International Association
for Cryptologic Research

PAKE protocols are used to establish secure communication channels using a relatively short, often human memorable, password for authentication. The currently standardized PAKEs however rely on classical asymmetric (public key) cryptography. Thus, these classical PAKEs may no longer maintain their security, should the expected quantum threat become a reality. Unlike prominent security protocols such as TLS, IKEv2 and VPN, quantum-safe PAKEs did not receive much attention from the ongoing PQC integration efforts. Thus, there is a significant gap in awareness compared to PQC schemes that are subject to the official governmental and institutional standardization processes. In the work at hand, we provide a comprehensive overview of the existing PQC PAKEs focusing on their design rationales, authentication methods and used asymmetric key agreement primitives. We highlight their performance and properties as per their assumed security assurances and practical usage in applications. Moreover, we address PAKE designs that are still non-present in the PQC realm and discuss the possibility of their adaptation. Thus, we offer a detailed reference and derive future work for quantum-safe PAKEs.

The Fiat-Shamir (FS) transform is a prolific and powerful technique for compiling public-coin interactive protocols into non-interactive ones. Roughly speaking, the idea is to replace the random coins of the verifier with the evaluations of a complex hash function. The FS transform is known to be sound in the random oracle model (i.e., when the hash function is modeled as a totally random function). However, when instantiating the random oracle using a concrete hash function, there are examples of protocols in which the transformation is not sound. So far all of these examples have been contrived protocols that were specifically designed to fail.

In this work we show such an attack for a standard and popular interactive succinct argument, based on the GKR protocol, for verifying the correctness of a non-determinstic bounded-depth computation. For every choice of FS hash function, we show that a corresponding instantiation of this protocol, which was been widely studied in the literature and used also in practice, is not (adaptively) sound when compiled with the FS transform. Specifically, we construct an explicit circuit for which we can generate an accepting proof for a false statement. We further extend our attack and show that for every circuit $C$ and desired output $y$, we can construct a functionally equivalent circuit $C^*$, for which we can produce an accepting proof that $C^*$ outputs $y$ (regardless of whether or not this statement is true). This demonstrates that any security guarantee (if such exists) would have to depend on the specific implementation of the circuit $C$, rather than just its functionality.

Lastly, we also demonstrate versions of the attack that violate non-adaptive soundness of the protocol -- that is, we generate an attacking circuit that is independent of the underlying cryptographic objects. However, these versions are either less practical (as the attacking circuit has very large depth) or make some additional (reasonable) assumptions on the underlying cryptographic primitives.

Post-quantum signatures have high costs compared to RSA and ECDSA, in particular for smart cards. A line of work originating from Even, Goldreich, and Micali (CRYPTO'89) aimed to reduce digital signature latency by splitting up signing into an online and offline phase. The online/offline paradigm combines an ordinary long-term signature scheme with a fast, generally one-time, signature scheme. We reconsider this paradigm in the context of lattice-based post-quantum signatures in the GPV framework, with an example instantiation based on Falcon.

CROSS is a post-quantum secure digital signature scheme submitted to NIST’s Call for Additional Signatures which was recently selected for round 2. It features signature and key sizes in the range of SLH-DSA while providing a substantially faster signing operation. Within this work, we provide the first passive side-channel attack on the scheme. The attack recovers the secret key from all except one parameter sets from a single power trace while requiring at maximum two power traces for the R-SDP(G) 1 Fast instance. To successfully mount the attack, we show how to recover the secret key from side-channel information gained from the syndrome computation in CROSS’ identification protocol. We furthermore show how the hypothesis space for the attack can be restricted using information from the published signature.

As part of the collaboration between the Okinawa Institute of Science and Technology (OIST) and Partisia (Aarhus, Denmark), the Applied Cryptography Unit at OIST is seeking to hire a postdoctoral scholar to conduct research on applications of Secure Multi-party Computation (MPC) to quantum cryptography.

The postdoc will investigate how MPC techniques may be used to enhance the security and functionality of Quantum Key Distribution (QKD) enabled networks. The project will be led by Prof. Carlos Cid at OIST, with close collaboration with researchers from Partisia. The ideal candidate will have experience in the design and analysis of secure computation protocols, and strong knowledge of quantum cryptography.

