All times are given in Korea Standard Time (UTC+09:00).
please join our Slack space through the following link to ask your questions and to communicate anytime:
Time  Program (Coordinator: Jooyoung Lee)  

13:0013:15  Watch Live Session  Opening 
13:1514:00  1.1 CodeBased Cryptography Session Chair: YoungSik Kim Watch Live Session 
Decoding Supercodes of Gabidulin Codes and Applications to Cryptanalysis Maxime Bombar and Alain Couvreur Abstract
This article discusses the decoding of Gabidulin codes and shows how to extend the usual decoder to any supercode of a Gabidulin code at the cost of a significant decrease of the decoding radius. Using this decoder, we provide polynomial time attacks on the rank metric encryption schemes RAMESSES and LIGA. 
LESSFM: Finetuning Signatures from the Code Equivalence Problem Alessandro Barenghi, JeanFrancois Biasse, Edoardo Persichetti and Paolo Santini Abstract
Codebased cryptographic schemes are highly regarded among the quantumsafe alternatives to current standards. Yet, designing codebased signatures using traditional methods has always been a challenging task, and current proposals are still far from the target set by other postquantum primitives (e.g. latticebased). In this paper, we revisit a recent work using an innovative approach for signing, based on the hardness of the code equivalence problem. We introduce some optimizations and provide a security analysis for all variants considered. We then show that the new parameters produce instances of practical interest. 

Classical and Quantum algorithms for generic Syndrome Decoding problems and applications to the Lee metric Thomas DebrisAlazard, André Chailloux and Simona Etinski Abstract
The security of codebased cryptography usually relies on the hardness of the Syndrome Decoding (SD) problem for the Hamming weight. The best generic algorithms are all improvements of an old algorithm by Prange, and they are known under the name of Information Set Decoding (ISD) algorithms. This work aims to extend ISD algorithms’ scope by changing the underlying weight function and alphabet size of SD. More precisely, we show how to use Wagner’s algorithm in the ISD framework to solve SD for a wide range of weight functions. We also calculate the asymptotic complexities of ISD algorithms, both for the classical and quantum case. We then apply our results to the Lee metric, which is currently receiving a significant amount of attention. By providing the parameters of SD for the Lee weight for which decoding seems to be the hardest, our study could have several applications for designing codebased cryptosystems and their security analysis, especially against quantum adversaries. 

14:0014:15  Break  
14:1515:00  1.2 Multivariate Cryptography Session Chair: Jae Hong Seo Watch Live Session 
Improving ThomaeWolf Algorithm for Solving Underdetermined Multivariate Quadratic Polynomial Problem Hiroki Furue, Shuhei Nakamura and Tsuyoshi Takagi Abstract
The multivariate quadratic polynomial problem (MQ problem) is a fundamental computational problem in postquantum cryptography. We denote by MQ(q, n, m) the MQ problem of m quadratic equations in n variables over finite field Fq. At PKC 2012, an efficient algorithm for solving the underdetermined MQ(2^{r}, n, m) for n > m was proposed by Thomae and Wolf (TW algorithm). In PKC 2012, Thomae and Wolf proposed an efficient algorithm (ThomaeWolf (TW) algorithm) to solve an underdetermined MQ(2^{r}, n, m), that is, n > m. Specifically, by eliminating the crossproduct terms in α quadratic polynomials through linearization, MQ(2^{r}, n, m) can be reduced to MQ(2^{r}, m  k  α, m  α), where k is the number of variables fixed in the hybrid approach after the TW algorithm is applied. Then, the algorithm yields the smallest MQ problem for the largest linearization factor α =  1 among possible α, where b·c is the floor function. 
New Practical Multivariate Signatures from a Nonlinear Modifier Daniel SmithTone Abstract
Multivariate cryptography is dominated by schemes supporting various tweaks, or "modifiers," designed to patch certain algebraic weaknesses they would otherwise exhibit. Typically these modifiers are linear in nature either requiring an extra composition with an affine map, or being evaluated by a legitimate user via an affine projection. This description applies to the minus, plus, vinegar and internal perturbation modifiers, to name a few. Though it is wellknown that combinations of various modifiers can offer security against certain classes of attacks, cryptanalysts have produced ever more sophisticated attacks against various combinations of these linear modifiers. 

