International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

16 June 2025

Jan Bormet, Stefan Dziembowski, Sebastian Faust, Tomasz Lizurej, Marcin Mielniczuk
ePrint Report
One of the main shortcomings of classical distributed cryptography is its reliance on a certain fraction of participants remaining honest. Typically, honest parties are assumed to follow the protocol and not leak any information, even if behaving dishonestly would benefit them economically. More realistic models used in blockchain consensus rely on weaker assumptions, namely that no large coalition of corrupt parties exists, although every party can act selfishly. This is feasible since, in a consensus protocol, active misbehavior can be detected and "punished" by other parties. However, "information leakage", where an adversary reveals sensitive information via, e.g., a subliminal channel, is often impossible to detect and, hence, much more challenging to handle.

A recent approach to address this problem was proposed by Dziembowski, Faust, Lizurej, and Mielniczuk (ACM CCS 2024), who introduced a new notion called secret sharing with snitching. This primitive guarantees that as long as no large coalition of mutually trusting parties exists, every leakage of the shared secret produces a "snitching proof" indicating that some party participated in the illegal secret reconstruction. This holds in a very strong model, where mutually distrusting parties use an MPC protocol to reconstruct any information about the shared secret. Such a "snitching proof" can be sent to a smart contract (modeled as a "judge") deployed on the blockchain, which punishes the misbehaving party financially.

In this paper, we extend the results from the work of CCS'24 by addressing its two main shortcomings. Firstly, we significantly strengthen the attack model by considering the case when mutually distrusting parties can also rely on a trusted third party (e.g., a smart contract). We call this new primitive strong secret sharing with snitching (SSSS). We present an SSSS protocol that is secure in this model. Secondly, unlike in the construction from CCS'24, our protocol does not require the honest parties to perform any MPC computations on hash functions. Besides its theoretical interest, this improvement is of practical importance, as it allows the construction of SSSS from any (even very "MPC-unfriendly") hash function.
Isaac A. Canales-Martínez, David Santos
ePrint Report
Although studied for several years now, parameter extraction of Deep Neural Networks (DNNs) has seen the major advances only in recent years. Carlini et al. (Crypto 2020) and Canales-Martínez et al. (Eurocrypt 2024) showed how to extract the parameters of ReLU-based DNNs efficiently (polynomial time and polynomial number of queries, as a function on the number of neurons) in the raw-output setting, i.e., when the attacker has access to the raw output of the DNN. On the other hand, the more realistic hard-label setting gives the attacker access only to the most likely label after the DNN's raw output has been processed. Recently, Carlini et al. (Eurocrypt 2025) presented an efficient parameter extraction attack in the hard-label setting applicable to DNNs having a large number of parameters.

The work in Eurocrypt 2025 recovers the parameters of all layers except the output layer. The techniques presented there are not applicable to this layer due to its lack of ReLUs. In this work, we fill this gap and present a technique that allows recovery of the output layer. Additionally, we show parameter extraction methods that are more efficient when the DNN has contractive layers, i.e., when the number of neurons decreases in those layers. We successfully apply our methods to some networks trained on the CIFAR-10 dataset. Asymptotically, our methods have polynomial complexity in time and number of queries. Thus, a complete extraction attack combining the techniques by Carlini et al. and ours remains with polynomial complexity. Moreover, real execution time is decreased when attacking DNNs with the required contractive architecture.
Suyash Bagad, Quang Dao, Yuval Domb, Justin Thaler
ePrint Report
At the core of the fastest known SNARKs is the sum-check protocol. In this paper, we describe two complementary optimizations that significantly accelerate sum-check proving in key applications.

The first targets scenarios where polynomial evaluations involve small values, such as unsigned 32-bit integers or elements of small subfields within larger extension fields. This setting is common in applications such as Jolt, a state-of-the-art zero-knowledge virtual machine (zkVM) built on the sum-check protocol. Our core idea is to replace expensive multiplications over large fields with cheaper operations over smaller domains, yielding both asymptotic speedups and significant constant-factor improvements.

The second optimization addresses a common pattern where sum-check is applied to polynomials of the form $g(x) = \mathsf{eq}(r, x) \cdot p(x)$, where $\mathsf{eq}$ is the multilinear extension of the equality function. We present a technique that substantially reduces the prover's cost associated with the equality polynomial component. We also describe how to combine both optimizations, which is essential for applications like Spartan within Jolt.

