International Association
for Cryptologic Research

Registration-based encryption (RBE) is a recently developed alternative to identity-based encryption, that mitigates the well-known key-escrow problem by letting each user sample its own key pair. In RBE, the key authority is substituted by a key curator, a completely transparent entity whose only job is to reliably aggregate users' keys. However, one limitation of all known RBE scheme is that they all rely on one-time trusted setup, that must be computed honestly. In this work, we ask whether this limitation is indeed inherent and we initiate the systematic study of RBE in the plain model, without any common reference string. We present the following main results: - (Definitions) We show that the standard security definition of RBE is unachievable without a trusted setup and we propose a slight weakening, where one honest user is required to be registered in the system. - (Constructions) We present constructions of RBE in the plain model, based on standard cryptographic assumptions. Along the way, we introduce the notions of non-interactive witness indistinguishable (NIWI) proofs secure against chosen statements attack and re-randomizable RBE, which may be of independent interest. A major limitation of our constructions, is that users must be updated upon every new registration. - (Lower Bounds) We show that this limitation is in some sense inherent. We prove that any RBE in the plain model that satisfies a certain structural requirement, which holds for all known RBE constructions, must update all but a vanishing fraction of the users, upon each new registration. This is in contrast with the standard RBE settings, where users receive a logarithmic amount of updates throughout the lifetime of the system.

Due to their simple security assessments, permutation-based pseudo-random functions (PRFs) have become widely used in cryptography. It has been shown that PRFs using a single $n$-bit permutation achieve $n/2$ bits of security, while those using two permutation calls provide $2n/3$ bits of security in the classical setting. This paper studies the security of permutation-based PRFs within the Q1 model, where attackers are restricted to classical queries and offline quantum computations. We present improved quantum-time/classical-data tradeoffs compared with the previous attacks. Specifically, under the same assumptions/hardware as Grover's exhaustive search attack, i.e. the offline Simon algorithm, we can recover keys in quantum time $\tilde{O}(2^{n/3})$, with $O(2^{n/3})$ classical queries and $O(n^2)$ qubits. Furthermore, we enhance previous superposition attacks by reducing the data complexity from exponential to polynomial, while maintaining the same time complexity. This implies that permutation-based PRFs become vulnerable when adversaries have access to quantum computing resources. It is pointed out that the above quantum attack can be used to quite a few cryptography, including SoEM, PDMMAC, pEDM, as well as general instantiations like XopEM, EDMEM, EDMDEM, and others.

Event date: 18 September to 19 September 2025
Submission deadline: 15 May 2025
Notification: 8 July 2025

Event date: 27 October to 31 October 2025
Submission deadline: 30 June 2025
Notification: 15 August 2025

Applications are sought for a post-doc position in the cryptography group (CSE Department, UCSD) with Mihir Bellare. Dates are flexible.

Topics of interest include application-relevant theory of two-party computation that in particular continues work such as https://eprint.iacr.org/2024/1476, and provable security for symmetric cryptography, in particular authenticated encryption. Open to considering other topics as well.

Needed background is experience in, and facility with, formal definitions and proofs in the provable-security style.

Apply: To apply, please complete this Google form: https://docs.google.com/forms/d/1iOOKWI1kfU348b6Aw53FILEOu5qIDOnUoB9ngyK5wh8

Closing date for applications:

Contact: Mihir Bellare mbellare AT ucsd DOT edu

More information: https://cseweb.ucsd.edu/~mihir/

The Faculty of Informatics at Università della Svizzera italiana (USI) welcomes applications for a tenure-track Assistant Professor in Information and Computer Security. The faculty’s focus is always on excellence in both research and teaching – exceptional candidates in all areas of Security are strongly encouraged to apply. The position is available from autumn 2025. The targeted starting date for the position is as early as September 1, 2025. More information available here: https://content.usi.ch/sites/default/files/storage/attachments/inf/inf-assistant-professor-2025.pdf

Closing date for applications:

Contact: Stefan Wolf, http://usi.to/nbk

More information: https://content.usi.ch/sites/default/files/storage/attachments/inf/inf-assistant-professor-2025.pdf

The Research Training Group "Cybercrime and Forensic Computing" aims to systematically analyze research questions arising from the interaction between computer science and criminal law. More information about the project can be found at https://cybercrime.fau.de.

The following aspects are particularly relevant to the PhD position in the area of Hardware Security:

• Computer Architecture
• Embedded Systems
• System-level Design Automation
• Side-channel Analysis

Applicants should have an excellent academic record, hold an MSc or an equivalent university degree in computer science or related disciplines, and have the goal to finish a PhD degree within three years.

