International Association
for Cryptologic Research

The Department of Computer Science (CS) at the University of Alabama at Birmingham (UAB) is seeking candidates for a tenured faculty position who will assume the role of the Director of the Center for Cyber Security. Highly qualified candidates at both Associate Professor and Professor rank will be considered.

Further information on the position and how to apply can be found at:
https://uab.peopleadmin.com/postings/9605

Closing date for applications:

Contact: Yuliang Zheng, Professor & Chair (yzheng at uab.edu)

Responsibilities include analyzing various crypto algorithms and protocols to detect vulnerabilities. It is preferable to have an undergraduate degree in mathematics/statistics/computer science with a good understanding of cryptography. Salary starting at Rs 12 lakhs pa based on experience.

Closing date for applications:

Contact: Manindra Agrawal

We have (fully funded) multiple PhD positions in the areas of applied cryptography beginning from Fall 2022 (August 2022) or Spring 2022 (January 2022) at University of South Florida (USF). USF is a Rank-1 Research University (rank 31 of CS departments at US public universities per according to Academic Analytics on Scholarly Research Index) and offers a competitive salary with an excellent working environment, all within close proximity of high-tech industry and beautiful beaches of Sunny Florida. Tampa/Orlando area is a key part of the Florida High Technology Corridor and harbors major tech and research companies. The qualified candidate will have opportunities for research internships and joint projects with lead-industrial companies. Topics include:

Trustworthy Machine Learning (TML)

• Privacy-Preserving Machine Learning
• Secure multi-party computation for TML

Trustworthy Blockchains

• New cryptographic schemes for consensus and distributed transactions in Blockchains
• Practical quantum-safe cryptographic deployments for Blockchains

Secure Internet of Things and Systems (IoT) and Next Generation Wireless Networks

• Lightweight cryptography for IoT
• Efficient cryptography for vehicular and unmanned aerial systems
• Efficient digital signatures

Privacy-Enhancing Technologies

• Searchable encryption, Oblivious RAM, and multi-party computation

Requirements:

• A BS degree in ECE/CS with a high-GPA
• Very good programming skills (e.g., C, C++), familiarity with Linux
• MS degree in ECE/CS/Math is a big plus. Publications in security and privacy are highly desirable

Please send (by e-mail) to below contact information:

• Transcripts
• Curriculum vitae
• Three reference letters (send by referees)
• Research statement
• GRE and TOEFL

Closing date for applications:

Contact: Person to Contact: Dr. Attila A. Yavuz
Email: attilaayavuz@usf.edu
Webpage : http://www.csee.usf.edu/~attilaayavuz/

More information: http://www.csee.usf.edu/~attilaayavuz/article/PositionDescrption_at_USF.pdf

Research Associate for the project „Laboratory of energy transition in Northern Germany: Resilient operation management and ICT security of decentralised control concepts”
University of Hamburg is a University of Excellence and one of the most research-focused universities in Germany. The research group “Security in Distributed Systems” is working on the intersection of security and privacy research, with a focus on distributed systems, data protection, anonymity, and cryptography.
Your Profile
We are looking for a new member of our team that will be working as a full-time PhD student in research and teaching. Your tasks will include:

• Development, implementation, analysis, and evaluation of complex and secure IT-systems
• Academic services in a third-party funded project
• Working with bleeding-edge technology and research literature from security, cryptography, and privacy
• Publication of research results in national/international venues
• Support for teaching

Required Qualifications
Completed MSc degree (or equivalent) in IT-Security, computer science or a strongly related field. You are highly motivated, curious, reliable, and creative. You must be interested in system security, applied cryptography and/or privacy research. You must have experience in security in open and distributed communication systems and fundamental knowledge in cryptography and IT-Security. Experience with machine learning and advanced software engineering skills, especially with a focus on application security and cryptography are a bonus. Programming skills in higher languages like C/C++ and Python are required. Fluent English, spoken and written, and good communication skills are mandatory. Knowledge of German is helpful; we expect the willingness to learn German for non-native German speakers.
We offer great and flexible working conditions in a highly motivated team of researchers with many opportunities for collaboration. The university supports their employees with many interesting opportunities for personal development.

Closing date for applications:

Contact: Prof. Hannes Federrath
hannes.federrath@uni-hamburg.de
https://www.inf.uni-hamburg.de/inst/ab/snp/team/federrath.html

Horizen Labs is a blockchain technology company that designs, develops, and delivers powerful, scalable, and reliable distributed ledger solutions for business.

