International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available via email or via RSS feed.

13 November 2025

Subham Das, Riccardo Invernizzi, Péter Kutas, Jonas Meers
ePrint Report
We define and analyze the Leveled Isogeny Problem with Hints (LIPH), which is a generalization of the Isogeny Problem with Level Structure first introduced by De Feo, Fouotsa and Panny at EUROCRYPT'24. In a LIPH instance we are tasked to recover a secret isogeny \(\varphi\) given masked torsion point images \(\Gamma\cdot(\varphi(P),\varphi(Q))^\top\) for some \((P,Q)\) of order \(N\) and unknown \(\Gamma\in GL_2(N)\). Additionally, we are provided a \emph{hint} on \(\Gamma\), revealing some bits of its entries. Instances of LIPH occur naturally in the case of modern isogeny-based key exchanges that use masked torsion points as part of their public key, when additionally some parts of the masking matrix \(\Gamma\) are revealed due to, for instance, a side-channel attack.

We provide efficient algorithms that solve various instances of LIPH, leading to efficient \emph{partial key recovery attacks} in practice. More specifically, we present Coppersmith-type attacks that are able to recover an M-SIDH/POKÉ secret key given \(50\%\) (resp. \(86\%\)) of the most-significant bits of an entry of \(\Gamma\), and a FESTA secret key given \(67\%\) of the most-significant bits of \(\Gamma\). In the case of FESTA we also present a tailored combinatorial attack running in subexponential time $O(2^{\sqrt{n}})$ when $50\%$ of the bits of $\Gamma$ leak at random.
Chenyang Liu, Xukun Wang, Zhifang Zhang
ePrint Report
Private Information Retrieval (PIR) is a crucial component in many privacy-preserving systems, with Offline/Online PIR attracting significant attention. Recent works have focused on eliminating offline communication overhead. However, existing constructions incur high online communication costs as a trade-off. To address this, we propose VIA, a single-server PIR scheme that eliminates offline communication while achieving $O_{\lambda}(\log N)$ online communication complexity. Experimental evaluations demonstrate that for a 32 GB database, VIA requires only 690 KB of online communication---a $3.7\times$ reduction compared to state-of-the-art schemes without offline communication---while attaining a throughput of 3.11 GB/s. Furthermore, we introduce VIA-C, a variant of VIA that allows offline communication. Compared to previous communication-efficient schemes, VIA-C achieves a $24.5\times$ reduction in online communication, requiring only 2.1 KB for a 32 GB database (with 14.8 MB offline communication). Moreover, VIA-C can naturally extend to VIA-B that supports batch queries. Compared to previous communication-efficient batch PIR schemes, VIA-B achieves a $3.5\times$ reduction in query size and a $127\times$ reduction in response size for a 1 GB database of 1-byte records. The designs of our schemes rely on a novel DMux-CMux structure and LWE-to-RLWE conversion techniques.
Alessandro Budroni, Marco Defranceschi, Federico Pintore
ePrint Report
The Permuted Kernel Problem (PKP) is a computational problem for linear codes over finite fields that has emerged as a promising hard problem for constructing post-quantum cryptographic schemes, with its main application found in the digital signature scheme PERK, submitted to the NIST standardization process for quantum-secure additional signatures. Upon reviewing the first version of PERK, NIST recommended further research on the concrete complexity of PKP. In this work, we follow this recommendation and investigate algorithmic improvements to the known methods for solving PKP. Specifically, we build upon the state-of-the-art work of Santini, Baldi, and Chiaraluce (IEEE Trans. Inf. Theory, 2024), and introduce a new algorithm that outperforms it over a wide range of parameters, yielding double-digit bit reductions in estimated complexity on representative instances. Nevertheless, our analysis shows that these improvements do not affect the parameter-set choices in PERK, thereby reinforcing confidence in its security.
Christopher Goes, Yulia Khalniyazova, Enrique Larraia, Xuyang Song
ePrint Report
Fuzzy Message Detection, or FMD, outsources detection of messages to an untrusted server (Beck et al., CCS 2021). In this paper, we extend FMD to the multi-key setting: several servers are given different detection keys, all extracted from a single secret key. Multi-key FMD allows each receiver to combine tests from multiple servers locally. This allows high false-positive rates to be set on the servers while attaining low rates on the receiver side, thereby striking a better balance between privacy and efficiency. We further formalize the notion of stealth public keys in the FMD setting. Last, we provide two constructions, one with short public keys.
Bruno Cavalar, Eli Goldin, Matthew Gray, Taiga Hiroka, Tomoyuki Morimae
ePrint Report
One of the most fundamental problems in the field of hypothesis testing is the identity testing problem: whether samples from some unknown distribution $\mathcal{G}$ are actually from some explicit distribution $\mathcal{D}$. It is known that when the distribution $\mathcal{D}$ has support $[N]$, the optimal sample complexity for the identity testing problem is roughly $O(\sqrt{N})$. However, many distributions of interest, including those which can be sampled efficiently, have exponential support size, and therefore the optimal identity tester also requires exponential samples. In this paper, we bypass this lower bound by considering restricted settings. The above $O(\sqrt{N})$ sample complexity identity tester is constructed so that it is not fooled by any (even inefficiently-sampled) distributions. However, in most applications, the distributions under consideration are efficiently samplable, and therefore it is enough to consider only identity testers that are not fooled by efficiently-sampled distributions. In this setting we can hope to construct efficient identity testers. We investigate relations between efficient verification of classical/quantum distributions with classical/quantum cryptography, showing the following results:

  • Classically efficiently samplable distributions are verifiable if and only if one-way functions do not exist.
  • Quantumly efficiently samplable distributions are verifiable by $\mathbf{P}^\mathbf{PP}$ with a polynomial number of samples.
  • Sampling-based quantum advantage can be verified quantumly (with a polynomial number of samples) if one-way puzzles do not exist.
  • If QEFID pairs exist, then some quantumly efficiently samplable distributions are not verifiable.
Hanbeom Shin, Insung Kim, Sunyeop Kim, Byoungjin Seok, Dongjae Lee, Deukjo Hong, Jaechul Sung, Seokhie Hong, Sangjin Lee
ePrint Report
At ASIACRYPT 2021, Baksi et al. introduced DEFAULT, a block cipher designed to algorithmically resist Differential Fault Attack (DFA), claiming 64-bit DFA security regardless of the number of injected faults. At EUROCRYPT 2022, Nageler et al. demonstrated that DEFAULT’s claimed DFA resistance can be broken by applying an information-combining technique. More recently, at ASIACRYPT 2024, Jana et al. improved DFA by searching for deterministic trails. They showed that, for DEFAULT with a simple key schedule, injecting five faults at the fifth-to-last round reduces the key space to one, and for BAKSHEESH, injecting twelve faults at the third-to-last round achieves the same result. In this paper, we propose a new DFA framework that utilizes a Mixed-Integer Linear Programming (MILP) solver. This framework makes it possible to attack more rounds than previously achieved, while simultaneously reducing the number of fault injections required for key recovery. Furthermore, we present a method to determine the most efficient fault injection bit positions by systematically analyzing the input differences from all possible single bit-flip faults, thereby further reducing the required number of faults. This systematic analysis has the significant advantage of allowing us to theoretically calculate the required number of faults. Applying our framework, for DEFAULT, injecting three faults at the sixth-to-last round and two faults at the seventh- and eighth-to-last rounds reduces the key space to one, and for BAKSHEESH, injecting six faults at the fourth-to-last round and nine faults at the fifth-to-last round achieves the same result.
Mehdi Abri, Jonathan Katz
ePrint Report
The stateless hash-based digital signature algorithm (SLH-DSA) is a post-quantum signature scheme based on the SPHINCS+ framework that was recently standardized by NIST. Although it offers many benefits, a drawback of SLH-DSA is that it has relatively large signatures. Several techniques have been proposed to reduce the signature size of SPHINCS-like schemes, and NIST is actively evaluating variants with shorter signatures for possible future standardization.

