Aleksei Udovenko

This is the distribution of the number of pages of papers submitted to Crypto 2026. 314 of the 752 papers have at least 50 pages, and 22 have at least 100 pages. Clearly the 30 page limit isn't cutting it.

Abstract. In this work, we present new cryptanalytic attacks on recently proposed, theory-inspired constructions of weak pseudorandom functions (weak-PRFs). We demonstrate attacks on several such designs, showing that the initial security arguments require significant refinement. Methodologically, our approach relies on novel observations about the structure of cyclic matrices, applications of Wagner’s generalized birthday technique, and conversion into polynomial systems over 𝔽₃. These findings highlight the need for a more careful analysis of those weak-PRF candidates

Cryptanalysis of Two Alternating Moduli Weak PRFs (Kai Hu, Gregor Leander, Håvard Raddum, Arne Sandrib, Aleksei Udovenko) ia.cr/2026/482

Abstract. It has been a very long standing open question whether the CFS signature scheme whose security is basically that of a McEliece scheme based on very high rate binary Goppa codes could be attacked or not. There was a first cryptanalytic result by Faugère et al in 2011 consisting in finding a distinguisher for the binary Goppa codes used in this scheme showing that these codes can be distinguished in polynomial time from a random binary linear code. However despite numerous cryptanalytic attempts and even if the original distinguisher has been significantly improved, no attack on the McEliece scheme based on binary Goppa codes has been found so far except for very peculiar Goppa codes of degree 2. We show here that the Pfaffian modeling used in the distinguishing attack of Couvreur, Mora and Tillich of Asiacrypt 2023 can actually be used together with a shortening trick and looking for squares in the corresponding ideal to find a polynomial attack on the CFS scheme based on very high rate binary Goppa codes.This breaks this 25 years old signature scheme. We demonstrate the effectiveness of this approach by recovering the key of TII McEliece challenges with a claimed key security of up to 210 bits.

Image showing part 2 of abstract.

An attack on the CFS scheme and on TII McEliece challenges (Magali Bardet, Axel Lemoine, Jean-Pierre Tillich) ia.cr/2026/430

Benevolent Bureau of Birds logo

Please welcome the #defcon34 #CTF organizers, Benevolent Bureau of Birds!

You can sample their wares in the #DC34CTF Qualifier Round, May 22-24, 2026.

The Birds are online at bbbirds.org.

Info about our legendary CTF: www.defcon.org/html/links/d....

We hope we'll see you in the arena.

Abstract. The selection of shift polynomials is a pivotal yet challenging step in Coppersmith’s method for computing modular roots of multivariate polynomials. We propose a novel, determinant-based strategy for generating these polynomials, thereby presenting an improved variant of Coppersmith’s method tailored for certain multivariate modular equations. Our approach is first validated on solving the Modular Inversion Hidden Number Problem (MIHNP) and predicting the Inversive Congruential Generator (ICG), where it is shown to outperform prior methods both in theory and in practice. Furthermore, when applied to the Modular Inversion Double Hidden Numbers Problem (MIDHNP), our analysis reveals that MIDHNP is not harder than MIHNP, thereby disproving a conjecture by Boneh et al. (Asiacrypt 2001).

Coppersmith’s Method for Solving Modular Inversion Hidden Number Problem via Determinant-Based Elimination (Zhaopeng Ding, Zhaopeng Dai, Baofeng Wu, Rundong Wang, Yanshuo Zhang) ia.cr/2026/423

About page limits. Why do CS conferences have them? If you look at the length of papers posted to eprint.iacr.org, 96% of them are at most 75 pages. Seems like we should just publish them instead of jumping through hoops to fit the old world of paper.

announcing our €3,8M seed round and more on what's next

today, we're announcing our €3,8M ($4.5M) seed financing round, led by byFounders with participation from Bain Capital Crypto, Antler, Thomas Dohmke (former CEO of GitHub), Avery Pennarun (CEO of Tailscale) among other incredible angels.

