COSIC
@cosic

COSIC provides broad expertise in digital security and strives for innovative security solutions. COSIC is headed by Bart Preneel. https://www.esat.kuleuven.be/cosic/

311 Followers · 41 Following · 845 Posts · Joined 12.09.2023

Latest posts by COSIC @cosic

Abstract. Recent work at Eurocrypt 2025 by Basso and Maino introduced POKÉ, an isogeny-based public key encryption (PKE) scheme. POKÉ shows how two parties can derive a shared secret on a higher-dimensional, SIDH-like commutative diagram via basis evaluations, giving the fastest isogeny-based PKE to date with performance comparable to the original SIDH.

In this paper we present PIKE, a new isogeny-based PKE obtained by tweaking the POKÉ design. Our key change is to use pairings to derive the shared secret while preserving post-quantum security. This brings two benefits: (i) decryption is directly faster, and (ii) by relaxing the required prime form, we can choose smaller primes, further improving overall runtime.

We provide a proof-of-concept implementation in SageMath. Under the NIST I setting, our benchmarks show speedups of 1.30× (key generation), 1.24× (encryption), and 1.47× (decryption) over POKÉ, while maintaining competitive public key and ciphertext sizes. In addition, we provide a C implementation. The encryption and decryption take 53 Mcycles (23 ms) and 34 Mcycles (15 ms) on an Intel i7 2.3 GHz CPU, respectively.

PIKE: Faster Isogeny-Based Public Key Encryption with Pairing-Assisted Decryption (Shiping Cai, Mingjie Chen, Yi-Fu Lai, Kaizhan Lin) ia.cr/2026/473

08.03.2026 00:18 👍 2 🔁 2 💬 0 📌 0
Abstract. LESS is a digital signature scheme that is currently in the second round of the National Institute of Standards and Technology's (NIST's) ongoing additional call for post-quantum standardization. LESS has been designed using a zero-knowledge identification scheme with a Fiat-Shamir transformation. The design of LESS is based on the hardness of the linear equivalence problem. However, the designers updated the scheme in the second round to improve efficiency and signature size. As we have seen before, in the NIST standardization process, analysis of physical security attacks such as side-channel and fault-injection attacks is considered nearly as important as mathematical security. In recent years, several works have appeared on LESS version 1 (LESS-v1). Among these, the work by Mondal et al. that appeared in Asiacrypt-2024 is most notable. This work showed several attack surfaces on LESS-v1 that can be exploited using different fault attacks. However, the implementation of LESS version 2 (LESS-v2) has not yet been explored in this direction.

In this work, we analyze the new structure of the LESS-v2 signature scheme and propose a process of signature forgery. These techniques do not require the full signing key, but some other secret-related information. Our attacks uncovered multiple such attack surfaces in the design of LESS-v2 from where we can recover this secret-related information. We assume an adversary can use interrupted execution techniques, such as fault attacks, to recover this extra information. We have analyzed the average number of required faults for two particular fault models to recover the secret equivalent component and observed that we need only 1 faulted signature for most of the parameter sets. Our attacks rely on very simple and standard fault models. We demonstrated these using both simulation and a simple experimental setup.

Fault to Forge: Fault Assisted Forging Attacks on LESS Signature Scheme (Puja Mondal, Suparna Kundu, Hikaru Nishiyama, Supriya Adhikary, Daisuke Fujimoto, Yuichi Hayashi, Angshuman Karmakar) ia.cr/2025/1838

08.10.2025 03:36 👍 1 🔁 1 💬 0 📌 0
Abstract. PhotoDNA is a widely deployed perceptual hash function used for the detection of illicit content such as Child Sexual Abuse Material (CSAM). This paper presents the first mathematical description of Alleged PhotoDNA, a new function which has identical outputs to that of PhotoDNA for a large database of test images. From this description, several design weaknesses are identified: the algorithm is piece-wise linear and differentiable, the hash value only depends on the sum of the RGB values of each pixel, and it is trivial to find images with hash value equal to all zeroes. The paper further demonstrates that gradient-based optimization techniques and quadratic programming can exploit the mathematical weaknesses of Alleged PhotoDNA and PhotoDNA to produce visually appealing exact collisions and second preimages; for near-collisions and near-second-preimages the image quality can be further improved. The same techniques can be used to recover the rough shapes of an image from its hash value, disproving the claim from the designer that PhotoDNA is irreversible. Finally, it is also shown that it is easy to produce high-quality perceptually identical images with a hash value that is far from the original image, allowing detection to be avoided. We have implemented our attacks on a large set of varied images and we have tested them on both Alleged PhotoDNA and PhotoDNA. Our attacks have success rates close to or equal to 100% and run in seconds or minutes on a personal laptop; they present a substantial improvement over earlier work that requires hours on parallel machines and that results only in near-collisions. We believe that with additional optimization of the parameters, the image quality and/or the attack performance can be further improved.
Our work demonstrates that PhotoDNA is unreliable for the detection of illicit content: it is easy to incriminate someone by sending them false content with a hash value close to illicit content (a false positive) and to avoid detection of illicit content with minimal modifications to an image (a false negative). False positives and leakage of information are particularly problematic in a Client Side Scanning (CSS) scenario as envisaged by several countries, where large hash databases would be stored on every user device and billions of images would be hashed with PhotoDNA every day. Overall, our research casts serious doubts on the suitability of PhotoDNA for the large-scale detection of illicit content.

White-Box Attacks on PhotoDNA Perceptual Hash Function (Maxime Deryck, Diane Leblanc-Albarel, Bart Preneel) ia.cr/2026/486

11.03.2026 03:41 👍 2 🔁 1 💬 0 📌 0
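As an added illustration (not code from the paper or from COSIC's post), the script below builds a constructed toy perceptual hash that has the three properties the abstract names: it is linear, it sees only R+G+B per pixel, and flat images hash to all zeroes. It then shows how each property is abused: an exact collision by swapping colour channels, a zero-hash image, and a second preimage of an unrelated image found by gradient descent on the hash. PhotoDNA itself is not implemented here; the image size, block size, sample images and the difference-of-block-sums hash are all made up for the demo.

```python
"""Toy linear perceptual hash with the weaknesses named in the abstract.

Constructed illustration, not PhotoDNA: the hash is linear (block-sum
differences), sees only R+G+B per pixel, and maps flat images to all zeroes.
Image size, block size and the sample images are made up for the demo.
"""
from typing import List, Sequence, Tuple

W = 8                 # toy image is W x W pixels
BLOCK = 2             # block size: 8x8 image -> 4x4 grid of block sums
GRID = W // BLOCK
N_FEATURES = 2 * GRID * (GRID - 1)   # horizontal + vertical block differences

Lum = List[List[float]]                   # per-pixel R+G+B, real-valued
Rgb = List[List[Tuple[int, int, int]]]

def rgb_to_lum(img: Rgb) -> Lum:
    """Only the channel sum reaches the hash (sum-of-RGB dependence)."""
    return [[float(r + g + b) for (r, g, b) in row] for row in img]

def toy_hash(lum: Lum) -> List[float]:
    """Linear hash: differences between sums of neighbouring blocks."""
    s = [[sum(lum[y][x]
              for y in range(by * BLOCK, (by + 1) * BLOCK)
              for x in range(bx * BLOCK, (bx + 1) * BLOCK))
          for bx in range(GRID)] for by in range(GRID)]
    h = [s[y][x + 1] - s[y][x] for y in range(GRID) for x in range(GRID - 1)]
    h += [s[y + 1][x] - s[y][x] for y in range(GRID - 1) for x in range(GRID)]
    return h

def hash_rgb(img: Rgb) -> List[float]:
    return toy_hash(rgb_to_lum(img))

def swap_channels(img: Rgb) -> Rgb:
    """Swapping R and B changes the picture but not a single R+G+B sum."""
    return [[(b, g, r) for (r, g, b) in row] for row in img]

def flat_image(value: int) -> Rgb:
    return [[(value, value, value)] * W for _ in range(W)]

def jacobian_columns() -> List[List[float]]:
    """The hash is linear, so hashing each unit-pixel image yields its exact
    Jacobian, one column of N_FEATURES entries per pixel."""
    cols = []
    for i in range(W * W):
        unit = [[0.0] * W for _ in range(W)]
        unit[i // W][i % W] = 1.0
        cols.append(toy_hash(unit))
    return cols

def second_preimage(target: Sequence[float], start: Lum, iters: int = 3000) -> Lum:
    """Gradient descent on ||toy_hash(x) - target||^2 starting from `start`.

    The loss is a convex quadratic; the step 1/||J||_F^2 is below
    1/lambda_max(J^T J), so the iteration converges, and because `target` is a
    genuine hash value the residual tends to zero. Directions the hash cannot
    see (its null space) stay as in `start`, which is why the result is a
    second preimage rather than a copy of the target image."""
    cols = jacobian_columns()
    step = 1.0 / sum(v * v for col in cols for v in col)
    x = [row[:] for row in start]
    for _ in range(iters):
        resid = [h - t for h, t in zip(toy_hash(x), target)]
        for i, col in enumerate(cols):
            grad_i = sum(c * r for c, r in zip(col, resid))
            x[i // W][i % W] -= step * grad_i
    return x

def hash_distance(a: Sequence[float], b: Sequence[float]) -> float:
    return max(abs(u - v) for u, v in zip(a, b))

# Constructed sample images: a red square on black, and an unrelated gradient.
SQUARE: Rgb = [[(200, 0, 0) if 2 <= x < 6 and 2 <= y < 6 else (0, 0, 0)
                for x in range(W)] for y in range(W)]
GRADIENT: Rgb = [[(30 * x, 10 * y, 5 * (x + y)) for x in range(W)] for y in range(W)]

def collision_demo() -> bool:
    """A blue square and a red square hash identically: an exact collision."""
    return hash_rgb(SQUARE) == hash_rgb(swap_channels(SQUARE))

def zero_hash_demo() -> bool:
    """Any flat image hashes to all zeroes."""
    return all(v == 0.0 for v in hash_rgb(flat_image(123)))

def second_preimage_demo() -> float:
    """Push the gradient image onto the square's hash; returns the remaining
    max hash distance (zero up to floating-point error)."""
    forged = second_preimage(hash_rgb(SQUARE), rgb_to_lum(GRADIENT))
    return hash_distance(toy_hash(forged), hash_rgb(SQUARE))

if __name__ == "__main__":
    print(collision_demo(), zero_hash_demo(), second_preimage_demo())
```

The second-preimage search works on the real-valued luminance plane; a real attack would additionally round back to 8-bit RGB, which for a linear hash only costs a bounded error that the quadratic-programming step in the paper removes. Any quantisation or non-linearity added to a perceptual hash has to break exactly this linearity to resist the attack.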

Save the date!
The COSIC Course on Cryptography and Cybersecurity will take place in Heverlee (Leuven, Belgium) from 22–25 June 2026. A unique, expert‑driven program covering the foundations and latest developments in crypto & cybersecurity.
Website and registration coming soon!

12.03.2026 12:02 👍 0 🔁 0 💬 0 📌 0

The talk introduced the components of our Proof-of-Concept implementation of an end-to-end secure data processing platform instantiated on a use case of heartbeat arrhythmia detection. Our results show that MPC can be practical for ML-based use cases.
#RWMPC

11.03.2026 09:29 👍 0 🔁 0 💬 0 📌 0

COSIC researcher Martin Zbudila presented "#MOZAIK: A Privacy-Preserving Analytics Platform for IoT Data Using MPC" at #RWMPC in Taiwan.
www.mpcalliance.org/rwmpc-2026
Paper in the Journal of Network and Systems Management: link.springer.com/article/10.1...
Preprint:
arxiv.org/abs/2601.02245

11.03.2026 09:29 👍 0 🔁 0 💬 1 📌 0
RSAC Set to Honor Excellence in the Field of Mathematics Awards, Inaugural Test of Time Awards at RSAC 2026 Conference

🎉 Proud moment for COSIC! Prof. Nigel Smart has received the #RSAC 2026 Award for Excellence in the Field of Mathematics for his groundbreaking work in #MPC, Threshold #Cryptography & foundational crypto research. Congratulations, Nigel! 👏
www.rsaconference.com/library/pres...

11.03.2026 07:37 👍 2 🔁 1 💬 0 📌 0
Face scan to watch porn? Australia imposes new age verification | VRT NWS Nieuws. Australians who want to visit a porn site will soon have to be able to prove they are older than 18. That is what the digital watchdog has decided. Sites with explicit content will therefore s...

Bart Preneel on Australia’s new age‑verification rules for adult sites on vrtnws: "Alongside education for youth and parents, I see more value in voluntary technical solutions."
www.vrt.be/vrtnws/nl/20...

10.03.2026 15:45 👍 0 🔁 0 💬 0 📌 0
VRT MAX

Bart Preneel discusses Australia’s new age‑verification rules for adult sites on the #VRTnws podcast #HetKwartier, warning about the privacy risks: www.vrt.be/vrtmax/podca...

09.03.2026 15:56 👍 1 🔁 0 💬 0 📌 0
Abstract. The problem of computing an isogeny of large prime degree from a supersingular elliptic curve of unknown endomorphism ring is assumed to be hard both for classical as well as quantum computers. In this work, we first build a two-round identification protocol whose security reduces to this problem. The challenge consists of a random large prime q and the prover simply replies with an efficient representation of an isogeny of degree q from its public key. Using the hash-and-sign paradigm, we then derive a signature scheme with a very simple and flexible signing procedure and prove its security in the standard model. The most efficient variant of our signature schemes features signing that is 1.4× to 1.6× faster than the most recent implementation of SQIsign, whereas verification ranges from 1.2× slower to 1.01× faster depending on the security level. The sizes of public key and signature are comparable to existing schemes.

PRISM with a pinch of salt: Simple, Efficient and Strongly Unforgeable Signatures from Isogenies (Andrea Basso, Giacomo Borin, Wouter Castryck, Maria Corte-Real Santos, Riccardo Invernizzi, Antonin Leroux, Luciano Maino, Frederik Vercauteren, Benjamin Wesolowski) ia.cr/2026/443

05.03.2026 06:38 👍 3 🔁 2 💬 0 📌 0
Black Hat

#BHAsia blackhat.com/asia-26/brie...

05.03.2026 12:50 👍 0 🔁 0 💬 0 📌 0
WhisperPair: Hijacking Bluetooth Accessories Using Google Fast Pair WhisperPair is a family of practical attacks leveraging a flaw in the Google Fast Pair implementation on flagship audio accessories.

Your earbuds can be hijacked & tracked in seconds! At Black Hat Asia 2026 COSIC & DistriNet researchers will present WhisperPair (whisperpair.eu), showing how nearby attackers can hijack Fast Pair devices & use them for covert tracking and stalking.

05.03.2026 12:50 👍 0 🔁 0 💬 1 📌 0

COSIC researcher Mahdi Sedaghat presented Post-Quantum Readiness in EdDSA Chains at FC 2026 in St. Kitts.
#fc2026 #cryptography #fc
fc26.ifca.ai/program.html

05.03.2026 11:36 👍 0 🔁 0 💬 0 📌 0
Government agency can and may now unlock your smartphone: "Highly problematic". The FPS Finance now has technology in house to crack smartphones, in case a suspect refuses to disclose the password of his iPhone or tablet. "Particularly problematic", says Vincent van Quickenborne (Anders).

KU Leuven cryptography expert Prof. Bart Preneel says in Nieuwsblad that tools like #GrayKey don't surprise him: it's a constant cat-and-mouse game between smartphone makers and those trying to break their security.
www.nieuwsblad.be/binnenland/o... (paywall)

05.03.2026 11:29 👍 0 🔁 0 💬 0 📌 0
Mandatory age verification will end in Big Brother. A European version of the Chinese Great Firewall is not a caricature but a consequence of a policy that relies on access control to the internet, writes Bart Preneel.

Security & privacy expert Bart Preneel appeared on Belgian Radio 1 yesterday to criticize mandatory age verification on social media: “Even every adult will have to permanently prove they are older than 13, 16, or 21.”
Read his opinion piece (paywall): www.standaard.be/opinies/verp...
#chatcontrol

03.03.2026 11:08 👍 2 🔁 1 💬 0 📌 0
Dial C for Cyber: Why Benelux Telcos Are Under Attack • Assured What telco CISOs need to do to avoid becoming the next Odido

Bart Preneel in Assured: "Invest sufficiently in cybersecurity and operational resilience, both in terms of governance (people and processes) and technology": assured.co.uk/2026/dial-c-...

02.03.2026 17:39 👍 0 🔁 0 💬 0 📌 0
Mandatory age verification will end in Big Brother (opinion piece by Bart Preneel, De Standaard)

Experts call for a moratorium.
Paywall: www.standaard.be/opinies/verp...
#greatfirewall #chatcontrol

02.03.2026 13:42 👍 0 🔁 0 💬 0 📌 0
Mandatory age verification will end in Big Brother (opinion piece by Bart Preneel, De Standaard)

Bart Preneel wrote in the print edition of De Standaard: Europe’s push for mandatory online age checks risks a 'Great Firewall.' Protecting youth is vital, but mass verification threatens #privacy, digital inclusion, and freedom, and is easy to bypass.

02.03.2026 13:42 👍 1 🔁 0 💬 1 📌 0
Events Archive - COSIC

This week in COSIC... Tomorrow Addie Neyt (COSIC) is giving a seminar on "Improved differential cryptanalysis of SPEEDY", free to attend! More info on www.esat.kuleuven.be/cosic/?post_...

02.03.2026 08:35 👍 0 🔁 0 💬 0 📌 0
COSIC Seminar "Revisiting (Standard, Rotational, Internal) Differential..." (Jiahui He, COSIC) YouTube video by COSIC - Computer Security and Industrial Cryptography

Great news, the COSIC Seminar on "Revisiting (Standard, Rotational, Internal) Differential-Linear Cryptanalysis via a Walsh-Transform Perspective" by Jiahui He (COSIC) is now available on our YouTube channel: www.youtube.com/watch?v=4VsR...

26.02.2026 14:33 👍 0 🔁 0 💬 0 📌 0
Abstract. In this paper, we present RISQrypt, the first unified architecture in the literature that implements Kyber (ML-KEM) and Dilithium (ML-DSA), standardized lattice-based Post-Quantum Cryptography (PQC) algorithms, with masking. RISQrypt is a hardware–software co-design framework that integrates dedicated cryptographic accelerators to speed up polynomial arithmetic, hashing, and mask-conversion operations, the latter being one of the primary bottlenecks in masked implementations of lattice-based PQC. Our design achieves low latency while providing both theoretical and practical side-channel security, as validated through experimental evaluation. Specifically, the masked decapsulation of Kyber768 requires 109K clock cycles, while masked signing of Dilithium3 requires 1230K clock cycles on average. These results demonstrate 11.3x time-performance improvement over existing masked implementations. Our performance results for unprotected functions also outperform the existing work by up to an order of magnitude. In addition, prior designs are more limited in scope, generally supporting only a single scheme and lacking the unified, crypto-agile framework that enables support for both Kyber and Dilithium as in our architecture. Leveraging the HW/SW co-design approach, our proposed architecture can be readily extended to other PQC standards such as Falcon and SPHINCS+, as well as to algorithms sharing similar computational building blocks, through firmware reprogramming.

RISQrypt: Fast, Secure and Agile Hardware-Software Co-Design for Post-Quantum Cryptography (Tolun Tosun, Atıl Utku Ay, Quinten Norga, Suparna Kundu, Melik Yazıcı, Erkay Savaş, Ingrid Verbauwhede) ia.cr/2026/312

21.02.2026 14:03 👍 1 🔁 1 💬 0 📌 0
Abstract. We provide a new interpretation of the arithmetic on Hessian Kummer lines using level-3 theta structures. This allows us to break the record for tripling on elliptic curves and their Kummer lines, requiring only 4 multiplications and 4 squarings per tripling for well-chosen curve parameters.

Tripling on Hessian curves via isogeny decomposition (Thomas Decru, Sabrina Kunzweiler) ia.cr/2026/334

23.02.2026 02:38 👍 4 🔁 3 💬 0 📌 0
Abstract. AMD Versal FPGAs introduce a new CLB microarchitecture in which legacy CARRY4/8 chains are replaced by LOOKAHEAD8 structures. Existing area-efficient LUT-based multiplier designs typically rely on CARRY4/8 primitives from prior FPGA generations. On Versal devices, these designs exhibit poor mapping efficiency. This paper proposes a new LUT-based integer multiplier architecture tailored to Versal fabric, together with an automated RTL generator supporting arbitrary operand bit-widths and configurable pipeline depths. Through the joint exploitation of radix-4 modified Booth recoding and the new micro-architectural features of Versal LUTs, only ∼n²/4 LUTs are required to generate the partial-product bit heap for an n-bit multiplication. Moreover, a new heuristic is developed for compressor tree synthesis to sum the bit heap, yielding an 8–20% improvement in area–delay product compared with state-of-the-art heuristics for Versal devices. Overall, the proposed multipliers achieve up to 40% LUT footprint reduction relative to AMD LogiCORE IP multipliers while maintaining comparable critical-path delay. The proposed generator enables scalable and customizable deployment of resource-efficient bit heap compressors and integer multipliers for Versal-based accelerator designs.

Area-Efficient LUT-Based Multipliers for AMD Versal FPGAs (Zetao Miao, Xander Pottier, Jonas Bertels, Wouter Legiest, Ingrid Verbauwhede) ia.cr/2026/344

23.02.2026 02:39 👍 1 🔁 1 💬 0 📌 0
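The radix-4 modified Booth recoding the abstract builds on, as an added software model (not the paper's RTL generator, and making no claim about LUT counts): an unsigned n-bit multiplier is recoded into ⌈(n+1)/2⌉ signed digits in {-2, -1, 0, 1, 2}, so the partial-product bit heap has roughly half the rows of an AND-array multiplier. The model also forms the rows the way hardware does, with a negative row as the complemented magnitude plus an injected "neg" bit, and sums the heap modulo 2^(2n) as a compressor tree would. Operand widths and the exhaustive self-check are chosen here for the demo.

```python
"""Radix-4 modified Booth recoding and the partial-product bit heap it produces.

Constructed software model for illustration (not the paper's RTL generator).
Operands are unsigned n-bit integers, as in arithmetic for cryptographic kernels.
"""
from typing import List, Tuple

def booth_digits(b: int, n: int) -> List[int]:
    """Recode the unsigned n-bit multiplier b into radix-4 Booth digits.

    Digit i reads the overlapping window (b[2i+1], b[2i], b[2i-1]) with b[-1]=0
    and equals -2*b[2i+1] + b[2i] + b[2i-1], in {-2,-1,0,1,2}. Zeros are read
    above the MSB so an unsigned value recodes correctly, which gives
    ceil((n+1)/2) digits in place of the n rows of an AND-array multiplier."""
    if not 0 <= b < (1 << n):
        raise ValueError("multiplier must be an unsigned n-bit value")
    digits = []
    prev = 0                                   # the implicit b[-1]
    for i in range(0, n + 1, 2):               # windows at even bit positions
        lo = (b >> i) & 1                      # b[i]   (0 beyond the MSB)
        hi = (b >> (i + 1)) & 1                # b[i+1] (0 beyond the MSB)
        digits.append(-2 * hi + lo + prev)
        prev = hi
    return digits

def booth_value(digits: List[int]) -> int:
    """The recoding is exact: sum(d_i * 4^i) recovers the multiplier."""
    return sum(d << (2 * i) for i, d in enumerate(digits))

def bit_heap_rows(a: int, b: int, n: int) -> List[Tuple[int, int]]:
    """Rows fed to the compressor tree as (row_bits, neg_bit), at 2n-bit width.

    Digit d selects 0, A or 2A at weight 4^i. A negative digit contributes
    the bitwise complement of that magnitude (sign-extended, then placed at
    the row's weight) plus a 'neg' bit injected at the same weight, because
    (~m << s) + (1 << s) = -(m << s) modulo 2^(2n)."""
    if not 0 <= a < (1 << n):
        raise ValueError("multiplicand must be an unsigned n-bit value")
    mask = (1 << (2 * n)) - 1
    rows = []
    for i, d in enumerate(booth_digits(b, n)):
        shift = 2 * i
        magnitude = abs(d) * a                 # 0, A or 2A
        if d < 0:
            complemented = (((~magnitude) & mask) << shift) & mask
            rows.append((complemented, 1 << shift))
        else:
            rows.append(((magnitude << shift) & mask, 0))
    return rows

def compress_and_sum(rows: List[Tuple[int, int]], n: int) -> int:
    """What the compressor tree computes: every bit added modulo 2^(2n)."""
    return sum(bits + neg for bits, neg in rows) & ((1 << (2 * n)) - 1)

def booth_multiply(a: int, b: int, n: int) -> int:
    return compress_and_sum(bit_heap_rows(a, b, n), n)

def row_counts(n: int) -> Tuple[int, int]:
    """(rows of an AND-array multiplier, rows of the Booth bit heap) for n-bit operands."""
    return n, len(booth_digits(0, n))

def self_check(n: int) -> bool:
    """Exhaustive check of the model over all n-bit operand pairs (small n only)."""
    return all(booth_multiply(a, b, n) == a * b
               and booth_value(booth_digits(b, n)) == b
               for a in range(1 << n) for b in range(1 << n))

if __name__ == "__main__":
    print(row_counts(32))                      # (32, 17)
    print(booth_digits(0b10110110, 8))         # [-2, 2, -1, -1, 1]
    print(self_check(6))                       # True
```

Each row here is one Booth-selected partial product; in the paper's architecture the selection logic for these rows is what is mapped onto the Versal LUTs, and the compressor-tree heuristic decides how the rows (and the injected neg bits) are summed.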
Abstract. We define and analyze the Leveled Isogeny Problem with Hints (LIPH), which is a generalization of the Isogeny Problem with Level Structure first introduced by De Feo, Fouotsa and Panny at EUROCRYPT'24. In a LIPH instance we are tasked to recover a secret isogeny φ given masked torsion point images Γ ⋅ (φ(P), φ(Q))^(⊤) for some (P, Q) of order N and unknown Γ ∈ GL₂(N). Additionally, we are provided a hint on Γ, revealing some bits of its entries. Instances of LIPH occur naturally in the case of modern isogeny-based key exchanges that use masked torsion points as part of their public key, when additionally some parts of the masking matrix Γ are revealed due to, for instance, a side-channel attack.

We provide efficient algorithms that solve various instances of LIPH, leading to efficient attacks in practice. More specifically, we present Coppersmith-type attacks that are able to recover an M-SIDH/POKÉ secret key given 50% (resp. 86%) of the most-significant bits of an entry of Γ, and a FESTA secret key given 67% of the most-significant bits of Γ. In the case of FESTA we also present a tailored combinatorial attack running in subexponential time O(2^(√n)) when 50% of the bits of Γ leak at random.

Leveled Isogeny Problems with Hints (Subham Das, Riccardo Invernizzi, Péter Kutas, Jonas Meers) ia.cr/2025/2075

13.11.2025 00:25 👍 1 🔁 1 💬 0 📌 0
Abstract. In 2006 de Graaf et al. devised a Lie-algebra-based strategy for finding a linear transformation T ∈ PGL_(N + 1)(ℚ) connecting two linearly equivalent projective varieties X, X′ ⊆ ℙ^(N) over ℚ. The method succeeds for several families of “classical” varieties such as Veronese varieties, which have large automorphism groups. In this paper, we study the Lie algebra method over finite fields, which comes with new technicalities when compared to ℚ due to, e.g., the characteristic being positive. Concretely, we make the method work for Veronese varieties of dimension r ≥ 2 and (heuristically) for secant varieties of Grassmannians of planes. This leads to classical polynomial-time attacks against two candidate-post-quantum key exchange protocols based on disguised Veronese surfaces and threefolds, which were recently proposed by Alzati et al., as well as a digital signature scheme based on secant varieties of Grassmannians of planes due to Di Tullio and Gyawali. We provide an implementation in Magma.

Lie algebras and the security of cryptosystems based on classical varieties in disguise (Wouter Castryck, Mingjie Chen, Péter Kutas, Jun Bo Lau, Alexander Lemmens, Mickael Montessinos) ia.cr/2026/351

23.02.2026 02:55 👍 1 🔁 1 💬 0 📌 0
Abstract. In this paper, we revisit the recent PEGASIS algorithm that computes an effective group action of the class group of any imaginary quadratic order R on a set of supersingular elliptic curves primitively oriented by R. Although PEGASIS was the first algorithm showing the practicality of computing unrestricted class group actions at higher security levels, it is complicated and prone to failures, which leads to many rerandomizations.

In this work, we present a new algorithm, qt-Pegasis, which is much simpler, but at the same time faster and removes the need for rerandomization of the ideal we want to act with, since it never fails. It leverages the main technique of the recent qlapoti approach. However, qlapoti solves a norm equation in a quaternion algebra, which corresponds to the full endomorphism ring of a supersingular elliptic curve. We show that the algorithm still applies in the quadratic setting, by embedding the quadratic ideal into a quaternion ideal using a technique similar to the one applied in KLaPoTi. This way, we can reinterpret the output of qlapoti as four equivalent quadratic ideals, instead of two equivalent quaternion ideals. We then show how to construct a Clapoti-like diagram in dimension 2, which embeds the action of the ideal in a 4-dimensional isogeny.

We implemented our qt-Pegasis algorithm in SageMath for the CSURF group action, and we achieve a speedup over PEGASIS of 1.8× for the 500-bit parameters and 2.6× for the 4000-bit parameters.

qt-Pegasis: Simpler and Faster Effective Class Group Actions (Pierrick Dartois, Jonathan Komada Eriksen, Riccardo Invernizzi, Frederik Vercauteren) ia.cr/2025/1859

08.10.2025 04:55 👍 3 🔁 1 💬 0 📌 1

🎥 The COSIC Seminar "Post-Quantum Readiness in EdDSA Chains" by Mahdi Sedaghat (COSIC) is now freely available on our YouTube channel: www.youtube.com/watch?v=z5Ux...

26.02.2026 10:51 👍 0 🔁 0 💬 0 📌 0

Welcome to Ankan Ghosh, a visitor working on Android malware detection.
"COSIC stands as a global benchmark for cryptographic and cybersecurity research. I chose COSIC not just for its heritage, but to contribute to the next generation of breakthroughs."
#choosecosic

26.02.2026 10:31 👍 0 🔁 0 💬 0 📌 0

"I chose COSIC for its high-quality research in cryptology, cybersecurity, and its application to industry. I firmly believe COSIC is one of the best places, especially in the domains of post-quantum cryptography & multi-party computation."
#choosecosic

26.02.2026 10:27 👍 0 🔁 0 💬 0 📌 0

Aniket Basak is visiting us from Indian Statistical Institute, Kolkata. Welcome!
#choosecosic

26.02.2026 10:27 👍 0 🔁 0 💬 1 📌 0