Past Cryptography Seminar

The Ring Learning With Errors problem (RLWE) comes in various forms. Vanilla RLWE is the decision dual-RLWE variant, consisting in distinguishing from uniform a distribution depending on a secret belonging to the dual OK^vee of the ring of integers OK of a specified number field K. In primal-RLWE, the secret instead belongs to OK. Both decision dual-RLWE and primal-RLWE enjoy search counterparts. Also widely used is (search/decision) Polynomial Learning With Errors (PLWE), which is not defined using a ring of integers OK of a number field K but a polynomial ring Z[x]/f for a monic irreducible f in Z[x]. We show that there exist reductions between all of these six problems that incur limited parameter losses. More precisely: we prove that the (decision/search) dual to primal reduction from Lyubashevsky et al. [EUROCRYPT 2010] and Peikert [SCN 2016] can be implemented with a small error rate growth for all rings (the resulting reduction is nonuniform polynomial time); we extend it to polynomial-time reductions between (decision/search) primal RLWE and PLWE that work for a family of polynomials f that is exponentially large as a function of deg f (the resulting reduction is also non-uniform polynomial time); and we exploit the recent technique from Peikert et al. [STOC 2017] to obtain a search to decision reduction for RLWE. The reductions incur error rate increases that depend on intrinsic quantities related to K and f.

Based on joint work with Miruna Roșca and Damien Stehlé.

Pseudorandom functions (PRFs) are one of the fundamental building blocks in cryptography. Traditionally, there have been two main approaches for PRF design: the ``practitioner's approach'' of building concretely-efficient constructions based on known heuristics and prior experience, and the ``theoretician's approach'' of proposing constructions and reducing their security to a previously-studied hardness assumption. While both approaches have their merits, the resulting PRF candidates vary greatly in terms of concrete efficiency and design complexity. In this work, we depart from these traditional approaches by exploring a new space of plausible PRF candidates. Our guiding principle is to maximize simplicity while optimizing complexity measures that are relevant to cryptographic applications. Our primary focus is on weak PRFs computable by very simple circuits (depth-2 ACC^0 circuits). Concretely, our main weak PRF candidate is a ``piecewise-linear'' function that first applies a secret mod-2 linear mapping to the input, and then a public mod-3 linear mapping to the result. We also put forward a similar depth-3 strong PRF candidate.  
The advantage of our approach is twofold. On the theoretical side, the simplicity of our candidates enables us to draw many natural connections between their hardness and questions in complexity theory or learning theory (e.g., learnability of depth-2 ACC^0 circuits and width-3 branching programs, interpolation and property testing for sparse polynomials, and natural proof barriers for showing super-linear circuit lower bounds). On the applied side, the piecewise-linear structure of our candidates lends itself nicely to applications in secure multiparty computation (MPC). Using our PRF candidates, we construct protocols for distributed PRF evaluation that achieve better round complexity and/or communication complexity (often both) compared to protocols obtained by combining standard MPC protocols with PRFs like AES, LowMC, or Rasta (the latter two are specialized MPC-friendly PRFs).
Finally, we introduce a new primitive we call an encoded-input PRF, which can be viewed as an interpolation between weak PRFs and standard (strong) PRFs. As we demonstrate, an encoded-input PRF can often be used as a drop-in replacement for a strong PRF, combining the efficiency benefits of weak PRFs and the security benefits of strong PRFs. We conclude by showing that our main weak PRF candidate can plausibly be boosted to an encoded-input PRF by leveraging standard error-correcting codes.
Joint work with Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu.