For the particular position in hardware security, applicants should have an understanding of computer architectures (particularly RISC-V), hardware description languages, SoC design, and FPGA tools. Applicants should be team-oriented, open-minded, and communicative, with an interest in both theoretical and practical aspects of hardware security and embedded system design.

Closing date for applications:

Contact: Felix Freiling ([email protected]) for general questions and the application process, Jürgen Teich ([email protected]) and Stefan Wildermann ([email protected]) for questions about the position on hardware security.

More information: https://www.jobs.fau.de/jobs/7-phd-positions-m-f-d-salary-level-13-tv-l-in-computer-science-full-time-and-3-phd-position-m-f-d-salary-level-13-tv-l-in-law-part-time-75-91680455/

The newly established junior research group on Computer-Aided Verification of Physical Security Properties (CAVE) is looking for excellent Ph.D. candidates in the area of hardware security, particularly (but not limited to) those specialized in:

• Hardware Security Verification: We explore how to perform efficient pre-silicon security verification with respect to physical implementation attacks (Side-Channel Analysis / Fault-Injection Analysis).
• Physical Implementation Attacks: We deepen the (theoretical) understanding of active and passive physical implementation attacks to build formal attacker models for security verification.
• Secure Hardware Design: We investigate how to build secure hardware circuits that can resist physical implementation attacks.

If you are interested in applying, please send an email to Dr. Pascal Sasdrich ([email protected]) with the following documents in a single PDF (max. 10 MB) and subject line "[CAVE] Application for PhD position":

1. Your CV, including a transcript of records.
2. A brief cover letter describing your research interests.
3. Contact details of 2-3 potential references.

HGI and RUB stand for a collaborative, diverse, and inclusive workplace culture and promote equal opportunities. We strongly encourage applications from members of any underrepresented group in our research area. In particular, we invite and motivate women and individuals with disabilities to apply.

Closing date for applications:

Contact: Pascal Sasdrich ([email protected])

Information Security and Machine Learning Lab (https://ai-security.github.io/index_e.htm) has conducted research in a range of areas including artificial intelligence, cyber security and cryptography. We are also extending our areas to emerging areas such as quantum computing and parallel computing. Post-doctoral research fellows are welcome from computer science/engineering, electric/electronics, and mathematics/statistics. Applicants with good high-impact journal publication records are encouraged to send their CVs, publication lists and research statements to Professor Seong Oun Hwang (seongoun.hwang at gmail.com) by April 25, 2025.

Closing date for applications:

Contact: Professor Seong Oun Hwang

More information: https://ai-security.github.io/index_e.htm

We are looking for a Post Doctoral researcher to join the Crypto Team in the information Security Unit at Chalmers, under the guidance of Asst. Prof. Elena Pagnin. The applicant will have the opportunity to contribute to one or more research projects carried out in the team and to work together with all team members. Topics of interest include: provable security, post-quantum security, transparency logs, fine-grained and bounded space cryptography, and foundational cryptography. The position is fully funded for 2 years, with a 80-20 split between research and teaching duties (including supervising master thesis and helping in course-related teaching activities)

Closing date for applications:

Contact: Only applications via the official portal are considered valid.

More information: https://www.chalmers.se/en/about-chalmers/work-with-us/vacancies/

The Department of Engineering of the public Pompeu Fabra University, Barcelona, Catalonia, Spain, invites applications for a Tenure Track faculty position on Computer Security. Details about the formal requirements, the selection criteria, the selection process, and further essential information are given in the official regulations of the call. Approximated gross salary: 42.268,90 EUR per year. Applications must include an electronic copy of the PhD certificate. Furthermore, in order to illustrate the applicant's match with the requirement and selection criteria, it is strongly recommended to include a cover letter (1 page maximum), a curriculum vitae (providing common academic IDs such as Orcid or Web of Science Researcher ID), as well as a teaching and research statement (1 page maximum each). Equal Employment Opportunity Statement: UPF promotes a diverse and inclusive environment and welcomes applicants regardless of age, disability, gender, nationality, race, religion or sexual orientation.

Closing date for applications:

Contact: [email protected]

More information: https://www.upf.edu/documents/1656590/294524599/Bases+ENG-TTPT-2025-8+ENGLISH.docx.pdf/8d0201ec-ba05-868e-699b-0db42e026f85?t=1741351921540

The Young Investigator Group “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has an open PhD/Postdoc position in the following areas:

AI-based Network Attack Detection and Simulation.