On the Effect of Projection on Rank Attacks in Multivariate Cryptography Morten øygarden, Daniel SmithTone and Javier Verbel Abstract
The multivariate scheme HFEv used to be considered a promising candidate for a postquantum signature system. First suggested in the early 2000s, a version of the scheme made it to the third round of the ongoing NIST postquantum standardization process. In late 2020, the system suffered from an efficient rank attack due to Tao, Petzoldt, and Ding. In this paper, we inspect how this recent rank attack is affected by the projection modification. This modification was introduced to secure the signature scheme PFLASH against its predecessor’s attacks. We prove upper bounds for the rank of projected HFEv (pHFEv) and PFLASH under the new attack, which are tight for the experiments we have performed. We conclude that projection could be a useful tool in protecting against this recent cryptanalysis. 

15:0015:45  1.3 Quantum Algorithms Session Chair: Steven Galbraith Watch Live Session 
Quantum Key Search for Ternary LWE Iggy van Hoof, Elena Kir shanova and Alexander May Abstract
Ternary LWE, i.e., LWE with coefficients of the secret and the error vectors taken from {−1, 0, 1}, is a popular choice among NTRUtype cryptosystems and some signatures schemes like BLISS and GLP. In this work we consider quantum combinatorial attacks on ternary LWE. Our algorithms are based on the quantum walk framework of MagniezNayakRolandSantha. At the heart of our algorithms is a combinatorial tool called the representation technique that appears in algorithms for the subset sum problem. This technique can also be applied to ternary LWE resulting in faster attacks. The focus of this work is quantum speedups for such representationbased attacks on LWE. When expressed in terms of the search space S for LWE keys, the asymptotic complexity of the representation attack drops from S^{0.24} (classical) down to S^{0.19} (quantum). This translates into noticeable attack's speedups for concrete NTRU instantiations like NTRUHRSS [CHES'17] and NTRU Prime [SAC'17]. 
A Fusion Algorithm for Solving the Hidden Shift Problem in Finite Abelian Groups Wouter Castryck, Ann Dooms, Carlo Emerencia and Alexander Lemmens Abstract
It follows from a result by Friedl, Ivanyos, Magniez, Santha and Sen from 2014 that, for any fixed integer m > 0 (thought of as being small), there exists a quantum algorithm for solving the hidden shift problem in an arbitrary finite abelian group (G, +) with time complexity [poly(log G) · 2^{O(log √mG}) .] As discussed in the current paper, this can be viewed as a modest statement of Pohlig–Hellman type for hard homogeneous spaces. Our main contribution is a somewhat simpler algorithm achieving the same runtime for m = 2^{t}p, with t any nonnegative integer and p any prime number, where additionally the memory requirements are mostly in terms of quantum random access classical memory; indeed, the amount of qubits that need to be stored is poly(log G). Our central tool is an extension of Peikert's adaptation of Kuperberg’s collimation sieve to arbitrary finite abelian groups. This allows for a reduction, in said time, to the hidden shift problem in the quotient G/2^{t}pG, which can then be tackled in polynomial time, by combining methods by Friedl et al. for ptorsion groups and by Bonnetain and NayaPlasencia for 2^{t}torsion groups. 

The "Quantum Annoying" Property of PasswordAuthenticated Key Exchange Protocols Edward Eaton and Douglas Stebila Abstract
During the Crypto Forum Research Group (CFRG)'s standardization of passwordauthenticated key exchange (PAKE) protocols, a novel property emerged: a PAKE scheme is said to be "quantumannoying" if a quantum computer can compromise the security of the scheme, but only by solving one discrete logarithm for each guess of a password. Considering that early quantum computers will likely take quite long to solve even a single discrete logarithm, a quantumannoying PAKE, combined with a large password space, could delay the need for a postquantum replacement by years, or even decades. 

15:4516:00  Break  
16:0017:00  1.4 Implementation and Side Channel Attack Session Chair: Tommaso Gagliardoni Watch Live Session 
Differential Power Analysis of the Picnic Signature Scheme Tim Gellersen, Okan Seker and Thomas Eisenbarth Abstract
This work introduces the first differential sidechannel analysis of the Picnic Signature Scheme, an alternate candidate in the ongoing competition for postquantum cryptography by the National Institute of Standards and Technology (NIST). We present a successful sidechannel analysis of the underlying multiparty implementation of the LowMC block cipher (MPCLowMC) and show how sidechannel information can be used to recover the entire secret key by exploiting two different parts of the algorithm. LowMC key recovery then allows to forge signatures for the calling Picnic postquantum signature scheme. We target the NIST reference implementation executed on a FRDMK66F development board. Key recovery succeeds with fewer than 1000 LowMC traces, which can be obtained from fewer than 30 observed Picnic signatures. 
Implementation of Lattice Trapdoors on Modules and Applications Pauline Bert, Gautier Eberhart, Lucas Prabel, Adeline RouxLanglois and Mohamed Sabt Abstract
We develop and implement efficient Gaussian preimage sampling techniques on module lattices, which rely on the works of Micciancio and Peikert in 2012, and Micciancio and Genise in 2018. The main advantage of our implementation is its modularity, which makes it practical to use for signature schemes, but also for more advanced constructions using trapdoors such as identitybased encryption. In particular, it is easy to use in the ring or module setting, and to modify the arithmetic on R_{q} (as different schemes have different conditions on q). 

