International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available via email and via RSS feed.

22 July 2025

Daniel Lammers, Nicolai Müller, Siemen Dhooghe, Amir Moradi
ePrint Report
The efficient implementation of Boolean masking with minimal overhead in terms of latency has become a critical topic due to the increasing demand for physically secure yet high-performance cryptographic primitives. However, achieving low latency in masked circuits while ensuring that glitches and transitions do not compromise their security remains a significant challenge. State-of-the-art multiplication gadgets, such as the recently introduced HPC4 (CHES 2024), offer composable security against glitches and transitions, as proven under the robust d-probing model. However, these gadgets require at least one clock cycle per computation, resulting in a latency overhead that increases with the algebraic degree. In contrast, LMDPL gadgets (CHES 2014 & CHES 2020) can achieve fixed latency independent of the algebraic degree, effectively addressing this issue. However, they are limited to two shares, and extending them to guarantee composable security at order d with d+1 shares is considered an open challenge. In this work, we introduce CCHPC, a novel hardware masking scheme built on the concept of LMDPL. Specifically, CCHPC achieves a fixed latency of d clock cycles by masking a Boolean function of arbitrary algebraic degree with d+1 shares. CCHPC gadgets are secure and trivially composable, as formally proven under the RR d-probing model (CHES 2024). Using CCHPC gadgets, we design a masked AES encryption core which can be instantiated for an arbitrary number of d+1 shares with a total latency of 11 + d clock cycles.
Jiahui He, Kai Hu, Guowei Liu
ePrint Report
The cube attack is one of the most powerful attacks on stream ciphers, with recovering the superpoly as its key step. The core monomial prediction is the state-of-the-art technique for superpoly recovery, which can reach 851 rounds for Trivium thus far (EUROCRYPT 2024). The core monomial prediction heavily relies on the trail enumeration which is the bottleneck for its efficiency.

This paper further explores the potential of the core monomial prediction for Trivium by constructing a composite representation for the superpoly. This representation allows us to detect the algebraic structure of the superpoly under specific conditions on the intermediate variables, without the computational burden of trail enumerations. Leveraging these discovered conditions, we successfully recovered weak-key superpolies for 852-round Trivium, establishing the first cryptanalytic result against 852-round Trivium in the literature to date.
Alessio Caminata, Elisa Gorla, Madison Mabe, Martina Vigorito, Irene Villa
ePrint Report
We consider the multivariate scheme $\texttt{Pesto}$, which was introduced by Calderini, Caminata, and Villa. In this scheme, the public polynomials are obtained by applying a CCZ transformation to a set of quadratic secret polynomials. As a consequence, the public key consists of polynomials of degree $4$. In this work, we show that the public degree $4$ polynomial system can be efficiently reduced to a system of quadratic polynomials. This seems to suggest that the CCZ transformation may not offer a significant increase in security, contrary to what was initially believed.
Foo Yee Yeo, Jason H. M. Ying
ePrint Report
We present a collection of protocols to perform privacy-preserving set operations in the third-party private set intersection (PSI) setting. This includes several protocols for multi-party third party PSI. In this model, there are multiple input parties (or clients) each holding a private set of elements and the receiver is an external party (termed as third-party) with no inputs. Multi-party third party PSI enables the receiver to learn only the intersection result of all input clients' private sets while revealing nothing else to the clients and the receiver. Our solutions include constructions that are provably secure against an arbitrary number of colluding parties in the semi-honest model. Additionally, we present protocols for third-party private set difference and private symmetric difference, whereby the learned output by the inputless third-party is the set difference and symmetric difference respectively of two other input parties, while preserving the same privacy guarantees. The motivation in the design of these protocols stems from their utilities in numerous real-world applications. We implemented our protocols and conducted experiments across various input and output set sizes.
Ananya Appan, David Heath, Ling Ren
ePrint Report
Granular Synchrony (Giridharan et al. DISC 2024) is a new network model that unifies the classic timing models of synchrony and asynchrony. The network is viewed as a graph consisting of a mixture of synchronous, eventually synchronous, and asynchronous communication links. It has been shown that Granular Synchrony allows deterministic Byzantine agreement protocols to achieve a corruption threshold in between complete synchrony and complete asynchrony if and only if the network graph satisfies the right condition, namely, that no two groups of honest parties of size $n-2t$ can be partitioned from each other.

In this work, we show that the same network condition is also tight for Agreement on a Common Subset (ACS), Verifiable Secret Sharing (VSS), and secure Multi-Party Computation (MPC) with guaranteed output delivery, when the corruption threshold is between one-third and one-half. Our protocols are randomized and assume that all links are either synchronous or asynchronous (no partially synchronous links are needed). Our ACS protocol incurs an amortized communication cost of $O(n^3\lambda)$ bits per input, and our VSS and MPC protocols incur amortized communication costs of $O(n^3)$ and $O(n^4)$ field elements per secret and per multiplication gate, respectively. To design our protocols, we also construct protocols for Reliable Broadcast and Externally Valid Byzantine Agreement (EVBA), which are of independent interest.
Itai Dinur
ePrint Report
Differential cryptanalysis is one of the most powerful attacks on modern block ciphers. After many years of research, we have very good techniques for showing that the probability that an input difference leads to an output difference (i.e., the probability of a differential) is either significantly higher or lower than expected, and such large deviations lead to attacks.

On the other hand, modern techniques cannot estimate with high accuracy the probability of a differential that spans many rounds of the cipher. Therefore, these techniques are sufficient to argue only limited resistance against differential cryptanalysis.

In particular, for the AES, Keliher and Sui proved in 2005 that any 4-round differential has probability at most (about) $2^{-114}$, under the assumption that the round-keys are chosen independently. This establishes limited security arguments against classical differential cryptanalysis. Stronger bounds are only known when considering thousands of AES rounds, whereas at most 14 rounds are used in practice by AES-256.

In this paper, we propose new techniques for estimating the probability of a differential under the assumption that the round-keys of the cipher are chosen independently. We apply our techniques to AES, and show that the probability of every differential in 8-round AES is within an additive factor of $2^{-128} \cdot \frac{1}{50}$ from the expected value of $\frac{1}{2^{128} - 1}$.

We further apply our techniques to prove that 8-round AES is at most $2^{-18}$-close to a pairwise independent permutation, while 40-round AES is at most $2^{-135}$-close. The latter result improves upon the work of Liu, Tessaro and Vaikuntanathan [CRYPTO 2021], who proved a similar bound for 9000-round AES.

To obtain our results, we develop and adapt a variety of techniques for analyzing differentials using functional analysis. We expect these techniques to be useful for analyzing differentials in additional block ciphers besides the AES.
Liam Eagen, Ariel Gabizon
ePrint Report
Inner Product Arguments (IPA) [BCC+16,BBB+17] are a family of proof systems with $O(\log n)$ sized proofs, $O(n)$ time verifiers, and transparent setup. Bootle, Chiesa and Sotiraki [BCS21] observed that an IPA can be viewed as a sumcheck protocol [LFKN92] where the summed polynomial is allowed to have coefficients in a group rather than a field. We leverage this viewpoint to improve the performance of multi-linear polynomial commitments based on IPA. Specifically:

- We introduce a simplified variant of Halo-style accumulation that works for multilinear evaluation claims, rather than only univariate ones as in [BGH19,BCMS20].
- We show that the size $n$ MSM the IPA verifier performs can be replaced by a "group variant" of $\mathsf{basefold}$ [ZCF23]. This reduces the verifier complexity from $O(n)$ to $O_{\lambda}(\log^2 n)$ time at the expense of an additional $4n$ scalar multiplications for the IPA prover.
Ahmet Malal, Cihangir Tezcan
ePrint Report
One of the main layers in the Advanced Encryption Standard (AES) is the substitution layer, where an $8 \times 8$ S-Box is used $16$ times. The substitution layer provides confusion and makes the algorithm resistant to cryptanalysis techniques. Therefore, the security of the algorithm is also highly dependent on this layer. However, the cost of implementing an $8 \times 8$ S-Box on FPGA platforms is considerably higher than that of the other layers of the algorithm. Since S-Boxes are repeatedly used in the algorithm, the cost of the algorithm largely comes from the substitution layer. In 2005, Canright used different extension fields to represent the AES S-Box to get FPGA-friendly compact designs. The best optimization proposed by Canright reduced the gate-area of the AES S-Box implementation by $20\%$.

In this study, we use the same optimization methods that Canright used to optimize the AES S-Box on hardware platforms. Our purpose is not to optimize the AES S-Box; we aim to create another $8 \times 8$ S-Box which is strong and compact enough for FPGA platforms. We create an $8 \times 8$ S-Box using the inverse field operation as in the case of the AES S-Box. We use another irreducible polynomial to represent the finite field and get an FPGA-friendly compact and efficient $8 \times 8$ S-Box. The finite field we propose provides the same level of security against cryptanalysis techniques with $3.125\%$ less gate-area on Virtex-7 and Artix-7 FPGAs compared to Canright’s results. Moreover, our proposed S-Box requires $11.76\%$ less gate-area on Virtex-4 FPGAs. These gate-area improvements are beneficial for resource-constrained IoT devices and allow more copies of the S-Box for algorithm parallelism. Therefore, we claim that our proposed S-Box is more compact and efficient than the AES S-Box. Cryptographers who need an $8 \times 8$ S-Box can use our proposed S-Box in their designs instead of the AES S-Box with the same level of security but better efficiency.
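The abstract above does not state which irreducible polynomial the authors chose, so the following is an added illustration rather than the paper's own code: it builds the "inversion then AES affine map" S-Box for the AES field polynomial 0x11B and for an assumed stand-in alternative, 0x11D (x^8 + x^4 + x^3 + x^2 + 1, also irreducible), checks irreducibility, and measures the two standard cryptanalytic figures that "the same level of security" refers to in this setting: differential uniformity and nonlinearity. Because any two representations of GF(2^8) differ only by a linear bijection on bit vectors, both S-Boxes come out with differential uniformity 4 and nonlinearity 112; the gate-area difference the paper reports is an implementation property that this script does not model.

```python
"""Inversion-based 8x8 S-boxes over GF(2^8) under different irreducible
polynomials, with differential uniformity and nonlinearity checks.
Added example; not the paper's code. ALT_POLY is an assumed stand-in."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
ALT_POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, assumed alternative (irreducible)


def poly_mod(a, b):
    """Remainder of the GF(2)[x] polynomial a modulo b (both as bit vectors)."""
    while a and a.bit_length() >= b.bit_length():
        a ^= b << (a.bit_length() - b.bit_length())
    return a


def is_irreducible8(poly):
    """A degree-8 polynomial over GF(2) is irreducible iff no polynomial of
    degree 1..4 (bit vectors 2..31) divides it."""
    assert poly.bit_length() == 9, "expected a degree-8 polynomial"
    return all(poly_mod(poly, d) != 0 for d in range(2, 32))


def gf_mul(a, b, poly):
    """Multiply field elements with shift-and-add reduction modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r


def gf_inv(a, poly):
    """Multiplicative inverse as a^254 (Fermat); 0 maps to 0 as in AES."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base, poly)
        base = gf_mul(base, base, poly)
        e >>= 1
    return result if a else 0


def aes_affine(x):
    """AES affine layer: x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63."""
    y = x
    for s in range(1, 5):
        y ^= ((x << s) | (x >> (8 - s))) & 0xFF
    return y ^ 0x63


def make_sbox(poly):
    """S(x) = affine(x^-1), with the inverse taken in the field defined by poly."""
    return [aes_affine(gf_inv(x, poly)) for x in range(256)]


def differential_uniformity(sbox):
    """max over input difference a != 0 and output difference b of
    #{x : S(x) ^ S(x ^ a) = b}; 4 is optimal for a bijective 8-bit S-box."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


def nonlinearity(sbox):
    """Min over nonzero output masks b of the Hamming distance between the
    component function <b, S(x)> and the set of affine functions, computed
    with a fast Walsh-Hadamard transform of the +-1 truth table."""
    best = 256
    for b in range(1, 256):
        f = [1 - 2 * (bin(sbox[x] & b).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    u, v = f[j], f[j + h]
                    f[j], f[j + h] = u + v, u - v
            h *= 2
        best = min(best, 128 - max(abs(w) for w in f) // 2)
    return best


def profile(poly):
    """(is_permutation, differential_uniformity, nonlinearity) of the
    inversion-based S-box built over poly."""
    s = make_sbox(poly)
    return (len(set(s)) == 256, differential_uniformity(s), nonlinearity(s))


if __name__ == "__main__":
    for name, p in (("AES 0x11B", AES_POLY), ("alt 0x11D", ALT_POLY)):
        print(name, "irreducible:", is_irreducible8(p), "profile:", profile(p))
```

With 0x11B the table reproduces the AES S-Box (for instance S(0x53) = 0xED), which is a quick sanity check that the inverse and affine map are wired correctly before trusting the figures for the alternative polynomial.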
Binyi Chen, Noel Elias, David J. Wu
ePrint Report
Non-interactive batch arguments (BARGs) for NP allow a prover to prove $\ell$ NP statements with a proof whose size scales sublinearly with $\ell$. In this work, we construct a pairing-based BARG where the size of the common reference string (CRS) scales linearly with the number of instances and the prover's computational overhead is quasi-linear in the number of instances. Our construction is fully black box in the use of the group. Security relies on a $q$-type assumption in composite-order pairing groups.

The best black-box pairing-based BARG prior to this work has a nearly-linear size CRS (i.e., a CRS of size $\ell^{1 + o(1)}$) and the prover overhead is quadratic in the number of instances. All previous pairing-based BARGs with a sublinear-size CRS relied on some type of recursive composition and correspondingly, non-black-box use of the group. The main technical insight underlying our construction is to substitute the vector commitment in previous pairing-based BARGs with a polynomial commitment. This yields a scheme that does not rely on cross terms in the common reference string. In previous black-box pairing-based schemes, the super-linear-size CRS and quadratic prover complexity was due to the need for cross terms.
Event Calendar
Submission deadline: 1 October 2025

Washington, USA, 4 May - 7 May 2026
Event Calendar
Event date: 4 May to 7 May 2026
KU LEUVEN, Electrical Engineering, research group COSIC
Job Posting
COSIC, an internationally renowned research group, provides broad expertise in digital security and strives for innovative cyber security solutions. Join this team as a research professor in hardware security. COSIC owns and operates an advanced electronics security evaluation lab, available to the team.
This position is an 'open BOFZAP' position and requires a support letter from the host. Pre-application deadline is September 1, 2025.

link to COSIC: https://esat.kuleuven.be/cosic
link to the lab: https://www.esat.kuleuven.be/cosic/security-evaluations-lab/

Closing date for applications:

Contact: Ingrid Verbauwhede

More information: https://research.kuleuven.be/en/career/research-staff/bofzap


Simula UiB AS, Bergen, Norway
Job Posting

Postdoc in PQC: Some new standards have been established already, but a lot of work is still needed for a successful migration, ranging from a wider portfolio of post-quantum secure primitives (both in functionality and footprint), increased confidence in the underlying assumptions through advanced cryptanalysis, improved implementations with high assurance (e.g. against microarchitectural or side-channel attacks), and integration of primitives in wider protocols and products. The successful applicant will be able to explore and contribute to these exciting research and development questions, with an opportunity to set their own research agenda. (Application deadline 15 August)

PhD Position: Do you want to contribute to making our increasingly digitised world safer by diving into the exciting field of cryptographic analysis? This research topic aims to build confidence in the cryptography we all rely on in our daily lives. The successful applicant will have the opportunity to explore and contribute to groundbreaking research in the cryptanalysis of novel symmetric encryption algorithms designed for advanced protocols, so-called STAPs. (Application deadline 1 September)

Read more on both open positions here:

https://www.simula.no/careers/job-openings/postdoctoral-fellow-in-post-quantum-cryptography
https://www.simula.no/careers/job-openings/phd-position-in-stap-cryptanalysis

Closing date for applications:

Contact: bergen@simula.no

More information: https://www.simula.no/careers/job-openings/postdoctoral-fellow-in-post-quantum-cryptography


Stevens Institute of Technology; Hoboken, NJ, USA
Job Posting

The Department of Computer Science at Stevens Institute of Technology near New York City is seeking applicants for PhD Student positions in the area of theoretical and applied cryptography. Stevens Computer Science is a rapidly expanding department, and we are looking for talented researchers to join. Successful applicants are expected to participate in a rigorous research program on topics such as encrypted data structures, provable security, and cryptography for AI.

Research:

Successful applicants will join the cryptography researchers at Stevens and, specifically, work with Prof. Alex Hoover (https://axhoover.com/about) on projects including topics such as:

  • Private Information Retrieval (PIR)
  • Encrypted data structures (e.g., ORAM, Structured Encryption)
  • Cryptography for AI (e.g., Watermarking)

We have an active group of students, postdoctoral researchers, and faculty. New students will collaborate with current researchers and students at Stevens, as well as with other faculty members active in the area of cryptography.

How to apply:

Applicants must have a BS degree in Computer Science or a closely related field. An MS degree is not required, and students can start in the fall or spring semester. All PhD students are fully funded, including their tuition and stipend. Interested applicants should submit an application on Stevens' website (https://www.stevens.edu/academics/graduate-study/phd-application-process) and email a CV and short bio to the contact below.

Closing date for applications:

Contact: Alex Hoover (ahoover@stevens.edu)

More information: https://www.stevens.edu/academics/graduate-study/phd-application-process

University of Amsterdam
Job Posting
Do you like solving challenges in cyber security? Do you want to become part of a growing team of cybersecurity researchers at the University of Amsterdam whose research contributes to securing our digital world? The Informatics Institute is looking for a new assistant professor in cyber security. You will be able to hire a PhD student as part of the startup-package.

What are you going to do?
You will conduct research in the “Challenges in Cyber Security” project, one of the few projects receiving funding in the prestigious NWO Gravitation program. In cooperation with researchers from TU Eindhoven, Radboud University, VU Amsterdam, and CWI, you will work on the grand challenges of cybersecurity in areas such as cryptography, software security, or physical security. Besides cutting-edge research, you will also contribute to education – for example, in the top-rated Security and Network Engineering MSc program – and other activities, including acquisition and management of funded research projects, supervision of PhD students, and supervision of BSc/MSc graduation projects.

Application deadline: 15 September 2025

Closing date for applications:

Contact: Christian Schaffner

More information: https://werkenbij.uva.nl/en/vacancies/assistant-professor-in-cyber-security-netherlands-13320


19 July 2025

Felix Carvalho Rodrigues, Décio Gazzoni Filho, Gora Adj, Isaac A. Canales-Martínez, Jorge Chávez-Saab, Julio López, Michael Scott, Francisco Rodríguez-Henríquez
ePrint Report
Finite field arithmetic is central to several cryptographic algorithms on embedded devices like the ARM Cortex-M4, particularly for elliptic curve and isogeny-based cryptography. However, rapid algorithm evolution, driven by initiatives such as NIST’s post-quantum standardization, might frequently render hand-optimized implementations obsolete. We address this challenge with m4-modarith, a library generating C code with inline assembly for the Cortex-M4 that rivals custom-tuned assembly, enabling agile development in this ever-changing landscape. Our generated modular multiplications obtain fast performance, competitive with hand-optimized assembly implementations published in the literature, even outperforming some of them for Curve25519. Two contributions are pivotal to this success. First, we introduce a novel multiplication strategy that matches the memory access complexity of the operand caching method while being applicable to a larger cache size for Cortex-M4 implementations. Second, we generalize an efficient pseudo-Mersenne reduction strategy, and formally prove its correctness and applicability for most primes of cryptographic interest. Our generator allowed agile optimization of SQIsign’s NIST PQC Round 2 submission, improving level 1 verification from 123 Mcycles to only 54 Mcycles, a $2.3\times$ speedup. As an additional case study, we use our generator to improve performance of portable implementations of RFC 7748 by up to $2.2\times$.
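The pseudo-Mersenne reduction the abstract refers to is the folding trick for primes of the form p = 2^k - c: since 2^k is congruent to c modulo p, the high k bits of a double-width product can be multiplied by the small constant c and added back to the low k bits. The following Python is an added illustration, not m4-modarith's code or its generated assembly; it shows the arithmetic for p = 2^255 - 19 (the Curve25519 prime of RFC 7748) with a fixed number of folds and one branch-free correction, and the bound on c under which two folds suffice. Python big integers are not constant-time, so this is only the algebra, not the limb-level implementation the paper targets.

```python
"""Pseudo-Mersenne reduction modulo p = 2^k - c, illustrated for
p = 2^255 - 19 (Curve25519, RFC 7748). Added example; not m4-modarith code."""

K25519, C25519 = 255, 19
P25519 = (1 << K25519) - C25519


def fold(x, k, c):
    """One folding step: write x = hi*2^k + lo; because 2^k = c (mod p),
    x = hi*c + lo (mod p), and hi*c + lo is far smaller than x."""
    mask = (1 << k) - 1
    return (x >> k) * c + (x & mask)


def reduce_pseudo_mersenne(x, k, c):
    """Reduce 0 <= x < 2^(2k) into [0, p) for p = 2^k - c using exactly two
    folds and one conditional subtraction.

    Bounds: after fold 1, x < (c+1)*2^k; after fold 2, x < 2^k + c*c.
    If c*c + 3*c < 2^k (true for every pseudo-Mersenne prime in practice)
    then 2^k + c*c < 2p, so a single subtraction of p finishes the job."""
    p = (1 << k) - c
    assert 0 <= x < (1 << (2 * k)), "input must fit in a double-width product"
    assert c * c + 3 * c < (1 << k), "c too large for the two-fold bound"
    x = fold(x, k, c)
    x = fold(x, k, c)
    # Branch-free correction: subtract p iff x >= p. In fixed-width limb code
    # this is a masked subtraction; here the mask is derived from a comparison.
    ge = -(x >= p)  # 0 or -1 (all ones)
    return x - (p & ge)


def mulmod25519(a, b):
    """Field multiplication a*b mod 2^255 - 19 for 0 <= a, b < p."""
    return reduce_pseudo_mersenne(a * b, K25519, C25519)


if __name__ == "__main__":
    # Constructed check: 2^255 = 19 (mod p), so 2^510 - 1 = 19^2 - 1 = 360.
    print(reduce_pseudo_mersenne((1 << 510) - 1, K25519, C25519))
    print(mulmod25519(P25519 - 1, P25519 - 1))  # (-1)^2 = 1
```

The same routine reduces modulo a Mersenne prime such as 2^127 - 1 (c = 1); what changes for a Solinas prime like Curve448's 2^448 - 2^224 - 1 is that the folded term is no longer a single small multiple, which is the kind of generalization the abstract's proof of applicability is about.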
Thi Van Thao Doan, Olivier Pereira, Thomas Peters
ePrint Report
Proving the validity of ballots is a central element of verifiable elections. Such proofs can however create challenges when one desires to make a protocol receipt-free. We explore the challenges raised by validity proofs in the context of protocols where threshold receipt-freeness is obtained by secret sharing an encryption of a vote between multiple authorities. In such contexts, previous solutions verified the validity of votes by decrypting them after passing them through a mix-net. This approach however creates subtle privacy risks, especially when invalid votes leak structural patterns that threaten receipt-freeness. We propose a different approach of threshold receipt-free voting in which authorities re-randomize ballot shares then jointly compute a ZK proof of ballot validity before letting the ballots enter a (possibly homomorphic) tallying phase. Our approach keeps the voter computational costs limited while offering verifiability and improving the ballot privacy of previous solutions. We present two protocols that enable a group of servers to verify and publicly prove that encrypted votes satisfy some validity properties: Minimix, which preserves prior voter-side behavior with minimal overhead, and Homorand, which requires voters to submit auxiliary data to facilitate validation over large vote domains. We show how to use our two protocols within a threshold receipt-free voting framework. We provide formal security proofs and efficiency analyses to illustrate trade-offs in our designs.
Dilara Toprakhisar, Svetla Nikova, Ventzislav Nikov
ePrint Report
Physical attacks pose a major challenge to the secure implementation of cryptographic algorithms. Although significant progress has been made in countering passive attacks such as side-channel analysis (SCA), protection against fault attacks is still less developed. One reason for this is the broader and more complex nature of fault attacks, which makes it difficult to create standardized fault evaluation methodologies for countermeasures like those used for SCA. This makes it easier to overlook potential vulnerabilities that attackers could exploit. RS-Mask, published at HOST 2020, is such a countermeasure that has been affected by the absence of a systematic analysis method. The fundamental concept behind the countermeasure is to maintain a uniform distribution of variables, regardless of whether they are faulty or correct. This property is particularly effective against Statistical Ineffective Fault Attacks (SIFA), which exploit the dependency between fault propagation and the secret data.

In this work, we present several fault scenarios involving single fault injections on the AES implementation protected with RS-Mask, where the fault propagation depends on the secret data. This happens because the random space mapping used in RS-Mask countermeasure retains a dependency on the secret data, as it is derived based on the S-box input. To address this, we propose a new countermeasure based on the core concept of RS-Mask, implementing a single mapping for all S-box inputs, involving an intrinsic duplication. Next, we evaluate the effectiveness of the new countermeasure against fault attacks by comparing the fault detection rate across all possible fault locations and values for every input. Additionally, we examine the output differences between faulty and correct outputs for each input. Our results show that the detection rate is uniform for each input, which ensures security against statistical attacks utilizing both effective and ineffective faults. Moreover, the output differences being uniform for each input ensures security against differential fault attacks.
Edward Chen, Fraser Brown, Wenting Zheng
ePrint Report
Homomorphic encryption (HE) offers strong privacy guarantees by enabling computation over encrypted data. However, the performance of tensor operations in HE is highly sensitive to how the plaintext data is packed into ciphertexts. Large tensor programs introduce numerous possible layout assignments, making it both challenging and tedious for users to manually write efficient HE programs.

In this paper, we present Rotom, a compilation framework that autovectorizes tensor programs into optimized HE programs. Rotom systematically explores a wide range of layout assignments, applies state-of-the-art optimizations, and automatically finds an equivalent, efficient HE program. At its core, Rotom utilizes a novel, lightweight ApplyRoll layout conversion operator to easily modify the underlying data layouts and unlock new avenues for performance gains. Our evaluation demonstrates that Rotom scalably compiles all benchmarks in under 5 minutes, reduces rotations in manually optimized protocols by up to 4×, and achieves up to 80× performance improvement over prior systems.
Yuval Efron, Ling Ren
ePrint Report
The synchrony model allows Byzantine Agreement (BA) protocols to be deterministic, tolerate minority faults, and achieve the asymptotically optimal $O(n)$ rounds, and $O(n^2)$ bits of communication where $n$ is the number of parties. We study the deterministic BA problem in a model in which every communication link is either synchronous or partially synchronous. Our main result for this model is that feasibility implies optimality: For every $\frac{n}{3}\leq f<\frac{n}{2}$, the minimal network conditions required for BA to be solvable against $f$ byzantine faults, are also sufficient for it to be solvable optimally, i.e., with $O(f)$ rounds and $O(f^2)$ communication. In particular, BA against minority byzantine faults can be solved when the synchronous links in the network form a mere path ($f$ synchronous links) as efficiently (up to constant factors) as when all communication links are synchronous ($\Omega(f^2)$ synchronous links).