International Association
for Cryptologic Research

We analyze the composition of symmetric encryption and digital signatures in secure group messaging protocols where group members share a symmetric encryption key. In particular, we analyze the chat encryption algorithms underlying MLS, Session, Signal, and Matrix using the formalism of symmetric signcryption introduced by Jaeger, Kumar, and Stepanovs (Eurocrypt 2024). We identify theoretical attacks against each of the constructions we analyze that result from the insufficient binding between the symmetric encryption scheme and the digital signature scheme. In the case of MLS and Session, these translate into practically exploitable replay and reordering attacks by a group-insider. For Signal this leads to a forgery attack by a group-outsider with access to a user’s signing key, an attack previously discovered by Balbás, Collins, and Gajland (Asiacrypt 2023). In Matrix there are mitigations in the broader ecosystem that prevent exploitation. We provide formal security theorems that each of the four constructions are secure up to these attacks. Additionally, in Session we identified two attacks outside the symmetric signcryption model. The first allows a group-outsider with access to an exposed signing key to forge arbitrary messages and the second allows outsiders to replay ciphertexts.

Hardware IP blocks have been subjected to various forms of confidentiality and integrity attacks in recent years due to the globalization of the semiconductor industry. System-on-chip (SoC) designers are now considering a zero-trust model for security, where an IP can be attacked at any stage of the manufacturing process for piracy, cloning, overproduction, or malicious alterations. Hardware redaction has emerged as a promising countermeasure to thwart confidentiality and integrity attacks by untrusted entities in the globally distributed supply chain. However, existing redaction techniques provide this security at high overhead costs, making them unsuitable for real-world implementation. In this paper, we propose HIPR, a fine-grain redaction methodology that is robust, scalable, and incurs significantly lower overhead compared to existing redaction techniques. HIPR redacts security-critical Boolean and sequential logic from the hardware design, performs interconnect randomization, and employs multiple overhead optimization steps to reduce overhead costs. We evaluate HIPR on open-source benchmarks and reduce area overheads by 1 to 2 orders of magnitude compared to state-of-the-art redaction techniques without compromising security. We also demonstrate that the redaction performed by HIPR is resilient against conventional functional and structural attacks on hardware IPs. The redacted test IPs used to evaluate HIPR are available at: https://github.com/UF-Nelms-IoT-Git-Projects/HIPR.

A (single server) private information retrieval (PIR) allows a client to read data from a public database held on a remote server, without revealing to the server which locations she is reading. In a doubly efficient PIR (DEPIR), the database is first preprocessed offline into a data structure, which then allows the server to answer any client query efficiently in sub-linear online time. Constructing DEPIR is a notoriously difficult problem, and this difficulty even extends to a weaker notion secret-key DEPIR (SK-DEPIR), where the database is preprocessed using secret randomness and the client is given a secret key for making queries. We currently only have constructions of SK-DEPIR from the Ring LWE assumption or from non-standard code-based assumptions.

We show that the black-box use of essentially all generic cryptographic primitives (e.g., key agreement, oblivious transfer, indistinguishability obfuscation, etc.), including idealized primitives (e.g., random oracles, generic multilinear groups, virtual black-box obfuscation, etc.) is essentially useless for constructing SK-DEPIR. In particular, in any such SK-DEPIR construction, we can replace all black-box use of these primitives with just a black-box use of one-way functions. While we conjecture that SK-DEPIR cannot be constructed using black-box one-way functions alone, we are unable to show this in its full generality. However, we do show this for 2-round schemes with a passive server that simply outputs requested locations in the preprocessed data structure, which is the format of all known schemes. Overall, this shows that the black-box use of essentially all crypto primitives is insufficient for constructing 2-round passive-server SK-DEPIR, and does not provide any benefit beyond black-box one-way functions for constructing general SK-DEPIR.

In a social key recovery scheme, users back up their secret keys (typically using Shamir's secret sharing) with their social connections, known as a set of guardians. This places a heavy burden on the guardians, as they must manage their shares both securely and reliably. Finding and managing such a set of guardians may not be easy, especially when the consequences of losing a key are significant.

