International Association for Cryptologic Research


Here you can see all recent updates to the IACR webpage. These updates are also available via RSS feed, Twitter, Weibo, and Facebook.

14 July 2022

Xiao Liang, Omkant Pandey, Takashi Yamakawa
ePrint Report
We provide the first $\mathit{constant}$-$\mathit{round}$ construction of post-quantum non-malleable commitments under the minimal assumption that $\mathit{post}$-$\mathit{quantum}$ $\mathit{one}$-$\mathit{way}$ $\mathit{functions}$ exist. We achieve the standard notion of non-malleability with respect to commitments. Prior constructions required $\Omega(\log^*\lambda)$ rounds under the same assumption.

We achieve our results through a new technique for constant-round non-malleable commitments which is easier to use in the post-quantum setting. The technique also yields an almost elementary proof of security for constant-round non-malleable commitments in the classical setting, which may be of independent interest.

As an application, when combined with existing work, our results yield the first constant-round post-quantum secure multiparty computation under the $\mathit{polynomial}$ hardness of quantum fully-homomorphic encryption and quantum learning with errors.
Marc Fischlin, Felix Rohrbach, Tobias Schmalz
ePrint Report
We introduce the notion of a universal random oracle. Analogously to a classical random oracle it idealizes hash functions as random functions. However, as opposed to a classical random oracle which is created freshly and independently for each adversary, the universal random oracle should provide security of a cryptographic protocol against all adversaries simultaneously. This should even hold if the adversary now depends on the random function. This reflects better the idea that the strong hash functions like SHA-2 and SHA-3 are fixed before the adversary decides upon the attack strategy.

Besides formalizing the notion of the universal random oracle model we show that the model is asymptotically equivalent to Unruh's auxiliary-input random oracle model (Crypto 2007). In Unruh's model the adversary receives some inefficiently computed information about the random oracle as extra input. Noteworthy, while security in the universal random oracle model implies security in the auxiliary-input random oracle model tightly, the converse implication introduces an inevitable security loss. This implies that the universal random oracle model provides stronger guarantees in terms of concrete security. Validating the model we finally show, via a direct proof with concrete security, that a universal random oracle is one-way.
Indian Institute of Technology Kharagpur
Job Posting
Secured Embedded Architecture Lab, CSE, at Indian Institute of Technology Kharagpur ( invites strong PostDoc applications from highly motivated candidates working in the field of Hardware Security. The candidate should be a PhD holder in VLSI or Hardware Security related areas from a reputed institute with an excellent academic background. The candidate will be working in the Secured Embedded Architecture Laboratory ( with a group of PhD students and faculty focused on the area of secured system design. The research will be aimed at working on VLSI circuits and investigating both invasive and non-invasive techniques using state-of-the-art instruments, like SEM/FIBs and X-ray microscopes, for developing a methodology for assurance of hardware designs. The candidate should have an excellent publication track record in IACR conferences/workshops, as well as top journals (such as IEEE/ACM Transactions or IACR journals). The candidate will be expected to collaborate with and lead a team of excellent and highly motivated PhD candidates. The candidate is expected to work in conjunction with them and also disseminate the necessary knowledge among the group via suitable course material, tutorials and regular group talks. Good communication skills are hence desirable. The candidate will be provided with a competitive salary of INR 100,000 per month (~1200 USD), along with highly subsidized housing, subsidized food in the cafeteria, free healthcare at the IIT hospital, travel support for international conferences, comprehensive funding for papers at top conferences like CHES, DAC, etc., performance-based top-up grants, and other perks and amenities.

Lab websites:

3. Youtube Channel:

Closing date for applications:

Contact: Prof Debdeep Mukhopadhyay Computer Science and Engineering Indian Institute of Technology Kharagpur West Bengal, 721302, India

More information:

Ruhr-University Bochum and Max Planck Institute for Security and Privacy
Job Posting
The Max Planck Institute for Security and Privacy (MPI-SP) and the Chair for Information Security (InfSec) at the Ruhr-University Bochum (RUB) are looking for outstanding Ph.D. candidates as part of the CASA cluster of excellence. The successful candidates will conduct research at the intersection of formal verification and system security. Examples of research areas include (but are not limited to):

  • Security of smart contracts
  • Formal verification of smart contracts
  • Security of blockchain consensus protocols
Eligible candidates must have:
  • A Master’s degree or equivalent (or be close to completing one) in computer science, mathematics, or related fields.
  • Outstanding candidates with a Bachelor’s degree will also be considered.
  • Excellent communication/writing skills in English; knowledge of German is not required.
  • An outstanding track record in classes related to IT security, cryptography, or formal methods/mathematics.
MPI-SP and the RUB are co-located in Bochum (Germany) and offer a vibrant atmosphere for research that spans many areas of IT security, computer science, and mathematics. The successful candidates will be members of the research groups of Dr. Clara Schneidewind and/or Prof. Dr. Ghassan Karame.