We are seeking candidates with excellent post-graduate academic formation in cryptography, mathematics, computer science, or a closely related field, with research strong experience in the design and analysis of secure computation, and in quantum cryptography. Candidates must have a PhD at the time of commencing the position. This is a full-time, fixed-term appointment for 2 years, potentially extended depending of performance and other circumstances.

Starting Date: as soon as possible.

Closing date for applications:

Contact: Carlos Cid (carlos.cid_[at]_oist.jp)

More information: https://www.oist.jp/careers/postdoctoral-scholar-multi-party-computation-and-quantum-cryptography-applied-cryptography-unit

The Applied Cryptography Unit at the Okinawa Institute of Science and Technology (OIST) is seeking to hire a postdoctoral scholar to conduct research on quantum-resistant cryptography.

The postdoc will work on a project, part of a collaboration between Prof. Carlos Cid at OIST and Prof. Ludovic Perret at EPITA Research Lab, EPITA, Paris, France, focusing on the design and benchmarking of novel hybrid protocols for secure satellite communication that use classical and post-quantum cryptography combined with space-based Quantum Key Distribution (QKD). The successful candidate will have experience in the design and analysis of protocols in post-quantum or quantum cryptography, with a strong motivation to work at the intersection of these two domains.

We are seeking candidates with excellent post-graduate academic formation in cryptography, mathematics, computer science, or a closely related field, with research experience in the design and analysis of protocols in post-quantum or quantum cryptography. Candidates must have a PhD at the time of commencing the position. This is a full-time, fixed-term appointment for 2 years, potentially extended depending of performance and other circumstances.

Starting Date: as soon as possible.

Closing date for applications:

Contact: Carlos Cid (carlos.cid_[at]_oist.jp) and Ludovic Perret (ludovic.perret_[at]_epita.fr)

More information: https://www.oist.jp/careers/postdoctoral-scholar-quantum-resistant-cryptography-applied-cryptography-unit

Since our founding, IDEMIA has been on a mission to unlock the world and make it safer through our cutting-edge identity technologies.

The IDEMIA Smart Identity (ISI) Division of the IDEMIA Group is looking for a Cryptography/Security Engineer to help us secure our products and thus protect your identity from external threats.

The candidate has strong interest and suitable experience in any of the following areas:
• Integration of state-of-the-art cryptography algorithms in embedded systems.
• Physical attacks on embedded systems / smart-cards.
• Automatic vulnerability detection in embedded devices and/or firmware.

Responsabilities: The candidate will support R&D development teams, lead our research in ongoing / upcoming, and contribute to the growth of our activities through working groups.

Requirements:
• Master's degree (or equivalent) or PhD in Mathematics, Cryptography, Computer Science, or Embedded Electronic.
• Solid knowledge and demonstrable experiences in any of the aforementioned areas.
• Experience in developing/analyzing cryptographic primitives’ implementations in one high-level language (e.g., Python, MATLAB) and C/C++. (essential)
• Experience with vulnerabilities research. (desirable)
• Proficiency in English (essential) and French. (essential)
• Problem-solving, independence, communication skills. (essential)
• Knowledge in Side-channel attacks or Fault Injections attacks. (desirable)
• Post-quantum Cryptography (PQC) techniques for any of the aforementioned areas. (desirable)

The candidate will work at our Paris-La Defense office, closely with members of our R&D team in France and abroad. Travel may be required.

Applications will be processed continuously until the position is filled.

Due to the confidential and sensitive nature of the projects we work on, this position requires an on-site presence five days a week.

Closing date for applications:

Contact: Applicants are invited to submit a digital application on our career portal.

More information: https://careers.idemia.com/job/Courbevoie-Ing%C3%A9nieur-en-S%C3%A9curit%C3%A9-2-92400/1162028901/

The School of Computer Science is further investing in its already strong Security and Privacy Research group.

We seek to recruit an outstanding researcher with a specific interest in applied cryptography in the context of hardware and embedded systems security. We are particularly interested in researchers with a track record in pre-silicon leakage and/or fault analysis, secure embedded software development, statistical side channel and fault evaluation techniques, machine and deep learning for side channels.

