International Association
for Cryptologic Research

Achieving (at least) a worst-case correctness error is essential for an underlying public-key encryption (PKE) scheme to which the Fujisaki-Okamoto (FO) transformation is applied. There are three average-case to worst-case (ACWC) transformations—denoted as $\mathsf{ACWC}_{0}$, $\mathsf{ACWC}_{1}$ (PKC 2023), and $\mathsf{ACWC}_{2}$ (TIFS 2023)—which generically convert a PKE scheme with an average-case correctness error into one with a worst-case correctness error. However, in these ACWC transformations the \textit{$\gamma$-spreadness}, a critical factor in determining explicit rejection ($\mathsf{FO}^{\perp}$) or implicit rejection ($\mathsf{FO}^{\not\perp}$), has not been established with rigorous proofs. Existing analyses of $\gamma$-spreadness lack rigorous proofs, include analytical flaws, or fail to achieve the tightest possible bounds. In this work, we reprove the $\gamma$-spreadness of ACWC-transformed PKE schemes by leveraging two key facts: the random oracle is chosen at random and the encoding mechanism used in the ACWC framework is message-hiding. Our new proofs are applied to the previous NTRU-based PKE schemes, called $\mathsf{\mathsf{NTRU}\text{-}\mathsf{C}}$, $\mathsf{NTRU}\text{-}\mathsf{B}$, and $\mathsf{NTRU+}$, giving the corrected $\gamma$-spreaness for those PKE schemes with concrete parameters.

Hashing to elliptic curve groups is a fundamental operation used in many cryptographic applications, including multiset hashing and BLS signatures. With the recent rise of zero-knowledge applications, they are increasingly used in constraint programming settings. For example, multiset hashing enables memory consistency checks in zkVMs, while BLS signatures are used in proof of stake protocols. In such cases, it becomes critical for hash-to-elliptic-curve-group constructions to be constraint-friendly such that one can efficiently generate succinct proofs of correctness. However, existing constructions rely on cryptographic hash functions that are expensive to represent in arithmetic constraint systems, resulting in high proving costs.

We propose a constraint-efficient alternative: a map-to-elliptic-curve-group relation that bypasses the need for cryptographic hash functions and can serve as a drop-in replacement for hash-to-curve constructions in practical settings, including the aforementioned applications. Our relation naturally supports non-deterministic map-to-curve choices making them more efficient in constraint programming frameworks and enabling efficient integration into zero-knowledge proofs. We formally analyze the security of our approach in the elliptic curve generic group model (EC-GGM).

Our implementation in Noir/Barretenberg demonstrates the efficiency of our construction in constraint programming: it achieves over $23\times$ fewer constraints than the best hash-to-elliptic-curve-group alternatives, and, enables $50$-$100\times$ faster proving times at scale.

Multiple authentication solutions are widely deployed, such as OTP/TOTP/HOTP codes, hardware tokens, PINs, or biometrics. However, in practice, one sometimes needs to authenticate not only the user but also their location. The current state-of-the-art secure localisation schemes are either unreliable or insecure, or require additional hardware to reliably prove the user's location. This paper proposes CARPOOL, a novel, secure, and reliable approach to affirm the location of the user by solely relying on location-bounded interactions with commercial off-the-shelf devices. Our solution does not require any additional hardware, leverages devices already present in a given environment, and can be integrated effortlessly with existing security components, such as identity and access control systems. To demonstrate the feasibility of our work and to show that it can be deployed in a realistic closed environment setting, we implemented a proof of concept realisation of CARPOOL on an Android phone and multiple Raspberry Pi boards and integrated CARPOOL with Amazon Web Services (AWS) Cognito.

We give a public key encryption scheme that is provably secure against poly-size adversaries, assuming $n^{\log^\alpha n}$ hardness of the standard planted clique conjecture, for any $\alpha \in (0,1)$, and a relatively mild hardness conjecture about noisy $k\mbox{-}\mathsf{LIN}$ over expanders that is not known to imply public-key encryption on its own. Both of our conjectures correspond to natural average-case variants of NP-complete problems and have been studied for multiple decades, with unconditional lower bounds supporting them in a variety of restricted models of computation. Our encryption scheme answers an open question in a seminal work by Applebaum, Barak, and Wigderson [STOC'10].