We take an alternative approach of social recovery within a community, where each member already holds a secret key (with possibly an associated public key) and uses other community members as their guardians forming a mutual dependency among themselves. Potentially, each member acts as a guardian for upto $(n-1)$ other community members. Therefore, in this setting, using standard Shamir's sharing leads to a linear ($O(n)$) blow-up in the internal secret storage of the guardian for each key recovery. Our solution avoids this linear blowup in internal secret storage by relying on a novel secret-sharing scheme, leveraging the fact that each member already manages a secret key. In fact, our scheme does not require guardians to store anything beyond their own secret keys.

We propose the first formal definition of a social key recovery scheme for general access structures in the community setting. We prove that our scheme is secure against any malicious and adaptive adversary that may corrupt up to $t$ parties. As a main technical tool, we use a new notion of secret sharing, that enables $(t+1)$ out of $n$ sharing of a secret even when the shares are generated independently -- we formalize this as bottom-up secret sharing (BUSS), which may be of independent interest.

Finally, we provide an implementation benchmarking varying the number of guardians both in a regional, and geo-distributed setting. For instance, for 8 guardians, our backup protocol takes around 146-149 ms in a geo-distributed WAN setting, and 4.9-5.9 ms in the LAN setting; for recovery protocol, the timings are approximately the same for the WAN setting (as network latency dominates), and 1.2-1.4 ms for the LAN setting.

This work presents an exact and compact formula for the probability of rotation-xor differentials (RX-differentials) through modular addition, for arbitrary rotation amounts, which has been a long-standing open problem. The formula comes with a rigorous proof and is also verified by extensive experiments.

Our formula uncovers error in a recent work from 2022 proposing a formula for rotation amounts bigger than 1. Surprisingly, it also affects correctness of the more studied and used formula for the rotation amount equal to 1 (from TOSC 2016). Specifically, it uncovers rare cases where the assumptions of this formula do not hold. Correct formula for arbitrary rotations now opens up a larger search space where one can often find better trails.

For applications, we propose automated mixed integer linear programming (MILP) modeling techniques for searching optimal RX-trails based on our exact formula. They are consequently applied to several ARX designs, including Salsa, Alzette and a small-key variant of Speck, and yield many new RX-differential distinguishers, some of them based on provably optimal trails. In order to showcase the relevance of the RX-differential analysis, we also design Malzette, a 12-round Alzette-based permutation with maliciously chosen constants, which has a practical RX-differential distinguisher, while standard differential/linear security arguments suggest sufficient security.

Digital identity wallets allow citizens to prove who they are and manage digital documents, called credentials, such as mobile driving licenses or passports. As with physical documents, secure and privacy-preserving management of the credential lifecycle is crucial: a credential can change its status from issued to valid, revoked or expired. In this paper, we focus on the analysis of cryptographic accumulators as a revocation scheme for digital identity wallet credentials. We describe the most well-established public key accumulators, and how zero-knowledge proofs can be used with accumulators for revocation of non-anonymous credentials. In addition, we assess the computational and communication costs analytically and experimentally. Our results show that they are comparable with existing schemes used in the context of certificate revocation.

HuFu is an unstructured lattice-based signature scheme proposed during the NIST PQC standardization process. In this work, we present a side-channel analysis of HuFu's reference implementation.

We first exploit the multiplications involving its two main secret matrices, recovering approximately half of their entries through a non-profiled power analysis with a few hundred traces. Using these coefficients, we reduce the dimension of the underlying LWE problem, enabling full secret key recovery with calls to a small block-sized BKZ.

To mitigate this attack, we propose a countermeasure that replaces sensitive computations involving a secret matrix with equivalent operations derived solely from public elements, eliminating approximately half of the identified leakage and rendering the attack unfeasible.

Finally, we perform a non-profiled power analysis targeting HuFu's Gaussian sampling procedure, recovering around 75\% of the remaining secret matrix's entries in a few hundred traces. While full key recovery remains computationally intensive, we demonstrate that partial knowledge of the secret significantly improves the efficiency of signature forgery.

Who you are:
The internship is ideally intended for senior undergraduate/master students, PhD candidates, or early postdocs in one of the fields with relevance to blockchain systems, such as computer science, applied mathematics, cryptography, or economics. It is a perfect opportunity for an early-stage researcher to gain valuable research experience by collaborating with members of the IOG Research team on current challenges in blockchain technologies.

