September 11th, 2025
Aula Conferenze, Dipartimento di Ingegneria, Via Vito Volterra 62
09:00 - 09:30
Registration and badge
09:30 - 09:45
Welcome speech and introduction
(in Italian)
Massimiliano Sala (DeCifris)
Marco Pedicini (Università RomaTre)
Alessandro Casale (ACN)
09:45 - 10:00
Institutional round table
(in Italian)
Moderatore: Arturo di Corinto (ACN)
Paolo Libri (Banca D'Italia)
Cristiano Leggeri (Polizia Postale)
10:15 - 10:45
Partners
(in Italian)
Moderatore: Andrea Gelpi (Responsabile Partner)
Carla Mascia (Head of Cryptography Research - DataKrypto s.r.l.) slides
Matteo Barbieri (Quantum Developer - E4 Computer Engineering s.p.a.) slides
Denis "Jaromil" Roio (Chief Scientific Officer & Co-founder - ForkBomb B.V.) slides
Elisa Cermignani (PMO - Athilab s.r.l.) slides
Massimo Caccia (CEO - RandomPower s.r.l.) slides
10:45 - 11:00
Coffee break
11:00 - 12:00
Invited Speaker:
Ludovic Perret (Sorbonne University - EPITA)
Post-Quantum Transition: Challenges and Opportunities
slides
Abstract
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms that are presumed secure against quantum and classical computers. A first set of PQC standards has been finalized by NIST in 2024-2025, marking the first step of a major upgrade of digital infrastructures to these new standards. It is, by far, the most important cryptographic transition ever performed, and it needs to be completed as soon as possible due to steady progress in quantum computing. For example, the EU Commission recommends that member states finalize the transition of critical infrastructures by 2030-2035. In this talk, we will provide an overview of PQC standards, as well as alternative approaches such as Quantum Key Distribution (QKD), to protect against the quantum threat. We will review the regulatory frameworks governing the quantum-safe transition and describe the main organizational and technical approaches developed so far to support this transition.
12:00 - 13:00
Symmetric Cryptography and Coding Theory
Roberto La Scala (Università di Bari)
Oracle-Based Multistep Strategy for Solving Polynomial Systems Over Finite Fields and Algebraic Cryptanalysis of the Aradi Cipher
slides
Abstract
The multistep solving strategy consists of a divide-and-conquer approach: when a multivariate polynomial system is computationally infeasible to solve directly, one variable is assigned over the elements of the base finite field, and the procedure is recursively applied to the resulting simplified systems. This method already proved effective in attacking the Trivium cipher. In this talk, we present a new implementation of the corresponding algorithm based on a Depth-First Search strategy, along with a novel complexity analysis leveraging tree structures. We further introduce the notion of an "oracle function" as a general predictive tool for deciding whether the evaluation of a new variable is necessary to simplify the current polynomial system. This notion allows us to unify all previously proposed variants of the multistep strategy, including the classical hybrid approach, by appropriately selecting the oracle function. Finally, we apply the multistep solving strategy to the cryptanalysis of the low-latency block cipher Aradi, recently introduced by the NSA. We present the first full-round algebraic attack, raising concerns about the cipher's actual security with respect to its key length.
Francesco Ghiandoni (Università di Perugia)
AG Codes for Secure and Private Information Retrieval
slides
Abstract
Private information retrieval (PIR) addresses the question of how to retrieve data items from a database without disclosing information about the identity of the data items retrieved. The rate of a PIR scheme is measured as the ratio of the gained information over the downloaded information. Secure PIR complements this problem by further requiring the contents of the data to be kept secure. In particular, X-secure and T-private information retrieval (XST-PIR) is a form of PIR where data security is guaranteed against collusion among up to X servers and the user's privacy is ensured against collusion among up to T servers. Cross-subspace alignment (CSA) Reed-Solomon codes have been recently proposed by Jia, Sun, and Jafar (IEEE Trans. Inf. Theory, 65(9):5783–5798, 2019) as a means to construct XST-PIR schemes. Makkonen, Karpuk, and Hollanti reinterpret and generalize such CSA codes as algebraic geometric (AG) codes from curves of genus 0 and 1 (ISIT 2024, pp. 2874–2879), respectively, and from higher-genus hyperelliptic curves (arXiv:2408.00542, 2024). In this talk we show an XST-PIR scheme coming from Hermitian codes, i.e., AG codes over the Hermitian curve. Such a scheme offers interesting tradeoffs between the field size, file size, number of colluding servers, and the total number of servers. When the field size is fixed, this translates in some cases to higher retrieval rates than those of Makkonen et al. (2024). In addition, the new scheme also exists for some parameters where the original ones do not.
Alessio Caminata (Università di Genova)
Construction and cryptanalysis of a multivariate CCZ scheme a.k.a. do not bring your Pesto to Switzerland!
