International Association
for Cryptologic Research

The paper defines a novel type of consensus for a distributed smart contract system, named RGB, which is based on the concept of client-side validation, separating the contract state and operations from the blockchain. With this approach, contracts are sharded (each contract is a standalone shard), kept, and validated only by contract participants, providing native scalability and privacy mechanisms, exceeding all existing blockchain-based smart contract systems while not compromising on security or decentralization. The system is designed to operate on top of compatible layers 1, such as an UTXO-based blockchain (e.g., Bitcoin) without relying on it for transaction ordering or state replication. Instead, RGB keeps the state client-side, operating as partially replicated state machines (PRiSM). It employs a novel SONIC (State machine with Ownership Notation Involving Capabilities) architecture, which provides capability-based access control to the contract state, individually owned and operated by a well-defined contract parties via novel single-use seal mechanism. RGB does state validation using zk-AluVM virtual machine, designed to support zk-STARK provers. It has a single security assumption of the collision-resistance hash function and, thus, is quantum-secure. The proposed RGB consensus is distinct from traditional blockchain-based smart contract systems; it is scalable, provably-secure, and formally verifiable.

Recent KEM-to-PAKE compilers follow the Encrypted Key Exchange (EKE) paradigm (or a variant thereof), where the KEM public key is password-encrypted. While constant-time implementations of KEMs typically avoid secret-dependent branches and memory accesses, this requirement does not usually extend to operations involving the expansion of the public key because public keys are generally assumed to be public. A notable example is $\mathsf{ML\textrm{-}KEM}$, which expands a short seed $\rho$ into a large matrix $\mathsf{A}$ of polynomial coefficients using rejection sampling---a process that is variable-time but usually does not depend on any secret. However, in PAKE protocols that password-encrypt the compressed public key, this introduces the risk of timing honest parties and mounting an offline dictionary attack against the measurement. This is particularly concerning given the well-known real-world impact of such attacks on PAKE protocols.

In this paper we show two approaches which yield $\mathsf{ML\textrm{-}KEM}$-based PAKEs that resist timing attacks. First, we explore constant-time alternatives to $\mathsf{ML\textrm{-}KEM}$ rejection sampling: one that refactors the original $\mathsf{SampleNTT}$ algorithm into constant-time style code, whilst preserving its functionality, and two that modify the matrix expansion procedure to abandon rejection sampling and rely instead on large-integer modular arithmetic. All the proposed constant-time algorithms are slower than the current rejection sampling implementations, but they are still reasonably fast in absolute terms. Our conclusion is that adopting constant-time methods will imply both performance penalties and difficulties in using off-the-shelf $\mathsf{ML\textrm{-}KEM}$ implementations. Alternatively, we present the first $\mathsf{ML\textrm{-}KEM}$-to-PAKE compiler that mitigates this issue by design: our proposal transmits the seed $\rho$ in the clear, decoupling password-dependent runtime variations from the matrix expansion step. This means that vanilla implementations of $\mathsf{ML\textrm{-}KEM}$ can be used as a black-box. Our new protocol $\mathsf{Tempo}$ builds on the ideas from $\mathsf{CHIC}$, which considered splitting the KEM public key, adopts the two-round Feistel approach for password encryption of the non-expandable part of the public key, and leverages the proof techniques from $\mathsf{NoIC}$ to show that, despite the malleability permitted by the two-round Feistel, it is sufficient for password extraction and protocol simulation in the UC framework.

The advent of quantum computing threatens the security assumptions underpinning classical public-key cryptographic algorithms such as RSA and ECC. As a response, the cryptographic community has focused on developing quantum-resistant alternatives, with hash-based signature schemes emerging as a compelling option due to their reliance on well-understood hash functions rather than number-theoretic hard- ness assumptions. This paper presents a comprehensive review of hash- based signature schemes, including Lamport, WOTS, XMSS, XMSSMT , and SPHINCS+, examining their structural design, key generation, sign- ing, and verification processes. Emphasis is placed on their classification as stateful and stateless schemes, as well as their practical integration us- ing Merkle trees and address structures. Furthermore, the paper analyzes several notable cryptanalytic attacks-such as intermediate value guess- ing, Antonov’s attack, multi-target attacks, and fault injection strate- gies-that pose risks to these constructions. By discussing both their strengths and vulnerabilities, this work highlights the viability of hash- based signatures as secure and efficient candidates for post-quantum digital signatures.