SNARKs enable compact proofs that an NP statement is true and that the prover knows a valid witness. They have become a key building block in modern smart contract applications, including rollups and privacy-focused cryptocurrencies. In the widely used Groth16 framework, however, long statements incur high costs. A common workaround is to pass the statement’s hash to the SNARK and move the statement into the witness. The smart contract then hashes the statement first, and the circuit that is proven additionally checks consistency of the hash and the statement. Unfortunately, virtually any hash function is expensive to call either in a smart contract (in terms of gas) or in the proven circuit (in terms of prover time).

We demonstrate a novel solution to this dilemma, which we call hybrid compression. Our method allows us to use two different hash functions—one optimized for the proof circuit, and another optimized for on-chain verification—thereby combining the efficiency advantages of both. We prove the security of this approach in the standard model under reasonable assumptions about the two hash functions, and our benchmarks show that it achieves near-optimal performance in both gas usage and prover time. As an example, compressing an 8 KB statement with our approach results in a 10-second prover time and a smart contract spending 270K gas, whereas the existing approaches either need a much longer proof generation (290 seconds for SHA-256 hashing) or a much more expensive contract (5M gas for Poseidon hashing).

Along the way, we develop a two-party protocol of independent interest in communication complexity: an efficient deterministic method for checking input equality when the two parties do not share the same hash function.

The threshold secret sharing scheme enables a dealer to distribute the share to every participant such that the secret is correctly recovered from a certain amount of shares. The traditional $(k, n)$ threshold secret sharing scheme requires that the number of participants $n$ is known in advance. In contrast, the evolving secret sharing scheme allows that $n$ can be uncertain and even ever-growing. In this paper, we consider the evolving secret sharing scenario. Based on the prefix codes, we propose a brand-new construction of evolving $k$-threshold secret sharing scheme for an $\ell$-bit secret over a polynomial ring, with correctness and perfect security. The proposed scheme is the first evolving $k$-threshold secret sharing scheme by generalizing Shamir's scheme onto a polynomial ring. Besides, the proposed scheme also establishes the connection between prefix codes and the evolving schemes for $k\geq2$. The analysis shows that the size of the $t$-th share is $(k-1)(\ell_t-1)+\ell$ bits, where $\ell_t$ denotes the length of a binary prefix code of encoding integer $t$. In particular, when $\delta$ code is chosen as the prefix code, the share size is $(k-1)\lfloor\lg t\rfloor+2(k-1)\lfloor\lg ({\lfloor\lg t\rfloor+1}) \rfloor+\ell$, which improves the prior best result $(k-1)\lg t+6k^4\ell\lg{\lg t}\cdot\lg{\lg {\lg t}}+ 7k^4\ell\lg k$, where $\lg$ denotes the binary logarithm. Specifically, when $k=2$, the proposal also provides a unified mathematical decryption for prior evolving $2$-threshold secret sharing schemes and also achieves the minimal share size for a single-bit secret, which is the same as the best-known scheme.

Motivated by LowMC cryptanalysis challenge, research in recent years focuses more on attacking LowMC in \PICNIC application setting, \ie an attacker can see only a single plaintext/ciphertext pair. It can be noted that in the security proof of \PICNIC, LowMC is required to be secure under two plaintexts, it is thus meaningful to investigate the security of LowMC in this direction. Pioneered by Liu, Isobe and Meier at Crypto 2021, they combined algebraic techniques with difference enumeration attack, which could attack all three 4-round LowMC instances adopting full S-Box layers in \PICNIC with only two chosen plaintexts. However, the research on cryptanalysis of LowMC using two plaintext/ciphertext pairs is yet far from complete. Previous works using a single known plaintext are better than those with two plaintexts in terms of attack complexity or attacked rounds when considering a comparable success probability.

