International Association
for Cryptologic Research

In this work, we present an efficient secure multi-party computation MPC protocol that provides strong security guarantees in settings with a dishonest majority of participants who may behave arbitrarily. Unlike the popular MPC implementation known as SPDZ [Crypto ’12], which only ensures security with abort, our protocol achieves both complete identifiability and robustness. With complete identifiability, honest parties can detect and unanimously agree on the identity of any malicious party. Robustness allows the protocol to continue with the computation without requiring a restart, even when malicious behavior is detected. Additionally, our approach addresses the performance limitations observed in the protocol by Cunningham et al. [ICITS ’17], which, while achieving complete identifiability, is hindered by the costly exponentiation operations required by the choice of commitment scheme.

Our protocol is based on the approach by Rivinius et al. [S&P ’22], utilizing lattice-based commitment for better efficiency. We achieves robustness with the help of a semi-honest trusted third party. We benchmark our robust protocol, showing the efficient recovery from parties’ malicious behavior.

Finally, we benchmark our protocol on a ML-as-a-service scenario, wherein clients off-load the desired computation to the servers, and verify the computation result. We benchmark on linear ML inference, running on various datasets. While our efficiency is slightly lower compared to SPDZ’s, we offer stronger security properties that provide distinct advantages.

Authenticated encryption with associated data (AEAD) schemes are responsible for securing increasingly critical digital infrastructures, worldwide. Unfortunately, current widely deployed schemes suffer from various limitations that make them difficult to use securely in practice. For example, schemes like AES-GCM limit the amount of data that can be encrypted with a single key, therefore limiting its secure scaling to modern workloads. At the same time, practitioners may not be able to move away from the use of AES-GCM due to mature and widely deployed implementations, legacy constraints, and compliance. In this paper, we provide approaches to improve the secure scaling of AEAD schemes via what we call derived-nonce, derived-key (DNDK) transforms. At a high level, such transforms use a root key to derive a nonce and key for use with an underlying scheme. The challenge is doing so in a way that introduces as little overhead as possible, and relying on a small number of assumptions on the used primitives. We provide some general results about secure scaling transforms and a concrete design for AES-GCM that is called DNDK-GCM. It requires as little as three additional AES calls to enable use of the same key to encrypt up to $2^{64}$ bytes of data, even when using random nonces. We also provide a detailed performance analysis. DNDK-GCM is now a draft IETF standard, and is already deployed at the cloud scale by companies including Meta.

The CKKS fully homomorphic encryption scheme enables efficient homomorphic operations in terms of throughput, but its bootstrapping algorithm incurs a significant latency. In this work, we introduce SHIP, a novel bootstrapping algorithm for CKKS ciphertexts. SHIP enjoys a very shallow homomorphic multiplicative depth compared to state-of-the-art CKKS bootstrapping algorithms. Bootstrapping depth directly impacts the required Ring-LWE modulus, and hence the Ring- LWE degree. The massive depth saving allows us to report the first bootstrapping of CKKS ciphertexts for full-dimensional cleartext vectors in ring degree N=2^13, without resorting to an expensive scheme switching to DM/CGGI. SHIP also enjoys great parallelizability, with minimal communication between threads. The combined ring size reduction and high parallelizability lead to very low latency. In ring degree N=2^13, our experimental implementation runs in 215ms on a 32-core CPU for real-valued cleartext vectors. This is 2.5x lower than the smallest latency we could observe with the HEaaN library (using 48 cores). For binary cleartext vectors, the latency is lowered to 174ms, which is 2.2x lower than Bae et al [Eurocrypt’24] (with 32 cores).

The power of adaptivity in algorithms has been intensively studied in diverse areas of theoretical computer science. In this paper, we obtain a number of sharp lower bound results which show that adaptivity provides a significant extra power in cryptanalytic time-space tradeoffs with (possibly unlimited) preprocessing time.

