[crypto] Fwd: CWG: 28 Nov schedule

R. Hirschfeld ray at unipay.nl
Thu Nov 13 20:12:00 CET 2025



-------- Original Message --------
Subject: CWG: 28 Nov schedule
Date: 2025-11-13 16:37
 From: "Guarise Vieira, Heloise" <h.guarise.vieira at tue.nl>
To:

Dear all,

Find below the schedule for the Crypto Working Group of 28 November.

The meeting will be held at the Kargadoor, in Utrecht (google maps: 
https://maps.app.goo.gl/Ufzj8qNC2DpE6rCU6).

See you there!


10:45h
GNU Taler: Anonymous, ethical and provably secure E-cash system
Elisa Pioldi
GNU Taler is a private-by-design token-based payment system that offers 
cash-like privacy to customers while ensuring honest income reporting 
by merchants, making it ideal for a real-world deployment as a digital 
currency since it complies with banking regulations.
Our recent work focuses on analyzing the security of Taler under quantum 
attacks, designing a quantum-safe version, enhancing the security 
definitions and providing security proofs with concrete bounds.
This talk will be made of two parts: a non-technical overview of the 
workings of Taler, including what the difference between Taler and 
cryptocurrencies or other payment systems is and which possible 
applications exist; and a technical section, which will focus on Taler's 
protocols, the cryptographic primitives that are used, the security 
properties that are ensured and the efforts to make the protocol 
post-quantum.

11:30h - coffee break

11:45h
Symmetric Primitives for MPC-/ZK-/HE-Applications
Lorenzo Grassi

Modern cryptography has developed many techniques that go well beyond 
solving traditional confidentiality and authenticity problems in 
two-party communication.

In order to work, such protocols may rely on the evaluation of symmetric 
cryptographic primitives, such as Pseudo-Random Functions (PRFs), 
symmetric encryption schemes, or hash functions, whose details have a 
big impact on the performances of the considered applications. For this 
reason, several dedicated MPC-/ZK-/HE-friendly symmetric primitives 
(defined especially over prime fields) have recently appeared in the 
literature.

In this presentation, we first highlight the design principles of the 
symmetric primitives that target MPC-/HE-/ZK-applications, comparing 
them with the ones commonly used for "traditional/classical" symmetric 
schemes such as AES or Keccak/SHA-3. Next, for each one of the cited 
applications, we will present some concrete examples of symmetric 
primitives published in the literature, including:

- the MPC-friendly block ciphers MiMC (ASIACRYPT 2016) and HadesMiMC (EUROCRYPT 2020);
- the ZK-friendly hash functions Rescue (FSE/ToSC 2020) and Poseidon (USENIX 2021);
- the FHE-friendly stream cipher Rasta (CRYPTO 2018).

12:30h - lunch break

14:00h
Authorized Private Set Intersection
Tjitske Koster
Private Set Intersection (PSI) enables two parties to compute the 
intersection of their datasets without revealing any elements outside 
the intersection. Many solid protocols exist, but recent attacks have 
shown that input privacy can sometimes be compromised - even in 
maliciously secure protocols. These attacks make use of malicious input 
and our goal today is to protect against this threat.

To mitigate these types of attacks, Authorized PSI (APSI) introduces a 
trusted third-party judge who authorizes the input prior to the 
intersection. However, trusting a judge with all your elements may be 
impractical or undesirable. Building on this idea, Falzon and Markatou 
(PETS 2025) proposed Partial-APSI, a privacy-preserving variant of APSI 
where only a portion of each input set is revealed to the judge. 
Unfortunately, their protocol suffers from substantial bandwidth costs.
In this presentation we will construct a bandwidth-efficient 
Partial-APSI protocol that significantly outperforms Falzon and 
Markatou’s approach—both in theory and in practice. Together we will 
investigate how many elements should be revealed to the judge. A 
game-theoretic analysis can help us weigh privacy and verifiability. And 
then the final question, can we obtain the same functionality without a 
judge?

14:45h - coffee break

15:00h
Wedges, oil, and vinegar
Lars Ran
The Unbalanced Oil and Vinegar construction (UOV) is considered the 
backbone of multivariate cryptography. It first appeared in the '90s 
and evolved slightly over the years. Today's modern variants - the 4 
NIST candidates UOV, MAYO, SNOVA, QRUOV (is it this one you refer to?) - 
generally don't provide improved security guarantees, and mostly focus 
on reducing the public key size. In this talk, we explore a new 
key-recovery attack on UOV in characteristic 2.
In this setting the polar forms of the UOV public maps are not only 
symmetric, but also alternating. This allows us to view both the public 
key (the polar forms) and the secret key (the oil space) as elements of 
the exterior algebra. We show how to establish relations between these 
elements and demonstrate that the secret oil space can be recovered 
using sparse linear algebra.
Our attack achieves improved complexity compared to previous methods, 
reducing the claimed security by 4, 11, and 20 bits for uov-Ip, uov-III, 
and uov-V, respectively. Moreover, the attack also applies to MAYO2 and 
improves on the best attack by 28 bits.
Finally, we present an idea on how to generalize this to odd 
characteristic and how this could lead to future improvements.

15:45h end of activities

--


Heloise Vieira, PhD
Discrete Mathematics Cluster, Project Leader
Department of Mathematics and Computer Science
Phone number +31 (0)402474864

De Zaale, Eindhoven
05 MetaForum, MF 5.120
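The "Wedges, oil, and vinegar" abstract above states that in characteristic 2 the polar forms of the UOV public maps are alternating as well as symmetric. As an added illustration (not code from the talk or the speaker), the toy script below builds one constructed quadratic form, evaluates its polar form B(x, y) = Q(x+y) - Q(x) - Q(y) over GF(2) and GF(3), and checks exhaustively that B(x, x) vanishes for every x only in characteristic 2. The matrix TOY_A is a constructed stand-in for a single UOV public polynomial.

```python
# Added illustration, not code from the talk: polar forms of a toy quadratic
# form over GF(p), showing why they are alternating exactly in characteristic 2.
from itertools import product

# Constructed coefficient matrix (upper triangular) of one quadratic form
# Q(x) = x0^2 + x0*x1 + x1^2 + x1*x2 + x2^2, standing in for one UOV public map.
TOY_A = [[1, 1, 0],
         [0, 1, 1],
         [0, 0, 1]]


def eval_quadratic(A, x, p):
    """Q(x) = sum_{i<=j} A[i][j] * x_i * x_j, reduced mod p."""
    n = len(x)
    return sum(A[i][j] * x[i] * x[j] for i in range(n) for j in range(i, n)) % p


def polar_form(A, x, y, p):
    """B(x, y) = Q(x + y) - Q(x) - Q(y): the bilinear form attached to Q."""
    s = [(a + b) % p for a, b in zip(x, y)]
    return (eval_quadratic(A, s, p) - eval_quadratic(A, x, p)
            - eval_quadratic(A, y, p)) % p


def polar_matrix(A, p):
    """Matrix of B from its values on basis vectors; equals A + A^T mod p."""
    n = len(A)
    e = [[int(i == j) for j in range(n)] for i in range(n)]
    return [[polar_form(A, e[i], e[j], p) for j in range(n)] for i in range(n)]


def is_symmetric(A, p):
    """B(x, y) == B(y, x) for all x, y; holds in every characteristic."""
    M = polar_matrix(A, p)
    n = len(M)
    return all(M[i][j] == M[j][i] for i in range(n) for j in range(n))


def is_alternating(A, p):
    """B(x, x) == 0 for every x in GF(p)^n, checked exhaustively (small n, p)."""
    n = len(A)
    return all(polar_form(A, x, x, p) == 0 for x in product(range(p), repeat=n))


if __name__ == "__main__":
    for p in (2, 3):
        print(f"GF({p}): symmetric={is_symmetric(TOY_A, p)} "
              f"alternating={is_alternating(TOY_A, p)}")
```

The diagonal of A + A^T is 2*A[i][i], which is why the GF(3) polar matrix keeps nonzero diagonal entries while the GF(2) one does not.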