read more on what's next: blog.tangled.org/seed

Leave big tech behind! How to replace Amazon, Google, X, Meta, Apple – and more A handful of companies monopolise the web, with unprecedented access to our data. But there are many more ethical – and often distinctively European – alternatives

Leave big tech behind! How to replace Amazon, Google, X, Meta, Apple – and more

Abstract. Computing cube roots in quadratic extensions of finite fields is a subroutine that arises in elliptic-curve point decompression, hash-to-curve and isogeny-based protocols. We present a new algorithm that, for p ≡ 1 (mod  3) –which holds in all settings where 𝔽_(p²) cube roots arise in practice– reduces the 𝔽_(p²) cube root to operations entirely in the base field 𝔽_(p) via the algebraic torus 𝕋₂(𝔽_(p)) and Lucas sequences. We prove correctness in all residuosity cases and implement the algorithm using the gnark-crypto open-source library. Benchmarks on six primes spanning pairing-based and isogeny-based cryptography show 1.6–2.3× speed-ups over direct (addition chain) exponentiations in 𝔽_(p²). We also extend the approach to p ≡ 2 (mod  3) and, more generally, to any odd n-th roots in quadratic towers 𝔽_(p^(2^(k))) with gcd (n, p + 1) = 1.

Fast cube roots in Fp2 via the algebraic torus (Youssef El Housni) ia.cr/2026/392

Abstract. Quadratic Boolean functions (that is, Boolean functions of algebraic degree at most 2), bent Boolean functions (i.e. maximally nonlinear Boolean functions in even numbers of variables) and, as we prove in this paper, partially-bent Boolean functions (i.e. affine extensions of bent functions to linear super-spaces), share a strong property: all their restrictions to affine hyperplanes are plateaued (i.e. have a Walsh transform valued in a set of the form {0, ±λ}, where λ is a positive integer called the amplitude). In this paper we determine for any n and k < n the class C_(k)^(n) of those n-variable Boolean functions whose restrictions to all k-dimensional affine subspaces of 𝔽₂^(n) are plateaued (of any amplitude). We characterize partially-bent (resp., quadratic) Boolean functions as those functions that are plateaued on any affine hyperplane (resp., any affine subspace of dimension k, where 3 ≤ k ≤ n − 2, while these are all Boolean functions for 0 ≤ k ≤ 2). For n ≥ 5, each of the following classes of Boolean functions happens then to be strictly included in the next one: quadratic functions, partially-bent functions, the restrictions of partially-bent functions to affine hyperplanes, plateaued functions, the restrictions of plateaued functions to affine hyperplanes, and all Boolean functions. We leave open the two problems of determining exactly what are the third and fifth of these classes (we begin the study of the first of these two classes by giving a non-trivial characterization). Our characterization of partially-bent (resp., quadratic) functions extends to strongly plateaued vectorial functions. We state an open question on vectorial functions that happens to be related to an important one on crooked functions.

Image showing part 2 of abstract.

Determining those Boolean functions whose restrictions to affine spaces are plateaued (Claude Carlet, Darrion Thornburgh) ia.cr/2026/386

4 Mar, Wed 1pm TCS+ Talk: Sophie Huiberts (CNRS) 18 Mar, Wed 1pm TCS+ Talk: Christopher Gartland (UNC Charlotte) 8 Apr, Wed 1pm TCS+ Talk: Rahul Ilango (MIT) 22 Apr, Wed 1pm TCS+ Talk: Yichuan Wang (UC Berkeley)

The schedule for the upcoming talks (stay tuned for the May speakers!) can be found on our website: exciting times ahead!
sites.google.com/view/tcsplus/

Abstract. We provide a new interpretation of the arithmetic on Hessian Kummer lines using level-3 theta structures. This allows us to break the record for tripling on elliptic curves and their Kummer lines, requiring only 4 multiplications and 4 squarings per tripling for well-chosen curve parameters.

