International Association
for Cryptologic Research

We revisit multivariate commitments based on the hardness of solving systems of multivariate quadratic (MQ) equations over finite fields. We analyze a simple construction where a message µ is committed as c = (µ + F(r), G(r)), with F and G random quadratic maps. We prove that the scheme is computationally hiding assuming the intractability of the MQ problem. Its binding property reduces to solving random bilinear systems. We prove that this problem is NP-complete and study the performance of existing algebraic and hybrid attacks. We show that this commitment is well-suited for integration with zero-knowledge proofs. Using the Threshold-computation-in-the-Head framework, we construct zero-knowledge efficient arguments of knowledge for the opening and arguments for relations on committed values. We apply this to construct an efficient blind signature scheme à la Fischlin, and we demonstrate that our techniques yield a fully multivariate construction of signatures with efficient protocols, enabling practical post-quantum anonymous credentials.

Healthcare data sharing is fundamental for advancing medical research and enhancing patient care, yet it faces significant challenges in privacy, data ownership, and interoperability due to fragmented data silos across institutions and strict regulations (e.g., GDPR, HIPAA). To bridge these gaps, we propose MtDB, a novel decentralized database architecture addressing secure data sharing in multi-tenant database ecosystems. MtDB employs blockchain for metadata coordination and sharing, IPFS for distributed data addressing, a universal SQL query interface for data access, and Intel SGX for integrity-protected query execution with enforced access control. We provide an open-source implementation demonstrating MtDB’s capabilities for secure, patient-centric healthcare data sharing while preserving ownership and enforcing policies. Experimental results show MtDB achieves 35 milliseconds query latency for indexed queries over 400M multi-tenant medical records while maintaining cryptographic security guarantees, with only 1.2–1.3× performance overhead compared to non-secure baselines.

Electronic voting systems claiming to provide verifiability are seeing increased adoption. Previous work on analyzing these systems has focused on vulnerabilities arising in the specification and implementation of the core protocol and primitives; once the system has been analyzed for these vulnerabilities and appropriate fixes deployed, one might have hoped that the systems would provide the claimed security.

In this paper, we discuss two categories of vulnerabilities which still seem prevalent in otherwise carefully designed, implemented, and audited systems. We present ten examples of vulnerabilities or weaknesses in these categories drawn from the SwissPost and Belenios systems. Our discussion covers why vulnerabilities in these categories maybe escaping detection and what can be done about it; all the solutions we considered are unsatisfactory and our aim is to highlight this area as an important open problem.

MEV (Maximal Extractable Value) remains one of the most corrosive forces in blockchain systems, enabling frontrunning, sandwiching, and other manipulations that directly exploit users. The core culprit is the transparent mempool: validators see transactions before they are ordered. Encrypted mempools are a promising solution by hiding transaction contents until after ordering.

We present the first integration of encrypted mempools with a high-performance BFT protocol. Our system uses a cryptographic scheme based on recent work on batched threshold encryption, and improves on the cryptographic state of the art in this line of work. The system ensures confidentiality of transactions during ordering while sustaining performance on par with leading BFT designs. Specifically, the proposal-to-execution latency of our system yields only a 27 ms overhead (14%) compared to the baseline. The result is a practical consensus layer that simultaneously defends against MEV and delivers the throughput and latency needed for real deployments. This work closes the gap between cryptographic defenses and production-ready consensus, showing that robust MEV protection and high performance can, in fact, coexist.

Anonymous payment protocols based on Zerocash (IEEE S&P 2014) have seen widespread deployment in decentralized cryptocurrencies, as have derivative protocols for private smart contracts. Despite their strong privacy properties, these protocols have a fundamental scaling limitation in that they require every consensus participant to maintain a perpetually growing set of nullifiers--- unlinkable revocation tokens used to detect double-spending---which must be stored, queried and updated by all validating nodes. This set grows linearly in the number of historic transactions and cannot be discarded without the undesirable effect of destroying unspent funds.

In this short note, we introduce a new technique that enables continual, permanent pruning of nullifiers by validators, without imposing significant computation, bandwidth or latency overhead for users, and without compromising privacy. Our main contribution is a general model we call oblivious synchronization whereby users ask untrusted remote services (which ingest and process the public ledger) to create succinct proofs that coins are unspent and otherwise valid. Crucially, these services are fully oblivious to their clients' transaction details and cannot link their clients to any transactions that ultimately appear on the public ledger. Moreover, these services only keep ephemeral state per client and users can freely switch between services without incurring redundant computational effort.

