Hey! If you're at Eurocrypt and do not have a CedarCrypt flyer yet do not talk to @nadim.computer , come talk to me instead! I have a deal with Nadim: if I manage to hand over all the flyers he gave me to people who still don't have one, he will join Mastodon! I have only 4 flyers left! We can do this! F**k BlueSky! 😜

#crypto #cryptography #eurocrypt #eurocrypt2026 #cedarcrypt #fediverse #mastodon #bluesky #fun #humor #rome #italy #bet

#eurocrypt just happened, which reminds me of the eurocrypt 35 years ago held in budapest, which an #NSA cryptologist was attending and giving a scorching #report in the internal cryptolog newsletter of the nsa: https://scottaaronson.blog/?p=2059

would be interesting to see the latest cryptolog report on this latest edition...

What does the NSA think of academic cryptographers? Recently-declassified document provides clues

Brighten Godfrey was one of my officemates when we were grad students at Berkeley. He's now a highly-successful computer networking professor at the University of Illinois Urbana-Champaign, …

Shtetl-Optimized
COSIC postdoc Shahla Atapoor is blogging from #Eurocrypt 2026 in Rome and wrote a post about "Traceable Secret Sharing Revisited": https://www.esat.kuleuven.be/cosic/blog/eurocrypt-2026-traceable-secret-sharing-revisited/
Original paper: "Traceable Secret Sharing Revisited" (Vipul Goyal, Abhishek Jain, Aditi Partap)
https://eprint.iacr.org/2025/1980
COSIC postdoc Shahla Atapoor is attending #Eurocrypt 2026 in Rome and wrote an interesting blog post on "Traceable Secret Sharing Schemes for General Access Structures", check it out here: https://www.esat.kuleuven.be/cosic/blog/eurocrypt-2026-traceable-secret-sharing-schemes-for-general-access-structures/
Original paper: https://eprint.iacr.org/2025/1120 (Oriol Farràs & Miquel Guiot, Rovira i Virgili University)

Thanks to the #CAW #caw2026 organizers at #iacr #eurocrypt #eurocrypt2026 in #rome #italy for hosting my #shufflecake talk, great engagement, questions and audience feedback!

#crypto #cryptography #security #privacy #cypherpunk #foss #libre #opensource

Our paper https://ia.cr/2026/913 shows how to find affine maps agreeing with an S-box on as many as possible inputs. Look for presentation at #Eurocrypt 2026 today!

The code is already available. Also check out a vibe-coded interactive tool, it's fun to play with: https://affine.group/pages/greedy-extension

Algorithmic Toolkit for Linearization of S-boxes

Linearization is a cryptanalysis technique in which a nonlinear function (an S-box) is represented by an affine mapping on a certain subset of inputs. Its variants were applied to analyze Keccak, LowMC, RAIN and AIM. In these primitives, the S-boxes are either very small (up to 5 bits) or are very specific monomial functions over a binary field. Linearization of arbitrary S-boxes was never practically explored due to the lack of theoretic, algorithmic, and cryptanalytic understanding. For the first time, we develop an algorithmic toolkit which allows one to compute strong linearizations of S-boxes, when they exist. For up to $n=8$ bits, our algorithms are able to find provably the best possible approximations, while for larger S-boxes it is feasible to obtain good approximations together with meaningful upper bounds. We apply our algorithms to a variety of S-boxes from existing primitives, to monomial functions, to so-called APN functions, and to 16-bit Super-Sboxes. We obtain interesting results raising many new open questions and open up new research directions, as well as a foundation for developing cryptanalytic attacks. To advance the cryptanalytic utility of linearization, we study and solve the problem of covering an S-box with multiple approximations. As an application, we derive a generic linearization approach for the CICO problem (constrained-input-constrained-output) over SPN-based permutations (Substitution-Permutation Networks) with general linear layers. This is the first such general cryptanalysis based on the existence of a strong linearization of the S-box.

IACR Cryptology ePrint Archive
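An added illustration of the two problems named in the abstract above, not code from the paper or from the affine.group tool: an exhaustive search for the affine map agreeing with a small S-box on the most inputs, and a greedy cover of the S-box by several such approximations. The only sample input is the published 4-bit S-box of the PRESENT block cipher; brute force over all 2^16 matrices is feasible at 4 bits, which is exactly why the paper needs smarter algorithms for 8 and 16 bits.

```python
from collections import Counter
from itertools import product

def affine_eval(rows, c, x):
    """Evaluate A*x ^ c over GF(2): rows[i] is row i of A as an n-bit integer,
    so output bit i is the parity of rows[i] & x."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows)) ^ c

def best_affine_approx(sbox, inputs=None):
    """Find the affine map A*x ^ c agreeing with sbox on the most points of
    `inputs` (default: all). Returns (count, rows, c, agree_set). Only the
    2^(n*n) matrices are enumerated: for a fixed A the best constant c is the
    most common value of sbox[x] ^ A*x. Fine for n <= 4; larger n needs the
    smarter algorithms the paper develops."""
    n = len(sbox).bit_length() - 1
    size = 1 << n
    inputs = list(range(size)) if inputs is None else sorted(inputs)
    par = [bin(v).count("1") & 1 for v in range(size)]  # parity lookup table
    best = (0, None, None, ())
    for rows in product(range(size), repeat=n):
        diff = {}
        for x in inputs:
            ax = 0
            for i, r in enumerate(rows):
                ax |= par[r & x] << i
            diff[x] = sbox[x] ^ ax
        c, count = Counter(diff.values()).most_common(1)[0]
        if count > best[0]:
            best = (count, rows, c, tuple(x for x in inputs if diff[x] == c))
    return best

def greedy_cover(sbox):
    """Cover every input with some affine approximation (the abstract's
    'covering' problem), greedily: repeatedly take the best approximation on
    the inputs not yet covered. The agree sets of the pieces partition the
    input space."""
    remaining = set(range(len(sbox)))
    pieces = []
    while remaining:
        _, rows, c, agree = best_affine_approx(sbox, remaining)
        pieces.append((rows, c, agree))
        remaining -= set(agree)
    return pieces

# The published 4-bit S-box of the PRESENT block cipher (a real S-box, not constructed).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
```

best_affine_approx(PRESENT_SBOX) returns the agreement count, the rows of A, the constant c and the inputs on which the S-box is affine; greedy_cover(PRESENT_SBOX) shows how many affine pieces are needed to cover all 16 inputs.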

At #Eurocrypt where we'll be presenting my work on FLOE!

https://eprint.iacr.org/2025/2275

Random-Access AEAD for Fast Lightweight Online Encryption

We study the problem of random-access authenticated encryption. In this setting, one wishes to encrypt (resp., decrypt) a large payload in an online manner, i.e., using a limited amount of memory, while allowing for the processing of plaintext (resp., ciphertext) segments to be in a random order. Prior work has studied online AE for in-order (streaming) encryption and decryption, and later work added additional constraints to support random access decryption. The result is complicated notions that are not built from the start to account for random access. We thus provide a new, clean-slate treatment of the random-access setting. We introduce random-access authenticated encryption (raAE) schemes, which capture AEAD that provides random-access encryption and decryption. We introduce formal security definitions for raAE schemes that cover confidentiality, integrity, and commitment. We prove relationships with existing notions, showing that our simpler treatment does not sacrifice achievable security. Our implications also result in the first treatment of commitment security for online AEAD as well, an increasingly important security goal for AEAD. We then exercise our formalization with a practice-motivated case study: FIPS-compliant raAE. We introduce an raAE scheme called FLOE (Fast Lightweight Online Encryption) that is FIPS compliant, compatible with existing AES-GCM APIs that mandate random nonces, and yet can provide secure, random-access, committing encryption of orders of magnitude more data than naive approaches that utilize AES-GCM. FLOE was designed in close collaboration with leading cloud data platform Snowflake, where it will soon be used in production to protect sensitive data.

IACR Cryptology ePrint Archive
Our paper about cryptanalysis of AIM2 is on the front page of eprint 😀 Look for tomorrow's presentation at #Eurocrypt 2026. I will share more details later. https://ia.cr/2026/903
Magic Pot: Cryptanalysis of full AIM2 in the standard and related-/reused-key settings using new elimination framework

In this work, we cryptanalyse the post-quantum signature scheme AIMer v2.1, which is one of the winners of the Korean Post-Quantum Cryptography competition (KpqC), and whose earlier version was a candidate in the US NIST's additional post-quantum digital signatures call. We show that AIM2, the underlying symmetric-key primitive, is not secure up to the claimed level by developing and applying a new algebraic attack framework based on extended linearization over a univariate polynomial ring and a novel algorithm for finding a null vector of a polynomial matrix. In particular misuse scenarios, such as reused-key or related-key settings, our attacks become practically feasible, allowing experimental verification and benchmarking. We also evaluate the approach on the RAIN block cipher used in the Rainier post-quantum signature scheme and obtain improved attacks, although not threatening its claimed security.

IACR Cryptology ePrint Archive
OMW to #eurocrypt #eurocrypt2026 giving a talk on #shufflecake at #caw #caw2026 this afternoon. I always feel underdressed in #Rome 😂
Join the #PQCSA Workshop on Post-Quantum Cryptographic Protocols!
📍 Rome, Italy | 🗓️ Sat 9 May 2026
A #eurocrypt 2026 affiliated event bringing experts together on #PQC protocols, deployment & standardisation.
#quantum #postquantum
https://www.esat.kuleuven.be/cosic/events/pqcsa-workshop-cryptographic-protocols/