We have implemented and integrated our optimizations into the Jolt zkVM. Our benchmarks show consistent $2\text{-}3\times$ speedups for proving the first sum-check of Spartan within Jolt, with performance gains reaching 20$\times$ or more when baseline methods approach their memory limits.
Andrew Lewis-Pye, Kartik Nayak, Nibesh Shrestha
ePrint Report
Protocols for State-Machine-Replication (sometimes called 'blockchain' protocols) generally make use of rotating leaders to drive consensus. In typical protocols (henceforth called 'single-sender' protocols), the leader is a single processor responsible for making and disseminating proposals to others. Since the leader acts as a bottleneck, apparently limiting throughput, a recent line of research has investigated the use of 'multi-sender' protocols in which many processors distribute proposals in parallel. Examples include DAG-based protocols such as DAG-Rider, Bullshark, Sailfish, Cordial Miners, Mysticeti, and variants such as Autobahn. However, existing models do not allow for a formal analysis to determine whether these protocols can actually handle higher throughputs than single-sender protocols such as PBFT, Tendermint, and HotStuff.

In this paper, we describe a very simple model that allows for such an analysis. For any given protocol, the model allows one to calculate latency as a function of network bandwidth, network delays, the number of processors $n$, and the incoming transaction rate. Each protocol has a latency bottleneck: an incoming transaction rate at which latency becomes unbounded over the protocol execution, i.e., a maximum throughput that the protocol can handle without unbounded latency.

With the aim of building to an analysis for state-of-the-art State-Machine-Replication (SMR) protocols, we begin by considering protocols for simpler primitives, such as Best-effort Broadcast and Reliable Broadcast. For Best-effort Broadcast, we establish a tight lower bound on latency for single-sender and multi-sender protocols when blocks are distributed without the use of techniques such as erasure coding. Perhaps unsurprisingly, a key difference between the single-sender and multi-sender approaches in this case is a factor $n$ in the point at which the latency bottleneck appears. However, for other primitives such as Reliable Broadcast, our results may be more surprising: the factor $n$ difference now disappears, and maximum throughput for the two approaches differs by a constant factor, while multi-sender approaches will generally have latency that grows more quickly with $n$. For state-of-the-art SMR protocols, the picture that emerges is one with seemingly inherent trade-offs. If one compares single-sender protocols that use pipelining and erasure coding, such as DispersedSimplex, with DAG-based protocols such as Sailfish or Bullshark, the former are seen to have lower latency for a wide range of throughputs, while the benefit of the latter protocols is that they have a latency bottleneck which is higher by a constant factor.
Sandro Coretti, Matthias Fitzi, Aggelos Kiayias, Giorgos Panagiotakos, Alexander Russell
ePrint Report
Throughput, i.e., the amount of payload data processed per unit of time, is a crucial measure of scalability for blockchain consensus mechanisms. This paper revisits the design of secure, high-throughput proof-of-stake (PoS) protocols in the permissionless setting. Existing high-throughput protocols are either analyzed using overly simplified network models or are designed for permissioned settings, with the task of adapting them to a permissionless environment while maintaining both scalability and adaptive security (which is essential in permissionless environments) remaining an open question.

Two particular challenges arise when designing high-throughput protocols in a permissionless setting: message bursts, where the adversary simultaneously releases a large volume of withheld protocol messages, and, in the PoS setting, message equivocations, where the adversary diffuses arbitrarily many versions of a protocol message. It is essential for the security of the ultimately deployed protocol that these issues be captured by the network model.

Therefore, this work first introduces a new, realistic network model based on the operation of real-world gossip networks, the standard means of diffusion in permissionless systems, which may involve many thousands of nodes. The model specifically addresses challenges such as message bursts and PoS equivocations and is also of independent interest.

