International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available via email and via RSS feed.

17 November 2025

Parhat Abla
ePrint Report
The existing lattice-based signature and IBE schemes suffer from the non-compactness of public keys or larger reduction loss in the security analysis. Thus we solve and improve those deficiencies as follows:
– First, we construct a lattice-based short signature scheme with a compact verification key in the standard model based on the ring short integer solution (RSIS) assumption. Under the same compactness, the ring modulus of our signature scheme is significantly smaller than the compact signature scheme of Alperin-Sheriff (PKC 2015). More importantly, our signature scheme achieves better reduction loss than all the previous confined guessing-based signatures. In other words, our signature scheme achieves better security and efficiency simultaneously.
– Secondly, we further design a short signature scheme with a nearly compact public key size and an even smaller reduction loss. Our second signature scheme achieves even better reduction loss than our first signature scheme, yet at the cost of increasing the public key to a super-constant number of ring vectors.
– Last but not least, we construct an adaptively secure compact IBE scheme from the lattice assumptions and the truncation collision-resistant hash functions (TCRHF) introduced by Jager and Kurek (ASIACRYPT 2018). Note that the previous TCRHF-based IBE schemes are not even close to compactness.
The above improvements mainly benefited from our compact design of the tag functions and their more compact homomorphic evaluations. We also believe that our newly designed tag function may find new applications in designing other cryptographic schemes, like ABE and others.
Mohammad Sadegh Ahmadi, Taraneh Eghlidos, Behzad Abdolmaleki, Ngoc Khanh Nguyen
ePrint Report
Designated Verifier zero-knowledge Succinct Non-Interactive Arguments of Knowledge (DV-zkSNARKs) are cryptographic argument systems in which the ability to verify proofs is restricted to a designated verifier. Unlike publicly verifiable zkSNARKs, these constructions ensure that only an authorized party can validate the correctness of the proof. Existing lattice-based DV-zkSNARK constructions typically rely on either linear-only encryption (LOE) or linear targeted malleability (LTM). The former does not guarantee security against quantum adversaries, while the latter restricts knowledge soundness to the non-adaptive setting. To address these limitations, we propose an inner product argument system that relies solely on the hardness of the Module Short Integer Solution (MSIS) assumption and achieves knowledge soundness in the random oracle model. This construction enables a designated verifier, holding a secret key, to succinctly verify the inner product of a committed witness with an arbitrary vector. By combining our argument system with a linear probabilistically checkable proof (LPCP) compiler, to the best of our knowledge, we obtain the first DV-zkSNARK construction based on standard assumptions. Our implementation achieves prover and verification times comparable to the state of the art, while reducing public parameter size by a factor of 10, at the cost of a 2.5× increase in proof size.
Wei Huang, Shuming Jiao, Huichang Guan, Huisi Miao, Chao Wang
ePrint Report
Optical computing has garnered significant attention in recent years due to its high-speed parallel processing and low power consumption capabilities. It has the potential to replace traditional electronic components and systems for various computation tasks. Among these applications, leveraging optical techniques to address information security issues has emerged as a critical research topic. However, current attempts are predominantly focused on areas such as image encryption and information hiding, with limited exploration of other modern information security concepts, including zero-knowledge proof (ZKP). In this paper, we propose an optical ZKP method based on single-pixel imaging (SPI). By utilizing the flexibility of SPI, our proposed approach can directly acquire randomly permuted results of the source problem's solution in the form of encoded images, thereby encrypting and verifying the original solution. ZKP for the source problem can be realized with optical computing based on a proving protocol without disclosing additional information. Simulated and experimental results show that our proposed method can be effectively applied to two typical ZKP problems: Sudoku and Hamiltonian cycle problem.
Javier Herranz, Hugo Louiso
ePrint Report
Hash-based signatures are a strong candidate for post-quantum scenarios requiring authentication and integrity. Their security relies only on (well-studied) properties of hash functions, so they may be thought of as being more robust than other schemes that (today) resist quantum attacks, like those based on lattices, coding or isogenies.

Recent works are also studying hash-based signature schemes with additional properties, like group, ring, threshold, or aggregate signature schemes. In this work we do the same for the important case of blind signatures. We describe a possible hash-based instantiation of Fischlin's generic scheme, we motivate our choices and we finally give some benchmarks for running times and memory requirements, resulting from our C implementation.
Alexander Wagner, Marc Schink, Silvan Streit, Dominik Klein, Sven Freud
ePrint Report
The interest in hash-based signatures (HBS) has increased since the need for post-quantum cryptography (PQC) emerged that could withstand attacks by quantum computers. Since their standardization, stateful HBS algorithms have been deployed in several products ranging from embedded devices up to servers.

In practice, they are most applicable to verify the integrity and authenticity of data that rarely changes, such as the firmware of embedded devices. The verification procedure then takes place during a secure boot or firmware update process. In past works, the research community has investigated hardware and software optimizations for this use case and vendors brought forward products.

In this study, we practically evaluate a fault attack on the Winternitz One-Time Signature (WOTS) scheme. The attack can be mounted on different HBS schemes, such as LMS, XMSS, and SPHINCS+. Both, the verification as well as the signing operation can be targeted.

The study describes the preparation and implementation of the attack on a standard microcontroller as well as the difficulties the attacker has to overcome. Additionally, it presents a countermeasure, which is easy to implement and can increase the effort for an attacker significantly.
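The Winternitz chains this abstract refers to, as an added illustration that is not the paper's code: a toy WOTS in Python with n = 32, w = 16 and 67 chains, omitting the per-step bitmasks and PRF-derived chaining keys that LMS, XMSS and SPHINCS+ use. It does not model the fault attack. It shows the chain structure the attack targets (signing reveals intermediate chain values, verification finishes the chains) and why the checksum chains exist: from one genuine signature anyone can move the message chains forward, and only the checksum, which would then have to move backward, stops that. The step-index domain separation in `_step` and the all-zero / all-0x11 digests are constructed for the example.

```python
import hashlib
import secrets

N = 32                  # hash output / chain value length in bytes
W = 16                  # Winternitz parameter: each chain has W-1 hash steps
LEN1 = 2 * N            # 64 message digits of 4 bits each
LEN2 = 3                # checksum digits: max checksum 64*15 = 960 < 16**3
LEN = LEN1 + LEN2       # 67 chains in total


def _step(i: int, x: bytes) -> bytes:
    # One chain step, domain-separated by the step index i (assumption for the
    # toy; real WOTS+ instead XORs a public bitmask and keys the hash).
    return hashlib.sha256(i.to_bytes(2, "big") + x).digest()


def chain(x: bytes, start: int, steps: int) -> bytes:
    """Apply `steps` chain steps to x, beginning at chain position `start`."""
    for i in range(start, start + steps):
        x = _step(i, x)
    return x


def message_digits(digest: bytes) -> list[int]:
    """Split a 32-byte digest into 64 base-16 digits, most significant first."""
    assert len(digest) == N
    out = []
    for b in digest:
        out.extend((b >> 4, b & 0x0F))
    return out


def checksum_digits(msg_digits: list[int]) -> list[int]:
    """Checksum = sum over chains of (W-1 - digit), as LEN2 base-W digits."""
    csum = sum(W - 1 - d for d in msg_digits)
    return [(csum >> (4 * (LEN2 - 1 - k))) & 0x0F for k in range(LEN2)]


def all_digits(digest: bytes) -> list[int]:
    md = message_digits(digest)
    return md + checksum_digits(md)


def keygen() -> tuple[list[bytes], list[bytes]]:
    sk = [secrets.token_bytes(N) for _ in range(LEN)]
    pk = [chain(s, 0, W - 1) for s in sk]       # end of every chain
    return sk, pk


def sign(sk: list[bytes], digest: bytes) -> list[bytes]:
    """Signature element j is the chain value at position digit_j."""
    return [chain(sk[j], 0, d) for j, d in enumerate(all_digits(digest))]


def verify(pk, digest, sig, check_checksum=True) -> bool:
    """Finish every chain from the signed position and compare with the key."""
    digs = all_digits(digest)
    limit = LEN if check_checksum else LEN1
    return all(chain(sig[j], digs[j], W - 1 - digs[j]) == pk[j]
               for j in range(limit))


def advance_chains(sig, digest_from, digest_to, chains):
    """Move the selected chains forward from the digits of digest_from to the
    digits of digest_to. Returns None if any chain would have to move backward,
    which would require inverting the hash."""
    d_from, d_to = all_digits(digest_from), all_digits(digest_to)
    forged = list(sig)
    for j in chains:
        if d_to[j] < d_from[j]:
            return None
        forged[j] = chain(sig[j], d_from[j], d_to[j] - d_from[j])
    return forged


def try_forge(sig, digest_from, digest_to):
    """Forgery attempt from one genuine signature alone (no faults, no secrets)."""
    return advance_chains(sig, digest_from, digest_to, range(LEN))


if __name__ == "__main__":
    sk, pk = keygen()
    d1 = bytes([0x00]) * N            # constructed digest: all message digits 0
    d2 = bytes([0x11]) * N            # constructed digest: all message digits 1
    sig = sign(sk, d1)
    assert verify(pk, d1, sig)
    # Message chains can always be advanced forward ...
    partial = advance_chains(sig, d1, d2, range(LEN1))
    assert verify(pk, d2, partial, check_checksum=False)
    # ... but the checksum shrinks, so a checksum chain would have to go back.
    assert not verify(pk, d2, partial)
    assert try_forge(sig, d1, d2) is None
    print("ok")
```

The same forward-only property is what makes a single reused one-time key, or a signature obtained on a faulted message, so valuable to an attacker: every chain value a signer ever releases is usable for any message whose digits are at least as large in every chain, checksum included.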
Adithya Bhat, Srinivasan Raghuraman, Panagiotis Chatzigiannis, Duc V Le, Mohsen Minaei
ePrint Report
Existing payment systems make fixed trade-offs between performance and security assumptions. Traditional centralized systems like Visa assume synchronous networks and crash faults to achieve high throughput, while blockchain-based systems (e.g., Algorand, Aptos) adopt Byzantine fault tolerance and partial synchrony for stronger security at the cost of performance. This rigid approach forces all users to accept the same security-performance trade-off regardless of their individual trust and threat models.

We present a flexible payment system where clients independently choose assumptions about (i) network timing (bounded or partial synchrony), (ii) corruption (static or adaptive), and (iii) faults (crash or Byzantine), supporting eight assumption combinations simultaneously. Unlike traditional systems requiring consensus, our approach uses a novel flexible variant of consistent broadcast where clients external to the protocol verify delivery through cryptographic proofs, eliminating the need for global ordering. We implemented our system in Rust and demonstrated that clients choosing partially synchronous network and crash assumptions achieve $+242.1\%$ higher throughput and $+70.4\%$ better latency compared to clients with synchronous network and Byzantine assumptions, confirming that our system enables users to optimize their individual security-performance trade-offs.

14 November 2025

Darya Kaviani, Srinath Setty
ePrint Report
As digital identity verification becomes increasingly pervasive, existing privacy-preserving approaches are still limited by complex circuit designs, large proof sizes, trusted setups, or high latency. We present Vega, a practical zero-knowledge proof system that proves statements about existing credentials without revealing anything else. Vega is simple, does not require a trusted setup, and is more efficient than the prior state-of-the-art: for a 1920-byte credential, Vega achieves 212 ms proving time, 51 ms verification time, 150 kB proofs, and a 436 kB proving key. At the heart of Vega are two principles that together enable a lightweight proof system that pays only for what it needs. First, fold-and-reuse proving exploits repetition and folding opportunities (i) across presentations, by pushing repeated work to a rerandomizable precomputation; (ii) across uniform hashing steps, by folding many steps into a single step; and (iii) for zero-knowledge, by folding the public-coin transcript with a random one. Second, lookup-centric arithmetization extracts relevant values from credential bytes, both for extracting relevant fields without full in-circuit parsing, and to enable length-hiding hashing.
Zhongxiang Zheng, Anyu Wang, Chunhuan Zhao, Guangwu Xu, Zhengtao Jiang, Sibo Feng, Zhichen Yan, Shuang Sun, Xiaoyun Wang
ePrint Report
In this paper, we propose a new post-quantum lattice-based IND-CCA2-secure key encapsulation mechanism (KEM) named Lore. The scheme is based on a variant of the MLWR problem following the LPR structure with two new technologies called variable modulus and CRT compression, which provide a balance of decryption failure probability and ciphertext size. We prove its security in ROM/QROM and provide concrete parameters as well as a reference implementation to show that our scheme enjoys high efficiency, compact bandwidth and a proper decryption failure rate (DFR) corresponding to its security levels compared with former results.
Markku-Juhani O. Saarinen
ePrint Report
We report on our experiences with the ongoing European standardisation efforts related to the EU Cyber Resilience Act (CRA) and provide interim (November 2025) estimates on the direction that European cryptography regulation may take, particularly concerning the algorithm "allow list" and PQC transition requirements in products.

We also outline some of the risks associated with the partially closed standardisation process, including active impact minimisation by vendors concerned with engineering costs, a lack of public review leading to lower technical quality, and an increased potential for backdoors.

The Cyber Resilience Act came into effect in December 2024, and its obligations will fully take effect for makers of "products with digital elements" from 2027. CRA compliance is a requirement for obtaining the CE mark and a prerequisite for selling products in the European Single Market, which comprises approximately 450 million consumers. The CRA has a wide-ranging set of security requirements, including security patching and the use of cryptography (data integrity, confidentiality for data at rest and data in transit). However, the Cyber Resilience Act itself is a legal text devoid of technical detail: it does not specify the type of cryptography deemed appropriate to satisfy its requirements.

The technical implications of CRA are being detailed in approximately 40 new standards from the three European standardisation organisations, CEN, CENELEC, and ETSI. While the resulting ETSI standards can be expected to be available for free even in the drafting stage, the CEN and CENELEC standards will probably require a per-reader license fee. This, despite recent legal rulings asserting that product security and safety standards are part of EU law due to their legal effects.

Taking a recent (2024) example of cryptographic requirements in such standards, we observe that the definitions and language in the Radio Equipment Directive (RED DA) harmonised standard (EN 18031 series) may allow vendors to take an approach where weak cryptography is considered "best practice" right until exploitation is feasible.

Recognising recent developments such as the EU Post-Quantum Cryptography transition roadmap, many CRA standardisation working groups are moving towards a "State-of-the-Art Cryptography" (SOTA Cryptography) model where approved mechanism listings are published by the European Cybersecurity Certification Group (ECCG). CRA-compliant products may still support other cryptographic mechanisms, but only SOTA is permitted as a safe default for Internet-connected products.
Matthias Fitzi, Aggelos Kiayias, Laurent Michel, Giorgos Panagiotakos, Alexander Russell
ePrint Report
Blockchain protocols based on the popular "Proof-of-Work" mechanism yield public transaction ledgers maintained by a group of distributed participants who solve computationally hard puzzles to earn the right to add a block. The success and widespread adoption of this mechanism has led to staggering energy consumption devoted to solving such (otherwise) "useless" puzzles. While the environmental impacts of the framework have been widely criticized, this has been the dominant distributed ledger paradigm for years.

The Ofelimos "Proof-of-Useful-Work" protocol (Fitzi et al., CRYPTO 2022) addressed this by establishing that useful combinatorial problems could replace the conventional hashing puzzles, yielding a provably secure blockchain that meaningfully utilizes the computational work that underlies the protocol. The usefulness to wastefulness ratio of Ofelimos hinges on the properties of its underlying generic distributed local-search algorithm, Doubly Parallel Local Search (DPLS). We observe that this search procedure is particularly wasteful when exploring steep regions of the solution space.

To address this issue, we introduce Frequently Rerandomized Local Search (FRLS), a new generic distributed local search algorithm that we show to be consistent with the Ofelimos architecture. While this algorithm retains ledger security, we show that it also provides compelling performance on benchmark problems arising in practice: Concretely, state-of-art local-search algorithms for cumulative scheduling and warehouse location can be directly adapted to FRLS and we experimentally demonstrate the efficiency of the resulting algorithms.
Hasan Ozgur Cildiroglu, Harun Basmaci, Oguz Yayla
ePrint Report
The advent of quantum computing necessitates a rigorous reassessment of classical cryptographic primitives, particularly lightweight block ciphers (LBCs) deployed in resource-constrained environments. This work presents a comprehensive quantum implementation and security analysis of the Feistel-based LBC MIBS against quantum cryptanalysis. Using the inherent reversibility of its structure, we develop a novel ancilla-free quantum circuit that optimizes qubit count and depth. For MIBS-64 and MIBS-80, our implementation achieves quantum costs of 23,371 and 24,363, requiring 128 and 144 qubits, respectively, with a depth of 4,768. We subsequently quantify the cipher's vulnerability to Grover’s key-search algorithm under the NIST PQC security constraint $\texttt{MAXDEPTH}$. By constructing Grover oracles using inner parallelization with multiple plaintext-ciphertext pairs to suppress false positives, we demonstrate total quantum attack costs of approximately $2^{94}$ for MIBS-64 and $2^{111}$ for MIBS-80. These values fall below NIST’s Level-1 security threshold ($2^{170}$), confirming the susceptibility of both MIBS variants to quantum key-recovery attacks despite their classical lightweight efficiency.

13 November 2025

Hammamet, Tunisia, 8 July - 10 July 2026
Event Calendar
Event date: 8 July to 10 July 2026

Virtual event, Anywhere on Earth
Event Calendar
Submission deadline: 30 June 2026

TU Darmstadt, Germany
Job Posting
The Applied Cryptography Group at Technical University of Darmstadt offers a fully funded position as PhD student in Cryptography. The position is to be filled as soon as possible for 3 years with the possibility of extension. You will conduct research and publish/present the results at top venues for research in cryptography and IT Security.

Topics of particular interest include (but are not limited to):
  • Distributed cryptography
  • Cryptography for blockchains and cryptocurrencies
  • Cryptography for privacy
Your profile:
  • Completed Master's degree (or equivalent) with excellent grades in computer science, mathematics or a similar area.
  • Strong mathematical and/or algorithmic/theoretical CS background
  • Good knowledge of cryptography. Knowledge in concepts of provable security is a plus.
  • Fluent written and verbal communication skills in English
TU Darmstadt is a top research university for IT Security, Cryptography and Computer Science in Europe. We offer excellent working environment in the heart of the Frankfurt Metropolitan Area, which is internationally well-known for a high quality of life.

Review of applications starts immediately and continues until the position is filled. For further information please visit: https://www.informatik.tu-darmstadt.de/cac/cac/index.en.jsp

Please send your application including a CV, transcripts from your Bachelor and Master and a letter of motivation to: job@cac.tu-darmstadt.de

Contact: Sebastian Faust

More information: https://www.informatik.tu-darmstadt.de/cac/cac/index.en.jsp

Princeton University
Job Posting
The Princeton DeCenter invites applications for its inaugural cohort of Postdoctoral Fellows, and more senior researchers with academic or industry experience beginning in Fall 2026.

The DeCenter is a newly established interdisciplinary hub at Princeton University devoted to exploring the decentralization of power and trust through blockchain (and similar) technology.

We seek to create a truly interdisciplinary cohort of postdoctoral fellows to jointly lead research projects. Fellows' primary responsibilities will therefore be to conduct research and collaborate with others in cross-disciplinary research initiatives. We also seek to maintain a vibrant interdisciplinary community, and fellows will also be responsible for co-organizing weekly seminars, occasional workshops, etc. that are of interest to the broader DeCenter community. An ideal candidate would satisfy the following selection criteria:

  • A strong record of research in their primary discipline.
  • A demonstrated ability to lead independent projects.
  • A demonstrated ability (ideal) or demonstrated interest (necessary) in interdisciplinary engagements, and the ability to serve as a strong bridge between their primary discipline and others.
  • A strong record of research (ideal) or demonstrated interest (necessary) in foundational research concerning blockchain technology or similar technologies that support the decentralization of trust.

Contact: Matt Weinberg, smweinberg@princeton.edu

More information: https://puwebp.princeton.edu/AcadHire/apply/application.xhtml?listingId=40762

Institute of Science and Technology Austria (ISTA), Klosterneuburg (close to Vienna), Austria
Job Posting
The Cryptography Group at ISTA invites applications for a Postdoctoral Researcher in theoretical and applied cryptography. For part (about one year) this position can be funded by the SPYCODE project (https://spycode.at/).

Potential research topics include:

  • blockchain related topics, including consensus protocols, scaling.
  • proofs of resources, like proofs of work, proofs of space, proofs of time (verifiable delay functions).
  • public-key cryptography.
  • lower bounds.

Position details:

  • Full-time, fully funded.
  • Initial term: 2 years, extendable.
  • Flexible start (ideally asap).
  • Working language: English (no German required).

About IST Austria:
The Institute of Science and Technology Austria, near Vienna, offers a vibrant, international research environment, strong interdisciplinary exchange, and competitive compensation.

Application:
Please send a CV and optionally a research statement and contact details of one or two referees to pietrzak@ista.ac.at with the subject Postdoc Application – SPYCODE.
Applications will be reviewed until the position is filled.

Contact: pietrzak@ista.ac.at

More information: https://ist.ac.at/en/research/pietrzak-group

New Jersey Institute of Technology, Department of Computer Science, USA
Job Posting
The Computer Science Department at the New Jersey Institute of Technology (NJIT) invites applications for a tenure-track faculty position starting in Fall 2026. Exceptional candidates will be considered in all areas of Computer Science, but priority will be given to those that can build synergies in Cybersecurity, defined broadly. We aim to hire at the rank of Assistant Professor, but exceptional candidates at higher ranks will also be considered.

NJIT is a Carnegie R1 Doctoral University (Very High Research Activity), with $178M research expenditures in FY24. The Computer Science Department has 34 tenured/tenure track faculty, with nine NSF CAREER, one DARPA Young Investigator, and one DoE Early Career awardees. The Computer Science Department enrolls over 2,000 students at all levels across six programs of study and is part of the Ying Wu College of Computing (YWCC), alongside the Departments of Informatics and Data Science. YWCC has an enrollment of more than 3,800 students in computing disciplines and is the largest producer of computing talent in the tri-state (NY, NJ, CT) area.

To formally apply for the position, please submit your application materials at https://academicjobsonline.org/ajo/jobs/30654. Applications received by December 31, 2025 will receive full consideration. However, applications are reviewed until all the positions are filled. Contact address for inquiries: cs-faculty-search@njit.edu.

At NJIT, diversity is a core value. We foster a sense of belonging by celebrating individual differences and ensuring that every member of our community feels included and empowered.

Contact: cs-faculty-search@njit.edu

More information: https://cs.njit.edu/open-faculty-positions

Rittwik Hajra, Subha Kar, Pratyay Mukherjee, Soumit Pal
ePrint Report
A recent work by Kate et al. [EPRINT 2025] proposes a community-based social recovery scheme (SKR), where key-owners can use a subset of other community members as guardians, and in exchange, they play guardians to support other participants' key recovery. Their construction relies on a new concept called bottom-up secret sharing (BUSS). However, they do not consider a crucial feature, called traceability, which ensures that if more than a threshold number of the guardians collude, at least some colluders' identities can be traced -- thereby deterring participants from colluding. In this paper, we incorporate traceability into the community social key recovery as an important feature.

We first introduce the notion of traceable BUSS, which allows tracing colluders by accessing a reconstruction box. Then, extending the work of Boneh et al. [CRYPTO 2024], we propose the first traceable BUSS construction. Finally, we show how to generically use a traceable BUSS scheme to construct a traceable SKR in the aforementioned community setting. Overall, this is the first scheme combining decentralized key management with traceability, marrying BUSS’s scalability with the deterrence of traceable secret sharing.
Jorge Andresen, Paula Arnold, Sebastian Berndt, Thomas Eisenbarth, Sebastian Faust, Marc Gourjon, Eric Landthaler, Elena Micheli, Maximilian Orlt, Pajam Pauls, Kathrin Wirschem, Liang Zhao
ePrint Report
While passive probing attacks and active fault attacks have been studied for multiple decades, research has only started to consider combined attacks that use both probes and faults relatively recently. During this period, polynomial masking became a promising, provably secure countermeasure to protect cryptographic computations against such combined attacks. Unlike other countermeasures, such as duplicated additive masking, polynomial masking can be implemented using a linear number of shares, as shown by Berndt et al. at CRYPTO '23. Based upon this fact, Arnold et al. noted at CHES '24 that polynomial masking is particularly well-suited for parallel computation. This characteristic is especially effective in scenarios involving multiple circuits with identical structures, such as the 16 SBoxes in AES. Just recently, Faust et al. showed at CHES '25 that one can also incorporate the technique of packed secret sharing into these masking schemes, given that the state-of-the-art polynomial masking scheme is secure against combined attacks.

In this work, we present provably secure advancements regarding this state-of-the-art scheme in both computational and randomness efficiency, reducing the randomness complexity by up to 50% and the computational complexity even more by going from a quadratic term to a linear one for many parameters. Moreover, we present the first implementation of a polynomial masking scheme against combined attacks along with an extensive experimental evaluation for a wide range of parameters and configurations as well as a statistical leakage detection to evaluate the security of the implementation on an Arm Cortex-M processor. Our implementation is publicly available to encourage further research in practical combined resilience.
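Packed polynomial sharing, as an added example that is not the authors' implementation: Shamir-style sharing over a prime field in Python, to make concrete what the abstract means by computing on several identical circuits in parallel and where the degree cost of a multiplication comes from. The modulus P, the lane count k = 4, degree d = 5 and n = 11 shares are illustrative assumptions; the schemes in the paper work over GF(2^8) for AES and add the protections against probes and faults that this toy does not have.

```python
import secrets

P = 65537  # prime field modulus (assumption for the example)


def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def secret_slot(i):
    """Packed secret number i lives at x = -(i+1); shares live at x = 1..n."""
    return P - i - 1


def share(lanes, degree, n):
    """Packed sharing: one degree-`degree` polynomial encodes every value in `lanes`."""
    k = len(lanes)
    assert k <= degree + 1 and n >= degree + 1
    points = [(secret_slot(i), s % P) for i, s in enumerate(lanes)]
    # The remaining degree+1-k degrees of freedom are fixed by random values, so
    # the polynomial is uniform among those that encode exactly these lanes.
    points += [(x, secrets.randbelow(P)) for x in range(1, degree + 2 - k)]
    return [interpolate(points, x) for x in range(1, n + 1)]


def reconstruct(points, k):
    """points: (x, share) pairs; needs degree+1 of them for degree-d shared data."""
    return [interpolate(points, secret_slot(i)) for i in range(k)]


def consistent(points, guess, degree):
    """Does some polynomial of degree <= `degree` pass through these share points
    and encode `guess` in the secret slots? With at most degree+1-k shares the
    answer is always yes, which is why those shares reveal nothing."""
    constraints = points + [(secret_slot(i), g % P) for i, g in enumerate(guess)]
    base = constraints[:degree + 1]
    return all(interpolate(base, x) == y for x, y in constraints[degree + 1:])


def pick(shares, indices):
    """Select shares by index; share i sits at x = i + 1."""
    return [(i + 1, shares[i]) for i in indices]


def demo(a, b, degree=5, n=11):
    """Share-wise linear ops keep degree d; a share-wise product has degree 2d."""
    k = len(a)
    sa, sb = share(a, degree, n), share(b, degree, n)
    s_sum = [(x + y) % P for x, y in zip(sa, sb)]      # a + b on all lanes
    s_scaled = [(7 * x) % P for x in sa]               # 7 * a on all lanes
    s_prod = [(x * y) % P for x, y in zip(sa, sb)]     # a * b, now degree 2d
    return {
        "sum": reconstruct(pick(s_sum, range(degree + 1)), k),
        "scaled": reconstruct(pick(s_scaled, range(degree + 1)), k),
        "prod": reconstruct(pick(s_prod, range(2 * degree + 1)), k),
        # degree+1-k = 2 shares: any lane values are consistent, so no leakage
        "two_shares_leak": not consistent(pick(sa, range(degree + 1 - k)), [0] * k, degree),
        # one share more and only the true lanes fit
        "three_shares_fit_truth": consistent(pick(sa, range(degree + 2 - k)), a, degree),
    }


if __name__ == "__main__":
    print(demo([3, 1, 4, 1], [5, 9, 2, 6]))
```

The trade-off visible in `demo` is the one the abstract's efficiency numbers are about: addition and scaling by a public constant cost nothing beyond one operation per share, while a multiplication doubles the degree and therefore needs 2d+1 shares (or a degree-reduction step with fresh randomness) before the next multiplication, which is where the quadratic-versus-linear complexity and the randomness budget enter.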
Qiang Liu, JaeYoung Bae, JoonWoo Lee
ePrint Report
Private Set Union (PSU) enables two parties to compute the union of their input sets without revealing anything else. Depending on set sizes, PSU is studied in balanced and unbalanced settings. Tu et al. (USENIX Security 2025) presented state-of-the-art enhanced PSU (ePSU) protocols under a unified framework in both settings, achieving enhanced security by preventing during-execution leakage. However, we observe that directly applying hash-to-bin on input sets within their framework introduces potential privacy risks. Moreover, the communication of their unbalanced ePSU still scales with the larger set size, rather than being linear in only the smaller set size. In this work, we address these open problems.

We employ a combination of oblivious pseudorandom function (OPRF) and shuffling to mitigate the potential privacy leakage that arises when directly applying the hash-to-bin within the framework of Tu et al. (USENIX Security 2025). Building upon this, we further optimize their balanced ePSU protocol by leveraging a bidirectional oblivious key-value store (OKVS). Compared with the corrected version of Tu et al.'s balanced ePSU, ours achieves a $1.1-3.0\times$ shrinking in communication and a $1.2-1.6\times$ speedup in runtime.

We design the first unbalanced ePSU whose communication is linear solely in the smaller set size. Since no hash-to-bin is used, it is inherently free from the associated privacy leakage. With the smaller set size fixed at $2^{10}$, ours reduces communication by $1.5-45.8\times$ compared with corrected version of Tu et al.'s unbalanced ePSU, while achieving $1.3-6.7\times$ runtime speedups.