|
DoE CRYPTODOC
DoE CRYPTODOC brings together leading European researchers in cryptography, who are pursuing their
academic or industrial career. DoE CRYPTODOC features a series of invited talks, held by distinguished postdocs, and is open likewise to PhD students and tenured researchers. Its informal style offers unique opportunity for
participants to discuss promising research directions, share experience, and foster contacts, aiming to increase collaboration and outreach within the scientific community.
Contact: Mark Manulis (Technische Universität Darmstadt, Germany)
Location: TU Darmstadt, Mornewegstr. 30, 64293 Darmstadt
List of Participants
|
|
|
Stanislav Bulygin (TU Darmstadt), Daniel Cabarcas (TU Darmstadt), Delphine Christin (TU Darmstadt), Cas Cremers (ETH Zurich),
Özgür Dagdelen (TU Darmstadt), Angelo De Caro (University of Salerno), Mohamed El Yousfi (TU Darmstadt), Pooya Farshim (TU Darmstadt),
Dario Fiore (ENS Paris), Nils Fleischhacker (TU Darmstadt), Georg Fuchsbauer (University of Bristol), Felix Günther (TU Darmstadt),
Florian Giesen (Ruhr-University Bochum), Christian Henrich (FZI Forschungszentrum Informatik), Javier Herranz (Universitat Politecnica de Catalunya),
Andreas Hülsing (TU Darmstadt), Vincenzo Iovino (University of Salerno), Tibor Jager (Karlsruhe Institute of Technology),
Franziskus Kiefer (TU Darmstadt), Florian Kohlar (Ruhr-University Bochum), Markulf Kohlweiss (Microsoft Research Cambridge),
Daniel Kraschewski (Karlsruhe Institute of Technology), Lakshmi Kuppusamy (Queensland University of Technology),
Benoit Libert (Universite catholique de Louvain), Manuel Liedel (University of Regensburg),
Mark Manulis (TU Darmstadt), Michael Naehrig (Eindhoven University of Technology), Heike Neumann (NXP Semiconductors),
Claudio Orlandi (Bar-Ilan University), Cristina Onete (TU Darmstadt), Bertram Poettering (TU Darmstadt),
Andreas Peter (TU Darmstadt), Jothi Rangasamy (Queensland University of Technology), Amir Sadr-Azodi (TU Darmstadt),
Michael Schneider (TU Darmstadt), Fatemeh Shirazi (TU Darmstadt), Claudio Soriente (Universidad Politecnica de Madrid),
Martin Stopczynski (TU Darmstadt), Viktoria Villanyi (Budapest Institute of Technology), Michael Walter (TU Darmstadt),
Dan Yamamoto (Hitachi Inc.)
|
| 09:00-09:05 |
Welcome Remarks
|
| 09:05-09:45 |
Attribute-Based Cryptography: a Survey and some (Inefficient?) Generic Constructions
Javier Herranz (Universitat Politecnica de Catalunya, Spain)
Attribute-based cryptography is an extension of the concept of identity-based cryptography which has attracted a lot of attention in the last years.
In an attribute-based cryptosystem, ciphertexts or signatures are linked to an attribute policy, so that a user is able to perform the secret task
(decrypting or signing) if and only if his attributes satisfy that policy.
In this talk we will review some of the most relevant results that have been achieved in the area of attribute-based cryptography,
as well as the problems that remain open. We will also discuss some possible relations between attribute-based cryptography and other
cryptographic primitives. Finally, we will mention some very simple constructions of attribute-based encryption schemes starting from any
(hierarchical) identity-based encryption scheme, which are in principle very inefficient, and discuss with the audience if they may be practical in some real-life application.
|
| 09:45-10:25 |
Pairings at High-Security Levels
Michael Naehrig (Eindhoven University of Technology, Netherlands)
Pairings can be used to realize many interesting cryptographic protocols. Their applications range from classical pairing-based schemes
such as identity-based encryption and short signatures to more advanced implementations of searchable encryption and non-interactive zero-knowledge proofs.
