International Association
for Cryptologic Research

In many areas of cybersecurity, we require access to Personally Identifiable Information (PII), such as names, postal addresses and email addresses. Unfortunately, this can lead to data breaches, especially in relation to data compliance regulations such as GDPR. An Internet Protocol (IP) address is an identifier that is assigned to a networked device to enable it to communicate over networks that use IP. Thus, in applications which are privacy-aware, we may aim to hide the IP address while aiming to determine if the address comes from a blacklist. One solution to this is to use homomorphic encryption to match an encrypted version of an IP address to a blacklisted network list. This matching allows us to encrypt the IP address and match it to an encrypted version of a blacklist. In this paper, we use the OpenFHE library \cite{OpenFHE} to encrypt network addresses with the BFV homomorphic encryption scheme. In order to assess the performance overhead of BFV, we implement a matching method using the OpenFHE library and compare it against partial homomorphic schemes, including Paillier, Damgard-Jurik, Okamoto-Uchiyama, Naccache-Stern and Benaloh. The main findings are that the BFV method compares favourably against the partial homomorphic methods in most cases.

Program verification ensures software correctness through formal methods but incurs substantial computational overhead. It typically encodes program execution into formulas that are verified using a SAT solver and its extensions. However, this process exposes sensitive program details and requires redundant computations when multiple parties need to verify correctness. To overcome these limitations, zero-knowledge proofs (ZKPs) generate compact, reusable proofs with fast verification times, while provably hiding the program’s internal logic. We propose a two-phase zero-knowledge protocol that hides program implementation details throughout verification. Phase I uses a zero-knowledge virtual machine (zkVM) to encode programs into SAT formulas without revealing their semantics. Phase II employs the encoding of resolution proofs for UNSAT instances and circuits for satisfying assignment verification for SAT instances through PLONKish circuits. Evaluation on the Boolector benchmark demonstrates that our method achieves verification time that is efficient and is independent of clause width for UNSAT instances and formula size for SAT instances. The resulting ZKPs enable efficient verification of program properties while providing strong end-to-end privacy guarantees.

We introduce a novel technique for verifying Schnorr signatures using fast endomorphisms. Traditionally, fast endomorphisms over prime field curves are used to decompose a scalar into two scalars of half of the size. This work shows that the context of the verification of signatures allows for the decomposition into three scalars of a third of the size. We apply our technique to three scenarios: verification of a single Schnorr signature, batch verification, and verification of BLS signatures within the Blind Diffie-Hellman key exchange protocol. Our experiments on AMD x86 and ARM Cortex-M4 platforms show performance improvements of approximately 20%, 13%, and 27%, respectively. The technique can also be used to accelerate the verification of ECDSA signatures, provided that one additional bit of information is appended to the signature.

As part of our work, we analyze the performance of 3-dimensional lattice reduction algorithms, which are critical for multi-scalar decompositions. To identify the most efficient approach, we experimentally compare Semaev’s algorithm --- known for its best asymptotic complexity --- with the simpler Lagrange’s algorithm. Our results reveal that, despite its simplicity, Lagrange’s algorithm is nearly twice as fast as Semaev’s in practice.

Sorting encrypted values is an open research problem that plays a crucial role in the broader objective of providing efficient and practical privacy-preserving online services. The current state of the art work by Mazzone, Everts, Hahn and Peter (USENIX Security '25) proposes efficient algorithms for ranking, indexing and sorting based on the CKKS scheme, which deviates from the compare-and-swap paradigm, typically used by sorting networks, using a permutation-based approach. This allows to build shallow sorting circuits in a very simple way. In this work, we follow up their work and explore different approaches to approximate the nonlinear functions required by the encrypted circuit (where only additions and multiplications can be evaluated), and we propose simpler solutions that allow for faster computations and smaller memory requirements.

In particular, we drastically reduce the upper bound on the depth of the circuits from 65 to 20, making our circuits usable in relatively small rings such as $N=2^{16}$, even for sorting values while preserving up to three decimal places. As an example, our circuit sorts 128 values with duplicates in roughly 20 seconds on a laptop, using roughly 1 GB of memory, maintaining a precision of 0.01. Furthermore, we propose an implementation of a swap-based bitonic network that is not based on approximations of the sgn$(x)$ function, which scales linearly with the number of values, useful when the number of available slots is small.

