International Association for Cryptologic Research

IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available via email and via RSS feed.

25 March 2025

Gweonho Jeong, Myeongkyun Moon, Geonho Yoon, Hyunok Oh, Jihye Kim
ePrint Report
SNARKs are frequently used to prove encryption, yet the circuit size often becomes large due to the intricate operations inherent in encryption. It entails considerable computational overhead for a prover and can also lead to an increase in the size of the public parameters (e.g., evaluation key). We propose an encryption-friendly SNARK framework, $\textsf{Tangram}$, which allows anyone to construct a system by using their desired encryption and proof system. Our approach revises existing encryption schemes to produce Pedersen-like ciphertext, including identity-based, hierarchical identity-based, and attribute-based encryption. Afterward, to prove the knowledge of the encryption, we utilize a modular manner of commit-and-prove SNARKs, which uses commitment as a 'bridge'. With our framework, one can prove encryption significantly faster than proving the whole encryption within the circuit. We implement various $\textsf{Tangram}$ gadgets and evaluate their performance. Our results show 12x-3500x better performance than encryption-in-the-circuit.
Gweonho Jeong, Jaewoong Lee, Minhae Kim, Byeongkyu Han, Jihye Kim, Hyunok Oh
ePrint Report
Blockchain advancements, currency digitalization, and declining cash usage have fueled global interest in Central Bank Digital Currencies (CBDCs). The BIS states that the hybrid model, where central banks authorize intermediaries to manage distribution, is more suitable than the direct model. However, designing a CBDC for practical implementation requires careful consideration. First, the public blockchain raises privacy concerns due to transparency. While zk-SNARKs can be a solution, they can introduce significant proof generation overhead for large-scale transactions. Second, intermediaries that provide user-facing services on behalf of the central bank commonly perform Proof of Liabilities on customers' static liabilities. However, in real-world scenarios where user liabilities can arbitrarily increase or decrease, the static nature poses risks such as window attacks.

In this paper, we propose a new smart contract-based privacy-preserving CBDC framework based on zk-SNARKs, called $\textbf{Aegis}$. Our framework introduces a transaction batching technique to enhance scalability and defines a new dynamic PoL which is near-real time. We formally define the security models for our system and provide rigorous security proofs to demonstrate its robustness. To evaluate the system's performance, we instantiate our proposed framework and measure its efficiency. The result indicates that the end-to-end process, including proof generation for 512 transactions, takes approximately 2.8 seconds, with a gas consumption of 74,726 per user.
Anna P. Y. Woo, Alex Ozdemir, Chad Sharp, Thomas Pornin, Paul Grubbs
ePrint Report
Digital signatures underpin identity, authenticity, and trust in modern computer systems. Cryptography research has shown that it is possible to prove possession of a valid message and signature for some public key, without revealing the message or signature. These proofs of possession work only for specially-designed signature schemes. Though these proofs of possession have many useful applications to improving security, privacy, and anonymity, they are not currently usable for widely deployed, legacy signature schemes such as RSA, ECDSA, and Ed25519. Unlocking practical proofs of possession for these legacy signature schemes requires closing a huge efficiency gap.

This work brings proofs of possession for legacy signature schemes very close to practicality. Our design strategy is to encode the signature's verification algorithm as a rank-one constraint system (R1CS), then use a zkSNARK to prove knowledge of a solution. To do this efficiently we (1) design and analyze a new zkSNARK called Dorian that supports randomized computations, (2) introduce several new techniques for encoding hashes, elliptic curve operations, and modular arithmetic, (3) give a new approach that allows performing the most expensive parts of ECDSA and Ed25519 verifications outside R1CS, and (4) generate a novel elliptic curve that allows expressing Ed25519 curve operations very efficiently. Our techniques reduce R1CS sizes by up to 200$\times$ and prover times by 3-22$\times$.

We can generate a 240-byte proof of possession of an RSA signature over a message the size of a typical TLS certificate (two kilobytes) in only three seconds.