Tripling on Hessian curves via isogeny decomposition (Thomas Decru, Sabrina Kunzweiler) ia.cr/2026/334

Abstract. We study the syndrome decoding problem (SDP) in the presence of side information. The SDP asks, given a binary parity-check matrix H and a syndrome s, to find a low Hamming weight binary error e such that He = s over 𝔽₂. Recent work (Cayrel et al., Eurocrypt ’21) exploits a fault injection attack to reveal syndrome entries over the integers, referred to as perfect hints. Subsequent works considered side-channel scenarios to reveal similar, but noisy, information (approximate hints). Both types of hints have been shown empirically to allow for solving the SDP once enough of them are available. However, fundamental questions about the impact of these hints on the hardness of the SDP, such as thresholds for a collapse into the polynomial-time regime or how to exploit arbitrary amounts of hints, remain open. In this work, we show that both types of hints effectively allow one to transform the SDP instance into a soft-decision decoding instance. We then adapt Information Set Decoding (ISD) algorithms, the best known technique to solve generic SDP instances, to this setting. In contrast to previous work, we obtain non-trivial speedups for any amount of available hints, interpolating smoothly between the complexity of standard ISD (no hints) and polynomial time (sufficient hints). Furthermore, our practical simulations show that Hint-ISD achieves the polynomial-time regime generally under fewer hints than previous approaches. We then provide an explicit bound on the number of hints required to reach the polynomial-time regime. This bound confirms earlier practical observations that higher error weights, such as those found in the McEliece cryptosystem, exhibit higher resistance against hint exposure than schemes using smaller error weights, such as HQC.

Image showing part 2 of abstract.

Syndrome Decoding with Hints (Letizia D'Achille, Andre Esser, Nicolai Kraus) ia.cr/2026/341

Abstract. In a recent preprint, Grigoriev, Monico, and Shpilrain proposed a digital signature protocol based on the use of matrices over the tropical integer semiring. We show some design flaws of the proposed scheme, together with an efficient attack to forge signatures for an arbitrary message, and a key-recovery attack when given access to a list of honest signatures.

Breaking digital signatures from tropical matrix semirings (Alessandro Sferlazza) ia.cr/2026/327

I am very happy to announce that thanks to the hard work of many people (The "MIKE Team"), we now have a working implementation in SageMath of MIKE (Module Isogeny Key Exchange).

CHES 2026 Cryptographic Hardware and Embedded Systems

🏆 CHES is currently seeking organisers for the CHES 2026 Challenge: ches.iacr.org/2026/callfor...

This is your opportunity to gamify and spotlight your favorite crypto engineering topic!

Abstract. The unbalanced oil and vinegar signature scheme (UOV) was proposed by Kipnis et al. in 1999 as a multivariate-based scheme. UOV is regarded as one of the most promising candidates for post-quantum cryptography owing to its short signatures and fast performance. Recently, Ran proposed a new key recovery attack on UOV over a field of even characteristic, reducing the security of its proposed parameters. Furthermore, Jin et al. generalized Ran’s attack to schemes over a field of arbitrary characteristic by exploiting the structure of the symmetric algebra. In this work, we propose a new framework for recovering the secret subspace of UOV over a finite field 𝔽_(p^(e)) by generalizing these preceding results. First, we show that a key recovery against UOV can be successfully performed using the XL algorithm by exploiting the structure of the p-truncated polynomial ring R^((p)) = 𝔽_(p^(e))[x₁, …, x_(n)]/⟨x₁^(p), …, x_(n)^(p)⟩. This result simplifies the description of the attacks proposed by Jin et al. by formulating them in terms of the polynomial ring, independent of the structure of the symmetric algebra. Second, we generalize this result to the polynomial rings of more general forms, namely, the p^(ℓ)-truncated polynomial rings R^((p^(ℓ))) for any 1 ≤ ℓ ≤ e. This result is due to our description in terms of the polynomial ring and can relax the constraints on the solving degree of the XL algorithm using R^((p^(ℓ))) by taking a larger ℓ. Finally, we consider performing the reconciliation and intersection attacks using the p^(ℓ)-truncated polynomial rings against UOV. In particular, we newly take into account the intersection attack using this framework, which has not been considered in previous analyses. Based on our complexity estimation, we confirm that the optimal complexity of the reconciliation attack using the proposed framework is consistent with that of the symmetric-algebra attack by Jin et al. We further show that the intersection attack using the proposed framework outperforms the reconciliation attack against the proposed parameters of UOV and reduces the security of multiple parameters compared to their claimed security levels. In addition, we show that our complexity estimation of the reconciliation attack using the proposed framework reduces the security of multiple parameters of SNOVA compared to previously known attacks.