The positions are fully funded (100%) and paid according to the E-13 pay category. To apply, please send an email to both Dr. Schneidewind and Prof. Dr. Karame with the following documents in a single PDF:

  • CV, including transcripts.
  • A brief cover letter describing your research interests.
  • Contact details of 2-3 potential references.
Applications received before August 15, 2022, will receive full consideration. Late applications will be considered until the position is filled. MPI-SP and InfSec stand for a collaborative, diverse, and inclusive workplace culture and promote equal opportunities. We strongly encourage applications from members of any underrepresented group in our research area. In particular, we invite and motivate women and individuals with disabilities to apply.

Closing date for applications:

Contact: Prof. Dr. Ghassan Karame ( and Dr. Clara Schneidewind (

More information:

Helsinki Institute for Information Technology, Helsinki, Finland
Job Posting

The Helsinki Institute for Information Technology (HIIT), in cooperation with the Finnish Center for Artificial Intelligence (FCAI), invites applications for Postdoctoral Researchers for a term of two years with the possibility of a one-year extension. HIIT offers a HIIT Postdoctoral Fellow position for two years, with the possibility of a one-year extension. For more senior candidates, HIIT offers a HIIT Research Fellow position of three years, with the possibility of a two-year extension. The length of the contract as well as the starting and ending dates are negotiable.

All excellent researchers in any area of ICT can be considered, but priority is given to candidates who support one (or more) of the HIIT strategic focus areas:

  • Artificial Intelligence
  • Computational Health
  • Cybersecurity
  • Data Science
  • Foundations of Computing

Closing date for applications:

Contact: Russell W. F. Lai (russell.lai at aalto dot fi)

More information:

Indian Institute of Science (IISc), Bangalore, India
Job Posting
There are three postdoctoral positions open in the Cryptography and Information Security (CrIS) Lab at IISc. The CrIS lab is associated with the Department of Computer Science and Automation (CSA). The research foci of the lab include secure multiparty computation, fault-tolerant distributed computing, and privacy-preserving machine learning, but are not limited to them.

The applicant is expected to have (recently) completed a PhD degree in Cryptography or a related subject with a strong publication record. A background in theoretical aspects of secure multiparty computation and/or experience in coding for practical aspects of secure computation is expected. Postdoctoral fellows are expected to actively interact with PhD students and contribute to the lab's projects. The tenure of the position is one year and can be extended further.

You can apply through and find further details regarding opportunities at CrIS here -

Closing date for applications:

Contact: Professor Arpita Patra

More information:

Indian Institute of Science (IISc), Bangalore, India
Job Posting
A research assistant position is open in the Cryptography and Information Security (CrIS) Lab at IISc. The CrIS lab is associated with the Department of Computer Science and Automation (CSA). The research foci of the lab include secure multiparty computation, fault-tolerant distributed computing, and privacy-preserving machine learning, but are not limited to them.

This position is open for post-graduate (BTech/MSc/MS/MTech/Dual degree/Integrated MTech) students interested in gaining more research experience. Applicants who have credited a cryptography course at their home institute and/or who have worked on a related topic for their master's thesis are preferred.

You can apply through and find further details regarding opportunities at CrIS here -

Closing date for applications:

Contact: Professor Arpita Patra

More information:

Chair of »Media Security« at Bauhaus-Universität Weimar
Job Posting
We have an open position for a research assistant.
Research topics include:
  • primitives for symmetric cryptosystems (block ciphers, hash functions, ...)
  • algorithms for secret-key encryption, authentication, and authenticated encryption
  • quantum algorithms and their application in attacks on symmetric cryptosystems
  • hash-based signature schemes
  • language-theoretic security methods for the secure communication protocols
Responsibilities: perform research to further the research assistant's own scientific qualification, publish and present results at workshops and conferences, participate in teaching and the university's self-administration, supervise students, and assist with external funding proposals.
Hiring requirements:
  • successfully completed university studies (diploma, master or equivalent) in computer science or a closely related field
  • an excellent track record in classes related to cryptography or quantum algorithms, or in general excellent results in mathematics and theoretical computer science
  • very good programming skills and very good knowledge of English, written and spoken
  • willingness to impart specialized knowledge to students, to familiarize oneself with new research areas, and to present scientific results at international conferences
  • good knowledge of German is an advantage for carrying out teaching, but not required; also beneficial is experience with Linux, git, and LaTeX
The position is also open for recently graduated postdoctoral researchers. Such candidates need a publication list with at least three outstanding publications related to the above research topics.
Please send us your application with the usual documents (at least: cover letter, curriculum vitae, relevant degree certificates/grade overviews, research interests, and, if available, a list of publications) and electronic contact details for at least two references by email (one PDF) or by post.
Deadline: August 31, 2022