Zero-knowledge proofs allow to encode a computation so that it can be verified without revealing any additional information beyond its correctness. In this work we focus on proofs that are statistically sound meaning that even an unbounded prover cannot make the verifier accept a false statement, except with negligible probability, and computationally zero-knowledge. The seminal result of Goldreich, Micali and Wigderson (CRYPTO 1986) shows that, assuming the existence of a one-way function, such zero-knowledge proofs exist for all languages in NP.

Some of the early protocols, such as that of GMW, have a large polynomial overhead in communication compared to the original NP witness. A line of works has shown that in many cases this communication overhead can be avoided. Most recently, Athamnah et al. (TCC 2024) constructed zero-knowledge proofs for all bounded-depth NP relations, where the communication complexity is only larger by an additive factor than the original NP witness. The main caveat of their result is that the protocol makes a non-blackbox use of the one-way function.

In this work we show that such succinct zero-knowledge proofs exist for the same class of NP relations, where the protocol makes only a blackbox use of a one-way function. Our protocol achieves a negligible soundness error, in contrast to recent works which can achieve, at best, an inverse polynomial error.

Embedded devices commonly rely on digital signatures to ensure both integrity and authentication. For example, digital signatures are typically verified during the boot process or firmware updates to verify the integrity of a system. They are also used to ensure authenticity of a communication party in secure protocols. Fault injection can be used to tamper with a device in order to cause malfunctioning during cryptographic computations. For example, fault injections can be used to disturb digital signing operations. With the right type of fault an attacker can compute private keys from faulted signatures. However, fault injections can also be used during verification to get maliciously crafted digital signatures accepted during signature verification with catastrophic consequences for the security of an embedded device. In this paper, we introduce new non-obvious fault injection attacks on the verification routines of Dilithium and Falcon signature schemes, which allow an attacker to get signatures for arbitrary messages accepted by fault injection. We demonstrate the feasibility of our attacks by simulations using an ARM Cortex-M4 and the pqm4 library as a target of evaluation and pinpoint vulnerable instructions. Finally, we propose and discuss possible countermeasures against these attacks.

This work improves upon the instruction set extension proposed in the paper "Towards ML-KEM and ML-DSA on OpenTitan", in short OTBNTW, for OpenTitan’s big number coprocessor OTBN. OTBNTW introduces a dedicated vector instruction for prime-field Montgomery multiplication, with a high multi-cycle latency and a relatively low utilization of the underlying integer multiplication unit. The design targets post-quantum cryptographic schemes ML-KEM and ML-DSA, which rely on 12-bit and 23-bit prime field arithmetic, respectively. We improve the efficiency of the Montgomery multiplication by fully exploiting existing integer multiplication resources and move modular multiplication from hardware back to software by providing more powerful and versatile integer-multiplication vector instructions. This enables us not only to reduce the overall computational overhead through lazy reduction in software but also to improve performance in other functions beyond finite-field arithmetic. We provide two variants of our instruction set extension, each offering different trade-offs between resource usage and performance. For ML-KEM and ML-DSA, we achieve a speedup of up to 17% in cycle count, with an ASIC area increase of up to 6% and an FPGA resource usage increase of up to 4% more LUT, 20% more CARRY4, 1% more FF, and the same number of DSP compared to OTBNTW. Overall, we significantly reduce the ASIC time-area product, if the designs are clocked at their individual maximum frequency, and at least match that of OTBNTW, if the designs are clocked at the same frequency.

The Brakerski-Gentry-Vaikuntanathan (BGV) scheme is one of the most significant fully homomorphic encryption (FHE) schemes. It belongs to a class of FHE schemes whose security is based on the presumed intractability of the Learning with Errors (LWE) problem and its ring variant (RLWE). Such schemes deal with a quantity, called noise, which increases each time a homomorphic operation is performed. Specifically, in order for the scheme to work properly, it is essential that the noise remains below a certain threshold throughout the process. For BGV, this threshold strictly depends on the ciphertext modulus, which is one of the initial parameters whose selection heavily affects both the efficiency and security of the scheme. For an optimal parameter choice, it is crucial to accurately estimate the noise growth, particularly that arising from multiplication, which is the most complex operation. In this work, we propose a novel average-case approach that precisely models noise evolution and guides the selection of initial parameters, improving efficiency while ensuring security. The key innovation of our method lies in accounting for the dependencies among ciphertext errors generated with the same key, and in providing general guidelines for accurate parameter selection that are library-independent.

