International Association
for Cryptologic Research

We describe a strategy for a nation to acquire majority stake in Bitcoin with zero cost to the taxpayers of the nation. We propose a bitcoin fork sponsored by the the government of the nation, and backed by the full faith of treasury of the nation, such that the genesis block of this fork attributes fixed large amount of new kinds of tokens called strategic-reserve-bitcoin tokens (SRBTC) to the nation's treasury, which is some multiple (greater than one) of the amount of all Bitcoin tokens (BTC) currently set in the Bitcoin protocol. The BTC tokens continue to be treated 1:1 as SRBTC tokens in the forked chain. The only capital that the nation puts up is its explicit guarantee that the SRBTC tokens of the fork will be accepted as legal tender, such as payment of tax to the treasury.

We suggest that this is a better approach than starting a new blockchain that mimics Bitcoin, as it will be partially fair to the current holders of Bitcoin, which in turn would make it competitive in the space of other such possible forks by other powerful nations. Moreover, such a proof-of-work blockchain retains its egalitarian and democratic nature, which competitively deters the said nation from any dilutions in the future.

To justify our proposal we setup three competitive games, and show strategies for different players that are in Nash equilibrium and which throw further light on these claims. In particular,

1. The first game shows that if the only two alternatives for investors is to invest in BTC or SRBTC, then individuals who have a certain fraction $\theta$ of their wealth already invested in BTC, will invest new money in the original chain, whereas the individuals whose current wealth invested in BTC is less than the $\theta$ fraction will invest new money in SRBTC. 2. The second game shows that if there is a third alternative for investment, which is cash that is losing value (inflation-adjusted) by a percentage $d$, then the investors who had less than $\theta$ fraction of wealth in Bitcoin, will invest in SRBTC only if the dilution of SRBTC is large enough (as an increasing (linear) function of $1/d$). Here by dilution we mean the new SRBTC tokens that are allowed to be eventually mined in the fork. 3. The third game shows that investors would prefer a fork of Bitcoin over a replica of Bitcoin that doesn't value original BTC, when both are available and even if both are backed similarly by one or more nations.

A secret sharing scheme starts with a secret and then derives from it certain shares (or shadows) which are distributed to users. The secret may be recovered only by certain predetermined groups. In case of compartmented secret sharing, the set of users is partitioned into compartments and the secret can be recovered only if the number of participants from any compartment is greater than or equal to a fixed compartment threshold and the total number of participants is greater than or equal to a global threshold.

In this paper we use the Chinese Remainder Theorem for Polynomial Rings in order to construct an ideal compartmented secret sharing scheme, inspired by the work from [20].

This work introduce a new approach called Max bias analysis for the entropy computation of structures of Free Ring Oscillator-based Physical Random Number Generator. It employs the stochastic model based on the well-established Wiener process, specifically adapted to only capture thermal noise contributions while accounting for potential non-zero bias in the duty cycle. Our analysis is versatile, applicable to combinations of multiple sampled Ring Oscillator (RO) filtering by any function. The entropy computation takes as inputs the parameters of the thermal stochastic model and delivers directly a proven bound for both Shannon entropy and min-entropy to fulfill AIS31 and NIST SP 800-90 B. As an example, we apply the new methodology on an enhanced structure of TRNG combining several free-running Ring Oscillators filtered by a vectorial function built from a linear error correcting code that optimizes the functional performance in terms of [entropy rate/silicium area used] and that maintains the mathematical proof of the entropy lower bound as simple as possible.

Registration-based encryption (RBE) is a recently developed alternative to identity-based encryption, that mitigates the well-known key-escrow problem by letting each user sample its own key pair. In RBE, the key authority is substituted by a key curator, a completely transparent entity whose only job is to reliably aggregate users' keys. However, one limitation of all known RBE scheme is that they all rely on one-time trusted setup, that must be computed honestly. In this work, we ask whether this limitation is indeed inherent and we initiate the systematic study of RBE in the plain model, without any common reference string. We present the following main results: - (Definitions) We show that the standard security definition of RBE is unachievable without a trusted setup and we propose a slight weakening, where one honest user is required to be registered in the system. - (Constructions) We present constructions of RBE in the plain model, based on standard cryptographic assumptions. Along the way, we introduce the notions of non-interactive witness indistinguishable (NIWI) proofs secure against chosen statements attack and re-randomizable RBE, which may be of independent interest. A major limitation of our constructions, is that users must be updated upon every new registration. - (Lower Bounds) We show that this limitation is in some sense inherent. We prove that any RBE in the plain model that satisfies a certain structural requirement, which holds for all known RBE constructions, must update all but a vanishing fraction of the users, upon each new registration. This is in contrast with the standard RBE settings, where users receive a logarithmic amount of updates throughout the lifetime of the system.

