International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

01 November 2025

Jiaxin Pan, Runzhi Zeng
ePrint Report
We initiate the study of memory efficiency in proving the security of authenticated key exchange (AKE) protocols: We first revise the security model for AKE protocols in order to prove their security in a memory-efficient manner without compromising its capability of capturing the usual attacks. We formally show that security in our model implies security in previous models, and thus our model captures the same security as before.

After that we propose a generic construction of AKE from key encapsulation mechanisms (KEMs) and digital signature schemes, motivated by the signed Diffie-Hellman protocol. Under the multi-user security of the signature scheme and the (relatively weak) one-way security against plaintext checking attacks of the KEM, our generic construction is proven to be tightly secure (in terms of success probability) via memory-efficient reductions in the random oracle model. We refer to our reductions as memory-efficient rather than memory-tight, since their memory requirements grow proportionally with the number of users. This growth is not an artifact of our analysis, but rather stems from the necessity of solving the dictionary problem within our proof. By the result of Pagh (SIAM J. Computing, 2002), such user-dependent memory consumption is unavoidable. Nevertheless, our proof is more memory-efficient than the previous reductions for AKE, including even those that are non-tight. Given that most post-quantum assumptions (e.g., the Learning-With-Errors and Short-Integer-Solution assumptions) are memory-sensitive, our work holds significant value for post-quantum AKE protocols.
Sanjit Chatterjee, Tapas Pandit, Subhabrata Samajder
ePrint Report
This paper proposes modular security proofs for some identification scheme (IDS)-based signature schemes in the multivariate quadratic (MQ) setting. More precisely, our contributions include concrete security reductions for both the 3-pass and the 5-pass MQDSS signature schemes in the random oracle model. Although no formal security argument for the former was available in the literature, the one for the latter provides only a qualitative treatment. Our concrete analysis shows that the 3-pass scheme enjoys a comparatively tighter reduction. This result, considered in conjunction with a reported attack on the 5-pass MQDSS from the NIST PQC competition, thus indicates that, contrary to the initial suggestion, the 3-pass MQDSS could be a better choice at a concrete security level. Our next focus is on the only blind signature scheme available in the MQ setting, proposed by Petzoldt et al. While the security of the original scheme was discussed in a non-standard and significantly weak model, we propose a concrete security reduction for a slightly modified scheme in the standard one-more unforgeability (OMF) model.

Central to all our modular proofs are new forking algorithms. The forking algorithm/lemma has been widely used in the formal security reduction of numerous cryptographic schemes, mainly in the discrete logarithm and RSA settings. The abstractions proposed here allow multiple forkings at the same index while satisfying certain additional conditions for the underlying IDS in the MQ setting. Thus, the forking algorithms capture the nuances of the MQ setting while being agnostic of the underlying structure.
Benjamin Fuller, Arinjita Paul, Maryam Rezapour, Ronak Sahu, Amey Shukla
ePrint Report
In searchable encryption, a data owner outsources data to a server while allowing efficient search by clients. A multimap associates keywords with a variable number of documents. We consider the setting with multiple owners and multiple clients (Wang and Papadopoulos, Cloud Computing 2023). The goal is for each owner to store a multimap and grant access to clients. Prior work shares three weaknesses:

  • Restricting patterns of adversarial behavior,
  • Duplicating any data shared with a new client, and
  • Leaking each client's access pattern and share pattern.

We present MARS, the first SSE for multiple owners and clients that considers security for an arbitrary collection of adversarial parties. Our scheme only leaks the volume of the result size and the number of requested keywords, both of which can be padded. No data is replicated.

Our scheme combines 1) private information retrieval (PIR) to protect search patterns, 2) efficient delegation of the ability to index keywords and decrypt records, and 3) tabulation hashing to allow a single query for locations associated with a keyword. The first two items can be thought of as a keyword unkeyed PIR where the data owner gives the client the identifiers for individual keywords and keys to decrypt records.

Our system is implemented on multimaps up to size $24$ million (the Enron dataset) with a total time of $1.2$s for keywords that match $100$ documents. This compares to a time of $0.500$s for Wang and Papadopoulos, which replicates data and has access, sharing, and query equality leakage.