We provide lattice-based protocols allowing to prove relations among committed integers. While the most general zero-knowledge proof techniques can handle arithmetic circuits in the lattice setting, adapting them to prove statements over the integers is non-trivial, at least if we want to handle exponentially large integers while working with a polynomial-size modulus qq. For a polynomial L, we provide zero-knowledge arguments allowing a prover to convince a verifier that committed L-bit bitstrings x, y and z are the binary representations of integers X, Y and Z satisfying Z=X+Y over the integers. The complexity of our arguments is only linear in L. Using them, we construct arguments allowing to prove inequalities X <Z among committed integers, as well as arguments showing that a committed X belongs to a public interval [α,β], where α and β can be arbitrarily large. Our range arguments have logarithmic cost (i.e., linear in L) in the maximal range magnitude. Using these tools, we obtain zero-knowledge arguments showing that a committed element X does not belong to a public set S using soft-O(n⋅log|S|) bits of communication, where n is the security parameter. We finally give a protocol allowing to argue that committed L-bit integers X, Y and Z satisfy multiplicative relations Z=XY over the integers, with communication cost subquadratic in L. To this end, we use our protocol for integer addition to prove the correct recursive execution of Karatsuba's multiplication algorithm. The security of our protocols relies on standard lattice assumptions with polynomial modulus and polynomial approximation factor.

TBA

TBA

Post-quantum cryptography has been one of the most active subfields of
cryptography in the last few years. This is especially true today as
standardization efforts are currently underway, with no less than 69
candidate cryptographic schemes proposed.

In this talk, I will present one of these schemes: Falcon, a signature
scheme based on the NTRU class of structured lattices. I will focus on
mathematical aspects of Falcon: for example how we take advantage of the
algebraic structure to speed up some operations, or how relying on the
most adequate probability divergence can go a long way in getting more
efficient parameters "for free". The talk will be concluded with a few
open problems.

In 2016, Facebook added an optional end-to-end (E2E) encryption feature called Secret Conversations to Messenger. This was challenging to design, as many of Messenger's key properties and features don't fit the typical model of E2E apps. Additionally, Messenger is already one of the world's most popular messaging apps, supporting nearly a billion people across a variety of technical and cultural environments. Because of this, Messenger's deployment of E2E encryption provides attendees with a valuable case study on how to build usable, secure products. 

We will discuss the core properties of a typical E2E app, the core features of Messenger, the distance between the two, and the approach we took to close the gap. We'll examine how minimizing the distance shaped the current E2E experience within Messenger. Through discussion of the key decisions in this process, we'll address the implications for alternative designs with real world comparisons where they exist. 

Although Secret Conversations in Messenger use off-the-shelf Signal Protocol for message encryption, Facebook also wanted to ensure a safe communication channel for community members who may be victims of online abuse. To this end, we created a way for people to report secret conversations that violate our Community Standards, without breaking any E2E guarantees for other messages.

Developing a reporting protocol created an interesting challenge: the potential of fake reports with no intermediary to invalidate them. To pre-empt the possibility of Bob forging a report to incriminate Alice, we added a method that uses two HMACs - one added by the sender and one by Facebook - to “cryptographically frank” messages as we forward them from one party to the other (physical mail uses a similar franking). This technique ensures similar confidence that a report is genuine as we have for messages stored in plaintext on our servers. Additionally, the frank is only verifiable by Facebook after receiving a report from the recipient, thus preventing a third party from using it as evidence against the sender.

We hope that this talk will provide an insight into the intricacies of deploying security features at scale, and the additional considerations necessary when developing an existing product.

Tight security is increasingly gaining importance in real-world
cryptography, as it allows to choose cryptographic parameters in a way
that is supported by a security proof, without the need to sacrifice
efficiency by compensating the security loss of a reduction with larger
parameters. However, for many important cryptographic primitives,
including digital signatures and authenticated key exchange (AKE), we
are still lacking constructions that are suitable for real-world deployment.

This talk will present the first first practical AKE protocol with tight
security. It allows the establishment of a key within 1 RTT in a
practical client-server setting, provides forward security, is simple
and easy to implement, and thus very suitable for practical deployment.
It is essentially the "signed Diffie-Hellman" protocol, but with an
additional message, which is crucial to achieve tight security. This
message is used to overcome a technical difficulty in constructing
tightly-secure AKE protocols.

The second important building block is a practical signature scheme with
tight security in a real-world multi-user setting with adaptive
corruptions. The scheme is based on a new way of applying the
Fiat-Shamir approach to construct tightly-secure signatures from certain
identification schemes.

For a theoretically-sound choice of parameters and a moderate number of
users and sessions, our protocol has comparable computational efficiency
to the simple signed Diffie-Hellman protocol with EC-DSA, while for
large-scale settings our protocol has even better computational per-
formance, at moderately increased communication complexity.