24 March 2025

Rui-Tao Su, Jiong-Jiong Ren, Shao-Zhen Chen
ePrint Report
In recent years, the intersection of deep learning and differential cryptanalysis has given rise to the emerging field of differential neural cryptanalysis, providing an efficient data-driven paradigm for security evaluation of modern cryptographic algorithms. Traditional differential cryptanalysis relies on manual search for high-probability differential characteristics, a process limited by the nonlinearity complexity of the algorithm. In contrast, differential neural cryptanalysis improves the efficiency and automation of the analysis by training neural networks to automatically extract statistical features from ciphertext pairs. As research advances, Lu et al. proposed improved related-key neural distinguishers for the SIMON and SIMECK algorithms. However, current methodologies for constructing related-key distinguishers remain highly specialized, lacking a generalized optimization framework to address diverse cryptographic structures.

This paper proposes a novel framework for constructing related-key neural differential distinguishers that optimizes three key components: dataset construction (multi-ciphertext multi-difference formats), differential path selection (structural filtering), and network architecture (DRSN for noise suppression). By applying this framework to two standardized algorithms, DES and PRESENT, our experiments demonstrate significant advancements. For DES, the framework achieves an 8-round related-key neural distinguisher and improves 6/7-round distinguisher accuracy by over 40%. For PRESENT, we construct the first 9-round related-key neural distinguisher, which outperforms existing single-key distinguishers in both round coverage and accuracy. Additionally, we employ kernel principal component analysis (KPCA) and K-means clustering to evaluate the quality of differential datasets for DES and PRESENT, revealing that clustering compactness strongly correlates with distinguisher performance. Furthermore, we propose a validation algorithm to verify differential combinations with cryptographic advantages from a machine learning perspective, identifying 'good' plaintext-key differential combinations. We apply this approach to the SIMECK algorithm, demonstrating its broad applicability. These findings validate the framework’s effectiveness in bridging cryptographic analysis with data-driven feature extraction and offer new insights for automated security evaluation of block ciphers.

23 March 2025

Alessandro Chiesa, Michele Orrù
ePrint Report
The Fiat-Shamir transformation underlies numerous non-interactive arguments, with variants that differ in important ways. This paper addresses a gap between variants analyzed by theoreticians and variants implemented (and deployed) by practitioners. Specifically, theoretical analyses typically assume parties have access to random oracles with sufficiently large input and output size, while cryptographic hash functions in practice have fixed input and output sizes (pushing practitioners towards other variants).

In this paper we propose and analyze a variant of the Fiat-Shamir transformation that is based on an ideal permutation of fixed size. The transformation relies on the popular duplex sponge paradigm, and minimizes the number of calls to the permutation (given the amount of information to absorb and to squeeze). Our variant closely models deployed variants of the Fiat-Shamir transformation, and our analysis provides concrete security bounds that can be used to set security parameters in practice.

We additionally contribute spongefish, an open-source Rust library implementing our Fiat-Shamir transformation. The library is interoperable across multiple cryptographic frameworks, and works with any choice of permutation. The library comes equipped with Keccak and Poseidon permutations, as well as several "codecs" for re-mapping prover and verifier messages to the permutation's domain.
Tiancheng Xie, Tao Lu, Zhiyong Fang, Siqi Wang, Zhenfei Zhang, Yongzheng Jia, Dawn Song, Jiaheng Zhang
ePrint Report
As artificial intelligence (AI) becomes increasingly embedded in high-stakes applications such as healthcare, finance, and autonomous systems, ensuring the verifiability of AI computations without compromising sensitive data or proprietary models is crucial. Zero-knowledge machine learning (ZKML) leverages zero-knowledge proofs (ZKPs) to enable the verification of AI model outputs while preserving confidentiality. However, existing ZKML approaches require specialized cryptographic expertise, making them inaccessible to traditional AI developers.