You will be expected to develop your own research agenda over time, and you can expect to contribute to all aspects of school life (teaching, administration), initially guided and supported by Prof. Elisabeth Oswald

The University of Birmingham offers permanent positions, with a defined pathway for progression and promotion.

Further information, (salary, application requirements, etc.) as well as a link for applicants, can be found below. The closing date for applications in 2.3.2025. If you have questions around (working in) Birmingham, then please use the contact provided below.

Closing date for applications:

Contact: Prof. Elisabeth Oswald, m.e. [email protected]

More information: https://edzz.fa.em3.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX_6001/job/6099/?utm_medium=jobshare&utm_source=External+Job+Share

We are inviting talented and highly motivated applicants to submit applications for a PhD studentship at School of Computing, Newcastle University for a project titled:

"Enhancing Privacy-Preserving Federated Learning with Incentives"

This research aims to design secure, reward-based mechanisms that incentivize data contributors to provide their sensitive input data to a collaborative, privacy-preserving federated learning process while ensuring the integrity and privacy of the process.
This has the potential to yield a fairer system and advance the goals of ethical machine learning and responsible AI.
By leveraging techniques from federated learning, cryptography, and game theory, the project will develop technical solutions that fairly reward participants based on their contributions and protect against malicious actors. The expected outcomes include secure formal models, provably secure protocols, practical implementation, and real-world applications in sectors like healthcare and finance, ultimately enhancing the real world adoption of Federated Learning.
Start date and Stipend: You will be expected to start in October of the academic year 2025/2026, the studentship will cover 100% fees and stipend at UKRI level for 4 years full time PhD studies. (2024-2025 UKRI rate £19,237).
Applicant skills/background: Candidates should possess or be highly motivated to acquire, strong knowledge in the following areas: (1) cryptography, (2) Privacy-enhancing technologies, such as FL, (3) mathematics (including number theory and game theory), and (4) computer programming in C++, Java, or Python.
Supervisors: You will be supervised by Dr Aydin Abadi (Newcastle University) and Dr Mohammad Naseri (Flower Labs). There is an opportunity to collaborate with researchers at the National Edge AI Hub, at Newcastle University.
Note: Use code COMPDLA01 when submitting an application.
Deadline: 28 Feb, 2025.

Closing date for applications:

Contact: Aydin Abadi

More information: https://www.ncl.ac.uk/computing/study/postgraduate-research/dla-studentships/

We are looking for a motivated PhD student to contribute to research in public-key cryptography and provable security.

We explore topics including, but not limited to:

• Key exchange and secure messaging
• Public-key encryption with advanced functionalities

Our research typically includes the following aspects:

• Formalizing new cryptographic primitives and security models
• Modularizing complex primitives
• Developing techniques to achieve concrete (and tight) security bounds
• Designing and analyzing practical instantiations (e.g., based on elliptic curves, lattices, or isogenies)

For more details and to apply please refer to
https://jobs.cispa.saarland/jobs/detail/phd-positions-in-cryptography-and-provable-security-m-f-d-group-riepel-265.

Closing date for applications:

Contact: Doreen Riepel (riepel[at]cispa.de)

More information: https://jobs.cispa.saarland/jobs/detail/phd-positions-in-cryptography-and-provable-security-m-f-d-group-riepel-265

The Faculty of Mathematics, Informatics and Mechanics of the University of Warsaw (MIM UW) invites applications for the positions of Assistant Professor in Computer Science, starting on 1st October 2025 or 1st February 2026.

MIM UW is one of the leading Computer Science faculties in Europe. It is known for talented students (e.g., two wins and multiple top tens in the ACM International Collegiate Programming Contest) and strong research teams, especially in algorithms, logic and automata, algorithmic economy, and computational biology. There is also a growing number of successful smaller groups in diverse areas including cryptography, databases and knowledge representation, distributed systems, and machine learning. Seven ERC grants in Computer Science are running at MIM UW at the moment.

In the current call, 7 positions are offered (follow the links for more details):

• Samuel Eilenberg Assistant Professor (2 positions; reduced teaching and increased salary),
• Assistant Professor (3 positions; research and teaching),
• Assistant Professor in Distributed Systems or Programming Languages (1 position; research and teaching),
• Assistant Professor (1 position; teaching only).

Deadline for applications: 14th February 2025.

