François Dupressoir

Quantum computers break ECC as well.

We’re hiring in Artificial Intelligence

We are recruiting two Lecturers / Senior Lecturers in AI to join our growing, world-leading community.

📅 Closing date: 24 March
🔗 Full details & apply: www.bristol.ac.uk/jobs/find/de...

Please share with anyone who might be interested.

a painting of napoleon giving a thumbs up sign Alt: a painting of napoleon giving a thumbs up sign

Corsica?

This was a fun piece of work, if your idea of fun is trying to prove false for a month before realising that the RFC and its reference implementation are equivalent for the parameters defined in the RFC (and elsewhere) but not for all values of the parameters.

Fortunately for me, it's mine.

Planning your trip to Eurocrypt or looking for an excuse to still go? The reviewers did not appreciate your too involved or too elegant proofs?

Consider submitting a talk to ProTeCS (protecs-workshop.gitlab.io), an affiliated event of EC, where we celebrate proofs as independent objects of study!

Abstract. Specified as part of the (standard, optional) M extension, the mul and mulhu instructions reflect support for unsigned integer multiplication in RISC-V base Instruction Set Architectures (ISAs) such as RV32I and RV64I: given w-bit integers x and y for a word size w, they respectively produce the less- and more-significant w bits of the (2 · w)-bit product r = x × y. This typically minimal, and hence RISC-like form contrasts sharply with many alternative ISAs. For example, ARMv7-M includes a rich set of multiply and multiply-accumulate instructions; these cater for a wide variety of important use-cases in cryptography, where multi-precision integer arithmetic is often a central requirement. In this paper, we explore the extension of RV32I and RV64I, i.e., an Instruction Set Extension (ISE), with richer support for unsigned integer multiplication. Our design has three central features: 1) it includes dedicated carry propagation and multiply-accumulate instructions, 2) those instructions allow flexible selection of the radix (thus catering for reduced- and full-radix representations), and 3) the design can be considered for any w, and so uniformly across both RV32I and RV64I. A headline outcome of our evaluation is that, for X25519-based scalar multiplication, use of the ISE affords 1.5× and 1.6× improvement for full- and reduced-radix cases, respectively, on RV32I, and 1.3× and 1.7× improvement for full- and reduced-radix cases, respectively, on RV64I.

Image showing part 2 of abstract.

Extending RISC-V to Support Flexible-Radix Multiply-Accumulate Operations (Isaar Ahmad, Hao Cheng, Johann Großschädl, Daniel Page) ia.cr/2026/108

Abstract. The Beneš network can be utilised to apply a single permutation to different inputs repeatedly. We present novel generalisations of Bernstein’s formulae for the control bits of a Beneš network and from them derive an iterative control bit setting algorithm. We provide verified proofs of our formulae and prototype a a provably correct implementation in the Lean language and theorem prover. We develop and evaluate portable and vectorised implementations of our algorithm in the C programming language. Our implementation utilising Intel’s Advanced Vector eXtensions 2 feature reduces execution latency by 25% compared to the equivalent implementation in the libmceliece software library.

Verified non-recursive calculation of Beneš networks applied to Classic McEliece (Wrenna Robson, Samuel Kelly) ia.cr/2026/107

"Designing and crafting good envelopes is really hard, you know?" he writes, for the person whose career is to design and craft really good envelopes to read.

"I want to send you a message. Would you prefer I send it on a postcard, or on a letter inside an envelope?"

"Obviously on a postcard. Someone could open the envelope and give you a false sense of security."

"Ur. What?"

OK, I've just started skimming through, and the first thing I notice is multi-user security definitions. I'm now sitting up right and wondering if I should go to the office to print it out...

This is very nice.

I saw that. And a nice piece of cryptographic design as well.

It's fine as long as all voters get a chance to double vote.

Perfect time to switch to vi.

A joyful face for a joyful book.

