Abstracts and Biographies
A Practical Oblivious Pseudorandom Function Protocol from Learning with Rounding
Speaker: Alex Davidson (Slides)
Bio: Alex Davidson is an Assistant Professor in the Department of Computer Science at the Faculty of Sciences of the University of Lisbon, and an integrated researcher in the LASIGE research laboratory. His research focuses on the area of cryptography, where he models, designs, and implements technologies that strengthen the privacy of Internet users, with an emphasis on mechanisms that maintain security in the post-quantum era of computing. His work has already received academic distinctions, and has been translated into standardised Internet protocols and globally implemented communication mechanisms, reinforcing individuals' privacy and security guarantees.
Abstract: Oblivious Pseudorandom Function (OPRF) protocols allow a client to receive a pseudorandom function evaluation on their private input X from a server holding a secret key K. OPRFs have quickly become a fundamental cryptographic tool, serving both as a key building block in complex theoretical constructions and as a standardised mechanism for providing privacy-preserving versions of Internet cookies. Our work proposes Pool: a conceptually simple post-quantum (PQ) OPRF protocol that is round-optimal, practically efficient, and whose security is based on the well-understood hardness of the Learning with Rounding (LWR) problem. Pool is more efficient than constructions from well-known PQ PRFs, and is competitive even with those that only conjecture PQ security on lesser-known assumptions.
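To make the OPRF functionality described above concrete, here is an added example of a complete client/server exchange. It is not the Pool protocol from the talk (Pool is built from Learning with Rounding); it uses the classic blinded Diffie-Hellman instantiation in a prime-order subgroup of Z_p^*, because that shows the same contract in a few lines: the client ends up with F_K(x) = H2(x, H1(x)^K), while the server only ever sees a uniformly random group element and the client never sees K. The hash functions, the toy group size, and all names are this example's own assumptions.

```python
"""Added example: a toy blinded-DH OPRF exchange (not the Pool protocol)."""
import hashlib
import secrets
from typing import Tuple


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (probabilistic, enough for a toy group)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> Tuple[int, int]:
    """Return (p, q) with p = 2q + 1 and both prime; p has exactly `bits` bits.

    Assumption: toy sizes only. A deployment would use a standardised group/curve.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def hash_to_group(x: bytes, p: int) -> int:
    """H1: map the input into the order-q subgroup (quadratic residues) of Z_p^*."""
    h = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return pow(h % (p - 1) + 1, 2, p)       # nonzero element, squared -> QR subgroup


def finalize(x: bytes, y: int) -> bytes:
    """H2: the PRF output binds the input x to the exponentiated element y."""
    return hashlib.sha256(x + y.to_bytes((y.bit_length() + 7) // 8, "big")).digest()


def prf_direct(k: int, x: bytes, p: int) -> bytes:
    """What the key holder could compute locally: F_K(x) = H2(x, H1(x)^K)."""
    return finalize(x, pow(hash_to_group(x, p), k, p))


# --- the two-message exchange ---------------------------------------------

def client_blind(x: bytes, p: int, q: int) -> Tuple[int, int]:
    """Client: pick a blinding exponent r and send H1(x)^r. Returns (r, blinded)."""
    r = secrets.randbelow(q - 1) + 1                # r in [1, q-1], invertible mod q
    return r, pow(hash_to_group(x, p), r, p)


def server_evaluate(k: int, blinded: int, p: int, q: int) -> int:
    """Server: check subgroup membership, then raise the blinded element to K."""
    if not (0 < blinded < p and pow(blinded, q, p) == 1):
        raise ValueError("blinded element is not in the prime-order subgroup")
    return pow(blinded, k, p)


def client_unblind(x: bytes, r: int, z: int, p: int, q: int) -> bytes:
    """Client: remove r with r^{-1} mod q, leaving H1(x)^K, then finalize."""
    y = pow(z, pow(r, -1, q), p)
    return finalize(x, y)


def run_oprf(k: int, x: bytes, p: int, q: int) -> bytes:
    """Drive one full client/server exchange and return the client's PRF output."""
    r, blinded = client_blind(x, p, q)
    z = server_evaluate(k, blinded, p, q)
    return client_unblind(x, r, z, p, q)


if __name__ == "__main__":
    p, q = find_safe_prime(64)
    k = secrets.randbelow(q - 1) + 1
    out = run_oprf(k, b"alice@example.org", p, q)   # constructed input
    assert out == prf_direct(k, b"alice@example.org", p)
    print(out.hex())
```

The server-side subgroup check matters: accepting an element outside the order-q subgroup would let a client learn information about K from the small-order components, so the check is part of the protocol rather than an optimisation. The post-quantum construction in the talk replaces the exponentiation with LWR operations, but the shape of the exchange (blind, evaluate, unblind, finalize) is the same contract the abstract describes.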
Efficient Fully Homomorphic Encryption with Polynomial Noise Overhead
Speaker: Antonio Guimarães (Slides)
Bio: Antonio Guimarães is a postdoctoral researcher at IMDEA Software Institute in Madrid, Spain. His research interests include all practical aspects of Fully Homomorphic Encryption (FHE), with particular focus on verifiable FHE, fast bootstrapping algorithms, and efficient homomorphic evaluation of cryptographic primitives.
Abstract: Fully Homomorphic Encryption (FHE) is a powerful cryptographic primitive that enables computation directly on encrypted data. The most efficient FHE schemes to date exploit "single-instruction multiple-data" (SIMD) techniques to improve performance, i.e., they perform operations on multiple messages simultaneously to lower their amortized cost. However, these schemes require parameters to be superpolynomially large in the security level, which limits their security and practicality. Specifically, they rely on the hardness of approximate lattice problems with superpolynomial approximation factors, which is a significantly stronger assumption than what is required, for example, for lattice-based public-key encryption. Lightweight FHE schemes, such as TFHE, avoid these problems, but they lack (or have very limited) SIMD capabilities, hindering performance in large-scale applications. In 2018, Micciancio and Sorrell (ICALP'18) introduced the concept of "amortized bootstrapping" as a method to construct FHE with SIMD capabilities and polynomially large parameters. Many follow-ups have ensued since then, but their approach remained purely theoretical until recently.
In this talk, we will first provide a high-level overview of existing approaches for constructing FHE schemes with polynomially bounded parameters. We will then discuss "amortized bootstrapping" techniques, which enable SIMD capabilities for these schemes. We will focus particularly on the constructions from GPV23 (Asiacrypt 2023), where we first established the feasibility of this approach, and from GP25 (CCS 2025), where we first demonstrated its concrete practicality. Notably, our latest solution achieves performance improvements of up to 39 times over state-of-the-art libraries such as TFHE-rs.
How Modern Cryptography Breaks in Practice
Speaker: Filipe Casal (Slides)
Bio: Filipe Casal is a principal security engineer at Trail of Bits. He specializes in security reviews of advanced cryptography, including threshold signature schemes, multi-party computation protocols, fully homomorphic encryption schemes for organizations such as Zama, and large-scale zero-knowledge systems for teams such as Scroll and Aleo. Besides manual code review, he employs formal methods tools, such as TLA+ and ProVerif, to verify algorithms and custom protocols. In support of these engagements, he also builds custom tooling for implementers and auditors, including ZKDocs, an interactive guide to zero-knowledge proof systems and related primitives; Amarna, a static analyzer and linter for the Cairo programming language; and weAudit, a collaborative code review extension for VSCode.
Before joining Trail of Bits, he served as an invited assistant professor at the University of Lisbon, where he taught and researched type theory, satisfiability procedures, and probabilistic logics for security applications.
Abstract: Modern cryptographic systems often fail in predictable ways. From the familiar flawed Fiat–Shamir transformations to the more obscure threshold key-destruction attacks, we will survey some of the most common catastrophic bugs we repeatedly encounter in security reviews of modern cryptography. While these failures are frequently blamed on implementation mistakes, they are usually caused by an underspecified protocol or a hand-waved paragraph in the primary literature. For each class, we will compare the real-world failure to its violated assumption and draw lessons for robust protocol design and specification practices.
Digital signature schemes from isogeny-based cryptography
Speaker: Maria Corte-Real Santos (Slides)
Bio: Maria is a postdoctoral researcher at CNRS and ENS de Lyon, in the Unité de Mathématiques pures et appliquées (UMPA), working with Benjamin Wesolowski. Her main research interests are post-quantum cryptography, specifically isogeny-based cryptography, and computational number theory. Previously, she completed her PhD at University College London under the supervision of Philipp Jovanovic and Sarah Meiklejohn. Maria is a contributor to the SQIsign submission to NIST's call for alternative post-quantum secure signature schemes, which has progressed to Round 2. She is also a co-organiser of The Isogeny Club, an online seminar series for young researchers in isogeny-based cryptography. Maria is passionate about promoting diversity, inclusion, and gender equality within the cryptography community, co-organising Crossfyre 2023 and the Decrypting Diversity Summit 2025.
Abstract: Most public-key cryptography that is deployed in today’s systems is susceptible to attacks by quantum computers. With increasing investment in the development of large-scale quantum computers, it is important to develop cryptography that is secure against both classical and quantum attacks. Considering this, in 2016, NIST began an effort to standardise post-quantum secure key exchange mechanisms and signature schemes. In this talk, we will focus on signature schemes built from a particular type of post-quantum cryptography: isogeny-based cryptography.
After a gentle introduction on isogenies, we will present two signature schemes: SQIsign and PRISM. SQIsign is the only isogeny-based signature scheme that was submitted to NIST's recent alternate call for signatures. On the other hand, PRISM is a much newer and simpler construction, built using the hash-and-sign paradigm.
Though these signature schemes are not as efficient as, for example, lattice-based constructions, they boast the smallest combined signature and public key sizes. Throughout the talk, we will compare the two, discussing their potential advantages and drawbacks.
From Quantum Channels to Physical Unclonability: Grounding Cryptography in the Physical World
Speaker: Paulo Mateus (Slides)
Bio: Paulo Mateus obtained his doctorate in Mathematics from Instituto Superior Técnico and was a Postdoc at the University of Pennsylvania. He was awarded the IBM scientific prize, Portugal, in 2005 for his habilitation thesis. Currently he is a Professor in the Mathematics Department of Instituto Superior Técnico and a researcher at Instituto de Telecomunicações. In 2006, he founded, and presently coordinates, the Security and Quantum Information Group. His research is focused on using quantum resources for security and communication, and he is author or co-author of more than 50 peer-reviewed international journal publications in mathematics. He has coordinated several national and international projects, has been guest editor of Logic Journal of the IGPL and IEEE Communications, and has served on the program committee of several workshops and conferences. He was invited by the Hungarian (OTKA) and Czech (GACR) science foundations, as well as by the Israeli Ministry of Science and Technology, to be a member of the evaluation board for their national projects and postdocs. He was a member of the Managing Board of the European Network and Information Security Agency, vice-president of Centro Internacional de Matemática, and a consultant for the Portuguese National Security Agency.
Abstract: As cryptography evolves beyond traditional mathematical assumptions, the physical world offers powerful new resources for building secure protocols. In this talk, we explore a broad landscape of cryptographic primitives—including digital signatures, oblivious transfer, and more—whose security is grounded not in computational hardness, but in the fundamental laws of physics. We examine how quantum channels enable information-theoretic security guarantees, while relativistic constraints thwart adversaries by leveraging the limits of information propagation in space-time. Physical Unclonable Functions (PUFs), meanwhile, provide practical hardware-based security rooted in the uniqueness and unpredictability of physical systems. Together, these approaches enable cryptographic functionalities far beyond quantum key distribution (QKD), such as unforgeable quantum signatures, secure multi-party computation, and robust authentication. We will survey state-of-the-art protocols, discuss recent experimental advances, and highlight open challenges in harnessing physical assumptions to realize the next generation of cryptographic systems.
A Stroll Through Provable Security: Real-vs-Ideal Models and Ideal Functionalities
Speaker: Bernardo Portela (Slides)
Bio: Hi, I'm Bernardo Portela, an assistant professor at the Faculty of Sciences of the University of Porto. I teach courses on cryptography, trusted hardware, systems security, and the occasional introduction to programming. Alongside teaching, I'm a researcher at the High-Assurance Software Laboratory (HASLab), a research center that focuses on building trustworthy and secure software for high-assurance systems.
My main passion is cryptography, especially provable security. I've worked on cryptographic hardware — developing formal models that help us reason about the security of trusted hardware and design demonstrably secure systems — and on secure computation, particularly multi-party computation and searchable encryption. Currently, my research explores secure computation for trustworthy Conflict-free Replicated Data Types (CRDTs), novel algorithms for Oblivious RAM in distributed networks, and privacy-preserving countermeasures to protect federated learning environments against adversarial input manipulation.
Abstract: Provable security provides an essential framework for reasoning about cryptographic protocol security. Definitions such as IND-CPA, UF-CMA, and Key Secrecy have matured over decades and become the de facto standard. However, the direct adaptation of these notions to secure computation is often suboptimal. Real-world protocols require a wide range of security guarantees simultaneously, driving the development of models such as the real-versus-ideal world paradigm. Rather than enforcing a concrete security property, this approach formally demonstrates that a system is "as secure as" an idealized functionality. While this notion is elegant for many problems, the definition of what an "ideal functionality" is can grow in complexity rapidly. In this talk, I will broadly cover the methodology of modern provable security; briefly discuss the nuances of these alternatives; and illustrate how this challenge is particularly acute in weak consistency protocols, where establishing the bounds of a "correct result" is itself non-trivial.
Short Talks
An Attack to Universally Composable Commitments from Malicious Physically Uncloneable Functions and how to Avoid it
Speaker: Lourenço Abecasis (Slides)
Abstract: In this work, we explore the possibility of unconditionally secure universally composable (UC) commitments, a very relevant cryptographic primitive in the context of secure multi-party computation. To this end, we assume the existence of Physically Uncloneable Functions (PUFs), a hardware security assumption that has been proven useful for securely achieving diverse tasks. In prior work [ASIACRYPT 2013, LNCS, vol. 8270, pp. 100--119] it was shown that a protocol for unconditional UC-secure commitments can be constructed even when the PUFs are malicious. Here, we report an attack on this protocol, as well as a few more issues that we identified in its construction. To address them, we first revise some of the previous PUF properties, and introduce new properties and tools that allow us to rigorously develop and present the security proofs. Second, we propose two different ways of making the commitment scheme secure against the attack we found. The first involves considering a new model where the creator of a PUF is notified whenever the PUF is queried, and the second involves restricting adversaries to only being able to create stateless malicious PUFs. Finally, we analyze the efficiency of our schemes and show that our constructions are advantageous in this respect compared to the original proposal.
Symmetric Private Information Retrieval: Rényi Divergence for Improved Security Proofs
Speaker: Samuel Pearson (Slides)
Abstract: Private Information Retrieval (PIR) allows a client to retrieve some element from a server-held database, in such a way that the server learns nothing about which element was requested. In Symmetric PIR (SPIR), the client also learns nothing beyond the requested database item. To enforce the database privacy requirement of SPIR, one can prevent information leakage from PIR query responses via a very simple technique known as noise flooding. However, the common analysis based on the statistical distance leads to impractical parameters, as the noise dimension and ciphertext modulus must grow superpolynomially with the security parameter. Instead, we use the Rényi divergence, which leads to improved parameters but requires adapting security definitions and performing a more careful analysis. Inspired by the techniques of Boudgoust and Scholl (Asiacrypt 2023) in the context of Threshold FHE, we show how using the Rényi divergence to obtain an intermediate, unpredictability-based security guarantee can benefit scheme parameters overall. This allows us to derive single-server SPIR from state-of-the-art PIR schemes (FrodoPIR and SimplePIR) based on the Learning With Errors assumption, with polynomial noise and modulus. Thus, we retain the important advantages that the underlying PIR schemes offer with low concrete overheads and similar design simplicity.
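The parameter argument in the abstract above can be seen on a one-dimensional toy version of noise flooding. This is an added illustration, not part of the talk or paper: the symbols $B$, $\sigma$, $\lambda$ and $\alpha$ are introduced here, and continuous Gaussians stand in for the discrete Gaussians a lattice scheme would actually sample.

```latex
% Setting (assumed for this illustration). A PIR response carries a database-dependent
% term $e$ with $|e| \le B$ beyond the requested item. Noise flooding adds
% $f \leftarrow \mathcal{N}(0,\sigma^2)$ and reveals $e + f$. Database privacy asks that
% $P = \mathcal{N}(e,\sigma^2)$ be indistinguishable from the $e$-independent $Q = \mathcal{N}(0,\sigma^2)$.

% 1. Statistical distance forces superpolynomial $\sigma$.
\Delta(P,Q) \;=\; 2\,\Phi\!\left(\frac{|e|}{2\sigma}\right) - 1
      \;\le\; \frac{|e|}{\sigma\sqrt{2\pi}},
\qquad\text{and the bound is tight up to a constant for } |e| \ll \sigma .

% Requiring $\Delta(P,Q) \le 2^{-\lambda}$ for every $|e| \le B$ therefore needs
\sigma \;=\; \Omega\!\left(B \cdot 2^{\lambda}\right),
% i.e. noise (and hence the modulus that must contain it) superpolynomial in $\lambda$.

% 2. Rényi divergence of order $\alpha > 1$ (multiplicative convention) stays bounded
%    with polynomial $\sigma$. For equal-variance Gaussians,
R_\alpha(P \,\|\, Q) \;=\; \left( \int \frac{P(x)^{\alpha}}{Q(x)^{\alpha-1}}\, dx \right)^{\frac{1}{\alpha-1}}
      \;=\; \exp\!\left( \frac{\alpha\, e^2}{2\sigma^2} \right),
\qquad\text{so } \sigma = B\sqrt{\alpha} \;\Rightarrow\; R_\alpha(P\|Q) \le e^{1/2}.

% 3. Probability preservation (Bai et al. 2015, the tool Boudgoust and Scholl reuse):
%    for any event $E$,
Q(E) \;\ge\; \frac{P(E)^{\alpha/(\alpha-1)}}{R_\alpha(P\|Q)} .

% If an adversary wins an unpredictability game with probability $\varepsilon \ge 2^{-\lambda}$
% against the flooded real response, then with $\alpha = \lambda$ it wins against the
% $e$-independent response with probability at least
\varepsilon^{\lambda/(\lambda-1)} \big/ e^{1/2}
      \;=\; \varepsilon \cdot \varepsilon^{1/(\lambda-1)} \big/ e^{1/2}
      \;\ge\; \frac{\varepsilon}{4\sqrt{e}}
\qquad (\lambda \ge 2),
% a constant-factor loss, obtained with $\sigma = B\sqrt{\lambda}$, polynomial in $\lambda$.
```

The catch that shapes the abstract's approach is visible in step 3: probability preservation transfers the success probability of an *event* (a search or unpredictability game), not a distinguishing advantage, which is a difference of two probabilities. That is why an intermediate unpredictability-based guarantee is needed before the usual indistinguishability-based SPIR definition can be recovered.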
Practical, Efficient, and Secure Federated Learning via Hybrid Homomorphic Encryption
Speaker: Ivan Costa (Slides)
Abstract: Federated Learning (FL) is a distributed machine learning approach that enhances privacy by keeping the data local. However, the transmission of model updates to a central server can also leak private information. A promising approach to tackle this issue is Homomorphic Encryption (HE), a type of encryption scheme with the inherent property of allowing computations over encrypted data. But these schemes have major efficiency drawbacks, especially regarding client overhead, which prevents them from being a practical solution. Hybrid Homomorphic Encryption (HHE) is a recent research trend that consists of combining HE with a faster and less expensive encryption scheme, usually a symmetric cipher. This cryptographic approach has recently been applied to FL to mitigate client overhead while preserving privacy. However, existing proposals still fail to achieve a solution that, besides privacy, also provides practicality and efficiency. Our previous work focused on improving the security of existing proposals that relied on the same HE key pair for every client, which would allow any client to decrypt, without permission, a homomorphic message from another client. We propose the use of two cryptographic techniques to tackle this issue: masking and RSA wrapping. The former consists of masking the message before transmission, and the latter consists of using RSA to wrap the message before encryption. Although both techniques remove the security concerns regarding malicious clients while maintaining performance, collusion attacks are still feasible, since auxiliary information regarding either of these techniques has to be shared with the central server. Our current work focuses on extending these HHE solutions in FL to a multi-key setting, which would tackle the concern of collusion attacks.
Additionally, we are researching ways to remove the need for interaction rounds in the collaborative decryption protocol while maintaining privacy at all times.