This work presents an exhaustive analysis of QSF, the KEM combiner used by X-Wing (Communications in Cryptology 1(1), 2024). While the X-Wing paper focuses on the applicability of QSF for combining ML-KEM-768 with X25519, we discuss its applicability for combining other post-quantum KEM with other instantiations of ECDH.

To this end, we establish simple conditions that allow one to check whether a KEM is compatible with QSF by proving ciphertext second‑preimage resistance C2PRI for several variants of the Fujisaki–Okamoto (FO) transform. Applying these results to post-quantum KEMs that are either standardized or under consideration for standardization, we show that QSF can also be used with all of these, including ML-KEM-1024, (e)FrodoKEM, HQC, Classic McEliece, and sntrup.

We also present QSI, a variation of QSF and show that any two KEM can be combined by hashing their concatenated keys. The result is a hybrid KEM which is IND-CCA-secure as long as one of the KEM is IND-CCA- and the other C2PRI-secure.

Finally, we also analyze QSF and QSI regarding their preservation of the recently introduced family of binding properties for KEM.

Let $N = pq$ be the product of two balanced prime numbers $p$ and $q$. In 2023, Cotan and Te\c seleanu introduced a family of RSA-like cryptosystems based on the key equation $ed - k(p^n - 1)(q^n - 1) = 1$, where $n \geq 1$. Note that when $n = 1$, we obtain the classical RSA scheme, while $n = 2$ yields the variant proposed by Elkamchouchi, Elshenawy, and Shaban. In this paper, we present a novel attack that combines continued fractions with lattice-based methods for the case $n = 2^i$, where $i > 2$ is an integer. This represents a natural continuation of previous research, which successfully applied similar techniques for $n = 1, 2, 4$.

In smart grid (SG), key agreement protocols (KAPs) are used as one of the most prevalent means to establish secure data transmission channels between smart meters (SMs) and service providers (SPs). Quite recently, Wu et al. have indicated the vulnerability of Hu et al.'s KAP to key compromise impersonation (KCI) attack and proposed a security-enhanced one for secure communications of SMs and SPs in SG. Not to undermine the noteworthy contributions of their work, this comment demonstrates that their own KAP, i.e., Wu et al.'s scheme is still vulnerable to KCI attack. Accordingly, we suggest a simple modification to fix the KCI attack issue. Our attack procedure gives some delicate hints to scholars to protect their schemes against the KCI attack in future researches.

An important requirement in synchronous protocols is that, even when a party receives all its messages for a given round ahead of time, it must wait until the round officially concludes before sending its messages for the next round. In practice, however, implementations often overlook this waiting requirement. This leads to a mismatch between the security analysis and real-world deployments, giving adversaries a new, unaccounted-for capability: the ability to ``peek into the future.'' Specifically, an adversary can force certain honest parties to advance to round $r+1$, observe their round $r+1$ messages, and then use this information to determine its remaining round $r$ messages. We refer to adversaries with this capability as ``super-rushing" adversaries.

We initiate a study of secure computation in the presence of super-rushing adversaries. We focus on understanding the conditions under which existing synchronous protocols remain secure in the presence of super-rushing adversaries. We show that not all protocols remain secure in this model, highlighting a critical gap between theoretical security guarantees and practical implementations. Even worse, we show that security against super-rushing adversaries is not necessarily maintained under sequential composition.

Despite those limitations, we present a general positive result: secret-sharing based protocols in the perfect setting, such as BGW, or those that are based on multiplication triplets, remain secure against super-rushing adversaries. This general theorem effectively enhances the security of such protocols ``for free.'' It shows that these protocols do not require parties to wait for the end of a round, enabling potential optimizations and faster executions without compromising security. Moreover, it shows that there is no need to spend efforts to achieve perfect synchronization when establishing the communication networks for such protocols.

In this paper we introduce a rank $2$ lattice over a polynomial ring arising from the public key of the BIKE cryptosystem. The secret key is a sparse vector in this lattice. We study properties of this lattice and generalize the recovery of weak keys from "Weak keys for the quasi-cyclic MDPC public key encryption scheme". In particular, we show that they implicitly solved a shortest vector problem in the lattice we constructed. Rather than finding only a shortest vector, we obtain a reduced basis of the lattice which makes it possible to check for more weak keys.

