International Association
for Cryptologic Research

We present the first complete asynchronous MPC protocols for the YOSO (You Speak Only Once) setting. Our protocols rely on threshold additively homomorphic Paillier encryption and are adaptively secure. We rely on the paradigm of Blum et al. (TCC `20) in order to recursively refresh the setup needed for running future steps of YOSO MPC, but replace any use of heavy primitives such as threshold fully homomorphic encryption in their protocol with more efficient alternatives. In order to obtain an efficient YOSO MPC protocol, we also revisit the consensus layer upon which our protocol is built. To this end, we present a novel total-order broadcast protocol with subquadratic communication complexity in the total number $M$ of parties in the network and whose complexity is optimal in the message length. This improves on recent work of Banghale et al. (ASIACRYPT `22) by giving a simplified and more efficient broadcast extension protocol for the asynchronous setting that avoids the use of cryptographic accumulators.

Signature schemes from multi-round interactive proofs are becoming increasingly relevant in post-quantum cryptography. A prominent example is CROSS, recently admitted to the second round of the NIST on-ramp standardisation process for post-quantum digital signatures. While the security of these constructions relies on the Fiat-Shamir transform, in the case of CROSS the use of the fixed-weight parallel-repetition optimisation makes the security analysis fuzzier than usual. A recent work has shown that the fixed-weight parallel repetition of a multi-round interactive proof is still knowledge sound, but no matching result appears to be known for the non-interactive version. In this paper we provide two main results. First, we explicitly prove the EUF-CMA security of CROSS, filling a gap in the literature. We do this by showing that, in general, the Fiat-Shamir transform of an HVZK and knowledge-sound multi-round interactive proof is EUF-CMA secure. Second, we present a novel forgery attack on signatures obtained from fixed-weight repetitions of 5-round interactive proofs, substantially improving upon a previous attack on parallel repetitions due to Kales and Zaverucha. Our new attack has particular relevance for CROSS, as it shows that several parameter sets achieve a significantly lower security level than claimed, with reductions up to 24% in the worst case.

With the development of decentralized identity (DID), anonymous credential (AC) technology, as well as its traceability, is receiving more and more attention. Most works introduce a trusted party (regulator) that holds a decryption key or backdoor to directly deanonymize the user identity of anonymous authentication. While some cryptographic primitives can help regulators handle complex tracing tasks among large amounts of user profiles (stored by the issuer) and authentication records (stored by the service provider), additional security primitives are still needed to ensure the privacy of other users. Besides, hardware-binding anonymous credential (hbAC) systems have been proposed to prevent credential sharing or address platform resource constraints, the traceability of hbAC has yet to be discussed.

In this paper, we introduce a public key encryption with equality test as a regulatory text for each authentication record to address the above-mentioned challenges. The security of this feature is guaranteed by the verifiability, non-frameability, and round isolation of the proposed scheme. We compared the asymptotic complexity of our scheme with other traceable AC schemes and shows our scheme has advantages in tracing tasks as well as securely outsourcing them. The key feature of our scheme is that the ability of equality test of regulatory texts is independent of the public key, but rather depends on the round identifier of the authentication. We instantiate a traceable, hardware-binding AC scheme based on smart cards and BBS+ signature and give the performance analysis of it.

The Classical Bloom Filter (CBF) is a class of Probabilistic Data Structures (PDS) for handling Approximate Query Membership (AMQ). The Learned Bloom Filter (LBF) is a recently proposed class of PDS that combines the Classical Bloom Filter with a Learning Model while preserving the Bloom Filter's one-sided error guarantees. Bloom Filters have been used in settings where inputs are sensitive and need to be private in the presence of an adversary with access to the Bloom Filter through an API or in the presence of an adversary who has access to the internal state of the Bloom Filter. Prior work has investigated the privacy of the Classical Bloom Filter providing attacks and defenses under various privacy definitions. In this work, we formulate a stronger differential privacy-based model for the Bloom Filter. We propose constructions of the Classical and Learned Bloom Filter that satisfy $(\epsilon, 0)$-differential privacy. This is also the first work that analyses and addresses the privacy of the Learned Bloom Filter under any rigorous model, which is an open problem.