Most notably, we consider the discrete logarithm (DLOG) problem in a generic group of $N$ elements. The classical `baby-step giant-step' algorithm for the problem has time complexity $T=O(\sqrt{N})$, uses $O(\sqrt{N})$ bits of space (up to logarithmic factors in $N$) and achieves constant success probability.

We examine a generalized setting where an algorithm obtains an advice string of $S$ bits and is allowed to make $T$ arbitrary non-adaptive queries that depend on the advice string (but not on the challenge group element for which the DLOG needs to be computed). We show that in this setting, the $T=O(\sqrt{N})$ online time complexity of the baby-step giant-step algorithm cannot be improved, unless the advice string is more than $\Omega(\sqrt{N})$ bits long. This lies in stark contrast with the classical adaptive Pollard's rho algorithm for DLOG, which can exploit preprocessing to obtain the tradeoff curve $ST^2=O(N)$. We obtain similar sharp lower bounds for the problem of breaking the Even-Mansour cryptosystem in symmetric-key cryptography and for several other problems. To obtain our results, we present a new model that allows analyzing non-adaptive preprocessing algorithms for a wide array of search and decision problems in a unified way. Since previous proof techniques inherently cannot distinguish between adaptive and non-adaptive algorithms for the problems in our model, they cannot be used to obtain our results. Consequently, we rely on information-theoretic tools for handling distributions and functions over the space $S_N$ of permutations of $N$ elements. Specifically, we use a variant of Shearer's lemma for this setting, due to Barthe, Cordero-Erausquin, Ledoux, and Maurey (2011), and a variant of the concentration inequality of Gavinsky, Lovett, Saks and Srinivasan (2015) for read-$k$ families of functions, that we derive from it. This seems to be the first time a variant of Shearer's lemma for permutations is used in an algorithmic context, and it is expected to be useful in other lower bound arguments.

The dream of achieving data privacy during external computations has become increasingly concrete in recent years. Indeed, since the early days of Fully Homomorphic Encryption (FHE) more than a decade ago, new cryptosystems and techniques have constantly optimized the efficiency of computation on encrypted data. However, one of the main disadvantages of FHE, namely its significant ciphertext expansion factor, remains at the center of the efficiency bottleneck of FHE schemes. To tackle the issue of slow uplink FHE data transmission, we use transciphering. With transciphering, the client naturally encrypts its data under a symmetric scheme and sends them to the server with (once and for all) an FHE encryption of the symmetric scheme’s key. With its larger computing power, the server then evaluates the symmetric scheme’s decryption algorithm within the homomorphic domain to obtain homomorphic ciphertexts that allow it to perform the requested calculations. Since the first use of this method a bit more than ten years ago, papers on the homomorphic evaluation of AES have been numerous. And as the AES execution is the application chosen by NIST in the FHE part of its recent call for proposals on threshold encryption, the stakes of such work go up another level. But what about other standardized block ciphers? Is the AES the more efficient option? In this work, we leverage on two methods which have successfully been applied to the homomorphic evaluation of AES to study several state-of-the-art symmetric block ciphers (namely CLEFIA, PRESENT, PRINCE, SIMON, SKINNY). That is to say, we implement a representative set of symmetric block ciphers using TFHE. These implementations allow us to compare the efficiency of this set of symmetric schemes and to categorize them. We highlight the characteristics of block ciphers that are fast to execute in the homomorphic domain and those that are particularly costly. Finally, this classification of operation types enables us to sketch out what the ideal block cipher for transciphering homomorphic data in integer mode might look like.

Event date: 8 October to 9 October 2025
Submission deadline: 1 July 2025
Notification: 23 August 2025

The Augot-Finiasz system is a public-key encryption (PKE) scheme based on Reed-Solomon codes and was later followed by analogous versions in the rank metric. Although these schemes were eventually broken, their fundamental idea remains exciting. Notably, these schemes are significantly different from the McEliece system as there is no need to hide the code and, as such, promise much better parameters. Further, they admit a simple description where both the public key and ciphertext are just corrupted codewords of a public code. An interesting question is whether the general idea can be made to work, i.e., resist all known attacks, by using other code classes. This paper shows how to generalize the Augot-Finiasz system to other code families. We reduce the correctness and security of this framework to simple assertions about the code class with which it is instantiated. Specifically, its correctness is equivalent to the existence of an efficient error-erasure decoder, and its security reduces to an easily understood hardness assumption, called "supercode decoding", close to the syndrome decoding problem.

