About
I’m a distinguished researcher at NTT Corporation, based in Tokyo, Japan. I work under Masayuki Abe at the Social Informatics Laboratories. I joined NTT in 2011, after receiving my Ph.D. in computer science, prepared at École normale supérieure under the supervision of David Naccache and Jean-Sébastien Coron.
Masayuki and I are also visiting faculty of the Graduate School of Informatics at Kyoto University. We have a small research lab there where we supervise and give lectures to graduate students.
My research interests cover various mathematical aspects of public-key cryptography and cryptanalysis, particularly related to elliptic curves and Euclidean lattices, as well as side-channels and the security of cryptographic implementations.
Recent & upcoming events
- Nov 20, 2024. Osaka University, Osaka, Japan. Public hearing of Kaiming Chen's Ph.D. dissertation. External reviewer.
- Nov 15, 2024. UC Louvain, Louvain-la-Neuve, Belgium (joining remotely). Ph.D. defense of Clément Hoffmann. Jury member.
- Oct 30, 2024 to Nov 1, 2024. Academia Sinica, Taipei, Taiwan. ECC Workshop 2024. Invited talk: “Indifferentiable hashing to elliptic curves: an update”.
- Dec 4, 2023 to Dec 8, 2023. China Hotel, Guangzhou, China. ASIACRYPT 2023. Invited talk: “Mathematical problems arising from timing attacks on signatures and their countermeasures”.
See the full list here.
Selected recent papers
- EUROCRYPT 2025 - Do not disturb a sleeping Falcon: floating-point error sensitivity of the Falcon sampler and its consequences.
The fact that Falcon relies on floating point arithmetic is often mentioned as a potential pitfall, but the extent to which this can lead to actual vulnerabilities is not clear. In this paper, we point out that the Falcon one-dimensional Gaussian sampler is highly sensitive to small floating point discrepancies around integer centers, which surprisingly can only appear with significant probability at exactly four positions during the traversal of the Falcon tree, including two towards the very end. As a consequence, if the Falcon lattice sampler is called twice on the same input in the presence of floating point discrepancies, there is a good chance to obtain two output vectors whose difference immediately exposes the secret key. This does not affect the Falcon scheme itself as long as salts are never repeated, but it can be a serious issue for derandomized variants of Falcon used, e.g., for IBE, SNARKs or aggregate signatures. As a possible countermeasure, we propose a small change to the Falcon sampler that eliminates this floating point sensitivity for free. Joint work with Xiuhan Lin, Yang Yu and Shiduo Zhang.
- IEEE S&P 2025 - Ringtail: practical two-round threshold signatures from learning with errors.
A lattice-based, two-round, online-offline, arbitrary threshold signature protocol which is concretely efficient and proved secure under standard LWE. It is similar to a recently proposed scheme of Espitau, Katsumata and Takemure (EKT), but avoids the reliance upon their non-standard “algebraic one-more LWE” assumption. Interesting proof technique, and the parameters end up fairly close to EKT: very similar key and signature sizes, somewhat smaller online communication, and about 3 times larger offline communication. Joint work with Cecilia Boschini, Darya Kaviani, Russell Lai, Giulio Malavolta and Akira Takahashi.
- ASIACRYPT 2023 - Antrag: annular NTRU trapdoor generation.
How to efficiently generate NTRU trapdoors for Prest’s hybrid lattice Gaussian sampler of equally good quality as the Klein/FFO sampler-friendly trapdoors used in Falcon. This yields a variant of the Mitaka signature scheme with all the same advantages, but drop-in compatible with Falcon (or with shorter signatures if you prefer!). Joint work with Thomas Espitau, Thi Thu Quyen Nguyen, Chao Sun and Alexandre Wallet. Shout out to Jade Guiton for an awesome implementation as well.
- ASIACRYPT 2022 - SwiftEC: Shallue-van de Woestijne indifferentiable function to elliptic curves.
Hashing to elliptic curves is a topic I’ve been thinking about for the past 15-ish years, so it was exciting to realize that the solution—almost—to one of the long-standing open problems in that area (indifferentiable hashing for general elliptic curves at the cost of one exponentiation) was hiding in plain sight, so to speak: it was just a matter of combining the techniques of one of the seminal works in the field with a classical result in arithmetic (the function field analogue of Legendre’s theorem on rational ternary quadratic forms). Joint work with Jorge Chávez-Saab and Francisco Rodríguez-Henríquez. Paper award of Asiacrypt 2022.
See the full list here.