TBA

There is currently a large interest in the applications of the Blockchain technology. After the well known success of the cryptocurrency Bitcoin, several other real-world applications of Blockchain technology have been proposed, often raising privacy concerns. We will discuss the potential of advanced cryptographic tools in relaxing the tension between pros and cons of this technology.

Side channel leakage is no longer just a concern for industries that
traditionally have a high degree of awareness and expertise in
(implementing) cryptography. With the rapid growth of security
sensitive applications in other areas, e.g. smartphones, homes, etc.
there is a clear need for developers with little to no crypto
expertise to implement and instantiate cryptography securely on
embedded devices. In this talk, I explain what makes finding side
channel leaks challenging (in theory and in practice) and give an
update on our latest work to develop methods and tools to enable
non-domain experts to ‘get a grip’ on leakage in their
implementations.

Let n be a positive integer. In this talk we provide a recipe to 
construct full orbit sequences in the affine n-dimensional space over a 
finite field. For n=1 our construction covers the case of the well 
studied pseudorandom number generator ICG.

This is a joint work with Federico Amadio Guidi.

Multivariate cryptography is one of a handful of proposals for post-quantum cryptographic schemes, i.e. cryptographic schemes that are secure also against attacks carried on with a quantum computer. Their security relies on the assumption that solving a system of multivariate (quadratic) equations over a finite field is computationally hard. 

Groebner bases allow us to solve systems of polynomial equations. Therefore, one of the key questions in assessing the robustness of multivariate cryptosystems is estimating how long it takes to compute the Groebner basis of a given system of polynomial equations. 

After introducing multivariate cryptography and Groebner bases, I will present a rigorous method to estimate the complexity of computing a Groebner basis. This approach is based on techniques from commutative algebra and is joint work with Alessio Caminata (University of Barcelona).

Large parts of the cryptography in use today,

key-agreement protocols and digital signatures based on the

hardness of factoring large integers or solving the

discrete-logarithm problem, are not secure against attackers

equipped with a large universal quantum computer. It is not

clear when such a large quantum computer will be built, but

continuous progress by various labs around the world suggests

that it may well be less than two decades until today's

cryptography will become insecure.

To address this issue, NIST started a public competition to

identify suitable replacements for today's cryptosystems. In

my talk, I will describe two of these systems: the

key-encapsulation mechanism Kyber and the digital signature

scheme Dilithium. Both schemes are based on the hardness of

solving problems in module lattices and they together form the

"Cryptographic Suite for Algebraic Lattices -- CRYSTALS".

Integer programming, the problem of finding an optimal integer solution satisfying linear constraints, is one of the most fundamental problems in discrete optimization. In the first part of this talk, I will discuss the important open problem of whether there exists a single exponential time algorithm for solving a general n variable integer program, where the best current algorithm requires n^{O(n)} time. I will use this to motivate a beautiful conjecture of Kannan & Lovasz (KL) regarding how "flat" convex bodies not containing integer points must be.

The l_2 case of KL was recently resolved in breakthrough work by Regev & Davidowitz `17, who proved a more general "Reverse Minkowski" theorem which gives an effective way of bounding lattice point counts inside any ball around the origin as a function of sublattice determinants. In both cases, they prove the existence of certain "witness" lattice subspaces in a non-constructive way that explains geometric parameters of the lattice. In this work, as my first result, I show how to make these results constructive in 2^{O(n)} time, i.e. which can actually find these witness subspaces, using discrete Gaussian sampling techniques. As a second main result, I show an improved complexity characterization for approximating the covering radius of a lattice, i.e. the farthest distance of any point in space to the lattice. In particular, assuming the slicing conjecture, I show that this problem is in coNP for constant approximation factor, which improves on the corresponding O(log^{3/2} n) approximation factor given by Regev & Davidowitz's proof of the l_2 KL conjecture.

With the evolution towards the IoT and cyber-physical systems, the role that the underlying hardware plays in securing an application is becoming more prominent. Hardware can be used constructively, e.g. for accelerating computationally- intensive cryptographic algorithms. Hardware can also be used destructively, e.g., for physical attacks or transistor-level Trojans which are virtually impossible to detect. In this talk, we will present case studies for high-speed cryptography used in car2x communication and recent research on low-level hardware Trojans. 

