New Techniques for Efficient Isogeny-based Encryption Protocols


Isogeny-based cryptography is known for its low bandwidth requirements, which often come at the cost of slower computations. SIDH, one of the most well-known isogeny-based key exchanges, and the only one submitted to the NIST standardisation process, was broken in 2022 in a series of three breakthrough papers. The attack relies on isogenies between abelian varieties (a generalisation of elliptic curves to higher dimensions), and it leads to a complete key recovery within seconds.

In this talk, we discuss two approaches to obtaining secure protocols that could, eventually, replace SIDH. The first approach involves modifying the SIDH protocol to include simple but effective countermeasures against all known attacks. The technique is based on restricting the set of potential isogenies, so that less information about the secret isogeny (in the form of torsion images) need to be revealed.

The second approach is based on the development of a new PKE, which we call FESTA. The attacks on SIDH rely on higher-dimensional isogenies to make some computations, previously believed to be hard, extremely efficient. In FESTA, we use the same techniques constructively: we build a trapdoor function where the inversion operation consists of recovering an SIDH secret key. From the trapdoor, it is then simple to obtain an IND-CCA PKE through standard transformations.

Andrea Basso is a postdoctoral researcher at the University of Bristol, where he focuses on developing new isogeny-based protocols, with a particular interest in advanced functionalities such as non-interactive key exchanges and oblivious pseudorandom functions. He received his PhD from the University of Birmingham, and he will soon join IBM Research Zurich as a postdoctoral researcher.

Photo © Private

Imitation Learning and Value Alignment Under Mismatch and Constraints

Short bio:
Dr. Sebastian Tschiatschek is assistant professor at the University of Vienna.

He is part of the research group for Data Mining and Machine Learning, leading the work group for Probabilistic and Interactive Machine Learning.

He is also an alumni of TU Graz.


Reinforcement learning has been successfully used for training AI agents when given clearly defined reward signals. However, reinforcement learning can suffer from high sample complexity and is challenging to use in settings in which the reward signal is hard to specify, e.g., for training personal agents that should maximize a human-defined reward function. We investigate imitation learning and reinforcement learning from human feedback which allows us to avoid the specification of a reward function and can drastically reduce sample complexity. Inspired by real-world applications, we particularly study settings in which there is a mismatch between the human providing demonstrations or feedback and the learning AI agent, e.g., in terms of observations, capabilities, or constraints. Our insights emphasize the need for adaptation of the human and the AI agent to achieve the best alignment regarding the human’s goals. Furthermore, we propose practical algorithms to perform this adaptation and sample efficient approaches for learning about rewards and constraints.

Photo: ©University of Vienna

Propagation of Subspaces in Primitives with Monomial Sboxes


Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers.
In this work, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds provided that the round-constants are well chosen.
As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet.
Well-known security arguments, in particular based on the wide trail strategy, have been reused in the AO setting by many designers.
Unfortunately, our results show their limits. To illustrate this, we present two new primitives (a tweakable block cipher and a permutation-based hash function) that are built using state-of-the-art security arguments, but which are actually deeply flawed.

Anne Canteaut is a Researcher in the COSMIQ project-team at INRIA, and an Honorary Doctor at the University of Bergen (Norway).

Her main research interest is symmetric cryptography.
(Source & further details on:

Photo copyright: © Inria / Photo C. Morel

Recent Advances in Secure Two-Party Computation

Secure two-party computation allows two parties to securely compute a function on their respective private inputs. It allows to preserve privacy in applications that involve a client and a single server, and in settings where private data is outsourced to two non-colluding servers. In this talk, I will give an overview on recent advances in the area of secure two-party computation. In particular, I will focus on the setting with semi-honest parties, which allows to construct the most efficient protocols. I will summarize three recent research results from the ENCRYPTO group: First, circuit synthesis and secure evaluation of circuits should be considered together to not leak private information when evaluating malformed circuits with popular instantiations of Yao’s garbled circuits protocol (JoC’23). In the area of secret-sharing based protocols, ABY2.0 (USENIX Security’21) allows highly efficient secure evaluation of Boolean circuits with multi-input AND gates and vector products, and FLUTE (IEEE S&P’23) extends these results to multi-input lookup tables. Among many other applications, these protocols substantially improve efficiency of privacy-preserving machine learning.

Short Bio:
Thomas Schneider is full professor for Cryptography and Privacy Engineering in the Department of Computer Science at Technical University of Darmstadt, Germany. Before, he was independent research group leader at TU Darmstadt (2012-2018), did a PhD in IT Security at Ruhr-University Bochum (2008- 2011), and wrote his Master thesis during a research internship at Nokia Bell Labs, NJ, USA (2007). His research focuses on privacy, cryptographic protocols, applied cryptography, and computer security. He heads the Cryptography and Privacy Engineering Group (ENCRYPTO), whose mission is to demonstrate that privacy can be efficiently protected in real-world applications. For this, his group combines applied cryptography and algorithm engineering to develop cryptographic protocols and tools for protecting sensitive data and algorithms. For his research on cryptography and privacy engineering, he was awarded with an ERC Starting Grant 2019 and an ERC Consolidator Grant 2023. See for more details.

Photo copyright: TU Darmstadt

Graz Security Week 2024

We are happy to announce that Security Week will take place again in September 2024!
This summer school targets graduate students interested in security and correctness aspects of computing devices. 

Click here to check out Security Week of 2023 (photos, programme, etc.)!
We will open registration in late spring 2024 – check this space; we will keep you posted!

