Lena Heimberger
LightNews LightNews
meyira.bsky.social
Lena Heimberger
@meyira.bsky.social
24 followers 48 following 6 posts
Cryptography and Privacy @tugraz
heimberger.xyz
Posts Replies Media Videos
meyira.bsky.social
I'll be around Melbourne for LatticeCC before asiacrypt. Let me know if you want to talk lattices!
November 25, 2025 at 10:54 PM
Reposted by Lena Heimberger
meredithmeredith.bsky.social
📣 Germany's close to reversing its opposition to mass surveillance & private message scanning, & backing the Chat Control bill. This could end private comms-& Signal-in the EU.

Time's short and they're counting on obscurity: please let German politicians know how horrifying their reversal would be.
signal.org Signal @signal.org · Oct 3
We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe. signal.org/blog/pdfs/ge...
signal.org
October 6, 2025 at 6:46 AM
Reposted by Lena Heimberger
eprint.ing.bot
Forging Dilithium and Falcon Signatures by Single Fault Injection (Sven Bauer, Fabrizio De Santis) ia.cr/2025/2029
Abstract. Embedded devices commonly rely on digital signatures to ensure both integrity and authentication. For example, digital signatures are typically verified during the boot process or firmware updates to verify the integrity of a system. They are also used to ensure authenticity of a communication party in secure protocols. Fault injection can be used to tamper with a device in order to cause malfunctioning during cryptographic computations. For example, fault injections can be used to disturb digital signing operations. With the right type of fault an attacker can compute private keys from faulted signatures. However, fault injections can also be used during verification to get maliciously crafted digital signatures accepted during signature verification with catastrophic consequences for the security of an embedded device. In this paper, we introduce new non-obvious fault injection attacks on the verification routines of Dilithium and Falcon signature schemes, which allow an attacker to get signatures for arbitrary messages accepted by fault injection. We demonstrate the feasibility of our attacks by simulations using an ARM Cortex-M4 and the pqm4 library as a target of evaluation and pinpoint vulnerable instructions. Finally, we propose and discuss possible countermeasures against these attacks. Image showing part 2 of abstract.
November 3, 2025 at 4:09 PM
Reposted by Lena Heimberger
cjpatton.bsky.social
Anonymous credentials are going to have a big year. In the realm of "fancy" cryptography, they're perhaps the most important primitive we'll need to make PQ. Where do we stand? Lena Heimberger spent part of the summer finding out.
blog.cloudflare.com/pq-anonymous...
Policy, privacy and post-quantum: anonymous credentials for everyone
The world is adopting anonymous credentials for digital privacy, but these systems are vulnerable to quantum computers. This post explores the cryptographic challenges and promising research paths tow...
blog.cloudflare.com
October 31, 2025 at 2:05 PM
Reposted by Lena Heimberger
thibmeu.com
@cjpatton.bsky.social and @meyira.bsky.social also dive into how we can make these primitives post-quantum secure
blog.cloudflare.com/pq-anonymous...
Policy, privacy and post-quantum: anonymous credentials for everyone
The world is adopting anonymous credentials for digital privacy, but these systems are vulnerable to quantum computers. This post explores the cryptographic challenges and promising research paths tow...
blog.cloudflare.com
October 30, 2025 at 1:09 PM
meyira.bsky.social
Anonymous credentials are mostly talked about in the context of age verification. We also looked how to use them to verify bots, laying the foundation for a new version of rate limiting- more refined, with more functionality, and still private!
blog.cloudflare.com/private-rate...
Anonymous credentials- rate-limiting bots and agents without compromising privacy
As AI agents change how the Internet is used, they create a challenge for security. We explore how Anonymous Credentials can rate limit agent traffic and block abuse without tracking users or compromi...
blog.cloudflare.com
October 30, 2025 at 1:21 PM
Reposted by Lena Heimberger
thibmeu.com
Most AI traffic comes from massive shared, platforms. If one user is abusive, how do you rate-limit them without blocking everyone? IP blocks won't work.
We explore private rate limits, a way to stop abuse without tracking users.
blog.cloudflare.com/private-rate...
