<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Cryptanalysis | Jonas Meers</title>
    <link>https://joalpale.de/tag/cryptanalysis/</link>
      <atom:link href="https://joalpale.de/tag/cryptanalysis/index.xml" rel="self" type="application/rss+xml" />
    <description>Cryptanalysis</description>
    <generator>Wowchemy (https://wowchemy.com)</generator><language>en-us</language><lastBuildDate>Mon, 10 Nov 2025 00:00:00 +0000</lastBuildDate>
    <image>
      <url>https://joalpale.de/media/icon_hu0b7a4cb9992c9ac0e91bd28ffd38dd00_9727_512x512_fill_lanczos_center_3.png</url>
      <title>Cryptanalysis</title>
      <link>https://joalpale.de/tag/cryptanalysis/</link>
    </image>
    
    <item>
      <title>Leveled Isogeny Problems with Hints</title>
      <link>https://joalpale.de/publication/rub/liph/</link>
      <pubDate>Mon, 10 Nov 2025 00:00:00 +0000</pubDate>
      <guid>https://joalpale.de/publication/rub/liph/</guid>
      <description>&lt;h3 id=&#34;abstract&#34;&gt;Abstract&lt;/h3&gt;
&lt;p&gt;We define and analyze the Leveled Isogeny Problem with Hints (LIPH), a generalization of the Isogeny Problem with Level Structure first introduced by De Feo, Fouotsa and Panny at EUROCRYPT&#39;24. In a LIPH instance we are tasked with recovering a secret isogeny $\varphi$ given masked torsion point images $M\cdot(\varphi(P),\varphi(Q))^\top$ for some $(P,Q)$ of order $N$ and unknown $M\in\operatorname{GL}_2(N)$. Additionally, we are provided a &lt;em&gt;hint&lt;/em&gt; on $M$, revealing some bits of its entries. Instances of LIPH occur naturally in modern isogeny-based key exchanges that use masked torsion points as part of their public key, when some parts of the masking matrix $M$ are additionally revealed, for instance through a side-channel attack.&lt;/p&gt;
&lt;p&gt;We provide efficient algorithms that solve various instances of LIPH, leading to efficient &lt;em&gt;partial key recovery attacks&lt;/em&gt; in practice. More specifically, we present Coppersmith-type attacks that are able to recover an M-SIDH/POK&#39;E secret key given $50\%$ (resp. $86\%$) of the most-significant bits of an entry of $M$, and a FESTA secret key given $67\%$ of the most-significant bits of $M$. In the case of FESTA we also present a tailored combinatorial attack running in subexponential time $O(2^{\sqrt{n}})$ with probability $84\%$ when $50\%$ of the bits of $M$ leak at random.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>A Little LESS Secure - Side-Channel Attacks Exploiting Randomness Leakage</title>
      <link>https://joalpale.de/publication/rub/pq-hnp/</link>
      <pubDate>Fri, 23 May 2025 00:00:00 +0000</pubDate>
      <guid>https://joalpale.de/publication/rub/pq-hnp/</guid>
      <description></description>
    </item>
    
  </channel>
</rss>