End-to-end encrypted (E2EE) messaging platforms serving hundreds of millions of users face a fundamental vulnerability: users must trust service providers to distribute authentic public keys. This problem creates opportunities for sophisticated man-in-the-middle attacks and surveillance. While key transparency systems promise to eliminate this trust requirement, existing solutions have failed to achieve practical deployment due to prohibitive cost in computation and bandwidth, and inadequate infrastructure. Our main innovation is the integration of a zero-knowledge virtual machine to create a “rollup” architecture on a third-party data availability layer via which every user automatically checks the integrity of the whole key directory. Counterintuitively, this approach yields substantial performance improvements over custom-built zk proof circuits and enables verification of targeted policies within the cryptographic proof system. We introduce PRISM, the first practically deployable key transparency protocol that eliminates hidden backdoors in E2EE services through automatic, trust-minimized verification. Our system advances beyond previous approaches by proving not just structural validity of key directory updates, but their semantic correctness as well. Previous solutions require some form of manual interaction by the user. This burden prevented wide spread adoption. Our solution however eliminates user intervention entirely. This paper is intended as an overview rather than an exhaustive specification. Our implemented system already integrates additional components whose full complexity exceeds the scope of this short presentation.

Cryptography is a fundamental building block of many security features like secure boot, remote attestation, trusted platform module (TPM), memory/disk encryption, and secure communication, providing confidentiality, data integrity, authentication, and non-repudiation. Post-Quantum Cryptography (PQC) marks an important milestone in the history of modern cryptography. It encompasses cryptographic algorithms designed to withstand cryptanalytic attacks from both quantum and classical computers.

Organizations around the world are currently in the process of migrating to the PQC algorithms standardized by the National Institute of Standards and Technologies (NIST). Compared to the previous changes of cryptographic algorithms, the transition to PQC poses new challenges. We exemplify some of them by analyzing implementation attacks (e.g., side-channel and fault injection) and countermeasures applicable to the signature generation of the Elliptic Curve Digital Signature Algorithm (ECDSA), a widely used cryptographic algorithm, and the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), a quantum-resistant algorithm set to replace the former.

We compare three recent works on collusion deterrence mechanisms [SP'24, Eurocrypt'25, CCS'25] in privacy-preserving multi-party computations. They follow the same whistleblowing structure where an evidence collection module collects collusion evidence, and a mechanism assigns payments to deter incentive-driven parties from collusion.

For evidence collection module, two works [SP'24, Eurocrypt'25] provide a general method for generating collusion evidence while tolerating pre-existing leakage. The other work [CCS'25] abstracts evidence generation away, except for transparent service applications where the output is treated as the evidence.

For the incentive mechanisms, two works [SP'24, Eurocrypt'25] consider a mix of rational and malicious parties, and rational parties can act as an individual or as a member of a strong coalition, inside which parties trust each other and never harm other members. When parties act as individuals, given bounded malicious parties, one can design mechanisms to disincentivize collusion. When parties act as a coalition, the mechanisms can only limit the size of coalitions for exclusive secrets, i.e., more parties learning the secret reduces the value received by individuals. The most recent work [CCS'25] only models rational parties but considers colluding parties establishing retaliatory contracts to discourage betrayal among colluders. It was shown to be impossible to maintain non-collusion outcome if retaliatory contracts can impose unbounded penalties, and feasible to guarantee non-collusion otherwise. This is weaker than a strong coalition but admits mechanisms protecting secrets of a general nature.

We are looking for a cybersecurity professor to strengthen Estonia's existing expertise. Our computer science department (http://www.cs.ut.ee) has two related research groups: cryptography (led by Helger Lipmaa) and security engineering (led by Raimundas Matulevicius). We are looking for an ambitious researcher (with a steady presence at big four security conferences) with demonstrated leadership skills who can build a larger team. The professor and the team are expected to actively participate in teaching, research, supervision, and external activities. Application deadline: 15.12.2025. Official information is available at the provided URL https://ut.ee/en/job-offer/professor-cybersecurity; the application URL is available there. The salary has to be factored against Estonia's low taxes and low living costs. (More than 5000 euros monthly net salary, with 700-1500 euros rent for a three-bedroom modern apartment close to the department and the city center). About Estonia. Estonia is part of Northern Europe but shares many similarities with German culture. It is part of the EU and NATO. The country is ranked high in the Press Freedom Index and the Democracy Index. Estonia is well-known to be an "IT-country", with early adoption of IT at the state level and many IT companies (including startups). About Tartu. Tartu is a small university town. The University of Tartu is a research university with a strong computer science department. While the city is small, it is vibrant with student life. About the department. The university and the department have many foreign faculty members and graduate students. The department is located in a modern building in the center of Tartu. We have strong research groups in many areas, ranging from cryptography and coding theory to machine learning and information systems.