We are looking forward to seeing you in 2024!

Bachelor@IAIK 2023/24

We present our new open bachelor’s thesis topics and award prizes to excellent students who contributed to scientific publications this past year.

If you’re interested in joining us for your bachelor’s thesis in security, this is the best way to get an impression of our topics as well as how a bachelor’s thesis at IAIK works: You’ll hear about our research areas and current hot topics, our Bachelor@IAIK program where you can work on your thesis together with your fellow students in one of our offices if you like, and maybe you’ll get to know your supervisor while chatting along.

The event will also be the kick-off lecture in Introduction to Scientific Working (ISW) where you will be able to choose your preferred topic!   

We are looking forward to meeting you!


Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

Side-channel techniques have been traditionally applied toward the recovery of computer-related secrets, such as cryptographic keys. Recently, however, attackers have turned to target humans, who also share secrets of their own with their computers. Recoverable human secrets include, for example, browsing habits, keystrokes, political or religious beliefs, or sensitive information about the user’s health. In this talk, I will show how a cache side-channel attacker can target humans using a *targeted deanonymization* attack. Targeted deanonymization attacks, which let a malicious website discover whether a website visitor bears a certain public identifier, such as an email address or a Twitter handle, are both practical and dangerous, as they can put journalists, activists, and other vulnerable populations into serious risk.

After describing and demonstrating the attack, I will talk about the unique challenge of defending against an attack which involves users, and show how mitigations against the attack were built into the popular NoScript extension.

Based on joint work with Mojtaba Zaheri and Reza Curtmola presented at USENIX Security ’22. Artifacts available here:

Yossi Oren is a Senior Lecturer (Assistant Professor in U.S. terms) in the Department of Software and Information Systems Engineering at Ben Gurion University of the Negev, and a member of BGU’s Cyber Security Research Center. Prior to joining BGU, Yossi was a Post-Doctoral Research Scientist in the Network Security Lab at Columbia University in the City of New York and a member of the security lab at Samsung Research Israel. He holds a Ph.D. in Electrical Engineering from Tel-Aviv University (thesis), and an M.Sc. in Computer Science from the Weizmann Institute of Science (thesis).

His research interests include implementation security (side-channel attacks, micro-architectural attacks, power analysis and other hardware attacks and countermeasures; low-resource cryptographic constructions for lightweight computers) and cryptography in the real world (consumer and voter privacy in the digital era; web application security). He has been recognized by The Register as a Top Boffin.


Photo copyright: Ben-Gurion University of the Negev.

Formal Hardware/Software Modeling for Timing Properties: from Safety to Security

Short abstract
The emergence of open hardware initiatives, for instance, based on the RISC-V ISA, exposes more easily the exact behavior of hardware designs. They can then be analyzed and combined with application-level semantics to formally verify complex safety (and security) properties at the system level. In this talk, we first present an overview of the LEAF approach for verifying such timing-related properties. Then, we focus on the required formal model tailored to a specific property: the detection of Timing Anomalies (TA) within pipelines of processors. A TA is a counterintuitive timing behavior that can threaten Worst-Case Execution Time (WCET) analyses. We also report ongoing work to generate such pipeline formal models from RISC-V processors described in Chisel/FIRRTL. Finally, we conclude on current extensions to apply the LEAF approach to safety properties.

Dr. Mathieu Jan obtained his engineering diploma in 2003 and got a Ph.D. in 2006 on data management for grid architectures from Univ. of Rennes 1 in an INRIA laboratory. He joined CEA LIST in 2007 as a full-time researcher. Since then, his main research interests are embedded systems and real-time systems. Senior expert at CEA LIST since 2014, he obtained a “Habilitation à Diriger des Recherches” (HDR) in 2016, and is a CEA Research Director since 2021. He spent the whole year 2019 as visiting scholar at the University of California, Berkeley (UCB) in the group of Prof. Edward Lee. Since 2020, Mathieu focuses on the hardware/software formal verification of embedded systems and is the Ph.D. director of several Ph.D. students in this area.

Photo: Private

Review of laser and EM fault injection attacks into microcontrollers

Microcontrollers storing valuable data or using security functions are vulnerable to fault injection attacks. Among the various types of faults, instruction skips induced at runtime proved to be effective against identification routines or encryption algorithms. Until recently, most research papers assessed a fault model that consists in a single instruction skip, i.e. the ability to prevent one chosen instruction in a program from being executed. This seminar reports experimental results that extend the complexity and versatility of the instruction-skip fault model. It shows how using laser or EM fault injection makes it possible to induce several consecutive instructions skips or to skip instructions from different parts of a program. It focuses on results obtained on custom test circuits and general purpose microcontrollers at different technology nodes. An analysis of the involved injection mechanisms is also provided.

Short bio

Prof. Jean-Max Dutertre received the M.S. and Ph. D. degrees in microelectronics from the University of Science of Montpellier, France, in 1998 and 2002, respectively. He is head of the Secured Architectures and Systems (SAS) research department of Mines Saint-Etienne from Institut Mines-Télécom, which is part of a joint R&D team with the CEA Leti. His research interests are with hardware attack techniques and the design of the related counter-measures (either hardware or software). He has been studying fault injection attacks of secure integrated circuits for 15 years.

Graz Security Week

Once again, IAIK will hold the Graz Security Week. This summer school targets graduate students interested in security and correctness aspects of computing devices. 

Click here to check out the details of the programme and speakers, and to register!

We are looking forward to seeing you there!