In the $k$-Orthogonal Vectors ($k$-OV) problem we are given $k$ sets, each containing $n$ binary vectors of dimension $d=n^{o(1)}$, and our goal is to pick one vector from each set so that at each coordinate at least one vector has a zero. It is a central problem in fine-grained complexity, conjectured to require $n^{k-o(1)}$ time in the worst case.

We propose a way to plant a solution among vectors with i.i.d. $p$-biased entries, for appropriately chosen $p$, so that the planted solution is the unique one. Our conjecture is that the resulting $k$-OV instances still require time $n^{k-o(1)}$ to solve, on average.

Our planted distribution has the property that any subset of strictly less than $k$ vectors has the same marginal distribution as in the model distribution, consisting of i.i.d. $p$-biased random vectors. We use this property to give average-case search-to-decision reductions for $k$-OV.

For very long messages, the reliable broadcast protocol with the best communication complexity to date is the Minicast protocol of Locher & Shoup [2024]. To reliably broadcast a message $m$ to $n$ parties, Minicast has communication complexity $\sim 1.5 |m| n$, when $|m|$ is large. However, the round complexity of Minicast is 4, which is worse than the 3 rounds of the classical protocol of Bracha. We give a new reliable broadcast protocol whose communication complexity is essentially the same as that of Minicast, but whose round complexity is just 3. Like Minicast, our new protocol does not rely on any cryptography other than hash functions. We also give a new 2-round protocol that relies on signatures. For large $|m|$, its communication complexity is also $\sim 1.5 |m| n$, unless the sender provably misbehaves, in which case its communication complexity may degrade to at most $\sim 2 |m| n$.

One-way functions (OWFs) form the foundation of modern cryptography, yet their unconditional existence remains a major open question. In this work, we study this question by exploring its relation to lossy reductions, i.e., reductions $R$ for which it holds that $I(X;R(X)) \ll n$ for all distributions $X$ over inputs of size $n$. Our main result is that either OWFs exist or any lossy reduction for any promise problem $\Pi$ runs in time $2^{\Omega(\log\tau_\Pi / \log\log n)}$, where $\tau_\Pi(n)$ is the infimum of the runtime of all (worst-case) solvers of $\Pi$ on instances of size $n$. More precisely, by having a reduction with a better runtime, for an arbitrary promise problem $\Pi$, and by using a non-uniform advice, we construct (a family of) OWFs. In fact, our result requires a milder condition, that $R$ is lossy for sparse uniform distributions (which we call mild-lossiness). It also extends to $f$-reductions as long as $f$ is a non-constant permutation-invariant Boolean function, which includes $\text{And-, Or-, Maj-, Parity-}$, $\text{Mod}_k$-, and $\text{Threshold}_k$-reductions.

Additionally, we show that worst-case to average-case Karp reductions and randomized encodings are special cases of mild-lossy reductions and improve the runtime above as $2^{\Omega(\log \tau_\Pi)}$ when these mappings are considered. Restricting to weak fine-grained OWFs, this runtime can be further improved as $\Omega(\tau_\Pi)$. Intuitively, the latter asserts that if weak fine-grained OWFs do not exist then any instance randomization of any $\Pi$ has the same runtime (up to a constant factor) as the best worst-case solver of $\Pi$.

Taking $\Pi$ as $k\text{Sat}$, our results provide sufficient conditions under which (fine-grained) OWFs exist assuming the Exponential Time Hypothesis (ETH). Conversely, if (fine-grained) OWFs do not exist, we obtain impossibilities on instance compressions (Harnik and Naor, FOCS 2006) and instance randomizations of $k\text{Sat}$ under the ETH. Moreover, the analysis can be adapted to studying such properties of any $\text{NP}$-complete problem.

