Cryptology ePrint Archive

    Mina: Decentralized Cryptocurrency at Scale

    We introduce the notion of a succinct blockchain, a replicated state machine in which each state transition (block) can be efficiently verified in constant time regardless of the number of prior transitions in the system. Traditional blockchains require verification time linear in the number of transitions. We show how to construct a succinct blockchain using recursively composed succinct non-interactive arguments of knowledge (SNARKs). Finally, we instantiate this construction to implement Coda (now known as Mina), a payment system (cryptocurrency) using a succinct blockchain. Coda offers payment functionality similar to Bitcoin, with a dramatically faster verification time of 200ms, making it practical for lightweight clients and mobile devices to perform full verification of the system's history.

    Short Pairing-based Non-interactive Zero-Knowledge Arguments

    We construct non-interactive zero-knowledge arguments for circuit satisfiability with perfect completeness, perfect zero knowledge and computational soundness. The non-interactive zero-knowledge arguments have sublinear size and very efficient public verification. Their size can even be reduced to a constant number of group elements if we allow the common reference string to be large. Our constructions rely on groups with pairings, and security is based on two new cryptographic assumptions; we do not use the Fiat-Shamir heuristic or random oracles.

    The XHash Family for ZK-Friendly Hash Functions

    Zero-knowledge proofs are widely used in real-world applications, such as authentication, access control, blockchains, and cryptocurrencies. The underlying hash function is a core element in these zero-knowledge proof systems, and it plays a vital role in their efficiency. While traditional hash functions, such as SHA3 or BLAKE, are efficient on CPU architectures, they perform poorly within proof systems. This is primarily because these systems require functions that operate efficiently over finite fields, without mixing operations from different algebras. To address this challenge, a new paradigm called Arithmetization-Orientation has emerged. These designs are tailored for efficiency within proof systems while providing reliable security guarantees. Several such hash functions have been proposed, but many have been successfully targeted by algebraic attacks or fail to provide optimal performance. In this work, we provide a new framework to design such hash functions that prevents these attacks and allows a highly efficient implementation in various proof systems. To this end, we combine the Marvellous design strategy with a new type of S-boxes and propose a new security argument against algebraic attacks that relies on a single well-defined and reasonable conjecture of a novel type. Using these techniques in the framework, we construct four new hash functions, XHash12-Goldilocks, XHash8-Goldilocks, XHash24-M31, and XHash16-M31. These high-performance hash functions are designed for ZK-STARKs and Circle-STARKs.

    On Extractability of the KZG Family of Polynomial Commitment Schemes

    We present a unifying framework for proving the knowledge-soundness of KZG-like polynomial commitment schemes, encompassing both univariate and multivariate variants. By conceptualizing the proof technique of Lipmaa, Parisella, and Siim for the univariate KZG scheme (EUROCRYPT 2024), we present tools and falsifiable hardness assumptions that permit black-box extraction of the multivariate KZG scheme. Central to our approach is the notion of a canonical Proof-of-Knowledge of a Polynomial (PoKoP) of a polynomial commitment scheme, which we use to capture the extractability notion required in constructions of practical zk-SNARKs. We further present an explicit polynomial decomposition lemma for multivariate polynomials, enabling a more direct analysis of interpolating extractors and bridging the gap between univariate and multivariate commitments. Our results provide the first standard-model proofs of extractability for the multivariate KZG scheme and many of its variants under falsifiable assumptions.

    On the Estonian Internet Voting System, IVXV, SoK and Suggestions

    The Estonian i-voting experience is probably the richest to analyze: the country has been considered a pioneer in digitizing both the government and the private sector since 2001, followed by online internet voting (i-voting) in 2005. However, there are still complaints, criticisms and remarks to consider about the IVXV system. In this paper, we introduce a Systematization of Knowledge of the Estonian IVXV i-voting system and propose some added security enhancements. The presented SoK discusses applications implemented by election observers in the 2023 and 2024 elections, which, to our knowledge, have never been mentioned or analyzed in academia before. We also point out an unnoticed automated formal verification analysis of IVXV; the researchers discovered a privacy attack that we show to be extendable to possible large-scale encrypted vote copying. In addition, we identify and analyze recent fixes and improvements in the June 2024 version used in the European Parliament elections, connecting them to their academic sources. Then, we discuss the current system status, pointing out risks that have never been discussed before, such as voting trojan horses and automated online attacks, propose our own suggestions for some remaining vulnerabilities, discuss the newest Estonian Cyber Security Committee June 2025 report, and then raise the inevitable question of the approaching quantum threat.

    Provably Secure Hybrid Inner Product and Boolean Masking via Composable Conversion

    Masking is a representative side-channel countermeasure that provides provable security. Among masking schemes, Boolean masking (BM) is widely adopted due to its simple sharing structure, while inner product masking (IPM) and code-based masking (CM) have been studied as alternatives that achieve a higher security order with the same number of shares---a property known as security order amplification in the bit-probing model. Recent work by Gaspoz and Dhooghe (TCHES 2025) proposed an IPM multiplication gadget and CM gadgets with provable bit-level security; however, the overhead of CM gadgets for linear operations, the overhead of IPM multiplication, and the lack of a complete provably secure implementation exploiting IPM security order amplification remain open challenges. In this paper, we address all three challenges. First, we propose BM-to-IPM and IPM-to-BM conversion gadgets satisfying bit $t$-MIMO-SNI in the bit-probing model, enabling composable and provably secure interoperation between the two masking domains. Second, we optimize the TCHES 2025 IPM multiplication gadget via Row Packing and Reduction in Rows, reducing the fresh random bit requirement from $\frac{1}{2}t(n^2-1)k^2(k+1)$ to $tk(n-1)(kn+W)$ bits with a proportional reduction in XOR gates, while maintaining bit $t$-SNI security. Third, we present a hybrid IPM-BM framework in which multiplications are performed in IPM with fewer shares and all Boolean linear operations are handled share-wise in BM at no additional randomness cost, and show that this hybrid approach requires significantly fewer gates and random bits than a pure CM approach. As a concrete instantiation, we implement a second-order masked AES-128 with a 2-share IPM / 3-share BM hybrid architecture, prove that the implementation satisfies bit 2-PINI, and evaluate its practical side-channel security via first- and second-order TVLA on an ARM Cortex-M4 with up to one million traces. To the best of our knowledge, this is the first end-to-end cryptographic implementation that provably preserves IPM's security order amplification in the bit-probing model.
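The two sharing structures this abstract contrasts, and the reason the hybrid design keeps Boolean-linear layers in the BM domain, can be seen in a few lines. The following is an illustration added here, not code from the paper or its authors: it shares a byte under Boolean masking and under inner product masking over GF(2^8), reconstructs both, and then applies an F2-linear byte operation (a rotation) share-wise. Under BM the rotation commutes with XOR, so the result is still a valid sharing of the rotated secret at no randomness cost; under IPM it does not commute with multiplication by the public vector L, so the same share-wise step breaks the sharing. The field polynomial (the AES one, 0x11b) and the public vector L = [1, 2, 3] are assumptions chosen for this demo; the paper's conversion gadgets, which move between the two domains without ever reconstructing the secret, are not reproduced.

```python
"""Boolean masking (BM) vs inner product masking (IPM) over GF(2^8).

Added illustration; not the paper's code. The field polynomial (AES, 0x11b)
and the public IPM vector L used in demo() are assumptions for this demo.
"""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (assumed field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
    return r


def xor_all(vals) -> int:
    r = 0
    for v in vals:
        r ^= v
    return r


def bm_share(x: int, n: int, rand=secrets.randbelow) -> list:
    """Boolean masking: x = s_1 ^ ... ^ s_n, with s_2..s_n uniform."""
    tail = [rand(256) for _ in range(n - 1)]
    return [x ^ xor_all(tail)] + tail


def bm_unshare(shares) -> int:
    return xor_all(shares)


def ipm_share(x: int, L, rand=secrets.randbelow) -> list:
    """Inner product masking: x = <L, s> = L_1*s_1 ^ ... ^ L_n*s_n in GF(2^8),
    with public L, L_1 = 1 and every L_i nonzero; s_2..s_n uniform, s_1 fixed up."""
    if L[0] != 1 or any(l == 0 for l in L):
        raise ValueError("IPM needs L_1 = 1 and nonzero L_i")
    tail = [rand(256) for _ in range(len(L) - 1)]
    s1 = x ^ xor_all(gf_mul(l, s) for l, s in zip(L[1:], tail))
    return [s1] + tail


def ipm_unshare(shares, L) -> int:
    return xor_all(gf_mul(l, s) for l, s in zip(L, shares))


def rotl8(v: int) -> int:
    """A Boolean-linear (F2-linear) byte operation that is not GF(2^8)-linear."""
    return ((v << 1) | (v >> 7)) & 0xFF


def bm_sharewise_linear(shares, f) -> list:
    """For F2-linear f, f(a ^ b) = f(a) ^ f(b), so applying f to each BM share
    needs no fresh randomness and keeps the secret: xor_i f(s_i) = f(x)."""
    return [f(s) for s in shares]


def ipm_sharewise_linear(shares, f) -> list:
    """Same step on IPM shares. f need not commute with multiplication by L_i,
    so xor_i L_i * f(s_i) is in general NOT f(x): the sharing is broken."""
    return [f(s) for s in shares]


def demo(x: int = 0x1B) -> dict:
    """Share x both ways, check reconstruction, and test whether a share-wise
    rotl8 still encodes rotl8(x). L = [1, 2, 3] is an assumed public vector."""
    L = [1, 2, 3]
    bm = bm_share(x, 3)
    ipm = ipm_share(x, L)
    return {
        "bm_roundtrip": bm_unshare(bm) == x,
        "ipm_roundtrip": ipm_unshare(ipm, L) == x,
        "bm_linear_ok": bm_unshare(bm_sharewise_linear(bm, rotl8)) == rotl8(x),
        "ipm_linear_ok": ipm_unshare(ipm_sharewise_linear(ipm, rotl8), L) == rotl8(x),
    }


if __name__ == "__main__":
    print(demo())
```

With the fixed IPM shares [0x00, 0x80, 0x00] and L = [1, 2, 3] the secret is 2 * 0x80 = 0x1B, whose rotation is 0x36, yet rotating the shares and recombining yields 0x02. That mismatch is the cost the abstract refers to when it says linear operations are expensive in IPM and CM, and why the hybrid keeps them share-wise in BM while paying for conversion gadgets only around the multiplications.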

    SIR: A Sparse-Interaction Keystream Generator with a Hardware-Oriented Architecture

    Lightweight keystream generators are widely used in resource-constrained digital systems, where implementation efficiency in area, power, and logic structure is a primary design concern. Conventional designs predominantly employ shift-register-based state propagation, in which diffusion is inherently coupled with sequential data movement. This work investigates an alternative architectural approach in which state mixing is achieved through sparse interaction among state variables, enabling a decoupling between diffusion and register propagation. We present SIR, a sparse-interaction keystream generator with a 128-bit internal state composed of a nonlinear 64-bit primary state and a 64-bit auxiliary linear state. The primary state is updated using a compact four-input Boolean function applied over a fixed sparse neighbourhood, while the auxiliary state provides lightweight round-dependent perturbation. This structure realizes diffusion through parallel combinational interaction, leading to a distinct hardware profile characterized by reduced reliance on sequential storage and increased distributed logic. The architectural behaviour is evaluated through diffusion and statistical experiments, showing rapid propagation of local perturbations across the state within 14--15 rounds and no observable low-order dependence between internal state variables and output in the tested regime. Hardware implementation on a Xilinx Artix-7 FPGA requires 183 LUTs and 177 flip-flops, while ASIC synthesis using a 45 nm standard-cell library results in an area of 3079 gate equivalents. Comparative evaluation with Grain-128, Trivium, and Espresso under identical implementation conditions demonstrates that the proposed architecture provides a competitive trade-off between combinational logic and sequential resources. The results indicate that sparse-interaction-based state evolution constitutes a viable architectural alternative for lightweight keystream generation, particularly in hardware-oriented and FPGA-based design settings.

    Outsourced Private Set Intersection for Pairwise Analytics

    This paper studies privacy-preserving data analytics in settings where multiple parties hold sensitive datasets and want to compute global statistics without revealing their data. We focus on computing the total number of common elements (cardinality of intersections) across multiple pairs of datasets, while ensuring that only the final aggregated result is disclosed and no intermediate information (such as individual intersections) is leaked. To address this problem, we introduce a new cryptographic primitive called outsourced cardinality private set intersection with secret-shared outputs (CaOPSI-SS). Our solution is extremely simple and uses pseudorandom functions and two non-colluding servers to offload computation, making it suitable for environments with heterogeneous resources. Building on this primitive, we design a protocol for aggregated pairwise analytics that computes the sum of intersection cardinalities across many parties. We apply our framework to a real-world use case: privacy-preserving mail analytics in large organizations with multiple subsidiaries. The system allows useful fine-grained queries over email logs while protecting sensitive HR data. We also extend the solution with differential privacy mechanisms to further protect individual records. Finally, we implement and evaluate the protocol, showing its scalability and practicality for large datasets. Our solution enables parties to obliviously offload their datasets to two non-colluding servers using pseudorandom functions and further execute a circuit-PSI among these two servers to obtain secret shares of the output.

    HIGH: Harnessing GPU Parallelism for Optimized HQC Performance

    Hamming Quasi-Cyclic (HQC) was a candidate algorithm in the fourth round of the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standardization process and was ultimately selected for standardization in the latest round. To date, although HQC has been optimized for FPGA, CPU, and other platforms, research on GPU-based parallel acceleration remains significantly underexplored. Given this, our research aims to investigate the feasibility and efficiency of hand-optimized HQC implementations on GPU, addressing the current research gap in GPU-based implementations of code-based cryptographic algorithms. In this paper, we introduce a High-performance Implementation of GPU-based HQC, named HIGH. First, we propose a novel architecture for code-based PQC implementations, significantly reducing redundant global memory access through core fusion. Second, we design a HIKD structure for HIGH, combining a high-order multiplication scheme (HIK) and a low-order multiplication scheme (HID), achieving an 85.6% improvement over the official fourth-round optimized implementation. Third, through extensive experimentation, we sought the optimal HIKD combination and identified the optimal parallel parameters; leveraging these optimizations, HIGH surpasses current state-of-the-art benchmarks, with Key Generation, Encapsulation, and Decapsulation performance increased by 20×, 32×, and 39×, respectively.

    Equivocal Broadcast Encryption: Adaptively-Secure Optimal Distributed Broadcast Encryption from Lattices

    We present the first Distributed Broadcast Encryption (DBE) scheme from falsifiable lattice assumptions that achieves adaptive security with optimal parameters (short public/secret keys and ciphertexts). Our construction enjoys transparent setup and offers flexible instantiation: we achieve a succinct CRS in the Random Oracle Model, or a long CRS in the standard model. Previously, no lattice-based DBE simultaneously achieved adaptivity and optimal parameters in either setting. To achieve this, we introduce a new methodology for proving adaptive security: Equivocal Encryption Systems. This framework operates in two indistinguishable modes: a 'real' mode utilizing standard algorithms, and a 'fake' mode where keys and ciphertexts are jointly sampled with auxiliary trapdoors, enabling the dynamic equivocation of ciphertexts to arbitrary challenge values. While our approach is technically distinct from the celebrated Dual System Encryption (Waters, CRYPTO'09), we believe it could serve as a similarly powerful paradigm for realizing adaptive security across a broad class of lattice-based encryption systems.