In this work, we report on the latest GPU implementations of the three well-known methods for the key switching operation, which is critical for Fully Homomorphic Encryption (FHE). Additionally, for the first time in the literature, we provide implementations of all three methods in GPU for leveled CKKS schemes. To ensure a fair comparison, we employ the most recent GPU implementation of the number-theoretic transform (NTT), which is the most time-consuming operation in key switching, and evaluate the performance across two fully homomorphic schemes: BFV and CKKS. Furthermore, we highlight the advantages and shortcomings of the three methods in the context of leveled HE schemes, and discuss other aspects such as memory requirements. Our GPU implementation is integrated with HEonGPU Library and delivers up to a ×380 improvement in execution time compared to the Microsoft SEAL Library. Since key switching is a specialized form of the external product common in many HE schemes, our results are directly relevant to time-intensive homomorphic operations such as relinearization and rotation. As homomorphic rotation is one of the most dominant operations in bootstrapping, our results are also applicable in bootstrapping algorithms of BFV, BGV and CKKS schemes.

This note reports new implementation results for the Falcon signature algorithm on an ARM Cortex-M4 microcontroller. Compared with our previous implementation (in 2019), runtime cost has been about halved.

In a single secret leader election (SSLE) protocol, all parties collectively and obliviously elect one leader. No one else should learn its identity unless it reveals itself as the leader. The problem is first formalized by Boneh \textit{et al.} (AFT'20), which proposes an efficient construction based on the Decision Diffie-Hellman (DDH) assumption. Considering the potential risk of quantum computers, several follow-ups focus on designing a post-quantum secure SSLE protocol based on pure lattices or fully homomorphic encryption. However, no concrete benchmarks demonstrate the feasibility of deploying such heavy cryptographic primitives.

In this work, we present Qelect, the first practical constant-round post-quantum secure SSLE protocol. We first adapt the commitment scheme in Boneh \textit{et al.} (AFT'23) into a \textit{multi-party randomizable commitment} scheme, and propose our novel construction based on an adapted version of ring learning with errors (RLWE) problem. We then use it as a building block and construct a \textit{constant-round} single secret leader election (crSSLE) scheme. We utilize the single instruction multiple data (SIMD) property of a specific threshold fully homomorphic encryption (tFHE) scheme to evaluate our election circuit efficiently. Finally, we built Qelect from the crSSLE scheme, with performance optimizations including a preprocessing phase to amortize the local computation runtime and a retroactive detection phase to avoid the heavy zero-knowledge proofs during the election phase. Qelect achieves asymptotic improvements and is concretely practical. We implemented a prototype of Qelect and evaluated its performance in a WAN. Qelect is at least two orders of magnitude faster than the state-of-the-art.

The paper is dedicated to Multivariate Cryptography over general commutative ring K and protocols of symbolic computations for safe delivery of multivariate maps. We consider itera-tive algorithm of generation of multivariate maps of prescribed degree or density with the trapdoor accelerator, i.e. piece of information which allows to compute the reimage of the map in polynomial time. The concept of Jordan-Gauss temporal graphs is used for the obfus-cation of known graph based public keys and constructions of new cryptosystems. We sug-gest use of the platforms of Noncommutative Cryptography defined in terms of Multivariate Cryptography over K for the conversion of Multivariate Public Keys into El Gamal type Cryptosystems. Some new platforms are introduced.

The Module Learning with Errors ($\mathsf{MLWE}$) problem is one of the most commonly used hardness assumption in lattice-based cryptography. In its standard version, a matrix $\mathbf{A}$ is sampled uniformly at random over a quotient ring $R_q$, as well as noisy linear equations in the form of $\mathbf{A} \mathbf{s}+ \mathbf{e} \bmod q$, where $\mathbf{s}$ is the secret, sampled uniformly at random over $R_q$, and $\mathbf{e}$ is the error, coming from a Gaussian distribution. Many previous works have focused on variants of $\mathsf{MLWE}$, where the secret and/or the error are sampled from different distributions. Only few works have focused on different distributions for the matrix $\mathbf{A}$. One variant proposed in the literature is to consider matrix distributions where the low-order bits of a uniform $\mathbf{A}$ are deleted. This seems a natural approach in order to save in bandwidth. We call it truncated $\mathsf{MLWE}$.

In this work, we show that the hardness of standard $\mathsf{MLWE}$ implies the hardness of truncated $\mathsf{MLWE}$, both for search and decision versions. Prior works only covered the search variant and relied on the (module) $\mathsf{NTRU}$ assumption, limitations which we are able to overcome. Overall, we provide two approaches, offering different advantages. The first uses a general Rényi divergence argument, applicable to a wide range of secret/error distributions, but which only works for the search variants of (truncated) $\mathsf{MLWE}$. The second applies to the decision versions, by going through an intermediate variant of $\mathsf{MLWE}$, where additional hints on the secret are given to the adversary. However, the reduction makes use of discrete Gaussian distributions.

