International Association
for Cryptologic Research

A threshold signature allows one to delegate its signing rights to $n$ parties, such that any subset of size $t$ can sign a message on their behalf. In this work, we show how to construct threshold signatures for any $t$ and $n$ from one way functions, thus establishing the latter as a necessary and sufficient computational assumption. Our protocol makes non-black box use of one-way functions, and can be generalized to other access structures, such as monotone policies.

Quadratic functional encryption (QFE for short) is a cryptographic primitive which can output the value of a quadratic function between two vectors, without leaking other information on the plaintext vectors. Since the first breakthrough of Baltico et al. (Crypto 2017), there are already many constructions for QFE from bilinear groups. However, constructing more efficient QFE schemes and proving their security has always been a challenging task. While generic bilinear group model (GBGM for short) can be used to construct highly efficient QFE schemes and proving their security, obtaining a security proof under GBGM is difficult and may contain undiscovered mistakes. In this paper, we solve this problem by presenting new techniques which finally lead to an automated proof tool for QFE schemes, and can also be used to find potential attacks. Our automated proof tool shows that the RPB+19 scheme (Riffel et al, NIPS'19) which is the most efficient QFE scheme in the literature and already used in several works, is in fact insecure, and also gives an attack for the scheme. Finally, we present two new QFE schemes, each shares same efficiency with the RPB+19 scheme from one aspect, and prove their security using our automated proof tool. Our new schemes are more efficient than all existing QFE schemes other than the RPB+19 scheme, which means that they are most efficient among all existing ``secure'' QFE schemes.

The vast majority of work on the efficiency of lattice-based cryptography, including fully homomorphic encryption~(FHE), has relied on *cyclotomic* number fields and rings. This is because cyclotomics offer a wide variety of benefits, including good geometrical properties, fast ring arithmetic, and rich homomorphic operations like vectorized (SIMD) operations on "packed" plaintexts, automorphisms, and ring-switching. However, selecting a suitable cyclotomic that has the desired number and type of plaintext "slots," while also balancing security and efficiency, is a highly constrained problem that often lacks an ideal solution, resulting in wasted SIMD capacity and lost efficiency.

This work provides a suite of tools for instantiating ring-based lattice cryptography to work over *subfields* of cyclotomics, which provide more flexibility and better-fitting parameters for applications. A particular focus is on realizing FHE with *optimal plaintext packing* and homomorphic SIMD parallelism for *any* plaintext characteristic, along with efficient *packed bootstrapping* that fully exploits this parallelism.

Toward this end, this (two-part) work makes the following main technical contributions, all of which are catalyzed by Galois theory:

-- For sampling and decoding errors in encryption and decryption (respectively), we construct geometrically short, structured bases for the number rings of arbitrary subfields of prime-power cyclotomics (and hence their composites as well).

-- For fast ring arithmetic, we define and establish analogous structural properties for Chinese Remainder Theorem (CRT) bases in *abelian* number rings, and give specialized fast transforms that map between CRT bases and any similarly structured bases.

-- For packed bootstrapping and homomorphic linear algebra, we give a general framework for *homomorphic evaluation of structured linear transforms* in abelian number rings, and show that CRT transforms can be evaluated using relatively few homomorphic operations.

We are looking for a PhD student to work on Cryptographic Hardware and Design Automation. The project is oriented towards the development of a domain-specific design automation framework for cryptographic hardware. Your work will focus on identifying the mathematical knowledge and properties to guide hardware optimizations tailored to different environments. The optimizations range from algebraic optimizations (e.g., term rewriting) to algorithmic optimizations (e.g., group level algorithms), and to hardware optimizations (e.g., automated pipelining).

Closing date for applications:

Contact: Nusa Zidaric

More information: https://www.universiteitleiden.nl/en/vacancies/2025/q3/16010-phd-candidate-cryptographic-hardware-and-design-automation

TU Wien is Austria's largest institution of research and higher education in the fields of technology and natural sciences. At the Institute of Logic and Computation, in the Research Unit of Privacy Enhancing Technologies at TU Wien is offering a 40 hours/week position as university assistant (prae-doc) limited to expected 4 years. Expected start: November 2025.