Anonymous credentials- rate-limiting bots and agents without compromising privacy
As AI agents change how the Internet is used, they create a challenge for security. We explore how Anonymous Credentials can rate limit agent traffic and block abuse without tracking users or compromi...
blog.cloudflare.com
October 30, 2025 at 1:06 PM
Reposted by Lena Heimberger
str4d.xyz
Update: the claimed bugfix is refuted!
eprint.ing.bot ePrint Updates @eprint.ing.bot · Oct 20
So about that Quantum Lattice Thing: Rebuttal to “Exact Coset Sampling for Quantum Lattice Algorithms” (Daniel Apon) ia.cr/2025/1945
Abstract. In this note we identify major issues with “Exact Coset Sampling for Quantum Lattice Algorithms” by Zhang. The issues include: • in the first version, the proposed algorithm requires foreknowledge of the answer to compute the answer; • in the latest version, the proposed algorithm displays basic misunderstandings of quantum mechanics. We believe the existence of these issues refute the author’s claims.
October 20, 2025 at 3:35 AM
Reposted by Lena Heimberger
matthewdgreen.bsky.social
This is amazing research by Nadia Heninger and her co-authors Wenyi Morty Zhang, Annie Dai, Keegan Ryan, Dave Levin and Aaron Schulman. TL;DR a huge number of satellite links over our heads are totally unencrypted. satcom.sysnet.ucsd.edu
🛰️ SATCOM Security
Research project homepage for SATCOM Security: papers, source code, and recent satellite communications vulnerabilities.
satcom.sysnet.ucsd.edu
October 14, 2025 at 1:16 AM
Reposted by Lena Heimberger
alecmuffett.bsky.social
Why Signal’s post-quantum makeover is an amazing engineering achievement | Ars Technica
https://alecmuffett.com/article/117370
#EndToEndEncryption #PostQuantum #signal
Why Signal’s post-quantum makeover is an amazing engineering achievement | Ars Technica
Happy to read this, not least because I’ve often seen the push for rapid adoption of PQ as coming from intelligence agencies seeking to sow confusion & discord; having a well researched h…
alecmuffett.com
October 14, 2025 at 1:05 PM
Reposted by Lena Heimberger
eprint.ing.bot
Graeffe-Based Attacks on Poseidon and NTT Lower Bounds (Ziyu Zhao, Antonio Sanso, Giuseppe Vitto, Jintai Ding) ia.cr/2025/1916
Abstract. Poseidon and Poseidon2 are cryptographic hash functions crafted for efficient zero-knowledge proof systems and have seen wide adoption in practical applications. We introduce the use of the Graeffe transform in univariate polynomial solving within this line of work. The proposed method streamlines the root recovery process in interpolation attacks and achieves several orders of magnitude acceleration in practical settings, enabling a new and more efficient class of attacks against Poseidon targeting round-reduced permutations and constrained input/output instances. We release open-source code and describe our method in detail, demonstrating substantial improvements over prior approaches: reductions in wall time by a factor of 2¹³ and in memory usage by a factor of 2^(4.5). Memory-access costs for NTTs turn out to be a dominant barrier in practice. And we prove that this cost increases at least as the 4/3-power of the input size (up to logarithmic factors), which suggests the commonly used pseudo-linear cost model may underestimate the true resource requirements. This behavior contrasts with multivariate equation solving, whose main bottleneck remains finite-field linear algebra. We argue that, when selecting parameters, designers should account for interpolation-based attacks explicitly, since their practical hardness is determined by different, and sometimes stronger, resource constraints than those of multivariate techniques. Image showing part 2 of abstract.
October 17, 2025 at 2:28 AM
meyira.bsky.social
Javascript just became a bit more trustworthy using transparency protocols! This is a really cool deployment and shows how tk use transparency in ither places than certificates!

blog.cloudflare.com/improving-th...
Improving the trustworthiness of Javascript on the Web
Today, there's no way to audit a site’s client-side code as it changes, making it hard to trust sites that use cryptography. We preview a specification we coauthored that adds auditability to the web.
blog.cloudflare.com
October 17, 2025 at 9:55 AM
Reposted by Lena Heimberger
malb.bsky.social
Slides of my talk titled "Lattices give us KEMs and FHE, but where are the efficient lattice PETs? -- By Example of (Verifiable) Oblivious PRFs" given at spiqe-workshop.github.io are here: github.com/malb/talks/b...

Thanks @kennyog.bsky.social and @jurajsomorovsky.bsky.social for inviting me.
github.com
June 24, 2025 at 9:56 AM
Reposted by Lena Heimberger
cosic.bsky.social
Registration for the Leuven Isogeny Days 6 is now open!