In this paper, we introduce ZKPyTorch, a compiler that seamlessly integrates ML frameworks like PyTorch with ZKP engines like Expander, simplifying the development of ZKML. ZKPyTorch automates the translation of ML operations into optimized ZKP circuits through three key components. First, a ZKP preprocessor converts models into structured computational graphs and injects necessary auxiliary information to facilitate proof generation. Second, a ZKP-friendly quantization module introduces an optimized quantization strategy that reduces computation bit-widths, enabling efficient ZKP execution within smaller finite fields such as M61. Third, a hierarchical ZKP circuit optimizer employs a multi-level optimization framework at model, operation, and circuit levels to improve proof generation efficiency.

We demonstrate ZKPyTorch's effectiveness through end-to-end case studies, successfully converting VGG-16 and Llama-3 models from PyTorch, a leading ML framework, into ZKP-compatible circuits recognizable by Expander, a state-of-the-art ZKP engine. Using Expander, we generate zero-knowledge proofs for these models, achieving proof generation in 2.2 seconds per CIFAR-10 image for VGG-16 and 150 seconds per token for Llama-3 inference, improving the practical adoption of ZKML.
Pengfei Zhu
ePrint Report
Rank-1 Constraint Systems (R1CS) and Plonk constraint systems are two commonly used circuit formats for zero-knowledge succinct non-interactive arguments of knowledge (zkSNARKs). We present Plonkify, a tool that converts a circuit in an R1CS arithmetization to Plonk, with support for both vanilla gates and custom gates. Our tool is able to convert an R1CS circuit with 229,847 constraints to a vanilla Plonk circuit with 855,296 constraints, or a jellyfish turbo Plonk circuit with 429,166 constraints, representing a $2.59\times$ and $1.9\times$ reduction in the number of constraints over the respective naïve conversions.
Mengling Liu, Yang Heng, Xingye Lu, Man Ho Au
ePrint Report
Recent advances in Vector Oblivious Linear Evaluation (VOLE) protocols have enabled constant-round, fast, and scalable (designated-verifier) zero-knowledge proofs, significantly reducing prover computational cost. Existing protocols, such as QuickSilver [CCS'21] and LPZKv2 [CCS'22], achieve efficiency with prover costs of 4 multiplications in the extension field per AND gate for Boolean circuits, with one multiplication requiring a O(κ log κ)-bit operation where κ = 128 is the security parameter, and 3-4 field multiplications per multiplication gate for arithmetic circuits over a large field. We introduce JesseQ, a suite of two VOLE-based protocols, JQv1 and JQv2, which advance the state of the art. JQv1 requires only 2 scalar multiplications in an extension field per AND gate for Boolean circuits, with one scalar needing a O(κ)-bit operation, and 2 field multiplications per multiplication gate for arithmetic circuits over a large field. In terms of communication costs, JQv1 needs just 1 field element per gate. JQv2 further reduces communication costs by half at the cost of doubling the prover's computation. Experiments show that, compared to the current state of the art, both JQv1 and JQv2 achieve at least 3.9× improvement for Boolean circuits. For large field circuits, JQv1 has a similar performance, while JQv2 offers a 1.3× improvement. Additionally, both JQv1 and JQv2 maintain the same communication cost as the current state of the art. Notably, on the cheapest AWS instances, JQv1 can prove 9.2 trillion AND gates (or 5.8 trillion multiplication gates over a 61-bit field) for just one US dollar. JesseQ excels in applications like inner products, matrix multiplication, and lattice problems, delivering 40%-200% performance improvements compared to QuickSilver. Additionally, JesseQ integrates seamlessly with the sublinear Batchman framework [CCS'23], enabling further efficiency gains for batched disjunctive statements.
Boris Alexeev, Colin Percival, Yan X Zhang
ePrint Report
Systems such as file backup services often use content-defined chunking (CDC) algorithms, especially those based on rolling hash techniques, to split files into chunks in a way that allows for data deduplication. These chunking algorithms often depend on per-user parameters in an attempt to avoid leaking information about the data being stored. We present attacks to extract these chunking parameters and discuss protocol-agnostic attacks and loss of security once the parameters are breached (including when these parameters are not set up at all, which is often available as an option). Our parameter-extraction attacks themselves are protocol-specific but their ideas are generalizable to many potential CDC schemes.