We explore using forced pruning in the few-time signature scheme used by SPHINCS+ to reduce the overall signature size. Prior work suggested similar ideas, but claimed that the improvement from forced pruning was small. We revisit this conclusion by performing a detailed theoretical analysis of forced pruning along with a more thorough exploration of its benefits. We show that forced pruning can improve upon SPHINCS+C (Oakland 2023) in all respects, and can reduce the overall signature size for the 'smaller SPHINCS+' variants proposed by Fluhrer and Dang by up to 20% with minimal effect on signing time. Our results thus show that forced pruning can be a beneficial optimization for hash-based signatures.
Yicheng Liu, Rafail Ostrovsky, Scott Shenker, Sam Kumar
ePrint Report
Organizations increasingly need to collaborate by performing a computation on their combined dataset, while keeping their data hidden from each other. Certain kinds of collaboration, such as collaborative data analytics and AI, require a level of performance beyond what current cryptographic techniques for distributed trust can provide. This is because the organizations run software in different trust domains, which can require them to communicate over WANs or the public Internet. In this paper, we explore how to instead run such applications using fast datacenter-type LANs. We show that, by carefully redesigning distributed trust frameworks for LANs, we can achieve up to order-of-magnitude better performance than naïvely using a LAN. Then, we develop deployment models for Distributed But Proximate Trust (DBPT) that allow parties to use a LAN while remaining physically and logically distinct. These developments make secure collaborative data analytics and AI significantly more practical and set new research directions for developing systems and cryptographic theory for high-performance distributed trust.
Enis Golaszewski, Alan T. Sherman, Edward Zieglar, Jonathan D. Fuchs, Sophia Hamer
ePrint Report
As a case study in cryptographic binding, we present a formal-methods analysis of the cryptographic channel binding mechanisms in the Fast IDentity Online (FIDO) Universal Authentication Framework (UAF) authentication protocol, which seeks to reduce the use of traditional passwords in favor of authentication devices. First, we show that UAF's channel bindings fail to mitigate protocol interaction by a Dolev-Yao adversary, enabling the adversary to transfer the server's authentication challenge to alternate sessions of the protocol. As a result, in some contexts, the adversary can masquerade as a client and establish an authenticated session with a server (e.g., possibly a bank server). Second, we implement a proof-of-concept man-in-the-middle attack against eBay's open source FIDO UAF implementation. Third, we propose and formally verify improvements to UAF. The weakness we analyze is similar to the vulnerability discovered in the Needham-Schroeder protocol over 25 years ago. That this vulnerability appears in the FIDO UAF standard highlights the strong need for protocol designers to bind messages properly and to analyze their designs with formal-methods tools. To our knowledge, we are the first to carry out a formal-methods analysis of channel binding in UAF and the first to exhibit details of an attack on UAF that exploits the weaknesses of UAF's channel binding. Our case study illustrates the importance of cryptographically binding context to protocol messages to prevent an adversary from misusing messages out of context.
Yueming Li, Long Chen, Zhenfeng Zhang
ePrint Report
With the rapid advancement of 5G networks and the increasing demand for secure application access, the Authentication and Key Management for Applications (AKMA) framework was developed by the 3rd Generation Partnership Project (3GPP) to provide unified authentication and key management for diverse 5G services. In response to the security and privacy concerns identified in the current AKMA protocol, as outlined in 3GPP TR 33.835, Yang et al. proposed an enhanced, standard-compatible 5G AKMA protocol known as AKMA+ [14].

This paper presents a comprehensive analysis of AKMA+, discovering two critical vulnerabilities: (1) the compromise of the AKMA Anchor Function (AAnF), which enables adversaries to impersonate legitimate users; and (2) the persistent storage of multiple anchor keys, which heightens the risk of key exposure. These vulnerabilities arise from the reliance on the authentication framework inherent in existing AKMA+ models. This architectural dependency introduces fundamental security risks that cannot be adequately mitigated through incremental modifications to the current design.