Closing date for applications:

Contact: Frau Thielken:

More information:

TU Darmstadt, Germany
Job Posting
The Cryptography and Privacy Engineering Group (ENCRYPTO) @CS Department @Technical University of Darmstadt offers a fully funded position as Doctoral Researcher (Research Assistant/PhD Student) in Cryptography and Privacy Engineering to be filled as soon as possible until June 30, 2026 with the possibility of extension.
Job description: You'll work in the collaborative research center CROSSING funded by the German Research Foundation (DFG). In our subproject E4 Compiler for Privacy-Preserving Protocols, we build compilers to automatically generate optimized secure multi-party computation protocols for privacy-preserving applications. See for details. You conduct research, implement prototypes, and publish & present the results at top venues. You'll participate in teaching and supervise thesis students & student assistants.
We offer: We demonstrate that privacy is efficiently protectable in real-world applications via cryptographic protocols. Our open and international working environment facilitates excellent research in a sociable team. TU Darmstadt is a top research university for IT security, cryptography and CS in Europe. Darmstadt is a very international, livable and well-connected city in the Rhine-Main area around Frankfurt. Knowledge of German is beneficial, but not required, and TU Darmstadt offers corresponding support.
Your profile:
  • Completed Master's degree (or equivalent) at a top university with excellent grades in IT security, computer science, or a similar area.
  • Extensive knowledge in applied cryptography/IT security and very good software development skills. Knowledge in cryptographic protocols (ideally MPC) is a plus.
  • Experience in hardware synthesis/compiler construction is beneficial.
  • Self-motivated, reliable, creative, can work independently, and want to do excellent research.
  • Our working language is English: able to discuss/write/present scientific results in English. German is beneficial but not required.
Application deadline: Jul 31, 2022. Later applications are considered.

Closing date for applications:

Contact: Thomas Schneider (

More information:


13 July 2022

CHES 2022 will take place in Leuven, Belgium, on September 18-21, 2022.

The registration site is now open. Early registration is until August 18th.