Due to their simple security assessments, permutation-based pseudo-random functions (PRFs) have become widely used in cryptography. It has been shown that PRFs using a single $n$-bit permutation achieve $n/2$ bits of security, while those using two permutation calls provide $2n/3$ bits of security in the classical setting. This paper studies the security of permutation-based PRFs within the Q1 model, where attackers are restricted to classical queries and offline quantum computations. We present improved quantum-time/classical-data tradeoffs compared with the previous attacks. Specifically, under the same assumptions/hardware as Grover's exhaustive search attack, i.e. the offline Simon algorithm, we can recover keys in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits. Furthermore, we enhance previous superposition attacks by reducing the data complexity from exponential to polynomial, while maintaining the same time complexity. This implies that permutation-based PRFs become vulnerable when adversaries have access to quantum computing resources. It is pointed out that the above quantum attack can be used to quite a few cryptography, including SoEM, PDMMAC, pEDM, as well as general instantiations like XopEM, EDMEM, EDMDEM, and others.

Event date: 18 September to 19 September 2025
Submission deadline: 15 May 2025
Notification: 8 July 2025

Event date: 27 October to 31 October 2025
Submission deadline: 30 June 2025
Notification: 15 August 2025

Applications are sought for a post-doc position in the cryptography group (CSE Department, UCSD) with Mihir Bellare. Dates are flexible.

Topics of interest include application-relevant theory of two-party computation that in particular continues work such as https://eprint.iacr.org/2024/1476, and provable security for symmetric cryptography, in particular authenticated encryption. Open to considering other topics as well.

Needed background is experience in, and facility with, formal definitions and proofs in the provable-security style.

Apply: To apply, please complete this Google form: https://docs.google.com/forms/d/1iOOKWI1kfU348b6Aw53FILEOu5qIDOnUoB9ngyK5wh8

Closing date for applications:

Contact: Mihir Bellare mbellare AT ucsd DOT edu

More information: https://cseweb.ucsd.edu/~mihir/

The Faculty of Informatics at Università della Svizzera italiana (USI) welcomes applications for a tenure-track Assistant Professor in Information and Computer Security. The faculty’s focus is always on excellence in both research and teaching – exceptional candidates in all areas of Security are strongly encouraged to apply. The position is available from autumn 2025. The targeted starting date for the position is as early as September 1, 2025. More information available here: https://content.usi.ch/sites/default/files/storage/attachments/inf/inf-assistant-professor-2025.pdf

Closing date for applications:

Contact: Stefan Wolf, http://usi.to/nbk

More information: https://content.usi.ch/sites/default/files/storage/attachments/inf/inf-assistant-professor-2025.pdf

The Research Training Group "Cybercrime and Forensic Computing" aims to systematically analyze research questions arising from the interaction between computer science and criminal law. More information about the project can be found at https://cybercrime.fau.de.

The following aspects are particularly relevant to the PhD position in the area of Hardware Security:

• Computer Architecture
• Embedded Systems
• System-level Design Automation
• Side-channel Analysis

Applicants should have an excellent academic record, hold an MSc or an equivalent university degree in computer science or related disciplines, and have the goal to finish a PhD degree within three years.

For the particular position in hardware security, applicants should have an understanding of computer architectures (particularly RISC-V), hardware description languages, SoC design, and FPGA tools. Applicants should be team-oriented, open-minded, and communicative, with an interest in both theoretical and practical aspects of hardware security and embedded system design.

Closing date for applications:

Contact: Felix Freiling (felix.freiling@fau.de) for general questions and the application process, Jürgen Teich (juergen.teich@fau.de) and Stefan Wildermann (stefan.wildermann@fau.de) for questions about the position on hardware security.

More information: https://www.jobs.fau.de/jobs/7-phd-positions-m-f-d-salary-level-13-tv-l-in-computer-science-full-time-and-3-phd-position-m-f-d-salary-level-13-tv-l-in-law-part-time-75-91680455/

The newly established junior research group on Computer-Aided Verification of Physical Security Properties (CAVE) is looking for excellent Ph.D. candidates in the area of hardware security, particularly (but not limited to) those specialized in:

• Hardware Security Verification: We explore how to perform efficient pre-silicon security verification with respect to physical implementation attacks (Side-Channel Analysis / Fault-Injection Analysis).
• Physical Implementation Attacks: We deepen the (theoretical) understanding of active and passive physical implementation attacks to build formal attacker models for security verification.
• Secure Hardware Design: We investigate how to build secure hardware circuits that can resist physical implementation attacks.