Abstract
Multivariate cryptography is one of the main candidates for post-quantum cryptography. Traditional multivariate schemes are typically constructed by applying two secret affine invertible transformations to a set of secret multivariate polynomials, often quadratic. These secret polynomials contain a trapdoor that enables the legitimate user to solve the corresponding system efficiently, while the public polynomials appear indistinguishable from random ones. In this context, the secret and public key polynomials are said to be affine equivalent. In an effort to generalize this construction, we propose a new approach to construct a multivariate scheme by considering CCZ equivalence, a concept introduced and studied in the theory of vectorial Boolean functions. We explore the potential advantages and disadvantages of this construction. In particular, we present a cryptanalysis attempt aimed at assessing whether this approach indeed provides stronger or more general security guarantees compared to affine equivalence. The talk is based on joint works with Marco Calderini, Elisa Gorla, Madison Mabe, Martina Vigorito, and Irene Villa.
13:00 - 14:00
Lunch break
14:00 - 15:20
Applied Cryptography
Daniele Venturi (Università La Sapienza)
Evolving Secret Sharing
slides
Abstract
Evolving secret sharing (Komargodski, Naor, and Yogev, TCC'16) generalizes the notion of secret sharing to the setting of evolving access structures, in which the shareholders are added to the system in an online manner, and where the dealer knows neither the access structure nor the maximum number of parties in advance. Here, the main difficulty is to distribute shares to the new players without updating the shares of old players; moreover, one would like to minimize the share size as a function of the number of players. In this talk, I will review recent constructions of evolving secret sharing schemes for various access structures, with a particular focus on efficient and computationally secure schemes.
Marco Rinaudo (Telsy)
The critical role of acceleration in fully homomorphic encryption
slides
Abstract
Fully Homomorphic Encryption (FHE) has attracted substantial attention from the international cryptographic community over the past decade, primarily due to its potential to safeguard data-in-use across a wide range of scenarios, with cloud computing being a leading example. However, the deployment of this technology in real-world applications remains limited by the considerable computational overhead inherent in current FHE schemes. One of the most promising approaches to reduce the computational cost of FHE and thereby broaden its applicability is the development of specialized accelerators for homomorphic encryption primitives. This talk will present the main techniques employed in this effort, with a particular focus on hardware acceleration, as well as some other key challenges that must be addressed to enable the widespread adoption of Fully Homomorphic Encryption.
Barbara Masucci (Università di Salerno)
Anonymous Access Schemes with Distributed User Registration
slides
Abstract
We address the problem of anonymous access to restricted resources via distributed user registration, where multiple dealers collaboratively issue access tokens without compromising user anonymity towards a set of guards. Prior work proposed protocols with informal security arguments but lacked a formal model. We introduce an information-theoretic framework that rigorously defines correctness and security properties for such schemes, prove a lower bound on the private information each guard must hold, and present a simple, optimal construction leveraging secret sharing. Our results advance the design of unconditionally secure anonymous access protocols, relevant in the post-quantum era.
Antonio Tortora (Università della Campania "Luigi Vanvitelli")
Using Homomorphic Encryption for Inner-Product Functional Encryption
slides
Abstract
Homomorphic encryption schemes enable computations on encrypted data, producing an encrypted result that can only be decrypted by the owner of the corresponding decryption key. A completely different approach is provided by functional encryption, which gives access to a function of some plaintexts working only on ciphertexts. Nevertheless, as shown in 2015 by Abdalla, Bourse, De Caro and Pointcheval, any (additive) homomorphic encryption scheme can be used to instantiate a functional encryption scheme for inner-product functionality. In this context, we will consider Torus Fully Homomorphic Encryption to construct a functional encryption scheme supporting the inner product.
15:20 - 15:40
Coffee break
15:40 - 17:00
Post-quantum Cryptography
Michele Battagliola (Università Politecnica delle Marche)
A Revision of CROSS Security: Proofs and Attacks for Multi-Round Fiat-Shamir Signatures
slides
Abstract
In this talk, we first introduce CROSS, a digital signature scheme recently admitted to the second round of the NIST on-ramp standardization process for post-quantum digital signatures. We will discuss its construction and how it uses multi-round interactive proofs. Subsequently, we will focus on the security proof of CROSS, in particular on how the fixed-weight parallel-repetition optimization employed in CROSS complicates its security analysis. We will present the first explicit proof of the EUF-CMA security of CROSS, demonstrating that the Fiat-Shamir transform of an HVZK and knowledge-sound multi-round interactive proof is EUF-CMA secure. Furthermore, we will present a novel forgery attack on signatures obtained from fixed-weight repetitions of 5-round interactive proofs, significantly improving upon previous results. As a consequence of this attack, CROSS parameters were modified between its first and second submissions.