PAKE protocols are used to establish secure communication channels using a relatively short, often human memorable, password for authentication. The currently standardized PAKEs however rely on classical asymmetric (public key) cryptography. Thus, these classical PAKEs may no longer maintain their security, should the expected quantum threat become a reality. Unlike prominent security protocols such as TLS, IKEv2 and VPN, quantum-safe PAKEs did not receive much attention from the ongoing PQC integration efforts. Thus, there is a significant gap in awareness compared to PQC schemes that are subject to the official governmental and institutional standardization processes. In the work at hand, we provide a comprehensive overview of the existing PQC PAKEs focusing on their design rationales, authentication methods and used asymmetric key agreement primitives. We highlight their performance and properties as per their assumed security assurances and practical usage in applications. Moreover, we address PAKE designs that are still non-present in the PQC realm and discuss the possibility of their adaptation. Thus, we offer a detailed reference and derive future work for quantum-safe PAKEs.

The Fiat-Shamir (FS) transform is a prolific and powerful technique for compiling public-coin interactive protocols into non-interactive ones. Roughly speaking, the idea is to replace the random coins of the verifier with the evaluations of a complex hash function. The FS transform is known to be sound in the random oracle model (i.e., when the hash function is modeled as a totally random function). However, when instantiating the random oracle using a concrete hash function, there are examples of protocols in which the transformation is not sound. So far all of these examples have been contrived protocols that were specifically designed to fail.

In this work we show such an attack for a standard and popular interactive succinct argument, based on the GKR protocol, for verifying the correctness of a non-determinstic bounded-depth computation. For every choice of FS hash function, we show that a corresponding instantiation of this protocol, which was been widely studied in the literature and used also in practice, is not (adaptively) sound when compiled with the FS transform. Specifically, we construct an explicit circuit for which we can generate an accepting proof for a false statement. We further extend our attack and show that for every circuit $C$ and desired output $y$, we can construct a functionally equivalent circuit $C^*$, for which we can produce an accepting proof that $C^*$ outputs $y$ (regardless of whether or not this statement is true). This demonstrates that any security guarantee (if such exists) would have to depend on the specific implementation of the circuit $C$, rather than just its functionality.

Lastly, we also demonstrate versions of the attack that violate non-adaptive soundness of the protocol -- that is, we generate an attacking circuit that is independent of the underlying cryptographic objects. However, these versions are either less practical (as the attacking circuit has very large depth) or make some additional (reasonable) assumptions on the underlying cryptographic primitives.

Post-quantum signatures have high costs compared to RSA and ECDSA, in particular for smart cards. A line of work originating from Even, Goldreich, and Micali (CRYPTO'89) aimed to reduce digital signature latency by splitting up signing into an online and offline phase. The online/offline paradigm combines an ordinary long-term signature scheme with a fast, generally one-time, signature scheme. We reconsider this paradigm in the context of lattice-based post-quantum signatures in the GPV framework, with an example instantiation based on Falcon.

CROSS is a post-quantum secure digital signature scheme submitted to NIST’s Call for Additional Signatures which was recently selected for round 2. It features signature and key sizes in the range of SLH-DSA while providing a substantially faster signing operation. Within this work, we provide the first passive side-channel attack on the scheme. The attack recovers the secret key from all except one parameter sets from a single power trace while requiring at maximum two power traces for the R-SDP(G) 1 Fast instance. To successfully mount the attack, we show how to recover the secret key from side-channel information gained from the syndrome computation in CROSS’ identification protocol. We furthermore show how the hypothesis space for the attack can be restricted using information from the published signature.

As part of the collaboration between the Okinawa Institute of Science and Technology (OIST) and Partisia (Aarhus, Denmark), the Applied Cryptography Unit at OIST is seeking to hire a postdoctoral scholar to conduct research on applications of Secure Multi-party Computation (MPC) to quantum cryptography.

The postdoc will investigate how MPC techniques may be used to enhance the security and functionality of Quantum Key Distribution (QKD) enabled networks. The project will be led by Prof. Carlos Cid at OIST, with close collaboration with researchers from Partisia. The ideal candidate will have experience in the design and analysis of secure computation protocols, and strong knowledge of quantum cryptography.

