International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

  • via email
  • via RSS feed

23 May 2025

Yibin Yang
ePrint Report
Recent progress on zero-knowledge proofs (ZKPs) based on vector oblivious linear evaluation (VOLE) offers a promising paradigm for scaling ZKPs over extremely large statements. In particular, VOLE-based ZK is currently the best choice in terms of end-to-end execution time. However, VOLE-based ZK incurs high communication overhead — it usually scales linearly with the circuit size.

To mitigate this, existing literature considers VOLE-based ZK over structured statements. In this work, we focus on the batched disjunctive statement — $\mathcal{P}$ and $\mathcal{V}$ agree on $B$ fan-in $2$ circuits $\mathcal{C}_1, \ldots, \mathcal{C}_{B}$ over a field $\mathbb{F}$; each circuit is of size $C$ with $n_{\mathit{in}}$ inputs. $\mathcal{P}$'s goal is to demonstrate the knowledge of $R$ witnesses $(\mathit{id}_j \in [B]$, $\boldsymbol{w}_j \in \mathbb{F}^{n_{\mathit{in}}})$ for each $j \in [R]$ s.t. $\forall j \in [R], \mathcal{C}_{\mathit{id}_j}(\boldsymbol{w}_j) = 0$ where neither $\boldsymbol{w}_j$ nor $\mathit{id}_j$ is revealed. Batched disjunctive statements are effective, e.g., in emulating the CPU execution inside ZK. Note, the naïve solution results in a circuit of size $\mathcal{O}(RBC)$.

To prove such a statement using VOLE-based ZK, the prior state-of-the-art protocol $\mathsf{Antman}$ (Weng et al., CCS'22) incurred $\mathcal{O}(BC + R)$ communication by additionally relying on AHE, whereas $\mathsf{Batchman}$ (Yang et al., CCS'23) achieved $\mathcal{O}(RC + B)$ communication using only VOLE.

In this work, we combine these two protocols non-trivially and present a novel protocol $\mathsf{Justvengers}$ — targeting the batched disjunctive statement — that incurs only $\mathcal{O}(R + B + C)$ communication and $\mathcal{O}(BC + (B + C)R\log R)$ computation for prover, using AHE and VOLE.

Kuala Lumpur, Malaysia, 14 September 2025
Event Calendar
Event date: 14 September 2025
Submission deadline: 30 June 2025
Notification: 31 July 2025

Jaipur, India, 8 January - 10 January 2026
Event Calendar
Event date: 8 January to 10 January 2026
Submission deadline: 30 May 2025
Notification: 30 September 2025

Illinois Institute of Technology, Department of Computer Science; Chicago, USA
Job Posting

I will join the Department of Computer Science at Illinois Tech as a tenure-track Assistant Professor in Fall 2025. My research focuses on Applied Cryptography, especially advancing cryptography to solve security and privacy issues in existing as well as emerging real-world applications. Please see (https://yanxue820.github.io) for more details about me.

I'm hiring 2-3 Ph.D. students starting in spring/fall 2026 with the following research areas:
  • Secure Multi-Party Computation (MPC): MPC is a crucial technique to enhance data collaborations while protecting sensitive information. Our research provides highly efficient MPC solutions for real-world application scenarios (such as healthcare, risk management, biorecognition, etc).
  • Blockchain: We build foundational infrastructures to ensure security and privacy in blockchain ecosystems. Our research addresses critical challenges, such as resource-constrained users, data confidentiality and verifiability, decentralized services, etc.
  • Intersection between Cryptography and Machine Learning: We advance and accelerate cryptography techniques to protect the data/model security and privacy in machine learning. Conversely, we leverage machine learning techniques to assist in proving the security of cryptographic protocols.
Qualifications:
  • Fully-funded Ph.D. students (Spring/Fall 2026) passionate about research
  • Bachelor's or Master's degree in CS, Math, or related disciplines
  • Solid programming/mathematical skills and/or a background in cryptographic research or study
  • Curious and eager to explore new ideas and technologies

Closing date for applications:

Contact: Send the following to jiayanxue820@gmail.com:

  • CV or resume
  • Academic transcripts (unofficial is okay)
  • Brief statement of research interest (informal is okay)
Please use the Email subject: Spring/Fall 2026 Application – Your Name – University


Monash University; Melbourne, Australia
Job Posting
The cybersecurity group at Monash Information Technology has openings for PhD and PostDoc positions, fully funded by an Australian Research Council (ARC) project. We are looking for candidates in design, analysis, implementation and/or application aspects of the following areas.