12 July 2022

Avijit Dutta, Mridul Nandi, Suprita Talnikar
ePrint Report
Yasuda proposed a variable input-length PRF in CRYPTO 2011, called $\textsf{PMAC\_Plus}$, based on an $n$-bit block cipher. $\textsf{PMAC\_Plus}$ is a rate-$1$ construction and inherits the well-known $\textsf{PMAC}$ parallel network with a low additional cost. However, unlike $\textsf{PMAC}$, $\textsf{PMAC\_Plus}$ is secure roughly up to $2^{2n/3}$ queries. Zhang et al. proposed $\textsf{3kf9}$ in ASIACRYPT 2012, Naito proposed $\textsf{LightMAC\_Plus}$ in ASIACRYPT 2017, and Iwata et al. proposed $\textsf{GCM-SIV2}$ in FSE 2017, all of them secure up to around $2^{2n/3}$ queries. Their structural designs and corresponding security proofs were unified by Datta et al. in their framework Double-block Hash-then-Sum ($\textsf{DbHtS}$). Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of $2^{3n/4}$ on $\textsf{DbHtS}$. That $\textsf{PMAC\_Plus}$ provides security for roughly up to $2^{3n/4}$ queries is a consequence of this result. In this paper, we propose a public permutation-based variable input-length PRF called $\textsf{pPMAC\_Plus}$. We show that $\textsf{pPMAC\_Plus}$ is secure against all adversaries that make at most $2^{2n/3}$ queries. We also show that the bound is essentially tight. It is of note here that instantiation of each block cipher of $\textsf{pPMAC\_Plus}$ with the two-round iterated Even-Mansour cipher can yield a beyond the birthday bound secure PRF based on public permutations. Altogether, that solution incurs $(2\ell + 4)$ permutation calls, whereas our proposal requires only $(\ell+2)$ permutation calls, $\ell$ being the maximum number of message blocks.
Fabio Campos, Michael Meyer, Krijn Reijnders, Marc Stöttinger
ePrint Report
Recent works have started side-channel analysis on SIKE and show the vulnerability of isogeny-based systems to zero-value attacks. In this work, we expand on such attacks by analyzing the behavior of the zero curve $E_0$ and six curve $E_6$ in CSIDH and SIKE. We demonstrate an attack on static-key CSIDH and SIKE implementations that recovers bits of the secret key by observing via zero-value-based resp. exploiting correlation-collision-based side-channel analysis whether secret isogeny walks pass over the zero or six curve. We apply this attack to fully recover secret keys of SIKE and two state-of-the-art CSIDH-based implementations: CTIDH and SQALE. We show the feasibility of exploiting side-channel information for the proposed attacks based on simulations with various realistic noise levels. Additionally, we discuss countermeasures to prevent zero-value and correlation-collision attacks against CSIDH and SIKE in our attacker model.
Nils Wisiol, Patrick Gersch, Jean-Pierre Seifert
ePrint Report
This paper presents an approach to uncover and analyze power side-channel leakages with processor-cycle-level precision. By carefully designing and evaluating the measurement setup, accurate trace timing is enabled, which is used to overlay the trace with the corresponding assembly code. This methodology makes it possible to expose the sources of leakage on a processor cycle scale, which allows for evaluating new implementations. It also exposes that the default ChipWhisperer configuration for STM32F4 targets used in prior work includes wait cycles that are rarely used in real-world applications, but affect power side-channel leakage. As an application for our setup, we target the widely used Sign-Flip function of Gaussian sampling code used in multiple Post-Quantum Key-Exchange Mechanisms and Signature schemes. We propose new implementations for the Sign-Flip function based on our analysis of the original implementation and further evaluate their leakage. Our findings allow the conclusion that unmasked cryptographic implementations of schemes based on Gaussian random numbers for STM32F4 cannot be secure against power side-channel attacks, and that masking just the Gaussian sampler is not a viable option.
Bar Alon, Moni Naor, Eran Omri, Uri Stemmer
ePrint Report
In the current digital world, large organizations (sometimes referred to as tech giants) provide service to extremely large numbers of users. The service provider is often interested in computing various data analyses over the private data of its users, which in turn have their incentives to cooperate, but do not necessarily trust the service provider.

In this work, we introduce the Gulliver multi-party computation model (GMPC) to realistically capture the above scenario. The GMPC model considers a single highly powerful party, called the server or Gulliver, that is connected to $n$ users over a star topology network (alternatively formulated as a full network, where the server can block any message). The users are significantly less powerful than the server, and, in particular, should have both computation and communication complexities that are polylogarithmic in $n$. Protocols in the GMPC model should be secure against malicious adversaries that may corrupt a subset of the users and/or the server.

Designing protocols in the GMPC model is a delicate task, since users can only hold information about $\operatorname{polylog}(n)$ other users (and, in particular, can only communicate with $\operatorname{polylog}(n)$ other users). In addition, the server can block any message between any pair of honest parties. Thus, reaching an agreement becomes a challenging task. Nevertheless, we design generic protocols in the GMPC model, assuming that at most an $\alpha<1/6$ fraction of the users may be corrupted (in addition to the server). Our main contribution is a variant of Feige's committee election protocol [FOCS 1999] that is secure in the GMPC model. Given this tool we show:

1. Assuming fully homomorphic encryption (FHE), any computationally efficient function with $O\left(n\cdot\operatorname{polylog}(n)\right)$-size output can be securely computed in the GMPC model.

2. Any function that can be computed by a circuit of $O(\operatorname{polylog}(n))$ depth, $O\left(n\cdot\operatorname{polylog}(n)\right)$ size, and bounded fan-in and fan-out can be securely computed in the GMPC model without assuming FHE.

3. In particular, sorting can be securely computed in the GMPC model without assuming FHE. This has important applications for the shuffle model of differential privacy, and resolves an open question of Bell et al. [CCS 2020].

11 July 2022

Itamar Levi, Carmit Hazay
ePrint Report
Garbling schemes, invented in the 80's by Yao (FOCS'86), have been a versatile and fundamental tool in modern cryptography. A prominent application of garbled circuits is constant-round secure two-party computation, which led to a long line of study of this object, where one of the most influential optimizations is Free-XOR (Kolesnikov and Schneider ICALP'08), introducing a global offset $\Delta$ for all garbled wire values so that XOR gates are computed directly without garbling them.

