedule that ensures strong security in the related-tweak setting and allows for encryption and decryption without delay overhead, reducing the circuit area. We conducted comprehensive hardware benchmarks involving Dialga and other primitives. As a result, Dialga achieves nearly half the delay of QARMAv2, while achieving approximately a 40% reduction in area, with the same claimed security.
- Research Article
- 10.46586/tosc.v2025.i4.125-166
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Jianhua Wang + 5 more
We introduce the Three-Hash Framework (THF), a new instantiation of the LRW+ paradigm that employs three hash functions to process tweak inputs. We prove that THF achieves beyond-birthday-bound security under standard assumptions. By extending the general practical cryptanalysis framework to the multiple-tweak setting, we further demonstrate that THF offers balanced resistance to both single- and multiple-tweak attacks, thereby enabling the potential for lower latency compared to existing constructions. Building on this framework, we design Blink, a family of tweakable block ciphers optimized for ultra-low latency. Blink features logarithmic-depth Toeplitz-based hashing, which ensures efficient diffusion and scalability with varying tweak lengths. Our cryptanalysis shows that Blink achieves strong security with fewer rounds, while hardware evaluations confirm its superior latency performance. Notably, Blink maintains comparable latency even when the tweak length is doubled, underscoring the scalability advantage of THF.
- Research Article
- 10.46586/tosc.v2025.i4.357-380
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Fukang Liu + 6 more
Fully homomorphic encryption (FHE) enables computation on encrypted data without decryption, providing strong guarantees for privacy-preserving applications. However, its practicality heavily depends on the efficiency of the underlying cryptographic primitives. To this end, FHE-friendly symmetric ciphers have been designed to achieve a balance between security and homomorphic efficiency. Among them, FASTA (a variant of Rasta) and HERA are two FHE-friendly symmetric-key primitives proposed at CT-RSA 2022 and ASIACRYPT 2021, respectively. Previous cryptanalytic results of FASTA and HERA were achieved by peeling off the last nonlinear layer. In this paper, we present an improved algebraic cryptanalysis of FASTA by exploiting structural properties of its affine layers through chosen-IV algebraic attacks. We demonstrate that both the first and last nonlinear layers of FASTA can be removed, which significantly reduces the algebraic degree of the resulting system. As a result, we achieve the first key-recovery attack on 4-round FASTA, with time complexity about 2^{118.8}, memory complexity 2^{94.2}, and data complexity 2^{34.1}, improving the best attack by 1 round. Overall, our findings reveal exploitable algebraic weaknesses in the affine layer of FASTA. For HERA, our refined chosen-IV algebraic attack based on the eXtended Linearization (XL) algorithm significantly enlarges the feasible parameter range, enabling attacks on prime moduli that were previously considered out of reach. This is mainly because the integration of the XL algorithm further decreases the number of keystream words required during the online phase of the chosen-IV algebraic attack, thus reducing the cost of its offline phase, i.e., a better tradeoff between the offline and online complexity can be achieved in our improved attack. This highlights the central role of the XL algorithm in enabling efficient algebraic attacks on FHE-friendly symmetric ciphers.
- Research Article
- 10.46586/tosc.v2025.i4.31-69
- Dec 17, 2025
- IACR Transactions on Symmetric Cryptology
- Simon Gerhalter + 9 more
In modern CPU architectures, various security features to mitigate software attacks can be found. Examples of such features are logical isolation, memory tagging or shadow stacks. Basing such features on cryptographic isolation instead of logical checks can have many advantages, such as lower memory overhead and more robustness against misconfiguration or low-cost physical attacks. The disadvantage of such an approach, however, is that the cipher that has to be introduced has a severe impact on the system performance, either in terms of additional cycles or a decrease of the maximum achievable frequency. Finally, as of today, there is no suitable low-latency cipher design available for encrypting 32-bit words, as is common in microcontrollers. In this paper, we propose a 32-bit tweakable block cipher tailored to memory encryption for microcontroller units. We optimize this cipher for low latency, which we achieve by a careful selection of components for the round function and by leveraging an attack scenario similar to the one used to analyze the cipher SCARF. To mitigate some attack vectors introduced by this attack scenario, we deploy a complex tweak-key schedule. Due to the shortage of suitable 32-bit designs, we compare our design to various low-latency ciphers with different block sizes. Our hardware implementation shows competitive latency numbers.