Giuseppe D'Alconzo (Politecnico di Torino)
Towards Post-Quantum Multi-Signatures from Group Action Assumptions
slides
Abstract
In various scenarios, it is necessary for a set of N users, each possessing a private/public key pair, to jointly sign a common message. Instead of sending N individual signatures, a multi-signature scheme enables a group of signers to produce a single, compact signature on the shared message, significantly reducing the communication overhead. Numerous practical multi-signature schemes have been developed under pre-quantum assumptions. A notable example is MuSig2 (CRYPTO 2021), which builds upon Schnorr signatures based on the discrete logarithm problem. More recently, such efforts have been extended to the post-quantum setting, with lattice-based constructions like MuSig-L (CRYPTO 2022). With the growing interest in group action-based signatures, a natural question arises: can we construct an efficient multi-signature scheme based on group action assumptions? In this talk, we present the first construction of such a scheme, relying on group action-based cryptographic assumptions. Our protocol is a 3-round scheme that achieves concurrent security in the Random Oracle Model (ROM). We instantiate our construction using the three round-1 candidates from NIST's additional call for post-quantum digital signatures: LESS, MEDS, and ALTEQ. Our implementation demonstrates favorable compression rates across various parameter sets.
Alessandro Barenghi (Politecnico di Milano)
Moving to a Post-Quantum World: Challenges in Engineering and Deploying Quantum Resistant Cryptography
slides
Abstract
The strong push for the construction of large scale quantum computers carries, along with the prospect of significant societal benefits, a threat to widespread asymmetric cryptographic techniques. This talk aims to provide a systematic outlook on the design, engineering and field deployment efforts for post-quantum asymmetric cryptographic solutions.
Walter Tiberti (Università dell'Aquila)
Post-Quantum Cryptography in Intra-Vehicle Networks
slides
Abstract
Quantum computing poses a significant threat to modern classical cryptography. To address this challenge, NIST has recently selected new standard protocols for post-quantum cryptography, specifically focusing on Key Encapsulation Mechanisms (KEMs) and post-quantum digital signatures. Some products and networking protocols — such as TLS and SSH — have already begun integrating these standards, with many more following by offering them as selectable alternatives to classical cryptographic solutions. However, there are contexts where even classical cryptography has faced persistent challenges due to constraints such as limited energy, real-time requirements, and low-latency demands. One such context is intra-vehicle communication, which involves the internal components of a vehicle (e.g., Electronic Control Units or ECUs). In this talk, we explore how classical cryptography has been applied within intra-vehicle networks and discuss the potential for adopting post-quantum cryptography standards in this specialized domain. Finally, we present a possible solution for implementing NIST's ML-KEM (Kyber) and Dilithium algorithms in CAN-based intra-vehicle communication systems.
September 12th, 2025
Dipartimento di Matematica e Fisica, Largo S. Leonardo Murialdo, 1
Permanent Workshops
Contributed Workshops
Community and Dissemination Workshop
A Journey into Bitcoin’s Cryptography
Workshop: Topics in Applied Cryptography -- Room M1
10:00 - 11:00
Francesco Stocco (Telsy)
QKD (Re)Initialization via PQC: An Industrial Security-Usability Trade-off
Abstract
In the industrialization perspective of Quantum Key Distribution (QKD), it is required to evaluate the subtle interaction between its classical and quantum components. Among these, the classical authentication of QKD protocols respecting both the Information Theoretic Security (ITS) targeted by QKD and the usability required in concrete telecommunication networks is a major challenge. In this talk, we will focus on the possible security-usability trade-offs, involving also Post-Quantum Cryptography (PQC), to deal with authentication key (re)initialization.
Lorenzo Naturale (RandomPower s.r.l. & University of Insubria)
Quantum Root-of-Trust: Post-Quantum Security for Industrial IoT
Abstract
In response to the growing threat posed by quantum computing to classical cryptographic schemes, this work presents the design of a proof-of-concept Quantum Root of Trust (QRoT) system. The solution integrates a quantum-entropy ASIC with the Nordic nRF9161 System-In-Package, one of the most advanced solutions for cellular IoT. The design and the state-of-play of an architecture focused on DECT NR+ networks, to enable secure key generation, storage and distribution together with authentication and encryption for Industrial IoT in a post-quantum world, are described.
Carlo Brunetta (Independent researcher)
Verifiable Computation Outsourcing via Contracts over Blockchain Transactions
Abstract
We present a technique to obtain verifiable outsourcing of computation with a fair rewarding mechanism over a blockchain. Existing (cryptographic) solutions are often impractical due to either high computational overhead or independence from the economic layer required for achieving a fair rewarding mechanism. Our approach introduces a contract-based framework encoded as blockchain transactions, which encode all the details for outsourced computation, verification, and rewarding. This solution is particularly relevant in distributed AI marketplaces, where data owners and AI developers want to sell/buy data and outsource training/evaluation of models securely within the framework.
