International Association
for Cryptologic Research

Linkable ring signatures (Liu et al., ACISP'04) is a ring signature scheme with a linking mechanism for detecting signatures from the same signer. This functionality has found many practical applications in electronic voting, cryptocurrencies, and whistleblowing systems. However, existing linkable ring signature schemes impose a fundamental limitation: users can issue only one signature, and after that their anonymity is not guaranteed. This limited number of usage is inadequate for many real-world scenarios.

This work introduces the notion of Many-time Linkable Ring Signatures, extending the anonymity guarantees of standard linkable ring signatures. Specifically, many-time linkable ring signatures ensure that signers remain anonymous as long as the number of their signatures is smaller than a system-global threshold. Only when a signer exceeds this threshold the anonymity is lost. We formalize this via a security notion called T-anonymity, which guarantees that adversaries cannot distinguish signatures from users who have each produced at most T signatures. This new notion of anonymity generalizes one-time anonymity in previous linkable schemes, while providing stronger guarantees than existing constructions. We also present a lattice-based construction with proven security in the quantum random oracle model (QROM).

The Hamming Quasi-Cyclic (HQC) key encapsulation mechanism (KEM), recently selected by NIST for standardization in the Post-Quantum Cryptography (PQC) process, distinguishes itself through its efficiency, robust design based on hard decoding problems in coding theory, and well-characterized decryption failure rates. Despite its selection, practical security concerns arise from implementation threats, particularly those exploiting plaintext-checking (PC) oracles. While multi-value PC (MV-PC) and full decryption (FD) oracle attacks have been extensively studied in the context of lattice-based cryptography, their applicability to code-based schemes like HQC has remained relatively unexplored.

In this work, we present the first MV-PC and FD oracle attacks targeting code-based KEMs, specifically on HQC. Our MV-PC attack significantly reduces the required oracle queries compared to previous PC oracle-based methods and holds implications for side-channel, key-mismatch, and fault-injection attacks. Our FD attack exhibits remarkable efficiency in trace complexity, achieving secret key recovery for hqc-128 with just two queries to a perfect oracle, and four queries for hqc-192 and hqc-256. Simulations further demonstrate the robustness of our MV-PC and FD oracle attacks against imperfect oracle responses. We experimentally validate the new attacks on an ARM Cortex-M4 microcontroller, highlighting the critical need for robust countermeasures. In particular, on such a platform, substantial leakage during operations like syndrome computation poses significant challenges to the efficiency of masking techniques in mitigating FD oracle attacks.

We propose a hybrid formal verification approach that combines high-level deductive reasoning and circuit-based reasoning and apply it to highly optimized cryptographic assembly code. Our approach permits scaling up formal verifi- cation in two complementary directions: 1) it reduces the proof effort required for low-level functions where the computation logics are obfuscated by the intricate use of architecture-specific instructions and 2) it permits amortizing the effort of proving one implementation by using equivalence checking to propagate the guarantees to other implementations of the same computation using different optimizations or targeting different architectures. We demonstrate our approach via an extension to the EasyCrypt proof assistant and by revisiting formally verified implementations of ML-KEM in Jasmin. As a result, we obtain the first formally verified implementation of ML-KEM that offers performance comparable to the fastest non-verified implementation in x86-64 architectures.

In this paper, we introduce a new cryptographic hash algorithm in that we used the Collatz problem, focusing on its conditional branching structure, an element often overlooked despite the fame of the 3x + 1 conjecture. This hash algorithm takes an arbitrary-length input and produces a fixedlength 256, 384, 512-bit output. The presented hash algorithm is in the category of Collision Resistance Hash Function (CRHF), and this hash algorithm is designed by focusing on its use in password storing, HMAC, and digital signatures etc. Until now, quantum computers also didn’t show any speedup in the Collatz conjectures problem, so still the proving and disproving of the Collatz conjecture is a big question, so we believe that there is no structural attack on this hash algorithm.

In this paper, we discuss refined Humbert invariants of principally polarized superspecial abelian surfaces. Kani introduced the refined Humbert invariant of a principally polarized abelian surface in 1994. The main contribution of this paper is to calculate the refined Humbert invariant of a principally polarized superspecial abelian surface. We present three applications of computing this invariant in the context of isogeny-based cryptography. First, we discuss the maximum of the minimum degrees of isogenies between two uniformly random supersingular elliptic curves independent of their endomorphism ring structures. Second, we provide a different perspective on the fixed isogeny degree problem using refined Humbert invariants, and analyze this problem on average without endomorphism rings. Third, we give experimental evidence for the proven upper bounds that the minimum distance is $\approx \sqrt{p}$; our work verifies this claim up to p=727.