Broken cryptographic algorithms and hardness assumptions are a constant
threat to real-world protocols. Prominent examples are
hash functions for which collisions become known, or number-theoretic
assumptions which are threatened by advances in quantum computing.
Especially when it comes to key exchange protocols, the switch to
quantum-resistant primitives has begun and aims to protect today’s
secrets against future developments, moving from common Diffie–Hellman
based solutions to Learning-With-Errors-based approaches. Remarkably,
the authentication step in such protocols is usually still carried out
with quantum-vulnerable signature schemes. The intuition here is that
the adversary would need to break this protocol primitive today, without
having quantum power yet. The question we address here is if this
intuition is justified, and if so, if we can show this rigorously. We
particularly consider the authenticated variant of the recently
introduced post-quantum secure key exchange protocol NewHope (Alkim et
al., USENIX Security 2016), as well as by TLS 1.3, which is currently
being developed by the Internet Engineering Task Force.

Adaptive oblivious transfer (OT) is a protocol where a sender
initially commits to a database {M_i}_{i=1}^N . Then, a receiver can query the
sender up to k times with private indexes ρ_1, …, ρ_k so as to obtain
M_{ρ_1}, …, M_{ρ_k} and nothing else. Moreover, for each i ∈ [k], the receiver’s
choice ρ_i may depend on previously obtained messages {M_ρ_j}_{j<i} . Oblivious transfer
with access control (OT-AC) is a flavor of adaptive OT
where database records are protected by distinct access control policies
that specify which credentials a receiver should obtain in order to access
each M_i . So far, all known OT-AC protocols only support access policies
made of conjunctions or rely on ad hoc assumptions in pairing-friendly
groups (or both). In this paper, we provide an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in NC^1. The security of
our protocol is proved under the Learning-with-Errors (LWE) and Short-
Integer-Solution (SIS) assumptions. As a result of independent interest,
we provide protocols for proving the correct evaluation of a committed
branching program on a committed input.

Joint work with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang.

Identity-based cryptography can be useful in situations where a full-scale public-key infrastructure is impractical.  Original identity-based proposals relied on elliptic curve pairings and so are vulnerable to quantum computers.  I will describe some on-going work to design a post-quantum identity-based encryption scheme using ideas from Ring Learning with Errors. Our scheme has the advantage that it can be extended to the hierarchical setting for more flexible key management.

In this lecture, we present  practical and provably
secure (authenticated) key exchange protocol and password
authenticated key exchange protocol, which are based on the
learning with errors problems. These protocols are conceptually
simple and have strong provable security properties.
This type of new constructions were started in 2011-2012.
These protocols are shown indeed practical.  We will explain
that all the existing LWE based key exchanges are variants
of this fundamental design.  In addition, we will explain
some issues with key reuse and how to use the signal function
invented for KE for authentication schemes.

Direct Anonymous Attestation (DAA) is a protocol that allows a security chip embedded in a platform such as laptop to authenticate itself as a genuine chip.  Different authentications are not linkeable, thus the protocol protects the privacy of the platform. The first DAA protocol was proposed by Brickell, Chen, and Camenisch and was standardized in 2004 by the Trusted Computing Group (TCG). Implementations of this protocols were rather slow because it is based on RSA. Later, alternative and faster protocols were proposed based on elliptic curves. Recently the specification by the TCG was updated to allow for DAA protocols based on elliptic curves. Unfortunately, the new standard does not allow for provably secure DAA protocols. In this talk, we will review some of the history of DAA and  then discuss the latest protocols, security models, and finally a provably secure realization of DAA based on elliptic curves.

Hash Proof Systems or Smooth Projective Hash Functions (SPHFs) are a
form of implicit arguments introduced by Cramer and Shoup at
Eurocrypt’02. They have found many applications since then, in
particular for authenticated key exchange or honest-verifier
zero-knowledge proofs. While they are relatively well understood in
group settings, they seem painful to construct directly in the lattice
setting.
Only one construction of an SPHF over lattices has been proposed, by
Katz and Vaikuntanathan at Asiacrypt’09. But this construction has an
important drawback: it only works for an ad-hoc language of ciphertexts.
Concretely, the corresponding decryption procedure needs to be tweaked,
now requiring q many trapdoor inversion attempts, where q is the modulus
of the underlying Learning With Error (LWE) problem.
Using harmonic analysis, we explain the source of this limitation, and
propose a way around it. We show how to construct SPHFs for standard
languages of LWE ciphertexts, and explicit our construction over a
tag-CCA2 encryption scheme à la Micciancio-Peikert (Eurocrypt’12).