We are seeking candidates with excellent post-graduate academic formation in cryptography, mathematics, computer science, or a closely related field, with research strong experience in the design and analysis of secure computation, and in quantum cryptography. Candidates must have a PhD at the time of commencing the position. This is a full-time, fixed-term appointment for 2 years, potentially extended depending of performance and other circumstances.

Starting Date: as soon as possible.

Closing date for applications:

Contact: Carlos Cid (carlos.cid_[at]_oist.jp)

More information: https://www.oist.jp/careers/postdoctoral-scholar-multi-party-computation-and-quantum-cryptography-applied-cryptography-unit

The Applied Cryptography Unit at the Okinawa Institute of Science and Technology (OIST) is seeking to hire a postdoctoral scholar to conduct research on quantum-resistant cryptography.

The postdoc will work on a project, part of a collaboration between Prof. Carlos Cid at OIST and Prof. Ludovic Perret at EPITA Research Lab, EPITA, Paris, France, focusing on the design and benchmarking of novel hybrid protocols for secure satellite communication that use classical and post-quantum cryptography combined with space-based Quantum Key Distribution (QKD). The successful candidate will have experience in the design and analysis of protocols in post-quantum or quantum cryptography, with a strong motivation to work at the intersection of these two domains.

We are seeking candidates with excellent post-graduate academic formation in cryptography, mathematics, computer science, or a closely related field, with research experience in the design and analysis of protocols in post-quantum or quantum cryptography. Candidates must have a PhD at the time of commencing the position. This is a full-time, fixed-term appointment for 2 years, potentially extended depending of performance and other circumstances.

Starting Date: as soon as possible.

Closing date for applications:

Contact: Carlos Cid (carlos.cid_[at]_oist.jp) and Ludovic Perret (ludovic.perret_[at]_epita.fr)

More information: https://www.oist.jp/careers/postdoctoral-scholar-quantum-resistant-cryptography-applied-cryptography-unit

Since our founding, IDEMIA has been on a mission to unlock the world and make it safer through our cutting-edge identity technologies.

The IDEMIA Smart Identity (ISI) Division of the IDEMIA Group is looking for a Cryptography/Security Engineer to help us secure our products and thus protect your identity from external threats.

The candidate has strong interest and suitable experience in any of the following areas:
• Integration of state-of-the-art cryptography algorithms in embedded systems.
• Physical attacks on embedded systems / smart-cards.
• Automatic vulnerability detection in embedded devices and/or firmware.

Responsabilities: The candidate will support R&D development teams, lead our research in ongoing / upcoming, and contribute to the growth of our activities through working groups.

Requirements:
• Master's degree (or equivalent) or PhD in Mathematics, Cryptography, Computer Science, or Embedded Electronic.
• Solid knowledge and demonstrable experiences in any of the aforementioned areas.
• Experience in developing/analyzing cryptographic primitives’ implementations in one high-level language (e.g., Python, MATLAB) and C/C++. (essential)
• Experience with vulnerabilities research. (desirable)
• Proficiency in English (essential) and French. (essential)
• Problem-solving, independence, communication skills. (essential)
• Knowledge in Side-channel attacks or Fault Injections attacks. (desirable)
• Post-quantum Cryptography (PQC) techniques for any of the aforementioned areas. (desirable)

The candidate will work at our Paris-La Defense office, closely with members of our R&D team in France and abroad. Travel may be required.

Applications will be processed continuously until the position is filled.

Due to the confidential and sensitive nature of the projects we work on, this position requires an on-site presence five days a week.

Closing date for applications:

Contact: Applicants are invited to submit a digital application on our career portal.

More information: https://careers.idemia.com/job/Courbevoie-Ing%C3%A9nieur-en-S%C3%A9curit%C3%A9-2-92400/1162028901/

The School of Computer Science is further investing in its already strong Security and Privacy Research group.

We seek to recruit an outstanding researcher with a specific interest in applied cryptography in the context of hardware and embedded systems security. We are particularly interested in researchers with a track record in pre-silicon leakage and/or fault analysis, secure embedded software development, statistical side channel and fault evaluation techniques, machine and deep learning for side channels.

You will be expected to develop your own research agenda over time, and you can expect to contribute to all aspects of school life (teaching, administration), initially guided and supported by Prof. Elisabeth Oswald

The University of Birmingham offers permanent positions, with a defined pathway for progression and promotion.