Axel Lemoine, Rocco Mora, Jean-Pierre Tillich
ePrint Report
Distinguishing Goppa codes or alternant codes from generic linear codes [FGO+11] has been shown to be a first step before being able to attack the McEliece cryptosystem based on those codes [BMT24]. Whereas the distinguisher of [FGO+11] is only able to distinguish Goppa codes or alternant codes of rate very close to 1, in [CMT23a] a much more powerful (and more general) distinguisher was proposed. It is based on computing the Hilbert series $\{\mathrm{HF}(d),~d\in \mathbb{N}\}$ of a Pfaffian modeling. The distinguisher of [FGO+11] can be interpreted as computing $\mathrm{HF}(1)$. Computing $\mathrm{HF}(2)$ still gives a polynomial time distinguisher for alternant or Goppa codes and is apparently able to distinguish Goppa or alternant codes in a much broader regime of rates than the one of [FGO+11]. However, the scope of this distinguisher was unclear. We give here a formula for $\mathrm{HF}(2)$ corresponding to generic alternant codes when the field size $q$ satisfies $q \geq r$, where $r$ is the degree of the alternant code. We also show that this expression for $\mathrm{HF}(2)$ provides a lower bound in general. The value of $\mathrm{HF}(2)$ corresponding to random linear codes is known and this yields a precise description of the new regime of rates that can be distinguished by this new method. This shows that the new distinguisher improves significantly upon the one given in [FGO+11].
Ramses Fernandez
ePrint Report
This article presents an extension of the work performed by Liu, Baek and Susilo on extended withdrawable signatures to lattice-based constructions. We introduce a general construction, and provide security proofs for this proposal. As instantiations, we provide concrete constructions for extended withdrawable signature schemes based on Dilithium and HAETAE.
Zhengjun Cao, Lihua Liu
ePrint Report
We show that the anonymous authentication and key establishment scheme [IEEE TDSC, 20(4), 3535-3545, 2023] fails to keep user anonymity, not as claimed. We also suggest a method to fix it.
Yue Zhou, Sid Chi-Kin Chau
ePrint Report
Zero-knowledge range arguments are a fundamental cryptographic primitive that allows a prover to convince a verifier of the knowledge of a secret value lying within a predefined range. They have been utilized in diverse applications, such as confidential transactions, proofs of solvency and anonymous credentials. Range arguments with a transparent setup dispense with any trusted setup to eliminate security backdoors and enhance transparency. They are increasingly deployed in diverse decentralized applications on blockchains. One of the major concerns of practical deployment of range arguments on blockchains is the incurred gas cost and high computational overhead associated with blockchain miners. Hence, it is crucial to optimize the verification efficiency in range arguments to alleviate the deployment cost on blockchains and other decentralized platforms. In this paper, we present VeRange with several new zero-knowledge range arguments in the discrete logarithm setting, requiring only $c \sqrt{N/\log N}$ group exponentiations for verification, where $N$ is the number of bits to represent a range and $c$ is a small constant, making them concretely efficient for blockchain deployment with a very low gas cost. Furthermore, VeRange is aggregable, allowing a prover to simultaneously prove $T$ range arguments in a single argument, requiring only $O(\sqrt{TN/\log (TN)}) + T$ group exponentiations for verification. We deployed VeRange on Ethereum and measured the empirical gas cost, achieving the fastest verification runtime and the lowest gas cost among the discrete-logarithm-based range arguments in practice.
Daniel Aronoff, Adithya Bhat, Panagiotis Chatzigiannis, Mohsen Minaei, Srinivasan Raghuraman, Robert M. Townsend, Nicolas Xuan-Yi Zhang
ePrint Report
Blockchain technology and smart contracts have revolutionized digital transactions by enabling trustless and decentralized exchanges of value. However, the inherent transparency and immutability of blockchains pose significant privacy challenges. On-chain data, while pseudonymous, is publicly visible and permanently recorded, potentially leading to the inadvertent disclosure of sensitive information. This issue is particularly pronounced in smart contract applications, where contract details are accessible to all network participants, risking the exposure of identities and transactional details.

