10:45h – One for All, All for Ascon: Ensemble-based Deep Learning Side-channel Analysis (Azade Rezaeezade)

Abstract: In recent years, deep learning-based side-channel analysis (DLSCA) has become an active research topic within the side-channel analysis community. The well-known challenge of hyperparameter tuning in DLSCA encouraged the community to use methods that reduce the effort required to identify an optimal model. One of the successful methods is ensemble learning. While ensemble methods have demonstrated their effectiveness in DLSCA, particularly with AES-based datasets, their efficacy in analyzing symmetric-key cryptographic primitives with different operational mechanics remains unexplored. Ascon was recently announced as the winner of the NIST lightweight cryptography competition. This will lead to broader use of Ascon and a crucial requirement for thorough side-channel analysis of its implementations. With these two considerations in view, we utilize an ensemble of deep neural networks to attack two implementations of Ascon. Using an ensemble of five multilayer perceptrons or convolutional neural networks, we could find the secret key for the protected Ascon implementation with fewer than 3,000 traces. To the best of our knowledge, this is the best currently known result. We can also identify the correct key with fewer than 100 traces for the unprotected implementation of Ascon, which is on par with the state-of-the-art results.

11:30h – coffee break

11:45h – Analysis of HWQCS and Layered-ROLLO-I (Alex Pellegrini)

Abstract: Research in the code-based cryptography area has led to the proposal of candidates to post-quantum competitions using codes in both the Hamming and the rank metric. In this talk I will present the cryptanalysis of Layered-ROLLO-I, a rank-metric code-based cryptosystem submitted to the Korean Post-Quantum Cryptography Competition, and HWQCS, a Hamming-metric signature scheme presented at ICISC 2023. I will show how to unwrap the layers of Layered-ROLLO-I, reducing it to a weak version of ROLLO-I, and also describe an efficient message recovery attack that only uses linear algebra. Moving to HWQCS, I will show that the signatures leak substantial secret information, give a statistical model of the leakage and finally use this knowledge to mount an efficient universal forgery attack.

12:30h – lunch

14:00h – Towards Compressed Permutation Oracle (Dominique Unruh)

Abstract: Compressed oracles (Zhandry, Crypto 2019) are a powerful technique to reason about quantum random oracles, enabling a sort of lazy sampling in the presence of superposition queries. A long-standing open question is whether a similar technique can also be used to reason about random (efficiently invertible) permutations. In this work, we make a step towards answering this question. We first define the compressed permutation oracle and illustrate its use. While the soundness of this technique (i.e., the indistinguishability from a random permutation) remains a conjecture, we show a curious 2-for-1 theorem: if we use the compressed permutation oracle methodology to show that some construction (e.g., Luby-Rackoff) implements a random permutation (or strong qPRP), then we get the fact that this methodology is actually sound for free.

14:45h – coffee break

15:00h – Topology-Based Reconstruction Defences for Decentralised Learning (Florine Dekker)

Abstract: Decentralised learning has recently gained traction as an alternative to federated learning in which both data and coordination are distributed over the users. To preserve the confidentiality of users' data, decentralised learning relies on differential privacy, multi-party computation, or a combination thereof. However, running multiple privacy-preserving summations in sequence may, counterintuitively, decrease privacy in what is known as a reconstruction attack. Unfortunately, current reconstruction countermeasures either do not consider correlated data, or have been designed for centralised systems and cannot trivially be adapted to the setting of decentralised learning. In this work, we show that passive honest-but-curious adversaries can reconstruct other users' private data after several privacy-preserving summations. For example, in subgraphs with 18 users, we show that only three passive honest-but-curious adversaries succeed at reconstructing private data 11.0% of the time, requiring an average of 8.8 summations per adversary. The success rate is independent of the size of the full network. We consider weak adversaries, who do not control the graph topology, and can exploit neither the inner workings of the summation protocol nor the specifics of users' data. We develop a mathematical understanding of how reconstruction relates to topology and propose the first decentralised countermeasure to reconstruction attacks as seen in decentralised learning. Specifically, we show that reconstruction requires a number of adversaries linear in the length of the network's shortest cycle. Consequently, reconstructing private data from privacy-preserving summations is impossible in acyclic networks. Our work is a stepping stone for a formal theory of decentralised reconstruction defences through structured composition. Such a theory would generalise our countermeasure beyond summation, define confidentiality in terms of entropy, and describe the effects of (topology-aware) differential privacy.

15:45h – end of activities