What the role involves:
The intern will work on an Internship Project that will be defined prior to the commencement of the internship, taking into account the intern’s scientific background and skillset, as well as the research priorities within IOG.

The work will be done under the guidance of a supervisor, who will be one of the members of IOG Research. Supervisors will contribute to defining the scope of the Internship Project, track the intern’s progress, provide guidance, and ensure that the work done is aligned with the broader research carried out at IOG Research.

The duration of the internship is up to 3 months and is primarily intended to take place during summer 2025, although other time periods may be considered.

Closing date for applications:

Contact: Sandro Coretti-Drayton

More information: https://apply.workable.com/io-global/j/0BC29938F1/

EPITA : École d'Ingénieurs en Informatique is offering several teaching/research positions (MCF and PR profile) in computer science within the EPITA Research Laboratory (LRE) for the start of the 2025-2026 academic year.
The LRE, https://www.lre.epita.fr, is attached to the "EDITE doctoral school" in Paris (Sorbonne University). It was evaluated by Hcéres in 2017-2018, and is currently being evaluated (wave 2024-2025). We are recruiting to strengthen the five LRE teams, in particular the Security and Systems team (https://www.lre.epita.fr/systems/), for the Paris, Rennes and Toulouse sites in the following areas:

• For the Paris site :
• Cryptography
• Post-quantum standards, protocols and primitives
• Automatic analysis
• Blockchain
• Learning detection and security
• Attack detection and analysis
• Security of learning models
• Software and hardware security
• Virology and malware analysis
• Reverse engineering at assembler and hardware level
• Systems
• Operating systems and kernels
• Cloud computing and virtualisation
• Embedded systems
• For the Rennes site:
• Static and dynamic analysis of malicious software
• Instrumentation and tools for analysis and monitoring
with teaching interventions mainly in the DevSecOps major.
• For the Toulouse site:
• The dedicated job description for an HDR or ‘almost HDR’ profile is here: https://tinyurl.com/PosteEpitaToulouseHDR2025

Closing date for applications:

Contact: [email protected]; [email protected]

More information: https://tinyurl.com/PostesEpitaSECUSYST2025

Position 1: One or two casual researchers in the field of Privacy-preserving Machine Learning, for a few hundred hours each (the exact number of hours is negotiable and depends on the availability of the candidate/s).
Expectations: to produce top-tier journal paper/s in the field of Privacy-preserving Machine Learning.

Position 2 : A casual developer with the following skill set required, for a few hundred hours (the exact number of hours is negotiable and depends on the availability of the candidate):
1. Swift (for a task specifically for iOS), and
2. Java (for Android app development), and
3. TensorFlow.js (for a specific task), and
4. Java or PHP or C# (for web page development), and
5. HTML and CSS and JavaScript (for UI design).
Expectations : to continue with some existing development work by polishing and finalizing the mobile app development.

Note : The successful candidates for both the positions above must be physically based in Australia with working rights in Australia when the work is being done.

Closing date for applications:

Contact: Dr. Zhaohui (Linda) Tang at:
[email protected]

The zero-knowledge group (a subgroup of the cryptography group) at the Institute of Computer Science of the University of Tartu seeks one postdoctoral researcher and one Ph.D student in contemporary zk-SNARKs. The existing zero-knowledge group comprises Helger Lipmaa, Janno Siim, and Ph.D students. Our current research interests include the provable security of zk-SNARKs (including more stringent security notions and more realistic cryptographic assumptions), the design of pairing-based, code-based, and lattice-based zk-SNARKs, and the design of zk-SNARKs for applications like zkVM and zkML. We collaborate actively with local groups on coding theory and machine learning to further our aims. While primarily focused on academic publishing, we are interested in collaborating with ZK companies.

The postdoctoral researcher should have a strong track record in areas related to the design and analysis of efficient zero-knowledge proofs. We expect the candidate to have published a few papers at IACR conferences or venues of equivalent renown. The Ph.D student must have an MSc or equivalent by this spring, a strong mathematics and/or theoretical computer science background, and an existing cryptography background. We welcome all exceptional candidates. We especially welcome candidates with a background in PQ zk-SNARKs (hash-based or lattice-based) or applications like zkML; in the case of the Ph.D student, we interpret it as a background either in coding theory, lattice-based cryptography, or machine learning.