Tasks:
- Research in the area of privacy enhancing technologies,
- cryptocurrencies, and (applied) cryptography
- proof systems
- Teaching tasks (exercises and exams), student guidance
- Assistance with thesis supervision
- Scientific publishing (journal and conference papers, dissertation)
Participation in scientific events
Assistance with organizational and administrative tasks


Your profile:
Master or diploma degree in computer science, math, or similar fields Knowledge of privacy-enhancing technologies, such as cryptography, differential privacy, and related areas Very good skills in spoken and written English Interest in academic research and teaching Advanced problem solving skills and scientific curiosity Team player with very good communication skills Very good skills in English communication and writing. Knowledge of German (level B2) or willingness to learn it

We offer:
A highly visible and connected international research group A broad range of opportunities in a thriving research area A range of attractive social benefits (see [Fringe-Benefit Catalogue of TU Wien](https://url.tuwien.at/cfjyv)) Internal and external training opportunities, various career options Central location of workplace as well as good accessibility (U1/U4 Karlsplatz)

!!!! Applications only via the website are considered!!!
https://jobs.tuwien.ac.at/Job/258176

Closing date for applications:

Contact: Univ.-Prof. Dr. Dominique Schröder

More information: http://pets.wien

Solving a long-standing open problem, Faonio, Fiore, and Russo proved that the widely used Plonk zk-SNARK is simulation extractable. However, their proof assumes both the random oracle model (ROM) and the algebraic group model. We prove that the same holds in the ROM under falsifiable assumptions. We combine the template of Faust et al., who proved that simulation extractability follows from knowledge soundness, (weak) unique response, and trapdoorless zero-knowledge, with the recent result of Lipmaa, Parisella, and Siim (Crypto 2025), who proved that Plonk has knowledge soundness in the ROM under falsifiable assumptions. For this, we prove that Plonk satisfies new variants of the weak unique response and trapdoorless zero-knowledge properties. We prove that several commonly used gadgets, like the linearization trick, are not trapdoorless zero-knowledge when considered as independent commit-and-prove zk-SNARKs.

WireGuard is a VPN based on the Noise protocol, known for its high performance, small code base, and unique security features. Recently, Hülsing et al. (IEEE S&P'21) presented post-quantum (PQ) WireGuard, replacing the Diffie-Hellman (DH) key exchange underlying the Noise protocol with key-encapsulation mechanisms (KEMs). Since WireGuard requires the handshake message to fit in one UDP packet of size roughly 1200 B, they combined Classic McEliece and a modified variant of Saber. However, as Classic McEliece public keys are notoriously large, this comes at the cost of severely increasing the server's memory requirement. This hinders deployment, especially in environments with constraints on memory (allocation), such as a kernel-level implementations.

In this work, we revisit PQ WireGuard and improve it on three fronts: design, (computational) security, and efficiency. As KEMs are semantically, but not syntactically, the same as DH key exchange, there are many (in hindsight) ad-hoc design choices being made, further amplified by the recent finding on the binding issues with PQ KEMs (Cremers et al., CCS'24). We redesign PQ WireGuard addressing these issues, and prove it secure in a new computational model by fixing and capturing new security features that were not modeled by Hülsing et al. We further propose 'reinforced KEM' (RKEM) as a natural building block for key exchange protocols, enabling a PQ WireGuard construction where the server no longer needs to store Classical McEliece keys, reducing public key memory by 190 to 390×. In essence, we construct a RKEM named 'Rebar' to compress two ML-KEM-like ciphertexts which may be of an independent interest.