To date, garbling schemes were not studied per their side-channel attack (SCA) security characteristics, even though SCA pose a significant security threat to cryptographic devices. In this research we demonstrate that adversaries utilizing advanced SCA tools such as horizontal attacks, mixed with advanced hypothesis building and standard (vertical) SCA tools, can jeopardize garbling implementations.

Our main observation is that garbling schemes utilizing a global secret $\Delta$ open a door to quite trivial side-channel attacks. We model our side-channel attacks on the garbler's device and discuss the asymmetric setting where various computations are not performed on the evaluator side. This enables dangerous leakage extraction on the garbler and renders our attack impossible on the evaluator's side.

Theoretically, we first demonstrate in a simulated environment that such attacks are quite devastating. Concretely, our attack is capable of extracting $\Delta$ when the circuit embeds only $8$ input non-linear gates with fifth/first-order attack Success-Rates of $0.65$/$0.7$. With as little as $3$ such gates, our attack reduces the first-order Guessing Entropy of $\Delta$ from $128$ to $\sim48$ bits. We further demonstrate our attack via an implementation and measurement data over an STM 32-bit processor software implementing circuit garbling, and discuss their limitations and mitigation tactics on logical, protocol and implementation layers.
Hiroshi Onuki
ePrint Report
SQISign is an isogeny-based signature scheme that has short keys and signatures and is expected to be a post-quantum scheme. Its security depends on the hardness of the problem of finding an isogeny between two given elliptic curves over $\mathbb{F}_{p^2}$, where $p$ is a large prime. For efficiency reasons, a public key in SQISign is taken from a set of supersingular elliptic curves with a particular property. In this paper, we investigate the security related to public keys in SQISign. First, we show some properties of the set of public keys. Next, we show that a key generation procedure used in implementing SQISign could not generate all public keys and propose a modification for the procedure. In addition, we confirm the latter result through an experiment.
Xiaoning Liu, Yifeng Zheng, Xingliang Yuan, Xun Yi
ePrint Report
In this paper, we propose CryptMed, a system framework that enables medical service providers to offer secure, lightweight, and accurate medical diagnostic service to their customers via an execution of neural network inference in the ciphertext domain. CryptMed ensures the privacy of both parties with cryptographic guarantees. Our technical contributions include: 1) presenting a secret sharing based inference protocol that can well cope with the commonly-used linear and non-linear NN layers; 2) devising an optimized secure comparison function that can efficiently support comparison-based activation functions in NN architectures; 3) constructing a suite of secure smooth functions built on precise approximation approaches for accurate medical diagnoses. We evaluate CryptMed on 6 neural network architectures across a wide range of non-linear activation functions over two benchmark and four real-world medical datasets. We comprehensively compare our system with prior art in terms of end-to-end service workload and prediction accuracy. Our empirical results demonstrate that CryptMed achieves up to respectively $413\times$, $19\times$, and $43\times$ bandwidth savings for MNIST, CIFAR-10, and medical applications compared with prior art. For the smooth activation based inference, the best choice of our proposed approximations preserves the precision of the original functions, with less than 1.2% accuracy loss, and could enhance the precision due to the newly introduced activation function family.
Joseph Bebel, Dev Ojha
ePrint Report
A distributed network has Mempool Privacy if transactions remain encrypted until their inclusion is finalized, and inclusion guarantees decryption and execution. Mempool Privacy is highly desirable to prevent transaction censorship and a broad class of MEV attacks. We present Ferveo, a fast protocol for Mempool Privacy on BFT consensus blockchains, such as those based on Tendermint. Blockchain validators use new Distributed Key Generation and Threshold Public Key Encryption schemes to decrypt transactions encrypted to a threshold public key, closely aligning security assumptions with Tendermint and providing concrete scalability up to thousands of transactions per block. The blockchain security and efficiency models are quite different from those typically studied in the academic literature, requiring several new ideas for both the abstract scheme and implementation.
Zachary A Kissel
ePrint Report
In this paper we resolve the question of whether or not constrained pseudorandom functions (CPRFs) can be built directly from pseudorandom synthesizers. In particular, we demonstrate that the generic PRF construction from pseudorandom synthesizers due to Naor and Reingold can be used to construct CPRFs with bit-fixed predicates using the "direct-line" approach. We further introduce a property of CPRFs that may be of independent interest.

09 July 2022

Los Angeles, USA, 7 November 2022
Event Calendar
Event date: 7 November 2022
Submission deadline: 16 July 2022
Notification: 31 August 2022