In this paper, we propose an improvement to the McEliece encryption scheme by replacing the Goppa code with a $(U+V,U+W)$ code. Specifically, we embed the generator matrices of a split Reed-Solomon code into the generator matrix of the $(U+V,U+W)$ code. This approach disrupts the algebraic structure of Reed-Solomon codes, thereby enhancing resistance against structural attacks targeting such codes, while simultaneously preserving their excellent error-correcting capabilities. As a result, the proposed scheme achieves a significant reduction in public key size. Under the hardness assumptions of the decoding problem and the code distinguishing problem for $(U+V,U+W)$ codes, we prove that the scheme achieves indistinguishability under chosen-plaintext attacks (IND-CPA security). Finally, we provide recommended parameters for various security levels and compare the proposed scheme with other code-based public key encryption schemes.

Observing the growing popularity of random permutation (RP)-based designs (e.g, Sponge), Bart Mennink in CRYPTO 2019 has initiated an interesting research in the direction of RP-based pseudorandom functions (PRFs). Both are claimed to achieve beyond-the-birthday-bound (BBB) security of $2n/3$ bits ($n$ being the input block size in bits) but require two instances of RPs and can handle only one-block inputs. In this work, we extend research in this direction by providing two new BBB-secure constructions by composing the tweakable Even-Mansour appropriately. Our first construction requires only one instance of an RP and requires only one key. Our second construction extends the first to a nonce-based Message Authentication Code (MAC) using a universal hash to deal with multi-block inputs. We show that the hash key can be derived from the original key when the underlying hash is the Polyhash. We provide matching attacks for both constructions to demonstrate the tightness of the proven security bounds.

Privacy is a growing concern for smart contracts on public ledgers. In recent years, we have seen several practical systems for privacy-preserving smart contracts, but they only target privacy of on-chain data, and rely on trusted off-chain parties with user data -- for instance, a decentralized finance application (e.g. exchange) relies on an off-chain matching engine to process client orders that get settled on-chain, where privacy only applies to the on-chain data. Privacy conscious users demand stronger notions of privacy, for their identity and their data, from all other parties in the ecosystem.

We propose a novel framework for smart contracts that ensures {\em doubly private} execution, addressing {both on-chain and off-chain privacy} requirements. In our framework, clients submit their requests in a privacy-preserving manner to a group of (potentially mutually untrusting) servers. These servers collaboratively match client requests without learning any information about the data or identities of the clients.

We then present {\em Jigsaw}, an efficient cryptographic realization of our proposed framework. {\em Jigsaw} builds on the ZEXE architecture (Bowe et al., S\&P 2020), which leverages zkSNARKs, and extends Collaborative zkSNARKs (Ozdemir and Boneh, USENIX 2022) to enable proof generation by a group of servers.

In Jigsaw, we introduce a novel collaborative zkSNARK construction that achieves low latency and reduced proving time, and showcase these advantages over sample applications ranging from trading in a decentralized exchange to auctions and voting. Our experiments demonstrate that {\em Jigsaw} is roughly $40-50$x faster in proof generation and uses orders-of-magnitude less bandwidth than the naive approach of using off-the-shelf Collaborative zkSNARKs.

Decentralized e-voting enables secure and transparent elections without relying on trusted authorities, with blockchain emerging as a popular platform. It has compelling applications in Decentralized Autonomous Organizations (DAOs), where governance relies on voting with blockchain-issued tokens. Quadratic voting (QV), a mechanism that mitigates the dominance of large token holders, has been adopted by many DAO elections to enhance fairness. However, current QV systems deployed in practice publish voters' choices in plaintext with digital signatures. The open nature of all ballots comprises voter privacy, potentially affecting voters' honest participation. Prior research proposes using cryptographic techniques to encrypt QV ballots, but they work in a centralized setting, relying on a trusted group of tallying authorities to administrate an election. However, in DAO voting, there is no trusted third party.

In this paper, we propose QV Network (QV-net), the first decentralized quadratic voting scheme, in which voters do not need to trust any third party other than themselves for ballot secrecy. QV-net is self-tallying with maximal ballot secrecy. Self-tallying allows anyone to compute election results once all ballots are cast. Maximal ballot secrecy ensures that what each voter learns from QV-net is nothing more than the tally and their own ballot. We provide an open-source implementation of QV-net to demonstrate its practicality based on real-world DAO voting settings, reporting only a few milliseconds for voting and a maximum of 255 milliseconds for tallying.

The exceptional efficiency of QV-net is attributed to the design of two new Zero-Knowledge Argument of Knowledge (ZKAoK) protocols for QV ballot secrecy and integrity. Previous works generally rely on pairing-friendly curves to prove the well-formedness of an encrypted QV ballot. But they incur heavy computation and large data sizes. We tackle the challenges of appropriately formalizing and proving ZKAoK relations for QV without using these curves. Specifically, we develop a succinct ZKAoK to prove a new relation: the sum of squares of a private vector's components equals a private scalar. We also introduce the first aggregated range proof to prove that values committed under different keys fall within their respective ranges. Together, these two new zero-knowledge protocols enable us to build an efficient decentralized QV scheme and are of independent interest.