📅 10–12 Sept 2025 @ KU Leuven
Morning: research talks
Afternoon: brainstorming sessions
More info: www.esat.kuleuven.be/cosic/projec...
#isogeny #isocrypt #erc #postquantum
June 16, 2025 at 6:17 AM
Reposted by Lena Heimberger
andreavbasso.bsky.social
We (finally) published all the material from this course on SQIsign, including lecture slides and exercise sheets for the Sage laboratory. Available here: github.com/andreavico/S...
June 10, 2025 at 3:58 PM
meyira.bsky.social
🖤🕯️ #graz
June 10, 2025 at 2:37 PM
Reposted by Lena Heimberger
benjojo.bsky.social
On May 20th 2025 a BGP message was propagated that triggered some surprisingly disruptive behaviours with two major BGP implementations make up a lot of the internet.

In a new blog post, I will dissect what that message was, and my thoughts on how it happened:

blog.benjojo.co.uk/post/bgp-att...
BGP handling bug causes widespread internet routing instability
blog.benjojo.co.uk
May 27, 2025 at 11:03 AM
Reposted by Lena Heimberger
eprint.ing.bot
Poseidon and Neptune: Gröbner Basis Cryptanalysis Exploiting Subspace Trails (Lorenzo Grassi, Katharina Koschatko, Christian Rechberger) ia.cr/2025/954
Abstract. At the current state of the art, algebraic attacks are the most efficient method for finding preimages and collisions for arithmetization-oriented hash functions, such as the closely related primitives Poseidon/Poseidon2 and Neptune. In this paper, we revisit Gröbner basis (GB) attacks that exploit subspace trails to linearize some partial rounds, considering both sponge and compression modes. Starting from Poseidon’s original security evaluation, we identified some inaccuracies in the model description that may lead to misestimated round requirements. Consequently, we reevaluate and improve the proposed attack strategy. We find that depending on the concrete instantiation, the original security analysis of Poseidon under- or overestimates the number of rounds needed for security. Moreover, we demonstrate that GB attacks leveraging subspace trails can outperform basic GB attacks for Poseidon/Poseidon2 and Neptune. We propose a variant of the previous attack strategy that exploits a crucial difference between Poseidon/Poseidon2 and Neptune: while Poseidon’s inverse round functions have a high degree, Neptune’s inverse external rounds maintain the same degree as the forward rounds. Using this new model, we demonstrate that Neptune’s security in compression mode cannot be reduced to its security against the Constrained-Input-Constrained-Output (CICO) problem. To the best of our knowledge, this is the first time a concrete example has been provided where finding preimages is easier than solving the corresponding CICO problem. Our results emphasize the importance of considering the mode of operation in security analysis while confirming the overall security of Poseidon/Poseidon2 and Neptune against the presented algebraic attacks. Image showing part 2 of abstract.
May 26, 2025 at 5:52 PM
Reposted by Lena Heimberger
eprint.ing.bot
Breaking Poseidon Challenges with Graeffe Transforms and Complexity Analysis by FFT Lower Bounds (Ziyu Zhao, Jintai Ding) ia.cr/2025/950
Abstract. Poseidon and Poseidon2 are cryptographic hash functions designed for efficient zero-knowledge proof protocols and have been widely adopted in Ethereum applications. To encourage security research, the Ethereum Foundation announced a bounty program in November 2024 for breaking the Poseidon challenges, i.e. solving the CICO (Constrained Input, Constrained Output) problems for round-reduced Poseidon constructions. In this paper, we explain how to apply the Graeffe transform to univariate polynomial solving, enabling efficient interpolation attacks against Poseidon. We will provide an open-source code and details our approach for solving several challenges valued at $20000 in total. Compared to existing attacks, we improves 2^{13} and 2^{4.5} times in wall time and memory usage, respectively. For all challenges we solved, the cost of memory access turns out to be an essential barrier, which makes the security margin much larger than expected. We actually prove that the memory access cost for FFT grows as the 4/3-power of the input size, up to a logarithmic factor. This indicates the commonly used pseudo linear estimate may be overly conservative. This is very different from multivariate equation solving whose main bottleneck is linear algebra over finite fields. Thus, it might be preferable to choose parameters such that the best known attack is interpolation, as it presents more inherent hardness. Image showing part 2 of abstract.
