About
I’m a distinguished researcher at NTT Corporation, based in Tokyo, Japan. I work under Masayuki Abe at the Social Informatics Laboratories. I joined NTT in 2011, after receiving my Ph.D. in computer science, completed at École normale supérieure under the supervision of David Naccache and Jean-Sébastien Coron.
Masayuki and I are also visiting faculty of the Graduate School of Informatics at Kyoto University. We have a small research lab there where we supervise and give lectures to graduate students.
My research interests cover various mathematical aspects of public-key cryptography and cryptanalysis, particularly related to elliptic curves and Euclidean lattices, as well as side-channels and the security of cryptographic implementations.
Recent & upcoming events
- Nov 24, 2026 to Nov 26, 2026. Tokyo — Japan. IWSEC 2026. Program co-chair.
- Oct 28, 2026 to Oct 30, 2026. Inria Convention Center — Rennes, France. ISC 2026. Program co-chair.
- Nov 17, 2025 to Nov 20, 2025. Grand Cube Osaka — Osaka, Japan. CANS 2025. Program co-chair.
- Oct 20, 2025 to Oct 22, 2024. Sungkyunkwan University — Seoul, South Korea. ISC 2025. Keynote talk: “Sokół: Polishing up Falcon”.
See the full list here.
Selected recent papers
- CRYPTO 2026 - Maskaglia: a new, efficient approach to masked discrete Gaussian sampling.
Discrete Gaussian sampling is an important operation in lattice-based cryptography, for which we now have efficient constant-time algorithms, in order to protect against simple timing attacks. Protecting against more advanced side-channels, however, remains challenging: applying a generic countermeasure like masking to most discrete Gaussian samplers comes with a considerable overhead. In this paper, we introduce a new, masking-friendly algorithm for discrete Gaussian sampling based on classical techniques for sampling normal distributions, and show how to turn it into an efficient gadget at any masking order. When applied to the Hawk hash-and-sign signature scheme, it outperforms previous works by a large margin. Joint work with Calvin Abou Haidar, Thomas Espitau and Clément Hoffmann.
- CRYPTO 2025 - Crowhammer: Full key recovery attack on Falcon with a single Rowhammer bit flip.
While fault attacks are usually seen as a concern in the embedded space, Rowhammer is an example of a class of faults that apply to desktop and server computers, and allow inserting relatively well-controlled bit flips in memory. It is important to consider the security of implementations of standard primitives against such threats. In this paper, we look at the case of Falcon, and show that a single Rowhammer bit flip on the table that defines its base Gaussian distribution is sufficient to fully expose the signing key given sufficiently many signatures. The key recovery is based on an Nguyen–Regev style statistical approach, but additional tricks (essentially, dimension reduction using principal component analysis) are needed to make it practical. We argue that the vulnerability can be mitigated very cheaply, by rejecting not only signatures that are too long, but also those that are implausibly short. Joint work with Calvin Abou Haidar and Quentin Payet.
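The mitigation mentioned at the end of the Crowhammer abstract is a two-sided bound on the signature norm: the verifier already rejects signatures that are too long, and additionally rejects ones that are implausibly short for a correctly working sampler. The block below is an added toy illustration of that check, not code from the paper and not Falcon's actual parameters: the dimension, standard deviation and window width are constructed values, and a sampler whose standard deviation has been narrowed is used purely as a stand-in for a degraded Gaussian sampler, not as a claim about what the paper's bit flip does to the table.

```python
import random

# Toy parameters, constructed for this illustration. They are NOT Falcon's real
# dimension or standard deviation, and the window is not the bound the paper derives.
DIM = 512        # length of the toy signature vector
SIGMA = 10.0     # standard deviation of the healthy (fault-free) sampler
SLACK = 0.15     # relative half-width of the acceptance window around the expected norm


def sample_signature(rng, sigma, dim=DIM):
    """Toy stand-in for a lattice signature vector: dim independent discrete
    Gaussian coordinates, obtained by rounding continuous Gaussian samples."""
    return [round(rng.gauss(0.0, sigma)) for _ in range(dim)]


def squared_norm(vec):
    return sum(x * x for x in vec)


def norm_bounds(sigma, dim=DIM, slack=SLACK):
    """Two-sided window on the squared norm. For dim coordinates of standard
    deviation sigma the expected squared norm is about dim * sigma**2; rounding
    adds roughly 1/12 per coordinate, which is negligible at this sigma."""
    expected = dim * sigma * sigma
    return (1.0 - slack) * expected, (1.0 + slack) * expected


def accept_one_sided(sig, sigma, dim=DIM):
    """The usual check: reject only signatures that are too long."""
    _, upper = norm_bounds(sigma, dim)
    return squared_norm(sig) <= upper


def accept_two_sided(sig, sigma, dim=DIM):
    """The hardened check: also reject signatures that are implausibly short,
    the cheap mitigation the Crowhammer abstract describes."""
    lower, upper = norm_bounds(sigma, dim)
    return lower <= squared_norm(sig) <= upper


def acceptance_rate(check, sampler_sigma, trials=200, seed=1):
    """Fraction of signatures from a sampler of the given sigma that pass check.
    A sampler narrowed below the nominal SIGMA is the constructed model of a
    degraded sampler used in this toy; the check always assumes nominal SIGMA."""
    rng = random.Random(seed)
    accepted = sum(
        check(sample_signature(rng, sampler_sigma), SIGMA) for _ in range(trials)
    )
    return accepted / trials


if __name__ == "__main__":
    for name, check in (("one-sided", accept_one_sided), ("two-sided", accept_two_sided)):
        healthy = acceptance_rate(check, SIGMA)
        narrowed = acceptance_rate(check, SIGMA / 2)
        print(f"{name:9s} check: healthy sampler {healthy:.2f}, narrowed sampler {narrowed:.2f}")
```

Running it shows the point of the mitigation: both checks accept nearly all signatures from the healthy sampler, but only the two-sided check rejects the output of the narrowed sampler, whose vectors are all far shorter than the lower bound. Since the squared norm is already computed for the existing length check, the extra comparison costs essentially nothing.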
- EUROCRYPT 2025 - Do not disturb a sleeping Falcon: floating-point error sensitivity of the Falcon sampler and its consequences.
The fact that Falcon relies on floating point arithmetic is often mentioned as a potential pitfall, but the extent to which this can lead to actual vulnerabilities is not clear. In this paper, we point out that the Falcon one-dimensional Gaussian sampler is highly sensitive to small floating point discrepancies around integer centers, which surprisingly can only appear with significant probability at exactly four positions during the traversal of the Falcon tree, including two towards the very end. As a consequence, if the Falcon lattice sampler is called twice on the same input in the presence of floating point discrepancies, there is a good chance to obtain two output vectors whose difference immediately exposes the secret key. This does not affect the Falcon scheme itself as long as salts are never repeated, but it can be a serious issue for derandomized variants of Falcon used, e.g., for IBE, SNARKs or aggregate signatures. As a possible countermeasure, we propose a small change to the Falcon sampler that eliminates this floating point sensitivity for free. Joint work with Xiuhan Lin, Yang Yu and Shiduo Zhang.
- IEEE S&P 2025 - Ringtail: practical two-round threshold signatures from learning with errors.
A lattice-based, two-round, online-offline, arbitrary threshold signature protocol which is concretely efficient and proved secure under standard LWE. It is similar to a recently proposed scheme of Espitau, Katsumata and Takemure (EKT), but avoids the reliance upon their non-standard “algebraic one-more LWE” assumption. The proof technique is interesting, and the parameters end up fairly close to EKT: very similar key and signature sizes, somewhat smaller online communication, and about 3 times larger offline communication. Joint work with Cecilia Boschini, Darya Kaviani, Russell Lai, Giulio Malavolta and Akira Takahashi.
See the full list here.
