From ray at unipay.nl Thu Nov 13 20:12:00 2025
From: ray at unipay.nl (R. Hirschfeld)
Date: Thu, 13 Nov 2025 20:12:00 +0100
Subject: [crypto] Fwd: CWG: 28 Nov schedule
Message-ID: <4253db82983e14b99768f24e40f7fe57@unipay.nl>

-------- Original Message --------
Subject: CWG: 28 Nov schedule
Date: 2025-11-13 16:37
From: "Guarise Vieira, Heloise"

Dear all,

Find below the schedule for the Crypto Working Group of 28 November. The meeting will be held at the Kargadoor, in Utrecht (google maps: https://maps.app.goo.gl/Ufzj8qNC2DpE6rCU6).

See you there!

10:45h GNU Taler: Anonymous, ethical and provably secure E-cash system
Elisa Pioldi

GNU Taler is a private-by-design token-based payment system that offers cash-like privacy to customers while ensuring honest income reporting by merchants, making it ideal for real-world deployment as a digital currency since it complies with banking regulations. Our recent work focuses on analyzing the security of Taler under quantum attacks, designing a quantum-safe version, enhancing the security definitions and providing security proofs with concrete bounds. This talk will be made up of two parts: a non-technical overview of the workings of Taler, including what the difference between Taler and cryptocurrencies or other payment systems is and which possible applications exist; and a technical section, which will focus on Taler's protocols, the cryptographic primitives that are used, the security properties that are ensured and the efforts to make the protocol post-quantum.

11:30h - coffee break

11:45h Symmetric Primitives for MPC-/ZK-/HE-Applications
Lorenzo Grassi

Modern cryptography has developed many techniques that go well beyond solving traditional confidentiality and authenticity problems in two-party communication. In order to work, such protocols may rely on the evaluation of symmetric cryptographic primitives, such as Pseudo-Random Functions (PRFs), symmetric encryption schemes, or hash functions, whose details have a big impact on the performance of the considered applications. For this reason, several dedicated MPC-/ZK-/HE-friendly symmetric primitives (defined especially over prime fields) have recently appeared in the literature. In this presentation, we first highlight the design principles of the symmetric primitives that target MPC-/HE-/ZK-applications, comparing them with the ones commonly used for "traditional/classical" symmetric schemes such as AES or Keccak/SHA-3. Next, for each one of the cited applications, we will present some concrete examples of symmetric primitives published in the literature, including: the MPC-friendly block ciphers MiMC (ASIACRYPT 2016) and HadesMiMC (EUROCRYPT 2020); the ZK-friendly hash functions Rescue (FSE/ToSC 2020) and Poseidon (USENIX 2021); the FHE-friendly stream cipher Rasta (CRYPTO 2018).

12:30h - lunch break

14:00h Authorized Private Set Intersection
Tjitske Koster

Private Set Intersection (PSI) enables two parties to compute the intersection of their datasets without revealing any elements outside the intersection. Many solid protocols exist, but recent attacks have shown that input privacy can sometimes be compromised, even in maliciously secure protocols. These attacks make use of malicious input, and our goal today is to protect against this threat. To mitigate these types of attacks, Authorized PSI (APSI) introduces a trusted third-party judge who authorizes the input prior to the intersection. However, trusting a judge with all your elements may be impractical or undesirable. Building on this idea, Falzon and Markatou (PETS 2025) proposed Partial-APSI, a privacy-preserving variant of APSI where only a portion of each input set is revealed to the judge. Unfortunately, their protocol suffers from substantial bandwidth costs. In this presentation we will construct a bandwidth-efficient Partial-APSI protocol that significantly outperforms Falzon and Markatou's approach, both in theory and in practice. Together we will investigate how many elements should be revealed to the judge. A game-theoretic analysis can help us weigh privacy and verifiability. And then the final question: can we obtain the same functionality without a judge?

14:45h - coffee break

15:00h Wedges, oil, and vinegar
Lars Ran

The Unbalanced Oil and Vinegar construction (UOV) is considered the backbone of multivariate cryptography. It first appeared in the '90s and evolved slightly over the years. Today's modern variants - the 4 NIST candidates UOV, MAYO, SNOVA, QRUOV (is it this one you refer to?) - generally don't provide improved security guarantees, and mostly focus on reducing the public key size. In this talk, we explore a new key-recovery attack on UOV in characteristic 2. In this setting the polar forms of the UOV public maps are not only symmetric, but also alternating. This allows us to view both the public key (the polar forms) and the secret key (the oil space) as elements of the exterior algebra. We show how to establish relations between these elements and demonstrate that the secret oil space can be recovered using sparse linear algebra. Our attack achieves improved complexity compared to previous methods, reducing the claimed security by 4, 11, and 20 bits for uov-Ip, uov-III, and uov-V, respectively. Moreover, the attack also applies to MAYO2 and improves on the best attack by 28 bits. Finally, we present an idea on how to generalize this to odd characteristic and how this could lead to future improvements.

15:45h end of activities

--
Heloise Vieira, PhD
Discrete Mathematics Cluster, Project Leader
Department of Mathematics and Computer Science
Phone number +31 (0)402474864
De Zaale, Eindhoven
05 MetaForum, MF 5.120
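The last abstract rests on one algebraic fact: the polar form of a quadratic map is always symmetric, and in characteristic 2 it is also alternating, which is what fails in odd characteristic. The script below is an added illustration of that fact, not code from the talk or the CWG message; the 3x3 coefficient matrix is a constructed toy, not a UOV key, and the functions are named here for the example only.

```python
"""Polar form of a quadratic form Q(x) = x^T A x over GF(p).

B(x, y) = Q(x + y) - Q(x) - Q(y) = x^T (A + A^T) y.
B is symmetric for every p.  For p = 2 it is also alternating, since
B(x, x) = 2 * Q(x) vanishes mod 2; for odd p it generally does not.
"""
import itertools


def quad_form(A, x, p):
    """Evaluate Q(x) = x^T A x mod p."""
    n = len(A)
    return sum(A[i][j] * x[i] * x[j] for i in range(n) for j in range(n)) % p


def polar_form(A, x, y, p):
    """B(x, y) computed straight from the definition, without A + A^T."""
    xy = [(xi + yi) % p for xi, yi in zip(x, y)]
    return (quad_form(A, xy, p) - quad_form(A, x, p) - quad_form(A, y, p)) % p


def polar_matrix(A, p):
    """Matrix of B, i.e. A + A^T mod p.  Its diagonal is 2*A_ii, zero for p = 2."""
    n = len(A)
    return [[(A[i][j] + A[j][i]) % p for j in range(n)] for i in range(n)]


def is_symmetric(M):
    n = len(M)
    return all(M[i][j] == M[j][i] for i in range(n) for j in range(n))


def is_alternating(A, p):
    """Brute-force check that B(x, x) = 0 for every x in GF(p)^n (small n only)."""
    n = len(A)
    return all(polar_form(A, list(x), list(x), p) == 0
               for x in itertools.product(range(p), repeat=n))


# Constructed upper-triangular toy coefficient matrix (not a real UOV key).
A_TOY = [[1, 1, 0],
         [0, 1, 1],
         [0, 0, 1]]


def demo():
    """Return (alternating over GF(2)?, alternating over GF(3)?, symmetric over both?)."""
    sym = is_symmetric(polar_matrix(A_TOY, 2)) and is_symmetric(polar_matrix(A_TOY, 3))
    return is_alternating(A_TOY, 2), is_alternating(A_TOY, 3), sym


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```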