Browse Proceedings

We present an end-to-end (equivalent) key recovery attack on the Dilithium lattice-based signature scheme, one of the winners of the NIST postquantum cryptography competition. The attack is based on a small side-channel leakage we identified in a ...

Lattice-based cryptography has attracted a great deal of attention due to the standardization of Post-Quantum Cryptography by the National Institute of Standards and Technology (NIST). The Ring-Learning with Error (Ring-LWE) problem is one of the ...$$$\mathfrak{}$$\mathfrak{}$${}^{\mathrm{}}$$\mathfrak{}$$\mathfrak{}{\mathbb{}}_{{}^{}}$${}^{\mathrm{}}$${}^{\mathrm{}}$${}^{\mathrm{}}$${}^{\mathrm{}}$${}^{\mathrm{}}$$\mathrm{}\mathrm{}$

We revisit and improve performance of arithmetic in the binary GLS254 curve by introducing the 2DT-GLS scalar multiplication algorithm. The algorithm includes theoretical and practice-oriented contributions of potential independent interest: (i) ...$\mathrm{}$$\mathrm{}$

This paper considers the security of CRAFT and WARP. We present a practical key-recovery attack on full-round CRAFT in the related-key setting with only one differential characteristic, and the theoretical time complexity of the attack is $2^{36.09}$ ...${\mathrm{}}^{\mathrm{}}$

Troika is a sponge-based hash function designed by Kölbl, Tischhauser, Bogdanov and Derbez in 2019. Its specificity is that it is defined over ${\mathbb{F}}_3$ in order to be used inside IOTA’s distributed ledger but could also serve in all settings requiring ...${\mathbb{}}_{\mathrm{}}$

Differential-Linear (DL) cryptanalysis is a well known cryptanalytic technique that combines differential and linear cryptanalysis. Over the years, multiple techniques were proposed to increase its strength. Two recent ones are: The partitioning ...

In rank-metric cryptography, a vector from a finite dimensional linear space over a finite field is viewed as the linear space spanned by its entries. The rank decoding problem which is the analogue of the problem of decoding a random linear code ...

We investigate how users of instant messaging (IM) services can acquire strong encryption keys to back up their messages and media with strong cryptographic guarantees. Many IM users regularly change their devices and use multiple devices ...

Circuit-based private set intersection (circuit-PSI) enables two parties with input set X and Y to compute a function f over the intersection set $X\cap Y$, without revealing any other information. State-of-the-art protocols for circuit-PSI commonly ...${\mathrm{}}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$

This work focuses on concrete cryptanalysis of the isogeny-based cryptosystems SIDH/SIKE under realistic memory/storage constraints. More precisely, we are solving the problem of finding an isogeny of a given smooth degree between two given ...

Recent works have started side-channel analysis on SIKE and show the vulnerability of isogeny-based systems to zero-value attacks. In this work, we expand on such attacks by analyzing the behavior of the zero curve $E_0$ and six curve $E_6$ in CSIDH and ...

In this article, we prove a generic lower bound on the number of $\mathfrak{O}$-orientable supersingular curves over ${\mathbb{F}}_{p^2}$, i.e. curves that admit an embedding of the quadratic order $\mathfrak{O}$ inside their endomorphism ring. Prior to this work, the only known effective ...

Impossible differential (ID) cryptanalysis is one of the most important attacks on block ciphers. The Mixed Integer Linear Programming (MILP) model is a popular method to determine whether a specific difference pair is an ID. Unfortunately, due to ...${\mathrm{}}^{\mathrm{}}$

The block cipher LowMC was proposed by Albrecht et al. at EUROCRYPT 2015 for a low multiplicative complexity. Over the years, LowMC has been receiving widespread cryptanalytic attention. Recently, the digital signature scheme PICNIC3, an ...

Since Chow et al. introduced white-box cryptography with a white-box implementation of the AES block cipher in 2002, a few attacks and improvements on Chow et al.’s white-box AES implementation have been presented, particularly Lepoint et al. gave ...${\mathrm{}}^{\mathrm{}}$${\mathrm{}}^{\mathrm{}}$

Recently, Biryukov et al. presented a new technique for key recovery in differential cryptanalysis, called meet-in-the-filter (MiF). In this work, we develop theoretical and practical aspects of the technique, which helps understanding and ...

This paper presents a heuristic approach to searching the key recovery-friendly distinguishers for block ciphers, which aims to attack more rounds with lower complexities. Firstly, we construct an SAT model to search for a set of distinguishers ...$\mathtt{}$$\mathtt{}$

We propose a variant of the CGL hash algorithm [5] that is significantly faster than the original algorithm, and prove that it is preimage and collision resistant. For $n=logp$ where p is the characteristic of the finite field, the performance ratio ...$\mathrm{}\mathrm{}\mathrm{}\mathrm{}$${}^{\frac{\mathrm{}}{\mathrm{}}}$

We say a public-key encryption is plaintext-extractable in the random oracle model if there exists an algorithm that given access to the input/output of all queries to the random oracles can simulate the decryption oracle. We argue that the ...

The pseudorandom function Farfalle, proposed by Bertoni et al. at ToSC 2017, is a permutation based arbitrary length input and output PRF. At its core are the public permutations and feedback shift register based rolling functions. Being an ...$$