The second and main contribution of this paper is Leios, a blockchain protocol that transforms any underlying low-throughput base protocol into a blockchain achieving a throughput corresponding to a $(1-\delta)$-fraction of the network capacity, while affecting latency only by a related constant. In particular, if the underlying protocol has constant expected settlement time, this property is retained under the Leios overlay. Combining Leios with any permissionless protocol yields the first near-optimal throughput permissionless "layer-1" blockchain protocol proven secure under realistic network assumptions.
Weizhan Jing, Xiaojun Chen, Xudong Chen, Ye Dong, Yaxi Yang, Qiang Liu
ePrint Report
Private set intersection (PSI) allows two participants to compute the intersection of their private sets without revealing any additional information beyond the intersection itself. It is known that oblivious linear evaluation (OLE) can be used to construct the online efficient PSI protocol (Kerschbaum et al., NDSS'23). However, oblivious transfer (OT) and fully homomorphic encryption (FHE)-based offline OLE generation are expensive, and the online computational complexity is super-linear and still a heavy burden for large-scale sets.

In this paper, we propose VCR, an efficient PSI protocol from vector OLE (VOLE) with the offline-online paradigm. Concretely, we first propose the batched short VOLE protocol to reduce offline overhead for generating VOLE tuples. Experiments demonstrate that VCR outperforms prior art. Then, we design a batched private membership test protocol from pre-computed VOLE to accelerate the online computation. Compared to the previous work of Kerschbaum et al. (NDSS'23), we reduce the total communication costs (resp. running time) by $341\times$ and $9.1\times$ (resp. $6.5\times$ and $2.5\times$) on average for OT- and FHE-based protocols.

15 June 2025

Jean-Monnet University, Saint-Etienne, FRANCE
Job Posting
The Jean-Monnet University (UJM) at Saint-Etienne in France is now seeking excellent candidates for a tenure-track (Associate Professor) position starting in November 2025.

This is a special position in France, as it is a first 5-year contract, and if the indicators are met the position automatically becomes that of a Full Professor. For 5 years, the person recruited is only required to carry out 64 hours of teaching per year, with dedicated financial resources. It's a research-oriented position in one of Europe's leading hardware security teams (the SESAM team at Laboratoire Hubert Curien).

The objective of this position is to ensure the long-term security of embedded systems by developing countermeasure mechanisms that can defend against sophisticated attacks at the intersection of software and hardware, starting from the design phase. This will result in new protection concepts being proposed that take into account the evolving cyber threat and the complexity of attack paths that exploit vulnerabilities in both software and hardware.

We are therefore looking for excellent candidates with at least 5 years' post-doctoral experience and an excellent list of scientific contributions and publications in the field of hardware security.

Closing date for applications:

Contact: Prof. Lilian BOSSUET - lilian.bossuet@univ-st-etienne.fr

More information: file:///C:/Users/bl16388h/Downloads/UJM%202025%20CPJ%20Appel%20%C3%A0%20candidatures%20CAYSE.pdf

Ruhr-University Bochum
Job Posting

I am looking for a PhD student in the 6-year project CAVE, funded by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) through the Emmy Noether Programme.

Why should you apply? The position involves exploring innovative methods in the field of Computer-Aided Security Verification, with the goal of publishing in leading international venues, broadening the research network, initiating global collaborations, and formulating independent research inquiries. For this, I work closely with my PhD students, including regular one-to-one meetings, to support and foster your research.

Location: The newly established junior research group on Computer-Aided Verification of Physical Security Properties (CAVE) is affiliated with the Faculty of Computer Science at Ruhr University Bochum (RUB). RUB has been a leader in IT security in Europe for more than two decades, and this expertise is integral to the Faculty of Computer Science.

Requirements: A Master’s Degree or a strong Bachelor's Degree in Computer Science or related fields. Excellent interpersonal and communication skills in English as well as solid background in any of the following fields are expected: cryptographic engineering, hardware security, physical implementation attacks (SCA & FIA) or profound knowledge of formal verification techniques.

Deadline: Reviewing of applications will continue until the position is filled.

Closing date for applications:

Contact: Pascal Sasdrich (pascal.sasdrich@rub.de). If you are interested, please send an email with the following documents in a single PDF (max. 10 MB) and subject line "[CAVE] Application for PhD position": CV, transcript of records, brief cover letter, contact details of 2-3 references.