AI-enabled Penetration Testing.

Privacy-Enhancing Technologies in Cyber-Physical Systems.

The available position is funded as 100% TV-L E13 tariff in Germany and limited until 31.07.2026, with possibility for extension. Candidates must hold a Master’s degree (PhD degree for Postdocs) or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. Applications will be reviewed until the position is filled.

Closing date for applications:

Contact: Ivan Pryvalov ([email protected])

DNA edit distance (ED) measures the minimum number of single nucleotide insertions, substitutions, or deletions required to convert a DNA sequence into another. ED has broad applications in healthcare such as sequence alignment, genome assembly, functional annotation, and drug discovery. Privacy-preserving computation is essential in this context to protect sensitive genomic data. Nonetheless, the existing secure DNA edit distance solutions lack efficiency when handling large data sequences or resort to approximations and fail to accurately compute the metric.

In this work, we introduce secureED, a protocol that tackles these limitations, resulting in a significant performance enhancement of approximately $2-24\times$ compared to existing methods. Our protocol computes a secure ED between two genomes, each comprising $1,000$ letters, in just a few seconds. The underlying technique of our protocol is a novel approach that transforms the established approximate matching technique (i.e., the Ukkonen algorithm) into exact matching, exploiting the inherent similarity in human DNA to achieve cost-effectiveness. Furthermore, we introduce various optimizations tailored for secure computation in scenarios with a limited input domain, such as DNA sequences composed solely of the four nucleotide letters.

Side-channel analysis (SCA) is a growing field in hardware security where adversaries extract secret information from embedded devices by measuring physical observables like power consumption and electromagnetic emanation. SCA is a security assessment method used by governmental labs, standardization bodies, and researchers, where testing is not just limited to standardized cryptographic circuits, but it is expanded to AI accelerators, Post Quantum circuits, systems, etc. Despite its importance, SCA is performed on an ad hoc basis in the sense that its flow is not systematically optimized and unified among labs. As a result, the current solutions do not account for fair comparisons between analyses. Furthermore, neglecting the need for interoperability between datasets and SCA metric computation increases students’ barriers to entry. To address this, we introduce SCAPEgoat, a Python-based SCA library with three key modules devoted to defining file format, capturing interfaces, and metric calculation. The custom file framework organizes side-channel traces using JSON for metadata, offering a hierarchical structure similar to HDF5 commonly applied in SCA, but more flexible and human-readable. The metadata can be queried with regular expressions, a feature unavailable in HDF5. Secondly, we incorporate memory-efficient SCA metric computations, which allow using our functions on resource-restricted machines. This is accomplished by partitioning datasets and leveraging statistics-based optimizations on the metrics. In doing so, SCAPEgoat makes the SCA more accessible to newcomers so that they can learn techniques and conduct experiments faster and with the possibility to expand on in the future.

In this paper we provide new theoretical and empirical evidences that gradient-based deep learning profiling attacks (DL-SCA) suffer from masking schemes. This occurs through an initial stall of the learning process: the so-called plateau effect. To understand why, we derive an analytical expression of a DL-SCA model targeting simulated traces which enables us to study an analytical expression of the loss. By studying the loss landscape of this model, we show that not only do the magnitudes of the gradients decrease as the order of masking increases, but the loss landscape also exhibits a prominent saddle point interfering with the optimization process. From these observations, we (1) propose the usage of a second-order optimization algorithm mitigating the impact of low-gradient areas. In addition, we show how to leverage the intrinsic sparsity of valuable information in SCA traces to better pose the DL-SCA problem. To do so, we (2) propose to use the implicit regularization properties of the sparse mirror descent. These propositions are gathered in a new publicly available optimization algorithm, Scoop. Scoop combines second-order derivative of the loss function in the optimization process, with a sparse stochastic mirror descent. We experimentally show that Scoop pushes further the current limitations of DL-SCA against simulated traces, and outperforms the state-of-the-art on the ASCADv1 dataset in terms of number of traces required to retrieve the key, perceived information and plateau length. Scoop also performs the first non-worst-case attack on the ASCADv2 dataset. On simulated traces, we show that using Scoop reduces the DL-SCA time complexity by the equivalent of one masking order.

