International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

20 June 2025

Lorenzo Rovida, Alberto Leporati, Simone Basile
ePrint Report
Sorting encrypted values is an open research problem that plays a crucial role in the broader objective of providing efficient and practical privacy-preserving online services. The current state-of-the-art work by Mazzone, Everts, Hahn and Peter (USENIX Security '25) proposes efficient algorithms for ranking, indexing and sorting based on the CKKS scheme, which deviates from the compare-and-swap paradigm typically used by sorting networks, using a permutation-based approach instead. This allows one to build shallow sorting circuits in a very simple way. In this work, we follow up on their work and explore different approaches to approximate the nonlinear functions required by the encrypted circuit (where only additions and multiplications can be evaluated), and we propose simpler solutions that allow for faster computations and smaller memory requirements.

In particular, we drastically reduce the upper bound on the depth of the circuits from 65 to 20, making our circuits usable in relatively small rings such as $N=2^{16}$, even for sorting values while preserving up to three decimal places. As an example, our circuit sorts 128 values with duplicates in roughly 20 seconds on a laptop, using roughly 1 GB of memory, maintaining a precision of 0.01. Furthermore, we propose an implementation of a swap-based bitonic network that is not based on approximations of the sgn$(x)$ function, which scales linearly with the number of values, useful when the number of available slots is small.
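To make the "compare-and-swap paradigm typically used by sorting networks" concrete, the following is an added illustration (not the authors' code or the CKKS circuit from the paper): a plaintext bitonic sorting network whose comparator pattern is fixed in advance and independent of the data, which is what lets such a network be evaluated as a circuit on encrypted inputs. Each comparator is min/max on cleartext integers here; in the encrypted setting that inner min/max is what has to be approximated, and this example does not model that cost. The input vector is constructed.

```python
"""Bitonic compare-and-swap sorting network on plaintext integers.

Added illustration, not code from the paper. The comparator layers are a
function of the input length only, never of the values, so the same
network sorts any input (duplicates included) with a fixed number of
parallel compare-and-swap rounds.
"""
import random


def bitonic_layers(n):
    """Comparator layers of a bitonic sorting network on n = 2^k wires.

    Each layer is a list of (lo, hi, ascending) triples touching disjoint
    wires, so one layer is one parallel step; len(layers) is the depth of
    the network, k(k+1)/2 for n = 2^k.
    """
    if n <= 0 or n & (n - 1):
        raise ValueError("n must be a power of two")
    layers = []
    k = 2                       # size of the bitonic sequences being merged
    while k <= n:
        j = k // 2              # stride of the comparators in this merge step
        while j >= 1:
            layer = []
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    ascending = (i & k) == 0
                    layer.append((i, partner, ascending))
            layers.append(layer)
            j //= 2
        k *= 2
    return layers


def compare_and_swap(values, lo, hi, ascending):
    """Oblivious comparator: always writes both wires, whatever the input."""
    a, b = values[lo], values[hi]
    small, large = min(a, b), max(a, b)
    values[lo], values[hi] = (small, large) if ascending else (large, small)


def bitonic_sort(values):
    """Sort by running every comparator of every layer in order."""
    vals = list(values)
    for layer in bitonic_layers(len(vals)):
        for lo, hi, asc in layer:
            compare_and_swap(vals, lo, hi, asc)
    return vals


def network_depth(n):
    """Number of comparator layers, i.e. the number of sequential rounds."""
    return len(bitonic_layers(n))


def layers_are_parallel(n):
    """Sanity check: no wire appears twice inside one layer."""
    for layer in bitonic_layers(n):
        wires = [w for lo, hi, _ in layer for w in (lo, hi)]
        if len(wires) != len(set(wires)):
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(2025)
    data = [rng.randrange(0, 50) for _ in range(128)]   # constructed input, with duplicates
    assert bitonic_sort(data) == sorted(data)
    print("comparator layers for 128 wires:", network_depth(128))
```

For 128 values the network has 28 comparator layers; in an FHE setting the multiplicative depth of the whole circuit is that layer count times the depth of one approximated compare-and-swap, which is why the approximation of the nonlinear function, not the network shape, dominates the depth figures quoted above.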
Yang Yang, Fangguo Zhang
ePrint Report
In this paper, we propose an improvement to the McEliece encryption scheme by replacing the Goppa code with a $(U+V,U+W)$ code. Specifically, we embed the generator matrices of a split Reed-Solomon code into the generator matrix of the $(U+V,U+W)$ code. This approach disrupts the algebraic structure of Reed-Solomon codes, thereby enhancing resistance against structural attacks targeting such codes, while simultaneously preserving their excellent error-correcting capabilities. As a result, the proposed scheme achieves a significant reduction in public key size. Under the hardness assumptions of the decoding problem and the code distinguishing problem for $(U+V,U+W)$ codes, we prove that the scheme achieves indistinguishability under chosen-plaintext attacks (IND-CPA security). Finally, we provide recommended parameters for various security levels and compare the proposed scheme with other code-based public key encryption schemes.
Avik Chakraborti, Mridul Nandi, Suprita Talnikar
ePrint Report
Observing the growing popularity of random permutation (RP)-based designs (e.g., Sponge), Bart Mennink in CRYPTO 2019 initiated interesting research in the direction of RP-based pseudorandom functions (PRFs). Both are claimed to achieve beyond-the-birthday-bound (BBB) security of $2n/3$ bits ($n$ being the input block size in bits) but require two instances of RPs and can handle only one-block inputs. In this work, we extend research in this direction by providing two new BBB-secure constructions by composing the tweakable Even-Mansour appropriately. Our first construction requires only one instance of an RP and only one key. Our second construction extends the first to a nonce-based Message Authentication Code (MAC) using a universal hash to deal with multi-block inputs. We show that the hash key can be derived from the original key when the underlying hash is the Polyhash. We provide matching attacks for both constructions to demonstrate the tightness of the proven security bounds.
Sanjam Garg, Aarushi Goel, Dimitris Kolonelos, Rohit Sinha
ePrint Report
Privacy is a growing concern for smart contracts on public ledgers. In recent years, we have seen several practical systems for privacy-preserving smart contracts, but they only target privacy of on-chain data, and rely on trusted off-chain parties with user data -- for instance, a decentralized finance application (e.g. exchange) relies on an off-chain matching engine to process client orders that get settled on-chain, where privacy only applies to the on-chain data. Privacy conscious users demand stronger notions of privacy, for their identity and their data, from all other parties in the ecosystem.

We propose a novel framework for smart contracts that ensures {\em doubly private} execution, addressing {both on-chain and off-chain privacy} requirements. In our framework, clients submit their requests in a privacy-preserving manner to a group of (potentially mutually untrusting) servers. These servers collaboratively match client requests without learning any information about the data or identities of the clients.

We then present {\em Jigsaw}, an efficient cryptographic realization of our proposed framework. {\em Jigsaw} builds on the ZEXE architecture (Bowe et al., S\&P 2020), which leverages zkSNARKs, and extends Collaborative zkSNARKs (Ozdemir and Boneh, USENIX 2022) to enable proof generation by a group of servers.

In Jigsaw, we introduce a novel collaborative zkSNARK construction that achieves low latency and reduced proving time, and showcase these advantages over sample applications ranging from trading in a decentralized exchange to auctions and voting. Our experiments demonstrate that {\em Jigsaw} is roughly $40-50$x faster in proof generation and uses orders-of-magnitude less bandwidth than the naive approach of using off-the-shelf Collaborative zkSNARKs.

19 June 2025

Zibo Zhou, Zongyang Zhang, Feng Hao, Bowen Zheng, Zulkarnaim Masyhur
ePrint Report
Decentralized e-voting enables secure and transparent elections without relying on trusted authorities, with blockchain emerging as a popular platform. It has compelling applications in Decentralized Autonomous Organizations (DAOs), where governance relies on voting with blockchain-issued tokens. Quadratic voting (QV), a mechanism that mitigates the dominance of large token holders, has been adopted by many DAO elections to enhance fairness. However, current QV systems deployed in practice publish voters' choices in plaintext with digital signatures. The open nature of all ballots compromises voter privacy, potentially affecting voters' honest participation. Prior research proposes using cryptographic techniques to encrypt QV ballots, but they work in a centralized setting, relying on a trusted group of tallying authorities to administer an election. However, in DAO voting, there is no trusted third party.

In this paper, we propose QV Network (QV-net), the first decentralized quadratic voting scheme, in which voters do not need to trust any third party other than themselves for ballot secrecy. QV-net is self-tallying with maximal ballot secrecy. Self-tallying allows anyone to compute election results once all ballots are cast. Maximal ballot secrecy ensures that what each voter learns from QV-net is nothing more than the tally and their own ballot. We provide an open-source implementation of QV-net to demonstrate its practicality based on real-world DAO voting settings, reporting only a few milliseconds for voting and a maximum of 255 milliseconds for tallying.

The exceptional efficiency of QV-net is attributed to the design of two new Zero-Knowledge Argument of Knowledge (ZKAoK) protocols for QV ballot secrecy and integrity. Previous works generally rely on pairing-friendly curves to prove the well-formedness of an encrypted QV ballot. But they incur heavy computation and large data sizes. We tackle the challenges of appropriately formalizing and proving ZKAoK relations for QV without using these curves. Specifically, we develop a succinct ZKAoK to prove a new relation: the sum of squares of a private vector's components equals a private scalar. We also introduce the first aggregated range proof to prove that values committed under different keys fall within their respective ranges. Together, these two new zero-knowledge protocols enable us to build an efficient decentralized QV scheme and are of independent interest.
Callum London, Daniel Gardham, Constantin Catalin Dragan
ePrint Report
Group Signatures are fundamental cryptographic primitives that allow users to sign a message on behalf of a predefined set of users, curated by the group manager. The security properties ensure that members of the group can sign anonymously and without fear of being framed. In dynamic group signatures, the group manager has finer-grained control over group updates while ensuring membership privacy (i.e., hiding when users join and leave). The only known scheme that achieves standard security properties and membership privacy has been proposed by Backes et al. (CCS 2019). However, they rely on an inefficient revocation mechanism that re-issues credentials to all active members during every group update, and users have to rely on a secure and private channel to join the group. In this paper, we introduce a dynamic group signature that supports verifier-local revocation, while achieving strong security properties, including membership privacy for users joining over a public channel. Moreover, when our scheme is paired with structure-preserving signatures over equivalence classes it enjoys a smaller signature size compared to Backes et al. Finally, as a stand-alone contribution we extend the primitive Asynchronous Remote Key Generation (Frymann et al., CCS 2020) with trapdoors and introduce new security properties to capture this new functionality, which is fundamental to the design of our revocation mechanism.
Rick Weber, Ryan Orendorff, Ghada Almashaqbeh, Ravital Solomon
ePrint Report
Fully Homomorphic Encryption (FHE) is a key technology to enable privacy-preserving computation. While optimized FHE implementations already exist, the inner workings of FHE are technically complex. This makes it challenging, especially for non-experts, to develop highly-efficient FHE programs that can exploit the advanced hardware of today. Although several compilers have emerged to help in this process, due to design choices, they are limited in terms of application support and the efficiency levels they can achieve.

In this work, we showcase how to make FHE accessible to non-expert developers while retaining the performance provided by an expert-level implementation. We introduce Parasol, a novel end-to-end compiler encompassing a virtual processor with a custom Instruction Set Architecture (ISA) and a low-level library that implements FHE operations. Our processor integrates with existing compiler toolchains, thereby providing mainstream language support. We extract parallelism at multiple levels via our processor design and its computing paradigm. Specifically, we champion a Circuit Bootstrapping (CBS)-based paradigm, enabling efficient FHE circuit composition with multiplexers. Furthermore, Parasol’s underlying design highlights the benefits of expressing FHE computations at a higher level—producing highly compact program representations. Our experiments demonstrate the superiority of Parasol, in terms of runtime (up to 17x faster), program size (up to 22x smaller), and compile time (up to 32x shorter) compared to the current state-of-the-art. We expect the FHE computing paradigm underlying Parasol to attract future interest since it exposes added parallelism for FHE accelerators to exploit.
Lars Ran
ePrint Report
The Unbalanced Oil and Vinegar construction (UOV) has been the backbone of multivariate cryptography since the fall of HFE-based schemes. In fact, 7 UOV-based schemes have been submitted to the NIST additional call for signatures, and 4 of these made it to the second round. For efficiency considerations, most of these schemes are defined over a field of characteristic 2. This has as a side effect that the polar forms of the UOV public maps are not only symmetric, but also alternating.

In this work, we propose a new key-recovery attack on UOV in characteristic 2 that makes use of this property. We consider the polar forms of the UOV public maps as elements of the exterior algebra. We show that these are contained in a certain subspace of the second exterior power that is dependent on the oil space. This allows us to define relations between the polar forms and the image of the dual of the oil space under the Plücker embedding. With this, we can recover the secret oil space using sparse linear algebra.

This new attack has an improved complexity over previous methods and reduces the security by 4, 11, and 20 bits for uov-Ip, uov-III, and uov-V, respectively. Furthermore, the attack is applicable to MAYO$_2$ and improves on the best attack by 28 bits.
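The property the abstract builds on, that in characteristic 2 the polar form of a quadratic form is alternating rather than merely symmetric, and that the polar forms of UOV maps vanish on the oil space, can be checked on a toy instance. The following is an added illustration (not the author's code and not the attack): quadratic forms over GF(2) are stored as upper-triangular coefficient matrices, and the oil space is simply the span of the last m coordinates with no secret change of variables, which is an assumption made to keep the structure visible; real UOV keys hide the oil space behind a secret linear map.

```python
"""Polar forms over GF(2): B(x, y) = Q(x+y) - Q(x) - Q(y) is alternating, and
for a UOV-style form it vanishes on the oil space.

Added illustration, not code from the paper. Toy model: oil space O is the
span of the last m standard basis vectors and no mixing map is applied.
"""
import random


def eval_quadratic(A, x):
    """Q(x) = sum_{i<=j} A[i][j] x_i x_j over GF(2); A is upper triangular."""
    n = len(x)
    acc = 0
    for i in range(n):
        if x[i]:
            for j in range(i, n):
                acc ^= A[i][j] & x[j]
    return acc


def polar_form(A, x, y):
    """B(x, y) = Q(x + y) - Q(x) - Q(y); in characteristic 2 '-' is '+'."""
    s = [a ^ b for a, b in zip(x, y)]
    return eval_quadratic(A, s) ^ eval_quadratic(A, x) ^ eval_quadratic(A, y)


def polar_matrix(A):
    """Matrix of B is A + A^T; its diagonal 2*A[i][i] is 0 in GF(2), so B is alternating."""
    n = len(A)
    return [[A[i][j] ^ A[j][i] for j in range(n)] for i in range(n)]


def bilinear(M, x, y):
    """x^T M y over GF(2)."""
    n = len(M)
    return sum(x[i] & M[i][j] & y[j] for i in range(n) for j in range(n)) & 1


def is_alternating(M):
    n = len(M)
    symmetric = all(M[i][j] == M[j][i] for i in range(n) for j in range(n))
    zero_diag = all(M[i][i] == 0 for i in range(n))
    return symmetric and zero_diag


def random_uov_form(n, m, rng):
    """One UOV-style form in n variables with oil space O = <e_{n-m}, ..., e_{n-1}>:
    every oil*oil coefficient is 0, so Q restricted to O is identically zero."""
    v = n - m
    A = [[0] * n for _ in range(n)]
    for i in range(v):                  # vinegar*vinegar and vinegar*oil terms only
        for j in range(i, n):
            A[i][j] = rng.randrange(2)
    return A


def random_oil_vector(n, m, rng):
    return [0] * (n - m) + [rng.randrange(2) for _ in range(m)]


def random_vector(n, rng):
    return [rng.randrange(2) for _ in range(n)]


def check_properties(n=12, m=4, seed=1, trials=50):
    """Return four booleans: B alternating, B(x,x)=0 for random x,
    B(o,o')=0 for oil vectors, and B agrees with the matrix A + A^T."""
    rng = random.Random(seed)
    A = random_uov_form(n, m, rng)
    M = polar_matrix(A)
    self_zero = all(polar_form(A, x, x) == 0
                    for x in (random_vector(n, rng) for _ in range(trials)))
    oil_zero = all(polar_form(A, random_oil_vector(n, m, rng),
                              random_oil_vector(n, m, rng)) == 0
                   for _ in range(trials))
    agrees = all(polar_form(A, x, y) == bilinear(M, x, y)
                 for x, y in ((random_vector(n, rng), random_vector(n, rng))
                              for _ in range(trials)))
    return is_alternating(M), self_zero, oil_zero, agrees


if __name__ == "__main__":
    print(check_properties())   # expect (True, True, True, True)
```

Over an odd-characteristic field the diagonal of A + A^T would be 2*A[i][i], generally non-zero, so the same form would be symmetric but not alternating; that is the distinction the abstract's exterior-algebra viewpoint depends on.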
Yue Chen, Ling Ren
ePrint Report
This paper presents OnionPIRv2, an efficient implementation of OnionPIR incorporating standard orthogonal techniques and engineering improvements. OnionPIR is a single-server PIR scheme that improves response size and computation cost by utilizing recent advances in somewhat homomorphic encryption (SHE) and carefully composing two lattice-based SHE schemes to control the noise growth of SHE. OnionPIRv2 achieves $2.5$x-$3.6$x response overhead for databases with moderately large entries (around $4$ KB or above) and up to $1600$ MB/s server computation throughput.
Zhi Lu, Songfeng Lu
ePrint Report
In many fields, the need to securely collect and aggregate data from distributed systems is growing. However, designs that rely solely on encrypted data transmission make it difficult to trace malicious users. To address this challenge, we have enhanced the secure aggregation (SA) protocol proposed by Bell et al. (CCS 2020) by introducing verification features that ensure compliance with user inputs and encryption processes while preserving data privacy. We present LZKSA, a quantum-safe secure aggregation system with input verification. LZKSA employs seven zero-knowledge proof (ZKP) protocols based on the Ring Learning with Errors problem, specifically designed for secure aggregation. These protocols verify whether users have correctly used SA keys and whether the $L_{\infty}$ and $L_2$ norms and cosine similarity of their data meet specified constraints, in order to exclude malicious users from current and future aggregation processes. The specialized ZKPs we propose significantly enhance proof efficiency. In practical federated learning scenarios, our experimental evaluations demonstrate that the proof generation time for $L_{\infty}$ and $L_2$ constraints is reduced to about $10^{-3}$ of that required by the current state-of-the-art methods, RoFL (S\&P 2023) and ACORN (USENIX 2023). For example, the proof generation/verification times of RoFL, ACORN and LZKSA for $L_{\infty}$ are 94s/29.9s, 78.7s/33.9s, and 0.02s/0.0062s for CIFAR10, respectively.
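The gap the abstract addresses is easiest to see on the underlying aggregation mechanism itself. The following is an added illustration (not the authors' code and not LZKSA): a stripped-down version of pairwise-masking secure aggregation in the style of Bell et al.'s SA protocol, with no dropout handling, no secret sharing of seeds, and a constructed per-pair constant standing in for the secret that key agreement would produce. Once the masks cancel, the server learns the exact sum, but the $L_{\infty}$/$L_2$ check can only be run by each client on its own plaintext update; nothing in the masked vectors lets the server tell that one contributor violated the bound, which is the verification a ZKP has to supply. Model dimension, bounds and the update vectors are constructed.

```python
"""Secure aggregation with cancelling pairwise masks, and the norm checks
the server cannot run on masked data.

Added illustration, not code from the paper. Simplified from the pairwise-
masking idea in Bell et al.'s SA protocol: no dropout handling, no secret
sharing of seeds, constructed per-pair secrets. Updates are fixed-point
integers handled in Z_{2^32}.
"""
import hashlib

MOD = 2 ** 32


def prg(seed, dim):
    """Expand a per-pair seed into dim words of Z_MOD (SHA-256 in counter mode)."""
    out = []
    counter = 0
    while len(out) < dim:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for k in range(0, 32, 4):
            if len(out) == dim:
                break
            out.append(int.from_bytes(block[k:k + 4], "big"))
        counter += 1
    return out


def pairwise_seed(i, j):
    """Stand-in (constructed) for the secret clients i and j would derive by key agreement."""
    lo, hi = sorted((i, j))
    return f"constructed-pair-secret-{lo}-{hi}".encode()


def mask_update(i, update, n_clients):
    """Client i adds the mask shared with every j > i and subtracts the one
    shared with every j < i; summed over all clients, every mask cancels."""
    masked = [u % MOD for u in update]
    for j in range(n_clients):
        if j == i:
            continue
        m = prg(pairwise_seed(i, j), len(update))
        sign = 1 if i < j else -1
        masked = [(a + sign * b) % MOD for a, b in zip(masked, m)]
    return masked


def aggregate(masked_updates):
    """Server-side sum in Z_MOD, mapped back to signed integers."""
    total = [0] * len(masked_updates[0])
    for mu in masked_updates:
        total = [(a + b) % MOD for a, b in zip(total, mu)]
    return [t - MOD if t >= MOD // 2 else t for t in total]


def within_bounds(update, linf_bound, l2_bound_sq):
    """L_inf and L_2 constraints a client can check on its own plaintext update."""
    return (max(abs(u) for u in update) <= linf_bound
            and sum(u * u for u in update) <= l2_bound_sq)


def demo():
    # Constructed updates; client 2 is far outside the agreed bounds.
    updates = [[3, -1, 2, 0, 5, -4], [1, 1, 1, 1, 1, 1], [40, -90, 7, 0, 0, 2]]
    masked = [mask_update(i, u, len(updates)) for i, u in enumerate(updates)]
    total = aggregate(masked)                      # exact sum: masks cancelled
    honest = [within_bounds(u, 10, 100) for u in updates]   # only clients can run this
    # The server only ever sees `masked`; it cannot evaluate within_bounds on it.
    return total, honest, masked


if __name__ == "__main__":
    total, honest, masked = demo()
    print("aggregate:", total)
    print("client-side bound checks:", honest)
```

Without proofs, the out-of-bound contribution from client 2 silently lands in the aggregate; the paper's ZKPs are what let the server reject it while still seeing nothing but the masked vector.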
Zhen-Hu Ning
ePrint Report
One-Time Pad (OTP), introduced by Shannon, is well known as an unconditionally secure encryption algorithm and has become the cornerstone of modern cryptography. However, the unconditional security of OTP applies solely to confidentiality and does not extend to integrity. Hash functions such as SHA2, SHA3 or SM3 apply only to integrity, not to confidentiality, and also cannot achieve unconditional security. Encryption and digital signatures based on asymmetric cryptography can provide confidentiality, integrity and authentication, but they can only achieve computational security. Leveraging the fundamental principles of quantum mechanics, quantum key distribution (QKD) can achieve unconditional security in theory. However, due to limitations in eavesdropping detection, the use of classical channels and imperfections in quantum devices, it cannot reach unconditional security in practical applications. In this paper, based on polynomial rings and the theory of probability, we propose an unconditionally secure encryption algorithm with unified confidentiality and integrity. The main calculation of the encryption algorithm is a Cyclic Redundancy Check (CRC). Theoretical analysis proves that the encryption algorithm not only meets the unconditional security of confidentiality, but also guarantees the unconditional security of integrity, making it especially suitable for high-security communications in fields such as finance, military and government.

18 June 2025

Virtual event, Anywhere on Earth, 11 August 2025
Event Calendar
Event date: 11 August 2025
Seoul, Korea, 12 August - 13 August 2025
Event Calendar
Event date: 12 August to 13 August 2025
COSIC, KU Leuven
Job Posting
COSIC is looking for a motivated researcher who fits the following profile: PhD candidate to work on hardware implementations secured against physical attacks.

Job Description: The position is funded by the Flemish Research Funds (FWO). The PhD candidate will work in collaboration with the research group of Prof. Amir Moradi from the University of Darmstadt. The research program is defined in a research project jointly funded by FWO (Belgium) and DFG (Germany). The title of the project is MatSec – Maturing Physical Security Models in Realistic Scenarios. The PIs of the project in COSIC are Dr. Svetla Nikova and Prof. Vincent Rijmen.

Security models for side-channel analysis and combined attacks for HW implementations exist, but they often make unrealistic assumptions or are inaccurate in modeling physical effects. This results in countermeasures that are either overdesigned, unnecessarily increasing the costs, or still vulnerable to attacks when deployed. The main objective of this project is to provide security models that accurately abstract attacks against cryptographically secured physical devices and that allow for the creation of efficient countermeasures on hardware guaranteeing security in practice.

We are looking for people to work on the following topics: (1) realistic side-channel models capturing the circuit’s real behavior, achieving a balance between security and efficiency and providing improved countermeasures; (2) security models and randomness generation: developing procedures for constructing masked HW/SW implementations with low randomness requirements; (3) combined security models extending known fault/combined adversaries.

Specific Skills Required: For the PhD position, candidates should hold a master’s degree in Engineering, Mathematics or Computer Science with very good grades, and have very good knowledge of and experience with programming in C/C++ and Verilog/VHDL. Preferably they will have passed courses in Cryptography and/or Computer Security.

Closing date for applications:

Contact: Dr. Svetla Nikova

More information: https://www.esat.kuleuven.be/cosic/wp-content/uploads/2025/06/PhD-position_FWO-DFG.pdf

University of Waterloo, Waterloo, Ontario, Canada
Job Posting

The Department of Combinatorics and Optimization at the University of Waterloo invites applications from qualified candidates for a 2-year position as a Cryptographic Research Architect on the Open Quantum Safe project (https://openquantumsafe.org/).

This position is available immediately in Professor Stebila’s research group. You will be working with a world-wide team of researchers and developers from academia and industry on the Open Quantum Safe project. You will have the opportunity to push the boundaries of applied post-quantum cryptography and contribute to various open-source projects. You will help integrate new post-quantum cryptographic algorithms into the liboqs open-source library, and design and implement techniques for evaluating and benchmarking these cryptographic algorithms in a variety of contexts.

The field of post-quantum cryptography is rapidly evolving, and you will need to track ongoing changes to algorithms due to peer review and advances by researchers via the NIST Post-Quantum Cryptography project forum. In addition to algorithm research, tasks cover all aspects of the software development lifecycle and include design, programming cryptographic algorithms, integrating other cryptographic implementations into the liboqs framework, integrating liboqs into 3rd party open-source projects, testing, benchmarking and documentation. You may be asked to take an ownership role in coordinating the development of various sub-components of the Open Quantum Safe project.

The appointment will be a full-time position for 2 years. The salary range is $80,000–$115,000/year and commensurate with experience.

Canadians, Canadian Permanent Residents, and those who are legally entitled to work in Canada will be given priority consideration for this position.

For more information on the position and how to apply, please see https://openquantumsafe.org/team/open-positions

Closing date for applications:

Contact: Douglas Stebila (dstebila@uwaterloo.ca)

More information: https://openquantumsafe.org/team/open-positions

CEA-List, France (Saclay or Grenoble)
Job Posting
Context: Our team develops pre-silicon analysis tools to: 1) identify exploitable vulnerabilities at the software level based on the interactions between software and a microarchitecture, or 2) formally prove the security, for a given attacker model, of a system embedding hardware/software countermeasures against fault injections. These tools implement a methodology that has been shown to succeed in finding microarchitectural vulnerabilities and/or proving the robustness, for a given fault model, of various RISC-V based processors [1]. For instance, we have formally proven the security of OpenTitan's processor against single bit-flip injections [2].

[1] S. Tollec et al. μArchiIFI: Formal Modeling and Verification Strategies for Microarchitectural Fault Injections. FMCAD 2023

[2] S. Tollec et al. Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults. TCHES 2024

Objectives

Your main missions will be:

- To design and extend our pre-silicon methodology and associated tools to support different secured processors. In particular, to leverage the specificities of the countermeasures embedded in such secured processors to speed up analysis techniques, and also to integrate post-synthesis netlist-level analyses of hardware architectures into our methodology and tools.

- To participate in a project-scale experimental evaluation aiming to fill the gap between pre-silicon tools and post-silicon security evaluations.

Location: Saclay (Paris area) or Grenoble.

Requirements: PhD or Master’s degree in Electronics or Computer Science. Excellent interpersonal and communication skills, and a solid background in any of the following fields is expected: computer architecture, programming languages, formal methods, cyber-security. Knowledge of French (spoken or written) is not required but may be helpful on a day-to-day basis.

Application: Please send the following documents: CV, cover letter (in French or English), transcript of records.

Closing date for applications:

Contact: Mathieu Jan (mathieu.jan@cea.fr) and Damien Couroussé (damien.courousse@cea.fr). Reviewing of applications will continue until the position is filled.

MuseMatrix
Job Posting
Unpaid, part-time fellowship (3–6 months), with potential to evolve into a fully funded, startup-style venture. We invite applied cryptographers to join a part-time, unpaid pilot fellowship focused on zero-knowledge proofs, MPC, and secure data pipelines for biosecurity. No prior biosecurity experience is required, just strong crypto skills and curiosity. You’ll work collaboratively with fellow cryptographers, developers, and biosecurity experts to develop tangible, economically sustainable prototypes, with the goal of launching a funded venture by the program’s end. This role is designed to run alongside your current commitments; there is no need to pause full-time work.

Fellow Responsibilities
- Design zk‑SNARK/STARK or MPC circuits to verify epidemiological data integrity and outbreak modeling
- Prototype privacy-preserving alert systems for decentralized biosurveillance
- Collaborate with peer cryptographers and cross-disciplinary fellows on open-source proof-of-concept systems
- Co-author deliverables: circuit specs, threat models, implementation evaluations

Qualifications:
- Master’s or PhD in cryptography, computer science, mathematics, or related field
- Strong programming and mathematical background
- Experience with zk frameworks (e.g., Circom, snarkjs, arkworks) or MPC is a plus
- No prior biosecurity/domain expertise required; we’ll provide domain support
- Available to work part-time alongside existing commitments

Program Structure & Benefits:
- Unpaid and part-time: built to fit around ongoing work or study
- Goal-driven: produce a self-sustaining prototype or venture by program end
- Collaborative environment: work alongside other cryptographers with mentorship from senior crypto and domain experts
- Opportunity to transition into a funded startup or project launch post-fellowship

Application Instructions:
Send us an email with a brief overview of your background and skills

Closing date for applications:

Contact: bharat@causality.network

More information: https://musematrix.xyz/

LIACS, Leiden University
Job Posting
Secure Computation Technologies, such as Multiparty Computation, allow the purposeful processing of private data (distilling value from such data) without compromising the privacy of that data. Today’s interconnected world, smart applications, and global business, which necessitate collaborative analytics, require the collection and processing of private information. In this PhD trajectory you will explore ways of, and develop protocols and primitives for, enhancing the security, functionality, and efficiency of secure computation technologies (e.g., multiparty computation – MPC) when designed for particular application scenarios, such as private machine learning use cases.

In this 4-year PhD trajectory, you are expected to:

  • Conduct original and novel research in the field of Secure Computation Technologies;
  • Design novel protocols for privacy-preserving (machine learning) applications;
  • Publish and present scientific articles at international journals and conferences;
  • Engage in collaborations in academia and industry;
  • Assist in relevant teaching activities.

The position is fully funded for 4 years.

Closing date for applications:

Contact: Eleftheria Makri

More information: https://www.universiteitleiden.nl/en/vacancies/2025/q2/15751-phd-candidate-secure-computation-technologies-and-applications-to-machine-learning


17 June 2025

Jovan Komatovic, Andrew Lewis-Pye, Joachim Neu, Tim Roughgarden, Ertem Nusret Tas
ePrint Report
This paper presents the first generic compiler that transforms any permissioned consensus protocol into a proof-of-stake permissionless consensus protocol. For each of the following properties, if the initial permissioned protocol satisfies that property in the partially synchronous setting, the consequent proof-of-stake protocol also satisfies that property in the partially synchronous and quasi-permissionless setting (with the same fault-tolerance): consistency; liveness; optimistic responsiveness; every composable log-specific property; and message complexity of a given order. Moreover, our transformation ensures that the output protocol satisfies accountability (identifying culprits in the event of a consistency violation), whether or not the original permissioned protocol satisfied it.
Thierry Emmanuel MINKA MI NGUIDJOI, MANI ONANA Flavien Serge, DJOTIO NDIÉ Thomas
ePrint Report
This paper introduces ZK-NR, a modular cryptographic protocol designed to ensure privacy-preserving non-repudiation in the co-production of digital public services. By integrating Merkle commitments, zero-knowledge proofs (STARKs), threshold BLS signatures, and post-quantum Dilithium authentication, ZK-NR enables the creation of secure, verifiable, and auditable evidence across decentralized infrastructures. Unlike traditional digital signatures or blockchain-based logs, ZK-NR provides formally verifiable attestations without disclosing sensitive content, making it suitable for public finance, e-government, and regulated digital ecosystems. The protocol is modeled in Tamarin and implemented as a proof-of-concept using open cryptographic tools. This contribution offers a reproducible foundation for future infrastructures requiring long-term trust, data minimization, and legal admissibility, particularly in contexts where citizens and institutions share responsibility for digital evidence. ZK-NR addresses the tension between confidentiality and accountability, providing an interoperable and future-ready layer for trustworthy public service delivery. This preliminary work focuses on architectural composition and implementation feasibility. It does not include formal security proofs.