This paper presents FLEX (Fraud proofs with Lightweight Escrows for eXits), a garbled circuit-based protocol designed to facilitate two-party disputes on Bitcoin without requiring permanent security bonds. FLEX enables conditional security deposits that are only activated in the event of a dispute, reducing the financial overhead for both parties. The main goal of FLEX is to improve the capital efficiency of BitVM-based bridges in a permissioned challenge setting but can also be used to improve the security of any other fraud proof-based protocol such as payment channels. The paper also introduces enhancements that allow faster reimbursements in scenarios where one party's node is unavailable, while preserving security and minimizing race conditions.

We introduce the \(Inverse\ Discrete\ Logarithm\ Problem\) (iDLP) framework, which inverts traditional discrete logarithm assumptions by making the exponent public but deliberately non-invertible modulo the group order, while hiding the base. This creates a many-to-one algebraic mapping that is computationally irreversible under both classical and quantum attack models.

Within this framework, we define three post-quantum cryptographic primitives: Inverse Discrete Diffie–Hellman (IDDH), Inverse Discrete Key Encapsulation (IDKE), and Inverse Discrete Data Encapsulation (IDDE). Using a 512-bit modulus (prime or semiprime), a random generator \( g \), and a public exponent \( y \) with \(\gcd(y, \varphi(m)) = 2\), the masking function \[ \mathsf{Mask}_{g,y}(x) := g^{x y} \bmod m \] induces a two-to-one mapping that renders discrete logarithm inversion infeasible.

Our security analysis shows that known quantum algorithms yield only multiple candidates, requiring exhaustive search among equivalence classes, which remains intractable at 512-bit parameters. We demonstrate efficient prototype implementations with sub-millisecond key operations and AES-GCM-level data throughput. Full source code and parameters are publicly available at \url{https://github.com/AdamaSoftware/InverseDiscrete/}.

Zero-knowledge rollups represent a critical scaling solution for Ethereum, yet their practical deployment faces significant challenges in on-chain verification costs. This paper presents a comprehensive implementation of the Tokamak zkEVM verifier, specifically optimized for the BLS12-381 elliptic curve operations introduced by EIP-2537. We detail the complete verification architecture, from EVM compatible data formatting for pairing checks, multi-scalar multiplication (MSM), and elliptic curve addition, to the non-interactive protocol design between prover and verifier. Our key contribution lies in novel optimization techniques that substantially reduce on-chain verification costs. Through strategic polynomial aggregation and scalar factorization, we minimize G1 exponentiations from 40 to 31, achieving gas savings of 108,000 units per verification. Additionally, we introduce a dynamic barycentric interpolation method that replaces computationally intensive FFT operations, resulting in 92-95% gas reduction for sparse polynomial evaluations. We further present proof aggregation strategies that minimize precompile calls while maintaining the 128-bit security guarantees of BLS12-381. Our implementation demonstrates that careful protocol design and mathematical optimizations can make zk-rollup verification economically viable on Ethereum. The techniques presented are compatible with the upcoming Pectra upgrade and provide a blueprint for efficient on-chain verification of complex zero-knowledge proofs. Experimental results show total gas costs reduced from 857,200 to 748,450 units for complete proof verification, making our approach practical for high-throughput rollup deployments.

Democratic discourse depends on citizens’ ability to verify information, yet this capacity is under systematic attack. We introduce Verification Cost Asymmetry (VCA)—a mathematical framework quantifying how much harder it is for different populations to check the same claims. Using complexity theory and cryptographic techniques, we show how to engineer ”spot-checkable” information bundles that trusted audiences can verify in constant time while adversaries face combinatorial verification costs. This provides the first rigorous foundation for designing information systems that structurally favor truth over disinformation. The approach transforms cognitive security from intuitive defense to mathematical engineering, with immediate applications to platform design, content authentication, and democratic resilience.

We need to perform some maintenance on submit.iacr.org. It will be down from 3pm-5pm UTC on Sunday August 3. Since apologies for the late notice, but it's difficult to find a time to update this and it's long overdue.

East China Normal University (ECNU) locates in Shanghai, China, and is one of the first institutions in China to conduct education and research in cryptography and cybersecurity.