The main building block in isogeny-based cryptography is an algorithmic version of the Deuring correspondence, called $\mathsf{IdealToIsogeny}$. This algorithm takes as input left ideals of the endomorphism ring of a supersingular elliptic curve and computes the associated isogeny. Building on ideas from $\mathsf{QFESTA}$, the $\mathsf{Clapoti}$ framework by Page and Robert reduces this problem to solving a certain norm equation. The current state of the art is however unable to efficiently solve this equation, and resorts to a relaxed version of it instead. This impacts not only the efficiency of the $\mathsf{IdealToIsogeny}$ procedure, but also its success probability. The latter issue has to be mitigated with complex and memory-heavy rerandomization procedures, but still leaves a gap between the security analysis and the actual implementation of cryptographic schemes employing $\mathsf{IdealToIsogeny}$ as a subroutine. For instance, in $\mathsf{SQIsign}$ the failure probability is still $2^{-60}$ which is not cryptographically negligible.

The main contribution of this paper is a very simple and efficient algorithm called $\mathsf{Qlapoti}$ which approaches the norm equation from $\mathsf{Clapoti}$ directly, solving all the aforementioned problems at once. First, it makes the $\mathsf{IdealToIsogeny}$ subroutine between $2.2$ and $2.6$ times faster. This signigicantly improves the speed of schemes using this subroutine, including notably $\mathsf{SQIsign}$ and \prism. On top of that, $\mathsf{Qlapoti}$ has a cryptographically negligible failure probability. This eliminates the need for rerandomization, drastically reducing memory consumption, and allows for cleaner security reductions.

Since Kuwakado and Morii's work (ISIT 2010 & ISITA 2012), it is known that the classically secure 3-round Luby-Rackoff PRP and Even-Mansour cipher become insecure against an adversary equipped with quantum query access. However, while this query model (the so-called Q2 model) has led to many more attacks, it seems that restricting the adversary to classical query access prevents such breaks (the so-called Q1 model). Indeed, at EUROCRYPT 2022, Alagic et al. proved the Q1-security of the Even-Mansour cipher. Notably, such a proof needs to take into account the dichotomy between construction queries, which are classical, and primitive queries, which are quantum (since the random oracle / permutation models a public function that the adversary can compute).

In this paper, we focus on Feistel ciphers. More precisely, we consider Key-Alternating Feistels built from random functions or permutations. We borrow the tools used by Alagic et al. and adapt them to this setting, showing that in the Q1 setting: $\bullet$ the 3-round Key-Alternating Feistel, even when the round functions are the same random oracle, is a pseudo-random permutation; $\bullet$ similarly the 4-round KAF is a strong pseudo-random permutation.

PRISM is an isogeny-based cryptographic framework that relies on the hardness of computing a large prime-degree isogeny from a supersingular elliptic curve with an unknown endomorphism ring. It includes both an identification scheme PRISM-id and a signature scheme PRISM-sig. In this work, we present two attacks on PRISM-d. First, we analyze the probability that a randomly sampled prime $q$ in PRISM-id results in a $q$-torsion subgroup defined over a small extension field, and we show that this probability is higher than claimed in the original proposal. Exploiting this observation, we construct classical forgery attacks on PRISM-id. The first one handles the scenario where the attacker is not allowed to reject a challenge. It succeeds with success probability $\Theta(2^{-(\lambda + \log\lambda)(1-\varepsilon)})$ and runs in expected time $\tilde{O}(\max\{2^{3\lambda\varepsilon}, 2^{\lambda(\varepsilon + 1/2)}\})$ for any positive real number $\varepsilon < 1/3$. If you take $\varepsilon = 1/4$, the success probability becomes $\Theta(2^{-3(\lambda + \log\lambda)/4})$ and the expected time complexity $\tilde O(2^{3\lambda/4})$. The second forgery attack works in the scenario where the attacker is allowed to reject challenges. It always succeeds and runs in expected time $\tilde O(2^{6\lambda/7})$. Finally, we describe an attack on the underlying hardness assumption of PRISM-id, achieving expected time complexity $\tilde O(2^{\lambda/2})$. Note that our results do not affect the security of PRISM-sig.