11:00 - 11:30
Coffee break
11:30 - 13:00
Invited talk: Peter Rønne (Université du Luxembourg)
Transparent Verification in E-Voting
Abstract
The main challenge in secure e-voting is to allow voters to verify their cast vote while preserving strong privacy notions, especially preventing vote-buying and coercion. We will introduce the electronic voting schemes Selene and Hyperion which offer a very transparent form of verifiability allowing voters to find and check their plaintext vote directly in the tally result while preserving coercion-mitigation. We will introduce new, more general security definitions to capture the context of these schemes and prove their security. Finally, we will see how we can achieve both everlasting privacy and everlasting coercion-mitigation for Hyperion, as well as speculating on the post-quantum migration of the scheme.
Laura Mattiuz (Cybersecurity Center, FBK)
A Review of Post-Quantum e-Voting
Abstract
The adoption of e-voting in democratic elections has significantly increased in recent years. E-voting offers a convenient alternative to postal or in-person paper voting, while further providing cryptographic privacy of the votes and public verifiability of the whole process. However, all currently deployed e-voting systems employ cryptographic protocols which will no longer be secure as soon as a powerful enough quantum computer becomes available. Hence, in order to guarantee secure voting, it is important to design e-voting schemes from quantum-secure cryptographic primitives. Due to the sensitivity of voting and the complexity of its infrastructures, this task poses a great challenge. This talk will provide an overview of post-quantum e-voting, focusing on the different constructions and illustrating the state-of-the-art quantum-safe e-voting protocols.
Lorenzo Rovida (University of Milano-Bicocca, DISCo)
Exploring blind signatures under FHE by combining GBFV and HAWK
Abstract
Blind signatures allow signing an encrypted message without being able to see the content of the message itself. Many applications include signatures for encrypted votes or private transactions in a blockchain environment. This technique, though, is still far from being practical for real-world scenarios. In this proposal, we suggest an approach to perform blind signatures by combining three ingredients: a fully homomorphic encryption scheme, a hashing function, and a signature scheme. We will consider the new GBFV (Geelen and Vercauteren, Eurocrypt '25) scheme, which natively supports the Goldilocks field as a plaintext modulus. Moreover, the Poseidon2 hashing function performs computations in this field as well — this allows evaluating that circuit under GBFV naturally. Lastly, we propose to sign the hashed message using a very simple, yet powerful, signature scheme based on the Lattice isomorphism problem, namely HAWK.
Workshop: Number Theory & Cryptography -- Room M2
10:00 - 11:00
Dimitry Koshelev (Lleida University)
Endomorphisms for Faster Cryptography on Elliptic Curves of Moderate CM Discriminants
Abstract
The talk is devoted to the generalization of the widely-used GLV decomposition for multi-scalar multiplication to a much broader range of elliptic curves with moderate CM discriminant D < 0. Previously, it was commonly believed that this technique can only be applied efficiently for small values of D, e.g., up to 100. In practice, curves with j-invariant 0 are most frequently employed, as they have the smallest possible D = -3. However, j = 0 curves are either too suspicious for conservative government regulators, e.g., for Russian ones, which prefer D = -619, or unavailable under imposed extra restrictions in a series of cryptographic settings. The new result thus contributes to the decade-long development of numerous curves with moderate D in the context of zk-SNARKs. Such curves are typically derived from others, which limits the ability to generate them while controlling the magnitude of D.
Pietro Mercuri (Università di Trento)
High order elements in finite fields arising from recursive towers
Abstract
We describe a general method to produce high multiplicative order elements in finite fields of cardinality 4^(3^n) and q^(2^n), for q an odd prime power, and for each positive integer n. This can have coding theoretic and cryptographic applications when high order elements are required.
11:00 - 11:30
Coffee break
11:30 - 13:00
Lorenzo Romano (Politecnico di Torino)
One Reduction To Rule Them All. The Hidden Subgroup Problem and its role among post-quantum cryptographic assumptions
Abstract
Public-key cryptography relies on computational assumptions that guarantee the security of a scheme up to a certain bound, determined by the complexity of solving the underlying mathematical problem; such a resource-dependent definition is severely damaged by the awakening of quantum computers, on which new algorithms are available and old computational assumptions no longer hold. In this talk, we introduce the Hidden Subgroup Problem, which appears to be one of the minimal cryptographic assumptions, in the sense that most of the widely used assumptions can be efficiently recast as an instance thereof (e.g. discrete logarithm, integer factorization, but also shortest vector and others). The post-quantum relevance of this assumption is motivated by Kitaev's algorithm, a quantum routine which generalizes Shor's algorithm and efficiently solves the problem for abelian groups, delimiting the area of post-quantum only to those assumptions which reduce to non-abelian cases or do not reduce at all.
Andrea Sanguineti (Università di Genova)
Algebraic modelings of the Supersingular Isogeny Problem
Abstract
We construct algebraic models for the Supersingular Isogeny Problem, for isogenies of degree powers of 2 and 3, using modular polynomials and explicit formulas from the works of Burdges, DeFeo, Renes, Costello, and Hisil. These constructions yield multivariate polynomial systems which we study through tools from computational algebra, including Gröbner bases and related techniques in commutative algebra. We further present experimental results that estimate the maximum step degree observed during the solution process, providing insight into the complexity and feasibility of solving these systems in practice. This is an ongoing joint work with Alessio Caminata (Università di Genova) and Silvia Sconza (University of Zurich).