Finally, we partially extend these findings to the quantum setting; the existence of a pure quantum mildly-lossy reduction for $\Pi$ within the runtime $2^{o(\log\tau_\Pi / \log\log n)}$ implies the existence of one-way state generators, where $\tau_\Pi$ is defined with respect to quantum solvers.

Fully Homomorphic Encryption (FHE) enables arbitrary and unlimited computations directly on encrypted data. Notably, the TFHE scheme allows users to encrypt bits or small numbers (4-6 bits) and compute any univariate function using programmable bootstrapping (PBS), while simultaneously refreshing the ciphertext noise. Since both linear and non-linear functions can be evaluated using PBS, it is possible to compute arbitrary functions and circuits of unlimited depth without any accuracy loss. Nevertheless, a major limitation of TFHE, compared to other FHE schemes, is that it operates on a single ciphertext at a time, and the underlying message size remains small. For larger messages with longer bit sizes, the execution overhead of PBS grows exponentially with the number of message bits. A recent approach, called Without-padding PBS (WoPBS), enables computation of much larger lookup tables (10-28 bits), with the execution cost scaling linearly with the number of message bits. The significant encoding mismatch between the PBS and WoPBS, however, complicates the use of both approaches within the same circuit execution.

In this work, we introduce novel switching algorithms that enable ciphertexts to be converted back and forth between the PBS and WoPBS contexts without impacting the input noise. Moreover, we introduce a new method to bootstrap ciphertexts within the WoPBS context, allowing for unlimited XOR operations at negligible cost. To enhance runtime, we further introduce optimized parameters for both contexts. We validate our techniques through the homomorphic evaluation of AES encryption and decryption, demonstrating transciphering applications that outperform related works.

This whitepaper introduces Clementine, a secure, collateral-efficient, trust-minimized, and scalable Bitcoin bridge based on BitVM2 that enables withdrawals from rollups or other side systems to Bitcoin. Clementine proposes a new Bitcoin light client that remains secure against adversaries controlling less than 50% of Bitcoin’s hash rate, assuming at least one honest Watchtower in a permissioned set. The protocol is collateral-efficient, reusing locked funds over time and reducing unnecessary dust outputs through the strategic use of 0-value outputs, and scalable, enabling a single challenge per Operator to slash multiple misbehaviors. This increases throughput and reduces on-chain load without compromising security. Clementine enables trust-minimized and efficient peg-outs from Citrea to Bitcoin, making zk-rollups on Bitcoin practical and unlocking new paths for native scalability and interoperability.

We are seeking to recruit a researcher for an interdisciplinary project on notions of "explainability" in the context of side channel evaluations (considering technical approaches used in both FIPS style as well as CC style evaluations).

The project will run up to three years. It will require a mix of technical skills (we wish to propose and evaluate novel approaches to gather evidence for/against security of implementations given access to side channels) as well as an interest in developing social science research methodologies (we plan to engage with evaluation labs but also vendors to research useful notions of "explainable leakage").

The project will be co-supervised by Prof. Elisabeth Oswald and Prof. Katharina Kinder-Kurlanda; both situated in the interdisciplinary Digital Age Research Centre at the University of Klagenfurt (Austria).

We seek applicants with a mathematical/technical background. For applicants wishing to pursue a PhD, we expect that they have done a MSc/Bsc thesis on side channels/faults with a practical focus. For applicants who already possess a PhD, we expect a strong track record in applied cryptography with some publications in the area of side channels/faults in top venues.

The post holder will be expected to work in Klagenfurt (Austria), and to be able to do short term visits to evaluation labs/vendors throughout Europe.

In order to apply, please send a short CV, including your scientific outputs (e.g. papers, talks, seminars, open source artefacts, etc.), as a single pdf file to [email protected]. If you have questions, or wish to discuss informally, please contact Elisabeth Oswald.