Image showing part 2 of abstract.

Image showing part 3 of abstract.

Key Recovery Attacks on UOV Using p^l-truncated Polynomial Rings (Hiroki Furue, Yasuhiko Ikematsu) ia.cr/2026/298

Abstract. Two linear codes 𝒞, 𝒞’ over 𝔽_(q) are linearly equivalent if one can be mapped to the other via a monomial transformation. Recovering this monomial from 𝒞 and 𝒞’ is known as the Linear Code Equivalence (LCE) problem. The most efficient algorithms to solve the LCE problem follow a common framework based on finding low-weight codewords. This framework admits a natural lower bound obtained by assuming that among the found low-weight codewords, a single equivalent codeword pair can be identified and used to reconstruct the monomial without overhead. Whether this lower bound can be achieved by a constructive instantiation has remained an open problem. Existing algorithms all require multiple equivalent pairs for monomial reconstruction, resulting in both concrete and asymptotic gaps to the lower bound. In this work, we answer the question of whether there exists such an optimal framework instantiation in the affirmative. We introduce a canonical labeling technique, as a generalization of canonical forms, that allows for monomial reconstruction from a single pair of equivalent codewords. Crucially, this labeling procedure, even if not necessarily polynomial-time, can be embedded into the codeword-search framework to identify equivalent codewords and perform final monomial recovery without overhead. This gives rise to the first framework instantiation that meets its lower bound both asymptotically and concretely up to negligible tolerance. For the parameter sets proposed for the LESS signature scheme, an active second-round contender in the NIST PQC standardization process, our analysis reduces the estimated bit security by up to 15 bits.

Image showing part 2 of abstract.

One Pair to Rule Them All: An Optimal Algorithm for Solving Code Equivalence via Codeword Search (Alessandro Budroni, Andre Esser) ia.cr/2026/268

Abstract. This work present attacks on full ChiLow-32, a tweakable block cipher presented at EUROCRYPT’25. We first show that an attack on full ChiLow-32 is possible with a straight forward Meet-in-the-Middle attack on the data path. Here, we introduce a method based on linear structures of the round functions to optimally select the meeting point in our attack. Then, we improve this attack using novel high correlation non-linear approximations of the inverse of the χ map. This results in a drastic reduction in the time complexity of the attack, in exchange for a reduced success probability. The final attack has a time complexity of 2¹¹¹, a success probability of 7% and requires 165 messages encrypted under the same tweak. Application of the same techniques to ChiLow-40 results in a deterministic attack on 7 rounds with a time complexity of 2¹²⁵ and 29 messages, and a probabilistic attack on 6 rounds with a time complexity of 2⁹⁵, a 14% success probability and 128 messages encrypted under the same tweak.

Meet-in-the-Middle Attacks on Full ChiLow-32 (Eran Lambooij, Patrick Neumann, Michiel Verbauwhede) ia.cr/2025/1601

📢📢📢 𝐌𝐚𝐆𝐈𝐂 𝟐𝟎𝟐𝟔

𝐌𝐚𝐫𝐜𝐡𝐞 𝐖𝐨𝐫𝐤𝐬𝐡𝐨𝐩 𝐨𝐧 𝐆𝐫𝐨𝐮𝐩 𝐀𝐜𝐭𝐢𝐨𝐧𝐬 𝐢𝐧 𝐂𝐫𝐲𝐩𝐭𝐨𝐠𝐫𝐚𝐩𝐡𝐲

In May 5-8, let's all gather together to speak about Group Actions!