If there is enough time, we will conclude with applications of these
SPHFs to password-authenticated key exchange, honest-verifier
zero-knowledge and a variant of witness encryption.

TBA

In this talk, I’ll share the progress that we have made in the field of e-voting, including the proposal of a new paradigm of e-voting system called self-enforcing e-voting (SEEV). A SEEV system is End-to-End (E2E) verifiable, but it differs from all previous E2E systems in that it does not require tallying authorities. The removal of tallying authorities significantly simplifies the election management and makes the system much more practical than before. A prototype of a SEEV system based on the DRE-i protocol (Hao et al. USENIX JETS 2014) has been built and used regularly in Newcastle University for classroom voting and student prize competitions with very positive student feedback. Lessons from our experience of designing, analysing and deploying an e-voting system for real-world applications are also presented.

The amount of digital data that requires long-term protection 
of integrity, authenticity, and confidentiality protection is steadily 
increasing. Examples are health records and genomic data which may have 
to be kept and protected for 100 years and more. However, current 
security technology does not provide such protection which I consider a 
major challenge. In this talk I report about a storage system that 
achieves the above protection goals in the long-term. It is based on 
information theoretic secure cryptography (both classical and quantum) 
as well as on chains of committments. I discuss its security and present 
a proof-of-concept implementation including an experimental analysis.

Classical modular functions and forms may be evaluated numerically using truncations of the q-series of the Dedekind eta-function or of Jacobi theta-constants. We show that the special structure of the exponents occurring in these series makes it possible to evaluate their truncations to N terms with N+o(N) multiplications; the proofs use elementary number theory and sometimes rely on a Bateman-Horn type conjecture. We furthermore obtain a baby-step giant-step algorithm needing only a sublinear number of multiplications, more precisely O (N/log^r N) for any r>0. Both approaches lead to a measurable speed-up in practical precision ranges, and push the cross-over point for the asymptotically faster arithmetic- geometric mean algorithm even further.

(joint work with William Hart and Fredrik Johansson) ​

In this seminar, we present a fast fully homomorphic encryption (FHE) based on GSW and its ring variants. The cryptosystem relies on the hardness of lattice problems in the unique domain (e.g. the LWE family). After a brief presentation of these lattice problems, with a few notes on their asymptotic and practical average case hardness, we will present our homomorphic cryptosystem TFHE, based on a ring variant of GSW. TFHE can operate in two modes: The first one is a leveled homomorphic mode, which has the ability to evaluate deterministic automata (or branching programs) at a rate of 1 transition every 50microseconds. For the second mode, we also show that this scheme can evaluate its own decryption in only 20milliseconds, improving on the the construction by Ducas-Micciancio, and of Brakerski-Perlman. This makes the scheme fully homomorphic by Gentry's bootstrapping principle, and for instance, suitable for representing fully dynamic encrypted databases in the cloud.

We present “Ouroboros,” the first blockchain protocol based on proof of stake with rigorous security guarantees. We establish security properties for the protocol comparable to those achieved by the bitcoin blockchain protocol. As the protocol provides a “proof of stake” blockchain discipline, it offers qualitative efficiency advantages over blockchains based on proof of physical resources (e.g., proof of work). We showcase the practicality of our protocol in real world settings by providing experimental results on transaction processing time obtained with a prototype implementation in the Amazon cloud. We also present a novel reward mechanism for incentivizing the protocol and we prove that given this mechanism, honest behavior is an approximate Nash equilibrium, thus neutralizing attacks such as selfish mining. 

Joint work with  Alexander Russell and Bernardo David and Roman Oliynykov

Code based Cryptography had its beginning in 1978 when Robert McEliece
demonstrated how the hardness of decoding a general linear code up to
half the minimum distance can be used as the basis for a public key
crypto system.  At the time the proposed system was not implemented in
practice as the required public key was relatively large.