This work present attacks on full ChiLow-32, a tweakable block cipher presented at EUROCRYPT'25. We first show that an attack on full ChiLow-32 is possible with a straight forward Meet-in-the-Middle attack on the data path. Here, we introduce a method based on linear structures of the round functions to optimally select the meeting point in our attack. Then, we improve this attack using novel high correlation non-linear approximations of the inverse of the $\chi$ map. This results in a drastic reduction in the time complexity of the attack, in exchange for a reduced success probability. The final attack has a time complexity of $2^{111}$, a success probability of 7% and requires 165 messages encrypted under the same tweak. Application of the same techniques to ChiLow-40 results in a deterministic attack on 7 rounds with a time complexity of $2^{125}$ and 29 messages, and a probabilistic attack on 6 rounds with a time complexity of $2^{95}$, a 14% success probability and $128$ messages encrypted under the same tweak.

Distributed Broadcast Encryption (DBE) is a registration-based cryptographic paradigm in which users generate their own public/secret keys and register their public keys on a public bulletin board. Any sender can encrypt messages for any subset of registered users, and only intended recipients can decrypt, thereby enabling scalable, trustless, and provably secure communication. While Wee et al. (CRYPTO 2025) constructed the first unbounded optimal DBE from the succinct LWE assumption, their construction achieves only selective security. Until now, it was unknown how to achieve adaptive security for unbounded optimal DBE under standard lattice assumptions without relying on heavy primitives such as indistinguishability obfuscation or witness encryption. In this work, we present the first adaptively secure unbounded optimal DBE schemes from falsifiable lattice assumptions. Specifically, for the security parameter $\lambda$ and number of users $N$, we achieve the following:

- A semi-statically secure DBE in the plain model for an arbitrary polynomial number of users, where the sizes of public parameters, user public/secret keys and ciphertext are all optimal (i.e., have size $\textsf{poly}(\lambda,\log N)$), based on the falsifiable $\textsf{poly}(\lambda,\log N$)-succinct LWE assumption.

- An adaptively-secure DBE in the random oracle model supporting an arbitrary polynomial number of users, with optimal public parameters, user public/secret keys and ciphertext sizes, again under $\textsf{poly}(\lambda,\log N)$-succinct LWE assumption.

- An adaptively-secure DBE in the plain model supporting a priori-maximum polynomially many users under the $\textsf{poly}(\lambda,\log N)$-succinct LWE assumption. Our construction achieves optimal sizes for both the user public/secret keys and the ciphertext, whereas the public parameters grow linearly with the number of users (i.e., have size $N \cdot \textsf{poly}(\lambda,\log N)$).

QR-UOV is a multivariate signature scheme selected as one of the candidates in the second round of the NIST PQC Additional Digital Signatures process. This paper presents software acceleration methods for QR-UOV optimized for modern x86 architectures. QR-UOV operates over small odd prime-power extension fields such as $\mathrm{GF}(31^3)$ and $\mathrm{GF}(127^3)$ unlike other multivariate cryptosystem candidates. This property allows direct utilization of hardware multipliers for field arithmetic, offering a distinctive advantage for high-performance implementations. Yet, how to implement QR-UOV efficiently on modern CPUs based on this property remains unclear so far. Our implementation benefits from two proposed optimizations: (1) reducing the computational overhead of the QR-UOV algorithm through algorithm-level optimization, and (2) leveraging advanced SIMD instruction set extensions (e.g., AVX2, AVX512) to accelerate main operations such as matrix multiplication. Our implementation achieves substantial speedups over the Round 2 reference: for the parameter set $(q,\ell)=(127,3)$ at NIST security level I, it delivers a $5.1\times$ improvement in key generation, $3.6\times$ in signature generation, and $5.7\times$ in signature verification. These results demonstrate that QR-UOV achieves performance comparable or higher than that of UOV implementations, particularly at higher security levels.

We study “send this data to that device now” exchanges under an active network adversary without PKI or pre-shared secrets. We model a human-verifiable out-of-band channel for comparing short codes as a first-class UC functionality. Building on this, we give two commitment-style protocols, a one-sided and a mutual one, that are direct UC equivalents of MANA-IV and prove they realize authenticated channels with explicit misbinding parameter \(\varepsilon=2^{-t}\). We then compose SAS-based authentication with standard KEM/DEM encryption to obtain a UC-secure message-transfer functionality, preserving the explicit \(\varepsilon\) under composition, and we detail practical instantiations over signatures or MACs. Complementing the theory, we systematize real-world tooling: popular file-transfer utilities either form unauthenticated WebRTC/DTLS channels or single use PAKE “one-code” designs that couple rendezvous and a longer password string but none deploy a session-bound SAS. Our approach decouples rendezvous from authentication and reduces the out-of-band burden to comparing a short \(t\)-bit string. We also sketch an RO-free variant (coin-flip plus non-malleable commitments) with the same user interface.