We will review applications as they arrive and invite potentially suitable candidates for an online interview as soon as possible, with the intention to fill the post once a suitable candidate has been identified.

Closing date for applications:

Contact: Elisabeth Oswald (Elisabeth.Oswald AT aau.at)

The Young Investigator Group “COSYS - Control Systems and Cyber Security Lab” at the Chair of IT Security at the Brandenburg University of Technology Cottbus-Senftenberg has an open PhD/Postdoc position in the following areas:

AI-based Network Attack Detection and Simulation.

AI-enabled Penetration Testing.

Privacy-Enhancing Technologies in Cyber-Physical Systems.

The available position is funded as 100% TV-L E13 tariff in Germany and limited until 31.07.2026, with possibility for extension. Candidates must hold a Master’s degree (PhD degree for Postdocs) or equivalent in Computer Science or related disciplines, or be close to completing it. If you are interested, please send your CV, transcript of records from your Master studies, and an electronic version of your Master's thesis (if possible), as a single pdf file. Applications will be reviewed until the position is filled.

Closing date for applications:

Contact: Ivan Pryvalov ([email protected])

Postdoctoral Research Position at Shaoxing University Annual Salary: 300,000 RMB Requirements: Candidates must have a background in cybersecurity and smart cities. Submit 3 recent first-authored papers (not from special issues). Include a brief CV. Application: Email applications only to [email protected]. Shortlisted candidates will be notified for further steps. Subject Line: Postdoc Application – Cybersecurity and Smart Cities

Closing date for applications:

Contact: Mehdi Gheisari

We are looking for a motivated and talented PhD student with a passion for reinforcement learning and cybersecurity. Your main objectives will be to contribute to realistic cybersecurity benchmarks and simulators for the RL research community, develop state-of-the-art algorithms that adapt to changing threats, incorporate user models, and provide tangible performance assurance. You will investigate how to represent network environments, implement multi-agent or single-agent RL approaches, and evaluate them using realistic scenarios. Your research may have a direct real societal impact by helping to protect critical infrastructure and everyday technology users. Requirements - M.Sc. degree (completed or near completion) in Computer Science, Cyber Security, Artificial Intelligence, or a related field. - Demonstrated interest and experience (e.g., via projects, code, or publications) in reinforcement learning and/or cybersecurity. - Experience with programming (e.g., in Python, C/C++, or similar) - Proficiency in English (oral and written). - Excellent communication and collaboration skills. Are you interested in this exciting position but still have questions? Feel free to contact Dr. Ashish Sai at [email protected] or Dr. Dennis Soemers at [email protected].

Closing date for applications:

Contact: Dr. Ashish Sai ([email protected]).

More information: https://vacancies.maastrichtuniversity.nl/job/Maastricht-PhD-in-Adaptive-AI-Defense-Reinforcement-Learning-for-Cybersecurity/818657402/

Confidential Inference and Explainability: Toward Self-Diagnosis via Imaging

This PhD topic aims to jointly address privacy and explainability of decisions obtained through image analysis using a neural network. In the context of a classification task performed on a remote server, the goal is to develop approaches that ensure the confidentiality of the explanation as well as that of the input (and output) data. Preserving the privacy of data while ensuring the transparency of the model is a crucial challenge, particularly in domains such as healthcare. The objective aligns with the emerging regulatory framework on AI at the European level (AI Act). While these issues are the subject of significant research individually - whether in applied cryptography or machine learning - the combination of explainability under privacy constraints represents a new research problem. The project will seek to identify local explainability methods based on visual information or concepts that can be adapted to a privacy-preserving mode. Confidentiality may be approached through secure multi-party computation and/or homomorphic encryption. Thanks to a collaboration with the Saint-Etienne University Hospital (France), it will be possible to fine-tune the secure AI system and conduct supervised experiments on health data, aimed at enabling self-diagnosis. The experimentation may also extend to ethical and legal dimensions, through a partnership with the University of Ottawa.

