Paper Analyses
In-depth breakdowns of cryptographic papers with formal definitions, proof reconstructions, and implementations.
Each paper page includes formal definitions extracted and explained, step-by-step proof reconstructions, code implementations in Lean 4, and cross-references to related work.
Our Vision
cryptography.academy is an open knowledge base that links definitions to definitions, formulas to formulas, and proofs to the precise results they depend on — across the entire cryptographic literature. Formalizations are progressively machine-checked in Lean 4. Read the full vision statement.
This project is and will always be free. No profit is made, no knowledge will ever be sold, and there will never be a paywall. The entire source code is publicly available.
Attribution & Copyright Notice
The paper content reproduced on this site belongs entirely to the original authors. Nothing is claimed as original work by BaDaaS or any contributor. Each page reproduces the paper for educational and academic study purposes, augmented with formal definitions in Lean 4 and explanatory annotations. We act in good faith to make verified knowledge freely accessible to everyone on the Internet.
We respect intellectual property and welcome any feedback. Always cite the original publications. Canonical sources are linked at the top of every paper page. If you are an author and would like your paper removed or amended, please open an issue. We will never add a paywall or charge for any content.
Papers (114)
The Algebraic CheapLunch: Extending FreeLunch Attacks on Arithmetization-Oriented Primitives Beyond CICO-1
Antoine Bak, Augustin Bariant, Aurélien Boeuf, Pierre Briaud, Morten Øygarden, Atharva Phanse
Poseidon(2)b: Binary Field Versions of Poseidon/Poseidon2
Lorenzo Grassi, Dmitry Khovratovich, Katharina Koschatko, Christian Rechberger, Markus Schofnegger, Verena Schröppel, Zhuo Wu
Poseidon and Neptune: Gröbner Basis Cryptanalysis Exploiting Subspace Trails
Lorenzo Grassi, Katharina Koschatko, Christian Rechberger
Breaking Poseidon Challenges with Graeffe Transforms and Complexity Analysis by FFT Lower Bounds
Ziyu Zhao, Jintai Ding
Attacking Poseidon via Graeffe-Based Root-Finding over NTT-Friendly Fields
Antonio Sanso, Giuseppe Vitto
Groebner Basis Cryptanalysis of Anemoi
Luca Campa, Arnab Roy
Improved Resultant Attack against Arithmetization-Oriented Primitives
Augustin Bariant, Aurélien Boeuf, Pierre Briaud, Maël Hostettler, Morten Øygarden, Håvard Raddum
KZH-Fold: Accountable Voting from Sublinear Accumulation
George Kadianakis, Arantxa Zapico, Hossein Hafezi, Benedikt Bünz
Blaze: Fast SNARKs from Interleaved RAA Codes
Martijn Brehm, Binyi Chen, Ben Fisch, Nicolas Resch, Ron D. Rothblum, Hadas Zeilberger
A Note on Ligero and Logarithmic Randomness
Guillermo Angeris, Alex Evans, Gyumin Roh
A note on the G-FFT
Ulrich Haböck
Modelling Ciphers with Overdefined Systems of Quadratic Equations: Application to Friday, Vision, RAIN and Biscuit
Fukang Liu, Mohammad Mahzoun, Willi Meier
Vision Mark-32: ZK-Friendly Hash Function Over Binary Tower Fields
Tomer Ashur, Mohammad Mahzoun, Jim Posen, Danilo Šijačić
Security Analysis of XHASH8/12
Léo Perrin
Polylogarithmic Proofs for Multilinears over Binary Towers
Benjamin E. Diamond, Jim Posen
The Algebraic Freelunch: Efficient Gröbner Basis Attacks Against Arithmetization-Oriented Primitives
Augustin Bariant, Aurélien Boeuf, Axel Lemoine, Irati Manterola Ayala, Morten Øygarden, Léo Perrin, Håvard Raddum
Circle STARKs