Closing date for applications:

Contact: Helger Lipmaa (firstname lastname gmail)

More information: https://ut.ee/en/job-offer/professor-cybersecurity

We are looking for a Ph.D. student who is interested in one of the following areas:

• Secure Multi-Party Computation (MPC): MPC enables multiple parties to jointly compute on their data without revealing private information. Our research develops highly efficient MPC protocols for real-world applications such as healthcare analytics, cyber risk management, and biometric authentication.
• Hardware-Accelerated Cryptography: We design cryptographic schemes optimized for hardware acceleration and explore co-design strategies between cryptography and hardware (e.g., GPU, FPGA). The goal is to achieve secure and privacy-preserving computation with high performance and scalability.
• Blockchain Security and Privacy: We build secure and privacy-preserving blockchain infrastructures. Our research addresses challenges including resource-constrained users, confidential yet verifiable data, and trustworthy decentralized services.

Advisor information: https://yanxue820.github.io/

Closing date for applications:

Contact: Send the following to jiayanxue820@gmail.com with the subject "Fall 2026 Application – Your Name – Your University":

• CV or resume
• Academic transcripts (unofficial is okay)
• Brief statement of research interest (informal is okay)

We focus on foundations of cryptography and are searching for a motivated PhD candidate to join our team. We develop new security definitions which match practical applications, explore complexity-theoretic relations, develop novel, sophisticated proof techniques, and design schemes that provably satisfy strong security guarantees. Hence, strong mathematics skills are advantageous and arguing by formal mathematical proofs is essential.

Besides research (including attendance and presentation at workshops and conferences), the candidate will be involved in a small amount of teaching, according to the university regulations.

The position is fully funded for 4 years with a competitive salary and available from March 2026; the exact starting date is negotiable. For eligibility, an MSc degree in Computer Science or Mathematics (or a related field) is required. Applications must contain all required documents and be done exclusively through the linked job portal of University of Vienna.

University of Vienna is located centrally and public transport is extraordinarily good. Vienna is internationally very well connected by train, plane and bus. There are several cryptography research groups in and around Vienna and we encourage regular exchange through a joint reading group.

Closing date for applications:

Contact: Karen Azari (karen.azari(at)univie.ac.at)

More information: https://jobs.univie.ac.at/job/University-assistant-predoctoral/1263554201/

Private Set Intersection (PSI) protocols allow a querier to determine whether an item exists in a dataset without revealing the query or exposing non-matching records. It has many applications in fraud detection, compliance monitoring, healthcare analytics, and secure collaboration across distributed data sources. In these cases, the results obtained through PSI can be sensitive and even require some kind of downstream computation on the associated data before the outcome is revealed to the querier, computation that may involve floating-point arithmetic, such as the inference of a machine learning model. Although many such protocols have been proposed, and some of them even enable secure queries over distributed encrypted sets, they fail to address the aforementioned real-world complexities.

In this work, we present the first encrypted label selection and analytics protocol construction, which allows the querier to securely retrieve not just the results of intersections among identifiers but also the outcomes of downstream functions on the data/label associated with the intersected identifiers. To achieve this, we construct a novel protocol based on an approximate CKKS fully homomorphic encryption that supports efficient label retrieval and downstream computations over real-valued data. In addition, we introduce several techniques to handle identifiers in large domains, e.g., 64 or 128 bits, while ensuring high precision for accurate downstream computations.

Finally, we implement and benchmark our protocol, compare it against state-of-the-art methods, and perform evaluation over real-world fraud datasets, demonstrating its scalability and efficiency in large-scale use case scenarios. Our results show up to 1.4$\times$ to 6.8$\times$ speedup over prior approaches and select and analyze encrypted labels over real-world datasets in under 65 sec., making our protocol practical for real-world deployments.