PhD Location: Laboratoire Hubert Curien (LabHC), Université Jean Monnet, Saint-Etienne, France (regular meetings at the CITI Laboratory, INSA Lyon, Villeurbanne, France).

Starting date: 01/10/2025.

Expected profile: Candidates holding a degree from an engineering school or a Master 2 from a university in applied mathematics or computer science, with training in cryptography and machine learning, and proficiency in a programming language and one or more reference development libraries in one of these fields.

Send your CV, cover letter and master transcripts and give contact details of referees by 25/05/2025.

Closing date for applications:

Contact:

Thierry Fournel (LabHC, fournel(at)univ-st-etienne.fr), Clémentine Gritti (CITI, Inria, clementine.gritti(at)insa-lyon.fr) and Amaury Habrard (LabHC, Inria, amaury.habrard(at)univ-st-etienne.fr)

Authenticity-oriented (previously named as privacy-free) garbling schemes of Frederiksen et al. Eurocrypt ’15 are designed to satisfy only the authenticity criterion of Bellare et al. ACM CCS ’12, and to be more efficient compared to full-fledged garbling schemes. In this work, we improve the state-of-the-art authenticity-oriented version of half gates (HG) garbling of Zahur et al. Crypto ’15 by allowing it to be bandwidth-free if any of the input wires of an AND gate is freely settable by the garbler. Our full solution AuthOr then successfully combines the ideas from information-theoretical garbling of Kondi and Patra Crypto ’17 and the HG garbling-based scheme that we obtained. AuthOr has a lower communication cost (i.e. garbled circuit or GC size) than HG garbling without any further security assumption. Theoretically, AuthOr’s GC size reduction over HG garbling lies in the range between 0 to 100%, and the exact improvement depends on the circuit structure. We have implemented our scheme and conducted tests on various circuits that are constructed by independent researchers. Our experimental results show that in practice, the GC size gain may be up to roughly 98%.

We propose BLASter, a proof of concept LLL implementation that demonstrates the practicality of multiple theoretical improvements. The implementation uses the segmentation strategy from Neumaier–Stehlé (ISSAC 2016), parallelism and Seysen's reduction that was proposed by Kirchner–Espitau–Fouque (CRYPTO 2021) and implemented in OptLLL, and the BLAS library for linear algebra operations. It consists of only 1000 significant lines of C++ and Python code, and is made publicly available.

For q-ary lattices that fplll can handle without multiprecision (dimension <180), BLASter is considerably faster than fplll, OptLLL and Ryan–Heninger's flatter (CRYPTO 2023), without degrading output reduction quality. Thanks to Seysen's reduction it can further handle larger dimension without resorting to multiprecision, making it more than 10x faster than flatter and OptLLL, and 100x faster than fplll in dimensions 256 to 1024.

It further includes segmented BKZ and segmented deep-LLL variants. The latter provides bases as good as BKZ-15 and has a runtime that is only a couple of times more than our LLL baseline.

This remains a proof of concept: the effective use of higher precision — which is needed to handle \(\textit{all}\) lattices — has further obstacles and is left for future work. Still, this work contains many lessons learned, and is meant to motivate and guide the development of a robust and modern lattice reduction library, which shall be much faster than fplll.

At CANS 2024, Zbudila et al. presented MaSTer, a maliciously secure multi-party computation protocol for truncation. It allows adversaries to manipulate outputs with a bounded additive error while avoiding detection with a certain probability. In this work, we analyse the broader implications of adversarial exploitation in probabilistic truncation protocols, specifically in relation to MaSTer. We propose three attack strategies aimed at inducing misclassification in deep neural network (DNN) inference. Our empirical evaluation across multiple datasets demonstrates that while adversarial influence remains negligible under realistic constraints, certain configurations and network architectures exhibit increased vulnerability. By improving the understanding of the risks associated with probabilistic truncation protocols in privacy-preserving machine learning, our work demonstrates that the MaSTer protocol is robust in realistic settings.