Alessandro Zaccagnini (Università di Parma)
Integer Factorization
Abstract
We give an overview of modern algorithms for factoring integers.
Workshop: Symmetric Cryptography & Coding Theory -- Room M3
10:00 - 11:00
Enrico Piccione (Universitetet i Bergen)
Recent advancements on TI without on-line randomness
Abstract
In 1999, Kocher et al. introduced Differential Power Analysis (DPA), an attack that uses the power consumption of a device to retrieve the secret key. As a result, side-channel countermeasures were developed, aiming for the secure implementation of symmetric primitives. In the same year, the masking technique was developed as a countermeasure, but the technique alone does not account for physical behaviours such as glitches. In 2006, Nikova et al. proposed a masking-based technique called Threshold Implementation (TI) to solve this issue. A common use of this technique is to decompose an encryption algorithm into components separated by registers, with the condition that each component satisfies the properties required by the TI technique. However, a naive application of this technique may result in implementations that are either too large to fit in the target device, too slow to meet the required performance, or unable to meet the security requirements. Many designs therefore use on-line randomness to meet those requirements. However, in practice, this procedure can be resource-demanding and introduce weaknesses if not done properly. In this talk, we present recent advancements on TI without on-line randomness and discuss future challenges.
George Petrides
Decomposing Permutation Polynomials for More Efficient Hardware Implementations
Abstract
Modern symmetric ciphers commonly employ permutation polynomials as core components, AES being a prime example. The implementations of these ciphers in hardware need to provide resistance to side-channel analysis and physical tampering. In some of the techniques used for achieving this, such as masking, the algebraic degree of the permutation polynomial used in the cipher affects the hardware area of the implementation proportionally. At the same time, permutation polynomials suitable for cryptographic use are most often of high algebraic degree. To address this issue and reduce the hardware area while maintaining the security of the cipher, one can decompose high algebraic degree polynomials into polynomials of small algebraic degrees which can be implemented more efficiently. In this talk we will discuss the state of the art in this respect and provide directions for future research.
11:00 - 11:30
Coffee break
11:30 - 13:00
Rocco Brunelli (Università RomaTre)
Generic Partial Decryption as Feature Engineering for Neural Distinguishers
Abstract
In Neural Cryptanalysis, a deep neural network is trained as a cryptographic distinguisher between pairs of ciphertexts (F(X), F(X + δ)), where F is either a random permutation or a block cipher, and δ is a fixed difference. The AutoND framework aims to use neural distinguishers that are treated as a generic tool and discourages cipher-specific optimizations. On the other hand, other works obtain superior distinguishers by adding dedicated features, such as selected parts of the difference in the previous rounds, to the input of the neural distinguishers. In this paper, we study Generic Partial Decryption as a feature engineering technique and integrate it within a fully automated pipeline, where we evaluate its effect independently of the number of pairs per sample, with which feature engineering is often combined. We show that this technique matches state-of-the-art dedicated approaches on Simon and Simeck. Additionally, we apply it to Aradi and present a practical neural-assisted key recovery for 5 rounds, as well as a 7-round key recovery with 2^70 time complexity. Finally, we derive useful information from the neural distinguishers and propose a non-neural version of our 5-round key recovery.
Alessandro Neri (Università di Napoli)
Coding Theory Meets Convex Geometry: The Etzion-Silberstein Conjecture
Abstract
In 2009 Etzion and Silberstein proved a combinatorial upper bound on the largest dimension of a rank-metric code over a finite field whose nonzero matrices are supported on a given Ferrers diagram and all have rank lower bounded by a fixed positive integer r. In the same paper, they also conjectured that such an upper bound is always tight: that is, for every r and Ferrers diagram D there exists an optimal rank-metric code supported on D. Since then, their conjecture has been verified in a number of cases, but as of today it still remains widely open. In this talk, we investigate the notion of reducibility of Ferrers diagrams: a diagram D reduces to D′ if an optimal code supported on D can be obtained by shortening or inclusion of an optimal code supported on D′. This induces a natural notion of irreducibility of Ferrers diagrams, and the validity of the conjecture for irreducible diagrams implies the validity of the full conjecture for all diagrams. Moreover, following the notion of irreducibility, we can provide the Hasse diagram of Young's lattice with an orientation. This produces a directed graph in which sources correspond to irreducible diagrams. As our main result, we give a combinatorial characterization of irreducible diagrams, as the integer points of a special polytope of dimension 2r-3. This talk is based on a joint work with Hugo Sauerbier Couvée.