Verifying PostQuantum Signatures in 8 kB of RAM Ruben Gonzalez, Andreas Hülsing, Matthias J. Kannwischer, Juliane Krämer, Tanja Lange, Marc Stöttinger, Elisabeth Waitz, Thom Wiggers and BoYin Yang Abstract
In this paper, we study implementations of postquantum signature schemes on resourceconstrained devices. We focus on verification of signatures and cover NIST PQC round3 candidates Dilithium, Falcon, Rainbow, GeMSS, and SPHINCS+. We assume an ARM CortexM3 with 8 kB of memory and 8 kB of flash for code; a practical and widely deployed setup in, for example, the automotive sector. This amount of memory is insufficient for most schemes. Rainbow and GeMSS public keys are too big; SPHINCS+ signatures do not fit in this memory. To make signature verification work for these schemes, we stream in public keys and signatures. Due to the memory requirements for efficient Dilithium implementations, we stream in the public key to cache more intermediate results. We discuss the suitability of the signature schemes for streaming, adapt existing implementations, and compare performance. 

Fast NEONbased Multiplication for Latticebased NIST PostQuantum Cryptography Finalists Duc Nguyen and Kris Gaj Abstract
This paper focuses on highspeed NEONbased constanttime implementations of multiplication of large polynomials in the NIST PQC KEM Finalists: NTRU, Saber, and CRYSTALSKyber. We use the Number Theoretic Transform (NTT)based multiplication in Kyber, the ToomCook algorithm in NTRU, and both types of multiplication in Saber. Following these algorithms and using Apple M1, we improve the decapsulation performance of the NTRU, Kyber, and Saberbased KEMs at the security level 3 by the factors of 8.4, 3.0, and 1.6, respectively, compared to the reference implementations. On CortexA72, we achieve the speedups by factors varying between 5.7 and 7.5× for the Forward/Inverse NTT in Kyber, and between 6.0 and 7.8× for ToomCook in NTRU, over the best existing implementations in pure C. For Saber, when using NEON instructions, the implementation based on NTT outperforms the implementation based on the ToomCook algorithm by 14% in the case of the MatrixVectorMul function but is slower by 21% in the case of the InnerProduct function. Taking into account that in Saber, keys are not available in the NTT domain, the overall performance of the NTTbased version is very close to the performance of the ToomCook version. The differences for the entire decapsulation at the three major security levels (1, 3, and 5) are 4, 2, and +2%, respectively. Our benchmarking results demonstrate that our NEONbased implementations run on an Apple M1 ARM processor are comparable to those obtained using the best AVX2based implementations run on an Intel Core i78750H processor. AMD EPYC 7742 processor. Our work is the first NEONbased ARMv8 implementation of each of the three NIST PQC KEM finalists. 
Time  Program (Coordinator: YoungSik Kim)  

13:0013:45  2.1 Isogeny Session Chair: Benjamin Smith Watch Live Session 
CSIRAShi: Distributed Key Generation for CSIDH Ward Beullens, Lucas Disson, Robi Pedersen and Frederik Vercauteren Abstract
We present an honestmajority Distributed Key Generation protocol (DKG) based on Shamir’s (k,n)threshold secret sharing in the setting of Very Hard Homogenous Spaces (VHHS). DKGs in the DLOG setting use Pedersen commitments, for which there is no known analogue in the VHHS setting. As a replacement, we introduce a new primitive called piecewise verifiable proofs, which allow a prover to prove that a list of NPstatements is valid with respect to a common witness, and such that the different statements can be verified individually. Our protocol is robust and actively secure in the Quantum Random Oracle Model. For n participants, the total runtime of our protocol is 2 + λ + n(1 + 4λ) group action evaluations, where λ is the underlying security parameter, and is thus independent of the threshold k. When instantiated with CSIDH512, this amounts to approximately 4.5+18n seconds. 
SimS: a Simplification of SiGamal Tako Boris Fouotsa and Christophe Petit Abstract
At Asiacrypt 2020, Moriya et al. introduced two new INDCPA secure supersingular isogeny based Public Key Encryption (PKE) protocols: SiGamal and CSiGamal. Unlike the PKEs canonically derived from SIKE and CSIDH, the new protocols provide INDCPA security without the use of random oracles. SiGamal and CSiGamal are however not INDCCA secure. Moriya et al. suggested a variant of SiGamal that could be INDCCA secure, but left its study as an open problem. 