The state-test technique, originally introduced in the context of impossible-differential cryptanalysis and recently used as an improvement for truncated-differential Meet-in-the-Middle attacks, has proven to be useful for reducing the complexity of attacks. In essence, the idea is to guess parts of the state instead of the key during the key-guessing stage of an attack, ultimately reducing the number of guesses needed. We generalize the idea of the state-test technique, allowing it to be applied not only to impossible-differential and truncated-)differential Meet-in-the-Middle, but also to differential and differential-linear cryptanalysis, proposing also a new performant technique exploiting the state-test technique and probabilistic key-recovery. Additionally, we provide insights on the interaction between cipher and difference needed for the state-test technique to be applicable, finding it to be a promising option for many ciphers. To illustrate our findings, we provide 3 new applications of the state-test technique: we show how it can be used to improve the best known attack on the block cipher Pride, how it can be used to improve a step in the best known attack on Serpent, and use it to present the first known attacks on 24, 25 and 26 rounds of CRAFT (out of 32), improving by up to three rounds over the previous best ones.

The rise of quantum computers results in many cryptographic systems being no longer considered sufficiently secure. Algorithms from the field of post-quantum cryptography promise to provide security against the new systems. However, PQC algorithms are generally more computationally intensive than classical cryptography. In order to increase suitability of PQC for everyday use, this paper investigates their acceleration using GPUs. For this purpose, we analyzed research in the field and closed some gaps with our own implementations. We implemented Dilithium, FrodoKEM, and SPHINCS+ on GPUs using CUDA and benchmarked them together with an existing GPU implementation of Kyber on a Tesla A100 and on a RTX 2070 Super. Dilithium performed convincingly on both GPUs, achieving speed-ups in key generation, signing, and verify by factors of around 820, 2,724 and 2,609 on the A100 and 198, 714 and 802 on the RTX 2070 using the optimal batch sizes. SPHINCS+ achieved speed-ups by factors of around 715, 4,114 and 5,915 on the A100 and 193, 193 and 134 on the RTX 2070. FrodoKEM’s key generation, encapsulation, and decapsulation on the A100 were accelerated by factors of 9,989, 4,726, and 3,566. It performed speed-up factors of 107, 108, and 206 on the RTX 2070, respectively. We compared to Kyber's acceleration factors of 476, 513 and 1782 on the A100 and 18.5, 17.4 and 184.5 on the RTX 2070. In addition, we investigated the effect of using a variable set of CUDA streams for FrodoKEM. Here, using 8 streams, a speedup of another 2% could be achieved.

We study secure computation in the plain model against fully concurrent quantum adversaries. While classical simulation-based notions --- such as Super-Polynomial Simulation (SPS) security --- have enabled meaningful forms of concurrent security, very little is known about their quantum counterparts, particularly under standard polynomial-time hardness assumptions.

Our main result is the first post-quantum two-party computation protocol that achieves concurrent SPS security, based solely on the minimal assumption of semi-honest post-quantum oblivious transfer (PQ-OT). Moreover, our protocol has constant round complexity when the underlying PQ-OT protocol is constant-round. This can be viewed as a post-quantum analog of the classical result by Garg et al. [Eurocrypt'12], but with a crucial difference: our security proof completely avoids rewinding, making it suitable for quantum settings where rewinding is notoriously challenging due to the no-cloning principle.

By leveraging a compiler of Bartusek et al. [Crypto'21], we further extend our result to the fully quantum setting, yielding the first constant-round concurrent SPS two-party computation for quantum functionalities in the plain model.

Additionally, we construct a two-round, public-coin, concurrent SPS post-quantum zero-knowledge protocol for languages in $\mathsf{NP} \cap \mathsf{coNP}$, under the quantum polynomial-time hardness of LWE. This result is notable even in the classical setting.