With the realization that a quantum computer would make many
practically used systems obsolete coding based systems became an
important research subject in the area of post-quantum cryptography.
In this talk we will provide an overview to the subject.

In addition  we will report on recent results where the underlying
code is a disguised Gabidulin code or more generally a subspace
code and where the distance measure is the rank metric respecively the
subspace distance.
 

We introduce Learning with Errors and Ring Learning with Errors, two hard
lattice problems which are widely used for security of Homomorphic
Encryption schemes. Following a study we conducted comparing four such
schemes, the best scheme was the so-called BGV scheme, introduced by
Brakerski-Gentry-Vaikuntanathan in 2012. We present it as an example of a
ring-based homomorphic scheme, discussing its number theoretic
optimisations.

Isogenies are algebraic group morphisms of elliptic curves. Let E, E' be two (ordinary) elliptic curves defined over a finite field of characteristic p, and suppose that there exists an isogeny ψ between E and E'. The explicit isogeny problem asks to compute a rational function expression for ψ. Various specializations of this problem appear naturally in point counting and elliptic curve cryptography. There exist essentially two families of algorithms to compute isogenies. Algorithms based on Weierstraß' differential equation are very fast and well suited in the point count setting, but are clumsier in general. Algorithms based on interpolation work more generally, but have exponential complexity in log(p) (the characteristic of the finite field). We propose a new interpolation-based algorithm that solves the explicit isogeny problem in polynomial time in all the involved parameters. Our approach is inspired by a previous algorithm of Couveignes', that performs interpolation on the p-torsion on the curves. We replace the p-torsion in Couveignes' algorithm with the ℓ-torsion for some small prime ℓ; however this adaptation requires some non-trivial work on isogeny graphs in order to yield a satisfying complexity. Joint work with Cyril Hugounenq, Jérôme Plût and Éric Schost.

Commitment schemes are a fundamental primitive in cryptography. Their security (more precisely the computational binding property) is closely tied to the notion of collision-resistance of hash functions. Classical definitions of binding and collision-resistance turn out too be weaker than expected when used in the quantum setting. We present strengthened notions (collapse-binding commitments and collapsing hash functions), explain why they are "better", and show how they be realized under standard assumptions.

Gauss was the first to give a formula for the number of monic irreducible polynomials of degree n over a finite field. A natural problem is to determine the number of such polynomials for which certain coefficients are prescribed. While some asymptotic and existence results have been obtained, very few exact results are known. In this talk I shall present an algorithm which for any finite field GF(q) of characteristic p expresses the number of monic irreducibles of degree n for which the first l < p coefficients are prescribed, for n >= l and coprime to p, in terms of the number of GF(q^n)-rational points of certain affine varieties defined over GF(q). 
The GF(2) base field case is related to the distribution of binary Kloosterman sums, which have numerous applications in coding theory and cryptography, for example via the construction of bent functions. Using a variant of the algorithm, we present varieties (which are all curves) for l <= 7 and compute explicit formulae for l <= 5; before this work such formulae were only known for l <= 3. While this connection motivates the problem, the talk shall focus mainly on computational algebraic geometry, with the algorithm, theoretical questions and computational challenges taking centre stage.

Not considering classified work, the first person to have asked and solved the problem of secure communication over insecure communication channels was Ralph Merkle, in a project for a Computer securitjohn y course at UC Berkeley in 1974. In this work, he gave a protocol that allow two legitimate parties to establish a secret key with an effort of the order of N, but such that an eavesdropper can not discover the secret key with non-vanishing probability if he is not willing to spend an effort of at least the order of N^2.
In this talk, we will consider key exchange protocols in the presence of a quantum eavesdropper. Unfortunately, it is easy to see that in this case, breaking Merkle’s original protocol only requires an effort of the order of N, similar to the one of the legitimate parties. We will show how to restore the security by presenting two sequences of protocols with the following properties:
- In the first sequence, the legitimate parties have access to a quantum computer, and the eavesdropper's effort is arbitrarily close to N^2.
- In the second sequence, the protocols are classical, but the eavesdropper’s effort is arbitrarily close to N^{3/2}.
We will show the key exchange protocols, the quantum attacks with the proof of their optimality. We will focus mostly on the techniques from quantum algorithms and complexity theory used to devise quantum algorithms and to prove lower bounds. The underlying tools are the quantum walk formalism, and the quantum adversary lower bound method, respectively. Finally, we will introduce a new method to prove average-case quantum query complexity lower bounds.