Group Signatures are fundamental cryptographic primitives that allow users to sign a message on behalf of a predefined set of users, curated by the group manager. The security properties ensure that members of the group can sign anonymously and without fear of being framed. In dynamic group signatures, the group manager has finer-grained control over group updates while ensuring membership privacy (i.e., hiding when users join and leave). The only known scheme that achieves standard security properties and membership privacy has been proposed by Backes et al. CCS 2019. However, they rely on an inefficient revocation mechanism that re-issues credentials to all active members during every group update, and users have to rely on a secure and private channel to join the group. In this paper, we introduce a dynamic group signature that supports verifier-local revocation, while achieving strong security properties, including membership privacy for users joining over a public channel. Moreover, when our scheme is paired with structure-preserving signatures over equivalence class it enjoys a smaller signature size compared to Backes et al. Finally, as a stand-alone contribution we extend the primitive Asynchronous Remote Key Generation (Frymann et al. CCS 2020) with trapdoors and introduce new security properties to capture this new functionality, which is fundamental to the design of our revocation mechanism

Fully Homomorphic Encryption (FHE) is a key technology to enable privacy-preserving computation. While optimized FHE implementations already exist, the inner workings of FHE are technically complex. This makes it challenging, especially for non-experts, to develop highly-efficient FHE programs that can exploit the advanced hardware of today. Although several compilers have emerged to help in this process, due to design choices, they are limited in terms of application support and the efficiency levels they can achieve.

In this work, we showcase how to make FHE accessible to non-expert developers while retaining the performance provided by an expert-level implementation. We introduce Parasol, a novel end-to-end compiler encompassing a virtual processor with a custom Instruction Set Architecture (ISA) and a low-level library that implements FHE operations. Our processor integrates with existing compiler toolchains, thereby providing mainstream language support. We extract parallelism at multiple levels via our processor design and its computing paradigm. Specifically, we champion a Circuit Bootstrapping (CBS)-based paradigm, enabling efficient FHE circuit composition with multiplexers. Furthermore, Parasol’s underlying design highlights the benefits of expressing FHE computations at a higher level—producing highly compact program representations. Our experiments demonstrate the superiority of Parasol, in terms of runtime (up to 17x faster), program size (up to 22x smaller), and compile time (up to 32x shorter) compared to the current state-of-the-art. We expect the FHE computing paradigm underlying Parasol to attract future interest since it exposes added parallelism for FHE accelerators to exploit.

The Unbalanced Oil and Vinegar construction (UOV) has been the backbone of multivariate cryptography since the fall of HFE-based schemes. In fact, 7 UOV-based schemes have been submitted to the NIST additional call for signatures, and 4 of these made it to the second round. For efficiency considerations, most of these schemes are defined over a field of characteristic 2. This has as a side effect that the polar forms of the UOV public maps are not only symmetric, but also alternating.

In this work, we propose a new key-recovery attack on UOV in characteristic 2 that makes use of this property. We consider the polar forms of the UOV public maps as elements of the exterior algebra. We show that these are contained in a certain subspace of the second exterior power that is dependent on the oil space. This allows us to define relations between the polar forms and the image of the dual of the oil space under the Plücker embedding. With this, we can recover the secret oil space using sparse linear algebra.

This new attack has an improved complexity over previous methods and reduces the security by 4, 11, and 20 bits for uov-Ip, uov-III, and uov-V, respectively. Furthermore, the attack is applicable to MAYO$_2$ and improves on the best attack by 28 bits.

This paper presents OnionPIRv2, an efficient implementation of OnionPIR incorporating standard orthogonal techniques and engineering improvements. OnionPIR is a single-server PIR scheme that improves response size and computation cost by utilizing recent advances in somewhat homomorphic encryption (SHE) and carefully composing two lattice-based SHE schemes to control the noise growth of SHE. OnionPIRv2 achieves $2.5$x-$3.6$x response overhead for databases with moderately large entries (around $4$ KB or above) and up to $1600$ MB/s server computation throughput.