Closing date for applications:

Contact: Filip Murlak ([email protected]), Oskar Skibski ([email protected]).

More information: https://jobs.uw.edu.pl/en-gb/offer/WMIM_2025/field/ADIUNKT/

We construct the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from classical discrete logarithm, RSA, factoring, or post-quantum group action discrete logarithm assumption. In contrast to our scheme, the previous tightly secure schemes are based on the decisional assumption (e.g., (group action) DDH) or interactive search assumptions (e.g., one-more CDH). The security of our schemes is independent of the number of users, signing queries, and RO queries, and forging our signatures is as hard as solving the underlying search problem. Our starting point is an identification scheme with multiple secret keys per public key (e.g., Okamoto identification (CRYPTO'92) and parallel-OR identification (CRYPTO'94)). This property allows a reduction to solve a search problem while answering corruption queries for all users in the signature security game. To convert such an identification scheme into a signature scheme tightly, we employ randomized Fischlin's transformation introduced by Kondi and shelat (Asiacrypt 2022) that provides straight-line extraction. Intuitively, the transformation properties guarantee the tight security of our signature scheme in the programmable random oracle model, but we successfully prove its tight security in the non-programmable random oracle model.

In the HQC cryptosystem, the length $n$ of the code determines several concrete parameters such as the bandwidth usage, the memory consumption, or the decoding efficiency. In this paper, we show that currently known methods to explicitly generate asymptotically good (especially with high relative distances), binary codes with efficient associated procedures cannot be used to improve $n$. We also show that concatenated codes are currently better suited, and by exhausting small codes, find a closer to optimal concatenated code for HQC, which improves upon currently used codes.

We propose efficient, post-quantum threshold ring signatures constructed from one-wayness of AES encryption and the VOLE-in-the-Head zero-knowledge proof system. Our scheme scales efficiently to large rings and extends the linkable ring signatures paradigm. We define and construct key-binding deterministic tags for signature linkability, that also enable succinct aggregation with approximate lower bound arguments of knowledge; this allows us to achieve succinct aggregation of our signatures without SNARKs. Finally, we extend our threshold ring signatures to realize post-quantum anonymous ledger transactions in the spirit of Monero. Our constructions assume symmetric key primitives only. Whilst it is common to build post-quantum signatures from the one-wayness property of AES and a post-quantum NIZK scheme, we extend this paradigm to define and construct novel security properties from AES that are useful for advanced signature applications. We introduce key-binding and pseudorandomness of AES to establish linkability and anonymity of our threshold ring signatures from deterministic tags, and similarly establish binding and hiding properties of block ciphers modeled as ideal permutations to build commitments from AES, a crucial building block for our proposed post-quantum anonymous ledger scheme.

The Stealth Address Protocol (SAP) allows users to receive assets through stealth addresses that are unlinkable to their stealth meta-addresses. The most widely used SAP, Dual-Key SAP (DKSAP), and the most performant SAP, Elliptic Curve Pairing Dual-Key SAP (ECPDKSAP), are based on elliptic curve cryptography, which is vulnerable to quantum attacks. These protocols depend on the elliptic curve discrete logarithm problem, which could be efficiently solved on a sufficiently powerful quantum computer using the Shor algorithm. In this paper three novel post-quantum SAPs based on lattice-based cryptography are presented: LWE SAP, Ring-LWE SAP and Module-LWE SAP. These protocols leverage Learning With Errors (LWE) problem to ensure quantum-resistant privacy. Among them, Module-LWE SAP, which is based on the Kyber key encapsulation mechanism, achieves the best performance and outperforms ECPDKSAP by approximately 66.8% in the scan time of the ephemeral public key registry.

Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones. Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with same dimension. Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed--Solomon (TRS) codes over $\mathbb{F}_q$ with $\ell$ twists $q \approx n^{2^{\ell}}$ for McEliece encryption, claiming their resistance to both Sidelnikov Shestakov attack and Schur products--based attacks. In short, they claimed these codes to resist to classical key recovery attacks on McEliece encryption scheme instantiated with Reed-Solomon (RS) or GRS codes. In 2020, Lavauzelle and Renner presented an original attack on this system based on the computation of the subfield subcode of the public TRS code.