Comcast - Philadelphia
Job Posting
https://jobs.comcast.com/job/philadelphia/comcast-cybersecurity-senior-embedded-researcher-pqc-engineering/45483/82098825456

Closing date for applications:

Contact: bahman_rashidi@comcast.com

More information: https://jobs.comcast.com/job/philadelphia/comcast-cybersecurity-senior-embedded-researcher-pqc-engineering/45483/82098825456

Comcast
Job Posting
https://jobs.comcast.com/job/philadelphia/comcast-cybersecurity-sr-principal-advanced-cryptographic-solutions/45483/82098826128

Closing date for applications:

Contact: bahman_rashidi@comcast.com

More information: https://jobs.comcast.com/job/philadelphia/comcast-cybersecurity-sr-principal-advanced-cryptographic-solutions/45483/82098826128

Input Output Group (IOG)
Job Posting

Who we are: IOG is a technology company focused on blockchain research and development. We are renowned for our scientific approach to blockchain development, emphasizing peer-reviewed research and formal methods to ensure security, scalability, and sustainability. Our projects include the Cardano blockchain, as well as other products in the areas of decentralized finance (DeFi), governance, and identity management, aiming to advance the capabilities and adoption of blockchain and Web3 technology globally.

What the role involves: As a Research Fellow at IOG, you will be responsible for conducting high-quality research, combining your well-developed research skills with a passion for collaborating in innovative research projects. We are looking for someone who is interested in blockchain technologies specifically to conduct research on post-quantum cryptographic solutions for enhancing the security and scalability of decentralized ledger technologies, and potentially harnessing quantum computation to develop novel, future-proof cryptographic protocols. You will join our team of research fellows contributing directly to our diverse development efforts.

Further information: For additional information as well as submitting your application, follow the link in the ad title.

Closing date for applications:

Contact: Sheridan Williams, sheridan.williams@iohk.io (for general questions)

More information: https://apply.workable.com/io-global/j/9ED65A53EA/

University of Luxembourg
Job Posting
The research group for Cryptographic Protocols located at the University of Luxembourg is looking for one PostDoc as well as one PhD student working on cryptographic primitives and protocols enabling privacy, accountability, and transparency.

A background in post-quantum cryptography and secure multi-party computation is expected, demonstrated by corresponding publications for the PostDoc or successfully attended courses or a master’s thesis on the subject for the PhD student.

The candidates will be based at the University of Luxembourg but also profit from regular visits at the KASTEL Security Research Labs at KIT, Germany. Their research will be dealing with the design and implementation of privacy-enhancing cryptographic protocols in the scope of the EU Q-FENCE project (https://www.uni.lu/fstm-en/research-projects/q-fence/).

If you are interested in joining our group, please send an email including your CV, transcripts, and two references to andy.rupp@uni.lu. The starting date for both positions is November 2025. Your application will be considered promptly.

Closing date for applications:

Contact: Andy Rupp (andy.rupp@uni.lu)

More information: https://www.uni.lu/fstm-en/research-groups/cryptographic-protocols/

University of Vienna, Austria
Job Posting
The Cryptography group at University of Vienna is searching for a motivated PhD candidate to join our team. We develop new security definitions which match practical applications, explore complexity-theoretic relations, develop novel, sophisticated proof techniques, and design schemes that provably satisfy strong security guarantees. Hence, strong mathematics skills are advantageous and arguing by formal mathematical proofs is essential.

Besides research (including attendance and presentation at workshops and conferences), the candidate will be involved in a small amount of teaching, according to the university regulations.

The position is fully funded for 4 years with a competitive salary and available from September 2025; the exact starting date is negotiable. For eligibility, an MSc degree in Computer Science or Mathematics (or a related field) is required. Applications must contain all requested documents and be done exclusively through the linked job portal at University of Vienna.

University of Vienna is located centrally and public transport is extraordinarily good. Also internationally, Vienna is very well connected by train, plane and bus. There are several cryptography research groups in and around Vienna and we encourage regular exchange through a joint reading group.