To address these privacy concerns, there is a pressing need for privacy-preserving mechanisms in smart contracts. To showcase this need even further, in our paper we bring forward advanced use-cases in economics which only smart contracts equipped with privacy mechanisms can realize, and show how fully-homomorphic encryption (FHE) as a privacy enhancing technology (PET) in smart contracts, operating on a public blockchain, can make possible the implementation of these use-cases. Furthermore, we perform a comprehensive systematization of FHE-based approaches in smart contracts, examining their potential to maintain the confidentiality of sensitive information while retaining the benefits of smart contracts, such as automation, decentralization, and security. After we evaluate these existing FHE solutions in the context of the use-cases we consider, we identify open problems, and suggest future research directions to enhance privacy in blockchain smart contracts.
Indian Institute of Technology Guwahati, India, 16 December - 19 December 2025
Event Calendar
Event date: 16 December to 19 December 2025
Aarhus, Denmark, 2 December - 5 December 2025
TCC
Event date: 2 December to 5 December 2025
Kuala Lumpur, Malaysia, 14 September 2025
Event Calendar
Event date: 14 September 2025
Yokohama, Japan, 10 October - 12 October 2025
Event Calendar
Event date: 10 October to 12 October 2025
Submission deadline: 31 May 2025
Notification: 15 July 2025

22 March 2025

Input-Output Group - remote
Job Posting
What the role involves:

As an Applied Cryptography Researcher, you must be a cryptographer with a strong understanding of practical aspects of using cryptography in real world settings. You have the exciting challenge of working on bleeding-edge research and technology, always with a focus on the market's needs. You will work side by side with architects and engineers implementing novel cryptographic primitives that you may have also designed yourself. The scope is everything from Post-Quantum prototypes to hand-optimisation of existing primitives to completely new systems. To support you on this challenge, we have cryptography researchers, software architects, product managers, project managers, formal methods specialists and QA test engineers, with whom you will have high bandwidth communications.

  • Extract requirements from product and engineering regarding cryptographic primitives.
  • Lead and contribute to novel cryptographic research meeting such requirements.
  • Support prototyping of cryptographic systems.
  • Translate research into engineering specifications & implementations.
  • Meticulously review cryptographic protocols and proposed primitives.
  • Write research papers for submission to top cryptologic conferences and journals.
  • Contribute to peer-reviewed publications.

Who you are:

  • PhD in Computer Science/Engineering or Applied Mathematics.
  • A minimum of 4-5 years development experience in the field.
  • Expert knowledge of applied cryptography & best practices.
  • Expert knowledge of ZK protocols, such as PlonK and the IPA commitment scheme.
  • Expert knowledge of elliptic curve cryptography.
  • Expert knowledge of post quantum security techniques.
  • Familiarity with blockchain cryptography and constructions.
  • Practical experience with implementation of cryptographic primitives.
  • Expert in terms of cryptographic design.
  • Good understanding of implementation and engineering constraints.
  • Security sensibility related to cryptographic implementation.
  • Excellent theoretical cryptography and mathematical knowledge.

Closing date for applications:

Contact: Marios Nicolaides

More information: https://apply.workable.com/io-global/j/DE859C73F4/

University of South Florida, Tampa, Florida
Job Posting
Funded PhD position for Fall 2025 on Cryptographic Engineering and Hardware Security.

This is an urgent call for interested applicants. A funded Ph.D. student position is available for Fall 2025 to work on different aspects of Cryptographic Engineering in the new Bellini College of Artificial Intelligence, Cybersecurity, and Computing with Dr. Mehran Mozaffari Kermani. We are looking for motivated, talented, and hardworking applicants who have background and are interested in working on different aspects of Cryptographic Engineering with emphasis on hardware/software implementation, and side-channel attacks.

Please email me your updated CV (including list of publications, language test marks, and references), transcripts for B.Sc. and M.Sc., and a statement of interest to: mehran2 (at) usf.edu as soon as possible.

Research Webpage: https://cse.usf.edu/~mehran2/

Closing date for applications:

Contact: Mehran Mozaffari Kermani