About
I’m a distinguished researcher at NTT Corporation, based in Tokyo, Japan. I work under Masayuki Abe at the Social Informatics Laboratories. I joined NTT in 2011, after receiving my Ph.D. in computer science, prepared at École normale supérieure under the supervision of David Naccache and Jean-Sébastien Coron.
Masayuki and I are also visiting faculty of the Graduate School of Informatics at Kyoto University. We have a small research lab there where we supervise and give lectures to graduate students.
My research interests cover various mathematical aspects of public-key cryptography and cryptanalysis, particularly related to elliptic curves and Euclidean lattices, as well as side-channels and the security of cryptographic implementations.
Recent & upcoming events
- Nov 17, 2025 to Nov 20, 2025. Grand Cube Osaka, Osaka, Japan. CANS 2025. Program co-chair.
- Oct 20, 2025 to Oct 22, 2025. Sungkyunkwan University, Seoul, South Korea. ISC 2025. Keynote talk: “Sokół: Polishing up Falcon”.
- Nov 20, 2024. Osaka University, Osaka, Japan. Public hearing of Kaiming Chen's Ph.D. dissertation. External reviewer.
- Nov 15, 2024. UC Louvain, Louvain-la-Neuve, Belgium (joining remotely). Ph.D. defense of Clément Hoffmann. Jury member.
See the full list here.
Selected recent papers
- CRYPTO 2025 - Crowhammer: Full key recovery attack on Falcon with a single Rowhammer bit flip.
Fault attacks are usually seen as a concern in the embedded space, but Rowhammer is an example of a class of faults that applies to desktop and server computers and lets an attacker insert relatively well-controlled bit flips in memory, so implementations of standard primitives need to be assessed against such threats. In this paper, we look at the case of Falcon and show that a single Rowhammer bit flip in the table that defines its base Gaussian distribution is enough to fully expose the signing key, given sufficiently many signatures. The key recovery is based on a Nguyen–Regev style statistical approach, but additional tricks (essentially, dimension reduction using principal component analysis) are needed to make it practical. We argue that the vulnerability can be mitigated very cheaply, by rejecting not only signatures that are too long, but also those that are implausibly short. Joint work with Calvin Abou Haidar and Quentin Payet.
- EUROCRYPT 2025 - Do not disturb a sleeping Falcon: floating-point error sensitivity of the Falcon sampler and its consequences.
The fact that Falcon relies on floating-point arithmetic is often mentioned as a potential pitfall, but the extent to which this can lead to actual vulnerabilities has not been clear. In this paper, we point out that the Falcon one-dimensional Gaussian sampler is highly sensitive to small floating-point discrepancies around integer centers, which surprisingly can only appear with significant probability at exactly four positions during the traversal of the Falcon tree, including two towards the very end. As a consequence, if the Falcon lattice sampler is called twice on the same input in the presence of floating-point discrepancies, there is a good chance of obtaining two output vectors whose difference immediately exposes the secret key. This does not affect the Falcon scheme itself as long as salts are never repeated, but it can be a serious issue for derandomized variants of Falcon used, e.g., for IBE, SNARKs or aggregate signatures. As a possible countermeasure, we propose a small change to the Falcon sampler that eliminates this floating-point sensitivity for free. Joint work with Xiuhan Lin, Yang Yu and Shiduo Zhang.
- IEEE S&P 2025 - Ringtail: practical two-round threshold signatures from learning with errors.
A lattice-based, two-round, online/offline threshold signature protocol for arbitrary thresholds, which is concretely efficient and proven secure under standard LWE. It is similar to the recently proposed scheme of Espitau, Katsumata and Takemure (EKT), but avoids relying on their non-standard “algebraic one-more LWE” assumption. The proof technique is interesting, and the parameters end up fairly close to EKT: very similar key and signature sizes, somewhat smaller online communication, and about 3 times larger offline communication. Joint work with Cecilia Boschini, Darya Kaviani, Russell Lai, Giulio Malavolta and Akira Takahashi.
- ASIACRYPT 2023 - Antrag: annular NTRU trapdoor generation.
How to efficiently generate NTRU trapdoors for Prest’s hybrid lattice Gaussian sampler of the same quality as the Klein/FFO sampler-friendly trapdoors used in Falcon. This yields a variant of the Mitaka signature scheme with all the same advantages, but drop-in compatible with Falcon (or with shorter signatures, if you prefer). Joint work with Thomas Espitau, Thi Thu Quyen Nguyen, Chao Sun and Alexandre Wallet. Shout out to Jade Guiton for an awesome implementation as well.
- ASIACRYPT 2022 - SwiftEC: Shallue-van de Woestijne indifferentiable function to elliptic curves.
Hashing to elliptic curves is a topic I’ve been thinking about for the past 15 or so years, so it was exciting to realize that the solution (almost) to one of the long-standing open problems in that area (indifferentiable hashing to general elliptic curves at the cost of a single exponentiation) was hiding in plain sight, so to speak: it was just a matter of combining the techniques of one of the seminal works in the field with a classical result in arithmetic (the function field analogue of Legendre’s theorem on rational ternary quadratic forms). Joint work with Jorge Chávez-Saab and Francisco Rodríguez-Henríquez. Paper award at Asiacrypt 2022.
See the full list here.
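To make the SwiftEC entry above concrete, here is the classical Shallue–van de Woestijne (SW) encoding it builds on, in the form standardized in RFC 9380 (section 6.6.1), together with the two-evaluation indifferentiable construction H(m) = F(h1(m)) + F(h2(m)) of Brier et al. that SwiftEC improves upon. This is an added example, not code from the SwiftEC paper or its authors, and it does not implement SwiftEC itself. The prime P, the curve coefficients A and B, and the domain-separated SHA-256 hashing to field elements are constructed toy choices (the digest is reduced mod P, a slightly biased stand-in for the RFC's expand_message), chosen so the whole map can be exercised over every field element in well under a second.

```python
# Added example (not code from the SwiftEC paper or its authors): the classical
# Shallue-van de Woestijne (SW) encoding in the form standardized in RFC 9380,
# section 6.6.1, plus the two-evaluation hash H(m) = F(h1(m)) + F(h2(m)).
# The prime P, the coefficients A and B and the SHA-256-based field hashing are
# constructed toy choices for readability, not parameters of any real curve.
import hashlib

P = 10007          # toy prime with P % 4 == 3, so a square root is one exponentiation
A, B = 3, 5        # curve E: y^2 = x^3 + A*x + B over F_P (assumed, illustrative)
assert P % 4 == 3


def g(x):
    """Right-hand side x^3 + A*x + B of the curve equation, reduced mod P."""
    return (x * x * x + A * x + B) % P


def is_square(a):
    """Euler's criterion (one exponentiation); 0 counts as a square, as in RFC 9380."""
    a %= P
    return a == 0 or pow(a, (P - 1) // 2, P) == 1


def sqrt_mod(a):
    """Square root for P % 4 == 3; only meaningful when a is a square."""
    return pow(a % P, (P + 1) // 4, P)


def inv0(a):
    """Modular inverse with inv0(0) = 0 (the RFC's convention for the exceptional case)."""
    return pow(a % P, P - 2, P)


def find_z():
    """Smallest Z meeting the SW preconditions listed in RFC 9380, section 6.6.1."""
    for z in range(1, P):
        d = (3 * z * z + 4 * A) % P
        if g(z) == 0 or d == 0:
            continue
        if not is_square(-d * inv0(4 * g(z))):
            continue
        if not (is_square(g(z)) or is_square(g(-z * inv0(2)))):
            continue
        return z
    raise ValueError("no suitable Z for this curve")


Z = find_z()
C1 = g(Z)
C2 = (-Z * inv0(2)) % P
C3 = sqrt_mod(-g(Z) * (3 * Z * Z + 4 * A))
C3 = C3 if C3 % 2 == 0 else P - C3       # RFC requires sgn0(c3) == 0
C4 = (-4 * g(Z) * inv0(3 * Z * Z + 4 * A)) % P


def map_to_curve_sw(u):
    """SW encoding F_P -> E(F_P): build three candidate x-coordinates x1, x2, x3.
    The SW identity guarantees g(x1)*g(x2)*g(x3) is a square, so at least one
    candidate has a square g(x) and therefore yields a point."""
    u %= P
    tv1 = (u * u * C1) % P
    tv2 = (1 + tv1) % P
    tv1 = (1 - tv1) % P
    tv3 = inv0(tv1 * tv2)          # 0 exactly when u^2*g(Z) = +-1 (exceptional case)
    tv4 = (u * tv1 * tv3 * C3) % P
    x1 = (C2 - tv4) % P
    x2 = (C2 + tv4) % P
    x3 = (pow(tv2 * tv2 * tv3, 2, P) * C4 + Z) % P
    # A constant-time implementation selects with CMOV; branches keep the logic readable.
    if is_square(g(x1)):
        x = x1
    elif is_square(g(x2)):
        x = x2
    else:
        x = x3
    y = sqrt_mod(g(x))
    if (u % 2) != (y % 2):         # RFC sign convention: sgn0(y) == sgn0(u)
        y = (-y) % P
    return x, y


def point_add(p1, p2):
    """Affine addition on E; None denotes the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv0(2 * y1) % P
    else:
        lam = (y2 - y1) * inv0(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def on_curve(pt):
    """Check y^2 == g(x); the point at infinity is on the curve by convention."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - g(x)) % P == 0


def hash_to_curve(msg):
    """Indifferentiable hash of Brier et al. (also RFC 9380): two independent field
    elements, two SW evaluations and one point addition. Reducing a SHA-256 digest
    mod P is a toy stand-in for the RFC's expand_message (slightly biased)."""
    u1 = int.from_bytes(hashlib.sha256(b"\x01" + msg).digest(), "big") % P
    u2 = int.from_bytes(hashlib.sha256(b"\x02" + msg).digest(), "big") % P
    return point_add(map_to_curve_sw(u1), map_to_curve_sw(u2))


if __name__ == "__main__":
    print("Z =", Z, "H(msg) =", hash_to_curve(b"constructed message"))
```

Counting the expensive operations makes the motivation for SwiftEC visible: one SW evaluation as written spends up to two Legendre symbols, one inversion and one square root, each a full field exponentiation, and the indifferentiable hash pays that twice plus a point addition. Bringing indifferentiable hashing to general curves down to a single exponentiation is exactly the gap the paper closes.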