Our Core Engineering Team is an innovative and collaborative group of researchers and software engineers who are dedicated to the design and development of world-class blockchain-based products. We are looking for a cryptographer, or applied cryptographer, to join our growing crypto team based in Milan, Italy. Currently, the team is developing a protocol suite for SNARK-based proof-composition, but its duties reach beyond that, developing privacy-enhancing solutions for our sidechain ecosystem.

Responsabilities

• Design privacy-enhancing technology built on SNARK-based protocols
• Perform collaborative research and assist technical colleagues in their development work
• Participate in standards-setting

Requirements

• Ph.D. in mathematics, computer science, or cryptography
• Solid foundations in zero-knowledge and cryptographic protocols
• Publications in acknowledged venues on applied or theoretical cryptography, preferably cryptographic protocols or PETs
• Strong problem-solving skills
• The ability to work in a team setting as well as autonomously
• Foundations in blockchain technology and experience in reading Rust are a plus

We offer

• A competitive salary plus pre-series A stock options
• Flexible working hours, including the possibility of remote working
• The opportunity to work with talented minds on challenging topics in this field, including the most recent advancements in zero-knowledge
• A nice and informal team setting to conduct research and development of high-quality open source solutions

If you are interested in this position, you might want to take a look at our recent publications (IACR eprints 2021/930, 2021/399, 2020/123) and our latest podcast on zeroknowledge.fm (Episode 178). For further questions, please contact the email below.

Closing date for applications:

Contact: recruiting@horizenlabs.io

More information: https://horizenlabs.io/

Postdoctoral position in Blockchain and IoT Security The School of Computer Science at Mohammed VI Polytechnic University (UM6P), Benguerir, Morocco is currently looking for motivated and talented Postdoctoral researchers in the area of Blockchain and IoT Security. The successful candidates will primarily be working on the following topics (but not limited to):

• Blockchain and Cryptocurrencies
• Applications of Blockchain
• IoT Security

Key duties: The Postdoctoral researcher will be expected to:

• Publish in high impact journals in the field.
• Participate to the supervision of PhD students and research internships.

Criteria of the candidate:

• Ph.D. in the field of Cryptography, Computer security, or any related field.
• Strong publication record in high-impact conferences/journals.
• Very good programming skills (e.g., C, C++), familiarity with Linux
• Proficiency in English and ability to work in a team
• Outstanding analytical and problem-solving skills

Employment terms:
The successful candidate will be employed by Mohammed VI Polytechnic University (UM6P) based at Benguerir (50 km north of Marrakech), Morocco. The net salary per month is 2000 USD. The initial appointment as a Postdoctoral researcher will be for one year renewable depending on satisfactory performance.
Applications and selection procedure:
Applications must be sent using a single electronic zipped folder with the mention of the job title in the mail subject. The folder must contain:

• A 1-page cover letter with main research interests.
• A detailed CV.
• A 1-page brief research statement.
• Contact information of 2 references (Applicants are assumed to have obtained their references’ consent to be contacted for this matter).

The application should be filed online via: https://career2.successfactors.eu/sfcareer/jobreqcareer?jobId=1339&company=ump

Closing date for applications:

Contact: Contact: Assoc. Prof. Mustapha Hedabou (mustapha.hedabou@um6p.ma)

More information: https://www.um6p-cs.ma/en/home/

NYU Shanghai is currently inviting applications for Tenured or Tenure-Track positions in Computer Science. The search is not restricted to any rank and outstanding candidates at all levels are encouraged to apply. We seek candidates who have completed a Ph.D. in Computer Science, or a closely related discipline. We seek candidates in all sub-fields of Computer Science, with particular interest in Human-Computer Interaction (HCI), Operating and Distributed Systems, Blockchain, Quantum Computing, and Deep Learning. Applicants will submit a cover letter, curriculum vitae, statement of research, and a statement of teaching interests. Additionally, applicants will be prompted to enter the names and email addresses of at least three referees. Each referee will be contacted to upload a reference letter through Interfolio. Review of applications will begin on January 1, 2022 and will continue until the . To apply, please follow this link apply.interfolio.com/93616. If you have any questions, please email the NYU Shanghai NY Office of Faculty Recruitment shanghai.faculty.recruitment@nyu.edu. Terms of employment at NYU Shanghai are comparable to NYU New York and other U.S. institutions with respect to research start-up funds and compensation, and they include housing subsidies and educational subsidies for children. Faculty may in certain cases have the opportunity to spend time at NYU New York and other sites of the NYU Global Network, engaging in both research and teaching. NYU Shanghai is an equal opportunity employer committed to equity, diversity, and social inclusion. We strongly encourage applications from under-represented individuals in the profession, across color, creed, race, ethnic and national origin, physical ability, and gender and sexual identity. NYU Shanghai affirms the value of differing perspectives on the world as we strive to build the strongest possible university with the widest reach.