Topics of interest

  • Zero-knowledge proof (ZKP)
  • SNARKs
  • Lattice-based cryptography
  • Fully-homomorphic encryption (FHE)
  • Some combination of the above
The candidates will have the opportunity to work in an excellent research environment and collaborate with experts in cryptography and with CryptoLab industry partners.

Why join Monash?

Monash University is among the leading universities in Australia and is located in Melbourne, one of the most liveable cities in the world. See more at: https://mfesgin.github.io/supervision/

PhD Position

Applicants should have (or be expected to complete in the next 6 months) a masters or honours equivalent degree in mathematics, computer science, cryptography, engineering or closely related areas. Some research experience in cryptography is required.

Apply by filling out the following form: https://docs.google.com/forms/d/e/1FAIpQLSetFZLvDNug5SzzE-iH97P9TGzFGkZB-ly_EBGOrAYe3zUYBw/viewform

PostDoc Position

Applicants should have (or be expected to complete in the next 6 months) a PhD in mathematics, computer science, cryptography, engineering or closely related areas. Research experience in at least one of lattice-based cryptography, zero-knowledge proofs, or FHE is required.

Apply by filling out the following form: https://docs.google.com/forms/d/e/1FAIpQLSf8T2xlMbtKB6B7Lqn_VvV1-PpRzQrcl2Xe8oRnNZQVHqiPSg/viewform

Closing date for applications:

Contact: Muhammed Esgin

More information: https://mfesgin.github.io/supervision/


Silence Laboratories
Job Posting

Job Title: Senior Applied Cryptography Rust Developer

Location: Remote (EU Timezone preferred, open to other timezones)

Company: Silence Laboratories

About Us:

Silence Laboratories is at the forefront of privacy-preserving and cryptographic computing, specializing in Multi-Party Computation (MPC) and Privacy-Enhancing Technologies (PETs) for industries like finance, digital assets, and trade finance. We are building secure solutions for a future of compliant, privacy-first data collaboration.

Role Overview:

We are seeking a Senior Applied Cryptography Rust Developer with a deep cryptographic background to design and implement cutting-edge cryptographic protocols, particularly in MPC and PETs. This is a high-impact role where you’ll work with world-leading cryptographers and deploy production-level code for top financial institutions globally.

Key Responsibilities:

  • Develop cryptographic algorithms and protocols in Rust.
  • Independently convert cryptographic research papers into production-level code.
  • Work on Multi-Party Computation (MPC) and Privacy-Enhancing Technologies (PETs).
  • Ensure high performance, scalability, and security of cryptographic solutions.

Required Skills:

  • 7+ years experience in Rust development with high-quality production deployments.
  • Strong expertise in cryptography, including MPC, ZKPs, and homomorphic encryption.
  • Proven ability to turn research papers into production code with minimal guidance.
  • Solid mathematical foundation in cryptography-related fields.
  • Remote work experience and effective collaboration across time zones.
More details: https://md.silencelaboratories.com/s/OqxmPty6O

Closing date for applications:

Contact: Jay Prakash jp@silencelaboratories.com


DGIST, Daegu, South Korea
Job Posting
DGIST Crypto Group has multiple fully funded PhD and postdoc positions open in various areas of cryptography, including:
  • Post-Quantum Cryptography
  • Symmetric-Key Cryptography
  • Multi-Party Computation
  • Privacy-Enhancing Technologies such as Differential Privacy or Fully Homomorphic Encryption

PhD applicants should have a strong background in cryptography, mathematics, theoretical computer science, or related areas. Postdoc applicants should have a proven publication record in established venues in cryptography or security (e.g., IACR conferences/journals, CCS, USENIX Security, IEEE S&P). Salary will be determined according to DGIST's internal regulations and the applicant’s experience, with top-level compensation guaranteed based on qualifications and achievements. The position will remain open until filled.

About DGIST: DGIST is a rapidly growing institution with strong global recognition. DGIST ranked 33rd in the world and 1st among new universities in the Times Higher Education (THE) Emerging University Rankings. It recently placed 7th globally in research power in its first QS World University Rankings participation and ranked 12th in THE’s World University Rankings for small universities (under 5,000 students).

