International Association for Cryptologic Research


IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:


26 March 2025

Alex Biryukov, Baptiste Lambin, Aleksei Udovenko
ePrint Report
This work presents an exact and compact formula for the probability of rotation-xor differentials (RX-differentials) through modular addition, for arbitrary rotation amounts, which has been a long-standing open problem. The formula comes with a rigorous proof and is also verified by extensive experiments.

Our formula uncovers an error in a recent work from 2022 proposing a formula for rotation amounts bigger than 1. Surprisingly, it also affects the correctness of the more studied and used formula for the rotation amount equal to 1 (from TOSC 2016). Specifically, it uncovers rare cases where the assumptions of this formula do not hold. The correct formula for arbitrary rotations now opens up a larger search space where one can often find better trails.

For applications, we propose automated mixed integer linear programming (MILP) modeling techniques for searching optimal RX-trails based on our exact formula. They are consequently applied to several ARX designs, including Salsa, Alzette and a small-key variant of Speck, and yield many new RX-differential distinguishers, some of them based on provably optimal trails. In order to showcase the relevance of the RX-differential analysis, we also design Malzette, a 12-round Alzette-based permutation with maliciously chosen constants, which has a practical RX-differential distinguisher, while standard differential/linear security arguments suggest sufficient security.
Andrea Flamini, Silvio Ranise, Giada Sciarretta, Mario Scuro, Nicola Smaniotto, Alessandro Tomasi
ePrint Report
Digital identity wallets allow citizens to prove who they are and manage digital documents, called credentials, such as mobile driving licenses or passports. As with physical documents, secure and privacy-preserving management of the credential lifecycle is crucial: a credential can change its status from issued to valid, revoked or expired. In this paper, we focus on the analysis of cryptographic accumulators as a revocation scheme for digital identity wallet credentials. We describe the most well-established public key accumulators, and how zero-knowledge proofs can be used with accumulators for revocation of non-anonymous credentials. In addition, we assess the computational and communication costs analytically and experimentally. Our results show that they are comparable with existing schemes used in the context of certificate revocation.
Julien Devevey, Morgane Guerreau, Thomas Legavre, Ange Martinelli, Thomas Ricosset
ePrint Report
HuFu is an unstructured lattice-based signature scheme proposed during the NIST PQC standardization process. In this work, we present a side-channel analysis of HuFu's reference implementation.

We first exploit the multiplications involving its two main secret matrices, recovering approximately half of their entries through a non-profiled power analysis with a few hundred traces. Using these coefficients, we reduce the dimension of the underlying LWE problem, enabling full secret key recovery with calls to a small block-sized BKZ.

To mitigate this attack, we propose a countermeasure that replaces sensitive computations involving a secret matrix with equivalent operations derived solely from public elements, eliminating approximately half of the identified leakage and rendering the attack unfeasible.

Finally, we perform a non-profiled power analysis targeting HuFu's Gaussian sampling procedure, recovering around 75% of the remaining secret matrix's entries in a few hundred traces. While full key recovery remains computationally intensive, we demonstrate that partial knowledge of the secret significantly improves the efficiency of signature forgery.

25 March 2025

Input Output Group
Job Posting

Who you are:
The internship is ideally intended for senior undergraduate/master students, PhD candidates, or early postdocs in one of the fields with relevance to blockchain systems, such as computer science, applied mathematics, cryptography, or economics. It is a perfect opportunity for an early-stage researcher to gain valuable research experience by collaborating with members of the IOG Research team on current challenges in blockchain technologies.

What the role involves:
The intern will work on an Internship Project that will be defined prior to the commencement of the internship, taking into account the intern’s scientific background and skillset, as well as the research priorities within IOG.

The work will be done under the guidance of a supervisor, who will be one of the members of IOG Research. Supervisors will contribute to defining the scope of the Internship Project, track the intern’s progress, provide guidance, and ensure that the work done is aligned with the broader research carried out at IOG Research.

