Paper Analyses

In-depth breakdowns of cryptographic papers with formal definitions, proof reconstructions, and implementations.

Each paper page includes formal definitions extracted and explained, step-by-step proof reconstructions, code implementations in Lean 4, and cross-references to related work.

Our Vision

cryptography.academy is an open knowledge base that links definitions to definitions, formulas to formulas, and proofs to the precise results they depend on — across the entire cryptographic literature. Formalizations are progressively machine-checked in Lean 4. Read the full vision statement.

This project is and will always be free. No profit is made, no knowledge will ever be sold, and there will never be a paywall. The entire source code is publicly available.

Attribution & Copyright Notice

The paper content reproduced on this site belongs entirely to the original authors. Nothing is claimed as original work by BaDaaS or any contributor. Each page reproduces the paper for educational and academic study purposes, augmented with formal definitions in Lean 4 and explanatory annotations. We act in good faith to make verified knowledge freely accessible to everyone on the Internet.

We respect intellectual property and welcome any feedback. Always cite the original publications. Canonical sources are linked at the top of every paper page. If you are an author and would like your paper removed or amended, please open an issue. We will never add a paywall or charge for any content.

Papers

POSEIDON

Grassi, Khovratovich, Rechberger, Roy, Schofnegger — 2019

A hash function for zero-knowledge proof systems using the HADES design strategy. Up to 8x fewer constraints per message bit than Pedersen Hash.

eprint 2019/458

HADES

Grassi, Lüftenegger, Rechberger, Rotaru, Schofnegger — 2019

The HADES design strategy: a generalization of substitution-permutation networks that mixes rounds with a full S-box layer (every cell nonlinear, against statistical attacks) and rounds with a partial S-box layer (a single S-box per round, raising the algebraic degree cheaply).

eprint 2019/1107
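The full/partial round structure above, as an added illustration that is not code from the HADES or Poseidon authors: a toy HADES-shaped permutation over the 31-bit Mersenne prime with a 3-cell state, an x^5 S-box, a Cauchy MDS matrix and placeholder round constants. Every parameter here is assumed for readability and taken from no paper; a real instance derives constants and matrix from the design's own procedures over a much larger field. The point it shows is why partial rounds lower the count of nonlinear operations, the quantity that drives constraint counts in proof systems.

```python
# Toy HADES-shaped permutation (added illustration, not reference code).
# All parameters below are made up for readability, not taken from any paper.

P = 2**31 - 1   # Mersenne prime; a toy field, not a production choice
T = 3           # state width in field elements
ALPHA = 5       # S-box x -> x^5; gcd(5, P-1) == 1, so it permutes the field
R_F = 4         # full rounds in total, split half before and half after
R_P = 6         # partial rounds in the middle


def mds_matrix(t=T):
    """Cauchy matrix M[i][j] = 1/(x_i + y_j) with distinct x's and y's and
    x_i + y_j != 0; such a matrix is MDS (every square submatrix is invertible)."""
    xs = list(range(t))
    ys = list(range(t, 2 * t))
    return [[pow(x + y, -1, P) for y in ys] for x in xs]


M = mds_matrix()


def round_constants(n_rounds, t=T):
    """Placeholder constants; a real design derives them from a seeded PRNG."""
    return [[(7 * r + 11 * i + 3) % P for i in range(t)] for r in range(n_rounds)]


RC = round_constants(R_F + R_P)


def sbox(x):
    return pow(x, ALPHA, P)


def mix(state):
    return [sum(M[i][j] * state[j] for j in range(T)) % P for i in range(T)]


def hades_permutation(state, trace=None):
    """R_F/2 full rounds, then R_P partial rounds, then R_F/2 full rounds.
    A full round applies the S-box to every cell; a partial round applies it
    to cell 0 only. Each round is: add constants, S-box layer, MDS mix.
    If `trace` is a dict, it receives the number of S-box evaluations."""
    assert len(state) == T
    state = [x % P for x in state]
    half = R_F // 2
    sboxes = 0
    for r in range(R_F + R_P):
        state = [(s + c) % P for s, c in zip(state, RC[r])]
        if half <= r < half + R_P:      # partial round: one S-box
            state[0] = sbox(state[0])
            sboxes += 1
        else:                            # full round: T S-boxes
            state = [sbox(s) for s in state]
            sboxes += T
        state = mix(state)
    if trace is not None:
        trace["sboxes"] = sboxes
    return state


def sbox_count_hades():
    """Nonlinear operations for the HADES schedule above."""
    return R_F * T + R_P


def sbox_count_full_only():
    """What the same number of rounds would cost if every round were full."""
    return (R_F + R_P) * T


def measured_sbox_count():
    """Count S-box evaluations on an actual run to check the formula."""
    trace = {}
    hades_permutation([0] * T, trace)
    return trace["sboxes"]


if __name__ == "__main__":
    print("output:", hades_permutation([1, 2, 3]))
    print("S-box evaluations:", measured_sbox_count(),
          "vs all-full rounds:", sbox_count_full_only())
```

With these toy parameters the schedule needs 18 S-box evaluations instead of 30 for ten all-full rounds; in a constraint system each x^5 costs a fixed number of multiplication constraints, so that ratio is what the "fewer constraints" comparisons in the Poseidon entry above are about. Whether six partial rounds actually buy enough algebraic degree for a given field and width is the security question the HADES and later subspace-trail analyses address; this snippet only exhibits the structure.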

Truncated-Differential AES

Bao, Guo, List — 2019

Extended truncated-differential distinguishers on round-reduced AES using the exchange attack framework.

eprint 2019/622

The Exchange Attack

Ghaedi Bardeh, Rønjom — 2019

How to distinguish six rounds of AES with 2^{88.2} chosen plaintexts using the exchange-equivalence technique.

eprint 2019/652

PlonK

Gabizon, Williamson, Ciobotaru — 2019

Permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. A universal SNARK whose trusted setup is universal and updatable.

eprint 2019/953

Subspace Trails

Grassi, Rechberger, Schofnegger — 2020

Proving resistance against infinitely long subspace trails: bounding invariant-subspace and subspace-trail attacks for HADES-based designs.

eprint 2020/500

Griffin

Grassi, Hao, Rechberger, Schofnegger, Walch, Wang — 2022

Horst meets Fluid-SPN: a ZK-friendly permutation in the Fluid-SPN framework whose nonlinear layer combines low-degree power maps with a Horst (Feistel-like) construction.

eprint 2022/403

Anemoi

Bouvier, Briaud, Chaidos, Perrin, Salen, Velichkov, Willems — 2022

Anemoi permutations and the Jive compression mode: efficient arithmetization-oriented primitives over prime and binary fields.

eprint 2022/840

Tip5

Szepieniec, Lemmens, Sauer, Threadbare, Al-Kindi — 2023

The Tip5 hash function for recursive STARKs: a lookup-based design optimized for Triton VM and recursive proof composition.

eprint 2023/107

Poseidon2

Grassi, Khovratovich, Schofnegger — 2023

A faster version of the Poseidon hash function with optimized internal and external matrix choices for reduced constraint counts.

eprint 2023/323

TurboSHAKE

Bertoni, Daemen, Hoffert, Peeters, Van Assche, Van Keer, Viguier — 2023

A family of XOFs based on 12-round Keccak, exposing and generalizing the primitive inside KangarooTwelve for post-quantum and general use.

eprint 2023/342

Poseidon Binary

Grassi, Khovratovich, Koschatko, Lüftenegger, Rechberger, Schofnegger — 2025

Binary-field versions of Poseidon and Poseidon2 for efficient hashing over binary towers.

eprint 2025/1893

Partial Sums Square Attack

Tunstall — 2012

An improved partial sums approach to the Square attack on AES, reducing complexity of key recovery.

eprint 2012/280

FFT Key Recovery

Todo, Aoki — 2014

FFT-based key recovery technique for the integral attack, applicable to AES and other block ciphers.

eprint 2014/187

SKINNY & MANTIS

Beierle, Jean, Kölbl et al. — 2016

Families of lightweight tweakable block ciphers following the TWEAKEY framework with strong security bounds.

eprint 2016/660

Mixture Differential

Grassi — 2017

Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES.

eprint 2017/832

Scalable MPC for zk-SNARKs

Bowe, Gabizon, Miers — 2017

A multi-party computation protocol for generating zk-SNARK parameters that scales to large numbers of participants.

eprint 2017/1050

Improvements to LowMC

Kales, Perrin, Promitzer et al. — 2017

Reducing the cost of linear operations in LowMC, a block cipher designed for MPC and FHE.

eprint 2017/1148

Truncated Diff. Diagonal AES

Grassi, Rechberger — 2018

Truncated differentials of diagonal sets applied to 5-round AES distinguishers.

eprint 2018/182

Feistel Structures for MPC

Albrecht, Grassi, Perrin et al. — 2019

Generalized MiMC (GMiMC) and related Feistel-based designs optimized for multi-party computation.

eprint 2019/397

Spartan

Setty — 2019

Efficient and general-purpose zkSNARKs without trusted setup using sum-check and commitment schemes.

eprint 2019/550

AuroraLight

Gabizon — 2019

A Sonic-like argument with a universal SRS that improves prover efficiency and SRS size by reusing Aurora's univariate sumcheck.

eprint 2019/601

Offline Simon’s Algorithm

Bonnetain, Hosoyamada, Naya-Plasencia et al. — 2019

Quantum attacks without superposition queries: the offline Simon's algorithm and its applications to symmetric primitives.

eprint 2019/614

Weight Probability in SPNs

Rønjom — 2019

Analysis of the probability distribution of column weights in substitution-permutation networks.

eprint 2019/750

Key-Independent 6-Round AES

Ghaedi Bardeh — 2019

A key-independent distinguisher for 6-round AES extending the exchange-equivalence approach.

eprint 2019/945

Collisions on Feistel-MiMC

Bonnetain — 2019

Collision attacks on Feistel-MiMC and generalized MiMC (GMiMC) hash functions.

eprint 2019/951

Halo (Recursive Proofs)

Bowe, Grigg, Hopwood — 2019

Recursive proof composition without a trusted setup using nested amortization of inner product arguments.

eprint 2019/1021

HADES Revisited

Keller, Rosemarin — 2020

Revisiting the middle layer of HADES: shows that the partial S-box rounds add less security than originally argued and proposes how to repair the design.

eprint 2020/179

Out of Oddity

Beyne, Canteaut, Dinur et al. — 2020

Cryptanalysis of arithmetization-oriented primitives over fields of odd characteristic.

eprint 2020/188

plookup

Gabizon, Williamson — 2020

A simplified polynomial protocol for lookup tables in zero-knowledge proof systems.

eprint 2020/315

Security of Rescue

Beyne, Canteaut, Leander et al. — 2020

Security analysis of the Rescue hash function against algebraic and statistical attacks.

eprint 2020/820

Rescue-Prime

Szepieniec, Ashur, Dhooghe — 2020

Standard specification for Rescue-Prime, an arithmetization-friendly hash function over prime fields.

eprint 2020/1143

Reinforced Concrete

Grassi, Khovratovich, Rechberger et al. — 2021

A hash function combining lookup-based S-boxes with decomposition over prime fields for fast ZK proving.

eprint 2021/1038

EcGFp5

Pornin — 2022

A specialized elliptic curve over GF(p^5) with the 64-bit Goldilocks prime p = 2^64 - 2^32 + 1, designed for use inside STARK-based proof systems.

eprint 2022/274

PlonK Optimization

Ambrona, Schmitt, Toledo, Willems — 2022

Techniques for optimizing PlonK arithmetization including custom gates and wire permutations.

eprint 2022/462

Caulk+

Posen, Kattis — 2022

Table-independent lookup arguments: after a one-time preprocessing, prover time is independent of the table size, simplifying and improving the Caulk framework.

eprint 2022/957

Flookup

Gabizon, Khovratovich — 2022

Fractional decomposition lookup: quasi-linear time lookup arguments for SNARK systems.

eprint 2022/1447

Verifiable State for zk-EVM

Liu, Patil, Peddireddy et al. — 2022

Using Anemoi-based hashing to build verifiable state data structures for zk-EVM applications.

eprint 2022/1487

LogUp (Multivariate Lookups)

Haböck — 2022

Multivariate lookup arguments based on logarithmic derivatives, enabling efficient table lookups in SNARKs.

eprint 2022/1530

Rescue-Prime Optimized

Ashur, Al Kindi, Meier et al. — 2022

An optimized version of Rescue-Prime with improved round constants and faster implementations.

eprint 2022/1577

SAFE (Sponge API)

Aumasson, Khovratovich, Mennink, Quine — 2023

A standardized sponge API for field elements with formal security analysis for algebraic hash functions.

eprint 2023/522

Binius (Polylog Proofs)

Diamond, Posen — 2024

Polylogarithmic proofs for multilinears over binary tower fields, enabling efficient SNARKs over small fields.

eprint 2024/504

Security of XHASH

Perrin — 2024

Security analysis of the XHash8 and XHash12 arithmetization-oriented hash functions.

eprint 2024/605

Vision Mark-32

Ashur, Mahzoun, Posen, Sijacic — 2024

A ZK-friendly hash function designed for binary tower fields with 32-bit cells.

eprint 2024/633

Attacking Poseidon (Graeffe)

Sanso, Vitto — 2025

Algebraic attacks on Poseidon using Graeffe root-finding transforms to solve the CICO problem.

eprint 2025/937

Breaking Poseidon (Graeffe)

Zhao, Ding — 2025

Breaking Poseidon challenge instances using Graeffe transforms and improved algebraic techniques.

eprint 2025/950

Algebraic CheapLunch

Bak, Bariant, Boeuf et al. — 2025

The algebraic CheapLunch attack: a new framework for cryptanalysis of arithmetization-oriented primitives.

eprint 2025/2040