Selected Areas in Cryptography 2025
Toronto Metropolitan University
August 11–15, 2025
Toronto, Ontario


Schedule


Mon Aug 11
8:45 AM – 9:00 AM
TRSM Main Lobby Entrance (55 Dundas St. West, Toronto, ON, M5G 2C3)

SAC Summer School - Registration


Mon Aug 11
9:00 AM – 10:30 AM
TRS 1-149

SAC Summer School - Differential Cryptanalysis, Part 1

Searching for Differential Attacks

Patrick Derbez, Univ Rennes, Inria, CNRS, IRISA, France

In this lesson, we will explore differential cryptanalysis, a powerful and widely studied, yet non-trivial, cryptanalytic technique. We will begin by examining various algorithmic approaches (e.g., dynamic programming, branch-and-cut) and generic modeling frameworks (e.g., SAT, MILP) for finding differential distinguishers across different cipher designs, including AES, SKINNY, and SPEEDY. We will discuss key challenges in evaluating the probability of a differential distinguisher, such as key-dependent probabilities and the clustering of differential characteristics. Next, I will explain how to transform a differential distinguisher into a key-recovery attack, introducing the concept of probabilistic extensions of differential distinguishers and outlining the core problems in the key-recovery phase, along with algorithms designed to tackle them. Finally, we will examine some open and emerging challenges in the field of differential cryptanalysis.
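To make the search problems the lesson outlines concrete, here is an added example (constructed for this page, not code from the lecture or the speaker). It builds a toy 12-bit SPN from three PRESENT S-boxes and a PRESENT-style bit permutation, computes the DDT, finds the best single differential trail by dynamic programming over differences, sums every trail between a fixed input and output difference to expose clustering, and checks the numbers against encryptions under random keys. The cipher, its size and the chosen input difference are assumptions of the example.

```python
"""Toy 12-bit SPN: DDT, best differential trail (max-DP), all-trail differential
probability (sum-DP, i.e. clustering) and a Monte-Carlo check. Constructed example."""
import math
import random
from collections import defaultdict

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # PRESENT
NB = 3                                   # S-boxes per round (assumed toy size)
BLOCK = 4 * NB
PERM = [(3 * i) % 11 for i in range(BLOCK - 1)] + [BLOCK - 1]  # PRESENT-style: bit i -> 3i mod 11

def make_ddt(sbox):
    """DDT[dx][dy] = number of x (out of 16) with sbox[x] ^ sbox[x ^ dx] == dy."""
    t = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for dx in range(16):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t

DDT = make_ddt(SBOX)

def permute(x):
    return sum(1 << PERM[i] for i in range(BLOCK) if (x >> i) & 1)

def encrypt(p, round_keys):
    """len(round_keys)-1 rounds of key XOR, S-box layer, bit permutation; last key whitens."""
    x = p
    for k in round_keys[:-1]:
        x ^= k
        x = permute(sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(NB)))
    return x ^ round_keys[-1]

def round_transitions(din):
    """All (dout, prob) one round later: key XOR keeps the difference, every active
    S-box follows its DDT row (inactive ones stay zero), then bits are permuted."""
    outs = [(0, 1.0)]
    for i in range(NB):
        dn = (din >> (4 * i)) & 0xF
        if dn:
            outs = [(d | (o << (4 * i)), p * DDT[dn][o] / 16)
                    for d, p in outs for o in range(16) if DDT[dn][o]]
    return [(permute(d), p) for d, p in outs]

def trail_dp(din, rounds, combine):
    """Dynamic programming over differences. combine=max keeps the best single trail
    into each output difference; combine=sum adds all trails, which is the differential
    probability under the independent-round-key (Markov) assumption."""
    cur = {din: 1.0}
    for _ in range(rounds):
        nxt = defaultdict(list)
        for d, p in cur.items():
            for d2, p2 in round_transitions(d):
                nxt[d2].append(p * p2)
        cur = {d: combine(ps) for d, ps in nxt.items()}
    return cur

def best_trail(din, rounds):
    """Highest-probability r-round trail starting from din, as (dout, prob)."""
    table = trail_dp(din, rounds, max)
    dout = max(table, key=table.get)
    return dout, table[dout]

def differential_prob(din, dout, rounds):
    """Probability of the differential din -> dout with every trail counted."""
    return trail_dp(din, rounds, sum).get(dout, 0.0)

def estimate_prob(din, dout, rounds, keys=64, pairs=512, seed=1):
    """Monte-Carlo estimate over independent random round keys and plaintexts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(keys):
        rk = [rng.getrandbits(BLOCK) for _ in range(rounds + 1)]
        for _ in range(pairs):
            p = rng.getrandbits(BLOCK)
            if (encrypt(p, rk) ^ encrypt(p ^ din, rk)) == dout:
                hits += 1
    return hits / (keys * pairs)

if __name__ == "__main__":
    din = 0x001                           # one active S-box in the first round
    for rounds in (2, 3):
        dout, p_trail = best_trail(din, rounds)
        p_diff = differential_prob(din, dout, rounds)
        p_est = estimate_prob(din, dout, rounds)
        print(f"{rounds} rounds {din:03x} -> {dout:03x}: best trail 2^{math.log2(p_trail):.2f}, "
              f"all trails 2^{math.log2(p_diff):.2f}, measured {p_est:.5f}")
```

Running it prints, for 2 and 3 rounds, the best single-trail probability, the probability with all trails summed, and the measured frequency. The sum-DP is exact only because the block is tiny; for a real cipher the same enumeration is what a MILP or SAT model, or a branch-and-bound search, has to approximate, and the gap between the max and the sum is the clustering effect. Averaging over independent random round keys is what makes the measured value track the sum; for a single fixed key the probability can deviate, which is the key-dependence problem.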

Mon Aug 11
10:30 AM – 11:00 AM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Coffee Break


Mon Aug 11
11:00 AM – 12:15 PM
TRS 1-149

SAC Summer School - Differential Cryptanalysis, Part 2

Searching for Differential Attacks

Patrick Derbez, Univ Rennes, Inria, CNRS, IRISA, France


Mon Aug 11
12:15 PM – 1:45 PM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Lunch


Mon Aug 11
1:45 PM – 3:15 PM
TRS 1-149

SAC Summer School - Post-Quantum Cryptography, Part 1

A tutorial on Post-Quantum Cryptography

Doug Stinson, University of Waterloo, Canada

We begin with a short introduction to quantum computing and its potential impact on current cryptographic algorithms, and we summarize the ongoing NIST standardization process for post-quantum cryptography. We briefly review some important cryptographic tools that are used in the design of post-quantum cryptography, including pseudorandom generators and functions, the random oracle model and key encapsulation mechanisms. Then we discuss the main approaches to post-quantum cryptography, emphasizing the underlying mathematical techniques. These include:
- hash-based signature schemes
- code-based cryptography (e.g., McEliece, Niederreiter, BIKE, HQC)
- lattice-based cryptography (e.g., NTRU, Regev, Kyber, Dilithium)
- multivariate cryptography (e.g., Oil and Vinegar)
We assume a basic background in cryptography, algebra and number theory.

Mon Aug 11
3:15 PM – 3:45 PM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Coffee Break


Mon Aug 11
3:45 PM – 5:00 PM
TRS 1-149

SAC Summer School - Post-Quantum Cryptography, Part 2

A tutorial on Post-Quantum Cryptography

Doug Stinson, University of Waterloo, Canada






Tue Aug 12
9:00 AM – 10:30 AM
TRS 1-149

SAC Summer School - Arithmetization-Oriented Primitives, Part 1

A Guided Tour through the Jungle of Arithmetization-Oriented Primitives

Clémence Bouvier, Inria Nancy, France

In the last few years, a large number of symmetric primitives have been introduced following the emergence of advanced protocols such as multi-party computation (MPC), in combination with fully homomorphic encryption (FHE), or in various zero-knowledge proof (ZKP) systems. These primitives, also known as Arithmetization-Oriented Primitives (AOPs), are based on a specific arithmetic and operate in an environment that is unusual for symmetric cryptography. In this lecture, we will present the context that led to the emergence of AOPs and propose different ways of classifying them. We will also discuss the latest advances in design and security analysis.

Tue Aug 12
10:30 AM – 11:00 AM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Coffee Break


Tue Aug 12
11:00 AM – 12:15 PM
TRS 1-149

SAC Summer School - Arithmetization-Oriented Primitives, Part 2

A Guided Tour through the Jungle of Arithmetization-Oriented Primitives

Clémence Bouvier, Inria Nancy, France


Tue Aug 12
12:15 PM – 1:45 PM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Lunch


Tue Aug 12
1:45 PM – 3:15 PM
TRS 1-149

SAC Summer School - Deep Learning-based Side-channel Analysis, Part 1

A Deep Dive into Deep Learning-based Side-channel Analysis

Stjepan Picek, University of Zagreb, Croatia and Radboud University, Nijmegen, The Netherlands

Side-channel attacks (SCAs) have been a realistic threat to the security of embedded devices for nearly three decades now. A wide range of attacks, and of targets they can be applied to, have been introduced, and while the area of side-channel attacks and their mitigations is very well researched, there are still important open challenges. Deep learning-based side-channel attacks (DLSCA) entered the field in recent years with the promise of more competitive performance and improved attacker capabilities compared to other techniques. Breaking targets protected with countermeasures even with a few attack traces, together with relaxed pre-processing requirements, makes DLSCA a powerful option. Despite such results, challenges remain. This tutorial starts with an overview of results from the last few years. Next, we will concentrate on several open challenges. This tutorial will also provide a practical introduction to DLSCA, allowing participants to run and edit the code to mount their attacks. We will conclude the talk by discussing potential future research directions.
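To make the profiled-attack setting concrete, here is an added Python example (constructed for this page, not code from the tutorial): a classical Gaussian template attack on simulated single-sample traces of the AES S-box output, which is the baseline that deep-learning models replace. The leakage model (Hamming weight plus Gaussian noise), the noise level, the trace counts and the key bytes are all assumptions of the example; the S-box is computed rather than typed in so that the test can check it.

```python
"""Profiled (template) attack on simulated AES S-box leakage. Constructed example:
profile on traces with a known key, then rank all 256 hypotheses for an unknown key byte."""
import random

def _gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _aes_sbox():
    """AES S-box: inversion (x^254, which maps 0 to 0) followed by the affine map."""
    out = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = _gf_mul(inv, x)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        out.append(s ^ 0x63)
    return out

SBOX = _aes_sbox()
HW = [bin(v).count("1") for v in range(256)]

def leak(p, k, sigma, rng):
    """Assumed leakage model: Hamming weight of the S-box output plus Gaussian noise."""
    return HW[SBOX[p ^ k]] + rng.gauss(0.0, sigma)

def simulate(n, key, sigma, rng):
    """n random plaintext bytes and the corresponding one-sample traces."""
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [leak(p, key, sigma, rng) for p in pts]

def build_templates(pts, traces, key):
    """One class per Hamming weight of S[p ^ key]: class mean plus a pooled variance."""
    sums, counts = [0.0] * 9, [0] * 9
    for p, t in zip(pts, traces):
        c = HW[SBOX[p ^ key]]
        sums[c] += t
        counts[c] += 1
    # weights 0 and 8 occur with probability 1/256 each; fall back to the nominal value if unseen
    means = [sums[c] / counts[c] if counts[c] else float(c) for c in range(9)]
    var = sum((t - means[HW[SBOX[p ^ key]]]) ** 2 for p, t in zip(pts, traces)) / len(traces)
    return means, var

def score_hypotheses(pts, traces, means, var):
    """Gaussian log-likelihood of every key hypothesis, accumulated over the attack traces."""
    scores = []
    for k in range(256):
        ll = 0.0
        for p, t in zip(pts, traces):
            ll -= (t - means[HW[SBOX[p ^ k]]]) ** 2 / (2 * var)
        scores.append(ll)
    return scores

def key_rank(scores, true_key):
    """Position of the true key when hypotheses are sorted by score (0 = recovered)."""
    order = sorted(range(256), key=lambda k: scores[k], reverse=True)
    return order.index(true_key)

def run_attack(sigma=2.0, n_profile=10000, n_attack=400, seed=7):
    """Profile with one (known) key, attack another; returns (rank, class means)."""
    rng = random.Random(seed)
    prof_key, target_key = 0x2B, 0xA7                      # constructed key bytes
    p_pts, p_tr = simulate(n_profile, prof_key, sigma, rng)
    means, var = build_templates(p_pts, p_tr, prof_key)
    a_pts, a_tr = simulate(n_attack, target_key, sigma, rng)
    scores = score_hypotheses(a_pts, a_tr, means, var)
    return key_rank(scores, target_key), means

if __name__ == "__main__":
    for n in (10, 50, 400):
        rank, _ = run_attack(n_attack=n)
        print(f"{n:4d} attack traces -> rank of the true key byte: {rank}")
```

The pipeline is the one a DLSCA follows: a profiling set with a known key to fit a model, an attack set with an unknown key scored trace by trace, scores accumulated over traces, and the rank of the true key (averaged over repeated experiments as guessing entropy) as the metric. A network replaces the per-class means with a classifier over the whole multi-sample trace, which is what removes the need to pick points of interest or to align traces; the masking countermeasures the abstract refers to are not simulated here.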

Tue Aug 12
3:15 PM – 3:45 PM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Coffee Break


Tue Aug 12
3:45 PM – 5:00 PM
TRS 1-149

SAC Summer School - Deep Learning-based Side-channel Analysis, Part 2

A Deep Dive into Deep Learning-based Side-channel Analysis

Stjepan Picek, University of Zagreb, Croatia and Radboud University, Nijmegen, The Netherlands






Wed Aug 13
8:30 AM – 9:05 AM
TRSM Lobby Main Entrance (55 Dundas St. West, Toronto, ON, M5G 2C3)

Registration


Wed Aug 13
9:05 AM – 9:15 AM
Harry Rosen Theatre (TRS 3-176)

Opening Remarks

by Christina Boura, Atty Mashatan and Ali Miri


Wed Aug 13
9:15 AM – 10:15 AM
Harry Rosen Theatre (TRS 3-176)
Session chair: Christina Boura

Invited Lecture - AI to the Rescue: Where AI Meets Cryptography

Stjepan Picek, University of Zagreb, Croatia and Radboud University, Nijmegen, The Netherlands

In recent years, artificial intelligence (AI) has become an emerging technology for assessing security and privacy. Despite difficult beginnings, today AI is also used in cryptography, allowing faster (and sometimes better) results than other techniques. AI is successfully applied in a range of cryptographic contexts, including profiled side-channel attacks using neural networks, modeling and attacking physically unclonable functions, detection and classification of hardware Trojans, and even assisting differential cryptanalysis. However, this convergence of AI and cryptography brings a unique set of challenges. The black-box nature of many AI models, the difficulty of ensuring reproducibility, and concerns around adversarial manipulation all pose significant obstacles. In the first part of the talk, we will highlight success stories where AI improved the state of the art in cryptography. In the second part of the talk, we will examine what cryptography can do for the security of machine learning. We will cover examples like differential cryptanalysis used for model stealing, indistinguishable backdoors, and cryptography enabling privacy for neural networks. Finally, we will conclude the talk by discussing diverse challenges and future research directions.

Wed Aug 13
10:15 AM – 10:45 AM
Lobby outside the Harry Rosen Theatre (TRS 3-176)

Coffee Break


Wed Aug 13
10:45 AM – 12:05 PM
Harry Rosen Theatre (TRS 3-176)
Session chair: Pierrick Méaux

Physical Security

Picking up the Fallen Mask: Breaking and Fixing the RS-Mask Countermeasure
by Dilara Toprakhisar, Svetla Nikova and Ventzislav Nikov

Diffuse Some Noise: Diffusion Models for Measurement Noise Removal in Side-channel Analysis
by Sengim Karayalcin, Guilherme Perin and Stjepan Picek

Efficient SPA Countermeasures using Redundant Number Representation with Application to Kyber
by Rishub Nagpal, Vedad Hadžić, Robert Primas and Stefan Mangard

Secret in OnePiece: Single-Bit Fault Attack on Kyber
by Jian Wang, Weiqiong Cao, Hua Chen and Haoyuan Li


Wed Aug 13
12:05 PM – 1:30 PM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Lunch Break

Lunch included


Wed Aug 13
1:30 PM – 3:10 PM
Harry Rosen Theatre (TRS 3-176)
Session chair: Pierre-Alain Fouque

Implementation

High-Throughput EdDSA Verification on Intel Processors with Advanced Vector Extensions
by Bowen Zhang, Hao Cheng, Johann Großschädl and Peter Y. A. Ryan

Air-FRI: Acceleration of the FRI Protocol on the GPU for zkSNARK Applications
by Tanmayi Jandhyala and Guang Gong

Accelerating Post-quantum Secure zkSNARKs by Optimizing Additive FFT
by Mohammadtaghi Badakhshan, Susanta Samanta and Guang Gong

Multi-precision PMNS with CIOS reduction
by François Palma, Pascal Veron and Nicolas Méloni

Unified MEDS Accelerator
by Sanjay Deshpande, Yongseok Lee, Mamuri Nawan, Kashif Nawaz, Ruben Niederhagen, Yunheung Paek and Jakub Szefer


Wed Aug 13
3:10 PM – 3:40 PM
Lobby outside the Harry Rosen Theatre (TRS 3-176)

Coffee Break


Wed Aug 13
3:40 PM – 5:00 PM
Harry Rosen Theatre (TRS 3-176)
Session chair: Yusuke Naito

Symmetric Cryptography

Preimage-type Attacks for Reduced Ascon-Hash: Application to Ed25519
by Marcel Nageler, Lorenz Schmid and Maria Eichlseder

Multiforked Iterated Even-Mansour and a Note on the Tightness of IEM Proofs
by Andreas Weninger, Amit Singh Bhati and Elena Andreeva

Breaking the Twinkle Authentication Scheme and Analyzing Its Underlying Permutation
by Debasmita Chakraborty, Hosein Hadipour, Anup Kumar Kundu, Mostafizar Rahman, Prathamesh Ram, Yu Sasaki, Dilip Sau and Aman Sinha

Blockcipher-Based Key Commitment for Nonce-Derived Schemes
by Panos Kampanakis, Shai Halevi, Nevine Ebeid and Matthew Campagna






Thu Aug 14
9:15 AM – 10:15 AM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Ali Miri

Stafford Tavares Invited Lecture - Reducing the Number of Qubits in Quantum Factoring

Pierre-Alain Fouque, University of Rennes and Institut Universitaire de France, France

In this talk, I will recall Shor's quantum algorithm, then its version by Ekerå-Håstad through the computation of short discrete logarithms, before describing our improvement via the May-Schlieper hashing technique.

Thu Aug 14
10:15 AM – 10:45 AM
Outside of TRSM Commons

Coffee Break


Thu Aug 14
10:45 AM – 12:05 PM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Yu Sasaki

Symmetric Cryptanalysis

Minimalist model for Impossible Differentials
by Patrick Derbez and Marie Euler

Impossible Differentials Automation: Model Generation and New Techniques
by Emanuele Bellini, Alessandro De Piccoli, David Gérault, Paul Huynh, Simone Pelizzola and Andrea Visconti

Collision Attacks on SPONGENT with Grouping Method
by Keita Toyama, Kosei Sakamoto and Takanori Isobe

Practical Collision Attacks on Reduced-Round Xoodyak Hash Mode
by Huina Li, Le He and Weidong Qiu


Thu Aug 14
12:05 PM – 1:30 PM
TRSM Commons (rooms TRS 1-148 and TRS 1-150)

Lunch Break

Lunch included


Thu Aug 14
1:30 PM – 2:30 PM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Daniel Panario

Code-based and Multivariate Cryptography

AI for Code-based Cryptography
by Mohamed Malhou, Ludovic Perret and Kristin Lauter

Practical Attack on All Parameters of the HPPC Signature Scheme
by Pierre Briaud, Maxime Bros, Ray Perlner and Daniel Smith-Tone

Algebraic Key-Recovery Side-Channel Attack on Classic McEliece
by Michaël Bulois, Pierre-Louis Cayrel, Vlad-Florin Drăgoi and Vincent Grosso


Thu Aug 14
2:30 PM – 3:10 PM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Daniel Panario

Boolean Functions and Quantum Key Search

The Revisited Hidden Weight Bit Function
by Pierrick Méaux, Tim Seuré and Deng Tang

Bit Security of Quantum Key Search
by Marc Fischlin and Evangelos Gkoumas


Thu Aug 14
3:10 PM – 3:40 PM
Outside of TRSM Commons

Coffee Break


Thu Aug 14
3:40 PM – 4:20 PM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Samuel Jaques

Fully Homomorphic Encryption

Downlink (T)FHE ciphertexts compression
by Antonina Bondarchuk, Olive Chakraborty, Geoffroy Couteau and Renaud Sirdey

Efficient Full Domain Functional Bootstrapping from Recursive LUT Decomposition
by Intak Hwang, Shinwon Lee, Seonhong Min and Yongsoo Song


Thu Aug 14
4:20 PM – 5:00 PM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Samuel Jaques

Isogeny-Based Cryptography

How (not) to Build Identity-Based Encryption from Isogenies
by Elif Özbay Gürler and Patrick Struck

PIsignHD: A New Structure for the SQIsign Family with Flexible Applicability
by Kaizhan Lin, Weize Wang, Chang-An Zhao and Yunlei Zhao


Thu Aug 14
5:00 PM – 5:10 PM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067

Group Photo


Thu Aug 14
5:30 PM – 8:00 PM
TRSM Commons

Banquet






Fri Aug 15
9:15 AM – 10:15 AM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Atty Mashatan

Invited Lecture - Deep Neural Cryptography

Adi Shamir, Weizmann Institute of Science, Israel

The wide adoption of deep neural networks (DNNs) raises the question of how we can equip them with a desired cryptographic functionality (e.g., to decrypt an encrypted input, to verify that this input is authorized, or to hide a secure watermark in the output). The problem is that cryptographic primitives are typically designed to run on digital computers that use Boolean gates to map sequences of bits to sequences of bits, whereas DNNs are a special type of analog computer that uses linear mappings and ReLUs to map vectors of real numbers to vectors of real numbers. In this talk I will describe a new theory of security when digital cryptographic primitives are implemented as ReLU-based DNNs, show that natural implementation techniques are highly insecure, and finally develop a new and completely practical method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way.

Fri Aug 15
10:15 AM – 10:45 AM
Outside of TRSM Commons

Coffee Break


Fri Aug 15
10:45 AM – 11:45 AM
Steve & Rashmi Gupta Lecture Theatre TRS 1-067
Session chair: Douglas Stebila

Public Key Cryptography

An attack on ML-DSA using an explicit hint
by Paco Azevedo Oliveira, Louis Goubin and Jordan Beraud

Bounded CCA2 Secure Proxy Re-encryption from Lattices
by Shingo Sato and Junji Shikata

Public-Key Encryption and Injective Trapdoor Functions from LWE with Large Noise Rate
by Liheng Ji and Yilei Chen