Closing date for applications:

Contact: NYU Shanghai Office of Faculty Recruitment

More information: https://apply.interfolio.com/93616

Electromagnetic Fault Injection (EMFI) is a well known method of introducing faults for security analysis of digital devices. Such faults can be seen as analogous to the faults which are known to naturally occur in digital devices, a known problem with designing safety-critical systems.

Numerous standards have been developed for safety-critical systems, including the development of standards for increasing the rate of naturally occurring faults using particle sources. In this work, we demonstrate that desktop EMFI tooling can be used to accomplish similar testing, but with more control, effectively speeding up the evaluation process. We demonstrate that using EMFI tooling for safety evaluation allows us to recreate a highly publicized safety issue present in an automotive ECU -- one that could not easily be recreated previously with other techniques.

In this paper, we present solutions to some open problems for constructing efficient deep learning-based side-channel attacks (DL-SCAs) through a theoretical analysis. There are two major open problems in DL-SCAs: (i) the effect of the difference in secret key values used for profiling and attack phases is unclear, and (ii) the optimality of the negative log-likelihood (NLL) loss function used in the conventional learning method is unknown. These two problems have hindered the accurate performance evaluation and optimization of DL-SCAs. To address the problem (i), we clarified the strict conditions under which the use of different correct keys in profiling and attack phases affects the performance of DL-SCA. For the problem (ii), we then analyzed the relationship between the NLL loss and direct performance metrics of DL-SCAs (i.e., success rate (SR)/guessing entropy (GE)) and proved that the minimum NLL loss is sufficient but not necessary to achieve the optimal distinguisher of DL-SCA. This explains why DL-SCA succeeds even when the NLL loss is large and motivated us to design a new loss function. Based on the above analysis result, we also propose a new loss function called the probability concentration inequality (PCI) loss function. We derive the PCI loss as an upper bound of GE and a lower bound of the SR using a probability concentration inequality. Minimizing the PCI loss during training can directly optimize the GE and SR of the subsequent attack phase. In this paper, we describe the characteristics of PCI loss and NLL loss and introduce a new learning method that takes full advantage of the characteristics. We also analytically investigate the difference between the PCI loss and ranking loss reported in a previous work for a similar purpose and explain the advantage of PCI loss over the ranking loss. Finally, we validate the analysis and demonstrate the effectiveness of the proposed DL-SCA using the PCI loss through experimental attacks on public datasets.

Since the sign function can be used to implement the comparison operation, max function, and rectified linear unit (ReLU) function, several studies have been conducted to efficiently evaluate the sign function in the Cheon-Kim-Kim-Song (CKKS) scheme, one of the most promising fully homomorphic encryption schemes. Recently, Lee et al. (IEEE Trans. Depend. Sec. Comp.) proposed a practically optimal approximation method of sign function on the CKKS scheme using a composition of minimax approximate polynomials. However, homomorphic comparison, max function, and ReLU function algorithms that use this approximation method have not yet been successfully implemented on the residue number system variant CKKS (RNS-CKKS) scheme, and the sets of degrees of the component polynomials used by the algorithms are not optimized for the RNS-CKKS scheme. In this paper, we propose the optimized homomorphic comparison, max function, and ReLU function algorithms on the RNS-CKKS scheme using a composition of minimax approximate polynomials for the first time. We propose a fast algorithm for inverse minimax approximation error, a subroutine required to find the optimal set of degrees of component polynomials. This proposed algorithm makes it possible to find the optimal set of degrees of component polynomials with higher degrees than the previous study. In addition, we propose a method to find the degrees of component polynomials optimized for the RNS-CKKS scheme using the proposed algorithm for inverse minimax approximation error. We successfully implement the homomorphic comparison, max function, and ReLU function algorithms on the RNS-CKKS scheme with a low comparison failure rate ($< 2^{-15}$) and provide the various parameter sets according to the precision parameter $\alpha$. We reduce the depth consumption of the homomorphic comparison, max function, and ReLU function algorithms by one depth for several $\alpha$. In addition, the numerical analysis demonstrates that the proposed homomorphic comparison, max function, and ReLU function algorithms reduce running time by 6%, 7%, and 6% on average compared with the previous best-performing algorithms, respectively.