The duration of the internship is up to 3 months and is primarily intended to take place during summer 2025, although other time periods may be considered.

Closing date for applications:

Contact: Sandro Coretti-Drayton

More information: https://apply.workable.com/io-global/j/0BC29938F1/

EPITA, EPITA Research Laboratory (LRE); Paris, Rennes or Toulouse, France
Job Posting
EPITA: École d'Ingénieurs en Informatique is offering several teaching/research positions (MCF and PR profile) in computer science within the EPITA Research Laboratory (LRE) for the start of the 2025-2026 academic year.
The LRE, https://www.lre.epita.fr, is attached to the "EDITE doctoral school" in Paris (Sorbonne University). It was evaluated by Hcéres in 2017-2018, and is currently being evaluated (wave 2024-2025). We are recruiting to strengthen the five LRE teams, in particular the Security and Systems team (https://www.lre.epita.fr/systems/), for the Paris, Rennes and Toulouse sites in the following areas:
  • For the Paris site:
    • Cryptography
      • Post-quantum standards, protocols and primitives
      • Automatic analysis
      • Blockchain
    • Learning detection and security
      • Attack detection and analysis
      • Security of learning models
    • Software and hardware security
      • Virology and malware analysis
      • Reverse engineering at assembler and hardware level
    • Systems
      • Operating systems and kernels
      • Cloud computing and virtualisation
      • Embedded systems
  • For the Rennes site:
    • Static and dynamic analysis of malicious software
    • Instrumentation and tools for analysis and monitoring
    with teaching interventions mainly in the DevSecOps major.
  • For the Toulouse site:
    • The dedicated job description for an HDR or ‘almost HDR’ profile is here: https://tinyurl.com/PosteEpitaToulouseHDR2025

Closing date for applications:

Contact: pierre.parrend@epita.fr; thierry.gerault@epita.fr

More information: https://tinyurl.com/PostesEpitaSECUSYST2025

University of Southern Queensland, Australia - work can be done remotely within Australia.
Job Posting
Position 1: One or two casual researchers in the field of Privacy-preserving Machine Learning, for a few hundred hours each (the exact number of hours is negotiable and depends on the availability of the candidate/s).
Expectations: to produce top-tier journal paper/s in the field of Privacy-preserving Machine Learning.

Position 2: A casual developer with the following skill set required, for a few hundred hours (the exact number of hours is negotiable and depends on the availability of the candidate):
1. Swift (for a task specifically for iOS), and
2. Java (for Android app development), and
3. TensorFlow.js (for a specific task), and
4. Java or PHP or C# (for web page development), and
5. HTML and CSS and JavaScript (for UI design).
Expectations: to continue with some existing development work by polishing and finalizing the mobile app development.

Note: The successful candidates for both the positions above must be physically based in Australia with working rights in Australia when the work is being done.

Closing date for applications:

Contact: Dr. Zhaohui (Linda) Tang at:
Zhaohui.Tang@unisq.edu.au

University of Tartu
Job Posting
The zero-knowledge group (a subgroup of the cryptography group) at the Institute of Computer Science of the University of Tartu seeks one postdoctoral researcher and one Ph.D student in contemporary zk-SNARKs. The existing zero-knowledge group comprises Helger Lipmaa, Janno Siim, and Ph.D students. Our current research interests include the provable security of zk-SNARKs (including more stringent security notions and more realistic cryptographic assumptions), the design of pairing-based, code-based, and lattice-based zk-SNARKs, and the design of zk-SNARKs for applications like zkVM and zkML. We collaborate actively with local groups on coding theory and machine learning to further our aims. While primarily focused on academic publishing, we are interested in collaborating with ZK companies.