Scloud+ is an unstructured LWE-based key encapsulation mechanism (KEM) with conservative quantum security, in which ternary secrets and lattice coding are incorporated for higher computational and communication efficiency. However, its efficiencies are still much inferior to those of the structured LWE-based KEM, like ML-KEM (standardized by NIST). In this paper, we present a configurable hardware architecture for Scloud+.KEM to improve the computational efficiency. Many algorithmic and architectural co-optimizations are proposed to reduce the complexity and increase the degree of parallelism. Specially, the matrix multiplications are computed by a block in serial and the block is calculated in one cycle, without using any multipliers. In addition, the random bits all are generated by an unfolded Keccak core, well matched with the data flow required by the block matrix multiplier. The proposed design is coded in Verilog and implemented under the SMIC 40nm LP CMOS technology. The synthesized results show that Scloud+.KEM-128 only costs 23.0 $us$, 24.3 $us$, and 24.6 $us$ in the KeyGen, Encaps, and Decaps stages, respectively, with an area consumption of 0.69 $mm^2$, significantly narrowing the gap with the state-of-the-art of Kyber hardware implementation.

Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}. The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher's filter function cannot be represented over the ring it is defined on.

Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}.

For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.

We show that the aggregate signature scheme [IEEE Syst. J., 2023, 17(3), 3822-3833] is insecure against forgery attack. This flaw is due to that the ephemeral key or ephemeral value chosen in the signing phase is not indeed bound to the final signature. An adversary can sign any message while the verifier cannot find the fraud. We also suggest a revising method to frustrate this attack.

Side-channel vulnerabilities pose an increasing threat to cryptographically protected devices. Consequently, it is crucial to observe information leakages through physical parameters such as power consumption and electromagnetic (EM) radiation to reduce susceptibility during interactions with cryptographic functions. EM side-channel attacks are becoming more prevalent. PRESENT is a promising lightweight cryptographic algorithm expected to be incorporated into Internet-of-Things (IoT) devices in the future. This research investigates the EM side-channel robustness of PRESENT using a correlation attack model. This work extends our previous Correlation EM Analysis (CEMA) of PRESENT with improved results. The attack targets the Substitution box (S-box) and can retrieve 8 bytes of the 10-byte encryption key with a minimum of 256 EM waveforms. This paper presents the process of EM attack modelling, encompassing both simple and correlation attacks, followed by a critical analysis.

The Chou-Orlandi batch oblivious transfer (OT) protocol is a particularly attractive OT protocol that bridges the gap between practical efficiency and strong security guarantees and is especially notable due to its simplicity. The security analysis provided by Chou and Orlandi bases the security of their protocol on the hardness of the computational Diffie-Hellman ($\mathsf{CDH}$) problem in prime-order groups. Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{CDH}$ problem, their security analysis yields that an attacker running in time $t$ and issuing $q$ random-oracle queries breaks the security of their protocol with probability at most $\epsilon \leq q^2 \cdot t / 2^{\kappa/2}$, where $\kappa$ is the bit-length of the group's order. This concrete bound, however, is somewhat insufficient for 256-bit groups (e.g., for $\kappa = 256$, it does not provide any guarantee already for $t = 2^{48}$ and $q = 2^{40}$).

In this work, we establish a tighter concrete security bound for the Chou-Orlandi protocol. First, we introduce the list square Diffie-Hellman ($\ell\text{-}\mathsf{sqDH}$) problem and present a tight reduction from the security of the protocol to the hardness of solving $\ell\text{-}\mathsf{sqDH}$. That is, we completely shift the task of analyzing the concrete security of the protocol to that of analyzing the concrete hardness of the $\ell\text{-}\mathsf{sqDH}$ problem. Second, we reduce the hardness of the $\ell\text{-}\mathsf{sqDH}$ problem to that of the decisional Diffie-Hellman ($\mathsf{DDH}$) problem without incurring a multiplicative loss. Our key observation is that although $\mathsf{CDH}$ and $\mathsf{DDH}$ have the same assumed concrete hardness, relying on the hardness of $\mathsf{DDH}$ enables our reduction to efficiently test the correctness of the solutions it produces.

Concretely, in groups in which no better-than-generic algorithms are known for the $\mathsf{DDH}$ problem, our analysis yields that an attacker running in time $t$ and issuing $q \leq t$ random-oracle queries breaks the security of the Chou-Orlandi protocol with probability at most $\epsilon \leq t / 2^{\kappa/2}$ (i.e., we eliminate the above multiplicative $q^2$ term). We prove our results within the standard real-vs-ideal framework considering static corruptions by malicious adversaries, and provide a concrete security treatment by accounting for the statistical distance between a real-model execution and an ideal-model execution.