We study the problem of obtaining 2-round interactive arguments for NP with weak zero-knowledge (weak ZK) [Dwork et al., 2003] or with strong witness indistinguishability (strong WI) [Goldreich, 2001] under polynomially hard falsifiable assumptions. We consider both the delayed-input setting [Jain et al., 2017] and the standard non-delayed-input setting, where in the delayed-input setting, (i) prover privacy is only required to hold against delayed-input verifiers (which learn statements in the last round of the protocol) and (ii) soundness is required to hold even against adaptive provers (which choose statements in the last round of the protocol).

Concretely, we show the following black-box (BB) impossibility results by relying on standard cryptographic primitives.

1. It is impossible to obtain 2-round delayed-input weak ZK arguments under polynomially hard falsifiable assumptions if BB reductions are used to prove soundness. This result holds even when non-black-box techniques are used to prove weak ZK.

2. It is impossible to obtain 2-round non-delayed-input strong WI arguments and 2-round publicly verifiable delayed-input strong WI arguments under polynomially hard falsifiable assumptions if a natural type of BB reductions, called "oblivious" BB reductions, are used to prove strong WI.

3. It is impossible to obtain 2-round delayed-input strong WI arguments under polynomially hard falsifiable assumptions if BB reductions are used to prove both soundness and strong WI (the BB reductions for strong WI are required to be oblivious as above). Compared with the above result, this result no longer requires public verifiability in the delayed-input setting.

We introduce a novel generic ring signature construction, called DualRing, which can be built from several canonical identification schemes (such as Schnorr identification). DualRing differs from the classical ring signatures by its formation of two rings: a ring of commitments and a ring of challenges. It has a structural difference from the common ring signature approaches based on accumulators or zero-knowledge proofs of the signer index. Comparatively, DualRing has a number of unique advantages.

Considering the DL-based setting by using Schnorr identification scheme, our DualRing structure allows the signature size to be compressed into logarithmic size via an argument of knowledge system such as Bulletproofs. We further improve on the Bulletproofs argument system to eliminate about half of the computation while maintaining the same proof size. We call this Sum Argument and it can be of independent interest. This DL-based construction, named DualRing-EC, using Schnorr identification with Sum Argument has the shortest ring signature size in the literature without using trusted setup.

Considering the lattice-based setting, we instantiate DualRing by a canonical identification based on M-LWE and M-SIS. In practice, we achieve the shortest lattice-based ring signature, named DualRing-LB, when the ring size is between 4 and 2000. DualRing-LB is also 5x faster in signing and verification than the fastest lattice-based scheme by Esgin et al. (CRYPTO'19).

The SPEEDY block cipher suite announced at CHES 2021 shows excellent hardware performance. However, SPEEDY was not designed to be efficient in software implementations. SPEEDY's 6-bit sbox and bit permutation operations generally do not work efficiently in software. We implemented SPEEDY block cipher by applying the implementation technique of bit slicing. As an implementation technique of bit slicing, SPEEDY can be operated in software very efficiently and can be applied in microcontroller. By calculating the round key in advance, the performance on ARM Cortex-M3 for SPEEDY-5-192, SPEEDY-6-192, and SPEEDY-7-192 are 65.7, 75.25, and 85.16 clock cycles per byte (i.e. cpb), respectively. It showed better performance than AES-128 constant-time implementation and GIFT constant-time implementation in the same platform. Through this, we conclude that SPEEDY can show good performance on embedded environments.

With the advent of quantum computers, revisiting the security of cryptography has been an active research area in recent years. In this paper, we estimate the cost of applying Grover's algorithm to SPEEDY block cipher. SPEEDY is a family of ultra-low-latency block ciphers presented in CHES'21. It is ensured that the key search equipped with Grover's algorithm reduces the $n$-bit security of the block cipher to $\frac{n}{2}$-bit. The issue is how many quantum resources are required for Grover's algorithm to work. NIST estimates the post-quantum security strength for symmetric key cryptography as the cost of Grover key search algorithm. SPEEDY provides 128-bit security or 192-bit security depending on the number of rounds. Based on our estimated cost, we present that increasing the number of rounds is insufficient to satisfy the security against attacks on quantum computers. To the best of our knowledge, this is the first implementation of SPEEDY as a quantum circuit.