The postdoctoral researcher should have a strong track record in areas related to the design and analysis of efficient zero-knowledge proofs. We expect the candidate to have published a few papers at IACR conferences or venues of equivalent renown. The Ph.D student must have an MSc or equivalent by this spring, a strong mathematics and/or theoretical computer science background, and an existing cryptography background. We welcome all exceptional candidates. We especially welcome candidates with a background in PQ zk-SNARKs (hash-based or lattice-based) or applications like zkML; in the case of the Ph.D student, we interpret it as a background either in coding theory, lattice-based cryptography, or machine learning.

To apply for the positions, submit a letter of motivation (clearly stating why this project and the applicant are a good match), a full research CV, names of two references, and a research statement (obligatory for the postdoctoral researcher), clearly indicating the sought position (postdoc or Ph.D student).

The postdoc position starts on August 1, 2025, or later and lasts 2-4 years, depending on the candidate and negotiations. The Ph.D. position starts on September 1, 2025, and lasts four years. The candidates may later seek further employment, but this is not guaranteed in advance. Application deadline: 25.04.2025.

Closing date for applications:

Contact: Helger Lipmaa Professor of Cryptography, Head of Chair

https://kodu.ut.ee/~lipmaa/

helger dot lipmaa at ut dot ee

More information: https://crypto.cs.ut.ee/Main/OpenPositions

University of Luxembourg
Job Posting
The Applied Crypto group of the University of Luxembourg is offering a Ph.D. student and a post-doc position in cryptography. Possible topics of interest are fully homomorphic encryption, public-key cryptanalysis, and side-channel attacks and countermeasures. We offer a competitive salary. The duration of the position is 3 years (+ 1 year extension) for Ph.D., and 3 years for post-doc.

Closing date for applications:

Contact: Jean-Sebastien Coron - jean-sebastien.coron@uni.lu

More information: http://www.crypto-uni.lu/vacancies.html

Radboud University, Nijmegen, The Netherlands
Job Posting
We are looking for a Ph.D. student to join the Digital Security group at Radboud University. The position is fully funded for 4 years.

The candidate will work on the hardware security of symmetric-key ciphers. Topics of interest include:
  • hardware implementations
  • side-channel analysis
  • fault analysis
  • investigation of countermeasures
You will spend about 10% of your time assisting with teaching at our department. This will typically include tutoring practical assignments, grading coursework, and supervising student projects.

Your profile: You hold a Master’s degree in mathematics, computer science, engineering, or a related field or expect to obtain such a degree soon. You have good programming skills and some experience with at least one of the following: cryptography, side-channel attacks or hardware description languages. You have a strong interest in cryptography and embedded systems security and especially their real-world deployment.

To apply please visit: https://www.ru.nl/en/working-at/job-opportunities/phd-position-hardware-security-of-symmetric-key-ciphers
Only applications via the official portal will be considered.
Application deadline: 31 March 2025
Start date: flexible

Closing date for applications:

Contact: Dr. S. Mella

More information: https://www.ru.nl/en/working-at/job-opportunities/phd-position-hardware-security-of-symmetric-key-ciphers

Abhishek Kumar, Amit Kumar Chauhan, Somitra Kumar Sanadhya
ePrint Report
This paper presents a security analysis of the South Korean Format-Preserving Encryption (FPE) standards FEA-1 and FEA-2. In 2023, Chauhan et al. presented the first third-party analysis of FEA-1 and FEA-2 against the square attack. The authors proposed new distinguishing attacks covering up to three rounds of FEA-1 and five rounds of FEA-2, with a data complexity of $2^8$ plaintexts. Additionally, using these distinguishers, they presented key recovery attacks for four rounds of FEA-1 and six rounds of FEA-2, for 192-bit and 256-bit key sizes. The complexities of both the four-round FEA-1 and six-round FEA-2 key recovery attacks are $2^{137.6}$.