Paolo Santonastaso (Politecnico di Bari)
Optimal Rank-Metric Codes from Skew Polynomial Rings: Constructions and a Welch–Berlekamp Like Algorithm
Abstract
In recent years, rank-metric codes have attracted growing attention due to their numerous applications in practical scenarios and their deep connections with various algebraic and combinatorial structures. A particularly relevant class is that of Maximum Rank Distance (MRD) codes, which attain the largest possible size for a given minimum distance. In this talk, we introduce a new family of MRD codes, obtained from suitable subsets of quotient spaces of skew polynomial rings. This framework unifies several previously known constructions. We compute invariants for these codes and show that this family provides infinitely many new examples of MRD codes. Finally, we present a Welch–Berlekamp like algorithm for decoding MRD codes within these new families. This is joint work with Eimear Byrne, F. J. Lobillo, Arani Paul, and John Sheekey.
13:00 - 14:00
Lunch
Workshop: Recent Advances in Post-Quantum Cryptography -- Room M1
14:00 - 15:30
Invited talk: Paolo Santini (Università Politecnica delle Marche)
Riding a BIKE with failures (without falling down too many times)
Abstract
Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes offer a very simple and competitive way to build post-quantum Key Encapsulation Mechanisms (KEMs). Examples of cryptosystems based on such codes are LEDAcrypt and BIKE, with the latter having been one of the finalists in the NIST competition, together with HQC and Classic McEliece. The fundamental issue with BIKE is in the difficulty of assessing the Decryption Failure Rate (DFR) and, in particular, in proving that the DFR can be negligible in the security parameter (say, less than 2^(-128) for NIST category 1). This comes from the difficulty of modeling the behaviour of the employed decoder, called Bit Flipping (BF). This may seem paradoxical since the BF is a very basic and simple decoder; still, despite many years of research, no appealing solution has been found. Solving the DFR issue, i.e., finding a good and reliable theoretical model for a competitive BF decoder, would finalize the construction of a KEM based on QC-MDPC codes and, arguably, would represent a breakthrough in post-quantum cryptography. In this talk we recall how BIKE works and then focus on BF decoding, aiming to explain why estimating the DFR is so complicated. We will also briefly recall the most relevant approaches to model the DFR. The talk shall be intended as a high level discussion about the DFR issue, with the aim of raising interest and stimulating new and fresh ideas for this simple to describe, yet intrinsically difficult, open problem.
Rahmi El Mechri (Università Politecnica delle Marche)
SPECK: Signature from Permutation Equivalence of Codes and Kernel
Abstract
SPECK is a post-quantum digital signature protocol based on the Permuted Kernel Problem (PKP) and Permutation Code Equivalence Problem (PEP). It enhances performance over existing methods like LESS by modifying the commitment step—sending only a codeword and solving a PKP instance. The protocol introduces the PECK assumption, ensuring security under specific parameters, and offers faster verification times with reduced signature sizes.
Rosa Fera (Università di Cassino e del Lazio meridionale)
Hilbert series and degrees of regularity of Oil & Vinegar and Mixed quadratic systems
Abstract
This study explores the algebraic properties of Oil & Vinegar (OV) and mixed quadratic systems in multivariate cryptography, focusing on their Hilbert series and degrees of regularity. By deriving explicit formulas and analyzing algebraic invariants, the research advances understanding of the complexity and security of these cryptosystems, which are key candidates for quantum-resistant algorithms.
15:30 - 16:00
Coffee break
16:00 - 17:00
Wissam Ghantous (University of Central Florida)
Cycles in the generalized supersingular L-isogeny graph
Abstract
We study cycles in the generalized supersingular L-isogeny graph, where L is a set of primes. We show that the notion of a cycle is more subtle than in the classical graph G_p(l). We describe different types of cycles, introducing the notion of canonical decomposition and the role of refactoring. We focus on principal cycles and provide two methods to study their counts: trace formulas of Brandt matrices and ideal counting. We present theorems for the total number of principal isogeny cycles of a given degree and for the total number of principal isogeny cycles of a given length.
Martina Vigorito (EPITA Paris)
On the Security of MQ-based ZKPoK in the Multi-Instance Setting
Abstract
This talk is based upon the work of Bidoux and Gaborit, who introduced a technique exploiting multiple instances of hard problems simultaneously to reduce communication complexity in ZKPoK schemes. Central to this approach is the Differential Multivariate Quadratic (DiffMQH) problem, a novel formulation arising in the multi-instance context. Vigorito and colleagues present a new probabilistic algorithm to solve DiffMQH efficiently, exposing vulnerabilities in the security assumptions of such MQ-based ZKPoK protocols. The findings underscore the necessity for careful security assessment in the multi-instance setting, influencing the design of more robust post-quantum cryptographic protocols.