Furthermore, we observe that AKMA+ faces challenges in aligning with the standard account-based authentication model, which is incompatible with existing user practices within information systems. Additionally, we find that providing account-based authentication functionality without compromising privacy poses significant difficulties.
Benedikt Bünz, Giacomo Fenzi, Ron D. Rothblum, William Wang
ePrint Report
A polynomial commitment scheme (PCS) enables a prover to succinctly commit to a large polynomial and later generate evaluation proofs that can be efficiently verified. In recent years, PCSs have emerged as a central focus of succinct non-interactive argument (SNARG) design.

We present TensorSwitch, a hash-based PCS for multilinear polynomials that improves the state-of-the-art in two fundamental bottlenecks: prover time and proof size.

We frame our results as an interactive oracle PCS, which can be compiled into a cryptographic PCS using standard techniques. The protocol uses any linear code with rate $\rho$, list-decoding and correlated agreement up to $\delta$, and encoding time $\tau \cdot \ell$, where $\ell$ is the block length. For a size $n$ polynomial, security parameter $\lambda$, and sufficiently large field, it has the following efficiency measures, up to lower order terms:

  • Commitment time: $(\tau/\rho^{2} + \tau/\rho + 3) \cdot n$ field multiplications.
  • Opening time: $6 n$ field multiplications.
  • Query complexity: $\frac{1}{-\log(1-\delta^{2})} \cdot \lambda$.
  • Verification time: $O(\lambda \log n)$.

Moreover, the evaluation proof only contains $O(\log \log n)$ oracles of total size $(\lambda n)^{0.5 + o(1)}$.

With a Reed-Solomon code of rate $1/2$, the query complexity is $2.41 \lambda$ and commitment time is dominated by $(6 \log n + 3) \cdot n$ field multiplications. With an RAA code of rate $1/4$ and distance $0.19$, the query complexity is $19 \lambda$ and the commitment time is $42 n$ field additions and $3 n$ field multiplications. For both instantiations, the opening time is dominated by $6 n$ field multiplications.
Mojtaba Rafiee
ePrint Report
The private set operation (PSO) scheme [Rafiee-Khazaei, Comput. J. 2020] is a cryptographic primitive that enables a user to securely outsource their dataset to a cloud server, and then, when needed, securely issue common set operation queries to the server and receive the results. This primitive has always been of interest to researchers because it supports set operations, which are the most basic mathematical operations and are used in a wide range of real-world applications. In previous research, security notions such as naSIM and aIND have been introduced for it. In this paper, we develop the standard security notions for PSO schemes: an adaptive version of the simulation-based security notion (aSIM) and a non-adaptive version of the indistinguishability-based security notion (naIND). We also study the relation between these security notions and determine their implications and separations. In addition to these, we also provide a summary of the available PSO constructions and their security level, and introduce research potentials in this regard.

11 November 2025

Hashgraph, Remote
Job Posting

We are looking for an Applied Cryptographer to join the Hashgraph engineering team. You will design, build, and integrate privacy-by-design features for enterprise solutions built on Hedera technology. This is a greenfield initiative at the cutting edge of decentralized systems and applied cryptography, with a focus on confidentiality, anonymity, history masking, and end-to-end security at scale.

This is a highly technical role where you will transform the newest research ideas into practical applications by designing, implementing, and optimizing cryptographic primitives and protocols (e.g., ZKPs, MPC, homomorphic encryption, Trusted Execution Environments) and secure smart contracts. You will collaborate closely with existing in-house cryptography researchers, partner with Product to translate customer privacy requirements into a clear roadmap, evaluate emerging solutions across the ecosystem, and work side-by-side with our Hashgraph engineers to prototype, benchmark, and productize capabilities in HashSphere.

If you enjoy deep technical challenges, have a strong command of modern cryptography, and have experience turning advanced research into reliable, high-performance systems while navigating confidentiality-performance trade-offs, this is an exciting, impact-driven role shaping the privacy foundation for some of the world’s largest enterprises.