We suggest post quantum secure protocol based on pseudorandom walk on infinite q-regular forest D(q) where q = 2^m, m > 1. Correspondents share positive integer n, pseudorandom tuple from (Fq) ^n and two pseudorandom input words in the alphabet F_q of length O(1). They use the group of cubic multivariate transformations of the vector space of points of D(q) induced by walks on the forest of even length as the platform for the implementation of modified Twisted Diffie-Hellman protocol of Noncommutative Cryptography based on the complexity of the Conjugacy Power Problem. The output of the protocol is a vector from (F_q)^n. In fact the action of the group on the partition set of the bipartite homomorphic image D(n, q) of the forest is used. Correspondents elaborate the collision vector in time O(n^2) in the case when the length of input words is O(1) and the size of private integer parameters is O(n). If length of the input words is also O(n) then the complexity of protocol will be O(n^3). We suggest also the obfuscation of the scheme with hidden graph of the 1complexity O(n^5) for which the output of the algorithm is a symbolic cubic transformation F of (Fq)^n. It can be used symbiotically with the symmetric encryption via the adding to the ciphertext from (F_q)^n the vector F(b_1, b_2, . . . , b_n) where the tuple (b_1, b_2, . . . , b_n) of pseudorandom nature is known publicly.

When neural networks are trained to classify a dataset, one finds a set of weights from which the network produces a label for each data point. We study the algorithmic complexity of finding a collision in a single-layer neural net, where a collision is defined as two distinct sets of weights that assign the same labels to all data. For binary perceptrons with oscillating activation functions, we establish the emergence of an overlap gap property in the space of collisions. This is a topological property believed to be a barrier to the performance of efficient algorithms. The hardness is supported by numerical experiments using approximate message passing algorithms, for which the algorithms stop working well below the value predicted by our analysis. Neural networks provide a new category of candidate collision resistant functions, which for some parameter setting depart from constructions based on lattices. Beyond relevance to cryptography, our work uncovers new forms of computational hardness emerging in large neural networks which may be of independent interest.

Bandwidth remains a major bottleneck for post-quantum cryptography, especially in authenticated key exchange (AKE). We propose DAKE, a bandwidth-efficient AKE protocol built from double-KEM constructions. DAKE comes in two main versions, achieving weak and full perfect forward secrecy, and admits two further variants: a unilateral version, and one where a signature replaces a KEM on one side. DAKE is proven secure in the standard model under strong variants of the extended Canetti--Krawczyk framework, namely eCKw and eCK-PFS.

At the heart of DAKE lies the double-KEM, a primitive that encapsulates one key under two public keys. To broaden the range of double-KEMs compatible with DAKE, we introduce the chosen-key Fujisaki--Okamoto transform (CK-FO), which upgrades IND-CPA security to IND-CCA and one-sided chosen-key security, proven in the QROM.

As a concrete instantiation, we present Maul, a compact double-KEM derived from ML-KEM and based on the Hint-MLWE assumption. Maul reuses ciphertext components to cut size by up to 40\% compared to two parallel ML-KEMs, while achieving the left-sided chosen-key IND-CCA security required by DAKE via our CK-FO. Instantiating DAKE with Maul yields global communication reductions of about 17% in the mutual setting and 21% in the unilateral setting, outperforming both the double-KEM AKE of Xue et al. (ASIACRYPT 2018) and standard ML-KEM-based AKEs. These results show that double-KEMs offer a practical path toward bandwidth-efficient post-quantum key exchange.

The transition to post-quantum cryptography (PQC) is accelerating due to the potential of quantum computing to compromise classical public-key cryptosystems. While standardized schemes such as CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+ offer strong theoretical security, practical deployments remain susceptible to physical-layer vulnerabilities, notably side-channel attacks (SCAs). SCAs exploit unintentional leakages in hardware and software implementations—such as power traces, electromagnetic emissions, and timing variations—to recover secret keys without altering the target system. These attacks are non-invasive, cost-effective, and applicable across diverse platforms, making them a critical threat vector for PQC in embedded and resource-constrained environments.