Ulrich Haböck, David Levit, Shahar Papini
Succinct Arguments over Towers of Binary Fields
Benjamin E. Diamond, Jim Posen
Proof-Carrying Data from Multi-folding Schemes
Zibo Zhou, Zongyang Zhang, Zhiyu Zhang, Jin Dong
XHash: Efficient STARK-friendly Hash Function
Tomer Ashur, Amit Singh Bhati, Al Kindi, Mohammad Mahzoun, Léo Perrin
Monolith: Circuit-Friendly Hash Functions with New Nonlinear Layers for Fast and Constant-Time Implementations
Lorenzo Grassi, Dmitry Khovratovich, Reinhard Lüftenegger, Christian Rechberger, Markus Schofnegger, Roman Walch
Algebraic Cryptanalysis of HADES Design Strategy: Application to POSEIDON and Poseidon2
Tomer Ashur, Thomas Buschman, Mohammad Mahzoun
SAFE: Sponge API for Field Elements
JP Aumasson, Dmitry Khovratovich, Bart Mennink, Porçu Quine
TurboSHAKE
Guido Bertoni, Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche, Ronny Van Keer, Benoît Viguier
Poseidon2: A Faster Version of the Poseidon Hash Function
Lorenzo Grassi, Dmitry Khovratovich, Markus Schofnegger
The Tip5 Hash Function for Recursive STARKs
Alan Szepieniec, Alexander Lemmens, Jan Ferdinand Sauer, Bobbin Threadbare, Al-Kindi
Rescue-Prime Optimized
Tomer Ashur, Al Kindi, Willi Meier, Alan Szepieniec, Bobbin Threadbare
Multivariate lookups based on logarithmic derivatives
Ulrich Haböck
An efficient verifiable state for zk-EVM and beyond from the Anemoi hash function
Jianwei Liu, Harshad Patil, Akhil Sai Peddireddy, Kevin Singh, Haifeng Sun, Huachuang Sun, Weikeng Chen
flookup: Fractional decomposition-based lookups in quasi-linear time independent of table size
Ariel Gabizon, Dmitry Khovratovich
A summary on the FRI low degree test
Ulrich Haböck
Caulk+: Table-independent lookup arguments
Jim Posen, Assimakis A. Kattis
New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: Anemoi Permutations and Jive Compression Mode
Clémence Bouvier, Pierre Briaud, Pyrros Chaidos, Léo Perrin, Robin Salen, Vesselin Velichkov, Danny Willems
New optimization techniques for PlonK’s arithmetization
Miguel Ambrona, Anne-Laure Schmitt, Raphael R. Toledo, Danny Willems
Horst Meets Fluid-SPN: Griffin for Zero-Knowledge Applications
Lorenzo Grassi, Yonglin Hao, Christian Rechberger, Markus Schofnegger, Roman Walch, Qingju Wang
EcGFp5: a Specialized Elliptic Curve
Thomas Pornin
Invertible Quadratic Non-Linear Layers for MPC-/FHE-/ZK-Friendly Schemes over $\mathbb{F}_p^n$
Lorenzo Grassi, Silvia Onofri, Marco Pedicini, Luca Sozzi
fflonk: a Fast-Fourier inspired verifier efficient version of PlonK
Ariel Gabizon, Zachary J. Williamson
Reinforced Concrete: A Fast Hash Function for Verifiable Computation
Lorenzo Grassi, Dmitry Khovratovich, Reinhard Lüftenegger, Christian Rechberger, Markus Schofnegger, Roman Walch
On the Use of the Legendre Symbol in Symmetric Cipher Design
Alan Szepieniec
Darlin: Recursive Proofs using Marlin
Ulrich Haböck, Alberto Garoffolo, Daniele Di Benedetto
Rescue-Prime: a Standard Specification (SoK)
Alan Szepieniec, Tomer Ashur, Siemen Dhooghe
On the security of the Rescue hash function
Tim Beyne, Anne Canteaut, Gregor Leander, María Naya-Plasencia, Léo Perrin, Friedrich Wiemer
Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer
Lorenzo Grassi, Christian Rechberger, Markus Schofnegger
Constructing hidden order groups using genus three Jacobians
Steve Thakur
plookup: A simplified polynomial protocol for lookup tables
Ariel Gabizon, Zachary J. Williamson
Out of Oddity -- New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems
Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, Yu Sasaki, Yosuke Todo, Friedrich Wiemer
Mind the Middle Layer: The HADES Design Strategy Revisited
Nathan Keller, Asaf Rosemarin
On a Generalization of Substitution-Permutation Networks: The HADES Design Strategy
Lorenzo Grassi, Reinhard Lüftenegger, Christian Rechberger, Dragos Rotaru, Markus Schofnegger
Recursive Proof Composition without a Trusted Setup
Sean Bowe, Jack Grigg, Daira Hopwood
PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge
Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru
Collisions on Feistel-MiMC and univariate GMiMC
Xavier Bonnetain
A Key-Independent Distinguisher for 6-round AES in an Adaptive Setting
Navid Ghaedi Bardeh
A Short Note on a Weight Probability Distribution Related to SPNs
Sondre Rønjom
The Exchange Attack: How to Distinguish Six Rounds of AES with $2^{88.2}$ chosen plaintexts
Navid Ghaedi Bardeh, Sondre Rønjom
Extended Truncated-differential Distinguishers on Round-reduced AES
Zhenzhen Bao, Jian Guo, Eik List
Quantum Attacks without Superposition Queries: the Offline Simon's Algorithm
Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, André Schrottenloher
AuroraLight: Improved prover efficiency and SRS size in a Sonic-like system
Ariel Gabizon
Spartan: Efficient and general-purpose zkSNARKs without trusted setup
Srinath Setty
Poseidon: A New Hash Function for Zero-Knowledge Proof Systems
Lorenzo Grassi, Dmitry Khovratovich, Christian Rechberger, Arnab Roy, Markus Schofnegger
Feistel Structures for MPC, and More
Martin R. Albrecht, Lorenzo Grassi, Léo Perrin, Sebastian Ramacher, Christian Rechberger, Dragos Rotaru, Arnab Roy, Markus Schofnegger
DEEP-FRI: Sampling Outside the Box Improves Soundness
Eli Ben-Sasson, Lior Goldberg, Swastik Kopparty, Shubhangi Saraf
Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC
Itai Dinur, Daniel Kales, Angela Promitzer, Sebastian Ramacher, Christian Rechberger
Simple Verifiable Delay Functions
Krzysztof Pietrzak
Truncated Differential Properties of the Diagonal Set of Inputs for 5-round AES
Lorenzo Grassi, Christian Rechberger
Improvements to the Linear Operations of LowMC: A Faster Picnic
Daniel Kales, Léo Perrin, Angela Promitzer, Sebastian Ramacher, Christian Rechberger
Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model
Sean Bowe, Ariel Gabizon, Ian Miers
Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES
Lorenzo Grassi
The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS
Christof Beierle, Jérémy Jean, Stefan Kölbl, Gregor Leander, Amir Moradi, Thomas Peyrin, Yu Sasaki, Pascal Sasdrich, Siang Meng Sim
Side-Channel Analysis Protection and Low-Latency in Action - case study of PRINCE and Midori
Amir Moradi, Tobias Schneider
Invariant Subspace Attack Against Full Midori64
Jian Guo, Jérémy Jean, Ivica Nikolić, Kexin Qiao, Yu Sasaki, Siang Meng Sim
Complete addition formulas for prime order elliptic curves
Joost Renes, Craig Costello, Lejla Batina
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers
Thomas Peyrin, Yannick Seurin
Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case
Taechan Kim, Razvan Barbulescu
Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version)
Anne Canteaut, Sébastien Duval, Gaëtan Leurent
SIMON and SPECK: Block Ciphers for the Internet of Things
Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers
Verifiable computation using multiple provers
Andrew J. Blumberg, Justin Thaler, Victor Vu, Michael Walfish
Scalable Zero Knowledge via Cycles of Elliptic Curves
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza
FFT-Based Key Recovery for the Integral Attack
Yosuke Todo
SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge
Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, Madars Virza
The SIMON and SPECK Families of Lightweight Block Ciphers
Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers
Time-Optimal Interactive Proofs for Circuit Evaluation
Justin Thaler
How to Run Turing Machines on Encrypted Data
Shafi Goldwasser, Yael Kalai, Raluca Ada Popa, Vinod Vaikuntanathan, Nickolai Zeldovich
Improved "Partial Sums"-based Square Attack on AES
Michael Tunstall
Implementing Pairings at the 192-bit Security Level
Diego F. Aranha, Laura Fuentes-Castañeda, Edward Knapp, Alfred Menezes, Francisco Rodríguez-Henríquez
Duplexing the sponge: single-pass authenticated encryption and other applications
Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche
Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings
Craig Costello, Kristin Lauter, Michael Naehrig
Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers
Andrey Bogdanov, Vincent Rijmen
Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Rosario Gennaro, Craig Gentry, Bryan Parno
On the Security of UOV
Jean-Charles Faugère, Ludovic Perret
Optimal Irreducible Polynomials for GF(2^m) Arithmetic
Michael Scott
Probability distributions of Correlation and Differentials in Block Ciphers
Joan Daemen, Vincent Rijmen
Pairing-Friendly Elliptic Curves of Prime Order
Paulo S. L. M. Barreto, Michael Naehrig
Password-Based Authenticated Key Exchange in the Three-Party Setting
Michel Abdalla, Pierre-Alain Fouque, David Pointcheval
Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel
D. Page
Elliptic curves suitable for pairing based cryptography
Friederike Brezing, Annegret Weng
On Small Characteristic Algebraic Tori in Pairing-Based Cryptography
R. Granger, D. Page, M. Stam
Request for Review of Key Wrap Algorithms
Morris Dworkin
Ordinary abelian varieties having small embedding degree
Steven D. Galbraith, J. McKee, P. Valenca
Efficient Pairing Computation on Supersingular Abelian Varieties
Paulo S. L. M. Barreto, Steven Galbraith, Colm Ó hÉigeartaigh, Michael Scott
Scaling security in pairing-based protocols
Michael Scott
On Computing Products of Pairings
R. Granger, N. P. Smart
Multiplication and Squaring on Pairing-Friendly Fields
Augusto Jun Devegili, Colm Ó hÉigeartaigh, Michael Scott, Ricardo Dahab
Another Look at Square Roots and Traces (and Quadratic Equations) in Fields of Even Characteristic
Roberto Avanzi
Security Reductions of the Second Round SHA-3 Candidates
Elena Andreeva, Bart Mennink, Bart Preneel
Squaring in cyclotomic subgroups
Koray Karabina
Two Simple Code-Verification Voting Protocols
Helger Lipmaa
On the Efficient Implementation of Pairing-Based Protocols
Michael Scott
Delegation of Computation without Rejection Problem from Designated Verifier CS-Proofs
Shafi Goldwasser, Huijia Lin, Aviad Rubinstein
Functional Encryption: New Perspectives and Lower Bounds
Shweta Agrawal, Sergey Gorbunov, Vinod Vaikuntanathan, Hoeteck Wee
Enforcing Language Semantics Using Proof-Carrying Data
Stephen Chong, Eran Tromer, Jeffrey A. Vaughan
Zero Knowledge Protocols from Succinct Constraint Detection
Eli Ben-Sasson, Alessandro Chiesa, Michael A. Forbes, Ariel Gabizon, Michael Riabzev, Nicholas Spooner
Zero-Knowledge Proofs of Proximity
Itay Berman, Ron D. Rothblum, Vinod Vaikuntanathan
Baloo: Nearly Optimal Lookup Arguments
Arantxa Zapico, Ariel Gabizon, Dmitry Khovratovich, Mary Maller, Carla Ràfols