In many fields, the need to securely collect and aggregate data from distributed systems is growing. However, designs that rely solely on encrypted data transmission make it difficult to trace malicious users. To address this challenge, we have enhanced the secure aggregation (SA) protocol proposed by Bell et al. (CCS 2020) by introducing verification features that ensure compliance with user inputs and encryption processes while preserving data privacy. We present LZKSA, a quantum-safe secure aggregation system with input verification. LZKSA employs seven zero-knowledge proof (ZKP) protocols based on the Ring Learning with Errors problem, specifically designed for secure aggregation. These protocols verify whether users have correctly used SA keys and their $L_{\infty}$, $L_2$ norms and cosine similarity of data, meet specified constraints, to exclude malicious users from current and future aggregation processes. The specialized ZKPs we propose significantly enhance proof efficiency. In practical federated learning scenarios, our experimental evaluations demonstrate that the proof generation time for $L_{\infty}$ and $L_2$ constraints is reduced to about $10^{-3}$ of that required by the current state-of-the-art method, RoFL (S\&P 2023), and ACORN (USENIX 2023). For example, the proof generation/verification time of RoFL, ACORN and LZKSA for $L_{\infty}$ is 94s/29.9s, 78.7s/33.9s, and 0.02s/0.0062s for CIFAR10, respectively.

One-Time Pad (OTP), introduced by Shannon, is well-known as an unconditionally secure encryption algorithm and has become the cornerstone of modern cryptography. However, the unconditional security of OTP applies solely to confidentiality and does not extend to integrity. Hash functions such as SHA2, SHA3 or SM3 applies only to integrity but not to confidentiality and also can not obtain unconditional security. Encryption and digital signatures based on asymmetric cryptography can provide confidentiality, integrity and authentication, but they can only achieve computational security. Leveraging the fundamental principles of quantum mechanics，Quantum key distribution（QKD）can achieve unconditional security in theory. However, due to limitations in eavesdropping detection, the use of classical channels and imperfections in quantum devices, it cannot reach unconditional security in practical applications. In this paper, based on polynomial rings and the theory of probability, we propose an unconditionally secure encryption algorithm with unified confidentiality and integrity. The main calculation of the encryption algorithm is Cyclic Redundancy Check(CRC). Theoretical analysis proves that the encryption algorithm not only meets the unconditional security of confidentiality, but also guarantees the unconditional security of integrity, especially suitable for high-security communications such as finance, military, government and other fields.

Event date: 11 August 2025

Event date: 12 August to 13 August 2025

COSIC is looking for a motivated researcher who fit into the following profile: PhD candidate to work on Hardware implementations secured against physical attacks.

Job Description : The position is funded by Flemish Research Funds (FWO). The PhD candidate will work in collaboration with the research group of Prof. Amir Moradi from University of Darmstadt. The research program is defined in a joint research project jointly funded by FWO (Belgium) and DFG (Germany). The title of the project is MatSec – Maturing Physical Security Models in Realistic Scenarios. The PIs of the project in COSIC are Dr. Svetla Nikova and Prof. Vincent Rijmen.

Security models for side-channel analysis and combined attacks for HW implementations exist, but they often make unrealistic assumptions or are inaccurate in modeling physical effects. This results in countermeasures that are either overdesigned, unnecessarily increasing the costs, or still vulnerable to attacks when deployed. The main objective of this project is to provide security models that accurately abstract attacks against cryptographically secured physical devices and that allow for the creation of efficient countermeasures on hardware guaranteeing security in practice.

We are looking for people to work on the following topics: (1) Realistic side-channel models capturing the circuit’s real behavior and achieving a balance between security and efficiency and providing improved countermeasures. (2) Security models and randomness generation: to develop procedures for constructing masked HW/SW implementations with low randomness requirements (3) Combined security models extending known fault/combined adversaries.

Specific Skills Required: For the PhD position: The candidates should hold a master’s degree in Engineering, Mathematics or Computer Science with very good grades, very good knowledge and experience with programing with C/C++ and Verilog/VHDL. Preferably to have passed courses in Cryptography and/or Computer Security.

Closing date for applications:

Contact: Dr. Svetla Nikova

More information: https://www.esat.kuleuven.be/cosic/wp-content/uploads/2025/06/PhD-position_FWO-DFG.pdf

The Department of Combinatorics and Optimization at the University of Waterloo invites applications from qualified candidates for a 2-year position as a Cryptographic Research Architect on the Open Quantum Safe project (https://openquantumsafe.org/).

This position is available immediately in Professor Stebila’s research group. You will be working with a world-wide team of researchers and developers from academia and industry on the Open Quantum Safe project. You will have the opportunity to push the boundaries of applied post-quantum cryptography and contribute to various open-source projects. You will help integrate new post-quantum cryptographic algorithms into the liboqs open-source library, and design and implement techniques for evaluating and benchmarking these cryptographic algorithms in a variety of contexts.