This survey provides a structured, in-depth review of SCAs targeting PQC implementations, encompassing both classical methods—such as Simple Power Analysis, Differential Power Analysis, Correlation Power Analysis, Template Attacks, and Mutual Information Analysis—and emerging machine learning (ML)-driven approaches. Special attention is given to deep learning models, including CNNs, RNNs, and MLPs, which have demonstrated superior performance in profiling attacks by automatically learning leakage patterns from high-dimensional trace data, even in the presence of countermeasures like masking and desynchronization.

We categorize and compare recent attack strategies, analyze their effectiveness against various PQC schemes, and examine the limitations of existing countermeasures. Finally, we identify open research challenges and outline hybrid defense strategies that integrate classical protections with adaptive, ML-aware mitigation techniques. This comprehensive synthesis aims to bridge the gap between PQC algorithm design and secure, implementation-level deployment in the quantum era.

Bootstrapping, introduced by Gentry at STOC 2009, remains the only known method for realizing fully homomorphic encryption (FHE). Since Alperin-Sheriff and Peikert’s 2014 breakthrough on symmetric group accumulator (ACC) based bootstrapping, algebraic ACC designs have offered the lowest bootstrapping latency. The work of Ducas and Micciancio further advanced this paradigm by embedding $\mathbb{Z}_q$ into the multiplicative subgroup of the cyclotomic ring $\mathcal{R}_N$ and exploiting FFT/NTT for fast computation, leading to the milestone constructions FHEW and TFHE. Despite their efficiency, these ring-based schemes face a fundamental limitation: correctness requires $q < 2N$, rigidly coupling precision, performance, and key size to the polynomial dimension.

We address this limitation by introducing a new accumulator structure - a free $\mathcal{R}_N$-module $\bigoplus_{i=0}^{\tau-1} \mathcal{R}_N X^i$. This generalization decouples $q$ and $N$ through a tunable factor $\tau$, with the classical ring-based construction recovered as the special case $\tau=1$. The computation over resulting $\mathcal{R}_N$-algebra enables efficient computation over $\bigoplus_{i=0}^{\tau-1} \mathcal{R}_N X^i$ can be effectively reduced to the base ring $\mathcal{R}_N$. Based on this structure, we design a bootstrapping scheme that achieves asymptotic improvements in precision, performance, and key size. Experimental results further demonstrate significant concrete gains, confirming the practicality of our approach.

Group signatures enable users to sign on behalf of a group while preserving anonymity, with accountability provided by a designated opener. The first rigorous model for dynamic groups (Bellare, Shi, Zhang, CT--RSA '05) captured anonymity, non-frameability, and traceability, later extended with trace-soundness (Sakai et al., PKC '12) and non-claimability (introduced as ``opening-soundness'' by Bootle et al., ACNS '16 & JoC '20).

In practice, issuer and opener are often distinct entities, often implemented by different organizations and/or hardware modules. We therefore formalize and prove the consequences of a model that enforces their complete separation, allows key reuse across groups, treats issuer and opener as stateless, and makes both joining and opening non-interactive.

This separation makes it necessary to reformulate traceability against a corrupt issuer and to introduce three additional unforgeability notions-key-unforgeability, certificate-unforgeability, and opening-unforgeability-for the case of a corrupt opener. Following this line of reasoning, we also develop strengthened formulations of trace-soundness and non-claimability.

We prove that in this model the eight resulting properties are fully distinct: even the conjunction of any seven does not imply the eighth. This yields the first comprehensive map of group signature security in a stateless, reusable-key, and non-interactive framework, and formally demonstrates the impact of complete issuer--opener separation.