The School of Cryptology at ECNU was founded in November 2024 and is now seeking candidates for tenure-track (associate professor) and tenured (full/chair professor) positions in all areas of cryptography and cybersecurity, including: public-key cryptography, symmetric-key cryptography, cryptanalysis, multi-party computation, zero-knowledge proof, fully homomorphic encryption, obfuscation, applied cryptography, blockchain, AI security, system security, etc. Preference will be given to applicants with publications in top-tier venues such as FOCS, STOC, CRYPTO, EUROCRYPT, ASIACRYPT, CCS, S&P.

We will offer a competitive package including attractive salary, housing and relocation allowances, research startup funding, and support for children's education.

To apply, please send brief CV to mmxy@sc.ecnu.edu.cn (Mrs. Zhang).

Closing date for applications:

Contact: Mrs. Zhang (mmxy@sc.ecnu.edu.cn)

The cryptography research group in the Department of Computer Science and Engineering, IIITDM Kurnool, invites applications from Indian Nationals for the following position under a project funded by IBITF. 1. Research Associate (2 Positions) Salary: 1st Year - (Rs. 58000, 2nd Year - Rs. 63800, 3rd Year - Rs.66700) + HRA* * as per the institute's norm. "Qualifications": Ph.D. in a relevant area, preferably in Computer Science or Mathematics or relevant area, with a strong background in Cryptography and Mathematics. "Desired qualification": Good academic record and knowledge in public key cryptography, especially in Lattice-based Cryptography, Applied cryptography. "How to apply": Please send me your application form (https://files.iiitk.ac.in/uploads/recruitment/2025/project/DASH-IBITH-RA-Recruitment_0725_app.docx) along with all the enclosures (CV, all educational certificates, GATE/CSIR-NET/NBHM score card, and any other relevant documents) as a single .pdf file through Email with the subject “RA Application for Digital Cash Solution on CBDC Project”. It is a rolling advertisement; however, the first deadline is *20th August 2025*. Email: kabaleesh@iiitk.ac.in

Closing date for applications:

Contact: Dr. R. Kabaleeshwaran

More information: https://files.iiitk.ac.in/uploads/recruitment/2025/project/DASH-IBITH-RA-Recruitment_0725.pdf

The Post-Quantum Cryptography Migration Interdisciplinary Lab (PQC-X) at XJTLU has multiple openings for faculty positions. We are seeking excellent researchers in design, analysis, implementation and/or application aspects of the following areas, and will offer internationally competitive salary packages for successful candidates.

Topics of Interests

• Post-Quantum Cryptography

• Multi-Party Computation

• Zero-Knowledge Proofs

• Fully Homomorphic Encryption

Faculty Positions

Multiple faculty positions are open at all ranks: Professor, Associate Professor, and Assistant Professor. The positions are on three-year contract which is renewable and will be converted to long-term contract when renewed again after six-year service. Positions will remain open until filled.

What we offer:

• Opportunities to work in an excellent research environment and collaborate with global leaders in post-quantum cryptography, and with top financial institutions and industry partners.

• Internationally competitive salary and benefits such as housing allowance, travel allowance, education allowance, relocation support etc.

• Adequate research funds, and university’s supports to apply for national, provincial and municipal talent programs.

Requirements:

• Ph.D. in Computer Science, Mathematics, Cryptography, or closely related areas.

• Proven track record of research excellence in post-quantum cryptography or a closely related area.

• Demonstrated excellence in teaching and supervision of undergraduate/graduate students/post-docs.

How to Apply

Submit your application via: https://career15.sapsf.cn/sfcareer/jobreqcareer?jobId=4087&company=xjtlu.

Including,

• Cover letter

• Curriculum Vitae (CV)

• Three academic reference letters (two for research and one for teaching)

For Inquiries, you can contact HR: Ye.Lan@xjtlu.edu.cn.

Closing date for applications:

Contact: Mingwei.Sun@xjtlu.edu.cn

More information: https://career15.sapsf.cn/sfcareer/jobreqcareer?jobId=4087&company=xjtlu

The Post-Quantum Cryptography Migration Interdisciplinary Lab (PQC-X) is a newly founded lab at XJTLU, led by Prof. Jintai DING*, a globally recognized leader in Post-quantum Cryptography. With the initial CNY22 million funding by the University, PQC-X aims to establish a world-class research lab with focus on conducting world-leading research in post-quantum cryptography, advancing key technologies in post-quantum migration and facilitating their industry transfer, and fostering the development of high-level talents in this field. PQC-X is expanding to a team of 9 faculty, 9 postdoctoral researchers, and 12 doctoral students.

