- Solving SIDH given extra information, by solving DLog in E[2^e]. (UnionCTF 21)
- Factoring low entropy RSA modulus bit-by-bit. (GoogleCTF 20)
- Forging post-quantum SPHINCS+ signatures when using small parameters. (GoogleCTF 20)
- Breaking flawed quantum OTP using qiskit. (Pwn2WinCTF 20)
- Key-recovery for SIDH when the secret key is reused, against 3^n-isogenies. (PlaidCTF 20)
- Attacking ECDH with supersingular curves implementing MOV. (Volga CTF Quals 20)
- Forging plain Schnorr multisignatures using a rogue-key attack. (Real World CTF Quals 19)
- Bad instance of RSA with Gaussian integers: Euler theorem and Square and Multiply for complex numbers. (CryptoCTF 19)
- Solving Rivest Time Capsule Crypto-Puzzle when n is factorizable. (CryptoCTF 19)
- Breaking 3-round Feistel cipher (provably secure pseudorandom permutation) using a non-secure PRF. (PlaidCTF 19)
- Unmasking the commit of a ZK protocol to recover the secret, using polynomial interpolation. (MidnightSun CTF Quals 19)
- CRIME-like attack against misused GPG: side-channel to get information compressed before encryption. (InsomniHack Teaser CTF 19)
- Known-plaintext attack to code-based cryptosystem, decoding the error by exploiting its structure. (35C3 CTF)
- "Learning a Parallelepiped" attack on the GGH signature scheme to recover the secret key. (CPS 2018 coursework, IST)