This paper introduces and formalizes new, stringent security notions for elliptic curves, establishing a higher benchmark for cryptographic strength. We define two new classes of secure elliptic curves, which offer resilience against a broader range of known attacks, including those leveraging the curve's endomorphism ring or the twist's group structure. To construct curves satisfying these exceptional criteria, we develop a highly scalable, parallel framework based on the complex multiplication method. Our approach efficiently navigates the vast parameter space defined by safe primes and fundamental discriminants. The core of our method is an efficient scanning algorithm that postpones expensive curve construction until after orders are confirmed to meet our security definitions, enabling significant search efficiency. As a concrete demonstration of our definitions and techniques, we conducted a large-scale computational experiment. This resulted in the first known construction of 91 very strong 256-bit curves with extreme twist order (i.e., curve order is a safe prime and twist order is prime) and cofactor $u=1$ along with 4 such 512-bit curves meeting the extreme twist order criteria. Among these, one 512-bit curve has both its order (a safe prime) and its twist order being prime, while the other three have a small cofactor ($u=7$) but their twist orders are primes. All curves are defined over finite fields whose orders are safe primes. These results not only prove the existence of these cryptographically superior curves but also provide a viable path for their systematic generation, shifting the paradigm from constructing curves faster to constructing curves that are fundamentally stronger.

Emails are one of the main forms of digital communication. They were designed to provide many guarantees that have surprisingly not yet been formalized in cryptography. Yet many of the guarantees emails were designed to provide have not been formalized in cryptography. This paper models an important feature of email applications: the plausible deniability of including Bcc recipients. Concretely, . we define a basic (theoretical) email application capturing these guarantees in Constructive Cryptography (Maurer and Renner, ICS '11) . we introduce Email Encryption: a new cryptographic primitive that is tailor-made to construct our email application . we define game-based notions for Email Encryption schemes, proving that their combination is sufficient to construct our simple email application and . we give a generic (proof-of-concept) construction of an Email Encryption scheme that provides all these guarantees.

Our work identifies and formalizes missing theoretical foundations for the security of emails providing the first step towards practical solutions.

We revisit the BUFF transform, which was proposed by Cremers et al. (S&P'21) as a means to achieve security properties beyond standard unforgeability for digital signature schemes. One of these properties, non-resignability (NR), has recently drawn some attention due to a strong impossibility result for the original definition of the property. Recent follow-up work then considered a variant (sNR) of the original definition, and showed that it is satisfied by the BUFF transform when the underlying hash function is modeled as a random oracle - while the original impossibility result still applies for the plain model. This raises the natural question of whether the BUFF transform satisfies sNR in a more fine-grained use of the random oracle model, when we consider a real-life iterative-hash-function design (such as Merkle-Damgaard or Sponge) and instead idealize the round function. Our discoveries in this direction are two-fold:

First, contrary to what one might expect, we show that there is a simple attack on the non-resignability property sNR of the BUFF-transform when instantiated with an iterative hash function. The attack relies on leaking an intermediate result of the hash computation to the adversary who is challenged to "resign" the message. This negative result once more shows the subtlety in the non-resignability property.

Second, on the positive side, we propose a small modification to the original BUFF transform, which we call Sandwich BUFF (for reasons to become clear), and prove the non-resignability property sNR of Sandwich BUFF both for Merkle-Damgaard-based hash functions in the random oracle model, and for Sponge-based hash functions in the random permutation model.

TLS 1.3 is at the heart of secure modern internet communications. With the rise of quantum attacks, post-quantum TLS 1.3, built on post-quantum key encapsulation mechanisms (KEMs), has naturally become a major research focus. At Eurocrypt 2022, Huguenin-Dumittan and Vaudenay demonstrated that KEMs secure against chosen-plaintext attacks (CPA) are sufficient to construct a secure TLS 1.3 handshake in the random oracle model (ROM), but their security reduction incurs an $\mathcal{O}(q^6)$ loss, where $q$ is the number of random oracle queries. Improving their security bounds was left as an open problem. To address this problem, Zhou et al. took the first step at Asiacrypt 2024, improving the loss factor to $\mathcal{O}(q^2)$ in the ROM and $\mathcal{O}(q^4)$ in the quantum ROM (QROM) for OW-CPA secure KEMs, and to $\mathcal{O}(q)$ (ROM) and $\mathcal{O}(q^2)$ (QROM) for IND-CPA secure KEMs.