In this paper, to address such counter-intuitive gaps between existing attacks on LowMC with full S-box layers using a single and two plaintext/ciphertext pairs, we first develop an algebraic key-derived attack framework, where an algebraic property of the key-derived difference is utilized to build an equation system with lower algebraic degree. This directly contributes to less cost for solving equation system and naturally works under known-plaintext setting, which can be further enhanced with chosen-plaintext attack setting. We then present an improved difference enumeration attack framework. Instead of enumerating all possible differences in the second round, variables for part of S-boxes in the second and third rounds are introduced to derive cubic equations, which will lead to fewer variables for the last round. Finally, applying our new attack frameworks to LowMC, we propose \text{8-round} attacks on LowMC for the very first time, which remain under known-plaintext setting. Moreover, we give the first attacks on three LowMC instances, \ie 129-bit block size of 6 rounds and 129-/192-bit block size of 7 rounds, which cannot be obtained using previous attacking methods. Also, previous attacks on LowMC from 4 to 7 rounds could be improved for almost all three LowMC instances in this paper. All these results, we believe, could be a positive answer that given one more pair, more information indeed can be gained to improve attacks on LowMC when compared to those using only a single plaintext. As well as our newly proposed algebraic key-derived attack framework, we hope that, could provide more insights into the cryptanalysis of LowMC with low allowable data complexity.

We consider the question of whether worst-case hardness of the time-bounded Kolmogorov complexity problem, $\KpolyA$---that is, determining whether a string is time-bounded Kolmogorov random ($K^t$-random) or not---suffices to imply the existence of one-way functions (OWF).

Roughly speaking, our main result shows that under a natural strengthening of standard-type derandomization assumptions, worst-case hardness of the \emph{boundary} version of this classic problem characterizes OWFs.

In more detail, let $\bKtA$ denote the problem of, given an instance $x$, deciding whether (a) $K^{t_2}(x)\geq n-1$, or (b) $K^{t_1}(x) < n-1$ \emph{but} $K^{t_2}> n - \log n$; that is, deciding whether $x$ is $K^t$-random, or just ``near" $K^t$-random. We say that $\bKpolyA \notin \ioBPP$ if $\bKpolyA \notin \ioBPP$ for all polynomials $t_1,t_2$.

We show that under a natural strengthening of standard derandomization assumptions (namely, there exists a constant $\varepsilon > 0$ such that $\E \not\subseteq {\sf ioNTIME}[2^{kn}] \slash 2^{\varepsilon n}$ for every $k \in \N$), OWF exist iff $\bKpolyA \notin \ioBPP$. Along the way, we also demonstrate that if we consider the probabilistic version of Kolmogorov complexity (referred to as $pK^t$) instead, then the characterization holds unconditionally.

We finally observe that for most standard optimization problems, hardness ``along boundary" is equivalent to ``plain" worst-case hardness, indicating that assuming hardness along the boundary may be WLOG.

Plaintext-checking (PC) oracles are among the most prominent types of attacks against the recently standardized ML-KEM. Previous works have drastically reduced the number of queries to recover the secret key. While the number of traces is close to the information theoretic bound, current attacks have not yet been adapted to setting with increased noise and highly imperfect oracles. In attacks targeting real-world protected implementations, we have to expect noisy information leading to oracles that only give a small advantage over guessing. In this work, we show how to deal with imperfect oracles arising from side-channels under a high noise level. We present several new highly noise-tolerant parallel PC-oracle attacks. Our attacks rely on soft-analytic techniques and can deal with just a slight advantage over guessing. We present several attacks that either optimally update the sub-key distribution or compute approximations to the marginals. In addition, we extend the generic framework for side-channel information from Eurocrypt 2025.

We then discuss several oracle instantiations based on the noisy Hamming weight model. These oracles rely on widely accepted assumptions while also being easy to simulate and allowing for fair comparisons between different attacks. Furthermore, we take masking countermeasures into account. Our evaluations in these and previous models show that PC-oracle attacks are highly noise-tolerant -- on an entirely different scale compared to previous work. These improvements are of algorithmic nature and orthogonal to the fact that the Fujisaki-Okamoto transform in ML-KEM offers a large attack surface. We discuss the implications of our findings for protected ML-KEM implementations.