Further information, (salary, application requirements, etc.) as well as a link for applicants, can be found below. The closing date for applications in 2.3.2025. If you have questions around (working in) Birmingham, then please use the contact provided below.

Closing date for applications:

Contact: Prof. Elisabeth Oswald, m.e. oswald@bham.ac.uk

More information: https://edzz.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_6001/job/6099/?utm_medium=jobshare&utm_source=External+Job+Share

We are inviting talented and highly motivated applicants to submit applications for a PhD studentship at School of Computing, Newcastle University for a project titled:

"Enhancing Privacy-Preserving Federated Learning with Incentives"

This research aims to design secure, reward-based mechanisms that incentivize data contributors to provide their sensitive input data to a collaborative, privacy-preserving federated learning process while ensuring the integrity and privacy of the process.
This has the potential to yield a fairer system and advance the goals of ethical machine learning and responsible AI.
By leveraging techniques from federated learning, cryptography, and game theory, the project will develop technical solutions that fairly reward participants based on their contributions and protect against malicious actors. The expected outcomes include secure formal models, provably secure protocols, practical implementation, and real-world applications in sectors like healthcare and finance, ultimately enhancing the real world adoption of Federated Learning.
Start date and Stipend: You will be expected to start in October of the academic year 2025/2026, the studentship will cover 100% fees and stipend at UKRI level for 4 years full time PhD studies. (2024-2025 UKRI rate £19,237).
Applicant skills/background: Candidates should possess or be highly motivated to acquire, strong knowledge in the following areas: (1) cryptography, (2) Privacy-enhancing technologies, such as FL, (3) mathematics (including number theory and game theory), and (4) computer programming in C++, Java, or Python.
Supervisors: You will be supervised by Dr Aydin Abadi (Newcastle University) and Dr Mohammad Naseri (Flower Labs). There is an opportunity to collaborate with researchers at the National Edge AI Hub, at Newcastle University.
Note: Use code COMPDLA01 when submitting an application.
Deadline: 28 Feb, 2025.

Closing date for applications:

Contact: Aydin Abadi

More information: https://www.ncl.ac.uk/computing/study/postgraduate-research/dla-studentships/

We are looking for a motivated PhD student to contribute to research in public-key cryptography and provable security.

We explore topics including, but not limited to:

• Key exchange and secure messaging
• Public-key encryption with advanced functionalities

Our research typically includes the following aspects:

• Formalizing new cryptographic primitives and security models
• Modularizing complex primitives
• Developing techniques to achieve concrete (and tight) security bounds
• Designing and analyzing practical instantiations (e.g., based on elliptic curves, lattices, or isogenies)

For more details and to apply please refer to
https://jobs.cispa.saarland/jobs/detail/phd-positions-in-cryptography-and-provable-security-m-f-d-group-riepel-265.

Closing date for applications:

Contact: Doreen Riepel (riepel[at]cispa.de)

More information: https://jobs.cispa.saarland/jobs/detail/phd-positions-in-cryptography-and-provable-security-m-f-d-group-riepel-265

The Faculty of Mathematics, Informatics and Mechanics of the University of Warsaw (MIM UW) invites applications for the positions of Assistant Professor in Computer Science, starting on 1st October 2025 or 1st February 2026.

MIM UW is one of the leading Computer Science faculties in Europe. It is known for talented students (e.g., two wins and multiple top tens in the ACM International Collegiate Programming Contest) and strong research teams, especially in algorithms, logic and automata, algorithmic economy, and computational biology. There is also a growing number of successful smaller groups in diverse areas including cryptography, databases and knowledge representation, distributed systems, and machine learning. Seven ERC grants in Computer Science are running at MIM UW at the moment.

In the current call, 7 positions are offered (follow the links for more details):

• Samuel Eilenberg Assistant Professor (2 positions; reduced teaching and increased salary),
• Assistant Professor (3 positions; research and teaching),
• Assistant Professor in Distributed Systems or Programming Languages (1 position; research and teaching),
• Assistant Professor (1 position; teaching only).

Deadline for applications: 14th February 2025.

Closing date for applications:

Contact: Filip Murlak (f.murlak@uw.edu.pl), Oskar Skibski (o.skibski@uw.edu.pl).

More information: https://jobs.uw.edu.pl/en-gb/offer/WMIM_2025/field/ADIUNKT/