Past Cryptography Seminar

30 May 2018

Post-quantum cryptography has been one of the most active subfields of
cryptography in the last few years. This is especially true today as
standardization efforts are currently underway, with no less than 69
candidate cryptographic schemes proposed.

In this talk, I will present one of these schemes: Falcon, a signature
scheme based on the NTRU class of structured lattices. I will focus on
mathematical aspects of Falcon: for example how we take advantage of the
algebraic structure to speed up some operations, or how relying on the
most adequate probability divergence can go a long way in getting more
efficient parameters "for free". The talk will be concluded with a few
open problems.

  • Cryptography Seminar
16 May 2018
Jon Millican

In 2016, Facebook added an optional end-to-end (E2E) encryption feature called Secret Conversations to Messenger. This was challenging to design, as many of Messenger's key properties and features don't fit the typical model of E2E apps. Additionally, Messenger is already one of the world's most popular messaging apps, supporting nearly a billion people across a variety of technical and cultural environments. Because of this, Messenger's deployment of E2E encryption provides attendees with a valuable case study on how to build usable, secure products. 

We will discuss the core properties of a typical E2E app, the core features of Messenger, the distance between the two, and the approach we took to close the gap. We'll examine how minimizing the distance shaped the current E2E experience within Messenger. Through discussion of the key decisions in this process, we'll address the implications for alternative designs with real world comparisons where they exist. 

Although Secret Conversations in Messenger use the off-the-shelf Signal Protocol for message encryption, Facebook also wanted to ensure a safe communication channel for community members who may be victims of online abuse. To this end, we created a way for people to report secret conversations that violate our Community Standards, without breaking any E2E guarantees for other messages.

Developing a reporting protocol created an interesting challenge: the potential of fake reports with no intermediary to invalidate them. To pre-empt the possibility of Bob forging a report to incriminate Alice, we added a method that uses two HMACs - one added by the sender and one by Facebook - to “cryptographically frank” messages as we forward them from one party to the other (physical mail uses a similar franking). This technique ensures similar confidence that a report is genuine as we have for messages stored in plaintext on our servers. Additionally, the frank is only verifiable by Facebook after receiving a report from the recipient, thus preventing a third party from using it as evidence against the sender.

We hope that this talk will provide an insight into the intricacies of deploying security features at scale, and the additional considerations necessary when developing an existing product.
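The two-HMAC franking flow described in this abstract, as an added illustrative model (not Messenger's code, and not the speaker's): the sender commits to the plaintext with a fresh per-message key, Facebook counter-franks the sender's tag with its own long-term key, and a report is checked by recomputing both. Key lengths, the delivery-context fields, the `|` separator and the `DeliveredMessage` / `verify_report` names are assumptions of this example; the constructed keys and messages are sample values only.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Illustrative model of the two-HMAC "cryptographic franking" described in the
# abstract. Key lengths, the context fields and the reporting format are
# assumptions of this example, not Messenger's actual wire format.


@dataclass(frozen=True)
class DeliveredMessage:
    """What the recipient holds after Facebook forwards the message.

    In the real system the plaintext and franking key travel inside the E2E
    ciphertext; Facebook sees only the sender's tag and adds its own.
    """
    plaintext: bytes
    franking_key: bytes
    sender_tag: bytes
    context: bytes       # assumed delivery metadata (sender, recipient, time)
    server_tag: bytes


def sender_frank(plaintext: bytes, franking_key: bytes) -> bytes:
    """HMAC #1 (sender): commit to the plaintext under a per-message key.

    The tag goes to Facebook in the clear; the key is only inside the E2E
    payload, so the tag alone reveals nothing about the plaintext.
    """
    return hmac.new(franking_key, plaintext, hashlib.sha256).digest()


def server_frank(server_key: bytes, sender_tag: bytes, context: bytes) -> bytes:
    """HMAC #2 (Facebook): bind the sender's tag to the delivery context.

    Facebook never sees the plaintext here; it only vouches that this tag was
    forwarded between these parties in this context.
    """
    return hmac.new(server_key, sender_tag + b"|" + context, hashlib.sha256).digest()


def deliver(server_key: bytes, plaintext: bytes, franking_key: bytes,
            context: bytes) -> DeliveredMessage:
    """Forwarding path: sender franks, Facebook counter-franks, recipient stores both."""
    sender_tag = sender_frank(plaintext, franking_key)
    server_tag = server_frank(server_key, sender_tag, context)
    return DeliveredMessage(plaintext, franking_key, sender_tag, context, server_tag)


def verify_report(server_key: bytes, report: DeliveredMessage) -> bool:
    """Facebook's check on a report; only now does it learn plaintext and key.

    Genuine iff (a) the revealed key and plaintext reproduce the sender's tag
    and (b) Facebook's own key reproduces the server tag over that sender tag
    and context. Without `server_key` nobody can run (b), which is why the
    frank is not usable as third-party evidence against the sender.
    """
    expected_sender_tag = sender_frank(report.plaintext, report.franking_key)
    if not hmac.compare_digest(expected_sender_tag, report.sender_tag):
        return False
    expected_server_tag = server_frank(server_key, report.sender_tag, report.context)
    return hmac.compare_digest(expected_server_tag, report.server_tag)


def substituted_report(genuine: DeliveredMessage, other_plaintext: bytes,
                       other_key: bytes) -> DeliveredMessage:
    """Model the failure case the abstract pre-empts: a recipient reporting a
    message the sender never sent. Any plaintext/key pair yields a valid
    sender tag, but the server tag was computed over the original tag and
    cannot be recomputed without Facebook's key, so it no longer matches.
    """
    return DeliveredMessage(
        plaintext=other_plaintext,
        franking_key=other_key,
        sender_tag=sender_frank(other_plaintext, other_key),
        context=genuine.context,
        server_tag=genuine.server_tag,
    )


if __name__ == "__main__":
    # Constructed sample values; a real deployment uses random keys.
    server_key = b"constructed-facebook-server-key"
    msg = deliver(server_key, b"hello Bob", b"k" * 32, b"alice->bob@2018-05-16")
    print("genuine report verifies:", verify_report(server_key, msg))
    print("substituted report verifies:",
          verify_report(server_key, substituted_report(msg, b"not what Alice said", b"x" * 32)))
```

The split of roles is the point: the sender's HMAC is what ties a report to the actual plaintext, and Facebook's HMAC is what ties that commitment to a delivery Facebook actually performed; dropping either one loses a property the abstract calls out.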

  • Cryptography Seminar
9 May 2018
Tibor Jager

Tight security is increasingly gaining importance in real-world
cryptography, as it allows one to choose cryptographic parameters in a way
that is supported by a security proof, without the need to sacrifice
efficiency by compensating the security loss of a reduction with larger
parameters. However, for many important cryptographic primitives,
including digital signatures and authenticated key exchange (AKE), we
are still lacking constructions that are suitable for real-world deployment.

This talk will present the first practical AKE protocol with tight
security. It allows the establishment of a key within 1 RTT in a
practical client-server setting, provides forward security, is simple
and easy to implement, and thus very suitable for practical deployment.
It is essentially the "signed Diffie-Hellman" protocol, but with an
additional message, which is crucial to achieve tight security. This
message is used to overcome a technical difficulty in constructing
tightly-secure AKE protocols.

The second important building block is a practical signature scheme with
tight security in a real-world multi-user setting with adaptive
corruptions. The scheme is based on a new way of applying the
Fiat-Shamir approach to construct tightly-secure signatures from certain
identification schemes.

For a theoretically-sound choice of parameters and a moderate number of
users and sessions, our protocol has comparable computational efficiency
to the simple signed Diffie-Hellman protocol with EC-DSA, while for
large-scale settings our protocol has even better computational
performance, at moderately increased communication complexity.

  • Cryptography Seminar
25 April 2018

There is currently a large interest in the applications of the Blockchain technology. After the well known success of the cryptocurrency Bitcoin, several other real-world applications of Blockchain technology have been proposed, often raising privacy concerns. We will discuss the potential of advanced cryptographic tools in relaxing the tension between pros and cons of this technology.

  • Cryptography Seminar
7 March 2018
Elisabeth Oswald

Side channel leakage is no longer just a concern for industries that
traditionally have a high degree of awareness and expertise in
(implementing) cryptography. With the rapid growth of security
sensitive applications in other areas, e.g. smartphones, homes, etc.,
there is a clear need for developers with little to no crypto
expertise to implement and instantiate cryptography securely on
embedded devices. In this talk, I explain what makes finding side
channel leaks challenging (in theory and in practice) and give an
update on our latest work to develop methods and tools to enable
non-domain experts to ‘get a grip’ on leakage in their

  • Cryptography Seminar
21 February 2018
Giacomo Micheli

Let n be a positive integer. In this talk we provide a recipe to 
construct full orbit sequences in the affine n-dimensional space over a 
finite field. For n=1 our construction covers the case of the
well-studied pseudorandom number generator ICG.

This is a joint work with Federico Amadio Guidi.

  • Cryptography Seminar
14 February 2018

Multivariate cryptography is one of a handful of proposals for post-quantum cryptographic schemes, i.e. cryptographic schemes that are secure also against attacks carried out with a quantum computer. Their security relies on the assumption that solving a system of multivariate (quadratic) equations over a finite field is computationally hard.

Groebner bases allow us to solve systems of polynomial equations. Therefore, one of the key questions in assessing the robustness of multivariate cryptosystems is estimating how long it takes to compute the Groebner basis of a given system of polynomial equations. 

After introducing multivariate cryptography and Groebner bases, I will present a rigorous method to estimate the complexity of computing a Groebner basis. This approach is based on techniques from commutative algebra and is joint work with Alessio Caminata (University of Barcelona).

  • Cryptography Seminar
7 February 2018
Peter Schwabe

Large parts of the cryptography in use today, key-agreement protocols and
digital signatures based on the hardness of factoring large integers or
solving the discrete-logarithm problem, are not secure against attackers
equipped with a large universal quantum computer. It is not clear when
such a large quantum computer will be built, but continuous progress by
various labs around the world suggests that it may well be less than two
decades until today's cryptography will become insecure.

To address this issue, NIST started a public competition to identify
suitable replacements for today's cryptosystems. In my talk, I will
describe two of these systems: the key-encapsulation mechanism Kyber and
the digital signature scheme Dilithium. Both schemes are based on the
hardness of solving problems in module lattices and they together form
the "Cryptographic Suite for Algebraic Lattices -- CRYSTALS".