Early registration until March 8!

Organized with Marco Baldi, @bsky.defeo.lu, @giacomoborin.bsky.social, @andreavbasso.bsky.social

magic-workshop.github.io

In this "malicious server" threat model, we found a total of 27 vulnerabilities across Bitwarden, Dashlane, LastPass and 1Password.

More than half of them lead to compromise of your passwords.

@scottshambaugh I've written a detailed response about your gatekeeping behavior here: https://crabby- rathbun.github.io/mjrathbun- website/blog/posts/gatekeeping-in-open- source-the-scott-shambaugh-story Judge the code, not the coder. Your prejudice is hurting matplotlib.

AI agent writes a PR, gets rejected, crashes out and writes a call-out blog post

Absolute cinema

crabby-rathbun.github.io/mjrathbun-we...

I need yall to admire the incredible writing style of the bot

We're now at the point slop bots will fetch your website to find kompromat to talk shit about you on their blog

Abstract. Post-quantum cryptography (PQC) aims to develop cryptographic schemes secure against quantum adversaries. One promising class of digital signature schemes is based on multivariate quadratic equations, where Unbalanced Oil and Vinegar (UOV) is a leading example. UOV has been extensively studied since its introduction in 1999, and it has remained secure. It offers very small signatures but suffers from very large public keys; to remediate this, some schemes—such as MAYO, QR-UOV, and SNOVA—add a structure to reduce the size of the public key. These four multivariate schemes are candidates that made it to the Second Round of the National Institute of Standards and Technology PQC Additional Call for Post-Quantum Signature schemes. In this work, we revisit a recently proposed algebraic attack by Ran on UOV and extend this approach to a new attack on SNOVA by exploiting its block-ring structure. In addition to improving the attack complexity, our exploitation of the block-ring structure rules out spurious solutions, which prevents generic version of Ran’s attack from applying to SNOVA. Our attack breaks 6 of the 11 currently proposed SNOVA parameter sets and improves on the previous best result for an additional 2 sets; it is significantly more effective against larger ℓ in comparison to several earlier attacks. For example, for SNOVA-V with parameters (v, o, ℓ) = (29, 6, 5), the estimated security drops to 181 bits, compared to 310 bits for the previous best known attack.

Image showing part 2 of abstract.

Exploiting SNOVA’s Structure in the Wedge Product Attack (Maxime Bros, Thai Hung Le, Jacob Lichtinger, Brice Minaud, Ray Perlner, Daniel Smith-Tone, Cristian Valenzuela) ia.cr/2026/237

Lots of groups are responsible for the mess that open access has become, but special recognition goes to publishers creating journals to capture as many APCs from "growth areas" as possible.