We show that $4r + 4$ rounds of a variant of the AES with independent and uniform random round keys are $\varepsilon$-pairwise independent with $\varepsilon = 2^{14}\, 2^{-30r}$. We deduce this bound from a two-norm version of pairwise-independence for SHARK-type ciphers based on the third-largest singular value of the difference-distribution table of the S-box. This approach was worked out in the master thesis of Immo Schütt. Our bounds leave room for improvement, both in the constant prefactor $2^{14}$ — due to a rough conversion between norms — and in the exponent. These improvements will be worked out in an extended version of this note.

Symmetric cryptography is confronting threats posed by quantum computing, including Grover's search algorithm and Simon's algorithm. In the fault-tolerant quantum computation, the limited qubit count, connectivity constraints, and error rates of quantum hardware impose stringent requirements on the implementation of cryptographic quantum circuits. Constructing low-resource quantum circuit models forms the foundation for evaluating algorithmic resistance to quantum threats. In this work, we address the fundamental limitations in in-place implementations of AES quantum circuits by proposing a set of in-place synthesis methods centered on DW-cost optimization. First, we prove that within the composite field arithmetic framework, intermediate circuit states can be utilized to uncompute S-box input states, and introduce a novel design pathway and circuit structure for in-place S-box quantum circuits. Second, we establish the necessary conditions for maximizing parallelization of Toffoli gates under minimal-width constraints in binary field multiplication. Through co-design and optimization of multiple nonlinear components, we construct a compact in-place S-box with a DW-cost of merely 276. Finally, building on this, we achieve quantum circuit implementations for AES-128, AES-192, and AES-256 via co-optimization of key expansion and round functions, reducing their DW-cost values to 65,280, 87,552, and 112,896 respectively. These results indicate a reduction of at least 46%, 45%, and 45% compared to existing state-of-the-art solutions. Building upon these advancements, this study establishes new technical benchmarks for low-quantum-resource and fault-tolerant implementations of symmetric cryptography in the post-quantum era.

The efficiency of a cryptographic algorithm's circuit implementation is critical for its practical deployment. The implementation cost of the linear layer can be evaluated by the number of XOR operations, typically measured in terms of s-\xor (serial \xor) and g-\xor (generalized \xor). In this work, we reduce the g-\xor count of the AES linear layer from 91 to 90 by enhancing the Boyar–Peralta (BP) algorithm and incorporating sub-graph reconstruction. We propose an improved framework for the BP algorithm that significantly accelerates the optimization process. Furthermore, we improve the local optimization strategy introduced in \cite{LinDa2021} by sub-graph reconstruction, implemented by solving a mixed-integer linear programming (MILP) model using Gurobi. As a result, we achieve the first implementation of the AES linear layer with 90 g-XOR operations, improving upon the previous best result of 91 reported in \cite{LinDa2021}.

We show the key ideas of the above-referenced work for lattice Gaussian sampling are not new; the same ideas have been proposed by Ling et al. in 2014.

Event date: 8 March 2026
Submission deadline: 1 November 2025
Notification: 19 December 2025

Event date: 6 July to 10 July 2026
Submission deadline: 27 January 2026
Notification: 20 April 2026

Event date: 1 June to 6 June 2026
Submission deadline: 25 August 2025
Notification: 19 November 2025

atsec is looking for cryptography experts to join our team in Austin, TX as product-oriented information security analysts. These positions may be at an entry, senior or principal level, depending on your applicable work experience and skill sets.

As an analyst, you are expected to:
• Learn and use security concepts and techniques such as entropy, access control, authentication, auditing, side-channel analysis, etc.
• Become fluent in security standards such as FIPS 140 and Common Criteria
• Master and serve as an authority in technical domains such as cryptography, network protocols/security, hardware security, software engineering, database, mobile devices, virtualization and operating systems
• Apply your knowledge and talents to scrutinize the security architecture, implementation, and deployment of a variety of cutting-edge IT products
• Support atsec customers in security related areas and become, or continue to be, a recognized industry expert in your field

Qualifications:
Candidates possessing a solid understanding of cryptography and its use in data protection will have an advantage in our hiring process.

