Home
In recent years, important advances have been made in both zero-knowledge (ZK) and succinct proofs and in the design and cryptanalysis of symmetric cryptography (SC) primitives for privacy-preserving technologies. ZK and SC have traditionally developed in parallel – one rooted in complexity-theoretic and provable-security foundations, the other in symmetric-key cryptanalysis techniques and provable results over bit strings. Yet, today these areas are increasingly interconnected: the efficiency and security of modern ZK proofs and more general privacy-preserving systems often relies on the symmetric-key components in place.
The ZKSC 2026 Workshop aims to bring these areas closer together, bridging the zero-knowledge and symmetric-key cryptography communities to foster discussion, collaboration, to exchange perspectives, techniques, and open problems.
The topics of Interest for ZKSC include (non-exhaustive):
- Recursive proof systems: properties and proofs
- Proof systems whose languages are appropriate for symmetric-key (SK) primitives
- Post-quantum security: hash-based proof systems
- Lattice-based proof systems
- Provably secure and efficient SK Arithmetization-Oriented (AO) modes
- Efficiency of AO primitives
- Algebraic cryptanalysis of SK primitives relevant to (zero-knowledge) proof systems
- Cryptanalytic security bounds
- SK cryptography under new proof-driven security notions specific to the ZK setting
List of Speakers
For further information, click on the profile pictures:
Lorenzo Grassi
Talk title: Greek and Roman Gods in Symmetric-Key Crypto
Slides
Abstract
In order to work, Zero-Knowledge (ZK) protocols rely on the evaluation of hash functions. As the details of such hash functions have a big impact on the performances of the considered applications, several dedicated ZK-friendly symmetric primitives (defined especially over prime fields) have recently appeared in the literature. Among all, the Poseidon hash function has gained widespread adoption in verifiable computation protocols. Introduced in 2021, Poseidon uses only basic algebraic operations over a prime field, it is currently the fastest-to-prove hash functions, and among the fastest ones to compute natively.
In this presentation, we will analyze the Poseidon/Poseidon2/Poseidon(2)b family in detail, retracing the history of its design rationale, starting with the HadesMiMC cipher. Next, we will discuss more efficient variants of Poseidon/HadesMiMC, namely Neptune and Pluto.
Ziyi Guan
Talk title: On the Security of Succinct Arguments from Probabilistic Proofs
Slides
Abstract
Succinct arguments are fundamental cryptographic primitives with wide-ranging applications. A common approach to build succinct arguments is from probabilistic proofs, dating back to Kilian’s protocol that combines a PCP and a Merkle tree.
In this talk, I will present the tightest bound on the regular security of Kilian's protocol and show how to obtain similar bounds for more general argument systems, such as those based on polynomial commitment schemes. I'll conclude with results that achieve post-quantum security and Fiat-Shamir security for general classes of arguments.
Abhishek Jain
Talk title: IVC without Random Oracles
Dmitry Khovratovich
Talk title: Succinct proofs in the core Ethereum protocol
Ngoc Khanh Nguyen
Talk title: Recent Progress on Lattice-based Zero-Knowledge Proofs
Michele Orrù
Talk title: A Fiat–Shamir Transformation From Duplex Sponges
Abstract
We study a new Fiat-Shamir transformation based on an ideal permutation that minimizes permutation calls and aligns more closely with deployed systems. We show concrete bounds for soundness, knowledge soundness, and zero knowledge, revealing that indifferentiability — the standard notion used in this context for 20 years — falls short for providing security of Fiat-Shamir-based proofs. We fill this gap by introducing a stronger indifferentiability notion that captures the security requirements of modern proof systems.
Joint work with Alessandro Chiesa.
↗ ePrint
Léo Perrin
Talk title: When POlynomial System SOlving became a threat for symmetric primitives
Slides
Abstract
In the past, POlynomial System SOlving (POSSo) was seen as being of little relevance in symmetric cryptography: despite its simple low degree description, the AES itself was barely scratched by such techniques. This dramatically changed with the introduction of symmetric primitives intended for more advanced protocols, starting with LowMC more than 10 years ago. Since then, cryptanalysis techniques based on the resolution of a system of non-linear polynomial equations have proven devastating, in a surprising variety of ways.
In this talk, I will give an overview and a taxonomy of the techniques that fall under the (perhaps too broad) umbrella of "algebraic attacks", and try to sketch security arguments for the various cases considered.
Christian Rechberger
Arnab Roy
Talk title: When Polynomials Iterate: Structure and Security in Symmetric Cryptography
Markus Schofnegger
Talk title: Implementation Characteristics of Hash Functions in Modern Proof Systems
Abstract
While the algorithmic description of circuit-friendly hash functions is often straightforward, the underlying architecture allows for many different ways of implementing them. This talk will go over various implementation characteristics in certain scenarios, and how these change when using them in modern proof systems.
Justin Thaler
Talk title: Lessons from Jolt: When Do We Need SNARK-Friendly Primitives?
Stefano Trevisani
Talk title: New Modes on the Block: Security and Efficiency of Novel AO Compression Modes
Ivan Visconti
Talk title: A Few Stops in the Zero-Knowledge Journey
Georg Fuchsbauer
Registration
Registration is closed and the event is over.
As space is limited and to assist us in budget planning and cost estimation, we kindly request all interested participants to complete their registration by December 20, 2025.
The workshop offers financial support for early-career researchers in the form of lump-sum grants of up to 500 EUR, awarded on a demand basis.
Sponsors & Partners
Workshop Program
Day 1 — Mon, 9 Feb
Day 2 — Tue, 10 Feb
Day 3 — Wed, 11 Feb
Venue
The event took take place at TU Wien, Favoritenstraße 9-11, 1040 Vienna, Austria.
The main lecture hall was be FAV Hörsaal 3 Zemanek (map).