Apply here: https://www.hashgraph.com/careers/?gh_jid=8284328002

Closing date for applications:

Contact: pratyay.m@hashgraph.com; rohit@hashgraph.com

More information: https://www.hashgraph.com/careers/?gh_jid=8284328002

KTH Royal Institute of Technology; Stockholm, Sweden
Job Posting

Since this position requires Swedish citizenship, the below description of the position is available in Swedish only.

The Centre for Cyber Defence and Information Security (CDIS) at KTH, which is a collaboration between KTH and the Swedish Armed Forces together with certain other government agencies, is seeking doctoral students. This is a broad call within the field of cybersecurity. Here we would particularly like to point out a possible specialisation within the field of cryptology.

More specifically, KTH, in collaboration with the Department of Cryptography and IT Security at Must (the Swedish Military Intelligence and Security Service), has ongoing cutting-edge research aimed at meeting the challenges that follow from the development of quantum computers. Within the framework of the CDIS call, we are now seeking a doctoral student who can contribute to that research.

The doctoral student will be supervised by Johan Håstad and Martin Ekerå. The position will comprise 80% doctoral studies at KTH and 20% placement at Must, where there is the opportunity to work with some of Sweden's foremost cryptologists. For the doctoral student, the result is a unique combination of theory and practice within the field of cryptology.

For further information, contact Johan Håstad (johanh@kth.se) or Martin Ekerå (ekera@kth.se).

The application deadline is 15 December 2025. Note that Swedish citizenship is a requirement for the position, and that the position entails a security clearance.

Closing date for applications:

Contact: For more information about the position, please contact Johan Håstad (johanh@kth.se) or Martin Ekerå (ekera@kth.se).

More information: https://www.kth.se/lediga-jobb/857957


10 November 2025

TU Wien, Austria
Job Posting
TU Wien is Austria's largest institution of research and higher education in the fields of technology and natural sciences.

The Security and Privacy Research Unit at TU Wien, as part of the TU Wien Cybersecurity Center (https://cysec.wien/), is offering a PhD student position in provable symmetric cryptography for privacy-friendly protocols within the WWTF CrossPings (Cross-Domain Privacy-Preserving Protocols and Symmetric Cryptography) project.

Our research unit is internationally renowned for its expertise in cryptography, security, and privacy. Our working language is English.

Candidate Profile

  • Motivated candidates with excellent academic records
  • Completed Master or Diploma in Mathematics, Computer Science, or related fields
  • Experience in cryptography or security is a plus

Application

Formal applications must be submitted via the link below. We look forward to receiving your application until 20.12.2025.

Closing date for applications:

Contact: Elena Andreeva

More information: https://academicpositions.com/ad/tu-wien/2025/project-assistant-all-genders-at-the-institute-of-logic-and-computation/240957

Newcastle University; School of Computing; Newcastle, UK
Job Posting

A fully-funded, competitive PhD studentship, highly suitable for UK candidates, is available.

Brief Description: Weather forecasting and environmental prediction are vital for managing risks such as flooding, extreme temperatures, and poor air quality. However, most forecasting systems rely on centralised data processing, raising concerns about privacy, data ownership, and resilience to cyber attacks or system failures. These challenges have been largely overlooked in both the UK and globally.

This project builds on recent work by Dr Aydin Abadi and colleagues at Newcastle University, who developed a decentralised weather forecasting framework combining Federated Learning (FL) and blockchain. The approach enables multiple organisations to train shared forecasting models without exchanging raw data. Blockchain ensures transparent model validation, while privacy-preserving methods protect sensitive local observations.

The PhD will extend that research by improving the scalability, accuracy, and security of decentralised environmental forecasting. It will explore advanced cryptographic techniques such as secure aggregation, privacy-preserving consensus, and private set intersection (PSI) to protect participants’ data and evaluate performance on real and synthetic meteorological datasets.

The goal is to deliver a scalable and secure collaborative forecasting framework that strengthens environmental resilience and benefits society.

