ALMASTY seminar

This page gives the program of the ALMASTY seminar and the joint Parisian cryptography seminar (currently organized by the CASCADE team).

Upcoming talks

Wednesday, Apr 8, 2026 - 10:00 - 25-26/105
Julia Sauvage
Security analysis of cryptographic algorithms based on structured polynomial systems

(PhD Defense)

Tuesday, Apr 14, 2026 - 10:30 - 24-25/509
Dung Bui
Critical Rounds in Multi-Round Proofs: Proof of Partial Knowledge and Trapdoor Commitments

(ALMASTY Seminar)

Zero-knowledge simulators, initially developed for proving the security of proof systems, also turned out to be useful in constructing advanced protocols from simple three-move interactive proofs. However, in the context of multi-round public-coin protocols, the interfaces of these auxiliary algorithms become more complex, introducing a range of technical challenges that hinder the generalization of these constructions.

We introduce a framework to enhance the usability of zero-knowledge simulators in multi-round argument systems for protocol designs. Critical-round zero-knowledge relies on the ability to perform complete zero-knowledge simulations by knowing the challenge of just one specific round in advance. We show that these notions are satisfied by diverse protocols based on MPC-in-the-Head, interactive oracle proofs, and split-and-fold arguments.

We demonstrate the usefulness of the critical round framework by constructing proofs of partial knowledge (Cramer, Damgård, and Schoenmakers, CRYPTO’94) and trapdoor commitments (Damgård, CRYPTO’89) from critical-round multi-round proofs.

(IACR Eprint)

Tuesday, Apr 28, 2026 - 10:30 - 24-25/405
Thomas Prest
TBD

(ALMASTY Seminar)

Tuesday, May 5, 2026 - 10:30 - 24-25/405
Victor Normand
Masked Circuit Compiler in the Cardinal Random Probing Composability Framework

(ALMASTY Seminar)

Designing practically secure masked circuits remains a central problem in the field of cryptographic implementation. While most masking schemes have been proven secure in the classical probing model, this model fails to capture more advanced side-channel attacks such as horizontal attacks. In recent years, the community has shifted toward the more realistic random probing model, which offers stronger guarantees. Yet, balancing strong security with practical efficiency continues to be a significant challenge. In this presentation, I will introduce new tools and constructions that significantly improve the design and analysis of random probing secure circuits. First, I will formalize new security notions that combine the benefits of cardinal and general Random Probing Composability (RPC), two recently introduced notions enabling more flexible and efficient composition of secure gadgets. I will then show how uniformly random permutations can be applied to transform any cardinal or general RPC gadget into a so-called uniformly cardinal RPC gadget, thereby enhancing security at low cost. Using these techniques, I will present the first non-linear multiplication gadget, inspired by the recursive construction from CHES 2016, that achieves concrete cardinal RPC security. I will provide a detailed comparison with state-of-the-art multiplication gadgets in terms of both random probing advantage and implementation complexity. Building upon this gadget, I will propose a tighter random probing compiler that strategically uses permutations to improve security bounds while preserving efficiency. Finally, I will apply this compiler to the AES and demonstrate improved performance and security compared to existing methods.

Tuesday, May 19, 2026 - 10:30 - 24-25/405
Ahmed Alharbi
TBD

(ALMASTY Seminar)

Tuesday, May 26, 2026 - 10:30 - 24-25/405
Christina Boura
Cryptanalysis of neural networks

(ALMASTY Seminar)

Tuesday, May 26, 2026 - 10:30 - 24-25/405
Pierre Galissant
Exploring the Set of APN Functions in Practice

(ALMASTY Seminar)

Functions that have optimal resistance to differential attacks are called Almost Perfect Nonlinear (APN). While defining APN functions is straightforward, discovering new ones with specific properties remains a challenging task. For example, it is still unknown whether an 8-bit APN bijection exists. The only known APN bijection in even dimension is the Dillon permutation in dimension 6, which was found by exploring the CCZ-equivalence class of a known quadratic APN function, the Kim mapping. However, few techniques exist that allow one to move beyond the CCZ-class of known functions. One such method, switching neighbours, was successfully used by Edel and Pott to construct a 6-bit APN function that is not CCZ-equivalent to any quadratic one. To this day, the functions in the CCZ-class of this function are the only known functions in dimension 6 that are not equivalent to a quadratic one. Recently, Beierle et al. computed more than 3.8 million CCZ-inequivalent quadratic functions in dimension 8. This raises the following question: with such an amount of quadratic functions as a starting point, is it possible to replicate the successes of Dillon or Edel and Pott in dimension 8?

In this presentation, we investigate known structures in the set of APN functions by establishing new results about the structure of the CCZ-equivalence class of APN functions, in particular quadratic ones, and new results about the structure of the set of switching neighbours. These advances allow us to build a database containing exactly one representative of each extended-affine class of 6-bit and 7-bit APN functions. Our theoretical and algorithmic improvements regarding switching neighbours make it possible to efficiently compute all switching neighbours of 6-bit and 7-bit functions, though no new APN functions were identified in this process. Nonetheless, these techniques allowed us to exhaustively compute all switching neighbours of the 3.8 million 8-bit quadratic functions in less than a day of computation, among which we report new functions. The implementations used for these computations are publicly available in the sboxU library.
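The abstract above defines APN functions through their differential behaviour and contrasts APN-ness with bijectivity in even dimension. The following block, added here and not part of the seminar page or of the sboxU library mentioned in the talk, makes the definition concrete: it computes the differential uniformity δ(F) = max over a ≠ 0 and b of #{x : F(x ⊕ a) ⊕ F(x) = b} for power maps over GF(2^n), checks bijectivity, and verifies that adding a GF(2)-linear map (one step of extended-affine equivalence) leaves δ unchanged. The field representations (the moduli x^5+x^2+1, x^6+x+1 and the AES polynomial x^8+x^4+x^3+x+1) and the choice of the cube and inverse maps as test functions are assumptions of this example.

```python
"""Added example: differential uniformity, APN test and bijectivity for power
maps over GF(2^n), plus a check that adding a linear map preserves delta(F)."""


def gf_mul(a, b, mod, n):
    """Carry-less multiplication in GF(2^n) = GF(2)[x]/(mod); mod has its x^n bit set."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= mod
    return r


def gf_pow(a, e, mod, n):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod, n)
        a = gf_mul(a, a, mod, n)
        e >>= 1
    return r


def power_map(e, mod, n):
    """Lookup table of F(x) = x^e for every x in GF(2^n)."""
    return [gf_pow(x, e, mod, n) for x in range(1 << n)]


def differential_uniformity(table):
    """delta(F) = max over a != 0 and b of #{x : F(x ^ a) ^ F(x) = b}; APN means delta == 2."""
    size = len(table)
    worst = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[table[x ^ a] ^ table[x]] += 1
        worst = max(worst, max(counts))
    return worst


def is_apn(table):
    return differential_uniformity(table) == 2


def is_bijection(table):
    return len(set(table)) == len(table)


def add_linear(table, c, mod, n):
    """F(x) ^ c*x: adding a GF(2)-linear map, which leaves delta(F) unchanged (EA-equivalence)."""
    return [table[x] ^ gf_mul(c, x, mod, n) for x in range(len(table))]


# Assumed field representations: (irreducible modulus with the x^n bit set, n).
F32 = (0x25, 5)     # x^5 + x^2 + 1
F64 = (0x43, 6)     # x^6 + x + 1
F256 = (0x11B, 8)   # x^8 + x^4 + x^3 + x + 1 (the AES polynomial)


def survey():
    """(delta, bijective?) for the cube map x^3 and the inverse map x^(2^n - 2) in each field."""
    out = {}
    for name, (mod, n) in (("GF(2^5)", F32), ("GF(2^6)", F64), ("GF(2^8)", F256)):
        for label, e in (("x^3", 3), ("x^-1", (1 << n) - 2)):
            t = power_map(e, mod, n)
            out[(name, label)] = (differential_uniformity(t), is_bijection(t))
    return out


if __name__ == "__main__":
    for (field, f), (delta, bij) in survey().items():
        print(f"{field:8} {f:5} delta={delta} bijection={bij}")
```

Running the survey shows the tension the talk refers to: x^3 is APN in every dimension but is a bijection only when gcd(3, 2^n - 1) = 1 (odd n), while the inverse map is always a bijection but is APN only in odd dimension and 4-uniform over GF(2^6) and GF(2^8). The `add_linear` check is the computational counterpart of the statement that differential uniformity is an invariant of the EA-class (and hence of the CCZ-class) in which the talk searches for new functions.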

Past talks (2025-2026)

Friday, Mar 13, 2026 - 10:30 - 24-25/405
Lorenzo Casalino
(On) The Impact of the Microarchitecture on Countermeasures against Side-Channel Attacks

(ALMASTY Seminar)

Although “Masking” comes with formal security guarantees against side-channel attacks, physical non-idealities (e.g., state-transitions of registers) potentially reduce the proven security.

In the context of software implementations, the physical non-idealities of a CPU, and thus the CPU's side-channel behaviour, strictly depend on the microarchitectural choices underlying the CPU.

Due to such microarchitectural non-idealities (or “effects”), researchers are actively studying approaches to deliver practically secure masked software implementations.

In this seminar, we present two orthogonal methodologies contributing to the current research efforts.

The first methodology targets a microarchitecture-dependent approach, and evaluates the use of optimising compilers to mitigate transition-based leakages in an automated manner.

The second methodology targets a microarchitecture-independent approach, and evaluates the use of masking schemes with different algebraic structures to mitigate the side-channel leakage of different microarchitectural effects.

We conclude the presentation with a summary of the current limitations and research perspectives of the two presented approaches.
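The abstract above names register state transitions as the kind of microarchitectural non-ideality that undermines the probing-model guarantee of masking, and compiler-driven scheduling as one mitigation. The block below is an added illustration, not code from the speaker or the talk: it models a single register that leaks the Hamming distance between consecutive values written to it, and compares two instruction orderings for loading the two Boolean shares of a secret byte. The leakage model, the schedules and the sample sizes are assumptions of this example.

```python
"""Added example: Hamming-distance (transition) leakage of a Boolean-masked byte.
A two-share masking s = s0 ^ s1 is first-order secure in the value-based probing
model, but writing s0 and s1 back-to-back into one register leaks HW(s0 ^ s1) = HW(s)."""
import random


def hw(x):
    return bin(x).count("1")


def share(secret, rng):
    """Two-share Boolean masking: secret = s0 ^ s1 with s0 uniformly random."""
    s0 = rng.randrange(256)
    return s0, secret ^ s0


def transition_leakage(writes):
    """Assumed leakage model: sum of HW(old ^ new) over consecutive writes to one register."""
    return sum(hw(prev ^ cur) for prev, cur in zip(writes, writes[1:]))


def naive_schedule(s0, s1):
    """Both shares loaded back-to-back into the same register."""
    return [s0, s1]


def cleared_schedule(s0, s1):
    """Compiler-style mitigation: clear the register between the two share loads."""
    return [s0, 0, s1]


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def leakage_correlation(schedule, n=4000, seed=7):
    """Correlation between HW(secret) and the transition leakage of a schedule,
    over n constructed executions with fresh random secrets and masks."""
    rng = random.Random(seed)
    hws, leaks = [], []
    for _ in range(n):
        secret = rng.randrange(256)
        s0, s1 = share(secret, rng)
        hws.append(hw(secret))
        leaks.append(transition_leakage(schedule(s0, s1)))
    return pearson(hws, leaks)


if __name__ == "__main__":
    print("naive   schedule: corr =", round(leakage_correlation(naive_schedule), 3))
    print("cleared schedule: corr =", round(leakage_correlation(cleared_schedule), 3))
```

With the naive schedule the transition HW(s0 ^ s1) equals HW(s) exactly, so the correlation is 1 in this noiseless model; clearing the register in between turns the observable into HW(s0) + HW(s1), whose mean does not depend on the secret, so the first-order correlation vanishes (the sum still depends on the secret at second order, which is why the talk's second methodology looks at the algebraic structure of the masking rather than only at scheduling).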

Friday, Feb 13, 2026 - 10:30 - 26-00/534
Joel Felderhoff
A Gaussian Leftover Hash Lemma for Modules over Number Fields

(ALMASTY Seminar)

Given a Gaussian matrix X, a Gaussian Leftover Hash Lemma (LHL) states that X*v for a Gaussian v is an essentially independent Gaussian sample. It has seen numerous applications in cryptography for hiding sensitive distributions of v. We generalise the Gaussian LHL initially stated over ℤ by Agrawal, Gentry, Halevi, and Sahai (2013) to modules over number fields. Our results have a sub-linear dependency on the degree of the number field and require only polynomial norm growth: ∥v∥/∥X∥. To this end, we also prove when X is surjective (assuming the Generalised Riemann Hypothesis) and give bounds on the smoothing parameter of the kernel of X. We also establish when the resulting distribution is independent of the geometry of X and establish the hardness of the k-SIS and k-LWE problems over modules based on the hardness of SIS and LWE over modules, which was assumed without proof in prior works.

Monday, Jan 19, 2026 - 10:30 - 24-25/405
Thibauld Feneuil
ALMASTY Reading Group

Monday, Jan 5, 2026 - 10:30 - 24-25/405
Sana Boussam
Generic-compatible distinguishers for linear regression based attacks

(ALMASTY Seminar)

Non-profiled attacks are a type of attack in which an attacker aims at retrieving secret information from any device with no prior knowledge about the leakage model characteristics. In practice, Differential Power Analysis (DPA), Correlation Power Analysis (CPA) and Linear Regression based Attacks (LRA), which are the most common non-profiled attacks, require an a priori assumption about the leakage model to be used nowadays. The development of a generic attack in which no assumptions are made about the leakage model therefore remains an open issue to this day and has been investigated for over 10 years by the side-channel community. Among all state-of-the-art non-profiled attacks, it has been shown by Whitnall et al. that the Linear Regression based Attack (LRA) corresponds to a generic attack when all predictors are considered, i.e., LRA captures the dependencies between the bits of the secret information, their interactions, and the physical traces. However, in practice, LRA cannot be carried out considering all predictors, as it is subject to multiple limitations, namely the problem of multicollinearity related to linear regression and the use of inappropriate distinguishers, as the latter lose their discriminating ability when targeting injective functions. In this talk, we aim at finding a solution to this issue and providing a significant improvement in the generic attacks research topic by proposing a novel methodology for LRA that allows one to conduct generic attacks.
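The abstract above states that an LRA run with all predictors loses its ability to distinguish key hypotheses when the targeted intermediate is an injective function. The block below is an added simulation, not code from the speaker, that makes this failure visible on a toy target. It simulates noisy Hamming-weight leakage of a 4-bit S-box output and runs an LRA with two predictor sets: the usual constant-plus-bits basis, and the full basis of one indicator per output value (which spans every function of the intermediate, i.e. "all predictors"). The S-box (PRESENT's), the leakage model, the noise level and the goodness-of-fit distinguisher (R²) are assumptions of this example.

```python
"""Added example: linear regression attack (LRA) with two predictor sets.
With a bit-level basis the correct key has the best fit; with one indicator per
output value every key hypothesis fits identically, because the S-box is a bijection
and every hypothesis merely relabels the same groups of plaintexts."""
import random

# PRESENT 4-bit S-box, a bijection (assumed target of the simulated leakage).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def bit_basis(v):
    """Constant term plus the four bits of v: the usual linear leakage model."""
    return [1.0] + [float((v >> i) & 1) for i in range(4)]


def full_basis(v):
    """One indicator per possible value of v: spans every function of v ('all predictors')."""
    return [1.0 if v == j else 0.0 for j in range(16)]


def simulate_traces(key, n=1024, seed=3, sigma=0.4):
    """Constructed data: one sample per trace, HW(SBOX[p ^ key]) plus Gaussian noise."""
    rng = random.Random(seed)
    plaintexts = [i % 16 for i in range(n)]  # every value occurs, so all fits are well defined
    rng.shuffle(plaintexts)
    leak = [bin(SBOX[p ^ key]).count("1") + rng.gauss(0.0, sigma) for p in plaintexts]
    return plaintexts, leak


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for the normal equations a*coef = b."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c] / m[c][c]
                for j in range(c, n + 1):
                    m[r][j] -= f * m[c][j]
    return [m[i][n] / m[i][i] for i in range(n)]


def r_squared(ys, xs):
    """Least-squares fit of ys on predictor rows xs; returns the coefficient of determination."""
    k = len(xs[0])
    ata = [[0.0] * k for _ in range(k)]
    atb = [0.0] * k
    for x, y in zip(xs, ys):
        for i in range(k):
            atb[i] += x[i] * y
            for j in range(k):
                ata[i][j] += x[i] * x[j]
    coef = solve(ata, atb)
    sse = sum((y - sum(c * xi for c, xi in zip(coef, x))) ** 2 for x, y in zip(xs, ys))
    mean = sum(ys) / len(ys)
    sst = sum((y - mean) ** 2 for y in ys)
    return 1.0 - sse / sst


def lra_scores(plaintexts, leak, basis):
    """R^2 of the regression model for each of the 16 key hypotheses."""
    return {k: r_squared(leak, [basis(SBOX[p ^ k]) for p in plaintexts]) for k in range(16)}


def best_key(scores):
    return max(scores, key=scores.get)


def score_spread(scores):
    """Gap between the best and worst hypothesis: zero means the distinguisher is blind."""
    return max(scores.values()) - min(scores.values())


if __name__ == "__main__":
    pts, leak = simulate_traces(key=0xA)
    bits = lra_scores(pts, leak, bit_basis)
    full = lra_scores(pts, leak, full_basis)
    print("bit basis : best key = %#x, spread = %.3f" % (best_key(bits), score_spread(bits)))
    print("full basis: best key = %#x, spread = %.3e" % (best_key(full), score_spread(full)))
```

The full-basis regression fits the per-value means of the leakage, and because the S-box is injective each key hypothesis maps the same plaintext to a different single value, so all hypotheses produce the same residual and the same R². Any distinguisher built on goodness of fit is therefore blind with all predictors on an injective target, which is the limitation the talk sets out to remove.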

Monday, Dec 15, 2025 - 10:30 - 24-25/405
Clémence Chevignard
A reduction from Hawk to the principal ideal problem in a quaternion algebra

(ALMASTY Seminar)

Hawk is a signature scheme published in 2023, whose security is based on a variant of the Lattice Isomorphism Problem, called module-LIP. In this talk, we present a polynomial time reduction from module-LIP to another mathematical problem that involves quaternion algebras. If you want to learn more about it, come to the talk :)

Monday, Dec 8, 2025 - 10:30 - 24-25/405
Mahshid Riahinia
Fast Pseudorandom Correlation Functions from Sparse LPN

(ALMASTY Seminar)

Pseudorandom Correlation Functions (PCFs) are functions that generate pseudorandom correlated strings. These correlations can then be used to speed up secure computation protocols. In this talk, I present a new and efficient pseudorandom correlation function whose security reduces to the sparse LPN assumption in the random oracle model. Our construction is the first to achieve high concrete efficiency while relying on well-established assumptions: previous candidates either required introducing new assumptions, or had poor concrete performance. We complement our result with an in-depth analysis of the sparse LPN assumption, providing new insight on how to evaluate the strength of concrete sets of parameters. Based on a joint work with Lennart Braun, Geoffroy Couteau, Kelsey Melissaris, and Elahe Sadeghi (ia.cr/2025/1644).

Monday, Dec 1, 2025 - 10:30 - 24-25/405
Thomas Legavre
ML-DSA masking sweetened with SUCRE: Shuffle-and-Unmask Countermeasure for REjection sampling

(ALMASTY Seminar)

Monday, Nov 24, 2025 - 10:30 - 24-25/405
Damien Vergnaud
ALMASTY Reading Group

Monday, Nov 17, 2025 - 10:30 - 24-25/405
Ky Nguyen
ALMASTY Reading Group

Monday, Nov 3, 2025 - 10:30 - 24-25/405
Christophe Levrat
Highway to Hull: A new algorithm solving the matrix code equivalence problem

(ALMASTY Seminar)

The matrix code equivalence (MCE) problem, which is an algorithmic problem in rank metric coding theory, is at the core of a few recent signature schemes such as MEDS and ALTEQ. Recent works by Narayanan, Qiao and Tang on the one hand and by Ran and Samardjiska on the other hand tackle specific instances of MCE. In this talk, I will introduce the MCE problem, give an overview of these existing algorithms, and present a new algorithm which deals with a much broader range of possible parameters of MCE while preserving a similar complexity. This is joint work with Alain Couvreur.

Monday, Oct 13, 2025 - 10:30 - 24-25/405
Haetham Al Aswad
Computing Discrete Logarithms in Finite Fields Faster with Galois automorphisms

(ALMASTY Seminar)

The Number Field Sieve (NFS) algorithm and its variants are the best algorithms to solve the discrete logarithm problem in finite fields. We will first take a look at how NFS works, and second, explore how Galois automorphisms can accelerate the hardest steps of NFS by quite large factors. We discuss an open problem of using Galois automorphisms of any order, and present our work that solves the problem for the two orders 6 and 12, whereas previously the only solved order was 2. Consequently, this brings acceleration factors approximately equal to 36 and 144 to one of the two hardest steps in NFS, surpassing the prior record acceleration factor of 4. The work can be found here

Prior knowledge of NFS is not required.

Monday, Sep 29, 2025 - 10:30 - 24-25/405
Ky Nguyen
Multi-Client Functional Encryption - A Closer Look at Security Models and Constructions

(ALMASTY Seminar)

Recent years have witnessed a significant development for functional encryption (FE) in the multi-user setting, particularly with multi-client functional encryption (MCFE). The challenge becomes more important when combined with access control, such as attribute-based encryption (ABE), which was actually not covered syntactically by the public-key FE nor semantically by the secret-key MCFE frameworks. On the other hand, as for complex primitives, many works have studied the admissibility of adversaries to ensure that the security model encompasses all real threats of attacks.

  1. At a conceptual level, by adding a public input to FE/MCFE, we cover many previous primitives, notably attribute-based function classes. Furthermore, with the strongest admissibility for inner-product functionality, our framework is quite versatile, as it encrypts multiple sub-vectors, allows repetitions and corruptions, and eventually also encompasses public-key FE and classical ABE, bridging the private setting of MCFE with the public setting of FE and ABE.
  2. Finally, we propose an MCFE with public inputs with the class of functions that combines inner-products (on private inputs) and attribute-based access-control (on public inputs) for LSSS policies. We achieve the first AB-MCFE for inner products with strong admissibility (from Nguyen et al., ACNS’23) and with adaptive security. In the end, our concrete MCFE leads to MIFE for inner products, public-key single-input inner-product FE with LSSS key-policy, and KP-ABE for LSSS, with adaptive security. Previous AB-MCFE constructions are either restricted in terms of weaker admissibility (Nguyen et al., ASIACRYPT’22) or considers a slightly larger functionality of attribute-weighted sum but with only selective security (Agrawal et al., CRYPTO’23).

This is based on joint work with Duong Hieu Phan (Télécom Paris) and David Pointcheval (ENS-PSL, Cosmian), available at https://eprint.iacr.org/2024/740

Monday, Sep 22, 2025 - 10:30 - 24-25/405
Mickaël Hamdad
Practical cryptanalysis of pseudorandom correlation generators based on quasi-Abelian syndrome decoding

(ALMASTY Seminar)

Quasi-Abelian Syndrome Decoding (QA-SD) is a recently introduced generalization of Ring-LPN that uses multivariate polynomial rings. As opposed to Ring-LPN, it enables the use of small finite fields such as GF(3) and GF(4). It was introduced by Bombar et al. (Crypto 2023) in order to obtain pseudorandom correlation generators for Beaver triples over small fields. This theoretical work was turned into a concrete and efficient protocol called F4OLEage by Bombar et al. (Asiacrypt 2024) that allows several parties to generate Beaver triples over GF(2).

We propose efficient algorithms to solve the decoding problem underlying the QA-SD assumption. We observe that it reduces to a sparse multivariate polynomial interpolation problem over a small finite field where the adversary only has access to random evaluation points, a blind spot in the otherwise rich landscape of sparse multivariate interpolation. We develop new algorithms for this problem: using simple techniques we interpolate polynomials with up to two monomials. By sending the problem to the field of complex numbers and using convex optimization techniques inspired by the field of "compressed sensing", we can interpolate polynomials with more terms.

This enables us to break in practice parameters proposed by Bombar et al. at Crypto’23 and Asiacrypt’24 as well as Li et al. at Eurocrypt’25 (IACR flagship conferences Grand Slam). In the case of the F4OLEage protocol, our implementation recovers all the secrets in a few hours with probability 60%. This not only invalidates the security proofs, but it yields real-life privacy attacks against multiparty protocols using the Beaver triples generated by the broken pseudorandom correlation generators.

Monday, Sep 15, 2025 - 14:30 - 25-26/105
Samuel Bouaziz--Ermann
Cryptographic Primitives in Quantum Idealized Models

(PhD Defense)

In this thesis, we study both classical and quantum cryptography within idealized quantum models. Previous work has shown that quantum resources can be used to construct cryptographic tasks that are proven or conjectured to be impossible in the classical setting. Here, we first prove lower bounds on the efficiency of any quantum algorithm that finds a subset-cover of a random function, a problem that has been conjectured to be hard for assessing the security of the post-quantum digital signature scheme SPHINCS+. Next, we extend existing impossibility results for constructing public-key encryption schemes in the quantum random oracle model by showing that a more general type of public-key encryption does not exist in this model. We then study quantum assumptions for cryptography that appear weaker than one-way functions, namely quantum pseudorandomness, and its relationship to quantum public key encryption and signature schemes, both clarifying and improving upon prior constructions and impossibility proofs. Finally, we establish the importance of the size of pseudorandomness by proving that quantum pseudorandomness cannot be shrunk, and we make progress toward showing that it cannot be amplified.

Previous years: (2021-2022) (2022-2023) (2023-2024) (2024-2025)