T apply for the positions, submit a letter of motivation (clearly stating why this project and the applicant are a good match), a full research CV, names of two references, and a research statement (obligatory for the postdoctoral researcher), clearly indicating the sought position (postdoc or Ph.D student).

The postdoc position starts on August 1, 2025, or later and lasts 2-4 years, depending on the candidate and negotiations. The Ph.D. position starts on September 1, 2025, and lasts four years. The candidates may later seek further employment, but this is not guaranteed in advance. Application deadline: 25.04.2025.

Closing date for applications:

Contact: Helger Lipmaa Professor of Cryptography, Head of Chair

https://kodu.ut.ee/~lipmaa/

helger dot lipmaa at ut dot ee

More information: https://crypto.cs.ut.ee/Main/OpenPositions

The Applied Crypto group of the University of Luxembourg is offering a Ph.D. student and a post-doc position in cryptography. Possible topics of interests are fully homomorphic encryption, public-key cryptanalysis, and side-channel attacks and countermeasures. We offer a competitive salary. The duration of the position is 3 years (+ 1 year extension) for Ph.D., and 3 years for post-doc.

Closing date for applications:

Contact: Jean-Sebastien Coron - [email protected]

More information: http://www.crypto-uni.lu/vacancies.html

We are looking for a Ph.D. student to join the Digital Security group at Radboud University. The position is fully funded for 4 years.

The candidate will work on the hardware security of symmetric-key ciphers. Topics of interest include:

• hardware implementations
• side-channel analysis
• fault analysis
• investigation of countermeasures

You will spend about 10% of your time assisting with teaching at our department. This will typically include tutoring practical assignments, grading coursework, and supervising student projects.

Your profile You hold a Master’s degree in mathematics, computer science, engineering, or a related field or expect to obtain such a degree soon. You have good programming skills and some experience with at least one of the following: cryptography, side-channel attacks or hardware description languages. You have a strong interest in cryptography and embedded systems security and especially their real-world deployment.

To apply please visit: https://www.ru.nl/en/working-at/job-opportunities/phd-position-hardware-security-of-symmetric-key-ciphers
Only applications via the official portal will be considered. Application deadline: 31 March 2025 Start date: flexible

Closing date for applications:

Contact: Dr. S. Mella

More information: https://www.ru.nl/en/working-at/job-opportunities/phd-position-hardware-security-of-symmetric-key-ciphers

This paper presents a security analysis of the South Korean Format-Preserving Encryption (FPE) standards FEA-1 and FEA-2. In 2023, Chauhan \textit{et al.} presented the first third-party analysis of FEA-1 and FEA-2 against the square attack. The authors proposed new distinguishing attacks covering up to three rounds of FEA-1 and five rounds of FEA-2, with a data complexity of $2^8$ plaintexts. Additionally, using these distinguishers, they presented key recovery attacks for four rounds of FEA-1 and six rounds of FEA-2, for 192-bit and 256-bit key sizes. The complexities of both the four-round FEA-1 and six-round FEA-2 key recovery attacks are $2^{137.6}$. \\

In this work, we successfully extend the number of rounds attacked for both FEA-1 and FEA-2, using the square attack technique. Specifically, we present a four-round distinguishing attack against FEA-1 and six-round distinguishing attack against FEA-2. The data complexities of these distinguishers are $2^{64}$ plaintexts. Furthermore, we apply these distinguishers to perform key recovery attacks on five rounds of FEA-1 and seven rounds of FEA-2, targeting the 256-bit key size. The time complexities of the presented key recovery attacks are $2^{193.6}$.

The current landscape of system-on-chips (SoCs) security verification faces challenges due to manual, labor-intensive, and inflexible methodologies. These issues limit the scalability and effectiveness of security protocols, making bug detection at the Register-Transfer Level (RTL) difficult. This paper proposes a new framework named BugWhisperer that utilizes a specialized, fine-tuned Large Language Model (LLM) to address these challenges. By enhancing the LLM's hardware security knowledge and leveraging its capabilities for text inference and knowledge transfer, this approach automates and improves the adaptability and reusability of the verification process. We introduce an open-source, fine-tuned LLM specifically designed for detecting security vulnerabilities in SoC designs. Our findings demonstrate that this tailored LLM effectively enhances the efficiency and flexibility of the security verification process. Additionally, we introduce a comprehensive hardware vulnerability database that supports this work and will further assist the research community in enhancing the security verification process.