The last decade has seen a dramatic increase in the efficiency of pairing computation due to algorithmic improvements and the selection of better
pairing-friendly elliptic curves. This talk discusses parameter selection for obtaining highly efficient pairing algorithms and suggests particularly
implementation-friendly elliptic curves for realizing pairing-based protocols at high-security levels of 128 bits and beyond.
|
| 10:25-10:50 |
Break
|
| 10:50-11:30 |
Adaptively Secure Non-Interactive Threshold Cryptosystems: New Framework and Constructions
Benoit Libert (Universite Catholique de Louvain, Belgium)
In threshold cryptography, private keys are divided into n shares, each one of which is given to a different server in order to avoid single points of failure.
In the case of threshold public-key encryption, at least t out of n servers need to contribute to the decryption process.
A threshold primitive is said robust if no coalition of t malicious servers can prevent remaining honest servers from successfully completing private key operations.
So far, most practical non-interactive threshold cryptosystems, where no interactive conversation is required among decryption servers, were only proved secure against static
corruptions. In the adaptive corruption scenario (where the adversary can corrupt servers at any time, based on its complete view), all existing robust threshold encryption
schemes that also resist chosen-ciphertext attacks (CCA) require some interaction in the decryption phase.
In this work, we describe several constructions of adaptively secure, robust and fully non-interactive threshold cryptosystems with chosen-ciphertext security.
Some of these notably stem from a new framework based on hash proof systems with publicly verifiable proofs. All instantiations rely on well-studied assumptions in bilinear groups.
|
| 11:30-12:10 |
A New Approach to Practical Active-Secure Two-Party Computation
Claudio Orlandi (Bar-Ilan University, Israel)
We propose a new approach to practical two-party computation secure against an active adversary. All prior practical protocols were based on Yao's garbled circuits.
We use an OT-based approach and get efficiency via OT extension in the random oracle model. To get a practical protocol we introduce a number of novel techniques
for relating the outputs and inputs of OTs in a larger construction.
We also report on an implementation of this approach, that shows that our protocol is more efficient than any previous one:
For big enough circuits, we can evaluate more than 20000 Boolean gates per second. As an example, evaluating one oblivious
AES encryption (~ 34000 gates) takes 64 seconds, but when repeating the task 27 times it only takes less than 3 seconds per instance.
This is joint work with J. Nielsen, P. Nordholt and S. Sheshank. A draft of the paper can be found here.
|
| 12:10-12:50 |
Commuting Signatures and Verifiable Encryption
Georg Fuchsbauer (University of Bristol, United Kingdom)
Verifiable encryption allows to encrypt a signature while preserving its public verifiability.
We introduce a new primitive called commuting signatures and verifiable encryption that extends this in multiple ways,
such as enabling one to encrypt both a signature and a message and prove validity. Moreover, given an encryption of a message,
a signer can create a verifiably encrypted signature on the (unknown) message, which looks as though the plaintext was signed and then the
message and the signature were verifiably encrypted; thus, signing and encrypting commute. Our instantiation is based
on automorphic signatures and the Groth-Sahai proof system, of which we prove a series of properties, such as the proofs being
homomorphic with respect to the statements.
As an application, we give the first instantiation of delegatable anonymous credentials providing non-interactive (and
thus concurrently secure) issuing and delegation protocols, which is standard for non-anonymous credentials. Moreover, the size of our
credentials and the cost of verification are less than half of those of the previous instantiation, and efficiency of issuing and delegation is increased even more significantly.
|
| 12:50-14:50 |
Chat & Lunch
|
| 14:50-15:30 |
Adaptive Pseudo-Free Groups and Applications
Dario Fiore (ENS Paris, France)
A computational group is pseudo-free if an adversary cannot find solutions in this group for equations that are not trivially solvable in the free group.
This notion was put forth by Rivest at TCC 2004 as a unifying abstraction of multiple group-related hardness assumptions commonly used in cryptography.
Rivest's conjecture that the RSA group is pseudo-free had been settled by Micciancio for the case of RSA moduli that are the product of two safe primes.