PQC-X maintains an internationally collaborative research environment and strong partnerships with leading scholars and top institutions worldwide, including:

• Prof. Johannes Buchmann (Fellow of the German Academy of Sciences)

• Prof. Tsuyoshi Takagi (University of Tokyo)

• Financial institutions, e.g., the Jiangsu Province Financial Society, China Construction Bank, and the Financial Research Institute of the People’s Bank of China

*About Prof. Jintai Ding

Prof. Jintai Ding is a globally recognized leader in post-quantum cryptography and currently the Dean of School of Mathematics and Physics at Xi’an Jiaotong-Liverpool University (XJTLU). He was one of the principal designers of ML-KEM (FIPS 203), the only quantum-resistant key establishment standard selected by the US National Institute of Standards and Technology (NIST). He is also the inventor and patent holder of the first quantum key exchange, which was among the two patents licensed to NIST for ML-KEM.

Prior to joining XJTLU, Prof. Ding was Full Professor in Tsinghua University; and the Distinguished Taft Professor in the University of Cincinnati for more than 20 years. Prof. Ding received his PhD from Yale University.

How to Apply

Submit your application via the Univiersity Website.

Including,

• Cover letter

• Curriculum Vitae (CV)

• Three academic reference letters (two for research and one for teaching)

For Inquiries, you can contact HR: Ye.Lan@xjtlu.edu.cn

Closing date for applications:

Contact: Mingwei.sun@xjtlu.edu.cn

More information: https://career15.sapsf.cn/sfcareer/jobreqcareer?jobId=4200&company=xjtlu

The Young Investigator Group “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has an open PhD position in the following areas:

• AI-based Network Attack Detection and Simulation.
• AI-enabled Penetration Testing.
• Privacy-Enhancing Technologies in Cyber-Physical Systems.

The available position is funded as 100% TV-L E13 tariff in Germany and initially limited until 31.07.2026, with possibility for extension. Candidates must hold a Master’s degree or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. Applications will be reviewed until the position is filled.

Closing date for applications:

Contact: Ivan Pryvalov (ivan.pryvalov@b-tu.de)

Collaborative zkSNARKs, proposed by Ozdemir and Boneh in 2022, allow a prover to delegate the generation of zkSNARK proofs to multiple servers, without compromising the confidentiality of the secret witness. They enable the use of zkSNARK techniques on computational limited devices in critical applications such as blockchains. However, the running time of each server is at least as slow as computing the proof on a single server. Garg et al. attempted to improve the efficiency in their scheme named zkSaaS using packed secret sharing, but the scheme still requires a powerful central server with linear computation, communication and memory usage.

In this paper, we propose a new collaborative zkSNARK scheme with $O(\frac{C}{n}\log\frac{C}{n})$ prover time and $O(1)$ proof size with $n$ servers for a circuit of size $C$. An adversary compromising less than $\frac{n}{4}$ servers cannot learn any information about the witness. The core of our technique lies in a new zkSNARK scheme for the Plonkish constraint system that is friendly to packed secret sharing. We utilize bivariate polynomials to avoid a large Fast Fourier Transform on the entire witness, which was the major bottleneck in prior work. We also construct permutation constraints based on logarithmic derivatives and univariate sumcheck to avoid the computation of prefix products. Finally, we build a bivariate polynomial commitment scheme that can be computed directly on packed secret shares. Experimental results show that for a circuit of size $2^{20}$, with 128 servers, our scheme can accelerate the proof generation by 36.2$\times$ compared to running the zkSNARK on a single server. The prover time of our system is 25.9$\times$ faster than the prior work of zkSaaS. The proof size of our scheme is only 960 Bytes.

The final exponentiation is a crucial step in pairing computations, ensuring cor- rectness and uniqueness of results in pairing-based cryptographic protocols. In this work, we propose an efficient method for computing the hard part of the final exponentiation on BW10-511, BW14-351 and BLS12 curves at 128 bits security level. Our approach reduces the computation cost by optimizing the exponenti- ation sequence and minimizing the number of required multiplications through an improved addition chain strategy. The computation cost of our method for the final exponentiation on these curves is about 25.6%, 33.2% and 10% faster than the previously fastest result on BW10-511, BW14-351 and BLS12 curves respectively. The correctness of our formulas has been verified by a Magma code.