Closing date for applications:

Contact: Aydin Abadi

More information: https://iapetus.ac.uk/studentships/secure-and-decentralized-federated-learning-for-environmental-forecasting/


09 November 2025

Benjamin Dowling, Britta Hale, Xisen Tian, Bhagya Wimalasiri
ePrint Report
Among standardization efforts for space and interplanetary network security, the Internet Engineering Task Force (IETF) is driving work on space network security, accounting for the unique properties of space environments that make space communication challenging. This includes long, variable-length delays, packet loss, and intermittent end-to-end connectivity. Within these efforts, there is a focus on using IP-based protocols for security, and in particular the use of the QUIC protocol. This is unsurprising given QUIC’s growing popularity and its offer of optimizations intended for reducing latency. However, QUIC uses the Transport Layer Security (TLS) key exchange handshake protocol, which was originally designed for ‘connect and forget’ style Internet connections at scale. It is also session-based, where protocol participants require reestablishment of the session for each reconnection – a costly maneuver in the space setting. Furthermore, TLS by default does not achieve strong post-compromise security properties within sessions, exhibiting a risk under long-lived connections, and the need for synchronous handshakes to counteract this is in functional contrast to the space environment, which has intermittent end-to-end connectivity. We address both drawbacks of QUIC by introducing QUIC-MLS: a variant of QUIC which replaces the session-based, synchronous TLS handshake with the standardized continuous key agreement protocol, Messaging Layer Security (MLS), which achieves asynchronous forward secrecy and post-compromise security. In addition to the design itself, we implement our design and provide benchmarks, and analyze our new construction in a formal cryptographic model.
Sulaiman Alhussaini, Sergeĭ Sergeev
ePrint Report
We present a cryptanalysis of a multi-party key exchange protocol over a modified supertropical semiring, as proposed in a recent work of R. Ponmaheshkumar, J. Ramalingam, and R. Perumal. Building on the established methods for solving linear systems $A \otimes x=b$ over the tropical semiring, as well as on our recent work on solving such systems over layered semirings such as the symmetrized and supertropical semirings, we develop a method to compute a solution of $A \otimes x=b$ over the above-mentioned modified supertropical semiring. This method enables the attacker to recover the shared secret key by solving the one-sided linear system derived from the public messages of the protocol. Our findings show that this modified supertropical platform does not provide the intended security and motivate further exploration of secure semiring-based constructions.
Irene Di Muzio, Martin Feussner, Igor Semaev
ePrint Report
We propose a new multivariate digital signature scheme whose central mapping arises from the product of two one-variate polynomials over a finite field $\mathbb{F}_q$. The resulting quadratic transformation is efficiently invertible through polynomial factorization, defining the trapdoor mechanism. The public key comprises $m$ bilinear forms in $2n$ variables, obtained by masking the central map with secret linear transformations. A reference implementation targeting NIST security level 1 achieves a 24-byte signature and a 23-kilobyte public key. This signature size is among the smallest ever proposed for level 1 security and the scheme achieves verification efficiency comparable to the fastest existing designs. Security relies on the hardness of solving certain bilinear systems, for which it seems no efficient classical or quantum algorithms are known.
Kai-Chun Ning, Lars Ran, Simona Samardjiska
ePrint Report
Algebraic cryptanalysis is an important and versatile tool in the evaluation of the security of various cryptosystems, especially in multivariate cryptography. Its effectiveness can be determined by analyzing the Polynomial System Solving problem (PoSSo). However, the polynomial systems arising from cryptanalytic algebraic models often exhibit structure that is crucial for the solving complexity and is often not well understood.

In this paper we turn our focus to multi-homogeneous systems that very often arise in algebraic models. Despite their overwhelming presence, both the theory and the practical solving methods are not complete. Our work fills this gap. We develop a theory for multi-homogeneous systems that extends the one for regular and semi-regular sequences. We define "border-regular" systems and provide exact statements about the rank of a specific submatrix of the Macaulay matrix that we associate to these systems. We then use our theoretical results to define Multi-homogeneous XL, an algorithm that extends XL to the multi-homogeneous case. We further provide a fully optimized implementation of Multi-homogeneous XL that uses sparse linear algebra and can handle a vast parameter range of multi-homogeneous systems. To the best of our knowledge this is the first implementation of its kind, and we make it publicly available.