Cybersecurity
Day 1 (Tuesday 22 April) @ 13:45–15:15
Edoardo Persichetti (Florida Atlantic University)
On Practical Post-Quantum Signatures from the Code Equivalence Problem
The design of secure post-quantum digital signatures is a particularly important and current topic, especially considering the presence of initiatives such as NIST’s call for proposals. While lattice-based designs offer intriguing solutions (some of which were recently standardised), NIST itself expressed the desire for alternatives, based on different security assumptions. Code-based signatures are historically challenging to design, due to the intrinsic nature of the Hamming metric, and the syndrome decoding problem; however, a recent approach exploiting the notion of code equivalence offers an interesting alternative. In this talk, we briefly summarise the state of the art, introduce the LESS signature scheme, and then present recent developments which greatly contribute to making it one of the most promising code-based signature schemes in the literature.

Lejla Batina (Radboud University)
Side channels strike back: All AI you need for side-channel analysis and vice versa
Cryptography is considered to be the cornerstone of secure systems, but its implementations are often vulnerable to side-channel analysis (SCA). Side-channel analysis has become one of the most common causes for security failures in the real world today. In this talk, I will first survey side-channel analysis attacks on implementations of cryptography and countermeasures. Second, we will see how machine learning and AI have changed the practical cryptography landscape and attackers’ capabilities in particular. In the end, I will discuss the other direction in this AI-SCA interplay, i.e. the way side-channel analysis threatens AI implementations on embedded devices.

Wouter Castryck (KU Leuven)
Hash functions from superspecial principally polarized abelian surfaces (probably) require a trusted set-up
Charles, Goren and Lauter in 2006 proposed a cryptographic hash function, based on walks in the ℓ-isogeny graph of supersingular elliptic curves in large characteristic p. In 2016 Eisenträger et al. showed that such hash functions allow for an efficient computation of second pre-images as soon as the endomorphism ring of the starting vertex is known. Since all known methods for constructing supersingular elliptic curves implicitly leak the endomorphism ring, secure instantiations of the CGL hash function should be set up by a trusted party, who does not reveal how the starting vertex was generated. In this talk I will present a similar result for hash functions from (ℓ, ℓ)-isogenies between superspecial principally polarized abelian surfaces in characteristic p: if the principal polarization on the starting surface is sufficiently well-understood, then collisions can be produced in polynomial time. It is likely that all known methods for generating such a starting surface implicitly reveal this information, so it seems that, here again, a trusted set-up is needed. This is joint work with Thomas Decru, Péter Kutas, Abel Laval, Christophe Petit and Yan Bo Ti.