In this paper, we show that the original claim on the resistance of TRS and TGRS codes to Schur products based--attacks is wrong. We identify a broad class of codes including TRS and TGRS ones that is distinguishable from random by computing the Schur square of some shortening of the code. Then, we focus on the case of single twist ({i.e.}, $\ell = 1$), which is the most efficient one in terms of decryption complexity, to derive an attack. The technique is similar to the distinguisher-based attacks of RS code-based systems given by Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich in 2014.

Homomorphic signatures for NP (HSNP) allow proving that a signed value is the result of a non-deterministic computation on signed inputs. At CCS'22, Fiore and Tucker introduced HSNP, showed how to use them for verifying arbitrary computations on data streams, and proposed a generic HSNP construction obtained by efficiently combining zkSNARKs with linearly homomorphic signatures (LHS), namely those supporting linear functions. Their proposed LHS however suffered from an high verification cost. In this work we propose an efficient LHS that significantly improves on previous work in terms of verification time. Using the modular approach of Fiore and Tucker, this yields a verifier-efficient HSNP. We show that the HSNP instantiated with our LHS is particularly suited to the case when the data is taken from consecutive samples, which captures important use cases including sliding window statistics such as variances, histograms and stock market predictions.

The adoption of Homomorphic Encryption (HE) and Secure Function Evaluation (SFE) applications in the real world remains lim- ited, even nearly 50 years after the introduction of HE. This is particu- larly unfortunate given the strong privacy and confidentiality guarantees these tools can offer to modern digital life. While attempting to incorporate a simple straw-man PSI protocol into a web service for matching individuals based on their profiles, we en- countered several shortcomings in current outsourcing frameworks. Ex- isting outsourced protocols either require clients to perform tasks beyond merely contributing their inputs or rely on a non-collusion assumption between a server and a client, which appears implausible in standard web service scenarios. To address these issues, we present, to the best of our knowledge, the first general construction for non-interactive outsourced computation based on black-box homomorphic encryption. This approach relies on a non- collusion assumption between two dedicated servers, which we consider more realistic in a web-service setting. Furthermore, we provide a proof of our construction within the Universal Composability (UC) framework, assuming semi-honest (i.e., passive) adversaries. Unlike general one-sided two-party SFE protocols, our construction addi- tionally requires sender privacy. Specifically, the sender must contribute its inputs solely in encrypted form. This ensures stronger privacy guar- antees and broadens the applicability of the protocol. Overall, the range of applications for our construction includes all one- sided two-party sender-private SFE protocols as well as server-based arithmetic computations on encrypted inputs. Finally, we demonstrate the practical applicability of our general outsourced computation frame- work by applying it to the specific use case of Outsourced Private Set Intersection (OPSI) in a real-world scenario, accompanied by a detailed evaluation of its efficiency.

In this paper, we show that subset sum problem consists on finding a solution over $\mathbb{N}_2$ of equation $n = \textbf{A}X \bullet U$ where A and n are given matrix and integer and U = $[(2^0) (2^1) .... (2^{d-2}) (2^{d-1})]$. We show that it can be subdivized into 2 solvable subproblems.

This paper presents dCTIDH, a CSIDH implementation that combines two recent developments into a novel state-of-the-art deterministic implementation. We combine the approach of deterministic variants of CSIDH with the batching strategy of CTIDH, which shows that the full potential of this key space has not yet been explored. This high-level adjustment in itself leads to a significant speed-up. To achieve an effective deterministic evaluation in constant time, we introduce Wombats, a new approach to performing isogenies in batches, specifically tailored to the behavior required for deterministic CSIDH using CTIDH batching.

Furthermore, we explore the two-dimensional space of optimal primes for dCTIDH, with regard to both the performance of dCTIDH in terms of finite-field operations per prime and the efficiency of finite-field operations, determined by the prime shape, in terms of cycles. This allows us to optimize both for choice of prime and scheme parameters simultaneously. Lastly, we implement and benchmark constant-time, deterministic dCTIDH. Our results show that dCTIDH not only outperforms state-of-the-art deterministic CSIDH, but even non-deterministic CTIDH: dCTIDH-2048 is faster than CTIDH-2048 by 17 percent, and is almost five times faster than dCSIDH-2048.