Memory Optimization Techniques for Computing Discrete Logarithms in Compressed SIKE Aaron Hutchinson, Koray Karabina and Geovandro Pereira Abstract
The supersingular isogenybased key encapsulation (SIKE) suite stands as an attractive postquantum cryptosystem with its relatively small public keys. Public key sizes in SIKE can further be compressed by computing pairings and solving discrete logarithms in certain subgroups of finite fields. This comes at a cost of precomputing and storing large discrete logarithm tables. In this paper, we propose several techniques to optimize memory requirements in computing discrete logarithms in SIKE, and achive to reduce table sizes by a factor of 4. We implement our techniques and verify our theoretical findings. 

13:4514:00  Break  
14:0015:00  Live Only2.2 Invited Talk Session Chair: JeanPierre Tillich Watch Live Session 
The Homestretch: the beginning of the end of the NIST PQC 3rd Round Dustin Moody (NIST) Abstract
In 2017, NIST received more than 80 submissions to begin the NIST PQC standardization process. Now four years later, there are 7 finalists and 8 alternates still being evaluated. The 3rd round has been going for one year, and NIST expects to announce which algorithms are selected for standardization in approximately six months. In this talk, I will recap the process and discuss how NIST will approach its decision, as well as look ahead to the future. 
15:0015:10  Break  
15:1015:15  Live Only2.3 Industrial Track Session Chair: Kyung Chul Jeong Watch Live Session 
Opening Message  PQC Transition Policy in Korea Jinbae Hong (Ministry of Science and ICT) 
15:1517:00 
PQC Transition  ANSSI Views Mélissa Rossi (ANSSI) Abstract
Similarly to several other national crypto authorities, the French cybersecurity agency (ANSSI) agrees that the quantum threat should be taken into account in the near future for security products aimed at offering a long lasting protection of information. Thus the question of how to conservatively include postquantum algorithms in security products is very relevant. In this talk, we will give an outline of ANSSI’s views on the needed gradual transition agenda towards postquantum security in France, including some positions regarding NIST’s standardization campaign and the short and mediumterm necessity of hybridation between pre and postquantum algorithms. 

Activities on PQC in Japan Keita Xagawa (NTT) Abstract
I review the activities on PQC (including QKD) in Japan academic/industrial research groups. I also review the activities on PQC in CRYPTREC, Cryptography Research and Evaluation Committees, which evaluates and monitors the security of eGovernment recommended ciphers in Japan. 

Progress and Challenges in the Industrial Adoption of PQC Peter Pessl (Infineon) Abstract
Long before NIST’s standardization process comes to a conclusion and standards are being drafted, large parts of the industry already prepare for the adoption of PQC. In this talk, we give some insights into the current state of this adoption and state still open problems. We, for instance, discuss efforts to adapt PQC into industrial standards and applications. Further, we state challenges in the context of secure and efficient implementations and highlight differences between academic research and industrial development in this regard. 

Introduction of PQC Pilot Infrastructure and Services in the Industrial Area Kyoung Hak Mun (LG Uplus) Abstract
The advent of quantum computer is urging security enhancements in various industrial fields. Internet service providers, obligated to provide safe communication services to their subscribers, are rushing to announce quantum security pilot networks and service implementation cases to proactively respond to the quantumthreat. PQC (Post Quantum Cryptography) is a nextgeneration cryptography technology using mathematical difficulties and has the advantage of upgrading the existing security infrastructure and newly applying it to various industrial fields. In this talk, I will introduce a PQC private network pilot service in addition to a PQCTLS protocolbased application that protect confidential information in the IT and medical fields, which were deployed by LG Uplus. 