LightMAC is a lightweight MAC designed by Luykx et al. and recently standardized by ISO/IEC. In this paper, we refine LightMAC and suggest two simple variants called LedMAC1 and LedMAC2. Compared to LightMAC, our first scheme LedMAC1 avoids unnecessary padding without sacrificing the security. Our second scheme LedMAC2 further reduces the number of keys from two to one, and achieves the same level security as that of LightMAC.

We study the problem of batch verification for verifiable delay functions (VDFs), focusing on proofs of correct exponentiation (PoCE), which underlie recent VDF constructions. We show how to compile any PoCE into a batch PoCE, offering significant savings in both communication and verification time. Concretely, given any PoCE with communication complexity $c$, verification time $t$ and soundness error $\delta$, and any pseudorandom function with key length ${\sf k}_{\sf prf}$ and evaluation time $ t_{\sf prf}$, we construct:

-- A batch PoCE for verifying $n$ instances with communication complexity $m\cdot c +{\sf k}_{\sf prf}$, verification time $m\cdot t + n\cdot m\cdot O(t_{\sf op} + t_{\sf prf})$ and soundness error $\delta + 2^{-m}$, where $\lambda$ is the security parameter, $m$ is an adjustable parameter that can take any integer value, and $t_{\sf op}$ is the time required to evaluate the group operation in the underlying group. This should be contrasted with the naive approach, in which the communication complexity and verification time are $n \cdot c$ and $n \cdot t$, respectively. The soundness of this compiler relies only on the soundness of the underlying PoCE and the existence of one-way functions.

-- An improved batch PoCE based on the low order assumption. For verifying $n$ instances, the batch PoCE requires communication complexity $c +{\sf k}_{\sf prf}$ and verification time $t + n\cdot (t_{\sf prf} + \log(s)\cdot O(t_{\sf op}))$, and has soundness error $\delta + 1/s$. The parameter $s$ can take any integer value, as long as it is hard to find group elements of order less than $s$ in the underlying group. We discuss instantiations in which $s$ can be exponentially large in the security parameter $\lambda$.

If the underlying PoCE is constant round and public coin (as is the case for existing protocols), then so are all of our batch PoCEs. This implies that they can be made non-interactive using the Fiat-Shamir transform.

Additionally, for RSA groups with moduli which are the products of two safe primes, we show how to efficiently verify that certain elements are not of order $2$. This protocol, together with the second compiler above and any (single-instance) PoCE in these groups, yields an efficient batch PoCE in safe RSA groups. To complete the picture, we also show how to extend Pietrzak's protocol (which is statistically sound in the group $QR_N^+$ when $N$ is the product of two safe primes) to obtain a statistically-sound PoCE in safe RSA groups.

We introduce the notion of \emph{elementary MPC} reductions that allow us to securely compute a functionality $f$ by making a single call to a constant-degree ``non-cryptographic'' functionality $g$ without requiring any additional interaction. Roughly speaking, ``non-cryptographic'' means that $g$ does not make use of cryptographic primitives, though the parties can locally call such primitives.

Classical MPC results yield such elementary reductions in various cases including the setting of passive security with full corruption threshold $t<n$ (Yao, FOCS'86; Beaver, Micali, and Rogaway, STOC'90), the setting of full active security against a corrupted minority $t<n/2$ (Damg{\aa}rd and Ishai, Crypto'05), and, for $\NCone$ functionalities, even for the setting of full active (information-theoretic) security with full corruption threshold of $t<n$ (Ishai and Kushilevitz, FOCS'00). This leaves open the existence of an elementary reduction that achieves full active security in the dishonest majority setting for all efficiently computable functions.

Our main result shows that such a reduction is unlikely to exist. Specifically, the existence of a computationally secure elementary reduction that makes black-box use of a PRG and achieves a very weak form of partial fairness (e.g., that holds only when the first party is not corrupted) would allow us to realize any efficiently-computable function by a \emph{constant-round} protocol that achieves a non-trivial notion of information-theoretic passive security. The existence of the latter is a well-known 3-decade old open problem in information-theoretic cryptography (Beaver, Micali, and Rogaway, STOC'90).