The introduction of Edwards' curves in 2007 relaunched a
deeper study of the arithmetic of elliptic curves with a
view to cryptographic applications.  In particular, this
research focused on the role of the model of the curve ---
a triple consisting of a curve, base point, and projective
(or affine) embedding. From the computational perspective,
a projective (as opposed to affine) model allows one to
avoid inversions in the base field, while from the
mathematical perspective, it permits one to reduce various
arithmetical operations to linear algebra (passing through
the language of sheaves). We describe the role of the model,
particularly its classification up to linear isomorphism
and its role in the linearization of the operations of addition,
doubling, and scalar multiplication.

The Algebraic Eraser is a cryptosystem (more precisely, a class of key
agreement schemes) introduced by Anshel, Anshel, Goldfeld and Lemieux
about 10 years ago. There is a concrete instantiation of the Algebraic
Eraser called the Colored Burau Key Agreement Protocol (CBKAP), which
uses a blend of techniques from permutation groups, matrix groups and
braid groups. SecureRF, the company owning the trademark to the
Algebraic Eraser, is marketing this system for lightweight
environments such as RFID tags and other Internet of Things
applications; they have proposed making this scheme the basis for an
ISO RFID standard.

This talk gives an introduction to the Algebraic Eraser, a brief
history of the attacks on this scheme using ideas from group-theoretic
cryptography, and describes the countermeasures that have been
proposed. I would not recommend the scheme for the proposed
applications: the talk ends with a brief sketch of a recent convincing
cryptanalysis of this scheme due to Ben-Zvi, Blackburn and Tsaban
(which appeared at CRYPTO this summer), and significant attacks
on the protocol in the proposed ISO standard due to Blackburn and
Robshaw (which appeared at ACNS earlier this year).

Linear algebra is a widely used tool both in mathematics and computer science, and cryptography is no exception to this rule. Yet, it introduces some particularities, such as dealing with linear systems that are often sparse, or, in other words, linear systems inside which a lot of coefficients are equal to zero. We propose to enlarge this notion to nearly sparse matrices, caracterized by the concatenation of a sparse matrix and some dense columns, and to design an algorithm to solve this kind of problems. Motivated by discrete logarithms computations on medium and high caracteristic finite fields, the Nearly Sparse Linear Algebra briges the gap between classical dense linear algebra problems and sparse linear algebra ones, for which specific methods have already been established. Our algorithm particularly applies on one of the three phases of NFS (Number Field Sieve) which precisely consists in finding a non trivial element of the kernel of a nearly sparse matrix.

Additive combinatorics enable one to characterise subsets S of elements in a group such that S+S has

small cardinality. In particular a theorem of Vosper says that subsets of integers modulo a prime p

with minimal sumsets can only be arithmetic progressions, apart from some degenerate cases. We are

interested in q-analogues of these results, namely characterising subspaces S in some algebras such

that the linear span of its square S^2 has small dimension.

Analogues of Vosper's theorem will imply that such spaces will have bases consisting of elements in

geometric progression.

We derive such analogues in extensions of finite fields, where bounds on codes in the space of

quadratic forms play a crucial role. We also obtain that under appropriately formulated conditions,

linear codes with small squares for the component-wise product can only be generalized Reed-Solomon

codes.



Based on joint works with Christine Bachoc and Oriol Serra, and with Diego Mirandola.

Efficient factorization or efficient computation of class 
numbers would both suffice to break RSA.  However the talk lies more in 
computational number theory rather than in cryptography proper. We will 
address two questions: (1) How quickly can one construct a factor table 
for the numbers up to x?, and (2) How quickly can one do the same for the 
class numbers (of imaginary quadratic fields)? Somewhat surprisingly, the 
approach we describe for the second problem is motivated by the classical 
Hardy-Littlewood method.