If you are interested in applying, please send an email to Dr. Pascal Sasdrich (pascal.sasdrich@rub.de) with the following documents in a single PDF (max. 10 MB) and subject line "[CAVE] Application for PhD position":

1. Your CV, including a transcript of records.
2. A brief cover letter describing your research interests.
3. Contact details of 2-3 potential references.

HGI and RUB stand for a collaborative, diverse, and inclusive workplace culture and promote equal opportunities. We strongly encourage applications from members of any underrepresented group in our research area. In particular, we invite and motivate women and individuals with disabilities to apply.

Closing date for applications:

Contact: Pascal Sasdrich (pascal.sasdrich@rub.de)

Information Security and Machine Learning Lab (https://ai-security.github.io/index_e.htm) has conducted research in a range of areas including artificial intelligence, cyber security and cryptography. We are also extending our areas to emerging areas such as quantum computing and parallel computing. Post-doctoral research fellows are welcome from computer science/engineering, electric/electronics, and mathematics/statistics. Applicants with good high-impact journal publication records are encouraged to send their CVs, publication lists and research statements to Professor Seong Oun Hwang (seongoun.hwang at gmail.com) by April 25, 2025.

Closing date for applications:

Contact: Professor Seong Oun Hwang

More information: https://ai-security.github.io/index_e.htm

We are looking for a Post Doctoral researcher to join the Crypto Team in the information Security Unit at Chalmers, under the guidance of Asst. Prof. Elena Pagnin. The applicant will have the opportunity to contribute to one or more research projects carried out in the team and to work together with all team members. Topics of interest include: provable security, post-quantum security, transparency logs, fine-grained and bounded space cryptography, and foundational cryptography. The position is fully funded for 2 years, with a 80-20 split between research and teaching duties (including supervising master thesis and helping in course-related teaching activities)

Closing date for applications:

Contact: Only applications via the official portal are considered valid.

More information: https://www.chalmers.se/en/about-chalmers/work-with-us/vacancies/

The Department of Engineering of the public Pompeu Fabra University, Barcelona, Catalonia, Spain, invites applications for a Tenure Track faculty position on Computer Security. Details about the formal requirements, the selection criteria, the selection process, and further essential information are given in the official regulations of the call. Approximated gross salary: 42.268,90 EUR per year. Applications must include an electronic copy of the PhD certificate. Furthermore, in order to illustrate the applicant's match with the requirement and selection criteria, it is strongly recommended to include a cover letter (1 page maximum), a curriculum vitae (providing common academic IDs such as Orcid or Web of Science Researcher ID), as well as a teaching and research statement (1 page maximum each). Equal Employment Opportunity Statement: UPF promotes a diverse and inclusive environment and welcomes applicants regardless of age, disability, gender, nationality, race, religion or sexual orientation.

Closing date for applications:

Contact: randp.dtic@upf.edu

More information: https://www.upf.edu/documents/1656590/294524599/Bases+ENG-TTPT-2025-8+ENGLISH.docx.pdf/8d0201ec-ba05-868e-699b-0db42e026f85?t=1741351921540

The Young Investigator Group “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has an open PhD/Postdoc position in the following areas:

AI-based Network Attack Detection and Simulation.

AI-enabled Penetration Testing.

Privacy-Enhancing Technologies in Cyber-Physical Systems.

The available position is funded as 100% TV-L E13 tariff in Germany and limited until 31.07.2026, with possibility for extension. Candidates must hold a Master’s degree (PhD degree for Postdocs) or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. Applications will be reviewed until the position is filled.

Closing date for applications:

Contact: Ivan Pryvalov (ivan.pryvalov@b-tu.de)

DNA edit distance (ED) measures the minimum number of single nucleotide insertions, substitutions, or deletions required to convert a DNA sequence into another. ED has broad applications in healthcare such as sequence alignment, genome assembly, functional annotation, and drug discovery. Privacy-preserving computation is essential in this context to protect sensitive genomic data. Nonetheless, the existing secure DNA edit distance solutions lack efficiency when handling large data sequences or resort to approximations and fail to accurately compute the metric.

