Past Cryptography Seminar

8 November 2017
Fabrice Mouhartem

Adaptive oblivious transfer (OT) is a protocol where a sender
initially commits to a database {M_i}_{i=1}^N . Then, a receiver can query the
sender up to k times with private indexes ρ_1, …, ρ_k so as to obtain
M_{ρ_1}, …, M_{ρ_k} and nothing else. Moreover, for each i ∈ [k], the receiver’s
choice ρ_i may depend on previously obtained messages {M_ρ_j}_{j<i} . Oblivious transfer
with access control (OT-AC) is a flavor of adaptive OT
where database records are protected by distinct access control policies
that specify which credentials a receiver should obtain in order to access
each M_i . So far, all known OT-AC protocols only support access policies
made of conjunctions or rely on ad hoc assumptions in pairing-friendly
groups (or both). In this paper, we provide an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in NC^1. The security of
our protocol is proved under the Learning-with-Errors (LWE) and Short-
Integer-Solution (SIS) assumptions. As a result of independent interest,
we provide protocols for proving the correct evaluation of a committed
branching program on a committed input.

Joint work with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang.

  • Cryptography Seminar
11 October 2017
Peter Campbell

Identity-based cryptography can be useful in situations where a full-scale public-key infrastructure is impractical.  Original identity-based proposals relied on elliptic curve pairings and so are vulnerable to quantum computers.  I will describe some on-going work to design a post-quantum identity-based encryption scheme using ideas from Ring Learning with Errors. Our scheme has the advantage that it can be extended to the hierarchical setting for more flexible key management.

  • Cryptography Seminar
21 June 2017

In this lecture, we present  practical and provably
secure (authenticated) key exchange protocol and password
authenticated key exchange protocol, which are based on the
learning with errors problems. These protocols are conceptually
simple and have strong provable security properties.
This type of new constructions were started in 2011-2012.
These protocols are shown indeed practical.  We will explain
that all the existing LWE based key exchanges are variants
of this fundamental design.  In addition, we will explain
some issues with key reuse and how to use the signal function
invented for KE for authentication schemes.

  • Cryptography Seminar
7 June 2017
Jan Camenisch

Direct Anonymous Attestation (DAA) is a protocol that allows a security chip embedded in a platform such as laptop to authenticate itself as a genuine chip.  Different authentications are not linkeable, thus the protocol protects the privacy of the platform. The first DAA protocol was proposed by Brickell, Chen, and Camenisch and was standardized in 2004 by the Trusted Computing Group (TCG). Implementations of this protocols were rather slow because it is based on RSA. Later, alternative and faster protocols were proposed based on elliptic curves. Recently the specification by the TCG was updated to allow for DAA protocols based on elliptic curves. Unfortunately, the new standard does not allow for provably secure DAA protocols. In this talk, we will review some of the history of DAA and  then discuss the latest protocols, security models, and finally a provably secure realization of DAA based on elliptic curves.

  • Cryptography Seminar
31 May 2017
Olivier Blazy

Hash Proof Systems or Smooth Projective Hash Functions (SPHFs) are a
form of implicit arguments introduced by Cramer and Shoup at
Eurocrypt’02. They have found many applications since then, in
particular for authenticated key exchange or honest-verifier
zero-knowledge proofs. While they are relatively well understood in
group settings, they seem painful to construct directly in the lattice
Only one construction of an SPHF over lattices has been proposed, by
Katz and Vaikuntanathan at Asiacrypt’09. But this construction has an
important drawback: it only works for an ad-hoc language of ciphertexts.
Concretely, the corresponding decryption procedure needs to be tweaked,
now requiring q many trapdoor inversion attempts, where q is the modulus
of the underlying Learning With Error (LWE) problem.
Using harmonic analysis, we explain the source of this limitation, and
propose a way around it. We show how to construct SPHFs for standard
languages of LWE ciphertexts, and explicit our construction over a
tag-CCA2 encryption scheme à la Micciancio-Peikert (Eurocrypt’12).

If there is enough time, we will conclude with applications of these
SPHFs to password-authenticated key exchange, honest-verifier
zero-knowledge and a variant of witness encryption.

  • Cryptography Seminar