CHide is one of the most prominent e-voting protocols, which, while combining security and efficiency, suffers from having very long encrypted credentials. In this paper, starting from CHide, we propose a new protocol, based on multiparty Class Group Encryption (CGE) instead of discrete logarithm cryptography over known order groups, achieving a computational complexity of $O(nr)$, for $n$ votes and $r$ voters, and using a single MixNet. The homomorphic properties of CGE allow for more compact credentials while maintaining the same level of security at the cost of a small slowdown in efficiency.

The ETSI Technical Specification 104 015 proposes a framework to build Key Encapsulation Mechanisms (KEMs) with access policies and attributes, in the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) vein. Several security guarantees and functionalities are claimed, such as pre-quantum and post-quantum hybridization to achieve security against Chosen-Ciphertext Attacks (CCA), anonymity, and traceability. In this paper, we present a formal security analysis of a more generic construction, with application to the specific Covercrypt scheme, based on the pre-quantum ECDH and the post-quantum ML-KEM KEMs. We additionally provide an open-source library that implements the ETSI standard, in Rust, with high effiency.

In order to compute a multiple of a point on an elliptic curve in Weierstrass form one can use formulas in only one of the two coordinates of the points. When one computes with these $x$-only formulas one says that one computes on the Kummer line. Similarly, it is easy to define the Kummer line of an elliptic curve in theta coordinates. In this article we give a unified definition of what is a Kummer line.

Using Mumford's theory of the theta group and defining the isomorphism of Kummer lines, we obtain that there are only two types of Kummer lines. The same theory allows to give conversion formulas between Kummer models in a unified manner.

We also classify curves that admit these different models via Galois representation and modular curves. When an elliptic curve is viewed inside a $2$-volcano we give criteria to say if it has a given Kummer model based solely on its position in the volcano. We give applications to the ECM factorization algorithm.

Over two decades since their introduction in 2005, all major verifiable pairing delegation protocols for public inputs have been designed to ensure information-theoretic security. However, we note that a delegation protocol involving only ephemeral secret keys in the public view can achieve everlasting security, provided the server is unable to produce a pairing forgery within the protocol’s execution time. Thus, computationally bounding the adversary’s capabilities during the protocol’s execution, rather than across its entire lifespan, may be more reasonable, especially when the goal is to achieve significant efficiency gains for the delegating party. This consideration is particularly relevant given the continuously evolving computational costs associated with pairing computations and their ancillary blocks, which creates an ever-changing landscape for what constitutes efficiency in pairing delegation protocols. With the goal of fulfilling both efficiency and everlasting security, we present AmorE, a protocol equipped with an adjustable security and efficiency parameter for sequential pairing delegation, which achieves state-of-the-art amortized efficiency in terms of the number of pairing computations. For example, delegating batches of 10 pairings on the BLS48-575 elliptic curve via our protocol costs to the client, on average, less than a single scalar multiplication in G2 per delegated pairing, while still ensuring at least 40 bits of statistical security.

Power side-channel (PSC) vulnerabilities present formidable challenges to the security of ubiquitous microelectronic devices in mission-critical infrastructure. Existing side-channel assessment techniques mostly focus on post-silicon stages by analyzing power profiles of fabricated devices, suffering from low flexibility and prohibitively high cost while deploying security countermeasures. While pre-silicon PSC assessments offer flexibility and low cost, the true nature of the power signatures cannot be fully captured through RTL or gate-level design. Although physical design-level analysis provides precise power traces, collecting data is time and resource-consuming at the layout level. To address this challenge, we propose, for the first time, a fast and efficient physical design-level PSC assessment framework using a graph neural network (GNN). This framework predicts dynamic power traces for new layouts, using them to assess physical design security through metrics evaluation. Our experiments on AES-GF layout implementations achieve a tremendous 133 times speedup compared to conventional simulation-based flow without sacrificing substantial accuracy.