Closing date for applications:

Contact: Youngsik Kim (ysk@dgist.ac.kr), Wonseok Choi (wonseok@dgist.ac.kr)

University of Genova (Italy)
Job Posting
The Department of Mathematics at the University of Genova is advertising an open position as Associate Professor (Professore di Seconda Fascia) in Algebra, with an emphasis on applications (e.g., Cryptography, Coding Theory). The deadline for applications is June 3, 2025. To be eligible, an applicant must satisfy at least one of the following requirements:
  • Be in possession of the Italian Habilitation as "Professore di Seconda Fascia" or "Professore di Prima Fascia" (https://abilitazione.mur.gov.it/public/index.php?lang=eng)
  • Already hold a position as Associate Professor (or equivalent level) at another institution.

Closing date for applications:

Contact: For questions, please contact Alessandro De Stefani alessandro.destefani@unige.it

More information: https://concorsi.unige.it/home/procedure/5169/?__language=en

David Santos, Michael Scott
ePrint Report
Constant-time implementations are a cornerstone of secure cryptographic systems, particularly in the context of key exchange protocols and digital signature schemes. These implementations are designed to eliminate timing side-channel vulnerabilities by ensuring that the program’s execution time is independent of secret data. A fundamental building block for achieving constant-time behavior is the conditional move operation. Unlike traditional branching constructs (such as if statements), which may introduce data-dependent timing variations, conditional moves allow developers to write logic that behaves identically at the hardware level regardless of input values. As a result, they are widely used in cryptographic libraries and standards to ensure both functional correctness and resistance to timing attacks. In this work, we describe our efforts to implement elliptic curve cryptography with some immunity against certain power leakage side-channel attacks, using standard C and Rust code.

Céline Chevalier, Éric Sageloli
ePrint Report
Introduced by Canetti in 2001, Universal Composability (UC) is a widely adopted security model that enables the specification and proof of security for a broad range of protocols, offering strong security guarantees. At its core lies the universal composition theorem (UC theorem), which ensures that protocols proven secure within the framework remain secure even when deployed in real-world environments with multiple instances of them.

In this work, we present two key contributions. First, we identify several problems with the UC framework, in particular the UC Theorem. They include counterexamples, limitations that make it unusable for important classes of protocols, and weaknesses in its proof. These problems reveal flaws in nearly all the fundamental concepts of UC.

Secondly, we update the main concepts of UC to address these problems. Although these revisions are nontrivial, our updated definitions are intended to stay as closely aligned with the original model as possible, while providing greater simplicity overall. To ensure the validity of these updates, we present a proof of the updated UC theorem, which is more detailed and modular than the original.

Liam Eagen, Youssef El Housni, Simon Masson, Thomas Piellard
ePrint Report
Proof systems of arbitrary computations have found many applications in recent years. However, the proving algorithm has a consequent complexity tied to the size of the computation being proved. Thus, proving large computations is quite inefficient. One of these large computations is the scalar multiplication over an elliptic curve. In this work, we provide new techniques for reducing the time corresponding to proving a scalar multiplication, using integer lattice reduction or a (half) extended Euclidean algorithm in a ring of integers. We investigate optimizations in the case of small (complex multiplication) discriminant curves, and its generalization for multi-scalar multiplications as used in signature verification. We provide an optimized Golang implementation for different elliptic curves in different proof systems settings. The speed-up in proving time is between 22% and 53% compared to the previous state-of-the-art.

Tim Beyne, Michiel Verbauwhede
ePrint Report
Integral and ultrametric integral cryptanalysis are generalized to finite rings of prime characteristic $p$ that are isomorphic to a product of fields. This extends, for instance, the complete state of the art in integral cryptanalysis from $\mathbf{F}_2^n$ to $\mathbf{F}_q^n$, for all prime powers $q$. A compact representation of transition matrices, based on convex polyhedra, is introduced to ensure that the proposed methods are computationally efficient even for large $p$. Automated tools are developed and applied to a few generic and several concrete primitives. The analysis shows that previous degree estimates for Feistel-GMiMC, HadesMiMC, AES-Prime, small-pSquare and mid-pSquare are overly optimistic. Furthermore, except for AES-Prime, these primitives do not meet their design criteria unless their number of rounds is substantially increased.