Storage overhead is a factor of $6.6$. Our implementation uses FrodoPIR as the underlying PIR. Our system can incorporate batch or doubly-efficient unkeyed PIR as their performance improves.
Jan-Pieter D'Anvers, Xander Pottier, Thomas de Ruijter, Ingrid Verbauwhede
ePrint Report
TFHE bootstrapping is typically limited to a small plaintext space, with an exponential increase in cost for larger plaintext spaces. To bootstrap larger integers, one can use digit decomposition, a procedure that iteratively extracts and bootstraps a part of the larger plaintext space. Conventional state-of-the-art methods typically extract bits starting from the least significant bits (LSBs) and progress to the most significant bits (MSBs). We introduce a DirtyMSB extraction procedure that, for the first time, enables digit decomposition from the MSBs to the LSBs. However, this procedure introduces a small error during extraction. We demonstrate how to compensate for this error in subsequent iterations. Compared to traditional LSB-to-MSB digit decomposition, our method improves the throughput, with for example an increase of 20% for a 5-bit plaintext and a 50% increase for an 8-bit plaintext. In contrast to LSB-to-MSB methods, our extracted output ciphertexts have fresh noise, allowing us to directly use the extracted outputs for further computation without the need for an additional bootstrap or less efficient parameters. We demonstrate the applicability of our method by improving large-scale addition and scalar multiplication. Our method is particularly effective for vector addition operations, accelerating the addition of 1000 16-bit numbers by a factor of $\times2.75$. Furthermore, we demonstrate a $\times2.27$ speedup over the state-of-the-art implementation of scalar multiplication.
Christof Beierle, Gregor Leander, Yevhen Perehuda
ePrint Report
An integral distinguisher for a block cipher is defined by a nontrivial subset of plaintexts for which the bitwise sum of (parts of) a certain internal state is independent of the secret key. Such a distinguishing property can be turned into a key-recovery procedure by partially decrypting the ciphertexts under all possible keys and then filtering the key candidates using the integral distinguisher. The behavior of this filter has never been analyzed in depth, and we show that the ubiquitous hypothesis about its behavior is incorrect.

Fortunately, the deviation is either limited or can be exploited to improve the underlying attacks. By algorithmically determining the exact subspaces of key candidates to be guessed, whose dimensions are often lower than expected, we are able to improve upon the best known integral key-recovery attacks on various ciphers.
Benjamin E. Diamond, Angus Gruen
ePrint Report
For each positive integer $c^*$, we construct an infinite sequence of Reed–Solomon codes $C \subset \mathbb{F}_q^n$, together with ball radii $z$, for which the proportion of $\mathbb{F}_q^n$ collectively covered by the radius-$z$ Hamming balls decays asymptotically more slowly than $\frac{n^{c^*}}{q}$ does. To pinpoint this decay rate, we develop various new, sharp combinatorial estimates, pertaining to the volumes of balls and their intersections.

Our result proves that the capacity conjecture of Ben-Sasson, Carmon, Ishai, Kopparty and Saraf (J. ACM '23) is false. Our code families' relative rates converge to 0 and their relative radii converge to 1. We suggest avenues by means of which the capacity conjecture might be resuscitated; roughly, we suggest restricting that conjecture to the case of families whose relative rates are bounded from below by a positive constant. Our work shows that many deployed SNARKs may be less secure than they were formerly—optimistically—assumed to be.
Hariprasad Kelassery Valsaraj, Prasanna Ravi, Shivam Bhasin
ePrint Report
Post-quantum cryptographic schemes like ML-KEM and ML-DSA have been standardized to secure digital communication against quantum threats. While their theoretical foundations are robust, we identify a critical implementation-level vulnerability in both: a single point of failure centered on the random seed pointer used in polynomial sampling. By corrupting this pointer, an attacker can deterministically compromise the entire scheme, bypassing standard countermeasures. We present the first practical fault-injection attacks exploiting this weakness and validate them on an STM32H7 microcontroller using laser fault injection. Our results demonstrate full key and message recovery for ML-KEM and signature forgery for ML-DSA, with success rates up to 100%. We further verify the presence of this vulnerable implementation style in widely used public libraries, including PQM4, LibOQS, PQClean, and WolfSSL, and propose effective countermeasures to mitigate this overlooked yet severe threat.
Alexandra Henzinger, Seyoon Ragavan
ePrint Report
We build two-server private information retrieval (PIR) that achieves information-theoretic security and strong double-efficiency guarantees. On a database of $n > 10^6$ bits, the servers store a preprocessed data structure of size $1.5 \sqrt{\log_2 n} \cdot n$ bits and then answer each PIR query by probing $12 \cdot n^{0.82}$ bits in this data structure. To our knowledge, this is the first information-theoretic PIR with any constant number of servers that has quasilinear server storage $n^{1+o(1)}$ and polynomially sublinear server time $n^{1-\Omega(1)}$.