In this work, we successfully extend the number of rounds attacked for both FEA-1 and FEA-2, using the square attack technique. Specifically, we present a four-round distinguishing attack against FEA-1 and six-round distinguishing attack against FEA-2. The data complexities of these distinguishers are $2^{64}$ plaintexts. Furthermore, we apply these distinguishers to perform key recovery attacks on five rounds of FEA-1 and seven rounds of FEA-2, targeting the 256-bit key size. The time complexities of the presented key recovery attacks are $2^{193.6}$.
Shams Tarek, Dipayan Saha, Sujan Kumar Saha, Farimah Farahmandi
ePrint Report
The current landscape of system-on-chips (SoCs) security verification faces challenges due to manual, labor-intensive, and inflexible methodologies. These issues limit the scalability and effectiveness of security protocols, making bug detection at the Register-Transfer Level (RTL) difficult. This paper proposes a new framework named BugWhisperer that utilizes a specialized, fine-tuned Large Language Model (LLM) to address these challenges. By enhancing the LLM's hardware security knowledge and leveraging its capabilities for text inference and knowledge transfer, this approach automates and improves the adaptability and reusability of the verification process. We introduce an open-source, fine-tuned LLM specifically designed for detecting security vulnerabilities in SoC designs. Our findings demonstrate that this tailored LLM effectively enhances the efficiency and flexibility of the security verification process. Additionally, we introduce a comprehensive hardware vulnerability database that supports this work and will further assist the research community in enhancing the security verification process.
Michele Battagliola, Giuseppe D'Alconzo, Andrea Gangemi, Chiara Spadafora
ePrint Report
CHide is one of the most prominent e-voting protocols, which, while combining security and efficiency, suffers from having very long encrypted credentials. In this paper, starting from CHide, we propose a new protocol, based on multiparty Class Group Encryption (CGE) instead of discrete logarithm cryptography over known order groups, achieving a computational complexity of $O(nr)$, for $n$ votes and $r$ voters, and using a single MixNet. The homomorphic properties of CGE allow for more compact credentials while maintaining the same level of security at the cost of a small slowdown in efficiency.
Théophile Brézot, Chloé Hébant, Paola de Perthuis, David Pointcheval
ePrint Report
The ETSI Technical Specification 104 015 proposes a framework to build Key Encapsulation Mechanisms (KEMs) with access policies and attributes, in the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) vein. Several security guarantees and functionalities are claimed, such as pre-quantum and post-quantum hybridization to achieve security against Chosen-Ciphertext Attacks (CCA), anonymity, and traceability. In this paper, we present a formal security analysis of a more generic construction, with application to the specific Covercrypt scheme, based on the pre-quantum ECDH and the post-quantum ML-KEM KEMs. We additionally provide an open-source library that implements the ETSI standard, in Rust, with high efficiency.
Razvan Barbulescu, Damien Robert, Nicolas Sarkis
ePrint Report
In order to compute a multiple of a point on an elliptic curve in Weierstrass form one can use formulas in only one of the two coordinates of the points. When one computes with these $x$-only formulas one says that one computes on the Kummer line. Similarly, it is easy to define the Kummer line of an elliptic curve in theta coordinates. In this article we give a unified definition of what is a Kummer line.

Using Mumford's theory of the theta group and defining the isomorphism of Kummer lines, we obtain that there are only two types of Kummer lines. The same theory allows us to give conversion formulas between Kummer models in a unified manner.

