International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available via email and via RSS feed.

12 August 2025

Ivan Tjuawinata, Yann Fraboni, Ziyao Liu, Jun Zhao, Pu Duan, Kwok-Yan Lam
ePrint Report
Vertical federated learning (VFL) enables a cohort of parties with vertically partitioned data to collaboratively train a machine learning (ML) model without requiring them to centralise their data. Each party feeds its data to its local model, with output fed to a global model. However, this configuration requires parties to share some intermediary results during training, which include the output and the gradients of the local models. These intermediary results can reveal insights into the parties' data, and can be protected by secret sharing them with secure multiparty computation (MPC). However, this increases the total number of communications and makes the VFL training significantly slower. In this work, we introduce MUSE-VFL to accelerate the computation of the local gradients by using homomorphic encryption on top of MPC for parties to directly complete this computation during backpropagation. We show theoretically that MUSE-VFL improves the complexity of the MPC baseline. Our experiments, conducted on four different ML tasks, show that the runtime needed to compute the gradients of the local models significantly outweighs the combined runtime of all other steps. This highlights the significance of MUSE-VFL, with experiments demonstrating a training runtime faster by 30% to 35% for LAN and 32% to 50% for WAN.
Kittiphon Phalakarn, Vorapong Suppakitpaisarn, M. Anwar Hasan
ePrint Report
This work presents a provably-secure lattice-based multisignature scheme which requires only a single round of communication, whereas the existing works need two or three rounds. The reduction in the number of rounds for the proposed scheme is achieved by utilizing lattice trapdoors. In order to generate multisignatures securely, our scheme however requires an honest centralized server that maintains the trapdoor of a shared matrix used in the scheme.
Zvika Brakerski, Offir Friedman, Daniel Golan, Alon Gurni, Dolev Mutzari, Ohad Sheinfeld
ePrint Report
We present a fully homomorphic encryption scheme which natively supports arithmetic and logical operations over large "machine words", namely plaintexts of the form $\mathbb{Z}_{2^n}$ (e.g. $n=64$). Our scheme builds on the well-known BGV framework, but deviates in the selection of number field and in the encoding of messages. This allows us to support large message spaces with only modest effect on the noise growth.

Arithmetic operations (modulo $2^n$) are supported natively similarly to BGV-style FHE schemes, and we present an efficient bootstrapping procedure for our scheme. Our bootstrapping algorithm has the feature that along the way it decomposes our machine word into bits, so that during bootstrapping it is possible to perform logical operations (essentially addressing each bit in the message independently). This means that during a single bootstrapping cycle we can perform logical operations on $n$ bits. For example, a "greater than" operation (if $x> y$ output $1$, otherwise $0$), only requires a single subtraction and a single bootstrapping cycle.

Along the way we present a number of new tools and techniques, such as a generalization of the BGV modulus switching to a setting where the plaintext and ciphertext moduli are ideals (and not numbers).
Cong Ling, Andrew Mendelsohn, Christian Porter
ePrint Report
We study the approximate Hermite Shortest Vector Problem (HSVP) in ideal lattices in orders of cyclic algebras. For one- and two-sided ideals respectively, we show that for almost all ideals we may solve HSVP in a sublattice of dimension at most one half (respectively, one quarter) of the original lattice dimension, with only small losses in the approximation factor. For two-sided ideals in a cryptographically-relevant family of maximal orders, we obtain approximation factors independent of the algebraic norm of the ideal. For one-sided ideals, we obtain a similar result for a large and natural family of ideal lattices. Finally, we turn our mathematical results into algorithms, and in the case of quaternion algebras, give an unconditional quantum polynomial time algorithm to solve HSVP in ideals of maximal orders of quaternion algebras, given an oracle for HSVP in ideals of maximal orders of number fields, in lower dimension.
Tianpei Lu, Bingsheng Zhang, Hao Li, Kui Ren
ePrint Report
Privacy-preserving decision tree inference is a fundamental primitive in privacy-critical applications such as healthcare and finance, yet existing protocols still pay a heavy price for oblivious selection at every node. We introduce a new paradigm that eliminates this limitation by representing the entire tree as a permutation rather than an explicit set of nodes. Under this representation, we can efficiently generate a shuffled randomized decision tree during the offline phase, where the indices can be directly revealed without leaking any information about the original tree structure. Our scheme significantly reduces both the online and offline computation and communication overhead compared to the state of the art. Comprehensive benchmarks show an 86% reduction in online communication versus the state-of-the-art FSS protocol by Ji et al., and a 99.9% reduction versus the OT-based protocol of Ma et al. Overall, our benchmarks show that our protocol achieves a performance improvement of $20\times$ over Ma et al.'s scheme and $4.5\times$ over Ji et al.'s scheme.
Giacomo Fenzi, Yuwen Zhang
ePrint Report
The argument size of succinct non-interactive arguments (SNARG) is a crucial metric to minimize, especially when the SNARG is deployed within a bandwidth constrained environment.

We present a non-recursive proof compression technique to reduce the size of hash-based succinct arguments. The technique is black-box in the underlying succinct arguments, requires no trusted setup, can be instantiated from standard assumptions (and even when $\mathsf{P} = \mathsf{NP}$!) and is concretely efficient.

We implement and extensively benchmark our method on a number of concretely deployed succinct arguments, achieving compression across the board to as much as $60\%$ of the original proof size. We further detail non-black-box analogues of our methods to further reduce the argument size.
Mojtaba Rfiee, Mehdi Abri
ePrint Report
In recent years, with the emergence of the industrial revolution, secure data sharing schemes have been developed for IoT platforms and have become a hot topic in industry and academia. These schemes enable IoT devices to securely share their sensed data in industrial environments with clients through an appropriate infrastructure and intermediary entities. Research in this field shows a variety of security challenges and solutions; data privacy, data authentication, fairness and accountability are among the most important security features considered. Recently, [Sengupta-Ruj-Bit, TNSM 2023] proposed a secure sharing scheme and claimed that it provides all the mentioned security features even when entities collude with each other. In this paper, we analyze the security of this scheme and show that it does not achieve the claimed fairness property. Therefore, the scheme is vulnerable and cannot be used as a valid scheme in real-world applications.
Gorjan Alagic, Fahran Bajaj, Aybars Kocoglu
ePrint Report
Transitioning secure information systems to post-quantum cryptography (PQC) comes with certain risks, such as the potential for switching to PQC schemes with as yet undiscovered vulnerabilities. Such risks can be mitigated by combining multiple schemes in such a way that the resulting hybrid scheme is secure provided at least one of the ingredient schemes is secure. In the case of key-encapsulation mechanisms (KEMs), this approach is already in use in practice, where the PQC scheme ML-KEM is combined with “traditional” X25519 key exchange. Combining multiple KEMs to construct a single hybrid KEM is largely straightforward, except for the crucial choice of how to derive the final shared secret key. A generic method for doing this in a manner that preserves IND-CCA security is to include the keys and ciphertexts of all ingredient KEMs in an appropriate key derivation step. In the specialized X-Wing construction, one instead relies on a special property of ML-KEM to avoid including its ciphertext in key derivation. In this work, we show that this optimization can be done in a more general setting. Specifically, when combining multiple KEMs one need not include the ciphertext of any KEM that satisfies ciphertext second preimage resistance (C2PRI)—provided the key combination step is performed using a split-key pseudorandom function. We also prove that any KEM constructed from a certain set of Fujisaki-Okamoto (FO) transforms satisfies C2PRI in the random oracle model. This applies to KEMs such as BIKE, Classic McEliece, HQC, and ML-KEM.
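The two key-derivation strategies described above, as an added example that is not code from the paper or from X-Wing: the generic combiner binds every ingredient's shared secret, ciphertext and public key, while the optimized one drops the ciphertext of any KEM flagged as having C2PRI. Assumptions made here and labelled in the code: the split-key PRF is instantiated as SHA3-256 over a labelled, length-prefixed encoding of its inputs; ML_KEM_SLOT and X25519_SLOT are constructed placeholder byte strings, not outputs of real KEMs; the exact X-Wing input layout is not reproduced. The last function models the failure mode the C2PRI condition guards against: a second ciphertext that decapsulates to the same shared secret still changes the hybrid key only if the combiner binds that ciphertext, so omitting it is safe only for a KEM that actually has C2PRI.

```python
import hashlib
import struct


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so the PRF input parses unambiguously."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def split_key_prf(secrets, context: bytes, label: bytes = b"hybrid-kem-example") -> bytes:
    """Stand-in for the split-key PRF of the abstract.
    Assumption: instantiated here as SHA3-256 over a labelled, length-prefixed
    encoding of all shared secrets followed by the public context."""
    return hashlib.sha3_256(encode(label, *secrets, context)).digest()


def combine(components, has_c2pri):
    """Derive the hybrid shared secret.
    components: list of (ss_i, ct_i, pk_i), one per ingredient KEM, in a fixed order.
    has_c2pri:  per-KEM flag; the ciphertext of KEM i is dropped from the PRF
                context only when has_c2pri[i] is True.
    With every flag False this is the generic combiner that binds everything."""
    secrets = [ss for ss, _, _ in components]
    context = encode(*[encode(b"" if c2pri else ct, pk)
                       for (_, ct, pk), c2pri in zip(components, has_c2pri)])
    return split_key_prf(secrets, context)


def combine_generic(components):
    """Generic IND-CCA-preserving combiner: all secrets, ciphertexts and keys bound."""
    return combine(components, [False] * len(components))


# Constructed placeholder values (assumption: not produced by any real KEM); sizes
# mimic ML-KEM-768 (ct 1088 B, pk 1184 B) and X25519 (32 B each) for realism.
ML_KEM_SLOT = (b"\x11" * 32, b"\xaa" * 1088, b"\xbb" * 1184)  # (ss_M, ct_M, pk_M)
X25519_SLOT = (b"\x22" * 32, b"\xcc" * 32, b"\xdd" * 32)      # (ss_X, ct_X, pk_X)


def xwing_style_key():
    """X-Wing-style derivation: ML-KEM's ciphertext omitted because ML-KEM has C2PRI
    (per the abstract's FO result); X25519's ciphertext and public key are kept."""
    return combine([ML_KEM_SLOT, X25519_SLOT], has_c2pri=[True, False])


def substitution_changes_key(components, has_c2pri, index):
    """Model a ciphertext second preimage in slot `index`: a different ciphertext
    that still decapsulates to the same ss. Return True when the hybrid key changes,
    i.e. when the combiner still binds that slot's ciphertext."""
    k0 = combine(components, has_c2pri)
    ss, ct, pk = components[index]
    forged = list(components)
    forged[index] = (ss, ct[:-1] + bytes([ct[-1] ^ 1]), pk)  # same ss, different ct
    return k0 != combine(forged, has_c2pri)


if __name__ == "__main__":
    slots = [ML_KEM_SLOT, X25519_SLOT]
    print("generic key        ", combine_generic(slots).hex())
    print("X-Wing-style key   ", xwing_style_key().hex())
    print("ct_X substituted, X-Wing-style binds it:",
          substitution_changes_key(slots, [True, False], 1))
    print("X25519 wrongly flagged C2PRI, binding lost:",
          not substitution_changes_key(slots, [False, True], 1))
```

The flags are the whole security decision: setting `has_c2pri[i]` for a KEM that lacks the property silently removes the binding that the generic combiner provides, which is why the abstract restricts the omission to KEMs whose FO transform yields C2PRI in the random oracle model.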
Emanuele Bellini, Rocco Brunelli, David Gerault, Anna Hambitzer, Marco Pedicini
ePrint Report
In neural cryptanalysis, a deep neural network is trained as a cryptographic distinguisher between pairs of ciphertexts $(F(X), F(X \oplus \delta))$, where $F$ is either a random permutation or a block cipher and $\delta$ is a fixed difference. The AutoND framework aims to use neural distinguishers as a generic tool and discourages cipher-specific optimizations. On the other hand, works such as $[\text{LLS}^+24]$ obtain superior distinguishers by adding dedicated features, such as selected parts of the difference in the previous rounds, to the input of the neural distinguishers. In this paper, we study Generic Partial Decryption as a feature engineering technique and integrate it within a fully automated pipeline, where we evaluate its effect independently of the number of pairs per sample, with which feature engineering is often combined. We show that this technique matches state-of-the-art dedicated approaches on Simon and Simeck. Additionally, we apply it to Aradi and present a practical neural-assisted key recovery for 5 rounds, as well as a 7-round key recovery with $2^{70}$ time complexity. Finally, we derive useful information from the neural distinguishers and propose a non-neural version of our 5-round key recovery.
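The training data such a distinguisher consumes, as an added example that is not code from the paper or from AutoND: a Simon32/64 implementation (checked against the published test vector), a real-versus-random pair generator for a chosen number of rounds, and a non-neural bit-bias baseline that shows the kind of signal the network has to learn. Assumptions labelled in the code: the input difference DELTA = (0x0000, 0x0040) and the fresh-key-per-sample convention are choices made here, and label-0 samples pair the ciphertext with that of an independent random block, the usual real-versus-random setup, rather than with the output of a true random permutation.

```python
import random

MASK16 = 0xFFFF
# Simon constant sequence z0 (the one Simon32/64 uses), indexed from the leftmost bit.
Z0 = "11111010001001010110000111001101111101000100101011000011100110"


def rol(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def ror(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16


def expand_key(key_words, rounds=32):
    """Simon32/64 key schedule. key_words = [k0, k1, k2, k3], k0 is used in round 0.
    Returns the first `rounds` round keys (the full cipher has 32)."""
    k = list(key_words)
    for i in range(4, rounds):
        tmp = ror(k[i - 1], 3) ^ k[i - 3]
        tmp ^= ror(tmp, 1)
        k.append((~k[i - 4] & MASK16) ^ tmp ^ int(Z0[(i - 4) % 62]) ^ 3)
    return k[:rounds]


def encrypt(x, y, round_keys):
    """Simon round: (x, y) -> (y ^ f(x) ^ k, x) with f(x) = (S1 x & S8 x) ^ S2 x."""
    for rk in round_keys:
        x, y = y ^ (rol(x, 1) & rol(x, 8)) ^ rol(x, 2) ^ rk, x
    return x, y


# Fixed input difference (assumption: a choice made for this example; the abstract
# only says delta is a fixed difference).
DELTA = (0x0000, 0x0040)


def make_dataset(n_samples, rounds, seed=0):
    """Real-vs-random samples for a round-reduced cipher.
    label 1: (E(P), E(P ^ DELTA)); label 0: (E(P), E(P')) with P' an independent
    random block. A fresh key is drawn per sample (assumption: common practice in
    neural cryptanalysis). Each sample is the tuple of 4 ciphertext words."""
    rng = random.Random(seed)
    samples, labels = [], []
    for _ in range(n_samples):
        rk = expand_key([rng.getrandbits(16) for _ in range(4)], rounds)
        x0, y0 = rng.getrandbits(16), rng.getrandbits(16)
        label = rng.getrandbits(1)
        if label:
            x1, y1 = x0 ^ DELTA[0], y0 ^ DELTA[1]
        else:
            x1, y1 = rng.getrandbits(16), rng.getrandbits(16)
        samples.append(encrypt(x0, y0, rk) + encrypt(x1, y1, rk))
        labels.append(label)
    return samples, labels


def difference_bit_bias(n_samples, rounds, seed=0):
    """Non-neural baseline on real pairs only: |Pr[bit i of (C0 ^ C1) = 1] - 1/2| for
    each of the 32 ciphertext-difference bits. A bias of 0.5 means the bit is
    constant; such bits survive few rounds and vanish towards the full cipher."""
    rng = random.Random(seed)
    ones = [0] * 32
    for _ in range(n_samples):
        rk = expand_key([rng.getrandbits(16) for _ in range(4)], rounds)
        x0, y0 = rng.getrandbits(16), rng.getrandbits(16)
        cx0, cy0 = encrypt(x0, y0, rk)
        cx1, cy1 = encrypt(x0 ^ DELTA[0], y0 ^ DELTA[1], rk)
        diff = ((cx0 ^ cx1) << 16) | (cy0 ^ cy1)
        for i in range(32):
            ones[i] += (diff >> i) & 1
    return [abs(c / n_samples - 0.5) for c in ones]


if __name__ == "__main__":
    # Published Simon32/64 test vector: key 1918 1110 0908 0100, pt 6565 6877, ct c69b e9bb
    ct = encrypt(0x6565, 0x6877, expand_key([0x0100, 0x0908, 0x1110, 0x1918]))
    print("test vector ok:", ct == (0xC69B, 0xE9BB))
    X, Y = make_dataset(4, rounds=7, seed=1)
    for s, l in zip(X, Y):
        print(l, " ".join(f"{w:04x}" for w in s))
    for r in (3, 5, 7, 32):
        print(f"{r:2d} rounds, max |bias| over 32 diff bits:", round(max(difference_bit_bias(2000, r)), 3))
```

The bias table is the intuition behind feature engineering: at low round counts whole bit positions of the ciphertext difference are constant, so even the crude statistic separates real from random pairs; the neural distinguisher earns its keep only once these trivial biases have decayed.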

11 August 2025

Taipei, Taiwan, 8 March 2026
Event Calendar
Event date: 8 March 2026
Submission deadline: 1 November 2025
Notification: 19 December 2025
Sapporo, Japan, 16 December - 18 December 2025
Event Calendar
Event date: 16 December to 18 December 2025
Submission deadline: 22 August 2025
Notification: 12 October 2025
Brandenburg University of Technology Cottbus-Senftenberg, chair of IT Security; Cottbus, Germany
Job Posting

Tasks:

  • Active research in the area of intrusion detection systems (IDS) for critical infrastructures, secure cyber-physical systems, and artificial intelligence / machine learning for traffic analysis
  • Implementation and evaluation of new algorithms and methods
  • Cooperation and knowledge transfer with industrial partners
  • Publication of scientific results
  • Assistance with teaching

The employment takes place with the goal of doctoral graduation (obtaining a PhD degree).

Requirements:

  • Master’s degree (or equivalent) in Computer Science or related disciplines
  • Strong interest in IT security and/or networking and distributed systems
  • Knowledge of at least one programming language (C++, Java, etc.) and one scripting language (Perl, Python, etc.) or strong willingness to quickly learn new programming languages
  • Linux/Unix skills
  • Knowledge of data mining, machine learning, statistics and result visualization concepts is of advantage
  • Excellent working knowledge of English; German is of advantage
  • Excellent communication skills

For more information about the vacant position please contact Prof. A. Panchenko (E-Mail: itsec-jobs.informatik@lists.b-tu.de). We value diversity and therefore welcome all applications – regardless of gender, nationality, ethnic and social background, religion/belief, disability, age, sexual orientation, and identity. The BTU Cottbus-Senftenberg strives for a balanced gender relation in all employee groups. Applicants with disabilities will be given preferential treatment if they are equally qualified.

Applications containing the following documents:

  • A detailed Curriculum Vitae
  • Transcript of records from your Master studies
  • An electronic version of your Master thesis, if possible

should be sent in a single PDF file as soon as possible, but not later than 07.09.2025, to itsec-jobs.informatik@lists.b-tu.de

Closing date for applications: 07.09.2025

Contact: Prof. Andriy Panchenko (E-Mail: itsec-jobs.informatik@lists.b-tu.de)

More information: https://www.b-tu.de/en/fg-it-sicherheit

Shandong University, School of Cyber Science & Technology; Qingdao, China
Job Posting

Shandong University (SDU) stands as a prestigious beacon of academic excellence in China, renowned for its rich history, diverse academic programs, and commitment to fostering innovation and leadership. The School of Cyber Science and Technology (CST) has a faculty devoted to high-level research and teaching, led by Prof. Wang Xiaoyun, an academician of the Chinese Academy of Sciences.

About NSFC Excellent Young Scholars Fund (Overseas)

The fund aims to encourage talented overseas scholars who have demonstrated notable accomplishments in natural science, engineering technology, and other fields, to return to or join China for employment. For more detailed information, please refer to: "https://www.nsfc.gov.cn/publish/portal0/tab434/info95371.htm" (in Chinese).

Eligibility

• Applicants must be born on or after January 1, 1985, and have a doctoral degree.
• During the period after obtaining the doctoral degree and prior to September 15, 2025, the applicant should generally have obtained a formal teaching or research position in renowned overseas universities, scientific research institutions, or corporate R&D units, and have worked for no less than 36 consecutive months. The time limit can be relaxed as appropriate for those who obtained their doctoral degree overseas.

Research Areas

SDU encourages global young talents to apply in the following (and related) research areas:

• Cryptography
• Cybersecurity
• AI Security
• Theoretical CS
• Computer Architecture and Trustworthy Systems
• Information and Coding Theory

Benefits

For successful applicants, the following benefits are provided:

• Position: Appointed to a tenured professor position.
• Funding: Substantial research funding.
• Salaries: Competitive salaries and a comprehensive benefits package; opportunities for career advancement and professional growth within a dynamic and supportive academic environment.

Contact:

For any inquiries or further information, please contact Prof. Sihuang Hu:

• Email: husihuang@sdu.edu.cn
• WeChat: sihuanghu

Shaoxing University
Job Posting

Post-Doc in IoT/Smart-City/AV Security – 300 k RMB/yr, Tax-Free – Deadline 15 Aug 2025 – Apply Now!

Dear colleagues,

A fully-funded, 2-year Post-Doctoral Researcher position is open at Shaoxing University in the area of Security & Privacy for Internet-of-Things, Smart Cities, or Autonomous Vehicles.

Key facts
• Duration: 24 months, earliest start 1 Oct 2025
• Salary: 300 000 RMB per year – tax-exempt for most nationalities
• Location: Shaoxing, China – vibrant tech hub, 40 min to Alibaba HQ and West Lake
• Lab: new Secure-Intelligent Systems Lab, generous travel & publication funds

What we seek
• PhD in CS, or related, awarded ≤ 3 years ago
• ≥ 3 Q1 journal papers (JCR/Web-of-Science) in IoT/smart-city/AV security, privacy, or applied cryptography
• Strong background in one or more: secure firmware, C-V2X/DSRC security, AI-based intrusion detection, lightweight crypto, blockchain for smart-city data, formal verification, side-channel analysis, TEEs
• Open-source or dataset contributions are a plus

Application – single PDF to mehdi.gheisari@yandex.ru
Subject line (exactly): Postdoc position – Your Name – JournalName
Contents (in order):
1. 1-page cover letter (motivation + fit)
2. CV (max 4 pages, list Q1 papers with JCR rank & cites)
3. Live links to 3 best Q1 papers (DOI or open PDF)
4. 2 referees (name + e-mail)

Deadline
• 20 August 2025 – 23:59 (UTC+8)
• Only complete applications will be reviewed; shortlisted candidates contacted for online interview.

Please forward to promising recent PhDs!

Contact: Dr Mehdi Gheisari

08 August 2025

Nir Bitansky, Saroja Erabelli, Rachit Garg, Yuval Ishai
ePrint Report
The shuffle model is a widely used abstraction for non-interactive anonymous communication. It allows $n$ parties holding private inputs $x_1,\dots,x_n$ to simultaneously send messages to an evaluator, so that the messages are received in a random order. The evaluator can then compute a joint function $f(x_1,\dots,x_n)$, ideally while learning nothing else about the private inputs. The model has become increasingly popular both in cryptography, as an alternative to non-interactive secure computation in trusted setup models, and even more so in differential privacy, as an intermediate between the high-privacy, little-utility local model and the little-privacy, high-utility central curator model.

The main open question in this context is which functions $f$ can be computed in the shuffle model with statistical security. While general feasibility results were obtained using public-key cryptography, the question of statistical security has remained elusive. The common conjecture has been that even relatively simple functions cannot be computed with statistical security in the shuffle model.

We refute this conjecture, showing that all functions can be computed in the shuffle model with statistical security. In particular, any differentially private mechanism in the central curator model can also be realized in the shuffle model with essentially the same utility, and while the evaluator learns nothing beyond the central model result.

This feasibility result is obtained by constructing a statistically secure additive randomized encoding (ARE) for any function. An ARE randomly maps individual inputs to group elements whose sum only reveals the function output. Similarly to other types of randomized encoding of functions, our statistical ARE is efficient for functions in $NC^1$ or $NL$. Alternatively, we get computationally secure ARE for all polynomial-time functions using a one-way function. More generally, we can convert any (information-theoretic or computational) "garbling scheme" to an ARE with a constant-factor size overhead.
Yu Zhang, Zongbin Wang
ePrint Report
This paper proposes DIMSEPP, a decentralized identity management system that enhances privacy while preserving blockchain verifiability. The system cryptographically enforces data minimal disclosure principles by storing attribute commitments on-chain and validating them through zero-knowledge proofs, allowing users to demonstrate attribute validity without revealing sensitive values. The architecture maintains full compatibility with existing DID standards through standard document structures and verification methods. Security analysis demonstrates provable guarantees under standard cryptographic assumptions. Practical evaluation confirms the system's efficiency for resource-constrained environments, supporting deployment in applications where both privacy and verifiability are essential.
Jaehyung Kim
ePrint Report
We design a fast and efficient fully homomorphic encryption for radix power modulus. We mainly rely on the CKKS modular reduction by Kim and Noh [CiC'25] and the intermediate CKKS encoding from NeuJeans [Ju et al.; CCS'24]. Our construction is a direct improvement of the homomorphic integer computer by Kim [TCHES'25]: the asymptotic latency reduces from $O(k)$ to $O(\log k)$ for a given plaintext modulus $b^k$ for a fixed radix base $b$, while keeping the throughput. Our experiments show that the latency of our $64$-bit multiplication is $\approx 6$ times faster than Kim and slightly faster than TFHE-rs, while being three orders of magnitude better in terms of throughput than TFHE-rs. The performance gap widens for larger precision. Our work also concretely outperforms the work by Boneh and Kim [Crypto'25], by a factor of $4.70$ better latency and $75.3$ times better throughput for $256$-bit multiplication.
Malte Andersch, Cezary Pilaszewicz, Marian Margraf
ePrint Report
The development of cryptographic schemes which remain secure in the post-quantum era is an urgent challenge, particularly in light of the growing ubiquity of low-power devices and the looming threat of quantum computing. Identity-Based Encryption (IBE) offers a compelling alternative to traditional Public Key Infrastructures by simplifying key management, but most classical IBE schemes rely on number-theoretic assumptions that are vulnerable to quantum attacks. In response, Koshiba and Takashima proposed a novel approach based on Isogenous Pairing Groups (IPGs) [11], claiming partial quantum resistance. In this work, we critically examine their construction and security claims. We show that the proposed scheme, despite its theoretical elegance, reduces to the Elliptic Curve Discrete Logarithm Problem (ECDLP) on supersingular curves, which can be broken in polynomial time by quantum algorithms and in subexponential time classically. Our analysis reveals structural weaknesses inherent to the IPG framework, such as the use of explicit group elements in prime-order groups and exploitable isogeny homomorphisms, which undermine its claimed security guarantees. These findings suggest that IPG-based constructions, in their current form, are unlikely to provide robust post-quantum security.

07 August 2025

Shanuja Sasi, Asaf Cohen, Onur Günlü
ePrint Report
This paper addresses the challenge of best arm identification in stochastic multi-armed bandit (MAB) models under privacy-preserving constraints, such as in dynamic spectrum access networks where secondary users must privately detect underutilized channels. While previous network security research has explored securing MAB algorithms through techniques such as homomorphic encryption or differential privacy, these methods often suffer from high computational overhead or introduce noise that strictly decreases accuracy. In contrast, this work focuses on lightweight solutions that ensure data confidentiality without compromising the accuracy of best arm identification. We introduce two secure protocols that leverage additive secret sharing and threshold secret sharing. The proposed model, employing aggregation nodes and a comparator node, securely distributes computations to prevent any entity from accessing complete reward or ranking data. Furthermore, the protocol ensures resistance to collusion and fault tolerance, while maintaining computational efficiency. These contributions establish a scalable and robust framework for privacy-preserving best arm identification, offering practical and secure solutions that use MAB methods for network security.
Daniel Collins, Paul Rösler
ePrint Report
Continuous Group Key Agreement (CGKA) is a primitive with which members of a group can continuously establish shared keys. With every interaction, these members also update their individual, local secrets such that temporary corruptions of these secrets only affect the security of shared keys established shortly before (Forward Security; FS) and after the corruption (Post-Compromise Security; PCS). Due to these interactive updates, possibly enriched by dynamic group membership changes, CGKA is a very powerful but also very complex primitive.

In this work, we limit the power of CGKA to identify and analyze its core components. More concretely, we consider the case that all members of a group are always either senders or receivers. Thus, the interaction is strictly unidirectional from the former to the latter: a group of senders Alice establishes shared keys with a group of receivers Bob. With every shared key, Alice updates her local state to achieve FS and PCS; when receiving an established key, each Bob also updates their local state to achieve FS. This notion naturally lifts the so-called Unidirectional Ratcheted Key Exchange concept (Bellare et al., Crypto 2017; Poettering and Rösler, Crypto 2018) to the group setting and, thereby, captures and generalizes Signal's Sender Key Mechanism, which is the core of WhatsApp and Signal's group chat protocols. We modularize this concept of Group Unidirectional RKE (GURKE) by considering either single or multiple senders, single or multiple receivers, and static or dynamic membership on each of both sides of the group.

To instantiate these new primitives, we develop a building block called Updatable Broadcast KEM (UB-KEM). Using UB-KEM, our GURKE constructions for static groups only use standard Key Encapsulation Mechanisms (KEMs) and induce only a constant communication overhead. Our GURKE constructions for dynamic groups are based on general Non-Interactive Key Exchange (NIKE) and offer a constant communication overhead as long as the set of members is unchanged; only for adding and removing users, a communication overhead logarithmic in the group size is induced. We discuss the benefits of replacing the Sender Key Mechanism in Signal and WhatsApp with our constructions, and demonstrate their practicality with a performance evaluation of our proof-of-concept UB-KEM implementation.