Workshop: Protocols, Privacy and Security in Digital Identity -- Room M3
14:30 - 15:30
Andrea D'Intino (Forkbomb BV)
Introduction
Abstract
In this talk we provide an overview of the ongoing digital identity efforts, focusing on the cryptography but including context about the political standpoints as well as the institutional and industry actors involved, in the EU and USA/Canada. We will provide a comparative analysis of the main cryptographic schemes used, along with communication protocols and the data formats for both digital identities and verifiable credentials. Some of the discussed subjects are:
- Identity and credential formats: SD-JWT and mDOC (EUDI-ARF), W3C-DID and W3C-VC 2.0, mobile driving licenses
- Communication protocols: OpenID4VCI and OpenID4VP
- Overview of accepted signatures schemes in EUDI-ARF and W3C-VC
- TEE and cryptographic devices
- ZKP in "Age Verification"
Emiliano Vernini (EY Italy)
State of the art: impact of eIDAS 2.0 for QTSPs, public and private sector.
Abstract
We summarize the implications and impacts of eIDAS 2.0 for QTSPs and public and private organizations: market perspectives, main use cases, LSPs, main development efforts from member states and public/private organizations. Italian EUDI Wallet: actors, components and interoperability within the latest EUDI-ARF and beyond. Integration with legacy systems and the Italian electronic identity card.
Denis "Jaromil" Roio (Dyne.org foundation / W3C Security Interest Group)
Security analysis of EUDI
Abstract
We explore the security aspects of implementing protocols in EUDI wallet mobile apps, focusing on their connection, integration, and extension with web browsers. What threats could emerge, what mitigations should be applied, and what considerations must developers keep in mind? Additionally, what future developments and API standards could enhance browser security for online identity verification?
15:30 - 16:00
Coffee break
16:00 - 17:00
Invited talk: Matteo Frigo (Google, Inc.)
Zero-Knowledge Proofs in Identity Wallets.
Abstract
We discuss the Google Longfellow-ZK system for generating zero-knowledge presentations of identity documents. The system is available as open source, it is integrated in the Google Wallet, and it is recommended for use in the forthcoming EU Age Verification application. Longfellow-ZK uses existing MDOC identity documents with no changes to either issuers or on-device hardware secure elements. A fresh zero-knowledge proof of possession of a document with the desired attributes can be generated in about one second on a mid-range mobile phone.
Puria Nafisi Azizi (Forkbomb BV)
Conformance, interoperability and security testing of EUDI
Abstract
We explore the conformance and interoperability challenges in EUDI-ARF, analyzing the existing conformance test suites for the transport protocols and use cases, as well as the challenges in Wallet certification.
Harmen van der Kooij (FIDES Community)
Interoperability Through Open Ecosystems
Abstract
This talk will highlight the impact on interoperability of an open ecosystem, connecting sectors and countries. By advancing the global adoption of digital wallets and verifiable credentials for people, organizations, and products, such initiatives bring public and private actors together to collaborate on open, interoperable trust infrastructure. They enable scalable use cases across domains—from identity and organizational compliance to digital product passports and trade documents. FIDES plays a key role in providing the space, tools, and coordination needed to explore, align, and test real-world applications.
Workshop: History of Cryptography -- Room M2
(in Italian)
14:30 - 15:30
Paolo Bonavoglia (Independent Researcher)
Do mathematicians win wars? The case of the Cambrai War
Abstract
In 1500, after a century of wars, Venice annexed Romagna. Pope Julius II called for a Holy League with the Christian Kings and the Empire to stop Venice once and for all. In May 1509, the Venetian army was defeated by the French and faced total ruin with the siege of Padua. But suddenly, the Papacy proposed a peace to join forces and expel the French from Italy. Venice just had to return Romagna and renounce all future claims on it. Several conjectures on this reversal have been proposed. We present the possibility it was made possible by Venetian cryptanalysis, in particular by the work of secretary Zuan Soro, renowned for decrypting all intercepted messages.
Ivan Parisi (Institut Internacional d’Estudis Borgians)
Federico da Montefeltro and the Art of Cryptography: between Practical Use, Experimentation, and Sublimation
Abstract
During the Renaissance, the small Duchy of Urbino experienced a flourishing development of science and the arts thanks to the enlightened patronage of Federico da Montefeltro. Among the disciplines cultivated at his court, cryptography also found a significant place, not only as a practical tool but also as an object of reflection and experimentation. The daily use of ciphers is documented in Urbinate Latin Codex no. 998 from the duke’s renowned library, today preserved in the Vatican Apostolic Library, which gathers numerous cryptographic systems employed in correspondence with ambassadors and powerful figures of the time. In addition to this, two further manuscripts from the same collection, Urb. Lat. 948 and Urb. Lat. 949, although of still uncertain dating, might bear witness to a surprising precocity in the exploration of polyalphabetic systems, even anticipating Trithemius’s famous tables. Finally, Federico’s passion for cryptography also emerges on the symbolic and aesthetic level: in the studiolo of Gubbio, one of the highest expressions of the Italian Renaissance, a panel appears depicting a ciphered chart. This element may be interpreted as a true celebration of cryptography, ideally placed on the same level as the liberal arts.
