10:45h On the Insecurity of Bloom Filter-Based Private Set Intersections
Jorrit van Assen

Private set intersections are cryptographic protocols that compute the intersection of multiple parties' private sets without revealing elements that are not in the intersection. These protocols become less efficient when the number of parties grows, or the size of the sets increases. For this reason, many protocols are based on Bloom filters, which speed up the protocol by approximating the intersections, introducing false positives with a small but non-negligible probability. In this work, we show that an adversary can abuse false positives of the Bloom filters to leak information about parties' private sets. We show that even in the most optimistic setting, Bloom filter-based private set intersections cannot securely realize an approximate private set intersection unless the parameters are so large that false positives only occur with negligible probability. We demonstrate a practical attack on small parameters that lets a party learn if an element is contained in a victim's private set. We conclude that the efficiency gain of using Bloom filters as an approximation in existing protocols vanishes when accounting for this security problem. Furthermore, we discuss possible mitigations besides choosing larger parameters.

11:30h - coffee break

11:45h Symmetric Key Exchange: Lightweight alternatives for a Post-quantum IoT
Bor De Kock

Symmetric cryptographic primitives such as AES are simple, efficient and secure – even in a post-quantum world – which makes them interesting for a variation of purposes where we need secure encryption, but with strong constraints to computing power and storage. Traditionally a downside of these algorithms has been their static, long-term keys, making it hard to achieve security properties such as forward secrecy without negotiating a new key every time.
In this talk we will look at a number of protocols that achieve symmetric authenticated key exchange: we propose new methods of key evolution that guarantee full forward secrecy, while also taking care of key synchronization between the involved parties. This makes them very suitable for IoT devices, or other settings where efficient post-quantum cryptography is required.

12:30h lunch

14:00h Algorithms for equivalence problems
Simona Samardjiska

In the past few years, there has been an increased interest in hard equivalence problems, especially with NIST's fourth round for new designs of digital signatures. On a high level, such a problem can be defined as follows: Given two algebraic objects, find - if any - an equivalence that maps one object into the other. Several instantiations have been considered for cryptographic purposes, for example - Isomorphism of polynomials (Pattarin '96), Code equivalence (Biasse et al. '20), Matrix Code equivalence (Chou et al. '22), Alternating trilinear form equivalence (Tang et al. '22), Lattice isomorphism (Ducas & van Woerden '22). All of these problems are believed to be hard even for quantum adversaries. Conveniently, they can generically be used to build a Sigma protocol and further a post-quantum secure signature using the Fiat-Shamir transform. In this talk I will consider a class of equivalence problems that can be seen as an instance of the Tensor Isomorphism problem. I will discuss their theoretical and practical hardness, the state-of-the-art algorithms for solving them, as well as some open questions that could help better understand the complexity of this problem.

14:45h coffee and end of activities