The field of post-quantum cryptography is rapidly evolving, and you will need to track ongoing changes to algorithms due to peer review and advances by researchers via the the NIST Post-Quantum Cryptography project forum. In addition to algorithm research, tasks cover all aspects of the software development lifecycle and include design, programming cryptographic algorithms, integrating other cryptographic implementations into the liboqs framework, integrating liboqs into 3rd party open-source projects, testing, benchmarking and documentation. You may be asked to take an ownership role in coordinating the development of various sub-component of the Open Quantum Safe project.

The appointment will be a full-time position for 2 years. The salary range is $80,000–$115,000/year and commensurate with experience.

Canadians, Canadian Permanent Residents, and those who are legally entitled to work in Canada will be given priority consideration for this position.

For more information on the position and how to apply, please see https://openquantumsafe.org/team/open-positions

Closing date for applications:

Contact: Douglas Stebila (dstebila@uwaterloo.ca)

More information: https://openquantumsafe.org/team/open-positions

Context Our team develops pre-silicon analysis tools to: 1) identify exploitable vulnerabilities at the software level based on these interactions between a software and a microarchitecture, or 2) formally prove the security, for a given attacker model, of a system embedding hardware/software countermeasures against fault injections. These tools implement a methodology that has shown to be successful to find microarchitectural vulnerabilities and/or prove the robustness, for a given fault model, of various RISC-V based processors [1]. For instance, we have formally proven the security of OpenTitan's processor to single bit-flip injections [2].

[1] S. Tollec et al. μArchiIFI: Formal Modeling and Verification Strategies for Microarchitectural Fault Injections. FMCAD 2023

[2] S. Tollec et al.. Fault-Resistant Partitioning of Secure CPUs for System Co-Verification against Faults. TCHES 2024

Objectives

Your main missions will be:

- To design and extend our pre-silicon methodology and associated tools to support different secured processors. In particular, leverage the specificities of the countermeasures embedded by such secured processors to speedup analysis techniques, but also integrate in our methodology and tools post-synthesis netlist level analyses of hardware architectures.

- To participate to a project-scale experimental evaluation aiming to fill the gap between pre-silicon tools and post-silicon security evaluations.

Location Saclay (Paris area) or Grenoble.

Requirements PhD or a Masters’s Degree in Electronics or Computer Science. Excellent interpersonal and communication skills, and a solid background in any of the following fields is expected: computer architecture, programming languages, formal methods, cyber-security. Knowledge or French (spoken or written) is not required but may be helpful on a day-to-day basis.

Application Please send the following documents: CV, cover letter (in French or English), transcrpit of records

Closing date for applications:

Contact: Mathieu Jan (mathieu.jan@cea.fr) and Damien Couroussé (damien.courousse@cea.fr). Reviewing of applications will continue until the position is filled.

Unpaid, part-time fellowship (3–6 months), with potential to evolve into a fully-funded, startup-style venture We invite applied cryptographers to join a part-time, unpaid pilot fellowship focused on zero-knowledge proofs, MPC, and secure data pipelines for biosecurity. No prior biosecurity experience is required—just strong crypto skills and curiosity. You’ll work collaboratively with fellow cryptographers, developers, and biosecurity experts to develop tangible, economically sustainable prototypes, with the goal of launching a funded venture by program’s end. This role is designed to run alongside your current commitments—no need to pause full-time work.

Fellow Responsibilities
- Design zk‑SNARK/STARK or MPC circuits to verify epidemiological data integrity and outbreak modeling
- Prototype privacy-preserving alert systems for decentralized biosurveillance
- Collaborate with peer cryptographers and cross-disciplinary fellows on open-source proof-of-concept systems
- Co-author deliverables: circuit specs, threat models, implementation evaluations

Qualifications:
- Master’s or PhD in cryptography, computer science, mathematics, or related field
- Strong programming and mathematical background
- Experience with zk frameworks (e.g., Circom, snarkjs, arkworks) or MPC is a plus
- No prior biosecurity/domain expertise required—we’ll provide domain support
-Available to work part-time alongside existing commitments

Program Structure & Benefits:
- Unpaid and part-time: built to fit around ongoing work or study
- Goal-driven: produce a self-sustaining prototype or venture by program end
- Collaborative environment: work alongside other cryptographers with mentorship from senior crypto and domain experts
- Opportunity to transition into a funded startup or project launch post-fellowship

Application Instructions:
Send us an email with a brief overview of your background and skills

Closing date for applications:

Contact: bharat@causality.network

More information: https://musematrix.xyz/