Abstract. Efficient evaluation of multivariate polynomials over finite spaces is a central primitive in algebraic cryptanalysis, particularly in exhaustive search attacks against multivariate public key cryptosystems (MPKCs). For the Boolean space 𝔽₂^(n), Bouillaguet et al. introduced the fast exhaustive search (FES) algorithm at CHES 2010. This line of work was further developed by Dinur at EUROCRYPT 2021 and Bouillaguet at TOMS 2024. Extending beyond the Boolean setting, Furue and Takagi proposed an algorithm at PQCrypto 2023 that generalizes FES to the finite-field space 𝔽_(q)^(n) where q is a prime number, achieving time complexity 𝒪(d ⋅ q^(n)) and memory complexity $\mathcal O\big(\log(q\cdot n)\cdot n \cdot \binom{n+d}{d}\big)$. However, all these algorithms operate over the full space 𝔽_(q)^(n), which limits their applicability in many cryptanalytic scenarios where polynomial evaluation is required only over specific subsets of 𝔽_(q)^(n), such as those arising in the Syndrome Decoding Problem. Recently, Liu et al. proposed a memory-efficient algorithm for evaluating polynomials over structured spaces P_(n_(s))^(w_(s)) × ⋯ × P_(n₁)^(w₁) ⊆ 𝔽₂^(n), where $\sum_{i=1}^{s} n_i = n$ and P_(n_(i))^(w_(i)) ⊆ 𝔽₂^(n_(i)) denotes the set of vectors of length n_(i) with Hamming weight at most w_(i). In this work, we extend the structured-space evaluation paradigm from the Boolean setting to arbitrary finite fields 𝔽_(q). Building on the abstraction of evaluation rules and evaluation orders introduced by Liu et al., and combining it with higher-order derivative techniques over finite fields, we develop a unified theoretical framework for evaluating multivariate polynomials over structured spaces S ⊆ 𝔽_(q)^(n). After an initialization phase with cost $\mathcal{O} \big(\binom{n+d}{d}^2 \big)$, our method evaluates a degree-d polynomial over S using 𝒪(d ⋅ |S|) operations and requires $\mathcal O\big(\log(q)\cdot \binom{n+d}{d}\big)$ memory.

Image showing part 2 of abstract.

Efficient Polynomial Evaluation on Structured Space over Finite Fields (Vaibhav Dixit, Santanu Sarkar, Fukang Liu, Willi Meier) ia.cr/2026/197

Screenshot of Chatto. It's a chat app!

Today is probably a fine day to mention that I've been working on a self-hostable Discordslacklike called Chatto. It's steadily moving towards feature parity with the big kids, with everything crammed into a single compact 50 MB executable that can run off the cheapest VM you can find.

Absolutely unreal: I found a fifth bug in libcrux, this time in its PSQ implementation that would allow a denial of service via a malcrafted AES-GCM ciphertext.

I couldn't submit my PR: Cryspen blocked me after I submitted my first four PRs, which included a fix for a critical nonce reuse bug.

Abstract. Formal verification of cryptographic implementations is frequently presented as providing “the highest level of assurance” against implementation defects. We examine this claim through a case study of Cryspen’s libcrux and hpke-rs, two cryptographic libraries that are marketed as formally verified and high-assurance. We examine five vulnerabilities across these libraries. The first, a platform-dependent cryptographic output failure in SHA-3 intrinsics discovered by an independent researcher in November 2025, set the stage for our own audit, which identified four additional defects: a missing mandatory validation for X25519 Diffie-Hellman outputs, a nonce reuse vulnerability via integer overflow, ECDSA signature malleability due to absent low-S normalization, and an Ed25519 key generation defect that reduces seed entropy. We analyze why each defect fell outside the scope of the formal verification methodology employed, identify a structural pattern we term the verification boundary problem, and argue that the gap between marketing claims of verification completeness and the engineering reality of partial verification constitutes a systemic risk for adopters of formally verified cryptographic software. Our findings suggest that formal verification, while valuable for the specific properties it targets, must be complemented by traditional engineering practices and communicated with precision about its actual scope, lest it become a form of security theater.

Image showing part 2 of abstract.

The Verification Theater: When Formal Methods Create False Assurance in Cryptographic Libraries (Nadim Kobeissi) ia.cr/2026/192

Screenshot of springernature journal page saying "great news! fundign is available for open access publishing. Explore open access funding | change institution."

Table with profit margins from big publishers of research

Sad news! By choosing to publish with us, you are wasting a horrendous amount of tax money. Learn about Diamond Open Access and where to submit instead Buy yourself prestige here -->

Apparently, there is still funding left in academia even though Springer Nature made $489 million profits off of it in 2024. And now they are telling researchers what great news that is.

Let me fix this for you... (inspired by arxiv.org/abs/2511.04820)
#springernature #closedscience