In this work, we further advance the state-of-the-art by providing tighter security reductions for the post-quantum TLS 1.3 handshake based on CPA-secure KEMs. We introduce a new security notion, \textit{IND-1CCA-1MAC}, and demonstrate that the loss factors can be further improved with a slight ciphertext expansion, i.e., $\mathcal{O}(q)$ (ROM) and $\mathcal{O}(q^2)$ (QROM) for OW-CPA secure KEMs, and only $\mathcal{O}(1)$ in both models for IND-CPA secure KEMs. Furthermore, we prove that without ciphertext expansion, the loss factor of $\mathcal{O}(q)$ (ROM) and $\mathcal{O}(q^2)$ (QROM) is unavoidable. Given the above theoretical results, we investigate the security of TLS 1.3 based on CPA-secure KEMs in the hybrid key exchange and experimentally demonstrate that ciphertext expansion is indeed a viable trade-off for mitigating reduction losses.

Designing practically secure masked circuits remains a central problem in the field of cryptographic implementation. While most masking schemes have been proven secure in the classical probing model, this model fails to capture more advanced side-channel attacks such as horizontal attacks. In recent years, the community has shifted toward the more realistic random probing model, which offers stronger guarantees. Yet, balancing strong security with practical efficiency continues to be a significant challenge. In this work, we introduce new tools and constructions that significantly improve the design and analysis of random probing secure circuits. First, we formalize new security notions that combine the benefits of cardinal and general Random Probing Composability (RPC), two recently introduced notions enabling more flexible and efficient composition of secure gadgets. We then show how uniformly random permutations can be applied to transform any cardinal or general RPC gadget into a so-called uniformly cardinal RPC gadget, thereby enhancing security at low cost. Using these techniques, we propose the first non-linear multiplication gadget, inspired by the recursive construction from CHES 2016, that achieves concrete cardinal RPC security. We provide a detailed comparison with state-of-the-art multiplication gadgets in terms of both random probing advantage and implementation complexity. Building upon this gadget, we design a tighter random probing compiler that strategically uses permutations to improve security bounds while preserving efficiency. Finally, we apply our compiler to the AES and demonstrate improved performance and security compared to existing methods.

Payment channels are a cornerstone of a scalable blockchain infrastructure that enables transacting parties to lock assets on the blockchain and perform rapid off-chain updates with minimal latency and overhead. These protocols dramatically reduce on-chain interaction and improve throughput, with blockchain consensus only invoked in the event of disputes or final closure. While widely adopted in single-chain settings—such as in the Lightning Network for Bitcoin—existing constructions have several limitations, in particular they suffer from at least one of the following limitations:

1) No cross-chain. They do not enable fast trading of assets that reside on multiple isolated blockchains. 2) Non-optimal round complexity. The off-chain round complexity is not optimal (i.e., parties require more than two rounds to update the channel). 3) No bitcoin compatibility. They require a more advanced scripting language that prevents cross-chain interaction between chains that only have a simple (Bitcoin-like) scripting language.

In this work, we introduce a novel payment channel protocol that breaks through all the above limitations. Our construction supports bidirectional, multiasset, and off-chain interaction across an arbitrary set of blockchains, where each update of the channel requires the parties to send only one message each. Our protocol is fully compatible with Bitcoin and can be deployed on chains with only minimal scripting capabilities, making it broadly applicable to real-world blockchain networks.

Crucially, our design ensures atomic settlement across blockchains without relying on trusted intermediaries. We formally prove the security of our protocol together with a novel definition of the cross-chain payment channel that we introduce. Finally, we empirically validate our protocol, showing the minimal costs that our payment channel incurs in the setting where two parties make multiple exchanges of assets that reside on three different blockchains.

In this work, we present two fault attacks against MPCitH-based signature schemes: we present a key recovery attack and a signature forgery attack, both of which only need a single successful fault injection to succeed. We analyze all five MPCitH-based schemes which are currently analyzed in round 2 of NIST's additional signature standardization process: Mirath, MQOM, PERK, RYDE, and SDitH. Our analysis shows that all five schemes are vulnerable to at least one of the attacks. We validate the practicality of our attacks using the ChipWhisperer setup and discuss countermeasures to prevent the attacks.