On the positive side, we observe that this barrier can be bypassed under any of the following relaxations: (1) non-black-box use of a pseudorandom generator; (2) weaker security guarantees such as security with identifiable abort; or (3) an additional round of communication with the functionality $g$.

Vector commitments (VCs), enabling to commit to a vector and locally reveal any of its entries, play a key role in a variety of both classic and recently-evolving applications. However, security notions for VCs have so far focused on passive attacks, and non-malleability notions considering active attacks have not been explored. Moreover, existing frameworks that may enable to capture the non-malleability of VCs seem either too weak (non-malleable non-interactive commitments that do not account for the security implications of local openings) or too strong (non-malleable zero-knowledge sets that support both membership and non-membership proofs).

We put forward a rigorous framework capturing the non-malleability of VCs, striking a careful balance between the existing weaker and stronger frameworks: We strengthen the framework of non-malleable non-interactive commitments by considering attackers that may be exposed to local openings, and we relax the framework of non-malleable zero-knowledge sets by focusing on membership proofs. In addition, we strengthen both frameworks by supporting (inherently-private) updates to entries of committed vectors, and discuss the benefits of non-malleable VCs in the context of both UTXO-based and account-based stateless blockchains, and in the context of simultaneous multi-round auctions (that have been adopted by the US Federal Communications Commission as the standard auction format for selling spectrum ranges).

Within our framework we present a direct approach for constructing non-malleable VCs whose efficiency essentially matches that of the existing standard VCs. Specifically, we show that any VC can be transformed into a non-malleable one, relying on a new primitive that we put forth. Our new primitive, locally-equivocable commitments with all-but-one binding, is evidently both conceptually and technically simpler compared to multi-trapdoor mercurial trapdoor commitments (the main building block underlying existing non-malleable zero-knowledge sets), and admits more efficient instantiations based on the same number-theoretic assumptions.

Secure computation enables $n$ mutually distrustful parties to compute a function over their private inputs jointly. In 1988 Ben-Or, Goldwasser, and Wigderson (BGW) demonstrated that any function can be computed with perfect security in the presence of a malicious adversary corrupting at most $t< n/3$ parties. After more than 30 years, protocols with perfect malicious security, with round complexity proportional to the circuit's depth, still require sharing a total of $O(n^2)$ values per multiplication. In contrast, only $O(n)$ values need to be shared per multiplication to achieve semi-honest security. Indeed sharing $\Omega(n)$ values for a single multiplication seems to be the natural barrier for polynomial secret sharing-based multiplication.

In this paper, we close this gap by constructing a new secure computation protocol with perfect, optimal resilience and malicious security that incurs sharing of only $O(n)$ values per multiplication, thus, matching the semi-honest setting for protocols with round complexity that is proportional to the circuit depth. Our protocol requires a constant number of rounds per multiplication. Like BGW, it has an overall round complexity that is proportional only to the multiplicative depth of the circuit. Our improvement is obtained by a novel construction for {\em weak VSS for polynomials of degree-$2t$}, which incurs the same communication and round complexities as the state-of-the-art constructions for {\em VSS for polynomials of degree-$t$}.

Our second contribution is a method for reducing the communication complexity for any depth-1 sub-circuit to be proportional only to the size of the input and output (rather than the size of the circuit). This implies protocols with \emph{sublinear communication complexity} (in the size of the circuit) for perfectly secure computation for important functions like matrix multiplication.

In this paper we propose FASTA, a stream cipher design optimised for implementation over popular fully homomorphic encryption schemes. A number of symmetric encryption ciphers have been recently proposed for FHE applications, e.g. the block cipher LowMC, and the stream ciphers Rasta (and variants), FLIP and Kreyvium. The main design criterion employed in these ciphers has typically been to minimise the multiplicative complexity of the algorithm. However, other aspects affecting their efficient evaluation over common FHE libraries are often overlooked, compromising their real-world performance. Whilst FASTA may also be considered as a variant of Rasta, it has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. This results in a speedup by a factor of 25 compared to the most efficient publicly available implementation of Rasta. FASTA’s target is BGV, as implemented in HElib, however the design ideas introduced in the cipher could also be potentially employed to achieve improvements in the homomorphic evaluation in other popular FHE schemes/libraries. We do consider such alternatives in this paper (e.g. BFV and BGVrns, as implemented in SEAL and PALISADE), but argue that, unlike BGV in HElib, it is more challenging to make use of their parallelism in a Rasta-like stream cipher design.