<QCrypton>, The Quantum Security Evaluation Platform for Cryptographic Algorithms Sokjoon Lee (ETRI) Abstract
According to the quantum technology roadmap of global quantum computer vendor such as Google, IBM and IonQ, thousands of qubit quantum processors are expected to be developed in the next few years. But, even if a quantum computer is developed with more qubits than the logical qubit required by Shor algorithm, it won't be able to easily break RSA system on that computer. There is a big difference in the number of qubits and quantum gates on the logical and physical layers. 
Time  Program (Coordinator: Youngjoo Shin)  

13:0014:00  Live Only3.1 Invited Talk Session Chair: Jung Hee Cheon Watch Live Session 
Intractability Assumptions on Module Lattices Damien Stehlé (ENS de Lyon) Abstract
Lattice problems restricted to module lattices are some of the most common security foundations in postquantum cryptography. As an example, five out of the seven finalist candidates in the NIST PQC standardisation project have their security that relies on their presumed intractability. These assumptions include NTRU, RingLWE/SIS and ModuleLWE/SIS, which all depend on a variety of parameters. In this talk, I will provide an overview on module lattice problems used for cryptographic design. 
14:0014:15  Break  
14:1515:30  3.2 Lattice Based Cryptography Session Chair: Elena Kirshanova Watch Live Session 
Generating CryptographicallyStrong Random Lattice Bases and Recognizing Rotations of Z^n Tamar Blanks and Stephen Miller Abstract
Latticebased cryptography relies on generating random bases which are difficult to fully reduce. Given a lattice basis (such as the private basis for a cryptosystem), all other bases are related by multiplication by matrices in GL(n, Z). We compare the strengths of various methods to sample random elements of SL(n, Z), finding some are stronger than others with respect to the problem of recognizing rotations of the Z^{n} lattice. In particular, the standard algorithm of multiplying unipotent generators together (as implemented in Magma's RandomSLnZ command) generates instances of this last problem which can be efficiently broken, even in dimensions nearing 1,500. We also can efficiently break the random basis generation method in one of the NIST PostQuantum Cryptography competition submissions (DRS). Other random basis generation algorithms (some older, some newer) are described which appear to be much stronger. 
ZeroKnowledge Proofs for Committed Symmetric Boolean Functions San Ling, Khoa Nguyen, Duong Hieu Phan, Hanh Tang and Huaxiong Wang Abstract
Zeroknowledge proofs (ZKP) are a fundamental notion in modern cryptography and an essential building block for countless privacypreserving constructions. Recent years have witnessed a rapid development in the designs of ZKP for general statements, in which, for a publicly given Boolean function f : {0, 1}^{n}→ {0, 1}, one’s goal is to prove knowledge of a secret input x ∈ {0, 1}^{n} satisfying f(x) = b, for a given bit b. Nevertheless, in many interesting application scenarios, not only the input x but also the underlying function f should be kept private. The problem of designing ZKP for the setting where both x and f are hidden, however, has not received much attention. 

Short IdentityBased Signatures with Tight Security from Lattices Jiaxin Pan and Benedikt Wagner Abstract
We construct a short and adaptively secure identitybased signature scheme tightly based on the wellknown Short Integer Solution (SIS) assumption. Although identitybased signature schemes can be tightly constructed from either standard signature schemes against adaptive corruptions in the multiuser setting or a twolevel hierarchical identitybased encryption scheme, neither of them is known with short signature size and tight security based on the SIS assumption. Here "short" means the signature size is independent of the message length, which is in contrast to the treebased (tight) signatures. Our approach consists of two steps: Firstly, we give two generic transformations (one with random oracles and the other without) from nonadaptively secure identitybased signature schemes to adaptively secure ones tightly. Our idea extends the similar transformation for digital signature schemes. Secondly, we construct a nonadaptively secure identitybased signature scheme based on the SIS assumption in the random oracle model. 

On Removing Rejection Conditions in Practical LatticeBased Signatures Rouzbeh Behnia, Yilei Chen and Daniel Masny Abstract
Digital signatures following the methodology of "FiatShamir with Aborts", proposed by Lyubashevsky, are capable of achieving the smallest publickey and signature sizes among all the existing lattice signature schemes based on the hardness of the RingSIS and RingLWE problems. Since its introduction, several variants and optimizations have been proposed, and two of them (i.e., Dilithium and qTESLA) entered the second round of the NIST postquantum cryptography standardization. This method of designing signatures relies on rejection sampling during the signing process. Rejection sampling is crucial for ensuring both the correctness and security of these signature schemes. 