Bootstrapping remains the primary bottleneck in most FHE schemes, significantly impacting their efficiency. To enhance both the speed and precision of bootstrapping, sparse secrets have been widely adopted, particularly in SIMD-style FHE schemes such as BGV, BFV, and CKKS. However, the security of sparse LWE secrets is not well understood, leading to their exclusion from standardization efforts. To address this gap between the potential security risks of sparse secrets and the inefficiency of dense-secret bootstrapping, we introduce the subring secret encapsulation method. This approach involves switching to a dense secret in a subring before bootstrapping, thereby improving bootstrapping performance while still basing security on dense secret LWE. The EvalMod and digit removal steps are accelerated due to the smaller Hamming weight of the subring secret. Furthermore, the algebraic structure of the subring secret enables faster CoeffsToSlots and SlotsToCoeffs operations through hoisted key switchings. When applied to the CKKS scheme, our method achieves a bootstrapping throughput increase of 46%–51% compared to state-of-the-art dense secret bootstrapping techniques. For BGV/BFV schemes, our approach demonstrates a 2.48x improvement in throughput when bootstrapping $2^{15}$ slots modulo $65537$.

Maximum distance separable (MDS) matrices are the main building blocks that provide the maximum possible diffusion in several block ciphers and cryptographic hash functions. In addition to using MDS matrices directly, there are also some indirect but simple and efficient methods that provide the maximum possible diffusion property. In particular, the subfield construction introduced by Barreto et al. in [DCC 56 (2-3) 141-162 (2010)] and its generalization examined by Otal in [IJISS 11 (2) 1-11 (2022)] make use of MDS matrices over smaller finite fields to provide the maximum possible diffusion property over larger finite fields.

ZK-friendly hash functions, in contrast to the classical cryptographic hash functions, use higher-dimensional MDS matrices over larger finite fields.

In this paper, we examine the applicability of the generalized subfield construction and the possibility of improvements on ZK-friendly hash functions. As a case study, we focus on a recent ZK-friendly hash function Vision Mark-32 presented by Ashur et al. in [IACR Preprint 2024/633]. In particular, instead of using a $24\times 24$ MDS matrix over $\mathbb{F}_{2^{32}}$ for a $24\times 1$ column input over $\{0,1\}^{{32}}$, we suggest separating the $24\times 1$ column input over $\{0,1\}^{{32}}$ into four $24\times 1$ subcolumns over $\{0,1\}^{{8}}$ and then using a $24\times 24$ MDS matrix over $\mathbb{F}_{2^8}$ for each subcolumn. This method still keeps the maximum diffusion property without any compromise and provides simplicity and efficiency. For example, it is possible to significantly decrease the required LUT values to 265 from about 9200 and FF values to 102 from about 4600 for the hardware implementation. We also highlight that we do not need any additional tricks such as NTT for field multiplications.

We also push the theoretical boundaries of the generalized subfield construction to see how much small finite fields we can use, examine the arithmetization complexity, and discuss its applicability to other ZK-friendly hash functions.

We are looking for a motivated PhD student to join the Cryptography Group in the Cybersecurity Engineering Section at the Department of Applied Mathematics and Computer Science (DTU Compute), located in the Copenhagen region, Denmark.

This fully funded 3-year PhD position, starting on 1 January 2026, will focus on advancing research in Multi-Party Computation and Zero-Knowledge Proofs. The PhD will be carried out under the supervision of Associate Professor Luisa Siniscalchi and the co-supervision of Associate Professor Carsten Baum. Additionally, the student will have the opportunity to spend some months at Chalmers University of Technology, working with Assistant Professor Elena Pagnin.

If you are curious, enthusiastic, and eager to learn, we would love to hear from you, and you can apply at https://lnkd.in/dC3ch5m5, including the following:

• A letter motivating the application (cover letter)
• Curriculum vitae
• Grade transcripts and BSc/MSc diploma (in English), including official description of grading scale

Closing date for applications:

Contact: For more information, do not hesitate to contact Luisa Siniscalchi (luisi[at]dtu.dk)

More information: https://lnkd.in/dC3ch5m5

Event date: 17 November to 20 November 2025
Submission deadline: 10 September 2025

We are recruiting for several open positions within the School of Computer Science, including in the area of Cybersecurity, and specifically in (applied) cryptography, implementation security, hardware security, and embedded security. Birmingham's School of Computer Science is ranked 3rd in the UK for research output (according to the national REF exercise).

The role offers opportunities to contribute to teaching as well as pursue their own research agenda. This is a permanent position. For more information, please contact Prof. Elisabeth Oswald. The advert closes at the end of September.

Link to apply: https://www.jobs.ac.uk/job/DOI907/assistant-or-associate-professor-in-computer-science-research-and-education

Closing date for applications:

Contact: Elisabeth Oswald m.e.oswald AT bham.ac.uk

More information: https://www.jobs.ac.uk/job/DOI907/assistant-or-associate-professor-in-computer-science-research-and-education