May 26, 2025 at 5:36 PM
Reposted by Lena Heimberger
cknabs.bsky.social
I'm happy to finally open-source lattirust, a library for lattice-based zero-knowledge/succinct arguments! Lattirust is somewhat like arkworks, but for lattices; and like lattigo, but for arguments.

github.com/lattirust
lattirust
Lattice zero-knowledge/succinct arguments, and more - lattirust
github.com
May 20, 2025 at 2:55 PM
meyira.bsky.social
We're studying user messaging behaviour to get data for a simulation for key transparency. If you have 10 minutes, please fill out this survey: survey.tugraz.at/mobile-messe... (if you are around Graz and fill it out before Thursday, you may win a free drink at the local CTF team's fundraiser!)
User Behaviour in Mobile Messengers
survey.tugraz.at
May 20, 2025 at 12:13 PM
Reposted by Lena Heimberger
eprint.ing.bot
Private SCT Auditing, Revisited (Lena Heimberger, Christopher Patton, Bas Westerbaan) ia.cr/2025/556
Abstract. In order for a client to securely connect to a server on the web, the client must trust certificate authorities (CAs) only to issue certificates to the legitimate operator of the server. If a certificate is miss-issued, it is possible for an attacker to impersonate the server to the client. The goal of Certificate Transparency (CT) is to log every certificate issued in a manner that allows anyone to audit the logs for miss-issuance. A client can even audit a CT log itself, but this would leak sensitive browsing data to the log operator. As a result, client-side audits are rare in practice. In this work, we revisit private CT auditing from a real-world perspective. Our study is motivated by recent changes to the CT ecosystem and advancements in Private Information Retrieval (PIR). First, we find that checking for inclusion of Signed Certificate Timestamps (SCTs) in a log — the audit performed by clients — is now possible with PIR in under a second and under 100kb of communication with minor adjustments to the protocol that have been proposed previously. Our results also show how to scale audits by using existing batching techniques and the algebraic structure of the PIR protocols, in particular to obtain certificate hashes by included in the log. Since PIR protocols are more performant with smaller databases, we also suggest a number of strategies to lower the size of the SCT database for audits. Our key observation is that the web will likely transition to a new model for certificate issuance. While this transition is primarily motivated by the need to adapt the PKI to larger, post-quantum signature schemes, it also removes the need for SCT audits in most cases. We present the first estimates of how this transition may impact SCT auditing, based on data gathered from public CT logs. We find that large scale deployment of the new issuance model may reduce the number of SCT audits needed by a factor of 1,000, making PIR-based auditing practical to deploy. Image showing part 2 of abstract.
March 28, 2025 at 8:01 AM
Reposted by Lena Heimberger
eprint.ing.bot
Leap: A Fast, Lattice-based OPRF With Application to Private Set Intersection (Lena Heimberger, Daniel Kales, Riccardo Lolato, Omid Mir, Sebastian Ramacher, Christian Rechberger) ia.cr/2025/333
Abstract. Oblivious pseudorandom functions (OPRFs) are an important primitive in privacy-preserving cryptographic protocols. The growing interest in OPRFs, both in theory and practice, has led to the development of numerous constructions and variations. However, most of these constructions rely on classical assumptions. Potential future quantum attacks may limit the practicality of those OPRFs for real-world applications. To close this gap, we introduce Leap, a novel OPRF based on heuristic lattice assumptions. Fundamentally, Leap builds upon the Spring [BBL+15] pseudorandom function (PRF), which relies on the learning with rounding assumption, and integrates techniques from multi-party computation, specifically Oblivious Transfer (OT) and Oblivious Linear Evaluation (OLE). With this combination of oblivious protocols, we construct an OPRF that evaluates in less than a millisecond on a modern computer. Efficiency-wise, our prototype implementation achieves computation times of just 11 microseconds for the client and 750 microseconds for the server, excluding some base OT preprocessing overhead. Moreover, Leap requires an online communication cost of 23 kB per evaluation, where the client only has to send around 380 bytes online. To demonstrate the practical applicability of Leap, we present an efficient private set intersection (PSI) protocol built on top of Leap. This application highlights the potential for the integration of Leap into various privacy-preserving applications: We can compute an unbalanced set intersection with set sizes of 2^24 and 2^15 in under a minute of online time and just over two minutes overall. Image showing part 2 of abstract.
February 25, 2025 at 6:27 PM