Secure Hybrid Encryption In the Standard Model from Hard Learning Problems Xavier Boyen, Malika Izabachène and Qinyi Li Abstract
We present chosenciphertext secure hybrid encryption systems in the standard model from the learning with errors problem and lownoise learning parity with noise problem. The systems consist of publickey key encapsulation mechanisms that are not chosenciphertext secure. The systems are more efficient than the existing chosenciphertext secure hybrid encryption encryption systems in the standard model based on the same hard learning problems. 

15:3015:45  Break  
15:4516:45  3.3 Cryptanalysis Session Chair: Scott Fluhrer Watch Live Session 
Attacks on BeyondBirthdayBound MACs in the Quantum Setting Tingting Guo, Peng Wang, Lei Hu and Dingfeng Ye Abstract
We systematically study the security of twelve BeyondBirthdayBound Message Authentication Codes (BBB MACs) in the Q2 model where attackers have quantumquery access to MACs. Assuming the block size of the underlying (tweakable) block cipher is n bits, the security proofs show that they are secure at least up to O(2^{2n/3}) queries in the classical setting. The best classical attacks need O(2^{3n/4}) queries. We consider secret state recovery against SUMECBClike and PMAC Pluslike MACs and key recovery against PMAC Pluslike MACs. Both attacks lead to successful forgeries. The first attack costs O(2^{n/2}n) quantum queries by applying GrovermeetSimon algorithm. The second attack costs (2^{m/2}) quantum queries by applying Grover’s algorithm, assuming the key size of (tweakable) block cipher is m bits. As far as we know, these are the first quantum attacks against BBB MACs. It is remarkable that our attacks are suitable even for some optimally secure MACs, such as mPMAC+f, mPMAC+p1, and mPMAC+p2. 
An Algebraic Approach to the Rank Support Learning Problem Magali Bardet and Pierre Briaud Abstract
Rankmetric codebased cryptography relies on the hardness of decoding a random linear code in the rank metric. The Rank Support Learning problem (RSL) is a variant where an attacker has access to N decoding instances which are strongly related and wants to solve any one of them. This problem is used in the Durandal signature scheme [1]. In this paper, we propose an algebraic attack on RSL which clearly outperforms the previous attacks to solve this problem. We build upon [2] where similar techniques we used to solve MinRank and RD. However, our analysis is simpler and therefore our attack relies on very elementary assumptions compared to standard Gr¨obner bases attacks. Also, it suggests that key recovery attacks on Durandal are much more efficient than what was previously thought.
[1] Aragon, N., Blazy, O., Gaborit, P., Hauteville, A., Z´emor, G.: Durandal: a rank metric based signature scheme. In: Advances in Cryptology  EUROCRYPT 2019. 

Quantum Indistinguishability for Public Key Encryption Tommaso Gagliardoni, Juliane Krämer and Patrick Struck Abstract
In this work we study the quantum security of public key encryption schemes (PKE). Boneh and Zhandry (CRYPTO'13) initiated this research area for PKE and symmetric key encryption (SKE), albeit restricted to a classical indistinguishability phase. Gagliardoni et al. (CRYPTO'16) advanced the study of quantum security by giving, for SKE, the first definition with a quantum indistinguishability phase. For PKE, on the other hand, no notion of quantum security with a quantum indistinguishability phase exists. Our main result is a novel quantum security notion (qINDqCPA) for PKE with a quantum indistinguishability phase, which closes the aforementioned gap. We show a distinguishing attack against codebased schemes and, for certain parameters, against LWEbased schemes. We also show that the canonical hybrid PKESKE construction is secure, even if the underlying PKE scheme by itself is not. Finally, we classify quantumresistant PKE schemes based on the applicability of our security notion and discuss concurrent and independent work. 

A Practical Adaptive Key Recovery Attack on the LGM (GSWlike) Cryptosystem Prastudy Fauzi, Martha Norberg Hovd and Håvard Raddum Abstract
We present an adaptive key recovery attack on the leveled homomorphic encryption scheme suggested by Li, Galbraith and Ma (Provsec 2016), which itself is a modification of the GSW cryptosystem designed to resist key recovery attacks by using a different linear combination of secret keys for each decryption. We were able to efficiently recover the secret key for a realistic choice of parameters using a statistical attack. In particular, this means that the Li, Galbraith and Ma strategy does not prevent adaptive key recovery attacks. 

16:45  Watch Live Session  Adjourn 