Our work builds on the PIR-with-preprocessing protocol of Beimel, Ishai, and Malkin (CRYPTO 2000). The insight driving our improvement is a compact data structure for evaluating a multivariate polynomial and its derivatives. Our data structure and PIR protocol leverage the fact that Hasse derivatives can be efficiently computed on-the-fly by taking finite differences between the polynomial's evaluations. We further extend our techniques to improve the state-of-the-art in PIR with three or more servers, building on recent work by Ghoshal, Li, Ma, Dai, and Shi (TCC 2025).

On a 55 GB database with 64-byte records, our two-server PIR encodes the database into a 1 TB data structure – which is 1,600,000$\times$ smaller than that of prior two-server PIR-with-preprocessing schemes, while maintaining the same communication and time per query. To answer a PIR query, the servers probe 102 MB from this data structure, requiring 550$\times$ fewer memory accesses than linear-time PIR. The main limitation of our protocol is its large communication complexity, which we show how to shrink to $n^{0.31} \cdot \mathsf{poly}(\lambda)$ using compact linearly homomorphic encryption.

30 October 2025

Virtual event, Anywhere on Earth, -
Event Calendar
Event date: to
Submission deadline: 30 June 2026
University of South Florida
Job Posting
The USF Center for Cryptographic Research is recruiting multiple postdoctoral fellows to work on Applied Algebra with an emphasis on Cryptography, Coding Theory, and Quantum Computing. The successful candidates will be hosted by the USF Department of Mathematics & Statistics on our Tampa campus.

Our program is supported by an NSF Research Training Group (RTG) grant. More information about our RTG program is available at: http://usf-crypto.org/rtg-overview/.

Minimum qualifications include a Ph.D. from an accredited institution in mathematics, computer science, or a related field. ABD candidates are acceptable, but the degree must be conferred before the intended start date. Candidates must meet university criteria for appointment to the rank of Postdoctoral Fellow. Preference will be given to candidates with an established record of publications in Applied Algebra; in particular, Cryptography, Coding Theory, or Quantum Computing.

The start date is negotiable, but must be before August 7, 2026. The position will remain open until filled.

Applications must be submitted online at http://jobs.usf.edu. Required documentation, submitted as a SINGLE document, includes a Cover Letter, CV, and a Statement of Research. In addition, candidates should have at least three letters of recommendation submitted through MathJobs.org. The Mathjobs links for the positions are below:
  • Position 1 (Cryptography): https://www.mathjobs.org/jobs/list/27368
  • Position 2 (Coding Theory): https://www.mathjobs.org/jobs/list/27367
  • Position 3 (Quantum Computing): https://www.mathjobs.org/jobs/list/27370
  • Position 4 (Open): https://www.mathjobs.org/jobs/list/27371
Positions 1 to 3 are for 3 years, and applicants must be U.S. citizens or permanent residents (Green Card). Position 4 is for 2 years, but carries no residency restriction.

Review of applications will begin on December 1, 2025.

Closing date for applications:

Contact: Jean-François Biasse

Department of Computer Science
Job Posting
Open positions at all ranks (tenure track, associate and full professor) at our Department of Computer Science, Aarhus University! All topics are welcome, including in particular: Quantum Information Processing, Quantum Cryptography, and System/Network Security. Deadline: Jan 5th 2026.

Closing date for applications:

Contact: Claudio Orlandi

More information: https://international.au.dk/about/profile/vacant-positions/job/aarhus-university-is-hiring-assistant-associate-and-full-professors-for-the-department-of-computer-science

UCLouvain
Job Posting

UCLouvain seeks to recruit a full-time faculty member in the fields of cybersecurity and software security.

The application deadline is November 12, 2025, and details are available from the link in the title.

Closing date for applications:

Contact: Olivier Pereira -- olivier.pereira@uclouvain.be

More information: https://jobs.uclouvain.be/PersonnelAcademique/job/An-academic-in-Cybersecrurity-and-Software-Security/1244992801/

Input-Output - Cardano
Job Posting

IOG is a technology company focused on blockchain research and development. We are renowned for our scientific approach to blockchain development, emphasizing peer-reviewed research and formal methods to ensure security, scalability, and sustainability. Our projects include decentralized finance (DeFi), governance, and identity management, aiming to advance the capabilities and adoption of blockchain technology globally.

