International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

  • via email
  • via RSS feed

11 December 2025

University of Vienna, Technical U Vienna, Institute of Science and Technology Austria (ISTA)
Job Posting

FARCry (Foundations & Applications of Resource-Restricted Cryptography) is a joint research project by the University of Vienna, Institute of Science and Technology Austria (ISTA), and TU Wien, funded by the Vienna Science and Technology Fund (WWTF) under grant ICT25-081.

We invite applications for PhD positions in cryptography, privacy, and provable security. FARCry investigates cryptographic primitives and protocols whose security and privacy rest on bounded computational resources (work, time, space)—including verifiable delay functions (VDFs), proofs of space/work, memory‑hard functions, and privacy‑enhancing applications such as deniable communication and Sybil‑resistance.

Candidates with a strong background in theoretical computer science and/or mathematics are encouraged to apply. For more information, please contact the respective PI directly (with "FARCry [your name]" in the Subject).

The positions start from October 2026. For ISTA, applications go through the graduate school, where the deadline is January 8th.

Closing date for applications:

Contact:

  • Ass.-Prof. Karen Azari, University of Vienna — karen.azari@univie.ac.at
  • Prof. Krzysztof Pietrzak, ISTA — krzpie@gmail.com
  • Prof. Dominique Schröder, TU Wien — dominique.schroeder@tuwien.ac.at

More information: https://krzpie.github.io/FARCry/

University of Luxembourg
Job Posting
The University of Luxembourg is an international research university with a distinctly multilingual and interdisciplinary character.

Your role

The successful candidate will join the APSIA Group (Applied Security and Information Assurance), led by Dr. Peter B. Roenne. For further information, you may refer to https://www.uni.lu/snt-en/research-groups/apsia.

The candidate will pursue a doctorate in computer science with a focus on the migration to Post-Quantum Cryptography (PQC) while collaborating with the Ministry for Digitalization in Luxembourg on a joint project. The project aims to provide guidance on the transformation of applications relying on classical cryptography, prone to attacks from quantum computers, to post-quantum cryptography.

Your profile

• Master’s degree in Computer Science, Computer Engineering, Software Engineering, Data Science, Information Systems (Engineering), Mathematics, or related fields with robust mathematical expertise

• Strong programming skills in at least one major programming language

• Good presentation and teamworking skills

• A collaborative team player with a desire to make a personal impact within our interdisciplinary research group 

• The commitment to participate in the design and implementation of high-quality solutions that solve significant problems 

• Self-initiative, creativity, curiosity, flexibility and enthusiasm to work 

We offer

• Multilingual and international character. Modern institution with a personal atmosphere. Staff coming from 90 countries. Member of the “University of the Greater Region” (UniGR)

• A modern and dynamic university. High-quality equipment. Close ties to the business world and to the Luxembourg labour market. A unique urban site with excellent infrastructure

• A partner for society and industry. Cooperation with European institutions, innovative companies, the Financial Centre and with numerous non-academic partners such as ministries, local governments, associations, NGOs …

More info & how to apply http://emea3.mrted.ly/40k7p

Closing date for applications:

Contact: For further information, please contact Peter B. Roenne (peter.roenne@uni.lu).

Microsoft Research, Redmond
Job Posting

Overview Research Internships at Microsoft provide a dynamic environment for research careers with a network of world-class research labs led by globally-recognized scientists and engineers, who pursue innovation in a range of scientific and technical disciplines to help solve complex challenges in diverse fields, including computing, healthcare, economics, and the environment. The researchers and engineers in the Cryptography team pursue challenging research that has an impact at Microsoft and the world at large. Most recently we have focused on cryptographic identity, formally verified cryptography, encrypted communications, verifiable elections, zero-knowledge proofs, and high-performance hardware and software implementations of cryptography. We are spinning up new work related to Artificial Intelligence (AI) and the changes and challenges it brings related to cryptography.

Responsibilities Research Interns put inquiry and theory into practice. Alongside fellow doctoral candidates and some of the world’s best researchers, Research Interns learn, collaborate, and network for life. Research Interns not only advance their own careers, but they also contribute to exciting research and development strides. During the 12-week internship, Research Interns are paired with mentors and expected to collaborate with other Research Interns and researchers, present findings, and contribute to the vibrant life of the community. Research internships are available in all areas of research, and are offered year-round, though they typically begin in the summer.

We are especially interested in applicants with expertise in one or more of the following:

  • Efficient software and hardware cryptographic systems.
  • Fully homomorphic encryption (FHE).
  • Efficient zero-knowledge proofs.
  • Encrypted and authenticated data structures.
  • End-to-end encrypted communications.
  • Formalization and formal verification of cryptography.
  • Verifiable election technologies.
See the full job posting at the provided URL

Closing date for applications:

Contact: Greg Zaverucha (apply at the Microsoft careers website)

More information: https://apply.careers.microsoft.com/careers/job/1970393556640165

Pedro Branco, Abhishek Jain, Akshayaram Srinivasan
ePrint Report
The last decade has seen remarkable success in designing and uncovering new applications of indistinguishability obfuscation (i$\mathcal{O}$). The main pressing question in this area is whether post-quantum i$\mathcal{O}$ exists. All current lattice-based candidates rely on new, non-standard assumptions, many of which are known to be broken. To make systematic progress on this front, we investigate the following question: can general-purpose i$\mathcal{O}$ be reduced, assuming only learning with errors (LWE), to obfuscating a smaller class of functions? The specific class of functions we consider are {\em pseudorandom functions} (PRFs), which constitute a natural functionality of independent interest. We show the following results: - We construct exponentially-efficient i$\mathcal{O}$ (xi$\mathcal{O}$) for general circuits based on LWE in the pseudorandom oracle model -- a variant of the Random Oracle model (Jain et al., CRYPTO'23). Our construction requires the pseudorandom oracle model heuristic to hold for a specific pseudorandom function and we prove its security against classical adversaries. - We construct (post-quantum) i$\mathcal{O}$ for general circuits in the standard model based on (post-quantum) sub-exponentially secure LWE and (post-quantum) sub-exponentially secure {\em average-case} i$\mathcal{O}$ -- a natural notion of i$\mathcal{O}$ for pseudorandom functions that we define.

To obtain these results, we generalize the ``encrypt-evaluate-decrypt'' paradigm used in prior works by replacing the use of fully homomorphic encryption with succinct secure two-party computation where parties obtain additive output shares (Boyle et al., EUROCRYPT'25 and Abram et al., STOC'25).
Loris Bergerat, Jean-Baptiste Orfila, Adeline Roux-Langlois, Samuel Tap
ePrint Report
Fully Homomorphic Encryption (FHE) enables secure computation over encrypted data, offering a breakthrough in privacy-preserving computing. Despite its promise, the practical deployment of FHE has been hindered by the significant computational overhead, especially in general-purpose bootstrapping schemes. In this work, we build upon the recent advancements of [LY23] to introduce a variant of the functional/programmable bootstrapping. By carefully sorting the steps of the blind rotation, we reduce the overall number of external products without compromising correctness. To further enhance efficiency, we propose a novel modulus-switching technique that increases the likelihood of satisfying pruning conditions, reducing computational overhead. Extensive benchmarks demonstrate that our method achieves a speedup ranging from 1.75x to 8.28x compared to traditional bootstrapping and from 1.26x to 2.14x compared to [LY23] bootstrapping techniques. Moreover, we show that this technique is better adapted to the IND-CPA-D security model by reducing the performance downgrade it implies.
Mathieu Degré, Patrick Derbez, André Schrottenloher
ePrint Report
The meet-in-the-middle (MITM) attack is a powerful cryptanalytic technique leveraging time-memory tradeoffs to break cryptographic primitives. Initially introduced for block cipher cryptanalysis, it has since been extended to hash functions, particularly preimage attacks on AES-based compression functions.

Over the years, various enhancements such as superposition MITM (Bao et al., CRYPTO 2022) and bidirectional propagations have significantly improved MITM attacks, but at the cost of increasing complexity of automated search models. In this work, we propose a unified mixed integer linear programming (MILP) model designed to improve the search for optimal pre-image MITM attacks against AES-based compression functions.

Our model generalizes previous approaches by simplifying both the modeling and the corresponding attack algorithm. In particular, it ensures that all identified attacks are valid. The results demonstrate that our framework not only recovers known attacks on AES and Whirlpool but also discovers new attacks with lower memory complexities, and new quantum attacks.
Yanpei Guo, Zhanpeng Guo, Wenjie Qu, Jiaheng Zhang
ePrint Report
A zero-knowledge proof of machine learning (zkML) enables a party to prove that it has correctly executed a committed model using some public input, without revealing any information about the model itself. An ideal zkML scheme should conceal both the model architecture and the model parameters. However, existing zkML approaches for neural networks primarily focus on hiding model parameters. For convolutional neural network (CNN) models, these schemes reveal the entire architecture, including number and sequence of layers, kernel sizes, strides, and residual connections.

In this work, we initiate the study of architecture-private zkML for neural networks, with a focus on CNN models. Our core contributions include 1) parametrized rank-one constraint system (pR1CS), a generalization of R1CS, allowing the prover to commit to the model architecture in a more friendly manner; 2) a proof of functional relation scheme to demonstrate that the committed architecture is valid.

Our scheme matches the prover complexity of BFG+23 (CCS'23), the current state-of-the-art in zkML for CNNs. Concretely, on VGG16 model, when batch proving 64 instances, our scheme achieves only 30% slower prover time than BFG+23 (CCS'23) and 2.3$\times$ faster than zkCNN (CCS'21). This demonstrates that our approach can hide the architecture in zero-knowledge proofs for neural networks with minor overhead. In particular, proving a matrix multiplication using our pR1CS can be at least 3$\times$ faster than using conventional R1CS, highlighting the effectiveness of our optimizations.
Suvasree Biswas, Mohit Vaid, Arkady Yerukhimovich
ePrint Report
In this paper, we revisit the problem of multi-client functional encryption (MCFE) for general functions. Specifically, we consider the setting of private-key MCFE for constant-arity functions where the input domain is polynomial in the security parameter. Surprisingly, we show that in this setting it is possible to construct a private-key MCFE scheme secure for a bounded number of key and encryption queries based only on the minimal assumption that one-way functions exist. In contrast, all prior constructions of MCFE for general functions require very strong assumptions such as indistinguishability obfuscation or multilinear maps. Our main technique is to show that private-key MCFE for polynomial input domain can be built from any private-key multi-input functional encryption (MIFE) while inheriting the security properties of the underlying MIFE. Instantiating our construction with the MIFE of Brakerski et al. (Eurocrypt 2016) gives us a construction based only on the existence of one-way functions.
Min Zhang, Yao Sun
ePrint Report
Cube attack is one of the most powerful approaches for recovering keys of stream ciphers. Practical cube attacks generate several superpolys first and solve the system constructed by these superpolys afterward. Unlike previous practical attacks, we propose a new cube attack that transfers the difficulty of generating easy-solving superpolys to solving the system built by numerous nonlinear ones. In the offline phase, we recovered lots of nonlinear superpolys by improving the approach proposed by Delaune et al. at SAC 2022 in theory. In the online phase, taking advantage of the sparsity and asymmetry of these numerous superpolys, we present a new testing method to solve the constructed system efficiently. As applications, the latest attack could practically recover the keys for 820- and 832-round Trivium with time complexity no more than $2^{46}$ and $2^{50}$, respectively, while the previous highest number of rounds of Trivium that can be attacked practically is 830. We believe the proposed approach can be used to attack more rounds of Trivium and other stream ciphers.
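The two phases the abstract refers to, as an added example that is not code from the paper: the offline phase recovers a cube's superpoly as a black box (BLR linearity test, then coefficient extraction) and the online phase queries the cipher under the unknown key and solves the resulting GF(2) system. The keyed Boolean function `toy_cipher` is constructed here in place of a stream cipher's first output bit; the cube `(0,)` is built so that its superpoly is nonlinear, which is exactly the kind of superpoly the classical attack drops and the paper above sets out to use.

```python
"""Toy cube attack, added as an illustration (not code from the paper above).
`toy_cipher` is a constructed keyed polynomial standing in for the first
keystream bit of a stream cipher; a real target such as Trivium is only
reachable as a black box, so the offline phase below treats `toy_cipher`
the same way and never inspects its formula."""
import itertools
import random

N_IV, N_KEY = 3, 3   # public IV bits v[0..2], secret key bits k[0..2]


def toy_cipher(v, k):
    """Constructed keyed polynomial over GF(2) (the 'first output bit')."""
    v0, v1, v2 = v
    k0, k1, k2 = k
    return ((v0 & v1 & (k0 ^ k2 ^ 1)) ^ (v0 & v1 & v2 & k1) ^ (v0 & k0 & k1)
            ^ (v2 & k1) ^ (v1 & k2) ^ (k0 & k1 & k2))


def cube_sum(cube, key, f=toy_cipher):
    """XOR f over all 2^|cube| assignments of the cube IV bits, with the IV
    bits outside the cube fixed to 0. Monomials not divisible by the cube
    term cancel, so the result is the cube's superpoly evaluated at `key`."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        v = [0] * N_IV
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= f(v, key)
    return acc


def recover_linear_superpoly(cube, trials=32, seed=1):
    """Offline phase (attacker chooses key and IV): BLR linearity test, then
    read off p(k) = const + sum_i coeffs[i]*k[i]. Returns None when the test
    fails, i.e. the superpoly is nonlinear and the classical attack drops it."""
    rng = random.Random(seed)
    p = lambda k: cube_sum(cube, k)
    zero = [0] * N_KEY
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(N_KEY)]
        b = [rng.randint(0, 1) for _ in range(N_KEY)]
        if p(zero) ^ p(a) ^ p(b) != p([x ^ y for x, y in zip(a, b)]):
            return None
    const = p(zero)
    coeffs = []
    for i in range(N_KEY):
        unit = [int(j == i) for j in range(N_KEY)]
        coeffs.append(const ^ p(unit))
    return coeffs, const


def solve_gf2(equations, n):
    """Gaussian elimination over GF(2); equations are (coeffs, rhs) pairs.
    Returns the unique solution, or None if the system is rank-deficient
    or inconsistent."""
    m = [list(c) + [r] for c, r in equations]
    pivots, rank = [], 0
    for col in range(n):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                m[i] = [x ^ y for x, y in zip(m[i], m[rank])]
        pivots.append(col)
        rank += 1
    if rank < n or any(row[-1] for row in m[rank:]):
        return None
    sol = [0] * n
    for i, col in enumerate(pivots):
        sol[col] = m[i][-1]
    return sol


def cube_attack(secret_key, cubes):
    """Online phase: for every cube with a linear superpoly, query the cipher
    under the unknown key on that cube's IVs (the only key-dependent queries),
    then solve the linear system for the key bits."""
    equations = []
    for cube in cubes:
        sp = recover_linear_superpoly(cube)
        if sp is None:
            continue
        coeffs, const = sp
        s = cube_sum(cube, secret_key)
        equations.append((coeffs, s ^ const))
    return solve_gf2(equations, N_KEY)


if __name__ == "__main__":
    cubes = [(0,), (2,), (1,), (0, 1), (0, 1, 2)]
    for c in cubes:
        print(c, recover_linear_superpoly(c))
    print("recovered key:", cube_attack([1, 0, 1], cubes))
```

The cube `(0,)` has superpoly `k0*k1` and is rejected by the linearity test; with only the linear cubes `(1,)`, `(0, 1)` and `(0, 1, 2)` the system is full rank and three online cube sums recover the key. Dropping a cube whose superpoly is nonlinear wastes the information it carries, which is the gap the abstract addresses.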
Hanyu Wei, Wenqian Li, Shiyu Shen, Hao Yang, Wenbo Guo, Yunlei Zhao
ePrint Report
Post-quantum cryptography (PQC) is essential to securing data in the quantum computing era, and standardization efforts led by NIST have driven extensive research on practical and efficient implementations. With the emerging deployment of ARMv9-A processors in mobile and edge devices, optimizing PQC algorithms for this architecture is becoming increasingly important. Among the NIST-selected digital signature schemes, ML-DSA stands out due to its strong security and efficiency, making it suitable for general purposes. In this work, we present a highly optimized implementation of ML-DSA for the ARMv9-A architecture, leveraging the SVE2 vector instruction set. We propose a vector-friendly sparse polynomial multiplication scheme and introduce an early-check mechanism that significantly reduces redundant computation in the signature validity check. We also design a tailored conditional instruction pipeline to further enhance efficiency. Our implementation achieves a 70.7% performance improvement in signature generation compared to the baseline implementation, establishing the first highly vectorized ML-DSA implementation on ARMv9-A by SVE2 extension. These results demonstrate the practicality of deploying high-performance post-quantum signatures on next-generation mobile and edge platforms.

08 December 2025

Tapas Pal, Robert Schädlich
ePrint Report
We present a unified framework for constructing registered attribute-based encryption (RABE) and registered functional encryption (RFE) from the standard (bilateral) $k$-Lin assumption in asymmetric bilinear pairing groups. Specifically, our schemes capture the following functionalities.

- RABE for logspace Turing machines. We present the first RABE for deterministic and nondeterministic logspace Turing machines (TMs), corresponding to the uniform complexity classes $\mathsf L$ and $\mathsf{NL}$. That is, we consider policies $g$ computable by a TM with a polynomial time bound $T$ and a logarithmic space bound $S$. The public parameters of our schemes scale only with the number of states of the TM, but remain independent of the attribute length and the bounds $T,S$. Thus, our system is capable of verifying unbounded-length attributes $\mathbf y$ while the maximum number of states needs to be fixed upfront.

- RFE for attribute-based attribute-weighted sums (AB-AWS). Building upon our RABE, we develop RFE for AB-AWS. In this functionality, a function is described by a tuple $f=(g,h)$, takes $(\mathbf y, \{(\mathbf x_j, \mathbf z_j)\}_{j\in[N]})$ as input for an unbounded integer $N$, and outputs $\sum_{j\in[N]}\mathbf z_jh(\mathbf x_j)^\top$ if and only if $g(\mathbf y) = 0$. Here, $\{\mathbf z_j\}_j$ are private inputs that are hidden in the ciphertext, whereas $\mathbf y$ and $\{\mathbf x_j\}_j$ can be public. Our construction can instantiate $g,h$ with deterministic logspace TMs, while a previous construction due to [Pal and Schädlich, Eprint 2025] only supports arithmetic branching programs (ABPs), i.e. a non-uniform model of computation.

- RFE for attribute-based quadratic functions (AB-QF). Furthermore, we build the first RFE for AB-QF with compact ciphertexts. In this functionality, a function is described by a tuple $f=(g,\mathbf h)$, takes input $(\mathbf y,(\mathbf z_1,\mathbf z_2))$ and outputs $(\mathbf z_1\otimes\mathbf z_2)\mathbf h^\top$ if and only if $g(\mathbf y)=0$. Here, $(\mathbf z_1, \mathbf z_2)$ are private inputs whereas the attribute $\mathbf y$ is public. Policies can be computed by ABPs or deterministic logspace TMs. Prior to our work, the only known construction of RFE for quadratic functions from standard assumptions [Zhu et al., Eurocrypt 2024] did not provide any access control.

Conceptually, we transfer the framework of [Lin and Luo, Eurocrypt 2020], which combines linear FE with information-theoretic garbling schemes, from standard to registered FE. At the core of our constructions, we introduce a novel RFE for inner products with user-specific pre-constraining of the functions which enables the on-the-fly randomization of garbling schemes akin to standard inner-product FE. This solves an open question raised in [Zhu et al., Asiacrypt 2023] who constructed RABE from predicate encodings but left open the problem of building RABE in a more general setting from linear garbling schemes.
Lisbon, Portugal, 11 July 2026
Event Calendar
Event date: 11 July 2026
Submission deadline: 12 March 2026
Notification: 10 April 2026
Universität der Bundeswehr München, Germany
Job Posting
We are looking for a bright post-doc researcher with strong interest and suitable experience in any of the following research areas:
  • Advanced public-key encryption: e.g. Homomorphic Encryption (HE), Updatable Public-Key Encryption (UPKE), KEMs with extra properties, and their use in the design of protocols.
  • Lattice-based cryptography: Design, analysis, and prototyping of cryptographic schemes based on hard problems in lattices.
The successful candidate will be leading on research activities in an ongoing EU research project on post-quantum cryptography. They will work closely with members of the Privacy and Applied Cryptography (PACY) lab, led by Prof. Mark Manulis, and the Quantum-Safe and Advanced Cryptography (QuSAC) lab, led by Prof. Daniel Slamanig. The candidate will benefit from our modern infrastructure and the availability of funds to support their own research. Also, Munich is among the best places to live in Germany.

This position is available for a start in April 2026 and is fully funded at federal salary level TVöD E13 (~59k to 64k EUR p.a. depending on qualifications and experience). The initial contract will be for 1.5 years with a possibility of extension. Candidates without doctoral degree but with sufficient research experience, e.g. final-year doctoral students, are also welcome to apply. (More info via URL below.)

Requirements:
  • At least a completed Master's degree in cryptography, mathematics or computer science
  • Strong background knowledge / experience in privacy-enhancing cryptography research and development
  • Publications in top-tier cryptography / security / privacy venues
  • Fluency in written and spoken English (German is not essential)
Application deadline: January 25, 2026. The search will continue until the position is filled.

Please send your application including a cover letter, CV, transcripts of grades, and two contacts for academic references as a single PDF document per email with subject line "Application PACY".

Closing date for applications:

Contact: Prof. Mark Manulis (mark.manulis [at] unibw.de)

More information: https://www.unibw.de/pacy-en/vacancies

University of Klagenfurt, Klagenfurt, Austria
Job Posting

AAU is seeking to appoint a full professor in cybersecurity (candidates from all technical areas are welcome). Depending on the candidate's academic credentials, the professorship can either be open-ended or fixed-term (with option of a permanent extension).

The professorship is located at the Department of Artificial Intelligence and Cybersecurity, and takes a central role in the department, as well as the delivery of the MSc in AI and Cybersecurity.

A starting date of September 1st 2026 is envisioned. Salary, as well as associated positions (pre-doc and post-doc), are negotiable. For further information about the position please follow the link, and/or get in touch via the contact supplied below.

Applications must be made by 14th of January 2026 via: https://jobs.aau.at/en/job/5-2/

Closing date for applications:

Contact: Elisabeth . Oswald AT aau.at

More information: https://jobs.aau.at/en/job/5-2/

Aarhus University, Denmark
Job Posting
We are looking for multiple interns to work with us on research projects around the real-world implementation security of MPC protocols, in particular, the gap between assumptions on the theory side and implementation choices made in practice. The internships are expected to take place at Aarhus University between May and August 2026.

Candidate profile:
Interns are expected to be current or recent PhD students with a relevant background in at least one of the following research areas:
  • Modeling of MPC (security) in general, or of real-world aspects of other types of cryptographic protocols
  • Attacks on implementations of advanced cryptographic protocols such as MPC, ZK, or related protocols
  • Implementations of MPC protocols and related protocols
In exceptional cases, we may also consider master or bachelor students with relevant expertise.

Application:
The application deadline is 7 January 2026. Please see the project website (https://mpcinthewild.github.io) for further instructions.

Closing date for applications:

Contact: For more information about the internships, please contact Sabine Oechsner (s.a.oechsner@vu.nl) or Peter Scholl (peter.scholl@cs.au.dk).

More information: https://mpcinthewild.github.io

Panagiotis Chatzigiannis, Suvradip Chakraborty, Shimaa Ahmed
ePrint Report
In the Web2 world, users control their accounts using credentials such as usernames and passwords, which can be reset or recovered by centralized servers if the user loses them. In the decentralized Web3 world however, users control their accounts through cryptographic private-public key pairs which are much more complex to manage securely. In addition, the decentralized nature of Web3 makes account recovery impossible in the absence of predetermined recovery mechanisms. With the proliferation of blockchains and cryptocurrencies over the last years, it is crucial to provide users secure, usable and reliable ways to recover their accounts and assets. However, up to this day, no Web3 recovery method has adequately achieved all three of the above required properties. For instance, conventional ``mnemonic" backups which can deterministically reconstruct a private key require verbatim recall of a fixed word list, creating an unpleasant usability/security trade-off.

In this work, we present a fully-offline protocol called LifeXP$^{+}$ that allows a user to reconstruct a cryptographically-secure private key from a natural-language story which the user always remembers, such as a memorable life event. To ensure usability of our protocol, key reconstruction works even when the story is later retold with different wording or grammar, only requiring that the semantics be preserved. The protocol combines pre-trained sentence embeddings to capture semantics, locality-sensitive hashing to quantize embeddings into stable bit strings, a cryptographic fuzzy extractor that corrects bit errors caused by paraphrasing, and a biometric factor that is fused with the linguistic factor to boost entropy and enhance security. In our paper we describe the design, show that the protocol achieves the required properties, and provide an evaluation based on publicly-available datasets which runs completely offline on commodity hardware, showcasing its feasibility.
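The fuzzy-extractor step in the pipeline above, as an added example that is not the paper's code: a code-offset construction that hides the codeword of a random seed under the enrolled bit string and recovers the seed from a retelling that differs in a few bits. The 80-bit string `W` is constructed here in place of the LSH quantization of a sentence embedding, the error-correcting code is a plain repetition code chosen to keep the mechanics visible, and the key derivation hashes the seed directly; a deployment would use a stronger code and a proper strong extractor, and (as the abstract says) fold in a second factor to raise the entropy.

```python
"""Code-offset fuzzy extractor over a noisy bit string, added as an
illustration (not code from the paper above). The bit string stands in for
the LSH quantization of a sentence embedding: retelling the story flips a few
bits, an unrelated story flips many."""
import hashlib
import random

REP = 5                 # repetition factor: corrects up to 2 flipped bits per 5-bit block
R_BITS = 16             # length of the random seed r
W_BITS = REP * R_BITS   # the enrolled fingerprint w must have 80 bits


def ecc_encode(r):
    """Repetition code: each bit of r written REP times."""
    return [b for b in r for _ in range(REP)]


def ecc_decode(c):
    """Majority vote per block; wrong only if a block has more than REP//2 flips."""
    return [int(sum(c[i:i + REP]) > REP // 2) for i in range(0, len(c), REP)]


def key_from_seed(r):
    """Simplified extractor (assumption: a real design would use a universal
    hash or HKDF with a public salt rather than a bare hash of the seed)."""
    packed = int("".join(map(str, r)), 2).to_bytes(R_BITS // 8, "big")
    return hashlib.sha256(b"lifexp-toy|" + packed).hexdigest()


def gen(w, rng):
    """Enrollment: pick a random seed r and hide its codeword under w.
    Returns (key, helper); only `helper` is stored. It leaks about w only what
    the code structure allows, which is why the seed (not w) feeds the key."""
    assert len(w) == W_BITS
    r = [rng.randint(0, 1) for _ in range(R_BITS)]
    helper = [wi ^ ci for wi, ci in zip(w, ecc_encode(r))]
    return key_from_seed(r), helper


def rep(w_prime, helper):
    """Reproduction: w' ^ helper = codeword ^ (w ^ w'). Decoding removes the
    error term as long as each block carries at most REP//2 flips."""
    noisy_codeword = [wi ^ hi for wi, hi in zip(w_prime, helper)]
    return key_from_seed(ecc_decode(noisy_codeword))


def flip(w, positions):
    """Constructed noise model: flip the listed bit positions of w."""
    out = list(w)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed 80-bit "LSH fingerprint" of the enrolled story.
W = [int(b) for b in "1011001110001011010111101110001010100101" * 2]

if __name__ == "__main__":
    key, helper = gen(W, random.Random(7))
    retold = flip(W, [0, 1, 7, 12, 43, 79])       # paraphrase: scattered flips
    unrelated = flip(W, list(range(0, W_BITS, 2)))  # different story: many flips
    print("retold recovers key:", rep(retold, helper) == key)
    print("unrelated recovers key:", rep(unrelated, helper) == key)
```

With this code the key survives up to two flips in any 5-bit block and nothing more; a third flip in one block changes one seed bit and therefore the whole key, which is the sharp threshold a fuzzy extractor provides. The key's entropy is bounded by that of the seed (16 bits here) and by the min-entropy of `w` minus what `helper` leaks, so the choice of code and of the second factor, not the hash, determines the security level.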
Alireza Gholizadeh Shahrbejari, Reza Ebrahimi Atani
ePrint Report
This paper introduces an ML-guided scoring heuristic for differential trail beam search in substitution--permutation network (SPN) ciphers. Instead of replacing classical search procedures or relying on heavy learning architectures, we take a residual-learning approach: a gradient boosting regressor is trained to predict the error of a simple nibble-count lower bound on the remaining trail cost. At search time, the predicted residual is fused multiplicatively into the beam scoring function, using per-layer robust normalization and a conservative floor to preserve safety. This design keeps the underlying search structure such as beam width, pruning rules, and lower-bound guarantees unchanged, while aiming to improve the ranking of partial trails. We instantiate the method on the 64-bit block cipher GIFT-64 under the classical Markov differential model. Our implementation reproduces state-of-the-art differential trails with identical weights and round-by-round differences, and achieves 10--40% reductions in the number of expanded nodes in moderate-depth searches, with runtime trade-offs analyzed across different model horizons. The results suggest a practical, non-invasive paradigm for enhancing classical cryptanalytic search with learned corrections, without redesigning existing algorithms or probability models, and are in principle applicable to a range of SPN designs.
Jingyu Ke, Boxuan Liang, Guoqiang Li
ePrint Report
Zero-knowledge virtual machines (zkVMs) rely on tabular constraint systems whose verification semantics include gate, lookup, and permutation relations, making correctness auditing substantially more challenging than in arithmetic-circuit DSLs such as Circom. In practice, ensuring that witness-generation code is consistent with these constraints has become a major source of subtle and hard-to-detect bugs. To address this problem, we introduce a high-level semantic model for tabular constraint systems that provides a uniform, circuit-irrelevant interpretation of row-wise constraints and their logical interactions. This abstraction enables an inductive, row-indexed reasoning principle that checks consistency without expanding the full circuit, significantly improving scalability. We implement this methodology in ZIVER and show that it faithfully captures real zkVM designs and automatically validates the consistency of diverse SP1 chip components.
Mikhail Kudinov, Jonas Nick
ePrint Report
Hash-based signature schemes offer a promising post-quantum alternative for Bitcoin, as their security relies solely on hash function assumptions similar to those already underpinning Bitcoin's design. We provide a comprehensive overview of these schemes, from basic primitives to SPHINCS+ and its variants, and investigate parameter selection tailored to Bitcoin's specific requirements. By applying recent optimizations such as SPHINCS+C, TL-WOTS-TW, and PORS+FP, and by reducing the allowed number of signatures per public key, we achieve significant size improvements over the standardized SPHINCS+ (SLH-DSA). We provide public scripts for reproducibility and discuss limitations regarding key derivation, multi-signatures, and threshold signatures.
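The most basic of the primitives the abstract builds on, as an added example that is not the paper's code or scripts: a Lamport one-time signature over SHA-256, together with the attack that makes the "allowed number of signatures per public key" a security parameter rather than a convenience. The message digest is truncated to 16 bits here (a constructed toy setting) so that the widening of the forgeable set after a second signature under the same key can be exhibited by brute force; a real instance uses the full 256-bit digest, which makes the search infeasible but leaves the same structural leak of one secret per digest bit per signature.

```python
"""Lamport one-time signature over SHA-256, added as an illustration (not the
paper's code). N is a toy digest length so that key reuse can be exploited by
brute force; a real instance uses N = 256."""
import hashlib
import random

N = 16   # toy digest length in bits (real Lamport: 256)


def H(data):
    return hashlib.sha256(data).digest()


def msg_digest(msg):
    """Top N bits of SHA-256(msg); each digest bit selects one of two secrets."""
    return int.from_bytes(H(msg), "big") >> (256 - N)


def bit(d, i):
    return (d >> (N - 1 - i)) & 1


def keygen(rng):
    """sk[b][i] is revealed when digest bit i equals b; pk holds the hashes."""
    sk = [[rng.getrandbits(256).to_bytes(32, "big") for _ in range(N)] for _ in (0, 1)]
    pk = [[H(s) for s in row] for row in sk]
    return sk, pk


def sign(sk, msg):
    d = msg_digest(msg)
    return [sk[bit(d, i)][i] for i in range(N)]


def verify(pk, msg, sig):
    d = msg_digest(msg)
    return len(sig) == N and all(H(s) == pk[bit(d, i)][i] for i, s in enumerate(sig))


def revealed_secrets(signed):
    """What an observer learns from (msg, sig) pairs under one key:
    revealed[b][i] is the secret for digest bit i equal to b."""
    revealed = [{}, {}]
    for msg, sig in signed:
        d = msg_digest(msg)
        for i, s in enumerate(sig):
            revealed[bit(d, i)][i] = s
    return revealed


def forge(signed, budget=1 << 20):
    """Existential forgery: search for a fresh message whose digest needs only
    secrets already revealed. After one signature only a digest collision
    works; after two signatures whose digests differ in d bits, every one of
    the 2^d digests 'between' them is forgeable, so the search gets (3/2)^d
    times easier. Returns (message, signature) or None within the budget."""
    revealed = revealed_secrets(signed)
    seen = {msg for msg, _ in signed}
    for counter in range(budget):
        cand = b"pay 100 BTC to mallory #%d" % counter
        if cand in seen:
            continue
        d = msg_digest(cand)
        if all(i in revealed[bit(d, i)] for i in range(N)):
            return cand, [revealed[bit(d, i)][i] for i in range(N)]
    return None


if __name__ == "__main__":
    sk, pk = keygen(random.Random(42))
    m1, m2 = b"pay 1 BTC to alice", b"pay 2 BTC to bob"
    signed = [(m1, sign(sk, m1)), (m2, sign(sk, m2))]
    forged = forge(signed)
    print("forgery verifies:", forged is not None and verify(pk, forged[0], forged[1]))
```

Each signature reveals exactly one of the two secrets per digest position, so a second signature under the same key hands the attacker both secrets at every position where the two digests differ. Few-time and many-time schemes (WOTS+ inside XMSS and SPHINCS+) bound this leakage by construction; choosing a smaller allowed signature count, as the paper does, is what lets the parameters shrink.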