We also classify curves that admit these different models via Galois representation and modular curves. When an elliptic curve is viewed inside a $2$-volcano we give criteria to say if it has a given Kummer model based solely on its position in the volcano. We give applications to the ECM factorization algorithm.
Adrian Perez Keilty, Diego F. Aranha, Elena Pagnin, Francisco Rodríguez-Henríquez
ePrint Report
Over two decades since their introduction in 2005, all major verifiable pairing delegation protocols for public inputs have been designed to ensure information-theoretic security. However, we note that a delegation protocol involving only ephemeral secret keys in the public view can achieve everlasting security, provided the server is unable to produce a pairing forgery within the protocol’s execution time. Thus, computationally bounding the adversary’s capabilities during the protocol’s execution, rather than across its entire lifespan, may be more reasonable, especially when the goal is to achieve significant efficiency gains for the delegating party. This consideration is particularly relevant given the continuously evolving computational costs associated with pairing computations and their ancillary blocks, which creates an ever-changing landscape for what constitutes efficiency in pairing delegation protocols. With the goal of fulfilling both efficiency and everlasting security, we present AmorE, a protocol equipped with an adjustable security and efficiency parameter for sequential pairing delegation, which achieves state-of-the-art amortized efficiency in terms of the number of pairing computations. For example, delegating batches of 10 pairings on the BLS48-575 elliptic curve via our protocol costs to the client, on average, less than a single scalar multiplication in G2 per delegated pairing, while still ensuring at least 40 bits of statistical security.
Dipayan Saha, Jingbo Zhou, Farimah Farahmandi
ePrint Report
Power side-channel (PSC) vulnerabilities present formidable challenges to the security of ubiquitous microelectronic devices in mission-critical infrastructure. Existing side-channel assessment techniques mostly focus on post-silicon stages by analyzing power profiles of fabricated devices, suffering from low flexibility and prohibitively high cost while deploying security countermeasures. While pre-silicon PSC assessments offer flexibility and low cost, the true nature of the power signatures cannot be fully captured through RTL or gate-level design. Although physical design-level analysis provides precise power traces, collecting data is time and resource-consuming at the layout level. To address this challenge, we propose, for the first time, a fast and efficient physical design-level PSC assessment framework using a graph neural network (GNN). This framework predicts dynamic power traces for new layouts, using them to assess physical design security through metrics evaluation. Our experiments on AES-GF layout implementations achieve a tremendous 133 times speedup compared to conventional simulation-based flow without sacrificing substantial accuracy.
Gweonho Jeong, Myeongkyun Moon, Geonho Yoon, Hyunok Oh, Jihye Kim
ePrint Report
SNARKs are frequently used to prove encryption, yet the circuit size often becomes large due to the intricate operations inherent in encryption. It entails considerable computational overhead for a prover and can also lead to an increase in the size of the public parameters (e.g., evaluation key). We propose an encryption-friendly SNARK framework, $\textsf{Tangram}$, which allows anyone to construct a system by using their desired encryption and proof system. Our approach revises existing encryption schemes to produce Pedersen-like ciphertext, including identity-based, hierarchical identity-based, and attribute-based encryption. Afterward, to prove the knowledge of the encryption, we utilize a modular manner of commit-and-prove SNARKs, which uses commitment as a 'bridge'. With our framework, one can prove encryption significantly faster than proving the whole encryption within the circuit. We implement various $\textsf{Tangram}$ gadgets and evaluate their performance. Our results show 12x to 3500x better performance than encryption-in-the-circuit.
Gweonho Jeong, Jaewoong Lee, Minhae Kim, Byeongkyu Han, Jihye Kim, Hyunok Oh
ePrint Report
Blockchain advancements, currency digitalization, and declining cash usage have fueled global interest in Central Bank Digital Currencies (CBDCs). The BIS states that the hybrid model, where central banks authorize intermediaries to manage distribution, is more suitable than the direct model. However, designing a CBDC for practical implementation requires careful consideration. First, the public blockchain raises privacy concerns due to transparency. While zk-SNARKs can be a solution, they can introduce significant proof generation overhead for large-scale transactions. Second, intermediaries that provide user-facing services on behalf of the central bank commonly perform Proof of Liabilities on customers' static liabilities. However, in real-world scenarios where user liabilities can arbitrarily increase or decrease, the static nature poses risks such as window attacks.