Due to Shor's algorithm, quantum computers are a severe threat for public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood. In this paper, we consider attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. This model gives a lot of power to the adversary, but recent results show that it is nonetheless possible to build secure cryptosystems in it.
We study applications of a quantum procedure called Simon's algorithm (the simplest quantum period finding algorithm) in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon's algorithm: finding a collision requires Ω(2n/2) queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only O(n) queries in the quantum model.
We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the situation with encryption modes: Anand et al. show that standard modes are secure when using a quantum-secure PRF.
Second, we show that slide attacks can also be sped up using Simon's algorithm. This is the first exponential speed up of a classical symmetric cryptanalysis technique in the quantum model.

The cube attack of Dinur and Shamir and the AIDA attack of Vielhaber have been used successfully on 

reduced round versions of the Trivium stream cipher and a few other ciphers. 

These attacks can be viewed in the framework of higher order differentiation, as introduced by Lai in 

the cryptographic context. We generalise these attacks from the binary case to general finite fields, 

showing that we would need to differentiate several times with respect to each variable in order to have

a reasonable chance of a successful attack.

We also investigate the notion of “fast points” for a binary polynomial function f  

(i.e. vectors such that the derivative of f with respect to this vector has a lower 

than expected degree). These were  introduced by Duan and Lai, motivated by the fact that higher order 

differential attacks are usually more efficient if they use such points. The number of functions which 

admit fast points were computed by Duan et al in a few particular cases; we give explicit formulae for 

all remaining cases and discuss the cryptographic significance of these results.

One of the peculiar features of quantum mechanics is
entanglement. It is known that entanglement is monogamous in the sense
that a quantum system can only be strongly entangled to one other
system. In this talk, I will show how this so-called monogamy of
entanglement can be captured and quantified by a "game". We show that,
in this particular game, the monogamy completely "cancels out" the
advantage of entanglement.
As an application of our analysis, we show that - in theory - the
standard BB84 quantum-key-distribution scheme is one-sided
device-independent, meaning that one of the parties, say Bob, does not
need to trust his quantum measurement device: security is guaranteed
even if his device is completely malicious.
The talk will be fully self-contained; no prior knowledge on quantum
mechanics/cryptography is necessary.

We hope to bring together all Oxford researchers interested in Cryptography, in Quantum Computing and in the interactions between the two.

Please register at:  http://oxford-cryptography-day.eventbrite.co.uk

Structure-preserving signatures are an important cryptographic primitive that is useful for the design of modular cryptographic protocols. In this work, we show how to bypass most of the existing lower bounds in the most efficient Type-III bilinear group setting. We formally define a new variant of structure-preserving signatures in the Type-III setting and present a number of fully secure schemes with signatures half the size of existing ones. We also give different constructions including constructions of optimal one-time signatures. In addition, we prove lower bounds and provide some impossibility results for the variant we define. Finally, we show some applications of the new constructions.

Trusted Platform Modules (TPMs) are currently used in large numbers of computers. In this talk, I will discuss the cryptographic algorithms supported by the current version of the Trusted Platform Modules (Version 1.2) and also those due to be included in the new version  (Version 2.0).  After briefly introducing the history of TPMs, and the difference between these two generations TPMs, I will focus on the challenges faced in developing Direct Anonymous Attestation (DAA) an algorithmic scheme designed to preserve privacy and included in TPMs.

The security of pairings-based cryptography relies on the difficulty of two problems: computing discrete logarithms over elliptic curves and, respectively, finite fields GF(p^n) when n is a small integer larger than 1. The real-life difficulty of the latter problem was tested in 2006 by a record in a field GF(p^3) and in 2014 and 2015 by new records in GF(p^2), GF(p^3) and GF(p^4). We will present the new methods of polynomial selection which allowed to obtain these records. Then we discuss the difficulty of DLP in GF(p^6) and GF(p^12) when p has a special form (SNFS) for which two theoretical algorithms were presented recently.

In this talk, I'll discuss some personal experiences - good, bad, and
ugly - of disclosing vulnerabilities in a range of different cryptographic
standards and implementations. I'll try to draw some general lessons about
what works well and what does not.