In this work, we introduce secureED, a protocol that tackles these limitations, resulting in a significant performance enhancement of approximately $2-24\times$ compared to existing methods. Our protocol computes a secure ED between two genomes, each comprising $1,000$ letters, in just a few seconds. The underlying technique of our protocol is a novel approach that transforms the established approximate matching technique (i.e., the Ukkonen algorithm) into exact matching, exploiting the inherent similarity in human DNA to achieve cost-effectiveness. Furthermore, we introduce various optimizations tailored for secure computation in scenarios with a limited input domain, such as DNA sequences composed solely of the four nucleotide letters.

Side-channel analysis (SCA) is a growing field in hardware security where adversaries extract secret information from embedded devices by measuring physical observables like power consumption and electromagnetic emanation. SCA is a security assessment method used by governmental labs, standardization bodies, and researchers, where testing is not just limited to standardized cryptographic circuits, but it is expanded to AI accelerators, Post Quantum circuits, systems, etc. Despite its importance, SCA is performed on an ad hoc basis in the sense that its flow is not systematically optimized and unified among labs. As a result, the current solutions do not account for fair comparisons between analyses. Furthermore, neglecting the need for interoperability between datasets and SCA metric computation increases students’ barriers to entry. To address this, we introduce SCAPEgoat, a Python-based SCA library with three key modules devoted to defining file format, capturing interfaces, and metric calculation. The custom file framework organizes side-channel traces using JSON for metadata, offering a hierarchical structure similar to HDF5 commonly applied in SCA, but more flexible and human-readable. The metadata can be queried with regular expressions, a feature unavailable in HDF5. Secondly, we incorporate memory-efficient SCA metric computations, which allow using our functions on resource-restricted machines. This is accomplished by partitioning datasets and leveraging statistics-based optimizations on the metrics. In doing so, SCAPEgoat makes the SCA more accessible to newcomers so that they can learn techniques and conduct experiments faster and with the possibility to expand on in the future.

In this paper we provide new theoretical and empirical evidences that gradient-based deep learning profiling attacks (DL-SCA) suffer from masking schemes. This occurs through an initial stall of the learning process: the so-called plateau effect. To understand why, we derive an analytical expression of a DL-SCA model targeting simulated traces which enables us to study an analytical expression of the loss. By studying the loss landscape of this model, we show that not only do the magnitudes of the gradients decrease as the order of masking increases, but the loss landscape also exhibits a prominent saddle point interfering with the optimization process. From these observations, we (1) propose the usage of a second-order optimization algorithm mitigating the impact of low-gradient areas. In addition, we show how to leverage the intrinsic sparsity of valuable information in SCA traces to better pose the DL-SCA problem. To do so, we (2) propose to use the implicit regularization properties of the sparse mirror descent. These propositions are gathered in a new publicly available optimization algorithm, Scoop. Scoop combines second-order derivative of the loss function in the optimization process, with a sparse stochastic mirror descent. We experimentally show that Scoop pushes further the current limitations of DL-SCA against simulated traces, and outperforms the state-of-the-art on the ASCADv1 dataset in terms of number of traces required to retrieve the key, perceived information and plateau length. Scoop also performs the first non-worst-case attack on the ASCADv2 dataset. On simulated traces, we show that using Scoop reduces the DL-SCA time complexity by the equivalent of one masking order.

Scloud+ is an unstructured LWE-based key encapsulation mechanism (KEM) with conservative quantum security, in which ternary secrets and lattice coding are incorporated for higher computational and communication efficiency. However, its efficiencies are still much inferior to those of the structured LWE-based KEM, like ML-KEM (standardized by NIST). In this paper, we present a configurable hardware architecture for Scloud+.KEM to improve the computational efficiency. Many algorithmic and architectural co-optimizations are proposed to reduce the complexity and increase the degree of parallelism. Specially, the matrix multiplications are computed by a block in serial and the block is calculated in one cycle, without using any multipliers. In addition, the random bits all are generated by an unfolded Keccak core, well matched with the data flow required by the block matrix multiplier. The proposed design is coded in Verilog and implemented under the SMIC 40nm LP CMOS technology. The synthesized results show that Scloud+.KEM-128 only costs 23.0 $us$, 24.3 $us$, and 24.6 $us$ in the KeyGen, Encaps, and Decaps stages, respectively, with an area consumption of 0.69 $mm^2$, significantly narrowing the gap with the state-of-the-art of Kyber hardware implementation.

Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}. The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher's filter function cannot be represented over the ring it is defined on.

Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}.

For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.