In this paper, we propose a new smart contract-based privacy-preserving CBDC framework based on zk-SNARKs, called $\textbf{Aegis}$. Our framework introduces a transaction batching technique to enhance scalability and defines a new dynamic PoL which is near-real time. We formally define the security models for our system and provide rigorous security proofs to demonstrate its robustness. To evaluate the system’s performance, we instantiate our proposed framework and measure its efficiency. The result indicates that the end-to-end process, including proof generation for 512 transactions, takes approximately 2.8 seconds, with a gas consumption of 74,726 per user.
Anna P. Y. Woo, Alex Ozdemir, Chad Sharp, Thomas Pornin, Paul Grubbs
ePrint Report
Digital signatures underpin identity, authenticity, and trust in modern computer systems. Cryptography research has shown that it is possible to prove possession of a valid message and signature for some public key, without revealing the message or signature. These proofs of possession work only for specially-designed signature schemes. Though these proofs of possession have many useful applications to improving security, privacy, and anonymity, they are not currently usable for widely deployed, legacy signature schemes such as RSA, ECDSA, and Ed25519. Unlocking practical proofs of possession for these legacy signature schemes requires closing a huge efficiency gap.

This work brings proofs of possession for legacy signature schemes very close to practicality. Our design strategy is to encode the signature's verification algorithm as a rank-one constraint system (R1CS), then use a zkSNARK to prove knowledge of a solution. To do this efficiently we (1) design and analyze a new zkSNARK called Dorian that supports randomized computations, (2) introduce several new techniques for encoding hashes, elliptic curve operations, and modular arithmetic, (3) give a new approach that allows performing the most expensive parts of ECDSA and Ed25519 verifications outside R1CS, and (4) generate a novel elliptic curve that allows expressing Ed25519 curve operations very efficiently. Our techniques reduce R1CS sizes by up to 200$\times$ and prover times by 3-22$\times$.

We can generate a 240-byte proof of possession of an RSA signature over a message the size of a typical TLS certificate (two kilobytes) in only three seconds.

24 March 2025

Rui-Tao Su, Jiong-Jiong Ren, Shao-Zhen Chen
ePrint Report
In recent years, the intersection of deep learning and differential cryptanalysis has given rise to the emerging field of differential neural cryptanalysis, providing an efficient data-driven paradigm for security evaluation of modern cryptographic algorithms. Traditional differential cryptanalysis relies on manual search for high-probability differential characteristics, a process limited by the nonlinearity complexity of the algorithm. In contrast, differential neural cryptanalysis improves the efficiency and automation of the analysis by training neural networks to automatically extract statistical features from ciphertext pairs. As research advances, Lu et al. proposed improved related-key neural distinguishers for the SIMON and SIMECK algorithms. However, current methodologies for constructing related-key distinguishers remain highly specialized, lacking a generalized optimization framework to address diverse cryptographic structures.

This paper proposes a novel framework for constructing related-key neural differential distinguishers that optimizes three key components: dataset construction (multi-ciphertext multi-difference formats), differential path selection (structural filtering), and network architecture (DRSN for noise suppression). By applying this framework to two standardized algorithms, DES and PRESENT, our experiments demonstrate significant advancements. For DES, the framework achieves an 8-round related-key neural distinguisher and improves 6/7-round distinguisher accuracy by over 40%. For PRESENT, we construct the first 9-round related-key neural distinguisher, which outperforms existing single-key distinguishers in both round coverage and accuracy. Additionally, we employ kernel principal component analysis (KPCA) and K-means clustering to evaluate the quality of differential datasets for DES and PRESENT, revealing that clustering compactness strongly correlates with distinguisher performance. Furthermore, we propose a validation algorithm to verify differential combinations with cryptographic advantages from a machine learning perspective, identifying 'good' plaintext-key differential combinations. We apply this approach to the SIMECK algorithm, demonstrating its broad applicability. These findings validate the framework’s effectiveness in bridging cryptographic analysis with data-driven feature extraction and offer new insights for automated security evaluation of block ciphers.