This result holds for a static setting where the adversary is only given the description of the group (together with a set of randomly chosen generators)
and has to come up with the equation and the solution.
In this paper we explore a powerful extension of the notion of pseudo-freeness.
We identify, motivate, and study pseudo-freeness in face of adaptive adversaries who may learn solutions to other non-trivial equations before having to solve a new non-trivial equation.
We present a novel, carefully crafted definition of adaptive pseudo-freeness that walks a fine line between being too weak and being unsatisfiable.
We show that groups that satisfy our definition yield, via a generic construction, digital and network coding signature schemes.
Finally, we obtain concrete constructions of such schemes in the RSA group by showing this group to be adaptive pseudo-free. In particular, we demonstrate the generality of our framework for signatures by showing that most
existing schemes are instantiations of our generic construction.
This is a joint work with Dario Catalano and Bogdan Warinschi.
An extended abstract appears in the proceedings of Eurocrypt 2011.
A preliminary full version is available here.
|
| 15:30-16:10 |
Protocol Security in the Presence of
Compromising Adversaries
Cas Cremers (ETH Zurich, Switzerland)
Many recent advances in formal analysis of security protocols have extended the scope and precision of these models and the corresponding tools.
However, the underlying adversary model has remained close to the original Dolev-Yao setting, where the adversary fully controls the network and can statically
corrupt selected parties. In contrast, security models for AKE protocols have become stronger over time, giving the adversary more and more control over parties,
ranging from dynamic corruption to compromise of the local state of parties and revealing the random numbers they generate.
In this talk, we highlight some of our recent contributions to closing this gap, by extending the formal models as well as the corresponding tool support.
|
| 16:10-16:40 |
Break
|
| 16:40-17:20 |
Modular Code-Based Cryptographic Verification
Markulf Kohlweiss (Microsoft Research Cambridge, United Kingdom)
Type systems are effective tools for verifying the security of cryptographic programs.
They provide automation, modularity and scalability, and have been applied to large security protocols.
However, they traditionally rely on abstract assumptions on the underlying cryptographic primitives, expressed in symbolic models.
Cryptographers usually reason on security assumptions using lower level, computational models that precisely account for the complexity
and success probability of attacks. These models are more realistic, but they are harder to formalize and automate.
We present the first modular automated program verification method based on standard cryptographic assumptions and a general-purpose refinement typed language.
Concretely, we show how to verify ideal functionalities and protocols written in ML by typing them against new cryptographic interfaces using F7, a refinement type checker coupled with an Z3, an SMT-solver.
We develop a probabilistic core calculus for F7 and formalize its type safety in Coq. We build typed module and interfaces for MACs, signatures, and encryptions, and establish
their authenticity and secrecy properties. We relate their ideal functionalities and concrete implementations, using game-based program transformations behind typed interfaces.
We illustrate our method on a series of protocol implementations. More information is available here.
|
| 17:20-18:00 |
Participatory Privacy: Enabling Privacy in Participatory Sensing
Claudio Soriente (Universidad Politecnica de Madrid, Spain)
Participatory Sensing is an emerging computing paradigm that enables the distributed collection of data by self-selected participants.
It allows the increasing number of mobile phone users to share local knowledge, acquired by their sensor-equipped devices, e.g., to monitor temperature, pollution level,
consumer pricing information, etc. Despite the initial surge in research initiatives and prototypes, the real-world impact of Participatory Sensing is tied to pervasive user participation.
If users have no incentive or feel that their privacy might be endangered, it is likely that they will not participate, thus, the benefit of large user involvement will be lost.
In this talk, we focus on privacy issues in Participatory Sensing and review a simple privacy-enhanced infrastructure proposed at ACM WiSec'11.
We provide a set of clear definitions geared to protecting the privacy of both data producers (i.e., users providing sensed information) and consumers (i.e., applications accessing the data).
We also outline an efficient solution that incurs very low overhead on mobile phones.
Finally, we discuss a number of open problems and possible research directions.
|
|