SPIQE

Workshop Program

The SPIQE 2026 workshop takes place on Friday, July 10, 2026 in Lisbon, Portugal, as a post-conference workshop at Euro S&P 2026.

The program features three invited talks and five contributed papers and talks selected from submissions.

Schedule

Invited Talk: Benjamin Dowling (King's College London)
09:30–10:30 · Instantiating PQ Protocols: Status, Challenges and Solutions for the PQ Transition
10:30–11:00 · Coffee Break
Contributed Papers and Talks I
11:00–11:30 · Layered Performance Analysis of TLS 1.3 Handshakes: Classical, Hybrid, and Pure Post-Quantum Key Exchange · Paper (PDF)
David Gómez-Cambronero (Telefónica Innovación Digital), Daniel Munteanu (Keysight), Ana Isabel González (Universidad Carlos III)
11:30–12:00 · Finding SSH Strict Key Exchange Violations by State Learning · Paper (PDF)
Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, Jörg Schwenk (all Ruhr University Bochum)
12:00–12:30 · A Constant-Time Analysis Framework for PQC Algorithms
Pablo Gutiérrez Félix (NICS Lab / University of Málaga)
12:30–13:30 · Lunch
Invited Talk: Melissa Azouaoui (NXP Semiconductors)
13:30–14:30 · Beyond Post-Quantum Security: Physical Attacks and Countermeasures
Invited Talk: Charlotte Weitkämper (Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany)
14:30–15:30 · Preparing for Q-Day: migration timelines, policies and activities
15:30–16:00 · Coffee Break
Contributed Papers and Talks II
16:00–16:30 · Implementation of a post-quantum hybrid group key exchange protocol · Paper (PDF)
Tomáš Fabšič, Samuel Klement, Zoltán Raffay, Pavol Zajac (all Slovak University of Technology in Bratislava)
16:30–17:00 · Beyond the Quantum Channel — Detecting Invisible Delivery-Pipeline Failures in Commercial QKD Systems
Darshit Suratwala (Technische Universität Berlin), Matvey Romanowski (Technische Universität Berlin), Orr Dunkelman (Technische Universität Berlin and University of Haifa), Elham Amini (Technische Universität Berlin), Jean-Pierre Seifert (Technische Universität Berlin)

Details

Invited Talk: Instantiating PQ Protocols: Status, Challenges and Solutions for the PQ Transition

09:30–10:30 · Benjamin Dowling (King's College London)

The post-quantum transition is underway: Many post-quantum primitives have been introduced, analysed and standardised, and we see their use in widespread cryptographic protocols, including secure messaging and secure channels. This transition has not been uniform, however: different protocols achieve different notions of security from their classical counterparts, and many aspects of the transition have lagged behind. In this talk we discuss some case studies in post-quantum protocols, discuss the gaps that still exist, and potential directions on how to solve them.

About the speaker. Benjamin Dowling is a Senior Lecturer in the Cybersecurity group at King's College London. Benjamin is interested in the provable security of real-world cryptography, extending security frameworks to bridge the gap between theoretical cryptography and its usage in the real world. His notable publications examine the security of secure communication protocols such as SSL/TLS and secure messaging protocols such as Signal and Matrix, and introduce post-quantum security into practical cryptographic protocols.


Layered Performance Analysis of TLS 1.3 Handshakes: Classical, Hybrid, and Pure Post-Quantum Key Exchange

11:00–11:30 · David Gómez-Cambronero (Telefónica Innovación Digital), Daniel Munteanu (Keysight), Ana Isabel González (Universidad Carlos III)

Paper: arXiv:2603.11006

In this paper, we present a laboratory study focused on the impact of post-quantum cryptography (PQC) algorithms on multiple layers of stateful HTTP over TLS transactions: the TCP handshake, the intermediate TCP–TLS layer, the TLS handshake, the intermediate TLS layer, and the HTTP application layer. To this end, we propose a laboratory architecture that emulates a real-world setup in which a load test of up to 100 transactions per second is sent to a load balancer, which in turn forwards them to a backend server that returns the responses. Each set of tests is executed using the TLS 1.3 key exchange groups as follows: traditional (or non-PQC), hybrid PQC and pure PQC. Each set of tests also varied the backend response size. Across more than thirty experiments, we performed data reduction and statistical analysis for each layer, to determine the specific impact of each algorithm (PQC and traditional) at every stage of the HTTP-over-TLS transaction.

About the speaker. David Gómez-Cambronero Álvarez is a Senior Quantum and Performance Engineer at Telefónica (Spain), with an MSc in Physics and over 20 years of experience in telecommunications, distributed systems, and performance engineering. He is currently leading initiatives related to the adoption and transformation of Post-Quantum Cryptography (PQC) within Telefónica, focusing on the evaluation, validation, and integration of quantum-safe algorithms in real production environments. In parallel, he contributes as an expert to ETSI, where he is involved in the development of a reference implementation of an authenticated protocol combining PQC, elliptic curve cryptography, and QKD.


Finding SSH Strict Key Exchange Violations by State Learning

11:30–12:00 · Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, Jörg Schwenk (all Ruhr University Bochum)

Paper: ACM CCS 2025

SSH is an important protocol for secure remote shell access to servers on the Internet. At USENIX 2024, Bäumer et al. presented the Terrapin attack on SSH, which relies on the attacker injecting optional messages during the key exchange. To mitigate this attack, SSH vendors adopted an extension developed by OpenSSH called strict key exchange (“strict KEX”). With strict KEX, optional messages are forbidden during the handshake, preventing the attack. In practice, this should simplify the state machine of an SSH handshake to a linear message flow similar to that of TLS.

In this work, we analyze the design, implementation, and security of strict KEX in popular SSH servers, using black-box state learning, which can uncover the hidden state machine of an implementation. In practice, it is limited by the number of learned messages and the complexity of the state machine. Thus, learning the complete state machine of SSH is infeasible. Previous research on SSH, therefore, excluded optional messages, learning only a partial state machine. However, these messages are a critical part of the Terrapin attack. We propose to instead learn the complete state machine of the handshake phase of an SSH server, but with strict KEX enabled.

We investigate the security of ten SSH implementations supporting strict KEX for up to five key exchange algorithms. In total, we learn 33 state machines, revealing significant differences in the implementations. We show that seven implementations violate the strict KEX specification and find two critical security vulnerabilities. One results in a rogue session attack in the proprietary Tectia SSH implementation. Another affects the official SSH implementation of the Erlang Open Telecom Platform, and enables unauthenticated remote code execution in the security context of the SSH server.

About the speaker. Fabian Bäumer completed his M.Sc. degree in IT security by the end of 2021. Since 2022, Fabian has been working as a PhD student at Ruhr University Bochum and is part of the Chair for Network and Data Security. Currently, he is researching the SSH (Secure Shell) network protocol from a security standpoint.


A Constant-Time Analysis Framework for PQC Algorithms

12:00–12:30 · Pablo Gutiérrez Félix (NICS Lab / University of Málaga)

Post-quantum cryptographic implementations are ultimately secured not only by their source code but also by the compilation configuration used downstream, which can silently introduce timing leaks into constant-time designs. Even when developers implement constant-time coding patterns, modern compilers may rewrite these patterns into non-constant-time behavior at the assembly level, potentially reintroducing timing leaks. This build-time variability is unavoidable in open-source software because users integrate libraries through toolchains and performance-driven compilation settings. Accordingly, this study provides practical directions for detecting non-constant-time behavior across diverse compilation parameters. We develop a framework and accompanying guidelines to evaluate all enabled post-quantum algorithms in liboqs, the core cryptographic library of the Open Quantum Safe project, across a range of realistic build configurations. The cryptographic algorithms tested belong to liboqs version 0.15, including schemes from the NIST standards, PQC digital signature on-ramp candidates, and other PQC primitives undergoing standardization processes. Designed for integration into the project's CI, the framework's main objective is to assist practitioners in identifying timing-leak candidates that manifest only under specific build settings.

The framework comprises two primary analysis tools: Valgrind’s MemCheck extended with the KyberSlash-derived variable-latency patch (Valgrind-Varlat) and LLVM MemorySanitizer for multi-platform testing (MemSan). Both employ a poisoning-based methodology, in which the random bytes used to derive secret values are marked as undefined. This allows both tools to identify secret-dependent branches or memory accesses as warnings, indicating potential non-constant-time behavior.

The key design element of this framework lies in the controlled exploration of optimization and build settings. The framework varies (1) compiler family (GCC and Clang), (2) compiler versions (default vs latest at the time of the study: gcc-13 vs gcc-14, clang-18 vs clang-20), (3) liboqs CPU-optimization target selection (generic vs optimized implementations), and (4) a spectrum of optimization flags ranging from -O0 through -Ofast, including configurations that explicitly disable vectorization. This matrix intends to capture both performance-oriented and conservative builds, reflecting how open-source libraries are compiled in practice.

Empirically, our framework indicates that absolute warning counts are less informative than configuration-induced changes driven by compiler choice, build type, and optimization level. Across experiments, these shifts show that warnings change with compiler updates and vary systematically across algorithm families and build configurations, with different analysis tools exhibiting distinct sensitivities to optimization and library build settings. Beyond aggregate trends, the framework also surfaces already-reported and unreported, configuration-dependent constant-time warnings in multiple algorithms, motivating a targeted individual analysis of the affected implementations.
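The poisoning methodology described in this abstract, as an added illustration that is not the framework's or liboqs's own code: a leaky and a constant-time comparison are run on key bytes marked undefined through Valgrind's client requests, so that under `valgrind --tool=memcheck` the early-exit variant triggers a "conditional jump depends on uninitialised value(s)" warning while the constant-time variant does not. The HAVE_VALGRIND guard, the helper names and the sample key bytes are assumptions; building the same file with different compilers and -O levels shows the configuration dependence the study targets.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* VALGRIND_MAKE_MEM_UNDEFINED / VALGRIND_MAKE_MEM_DEFINED are the real client
 * requests from <valgrind/memcheck.h>. Assumption: build with -DHAVE_VALGRIND
 * where that header exists; the no-op fallbacks keep the logic identical. */
#ifdef HAVE_VALGRIND
#include <valgrind/memcheck.h>
#else
#define VALGRIND_MAKE_MEM_UNDEFINED(addr, len) ((void)0)
#define VALGRIND_MAKE_MEM_DEFINED(addr, len)   ((void)0)
#endif

#define KEY_LEN 32

/* Early-exit comparison: the branch on a[i] != b[i] depends on secret bytes,
 * so MemCheck reports "Conditional jump or move depends on uninitialised
 * value(s)" once the inputs are poisoned. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 1;
    return 0;
}

/* Constant-time comparison: OR the XOR differences together; no branch and
 * no memory index depends on the data. Returns 0 if equal, 1 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return (int)((((uint32_t)acc - 1u) >> 31) ^ 1u);
}

/* The poisoning step: secret bytes keep their values but are marked undefined,
 * the candidate runs, and only the final verdict is unpoisoned (it is public
 * once returned). Any secret-dependent branch or table index inside cmp()
 * shows up as a MemCheck warning. */
int run_poisoned(int (*cmp)(const uint8_t *, const uint8_t *, size_t),
                 const uint8_t *secret, const uint8_t *guess) {
    uint8_t key[KEY_LEN];
    memcpy(key, secret, KEY_LEN);
    VALGRIND_MAKE_MEM_UNDEFINED(key, KEY_LEN);
    int r = cmp(key, guess, KEY_LEN);
    VALGRIND_MAKE_MEM_DEFINED(&r, sizeof r);
    return r;
}

/* Constructed sample key material (not a real key); tamper flips one bit. */
int demo(int use_ct, int tamper) {
    uint8_t secret[KEY_LEN], guess[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) secret[i] = guess[i] = (uint8_t)(i * 7 + 3);
    guess[KEY_LEN - 1] ^= (uint8_t)(tamper ? 0x01 : 0x00);
    return run_poisoned(use_ct ? ct_compare : leaky_compare, secret, guess);
}
```

Without Valgrind the functions still compute the same results; the poisoning only has an effect when the binary runs under MemCheck.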

About the speaker. Pablo Gutiérrez Félix is a PhD candidate at the University of Málaga and SandboxAQ, specializing in applied cryptography. His current work focuses on PQC migration for wireless protocols under constrained-resource scenarios and side-channel resistance through constant-time analysis. He is an active contributor to the Open Quantum Safe (OQS) initiative through its PQCA mentorship program.


Invited Talk: Beyond Post-Quantum Security: Physical Attacks and Countermeasures

13:30–14:30 · Melissa Azouaoui (NXP Semiconductors)

Post-quantum cryptographic schemes are based on strong theoretical guarantees, but these guarantees are challenging to preserve in real implementations. This talk examines how physical attacks, such as side-channel and fault injection attacks, challenge the security of post-quantum cryptography in practice. While these attacks do not break the underlying mathematics, they can compromise real implementations, making dedicated countermeasures essential. The talk draws on a body of work on both attacks and countermeasures, and highlights their implications for designing secure implementations in practice.

About the speaker. Dr. Melissa Azouaoui is a Principal Cryptographer and Technical Lead for Long-Term Innovation in Post-Quantum Cryptography at NXP Semiconductors. She holds a PhD in cryptography and her work spans PQC, with a particular focus on side-channel and fault attacks and their countermeasures.


Invited Talk: Preparing for Q-Day: migration timelines, policies and activities

14:30–15:30 · Charlotte Weitkämper (Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany)

The development of a cryptographically relevant quantum computer (CRQC) will have far-reaching consequences, for example a devastating impact on the security of digital communication and the reliability of trust infrastructures based on traditional cryptography. The Federal Office for Information Security (BSI) has been a long-time promoter of post-quantum cryptography (PQC) to increase quantum resilience in IT products and services, and has published several guidelines and position papers focusing on how to transition to PQC. In this talk, we will highlight several essential aspects of migration planning, from availability predictions for CRQCs and updates on national and international transition roadmaps to BSI recommendations and useful resources.

About the speaker. Since 2024, Charlotte Weitkämper has been working for the division "Quantum technologies and cryptographic applications" at the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) in Germany, where she focuses on quantum-safe cryptography and the transitioning of cryptographic IT products to PQC. She previously received her PhD in isogeny-based cryptography.


Implementation of a post-quantum hybrid group key exchange protocol

16:00–16:30 · Tomáš Fabšič, Samuel Klement, Zoltán Raffay, Pavol Zajac (all Slovak University of Technology in Bratislava)

Paper: IACR ePrint 2026/445

Post-quantum cryptography focuses on research on cryptographic primitives, including public key encryption and signatures, that can resist attacks mounted by an adversary with access to a quantum computer. An alternative is to employ quantum cryptography to protect communication links, using principles of quantum physics to protect the security of the key exchange. Recently, a group key establishment protocol that combines these approaches in a secure way was presented by Steinwandt and González Vasco. We have successfully implemented and employed this protocol in a prototype application. In this article we describe the overall architecture and specific details of the implementation that can be of interest to the scientific community. We conclude with a discussion of specific challenges, options and open problems that can accompany similar implementation tasks.

About the speaker. Pavol Zajac is a full professor at Slovak University of Technology in Bratislava. His research focus is mathematical cryptology, with a specific interest in post-quantum cryptography. He was a member of 3 NATO SPS projects (since 2012) that studied the secure implementation of post-quantum cryptography and its applications for secure group communication. He is currently trying to design a new cryptosystem based on the MRHS equations. He is also interested in historical cryptography and general computer security, especially in questions related to the applications of Artificial Intelligence in these areas, and applications of cryptographic techniques in the study of AI tools.


Beyond the Quantum Channel — Detecting Invisible Delivery-Pipeline Failures in Commercial QKD Systems

16:30–17:00 · Darshit Suratwala (Technische Universität Berlin), Matvey Romanowski (Technische Universität Berlin), Orr Dunkelman (Technische Universität Berlin and University of Haifa), Elham Amini (Technische Universität Berlin), Jean-Pierre Seifert (Technische Universität Berlin)

Quantum Key Distribution (QKD) is designed to let two parties establish shared secret keys whose security is guaranteed by the laws of physics rather than computational hardness. In practice, however, a QKD system is not just a physics experiment; it is a complex software and hardware pipeline. Raw quantum signals pass through error correction, privacy amplification, and key management software before a key is delivered to an application. The security community has extensive tools for characterising the quantum channel itself: measuring error rates, key generation throughput, and finite-key security parameters. What it lacks is a principled methodology for asking a simpler but equally important question: is the key that actually arrived at the application well-behaved? This gap matters because the software and integration layers between the quantum channel and the application are a rich source of classical engineering faults. Keys can be silently truncated, padded with zeros, replayed after a system restart, or shuffled by a buffer management bug. These failures are entirely outside the scope of quantum-layer security proofs and are invisible to link-layer telemetry. Crucially, they can persist silently across sessions, undetected by any current operational monitoring practice.

About the speaker. Darshit P. Suratwala is a PhD researcher at Technische Universität Berlin, where his work focuses on the security evaluation of quantum communication systems. His research investigates implementation-level vulnerabilities in quantum key distribution (QKD), including side-channel analysis and statistical validation of generated key material. His broader interests lie in practical quantum security, system-level testing, and the reliable deployment of secure quantum communication technologies.