SUBMIT

Abstract. We propose a hybrid formal verification approach that combines high-level deductive reasoning and circuit-based reasoning and apply it to highly optimized cryptographic assembly code. Our approach permits scaling up formal verifi- cation in two complementary directions: 1) it reduces the proof effort required for low-level functions where the computation logics are obfuscated by the intricate use of architecture-specific instructions and 2) it permits amortizing the effort of proving one implementation by using equivalence checking to propagate the guarantees to other implementations of the same computation using different optimizations or targeting different architectures. We demonstrate our approach via an extension to the EasyCrypt proof assistant and by revisiting formally verified implementations of ML-KEM in Jasmin. As a result, we obtain the first formally verified implementation of ML-KEM that offers performance comparable to the fastest non-verified implementation in x86-64 architectures.

Faster Verification of Faster Implementations: Combining Deductive and Circuit-Based Reasoning in EasyCrypt (José Bacelar Almeida et al.) ia.cr/2025/1607

This is exactly the setup in this 5-bit experiment: the DL instance is set up in a subgroup of the curve of order 2^5 = 32.

There's a reason we usually pick prime order subgroups.

Uh... Working in a subgroup of order 32 seems... ill advised. Even with a 256-bit key, if I pick 2^256 as the order of the group I set up my discrete logarithm instance in, Pohlig-Hellman gives a classical attack in 512 guesses max. (256 on average.) No need for a quantum computer here.

You have 12 usable knuckles on each hand. (Usable because you can point to them nicely with your conveniently opposable thumb.)

Rosenpass Build post-quantum-secure VPNs with WireGuard!

This is now also implemented in Rosenpass. (With a more complex PQ key exchange layer.)

rosenpass.eu

Just in case anyone feels really excited, this closed 10 days ago.

ICYMI... Tough, you missed it.

Other governments are still (for now) linking government procurement and transition, and generally aligned on adoption. (France likes XMSS, Germany also likes Classic McEliece.)

Also strong signs that other countries are picking up the advocacy piece.

I'm not going to say it so I don't jinx it.

Abstract. Threshold signatures enable multiple participants to collaboratively produce a digital signature, ensuring both fault tolerance and decentralization. As we transition to the post-quantum era, lattice-based threshold constructions have emerged as promising candidates. However, existing approaches often struggle to scale efficiently, lack robustness guarantees, or are incompatible with standard schemes — most notably, the NIST-standard ML-DSA. In this work, we explore the design space of Fiat-Shamir-based lattice threshold signatures and introduce the two most practical schemes to date. First, we present an enhanced TRaccoon-based [DKM+24] construction that supports up to 64 participants with identifiable aborts, leveraging novel short secret-sharing techniques to achieve greater scalability than previous state-of-the-art methods. Second — and most importantly — we propose the first practical ML-DSA-compatible threshold signature scheme, supporting up to 6 users. We provide full implementations and benchmarks of our schemes, demonstrating their practicality and efficiency for real-world deployment as protocol messages are computed in at most a few milliseconds, and communication cost ranges from 10.5 kB to 525 kB depending on the threshold.

Image showing part 2 of abstract.

Threshold Signatures Reloaded: ML-DSA and Enhanced Raccoon with Identifiable Aborts (Giacomo Borin, Sofía Celi, Rafael del Pino, Thomas Espitau, Guilhem Niot, Thomas Prest) ia.cr/2025/1166

That is called a cryptographic reduction.

An emoji, crying with laughter. Heavy tears are streaming down its face, suggesting that it is also crying with crying.

The joys of the Outlook web client.

"we are simply moving assumptions to a different level of the stack" is all cryptography has ever been about, though. In the end, it's all about informing risk management decisions and moving risk.

The fact that there's nerdy stuff in the way means we get clever people working on it, which is nice.

I think you simplified that a bit too far, there...

The article (and its actual title) are very clear that being fluent with multiplication is good, but that the practice of teaching to the test is not.

A tool that fails safe is more worthy of trust than a tool that fails badly, though. Given that a hybrid KEM is a KEM, I expect it to be made by the tool makers, not by the tool users.

Sorry I missed it, and happy birthday!