Marco Vito (University of Wien & University of Salerno)
Italy and Florence: Cryptography in the 15th Century
Abstract
Florence in the Late Middle Ages is regarded by some historians as the political center of the time. The political strategies of Lorenzo de’ Medici, known as the Magnificent, positioned the Signoria as a mediator between the Papacy and various Italian political entities. Among the many rivalries at play was the competition to devise the most effective system of secret writing. From the Papal States, Leon Battista Alberti was commissioned to invent what would become the first Western polyalphabetic cipher system. Under Sforza rule, there were first-rate cryptographers, including Francesco Tranchedino, personal secretary to Cicco Simonetta and compiler of the Viennese Codex, a collection of Sforza ciphers used between 1450 and 1496. Mantua, Lucca, and Naples—though the latter lost all direct evidence of its cryptographic practices during the Second World War—represented different expressions of a continuously evolving system of secret writing. Florence, for its part, appears to have adopted cryptography systematically somewhat later than other states, but it distinguished itself through the variety of systems employed, making use of monoalphabetic ciphers with homophones, as well as jargon-based and polyalphabetic systems throughout the course of the 15th century.
Flavio Atzeni (Senior Web Developer)
Francesco Cosimato (Retired Army General)
Enigma in action
Abstract
There are numerous studies on the Enigma machine, mostly focused on its operation, almost none on how it was actually used on the battlefield. Starting from this consideration, we conceived this Historical Workshop, "Enigma in Action", an in-depth look at the real-life use of the German cryptographic machine, from the transmission of a message actually sent during the Russian campaign to the forms used at the time.
Workshop: Quantum Random Number Generators & Cryptography -- Room M2
16:00 - 17:00
Leonardo Errati (Politecnico di Torino)
Roberto La Scala (Università di Bari)
Mauro Patano (Istituto Nazionale di Fisica Nucleare)
Cryptographic Standards for Random Number Generation
Abstract
Random number generation is an often overlooked cornerstone for secure communications, cryptographic protocols, and scientific simulations. We offer a concise overview of the NIST framework for random bit generation, highlighting how the construction of Quantum RNGs - from entropy sources to filters and test suites - is a multidisciplinary effort of engineers, physicists, and mathematicians. We then introduce the potential of quantum entropy sources through an integration project for distributed IT infrastructures.
Valeria Rossi (RandomPower s.r.l. & University of Insubria)
Introducing Quantum Random Number Generators, basic principles and technologies
Abstract
Random numbers play a fundamental role in many sensitive applications, ranging from cryptography, to identity management, to Monte Carlo simulations. The quantum world, being intrinsically probabilistic, provides an ideal setting for their production. Furthermore, quantum correlations can be exploited to certify unpredictability, even when the devices themselves are untrusted. We present the physical principles behind the main commercially available Quantum Random Number Generators and the biases that may affect their implementation, from self-testing to practical trusted systems.
Nicola Massari (Fondazione Bruno Kessler)
QRNG-on-a-chip: exemplary embodiments
Abstract
Massimo Caccia (RandomPower s.r.l. & University of Insubria)
The Random Power FIPS compliant QRNG on-a-chip
Abstract
Random Power is a company spun off from Università dell’Insubria and AGH University of Krakow, targeting the development of a platform of random bit streamers based on quantum tunneling in silicon structures. Thanks to the support of the European Commission and a collaborative effort at the European level, it rapidly managed to design, produce and qualify a series of FIPS-compliant embodiments, including an Application Specific Integrated Circuit, i.e., a chip. The presentation will focus on the chip architecture, the main challenges to be faced, the state of play and the next steps.
Cesare Caratozzolo (RandomPower s.r.l. & University of Insubria)
Main drives and exemplary applications of QRNGs
Abstract
Randomness is at the heart of today’s technology, powering everything from secure communications to data protection. We’ll discuss why randomness is needed, where it’s applied, and how it’s generated with PRNGs and TRNGs. We’ll explore some case studies in Cryptography and Differential Privacy, like in the U.S. Census, that show why the quality of randomness really matters.
Workshop: A Journey into Bitcoin’s Cryptography -- Room M1
17:00 - 18:00
Gianluca Cappiello (BitPolito, Politecnico di Torino)
Introduction to Bitcoin
Abstract
This introductory section aims to outline the main features of the Bitcoin protocol that make it the only private and decentralized digital currency system, analyzing how it can be made scalable and more efficient.
Bianca Rampazzo (BitPolito, Politecnico di Torino)
ZK-STARKs on Bitcoin
Abstract
We will cover the basics of ZK-STARKs, exploring their transparency, post-quantum resilience, and why they might be a natural fit for Bitcoin and related protocols.
Gianluca Cappiello (BitPolito, Politecnico di Torino)
Enrico Zangirolami (BitPolito, Politecnico di Torino)
Schnorr digital signature protocols + Live Demo