Bitcoin DeFi is about unlocking real utility for the world’s most trusted digital asset without ever compromising user control. For developers and innovators, this means finding a way to use Bitcoin in decentralized finance without forcing holders to hand their BTC to a third party. Until now, most attempts at Bitcoin DeFi have relied on “wrapped” tokens that essentially represent a promise – you send your BTC away and trust someone else to issue a proxy token on another chain. In all these custodial models, users effectively give up custody of their bitcoin to an intermediary in exchange for a tokenized representation. This status quo runs counter to Bitcoin’s core ethos of self-sovereignty and security.

What the role involves:

As an experienced Cryptographic Engineer, you will contribute to the design, implementation, and integration of secure cryptographic protocols and primitives across diverse projects. This role sits at the intersection of applied research and engineering, turning advanced cryptographic designs into robust, production-ready systems. You will work closely with researchers, protocol designers, software architects, and QA teams to ensure cryptographic correctness, performance, and maintainability, with a strong emphasis on high-assurance coding and practical deployment.

  • Design and implement cryptographic constructions, such as digital signatures, zero-knowledge proofs, verifiable random functions (VRFs), commitment schemes, and accumulators.
  • Develop and maintain cryptographic libraries, primarily using Rust and Haskell, with attention to safety, clarity, performance, and auditability.
  • Translate academic research and formal specifications into reliable code.

Closing date for applications:

Contact: Marios Nicolaides

More information: https://apply.workable.com/io-global/j/1308F174CD/

IT University of Copenhagen
Job Posting
We are looking for a 2-year postdoc on Neuro-Symbolic learning in secure multi-party computation. The Villum Experiment research project “Neuro-Symbolic Federated Learning with Secure Multi-Party Computation” aims to explore the feasibility of training neural networks with logical constraints using secure MPC. The project addresses critical domains such as finance and healthcare, where data privacy is paramount and traditional data sharing is not an option.

The research will focus on:
  • Investigating differentiable logics (DLs) such as DL2, fuzzy logics, and logics of the Lawvere quantale, to evaluate their tractability and numerical stability under MPC frameworks, with formal correctness guarantees.
  • Developing novel multi-valued logics tailored for MPC if existing ones prove inadequate.
  • Implementing and benchmarking neuro-symbolic models trained under secure MPC protocols.

The postdoc will:
  • Conduct theoretical and empirical research on DLs and MPC.
  • Develop prototype implementations using existing MPC frameworks or custom solutions.
  • Collaborate across disciplines including cryptography, machine learning, logic, and formal methods.
  • Contribute to publications in top-tier venues and help shape a new research frontier.

We seek a candidate with:
  • A PhD in Computer Science, Mathematics, Data Science, or a related field.
  • A strong background in at least some of the following: machine learning, logic, cryptography and secure multi-party computation, formal verification.
  • Experience with federated learning, differentiable programming, or symbolic AI (a plus).
  • Proficiency with various programming languages such as Python, C++/Rust, and functional languages.
  • Experience with interactive theorem provers such as Rocq, Lean or Isabelle (a plus).
  • Ability to work independently and collaboratively in an interdisciplinary environment.

Closing date for applications:

Contact: Alessandro Bruni

More information: https://candidate.hr-manager.net/ApplicationInit.aspx?cid=119&ProjectId=181828&DepartmentId=3439&M

Kanazawa University
Job Posting
  • Field of specification: Advanced research area related to quantum/digital security, such as quantum security, post-quantum cryptography/systems, and security practice in general.
  • Start of employment: April 1st, 2026, or the earliest possible date afterwards
  • Deadline for application: November 7th, 2025
Further information: https://www.se.kanazawa-u.ac.jp/wp-content/uploads/2025/10/20251107_ec_en.pdf

Closing date for applications:

Contact: Masahiro Mambo

More information: https://www.se.kanazawa-u.ac.jp/wp-content/uploads/2025/10/20251107_ec_en.pdf

Santa Barbara, USA, 17 August - 20 August 2026
CRYPTO
Event date: 17 August to 20 August 2026

Aarhus, Denmark, 18 May - 21 May 2026
Event Calendar
Event date: 18 May to 21 May 2026

Versailles, France, 8 June - 12 June 2026
Event Calendar
Event date: 8 June to 12 June 2026
Submission deadline: 15 January 2026
Notification: 26 March 2026