Gabriel Dettling, Martin Hirt, Chen-Da Liu-Zhang
ePrint Report
A multi-valued broadcast protocol allows a sender $P_s$ to broadcast an $\ell$-bit message $m$ to $n$ recipients. For all relevant models, multi-valued broadcast protocols with asymptotically optimal communication complexity $\mathcal{O}(\ell n)+\mathrm{Poly}(n)$ have been published.

Despite their very low communication complexity, these protocols perform poorly in modern networks. Even if the network allows all $n$ parties to send messages at the same time, the execution time of the protocols is proportional to $\ell n$ (instead of $\ell$). Even if the network allows to use all bilateral channels at the same time, the execution time is still proportional to $\ell$ (instead of $\ell/n$). We ask the natural question whether multi-valued broadcast protocols exist which take time proportional to $\ell$ if parties can simultaneously send messages, and even take time proportional to $\ell/n$ if the bilateral channels can be used simultaneously. We provide a complete characterization of multi-valued broadcast with a two-fold answer:

On the negative side, we prove that for $t
On the positive side, we prove that for $t < (1-\epsilon)n$ (for any fixed $\epsilon$), multi-valued broadcast in time proportional to $\ell$ (when parties can send messages simultaneously), respectively proportional to $\ell/n$ (if bilateral channels can be used simultaneously) is possible. We provide such protocols both with cryptographic security as well as with statistical security.

Henri Dohmen, Robin Hundt, Nora Khayata, Thomas Schneider
ePrint Report
Secure Multi-Party Computation (MPC) allows multiple parties to perform privacy-preserving computation on their secret data. MPC protocols based on secret sharing have high throughput which makes them well-suited for batch processing, where multiple instances are evaluated in parallel. So far, practical implementations of secret sharing-based MPC protocols mainly focus on runtime and communication efficiency, so the memory overhead of protocol implementations is often overlooked. Established techniques to reduce the memory overhead for constant-round garbled circuit protocols cannot be directly applied to secret sharing-based protocols because they would increase the round complexity. Additionally, state-of-the-art implementations of secret sharing-based MPC protocols are implemented in C/C++ and may exhibit memory unsafety and memory leaks, which could lead to undefined behavior.

In this paper, we present SEEC: SEEC Executes Enormous Circuits, a framework for secret sharing-based MPC with a novel approach to address memory efficiency and safety without compromising on runtime and communication efficiency. We realize SEEC in Rust, a language known for memory-safety at close-to-native speed. To reduce the memory footprint, we develop an in-memory representation for sub-circuits. Thus, we never inline sub-circuit calls during circuit evaluation, a common issue that blows up memory usage in MPC implementations. We compare SEEC with the state-of-the-art secret sharing-based MPC frameworks ABY (NDSS'15), MP-SPDZ (CCS'20), and MOTION (TOPS'22) w.r.t. runtime, memory, and communication efficiency. Our results show that our reliable and memory-safe implementation has competitive or even better performance.

Josh Benaloh, Michael Naehrig, Olivier Pereira
ePrint Report
Dispute resolution has been a significant challenge in verifiable election protocols since such protocols were first proposed more than forty years ago. This work explores the problem from a new perspective and offers strong dispute resolution for in-person voting by depending on observers.

It proposes a simple definition of dispute resolution as a property of a voting protocol---a definition that is independent of any other security goal. It also presents the DROP protocol, a verifiable, in-person voting protocol that runs in the presence of observers who will always reach a correct conclusion in the case of a dispute without ever being able to compromise privacy or facilitate coercion.

Daniël M. H. van Gent, Ludo N. Pulles
ePrint Report
The search rank-2 module Lattice Isomorphism Problem (smLIP), over a cyclotomic ring of degree a power of two, can be reduced to an instance of the Lattice Isomorphism Problem (LIP) of at most half the rank if an adversary knows a nontrivial automorphism of the underlying integer lattice. Knowledge of such a nontrivial automorphism speeds up the key recovery attack on HAWK at least quadratically, which would halve the number of security bits.

Luo et al. (ASIACRYPT 2024) recently found an automorphism that breaks omSVP, the initial underlying hardness assumption of HAWK. The team of HAWK amended the definition of omSVP to include this so-called symplectic automorphism in their submission to the second round of NIST's standardization of additional signatures. This work provides confidence in the soundness of this updated definition, assuming smLIP is hard, since there are plausibly no more trivial automorphisms that allow winning the omSVP game easily.

Although this work does not affect the security of HAWK, it opens up a new attack avenue involving the automorphism group that may be theoretically interesting on its own.