CAPTCHA is a ubiquitous challenge-response system for preventing spam (typically bots) on the internet. Requiring users to solve visual challenges, its design is inherently cumbersome, and can unfairly punish those using low reputation IP addresses, such as anonymous services e.g. TOR.

To minimise the frequency in which a user must solve CAPTCHAs, Privacy Pass (PETS 2018) allows users to collect and spend anonymous tokens instead of solving challenges. Despite 400,000 reported monthly users and standardisation efforts by the IETF, it has not been subject of formal verification, which has been proven to be a valuable tool in security analysis.

In this paper we perform the first analysis of Privacy Pass using formal verification tools, and verify standard security properties hold in the symbolic model. Motivated by concerns of Davidson et al. and the IETF contributors, we also explore a stronger attack model, where additional key leakage uncovers a potential token forgery. We present a new protocol, Privacy Pass Plus, in which we show the attack fails in the symbolic model and give new cryptographic reductions to show our scheme maintains the security properties. Moreover, our work also highlights the complementary nature of analysing protocols in both symbolic and computational models.

Secure communication in the Internet of Things (IoT) requires lightweight protocols that scale across unicast, multicast, and broadcast settings. Existing solutions typically depend on centralized gateways, which introduce single points of failure and scalability limitations. We present TreeCast, a decentralized group key establishment protocol that organizes devices in a binary tree and derives communication keys through hybrid key exchange. The protocol achieves efficient and scalable key management, supporting dynamic membership with localized rekeying. We provide a formal security analysis and proof, showing that TreeCast achieves authentication, session key confidentiality, post-compromise security, and partial forward secrecy. In addition, we evaluate computational and storage costs of the protocol, demonstrating logarithmic scalability in both communication overhead and device state. By enabling a single framework for unicast, multicast, and broadcast communication, our approach bridges the gap between cryptographic rigor and practical IoT deployment. TreeCast provides a deployable, communication-oriented solution to secure large-scale IoT networks.

With the widespread deployment of machine learning services, concerns about potential misconduct by service providers have emerged. Providers may deviate from their promised methodologies when delivering their services, undermining customer trust. Zero-knowledge proofs (ZKPs) offer a promising solution for customers to verify service integrity while preserving the intellectual property of the model weights. However, existing ZKP systems for convolutional neural networks (CNNs) impose significant computational overhead on the prover, hindering their practical deployment.

To address this challenge and facilitate real-world deployment of ZKPs for CNNs, we introduce VerfCNN, a novel and efficient ZKP system for CNN inference. The core innovation of VerfCNN lies in a specialized protocol for proving multi-channel convolutions, achieving optimal prover complexity that matches the I/O size of the convolution. Our design significantly reduces the prover overhead for verifiable CNN inference. Experiments on VGG-16 demonstrate that our system achieves a prover time of just 12.6 seconds, offering a 6.7× improvement over zkCNN (CCS'21). Remarkably, VerfCNN incurs only a 10× overhead compared to plaintext inference on CPU, whereas general-purpose zkSNARKs typically impose overheads exceeding 1000×. These results underscore VerfCNN's strong potential to enhance the integrity and transparency of real-world ML services.

Multi-party Private Set Intersection (mPSI) enables $n(n\geq3)$ parties, each holding a set of size $m$, to jointly compute their intersection while preserving the confidentiality of each set, which is essential for privacy-preserving data analysis and secure database queries. Existing mPSI protocols have limitations in achieving both sufficient security and practical efficiency.

This paper presents a novel and efficient mPSI construction in the semi-honest model while resisting arbitrary collusion attacks. Our construction works in the offline/online paradigm. Given the corruption threshold $t$, the online phase achieves linear total computational and communication complexity, that is $O((n+t)m)$, and solely uses symmetric operations. This makes our construction theoretically outperform the existing works. The technical core of the construction is our newly extracted primitive called reducible zero-sharing, which allows $t(t
With extensive experiments, we demonstrate that our construction outperforms state-of-the-art works in terms of online running time and communication cost. Specifically, compared to works with sufficient security, the online running time of our mPSI construction is $9.57-114.46\times$ faster in the LAN setting, $2.69-28.41\times$ faster in the WAN setting, while the communication cost is $0.29-28.70\times$ lower. Notably, the total performance (offline+online) still obtains up to $18.73\times$ improvement. Compared with works with practical efficiency, our mPSI construction achieves similar performance while providing stronger security.