Closing date for applications:

Contact: Karen Azari (karen.azari(at)univie.ac.at)

More information: https://jobs.univie.ac.at/job/University-assistant-predoctoral/1212855201/

Leuven, Belgium, 10 September - 12 September 2025
Event Calendar
Event date: 10 September to 12 September 2025
Regensburg, Germany, 30 March - 1 April 2026
Event Calendar
Event date: 30 March to 1 April 2026
Submission deadline: 27 June 2025

13 June 2025

Dustin Ray, Caroline El Jazmi
ePrint Report
Recent advancements in machine learning accuracy and utility have been driven by the effective combination of sophisticated models with high-performance computational scaling. As the development of large-scale models shifts away from commodity hardware to outsourced computation, it becomes paramount to ensure that the training process is executed with integrity and transparency. This encompasses verifying that adequate computational resources were expended and that the resulting model is accurate, rather than the product of skipped steps or resource-saving shortcuts by the external provider. Building on our previous efforts, which demonstrated the computational feasibility of using this system to argue correctness for differentially-private linear regression, we extend those results to achieve fully provable back-propagation—a cornerstone operation in modern machine learning training. Our system achieves complete zero-knowledge, revealing nothing about the input data during training, and ensures quantum security by relying on no weak cryptographic primitives. Efficiency is substantially increased through the use of a fixed-point decimal representation, reducing the computational overhead typically associated with floating-point arithmetic. Notably, our solution is doubly efficient, achieving a logarithmic-time verifier and a linear-time prover. Implemented entirely in Rust without reliance on external machine learning libraries, and executed within a cryptographically secure virtual machine, this work represents a significant advancement toward verifiable, secure, and efficient outsourced machine learning computations.
Nibesh Shrestha, Aniket Kate, Kartik Nayak
ePrint Report
We present Hydrangea, a partially synchronous Byzantine fault-tolerant state machine replication protocol that achieves a latency of two rounds optimistically while maintaining high adversarial resilience. In particular, for a system of $n = 3f + 3p + 1$ parties, if up to $p$ parties are faulty, then the protocol can obtain a latency of two rounds. Otherwise, the protocol can obtain a latency of three rounds while tolerating $f$ Byzantine faults and $p$ crash faults simultaneously.
Hao Guo, Zhaoqian Liu, Ximing Fu, Zhusen Liu
ePrint Report
Secure evaluation of non-linear functions is one of the most expensive operations in secure two-party computation, particularly for activation functions in privacy preserving machine learning (PPML). This work introduces SEAF, a novel framework for efficient Secure Evaluation on Activation Functions. SEAF is based on the linear approximation approach, but enhances it by introducing two key innovations: Trun-Eq based interval test protocols and linear approximation with dynamic precision, which have the potential for broader applicability. Furthermore, we classify common activation functions into several categories, and present specialized methods to evaluate them using our enhanced techniques. Our implementation of SEAF demonstrates $3.5 \times$ to $5.9 \times$ speedup on activation functions $\mathsf{Tanh}$ and $\mathsf{Sigmoid}$ compared to SirNN (S\&P'21). When applied on $\mathsf{GELU}$, SEAF outperforms Iron (NeurIPS'22) by more than $10 \times$ and Bolt (S\&P'24) by up to $3.4 \times$. For end-to-end secure inference on BERT, the original $\mathsf{GELU}$ accounts for $31.3 \%$ and $22.5 \%$ of the total runtime in Iron and Bolt, respectively. In contrast, our optimized $\mathsf{GELU}$ reduces these proportions to $4.3 \%$ and $9.8 \%$, eliminating $\mathsf{GELU}$ as a bottleneck in secure inference.
Assimakis A. Kattis, Brian Klatt, Philip Quirk, Logan Allen
ePrint Report
In this work, we develop a framework for compiling languages into efficient Interactive Oracle Proofs (IOPs, or ‘circuits’), motivated by applications in verifiable Virtual Machine (zkVM) design. We provide a set of sufficient conditions on a language under which it can be compiled into an efficient IOP, alongside corresponding performance costs. We identify a subclass of languages, which we denote as traversable, and demonstrate how traversable languages can be efficiently compiled as circuits using established techniques.

To demonstrate the efficacy of our compilation framework, we develop a zkVM for the Nock programming language by (1) formalizing the existing Nock specification, and (2) applying our techniques to design an efficient IOP representation for the Nock VM. The resulting circuit is small, on par with existing state-of-the-art zkVM designs and can be generated for any traversable language in a generic way.
Alexander Ushakov
ePrint Report
Regardless of the choice of parameters, knowledge of a single signed message, i.e., a pair message/signature, produced by Kahrobaei-Koupparis digital signature scheme is sufficient to forge a valid signature for any other message.