Qiangqiang Liu, Qian Huang, Frank Fan, Haishan Wu, Xueyan Tang
ePrint Report
Meme tokens represent a distinctive asset class within the cryptocurrency ecosystem, characterized by high community engagement, significant market volatility, and heightened vulnerability to market manipulation. This paper introduces an innovative approach to assessing liquidity risk in meme token markets using entity-linked address identification techniques. We propose a multi-dimensional method integrating fund flow analysis, behavioral similarity, and anomalous transaction detection to identify related addresses. We develop a comprehensive set of liquidity risk indicators tailored for meme tokens, covering token distribution, trading activity, and liquidity metrics. Empirical analysis of tokens like BabyBonk, NMT, and BonkFork validates our approach, revealing significant disparities between apparent and actual liquidity in meme token markets. The findings of this study provide significant empirical evidence for market participants and regulatory authorities, laying a theoretical foundation for building a more transparent and robust meme token ecosystem.

Jincheol Ha, Seongha Hwang, Jooyoung Lee, Seungmin Park, Mincheol Son
ePrint Report
Conventional hash functions are often inefficient in zero-knowledge proof settings, leading to the design of several ZK-friendly hash functions. On the other hand, lookup arguments have recently been incorporated into zero-knowledge protocols, allowing for more efficient handling of "ZK-unfriendly" operations, and hence ZK-friendly hash functions based on lookup tables.

In this paper, we propose a new ZK-friendly hash function, dubbed $\mathsf{Polocolo}$, that employs an S-box constructed using power residues. Our approach reduces the number of gates required for table lookups, in particular, when combined with Plonk, allowing one to use such nonlinear layers over multiple rounds. We also propose a new MDS matrix for the linear layer of $\mathsf{Polocolo}$. In this way, $\mathsf{Polocolo}$ requires fewer Plonk gates compared to the state-of-the-art ZK-friendly hash functions. For example, when $t = 8$, $\mathsf{Polocolo}$ requires $21\%$ fewer Plonk gates compared to Anemoi, which is currently the most efficient ZK-friendly hash function, where $t$ denotes the size of the underlying permutation in blocks of $\mathbb F_p$. For $t = 3$, $\mathsf{Polocolo}$ requires $24\%$ fewer Plonk gates than Reinforced Concrete, which is one of the recent lookup-based ZK-friendly hash functions.

Dengguo Feng, Lin Jiao, Yonglin Hao, Qunxiong Zheng, Wenling Wu, Wenfeng Qi, Lei Zhang, Liting Zhang, Siwei Sun, Tian Tian
ePrint Report
In this paper, we introduce SCMAC, a general framework that transforms large-memory stream ciphers into AEAD schemes. It represents an intermediate design paradigm between Encrypt-then-MAC and dedicated single-pass AEAD, partially integrating encryption and authentication mechanisms while mitigating the risk of state leakage associated with immediate absorption and squeezing. Consequently, this approach harmonizes high performance with enhanced security. Additionally, we propose LOL2.0, an enhanced version of the blockwise stream cipher design framework LOL. This new framework improves security through modifications to the FSM update and output functions, and increases flexibility in constructing LFSR components. Based on SCMAC and LOL2.0, we present two AEAD ciphers, LOL2.0-Mini and LOL2.0-Double, which support both stream cipher and AEAD modes. These ciphers are tailored to Beyond 5G/6G environments, offering 256-bit key length and resistance to known cryptanalysis methods, including differential, linear, and integral attacks. They also provide 128-bit security against forgery attacks in the nonce-respecting setting. Due to their compatibility with AES-NI and SIMD instructions, LOL2.0-Mini and LOL2.0-Double achieve software performance of 90 Gbps and 144 Gbps in stream cipher mode, respectively. In AEAD mode, they perform at 59 Gbps and 110 Gbps, significantly faster than their predecessor's Encrypt-then-MAC versions.

Koji Nuida
ePrint Report
Card-based cryptography is a research area for realizing cryptographic functionality, such as secure multiparty computation and zero-knowledge proofs, by using a deck of physical cards and/or other non-electrical tools. Motivated by zero-knowledge proofs for solutions in pencil puzzles, there is a direction of recent studies on card-based protocols to verify connectivity of a set of cells or edges on lattice-shaped boards. In this paper, we generalize the problem to counting connected components of subsets on any graph, and propose a card-based protocol for the problem.