This position does requires the following:
• A degree in Mathematics or Electric Engineering with Computer Science emphasis or vice versa (equivalent experience may be acceptable)
• Knowledge of cryptographic algorithms, and the mathematical concepts behind them
• Strong programming and code analysis skills
• Familiarity with Unix-based command line environments (e.g., Linux)
• Knowledge of network protocols (e.g., TLS/SSL, SSH, IPsec, IKE, SRTP, SNMP)
• Knowledge of information security (e.g., authentication, access control, network security)
• Strong technical report writing skills
• Team player who can work independently
• Eagerness to delve into technical subjects
• Enthusiasm, good customer interface skills, positive attitude, strong communication skills (written and verbal), and effective teamwork and technical collaboration skills
• The flexibility to travel



Closing date for applications:

Contact: Send resume to us-jobs@atsec.com

More information: https://www.atsec.com/

This is an urgent call for interested applicants. A funded Ph.D. student position is available for Spring 2026 (Deadline Oct. 15, 2025 but apply earlier) to work on different aspects of Cryptographic Engineering in the Bellini College at USF (Tampa, FL) with Dr. Mehran Mozaffari Kermani.

The required expertise includes:

- Master’s in Computer Engineering or Computer Science with hardware background (do not contact if you have not obtained a Master’s degree, this position is not for direct Bachelor’s to Ph.D.)

- Solid background in cryptographic engineering and theory of cryptography

- Solid HDL and FPGA/ARM expertise

- Outstanding English (if English tests are taken) to be eligible for funding

- Motivation to work beyond the expectations from an average Ph.D. student and publish in top tier venues Please closely observe the admission requirement details before emailing.

We are looking for motivated, talented, and hardworking applicants who have background and are interested in working on different aspects of Cryptographic Engineering with emphasis on hardware/software implementation, and side-channel attacks.

Please send email me your updated CV (including list of publications, language test marks, and references), transcripts for B.Sc. and M.Sc., and a statement of interest to: mehran2 (at) usf.edu as soon as possible. NOTE: The successful candidate will be asked to apply formally very soon to the college, so all the material has to be ready. We do not require GRE.

Research Webpage: https://cse.usf.edu/~mehran2/

Closing date for applications:

Contact: Mehran Mozaffari Kermani

The Danish Advanced Research Academy (DARA) is offering fully funded three-year PhD fellowships starting in 2025. As part of this program, you can join the Coding and Visual Communication research group at DTU Electro, Denmark. Our group conducts research at the intersection of information theory and cryptography, with applications in communications, data processing, and visual media. We are seeking motivated candidates with a strong background in mathematics, computer science, or engineering, and an interest in theoretical foundations and secure systems. Interested candidates should contact Assistant Professor Stanislav Kruglik at stakr@dtu.dk by 22 August 2025 to discuss proposal ideas and supervision possibilities.

Closing date for applications:

Contact: stakr@dtu.dk

We invite applications for a Lecturer/Senior Lecturer position in Cybersecurity. The level of appointment will depend on the successful candidate's relevant experience.

We welcome applications from candidates conducting cutting-edge research in any area of cybersecurity. Areas of interest include, but are not limited to: adversarial machine learning, post-quantum cryptography, privacy-enhancing technologies, software and supply chain security, secure systems and memory-safe languages, cloud and virtualization security, human-centred and usable security, and the security implications of AI systems. We are particularly interested in candidates whose work addresses emerging threats, combines theory and practice, or takes an interdisciplinary approach to security and privacy.

You will contribute to teaching in core cybersecurity and computer networking subjects, as well as being encouraged to develop a strong, externally funded research programme, supervise undergraduate and postgraduate students, and collaborate with other academics in the department's teaching and research activities. The appointee will be expected to develop links with and contribute to the wider computer science and/or software engineering profession at local, national and international levels.

More information on eligibility criteria and how to apply here: https://jobs.canterbury.ac.nz/jobdetails/ajid/TFkG9/Lecturer-Senior-Lecturer-Computer-Security,26437

Closing date for applications:

Contact:

We do not accept applications by email, however, we are happy to answer any queries at WorkatUC@canterbury.ac.nz.

For further information specifically about the role, please contact: Ben Adams, benjamin.adams@canterbury.ac.nz.

More information: https://jobs.canterbury.ac.nz/jobdetails/ajid/TFkG9/Lecturer-Senior-Lecturer-Computer-Security,26437