Paris Crypto Day A full day of cryptography talks in the Paris area. https://pariscryptoday.github.io/ Thu, 13 Jun 2019 12:19:55 +0000 June 21 @ ENS <p>The next Paris Area Crypto Day will be held on 21.06.19 (Fri) at ENS, co-located with <a href="https://quefaire.paris.fr/40919/fete-de-la-musique">Fête de la Musique</a>.</p> <ul> <li><a href="#Access">Amphi Rataud</a>, ENS, 45 rue d’Ulm</li> <li>Please <a href="https://docs.google.com/forms/d/e/1FAIpQLSdU9SDqLdHWnDRSyj-AKfPzGAsiwA9Ih_1sne8J3RXFDsAWLA/viewform">register</a> (free). Deadline 17.06.19</li> </ul> <h3 id="tentative-program">Tentative Program</h3> <table> <tbody> <tr> <td>09:55–10:00</td> <td>Welcome</td> </tr> <tr> <td>10:00–11:00</td> <td>Jean Paul Degabriele: <a href="#JP">The Security of Onion Encryption in Tor</a></td> </tr> <tr> <td>11:00–12:00</td> <td>Joël Alwen: <a href="#JA">2-Party Secure Messaging for Unreliable Channels</a></td> </tr> <tr> <td>12:00–14:00</td> <td>Lunch</td> </tr> <tr> <td>14:00–14:30</td> <td>Aisling Connolly: <a href="#AC">Freedom of Encryption</a></td> </tr> <tr> <td>14:30–15:00</td> <td>Ward Beullens: <a href="#WB">On Sigma Protocols with Helper for MQ and PKP, Fishy Signature Schemes and More</a></td> </tr> <tr> <td>15:00–15:30</td> <td>Rotem Tsabary: <a href="#RT">Degree 2 is Complete for the Round Complexity of Malicious MPC</a></td> </tr> <tr> <td>15:30–16:00</td> <td>Coffee Break</td> </tr> <tr> <td>16:00–17:00</td> <td>Hoeteck Wee: <a href="#HW">Encrypted Computation from Lattices</a></td> </tr> </tbody> </table> <!-- * [Joël Alwen](#JA) (Wickr) * [Ward Beullens](#WB) (KU Leuven) * [Aisling Connolly](#AC) (ENS) * [Jean Paul Degabriele](#JP) (TU Darmstadt) * [Rotem Tsabary](#RT) (Weizmann) * [Hoeteck Wee](#HW) (CNRS/ENS/PSL) --> <p><strong>Organizers.</strong> Michel Abdalla, Georg Fuchsbauer and Hoeteck Wee (<a href="https://crypto.di.ens.fr/web2py">ENS</a>)</p> <p><strong>Acknowledgements.</strong> ERC <a 
href="http://www.di.ens.fr/~pointche/CryptoCloud/">CryptoCloud</a>, <a href="http://cordis.europa.eu/project/rcn/193658_en.html">aSCEND</a> and <a href="https://www.di.ens.fr/~fuchsbau/eftrec.html">EfTrEC</a></p> <hr /> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="JP"></a>The Security of Onion Encryption in Tor</strong><br /> <em>Jean Paul Degabriele (TU Darmstadt)</em></p> <p>Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher. We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261’s relay protocol is circuit hiding and thus resistant against tagging attacks. <br /><br /></p> <p><strong><a name="JA"></a>2-Party Secure Messaging for Unreliable Channels</strong><br /> <em>Joël Alwen (Wickr)</em></p> <p>Double Ratchet (DR) based protocols have rapidly become the world’s dominant 2-party secure messaging (2SM) paradigm. 
Yet, despite the paradigm’s widespread adoption in the wild, our cryptographic understanding of it is still evolving.</p> <p>In this talk, we’ll look at the recent results of Alwen, Coretti and Dodis at Eurocrypt 2019, which focus on building 2SM protocols using the DR paradigm with the explicit goal of obtaining robust, simple and efficient protocols for use in the real world yet provably exhibiting very strong security properties.</p> <p>We first look at their new security notion for 2SM. The definition captures (in a clean, intuitive and yet succinct game) both the desired functionality of 2SM, as well as the security properties of Forward Secrecy, Authenticity, Post-Compromise Security and “Resilience to Adversarially Chosen Randomness”. In an effort to further reduce the assumptions about an underlying network’s behavior, the new 2SM definition is also the first to capture the intuitive goal of “Immediate Decryption”; namely that any honestly generated ciphertext can be decrypted immediately upon delivery by the receiver. As this property must hold regardless of the order in which ciphertexts are delivered (and even when arbitrary previous protocol packets were outright dropped), constructions enjoying Immediate Decryption will be far more resilient when used over unreliable transports. This stands in stark contrast to almost all 2SMs that have been proposed thus far as improvements over the original DR protocol still being used in practice. In fact, essentially all stronger security notions for 2SMs proposed in those works seem to fundamentally contradict supporting Immediate Decryption. Now, while it is easy to imagine practical settings that require these stronger security notions and/or where the reliability of the underlying transport can be guaranteed, we observe that, to the best of our knowledge, essentially <em>all</em> 2SM protocols actually deployed in practice do indeed support Immediate Decryption. 
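As an added illustration of what Immediate Decryption costs and buys (this is an editor's example, not code from the talk or from the Alwen, Coretti and Dodis paper), the following stdlib-only Python sketch implements the symmetric-key half of a DR-style chain. The receiver ratchets forward to the index in the packet header, caches the message keys for indices it has not yet seen, and erases each key once its ciphertext authenticates, so a packet that arrives late or after earlier packets were dropped decrypts on arrival, while a replay finds its key already gone. The HMAC-SHA256 key schedule, the toy encrypt-then-MAC cipher, the `MAX_SKIP` bound and the root key and messages are this example's own assumptions, constructed inline.

```python
"""Toy symmetric ratchet with Immediate Decryption (added example, not the paper's scheme).

Assumptions made here: HMAC-SHA256 as the chain KDF, a one-time-pad-plus-HMAC cipher under
each message key, and MAX_SKIP as the cap on cached keys (bounds memory and the
forward-secrecy exposure that caching undelivered keys creates).
"""
import hmac
import hashlib
from typing import Dict, Tuple

TAG_LEN = 32
MAX_SKIP = 1000


def kdf_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One ratchet step: returns (next chain key, message key); the old chain key is dropped."""
    next_ck = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_ck, msg_key


def _subkeys(msg_key: bytes) -> Tuple[bytes, bytes]:
    """Domain-separate a message key into an encryption key and a MAC key."""
    return (hmac.new(msg_key, b"enc", hashlib.sha256).digest(),
            hmac.new(msg_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, index: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, bound to the message index."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, index.to_bytes(8, "big") + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(msg_key: bytes, index: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the header index is authenticated as associated data."""
    enc_key, mac_key = _subkeys(msg_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, index, len(plaintext))))
    tag = hmac.new(mac_key, index.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(msg_key: bytes, index: int, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(msg_key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, index.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, index, len(ct))))


class Sender:
    def __init__(self, root_key: bytes) -> None:
        self.chain_key, self.next_index = root_key, 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.chain_key, msg_key = kdf_step(self.chain_key)
        index, self.next_index = self.next_index, self.next_index + 1
        return index, seal(msg_key, index, plaintext)  # header = message index


class Receiver:
    def __init__(self, root_key: bytes) -> None:
        self.chain_key, self.next_index = root_key, 0
        self.skipped: Dict[int, bytes] = {}  # message keys for indices not yet delivered

    def receive(self, index: int, blob: bytes) -> bytes:
        if index in self.skipped:                       # late packet: key was cached
            plaintext = unseal(self.skipped[index], index, blob)
            del self.skipped[index]                     # erase only after it authenticated
            return plaintext
        if index < self.next_index:
            raise ValueError("key already erased (replay or duplicate)")  # forward secrecy
        if index - self.next_index > MAX_SKIP:
            raise ValueError("too many skipped messages")
        # Ratchet forward on local copies and commit only if the packet authenticates,
        # so a forged header cannot advance or desynchronise the receiver's chain.
        chain_key, new_skipped = self.chain_key, {}
        for i in range(self.next_index, index):         # packets in between: dropped or delayed
            chain_key, new_skipped[i] = kdf_step(chain_key)
        chain_key, msg_key = kdf_step(chain_key)
        plaintext = unseal(msg_key, index, blob)
        self.chain_key, self.next_index = chain_key, index + 1
        self.skipped.update(new_skipped)
        return plaintext


def demo() -> dict:
    """Four messages; the network delivers 2, 0, 3, then a replay, a forgery, and late packet 1."""
    root_key = b"\x11" * 32  # constructed shared root key
    alice, bob = Sender(root_key), Receiver(root_key)
    packets = [alice.send(m) for m in (b"m0", b"m1", b"m2", b"m3")]
    delivered = {i: bob.receive(*packets[i]) for i in (2, 0, 3)}  # out of order, 1 missing
    try:
        bob.receive(*packets[0]); replay_rejected = False
    except ValueError:
        replay_rejected = True
    index, blob = packets[1]
    try:
        bob.receive(index, bytes([blob[0] ^ 1]) + blob[1:]); forgery_rejected = False
    except ValueError:
        forgery_rejected = True                          # cached key for 1 survives the forgery
    late_ok = bob.receive(*packets[1]) == b"m1"
    return {"delivered": delivered, "replay_rejected": replay_rejected,
            "forgery_rejected": forgery_rejected, "late_ok": late_ok,
            "cached_keys": sorted(bob.skipped)}


if __name__ == "__main__":
    print(demo())
```

Two design points the abstract alludes to are visible here: the cached keys in `skipped` are exactly the forward-secrecy price of Immediate Decryption (a compromise of the receiver's state exposes them until the late packets arrive), and the receiver must not ratchet or erase anything until the packet authenticates, otherwise an on-path attacker can desynchronise or deny service with forged headers.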
We believe this shows that, often, in practice the added robustness afforded by Immediate Decryption outweighs the value of achieving yet stronger security properties.</p> <p>Armed with the new security notion, we will take a new look at the DR design paradigm. In particular:</p> <ul> <li>We describe a modular construction of a DR-based 2SM (and prove its security). For this we use three significantly simpler black-box primitives. In particular, we believe that this approach not only “explains” a wide class of 2SM protocols but that it will also generalize well to the (much more challenging and poorly understood) group secure messaging setting.</li> <li>We provide constructions of each of the three primitives based on a variety of number-theoretic and black-box primitives. In particular, we obtain: 1) the original DR protocol as used in practice, resulting in a new security proof for a 2SM currently used by over 1 billion people; 2) the first provably PQ-secure 2SM; 3) a new highly efficient 2SM with stronger security properties than anything used in practice (yet still enjoying Immediate Decryption).</li> </ul> <p>Finally, we extend the modular construction to include basic public-key primitives. Using this, we obtain a yet more secure 2SM, albeit at a moderate cost in efficiency. <br /><br /></p> <p><strong><a name="AC"></a>Freedom of Encryption</strong><br /> <em>Aisling Connolly (ENS)</em></p> <p>Legislation surrounding digital privacy has seen quite an upheaval in recent years. The introduction of the General Data Protection Regulation (GDPR) in the EU, and new resolutions within the United Nations Human Rights Council (UNHRC), have recognized the urgency to include recommendations on the use of encryption to protect the digital identities of citizens. In this work, we meander through the main events in history which have shaped the legislative landscape that encompasses the use of encryption, paying particular attention to recent (post-Snowden) developments. 
<br /><br /></p> <p><strong><a name="WB"></a>On Sigma Protocols with Helper for MQ and PKP, Fishy Signature Schemes and More</strong><br /> <em>Ward Beullens (KU Leuven)</em></p> <p>This work presents two sigma protocols with helper to prove knowledge of:</p> <ul> <li>A solution to a system of quadratic polynomials</li> <li>A solution to an instance of the Permuted Kernel Problem</li> </ul> <p>We then remove the helper from the protocol with a “cut-and-choose” protocol and we apply the Fiat-Shamir transform to obtain signature schemes with security proof in the QROM. We show that the resulting signature schemes, which we call the “MUltivariate quaDratic FIat-SHamir” scheme (MUDFISH) and the “ShUffled Solution to Homogeneous linear SYstem FIat-SHamir” scheme (SUSHSYFISH), are more efficient than existing signatures based on the MQ problem and the Permuted Kernel Problem. We also leverage the ZK-proof for PKP to improve the efficiency of Stern-like Zero Knowledge proofs for lattice statements. <br /><br /></p> <p><strong><a name="RT"></a>Degree 2 is Complete for the Round Complexity of Malicious MPC</strong><br /> <em>Rotem Tsabary (Weizmann)</em></p> <p>We show, via a non-interactive reduction, that the existence of a secure multi-party computation (MPC) protocol for degree-2 functions implies the existence of a protocol with the same round complexity for general functions. This shows that when considering the round complexity of MPC, it is sufficient to consider very simple functions.</p> <p>Our completeness theorem applies in various settings: information theoretic and computational, fully malicious and malicious with various types of aborts. In fact, we give a master theorem from which all individual settings follow as direct corollaries. 
Our basic transformation does not require any additional assumptions and incurs communication and computation blow-up which is polynomial in the number of players and in S, 2^D, where S,D are the circuit size and depth of the function to be computed. Using one-way functions as an additional assumption, the exponential dependence on the depth can be removed.</p> <p>As a consequence, we are able to push the envelope on the state of the art in various settings of MPC, including the following cases.</p> <ul> <li>3-round perfectly-secure protocol (with guaranteed output delivery) against an active adversary that corrupts less than a quarter of the parties.</li> <li>2-round statistically-secure protocol that achieves security with “selective abort” against an active adversary that corrupts less than half of the parties.</li> <li>Assuming one-way functions, 2-round computationally-secure protocol that achieves security with (standard) abort against an active adversary that corrupts less than half of the parties. 
<br /><br /></li> </ul> <p><strong><a name="HW"></a>Encrypted Computation from Lattices</strong><br /> <em>Hoeteck Wee (CNRS/ENS/PSL)</em></p> <p>In this talk, we will survey three cryptographic notions of enabling computation over encrypted data – attribute-based encryption, fully homomorphic encryption, and laconic functional evaluation – as well as their instantiations from lattices.<br /><br /></p> <h3 id="venue">Venue</h3> <p><a name="Access"></a>45 rue d’Ulm, 75005 Paris, Amphi Rataud: level -1 in the building labeled “Bibliothèque” <br /><br /> <img src="https://www.di.ens.fr/static/img/Map_DIENS.jpg" width="75%" height="75%" /></p> Sat, 01 Jun 2019 10:10:00 +0000 https://pariscryptoday.github.io/tenth.html Mar 18 @ ENS <p>The next Paris Area Crypto Day will be held on 18.03.2019 (Mon) at ENS.</p> <ul> <li>Amphi Jaurès, ENS (29 rue d’Ulm, level B1)</li> <li>Please <a href="https://docs.google.com/forms/d/1N_h57pxPSZmjYiCN5lPUz8XHWGMzZ5Qqnbo97NddhrQ/viewform">register</a> (free). 
Deadline 12.03.2019</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td>10:00 - 10:05</td> <td>Welcome</td> </tr> <tr> <td>10:05 - 10:50</td> <td><a href="#SA">Shweta Agrawal</a> Mathematical Assumptions Underlying Code Obfuscation</td> </tr> <tr> <td>11:00 - 11:45</td> <td><a href="#DH">Dennis Hofheinz</a> Tight Security (<a href="../DennisHofheinz.pdf">slides</a>)</td> </tr> <tr> <td>12:00 - 14:00</td> <td>Lunch</td> </tr> <tr> <td>14:00 - 14:45</td> <td><a href="#DF">Dario Fiore</a> Homomorphic Authentication for Computing Securely on Untrusted Machines (<a href="../DarioFiore.pdf">slides</a>)</td> </tr> <tr> <td>15:00 - 15:45</td> <td><a href="#TL">Tancrède Lepoint</a> Cryptographic Suite for Algebraic Lattices</td> </tr> </tbody> </table> <p><strong>Organizers.</strong> Michel Abdalla, Georg Fuchsbauer, and Hoeteck Wee (<a href="https://crypto.di.ens.fr/web2py">ENS</a>)</p> <p><strong>Acknowledgements.</strong> ERC <a href="http://www.di.ens.fr/~pointche/CryptoCloud/">CryptoCloud</a> and <a href="http://cordis.europa.eu/project/rcn/193658_en.html">aSCEND</a></p> <hr /> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="SA"></a>Mathematical Assumptions Underlying Code Obfuscation</strong><br /> <em>Shweta Agrawal</em> (IIT Madras)</p> <p>In recent times, there has been significant interest in constructing the cryptographic primitive of “indistinguishability obfuscation”. Standard cryptographic hardness assumptions appear insufficient for this task, and we now have a variety of new mathematical conjectures to fill the gap. 
I will define the notion of indistinguishability obfuscation, briefly describe its importance and discuss the new mathematical conjectures, hard distributions, known attacks and open problems.</p> <p><strong><a name="DH"></a>Tight security</strong><br /> <em>Dennis Hofheinz</em> (KIT)</p> <p>A cryptographic building block (such as an encryption or signature scheme) is called tightly secure if its security reduction is tight, i.e., if its reduction connects security and underlying assumption in a quantitatively close way, even in a multi-instance/multi-use scenario. In particular, the security of a tightly secure scheme should not degrade in the number of instances or uses of that scheme. This property is beneficial in particular in scenarios in which it is not clear a priori how many instances of that scheme are used.</p> <p>In this talk, we survey recent results to achieve tight security, with a focus on encryption schemes. We explain the intrinsic difficulty to achieve tight security (e.g., for chosen-ciphertext secure encryption or signatures), and also showcase techniques to overcome this difficulty.</p> <p><strong><a name="DF"></a>Homomorphic Authentication for Computing Securely on Untrusted Machines</strong><br /> <em>Dario Fiore</em> (IMDEA)</p> <p>Due to phenomena like the ubiquity of the Internet and cloud computing, it is increasingly common to store and process data on third-party machines. In spite of its attractive aspects, this trend raises a number of security concerns, including: how to ensure that the results computed by third parties are correct (integrity) and no unauthorized information is leaked (privacy)? This talk focuses on cryptographic solutions for integrity, and more specifically on the notion of homomorphic authentication. 
It presents this notion, gives an overview of the state of the art in this area, and covers some of the recent efficient constructions.</p> <p><strong><a name="TL"></a>Cryptographic Suite for Algebraic Lattices</strong><br /> <em>Tancrède Lepoint</em> (Google)</p> <p>In this talk, I introduce CRYSTALS — Cryptographic Suite for Algebraic Lattices —, a cryptographic suite composed of a CCA-secure KEM and a digital signature based on module lattices and designed in collaboration with Joppe Bos, Léo Ducas, Eike Kiltz, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé in 2017. CRYSTALS is designed to enable ease of implementation and modularity in security by using module lattices and well established cryptographic assumptions. Module lattices not only enable simple implementations (the core operation, a polynomial multiplication, has only to be implemented in dimension 256), but enable extremely simple scaling up and down of the security without the need to reimplement anything.</p> <p>In January 2019, the algorithms in CRYSTALS were selected for the second round of the NIST post-quantum standardization effort; I’ll report on performances and second round tweaks.</p> Sat, 16 Mar 2019 10:10:10 +0000 https://pariscryptoday.github.io/ninth.html Oct 25 @ ENS <p>The next Paris Area Crypto Day will be held on 25.10.2018 (Thu) at ENS.</p> <ul> <li>Amphi Jaurès, ENS (29 rue d’Ulm, level B1)</li> <li>Please <a href="https://docs.google.com/forms/d/e/1FAIpQLSeop24A0asJvd73HvUH8zTDorfzPOpswA_pfcyVxc2zkctoMg/viewform">register</a> (free). 
Deadline 23.10.2018</li> </ul> <h3 id="tentative-program">Tentative Program</h3> <table> <tbody> <tr> <td>10:00 - 10:05</td> <td>Welcome</td> </tr> <tr> <td>10:05 - 11:05</td> <td><a href="#SM">Sarah Meiklejohn</a>: Anonymity in Cryptocurrencies</td> </tr> <tr> <td>11:15 - 11:45</td> <td><a href="#MaMa">Mary Maller</a>: Updatable and Universal Common Reference Strings with Applications to zk-SNARKs</td> </tr> <tr> <td>11:45 - 12:15</td> <td><a href="#JL">Julian Loss</a>: The Algebraic Group Model and its Applications</td> </tr> <tr> <td>12:15 - 14:15</td> <td>Lunch</td> </tr> <tr> <td>14:15 - 15:15</td> <td><a href="#BS">Benjamin Smith</a>: Post-quantum Diffie–Hellman: Caveat Emptor</td> </tr> <tr> <td>15:15 - 15:45</td> <td><a href="#MiMi">Michele Minelli</a>: Fast Homomorphic Evaluation of Deep Discretized Neural Networks</td> </tr> <tr> <td>15:45 - 16:15</td> <td>Coffee Break</td> </tr> <tr> <td>16:15 - 17:15</td> <td><a href="#AO">Adam O’Neill</a>: Towards RSA-OAEP without Random Oracles</td> </tr> </tbody> </table> <p><strong>Organizers.</strong> Michel Abdalla, Georg Fuchsbauer, and Hoeteck Wee (<a href="https://crypto.di.ens.fr/web2py">ENS</a>)</p> <p><strong>Acknowledgements.</strong> ERC <a href="http://www.di.ens.fr/~pointche/CryptoCloud/">CryptoCloud</a> and <a href="http://cordis.europa.eu/project/rcn/193658_en.html">aSCEND</a></p> <hr /> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="SM"></a>Anonymity in Cryptocurrencies</strong> <em>Sarah Meiklejohn</em> (UCL)</p> <p>A long line of recent research has demonstrated that existing cryptocurrencies often do not achieve the level of anonymity that users might expect they do, while at the same time another line of research has worked to increase the level of anonymity by adding new features to existing cryptocurrencies or creating entirely new cryptocurrencies. 
This talk will explore both of these lines of research, briefly demonstrating de-anonymization attacks but focusing primarily on techniques for anonymity that achieve provably secure guarantees.</p> <p><strong><a name="MaMa"></a>Updatable and Universal Common Reference Strings with Applications to zk-SNARKs</strong> <em>Mary Maller</em> (UCL)</p> <p>By design, existing (pre-processing) zk-SNARKs embed a secret trapdoor in a relation-dependent common reference string (CRS). The trapdoor is exploited by a (hypothetical) simulator to prove the scheme is zero knowledge, and the secret-dependent structure facilitates a linear-size CRS and linear-time prover computation. If known by a real party, however, the trapdoor can be used to subvert the security of the system. The structured CRS that makes zk-SNARKs practical also makes deploying zk-SNARKs problematic, as it is difficult to argue why the trapdoor would not be available to the entity responsible for generating the CRS. Moreover, for pre-processing zk-SNARKs a new trusted CRS needs to be computed every time the relation is changed.</p> <p>In this paper, we address both issues by proposing a model where a number of users can update a universal CRS. The updatable CRS model guarantees security if at least one of the users updating the CRS is honest. We provide both a negative result, by showing that zk-SNARKs with private secret-dependent polynomials in the CRS cannot be updatable, and a positive result by constructing a zk-SNARK based on a CRS consisting only of secret-dependent monomials. 
The CRS is of quadratic size, is updatable, and is universal in the sense that it can be specialized into one or more relation-dependent CRS of linear size with linear-time prover computation.</p> <p>(Joint work with Jens Groth, Markulf Kohlweiss, Sarah Meiklejohn and Ian Miers)</p> <p><strong><a name="JL"></a>The Algebraic Group Model and its Applications</strong> <em>Julian Loss</em> (RUB)</p> <p>One of the most important and successful tools for assessing hardness assumptions in cryptography is the Generic Group Model (GGM). Over the past two decades, numerous assumptions and protocols have been analyzed within this model. While a proof in the GGM can certainly provide some measure of confidence in an assumption, its scope is rather limited since it does not capture group-specific algorithms that make use of the representation of the group.</p> <p>To overcome this limitation, we propose the Algebraic Group Model (AGM), a model that lies in between the Standard Model and the GGM. It is the first restricted model of computation covering group-specific algorithms yet allowing to derive simple and meaningful security statements.<br /> To prove its usefulness, we show that several important assumptions, among them the Computational Diffie-Hellman, the Strong Diffie-Hellman, and the interactive LRSW assumptions, are equivalent to the Discrete Logarithm (DLog) assumption in the AGM. On the more practical side, we prove tight security reductions for two important schemes in the AGM to DLog or a variant thereof: the BLS signature scheme and Groth’s zero-knowledge SNARK (EUROCRYPT 2016), which is the most efficient SNARK for which only a proof in the GGM was known. 
Our proofs are quite simple and therefore less prone to subtle errors than those in the GGM.</p> <p>Moreover, in combination with known lower bounds on the Discrete Logarithm assumption in the GGM, our results can be used to derive lower bounds for all the above-mentioned results in the GGM.</p> <p>(Joint work with Georg Fuchsbauer and Eike Kiltz)</p> <p><strong><a name="BS"></a>Post-quantum Diffie–Hellman: Caveat Emptor</strong> <em>Benjamin Smith</em> (INRIA/LIX)</p> <p>In the mad dash towards post-quantum crypto, it is often overlooked that it has been surprisingly hard to find a practical drop-in replacement for Diffie–Hellman key exchange (as opposed to post-quantum KEMs for key establishment). Recent work revisiting an old isogeny-based primitive due to Couveignes, Rostovtsev, and Stolbunov has given some very useful results in this direction: practical post-quantum Diffie–Hellman is now in reach, especially with the new CSIDH proposal. These key exchanges, based on isogenies of elliptic curves with commutative endomorphism rings, have a clear superficial resemblance to classical Diffie–Hellman; but the deeper we look, the further their properties diverge from the common intuitions for Diffie–Hellman-based cryptosystems that we have developed over the last four decades. In this talk we will compare and contrast pre- and post-quantum Diffie–Hellman algorithms and their applications, highlighting some important subtleties and distinctions.</p> <p><strong><a name="MiMi"></a>Fast Homomorphic Evaluation of Deep Discretized Neural Networks</strong> <em>Michele Minelli</em> (ENS)</p> <p>The rise of machine learning as a service multiplies scenarios where one faces a privacy dilemma: either sensitive user data must be revealed to the entity that evaluates the cognitive model (e.g., in the Cloud), or the model itself must be revealed to the user so that the evaluation can take place locally. 
Fully Homomorphic Encryption (FHE) offers an elegant way to reconcile these conflicting interests in the Cloud-based scenario and also preserve non-interactivity. However, due to the inefficiency of existing FHE schemes, most applications prefer to use Somewhat Homomorphic Encryption (SHE), where the complexity of the computation to be performed has to be known in advance, and the efficiency of the scheme depends on this global complexity.</p> <p>In this paper, we present a new framework for homomorphic evaluation of neural networks, that we call FHE-DiNN, whose complexity is strictly linear in the depth of the network and whose parameters can be set beforehand. To obtain this scale-invariance property, we rely heavily on the bootstrapping procedure. We refine the recent FHE construction by Chillotti et al. (ASIACRYPT 2016) in order to increase the message space and apply the sign function (that we use to activate the neurons in the network) during the bootstrapping. We derive some empirical results, using the TFHE library as a starting point, and classify encrypted images from the MNIST dataset with more than 96% accuracy in less than 1.7 seconds.</p> <p>Finally, as a side contribution, we analyze and introduce some variations to the bootstrapping technique of Chillotti et al. that offer an improvement in efficiency at the cost of increasing the storage requirements.</p> <p>(Joint work with Florian Bourse, Matthias Minihold and Pascal Paillier)</p> <p><strong><a name="AO"></a>Towards RSA-OAEP without Random Oracles</strong> <em>Adam O’Neill</em> (Georgetown)</p> <p>We give the first positive results about instantiability of the widely implemented and standardized RSA-OAEP encryption scheme of Bellare and Rogaway (EUROCRYPT 1994) and variants <em>under chosen-ciphertext attack</em>. 
Recall that RSA-OAEP adds redundancy and randomness to a message before composing two rounds of an underlying Feistel transform, whose round functions are modeled as random oracles (ROs), with RSA. First, we show that either of the two oracles (while still modeling the other as a RO) can be instantiated in RSA-OAEP under IND-CCA2 using mild standard model assumptions. Surprisingly, ours are the first “partial instantiation” results for RSA-OAEP. We obtain them by exploiting (generalizations of) algebraic properties of RSA proven by Barthe, Pointcheval, and Béguelin (CCS 2012). Second, we show that both oracles can be instantiated simultaneously for two variants of RSA-OAEP, called “t-clear” and “s-clear” RSA-OAEP. In particular, we are the first to consider s-clear RSA-OAEP, and our result for it yields the most efficient RSA-based IND-CCA2 secure scheme (under plausible assumptions) in the standard model to date. We obtain it by leveraging a new hierarchy of extractability-style assumptions in the sense of Canetti and Dakdouk (TCC 2010) on the round functions, as well as novel yet plausible assumptions on RSA.</p> <p>(Joint work with Nairen Cao and Mohammad Zaheri)</p> Mon, 01 Oct 2018 10:10:00 +0000 https://pariscryptoday.github.io/eighth.html June 14 @ ENS <p>The next Paris Area Crypto Day will be held on 14.06.2018 (Thu) at ENS.</p> <ul> <li>Amphi Jaurès, ENS (29 rue d’Ulm, level B1)</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td>14:30 - 15:30</td> <td><a href="#DB">Dan Boneh</a> Cryptography for crypto currencies</td> </tr> </tbody> </table> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="DB"></a>Cryptography for crypto currencies</strong><br /> <em><a href="http://crypto.stanford.edu/~dabo/">Dan Boneh</a></em> (Stanford)</p> <p>Cryptocurrencies raise many new questions in cryptography, including in the area of digital signatures. 
In this talk we will describe recent progress on signatures, aggregate signatures, and multi-signatures that is motivated by their use in cryptocurrencies. These new constructions show how modern signatures can significantly shrink the size of the blockchain.</p> <p>This is joint work with Manu Drijvers and Gregory Neven.</p> Mon, 04 Jun 2018 10:10:00 +0000 https://pariscryptoday.github.io/seventh.html Nov 30 @ ENS <p>The sixth Paris Area Crypto Day will be held on 30.11.2017 (Thu) at ENS.</p> <ul> <li><a href="http://www.ens.fr/IMG/pdf/Plan_45ULM_RDC.pdf">Salle Celan</a>, ENS</li> <li>Please <a href="https://docs.google.com/forms/d/1S-31XgG6q7iFgNBcOhWh8nSJxij-_VivJfxv4bvscag/viewform">register</a> (free). Deadline 27.11.2017</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td>13:30 - 14:30</td> <td><a href="#YI">Yuval Ishai</a> Secure Arithmetic Computation with Constant Computational Overhead</td> </tr> <tr> <td>14:40 - 15:40</td> <td><a href="#JG">Jens Groth</a> Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability</td> </tr> <tr> <td>15:45 - 16:30</td> <td>Coffee &amp; Snacks @ S16, ENS</td> </tr> </tbody> </table> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="YI"></a>Secure Arithmetic Computation with Constant Computational Overhead</strong><br /> <em><a href="http://www.cs.technion.ac.il/~yuvali/">Yuval Ishai</a></em> (Technion)</p> <p>Motivated by the goal of efficient secure computations on sensitive numerical data, we present a protocol for securely computing arithmetic circuits that requires only a constant (amortized) number of arithmetic operations per gate. This applies to the model of security against passive (or “semi-honest”) adversaries. Our protocol is based on new cryptographic assumptions that can be viewed as natural arithmetic analogues of well studied assumptions. 
Beyond the asymptotic result, a key building block in our protocol can yield concrete efficiency improvements for natural secure computation tasks.</p> <p>Joint work with Benny Applebaum, Ivan Damgård, Michael Nielsen, and Lior Zichron</p> <p><strong><a name="JG"></a>Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability</strong><br /> <em><a href="http://www0.cs.ucl.ac.uk/staff/j.groth/">Jens Groth</a></em> (UCL)</p> <p>We give computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiability over a large field. For a circuit with N addition and multiplication gates, the prover only uses O(N) multiplications and the verifier only uses O(N) additions in the field. If the commitments we use are statistically binding, our zero-knowledge proofs have unconditional soundness, while if the commitments are statistically hiding we get computational soundness. Our zero-knowledge proofs also have sub-linear communication if the commitment scheme is compact.</p> <p>Our construction proceeds in three steps. First, we give a zero-knowledge proof for arithmetic circuit satisfiability in an ideal linear commitment model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors. Second, we show that the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments. Finally, by choosing efficient instantiations of the primitives we obtain linear-time zero-knowledge proofs.</p> Thu, 02 Nov 2017 10:10:00 +0000 https://pariscryptoday.github.io/sixth.html Jun 27-28 @ ENS <p>The next Paris Area Crypto Day will take place on 27.06.2017 and 28.06.2017 (Tue/Wed) at ENS. 
The event will be co-located with the ECRYPT NET Workshop on Crypto for the Cloud &amp; Implementation; the website is <a href="https://crypto-events.di.ens.fr/ecryptnet/">here</a>.</p> <ul> <li><a href="http://www.di.ens.fr/CryptoAccess.html.en">Salle Dussane</a>, ENS (item 9 of this <a href="https://crypto-events.di.ens.fr/ecryptnet/docs/Plan_45ULM_RDC.pdf">map</a>)</li> <li>Please <a href="https://docs.google.com/forms/d/e/1FAIpQLSeGa89lxTKtPi7BReaWC4x9Gl_p9HkqQESZKJVim0JRi2zlmg/viewform?entry.2092238618&amp;entry.1135279802&amp;entry.479301265&amp;entry.1753222212=First+day+(June+27)&amp;entry.1753222212=Second+day+(June+28)">register here</a> (free)</li> </ul> <h3 id="program">Program</h3> <h4 id="day-one-jun-27">Day one (Jun 27)</h4> <table> <tbody> <tr> <td>09:30 - 10:00</td> <td>Coffee &amp; Welcome</td> </tr> <tr> <td>10:10 - 11:10</td> <td><a href="#DavEva">David Evans</a> Secure multi-party computation: promises, protocols, and practicalities [<a href="https://www.jeffersonswheel.org/2017/secure-multi-party-computation-promises-protocols-and-practicalities">slides</a>]</td> </tr> <tr> <td>11:15 - 12:00</td> <td><a href="#GeoFuc">Georg Fuchsbauer</a> Subversion-resistant zero knowledge [<a href="http://www.di.ens.fr/~fuchsbau/ParisCryptoDay.pdf">slides</a>]</td> </tr> <tr> <td>12:00 - 14:00</td> <td>Lunch (not provided)</td> </tr> <tr> <td>14:00 - 15:00</td> <td><a href="#IngVer">Ingrid Verbauwhede</a> Energy efficiency and security for cryptographic algorithm implementations</td> </tr> <tr> <td>15:00 - 15:30</td> <td>Coffee Break</td> </tr> <tr> <td>15:30 - 16:30</td> <td><a href="#PasPai">Pascal Paillier</a> Whitebox cryptomania [<a href="https://crypto-events.di.ens.fr/ecryptnet/slides/Whitebox_Cryptomania-4.pdf">slides</a>]</td> </tr> </tbody> </table> <h4 id="day-two-jun-28">Day two (Jun 28)</h4> <table> <tbody> <tr> <td>09:50 - 10:00</td> <td>Coffee &amp; Welcome</td> </tr> <tr> <td>10:00 - 11:00</td> <td><a href="#KenPat">Kenneth Paterson</a> 
Secure storage in the cloud using property preserving encryption [<a href="https://crypto-events.di.ens.fr/ecryptnet/slides/secure-storage-property-preserving.pdf">slides</a>]</td> </tr> <tr> <td>11:15 - 12:00</td> <td><a href="#RapBos">Raphael Bost</a> Searchable encryption: from theory to implementation [<a href="https://raphael.bost.fyi/slides/SSE_ENS.pdf">slides</a>]</td> </tr> <tr> <td>12:00 - 14:00</td> <td>Lunch (not provided)</td> </tr> <tr> <td>14:00 - 15:00</td> <td><a href="#SerGor">Sergey Gorbunov</a> IRON: functional encryption using Intel SGX [<a href="https://crypto-events.di.ens.fr/ecryptnet/slides/FEonSGX_public.pdf">slides</a>]</td> </tr> <tr> <td>15:00 - 15:30</td> <td>Coffee Break</td> </tr> <tr> <td>15:30 - 16:00</td> <td>Panel</td> </tr> </tbody> </table> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="DavEva"></a>Secure multi-party computation: promises, protocols, and practicalities</strong><br /> <em><a href="http://www.cs.virginia.edu/~evans/">David Evans</a></em> (University of Virginia)</p> <p>Secure multi-party computation (MPC) provides a way for two (or more) parties to compute a function that depends on inputs from both parties, while keeping their inputs private. A general solution to this problem has been known since Yao’s pioneering work on garbled circuits in the 1980s, but only recently has it become conceivable to use this approach in real systems. Over the past decade, the costs of executing MPC protocols have dropped by about 7 orders of magnitude, but real-world deployments remain rare, and mostly unsatisfying. In this talk, I’ll provide a brief introduction to MPC and summarize some of the work our group has done to make secure computation scalable, efficient, and accessible. I’ll describe some attempts to build interesting practical systems with MPC including an ongoing effort to develop a decentralized certificate authority that can produce signed certificates without ever exposing the private signing key. 
Finally, I’ll discuss the remaining impediments that are holding back MPC from being widely used in practice.</p> <p><strong><a name="GeoFuc"></a>Subversion-resistant zero knowledge</strong><br /> <em><a href="http://www.di.ens.fr/~fuchsbau/">Georg Fuchsbauer</a></em> (INRIA and ENS)</p> <p>Motivated by the subversion of “trusted” public parameters in mass-surveillance activities, we study the security of non-interactive zero-knowledge (NIZK) proofs in the presence of a maliciously chosen common reference string. We first provide definitions for subversion-resistant soundness, witness indistinguishability and zero knowledge. We show that certain combinations of goals are unachievable, but for all other combinations we give constructions that achieve them.</p> <p>We then turn to zk-SNARKs (succinct non-interactive arguments of knowledge), which are computationally sound NIZK systems with short and efficiently verifiable proofs, used e.g. in cryptocurrencies such as Zcash. We show that under plausible hardness assumptions, many zk-SNARK schemes proposed in the literature can be made subversion-zero-knowledge at very little cost.</p> <p>(joint work with Mihir Bellare and Alessandra Scafuro)</p> <p><strong><a name="IngVer"></a>Energy efficiency and security for cryptographic algorithm implementations</strong><br /> <em><a href="http://homes.esat.kuleuven.be/~iverbauw/">Ingrid Verbauwhede</a></em> (K.U. Leuven)</p> <p>Energy and power efficiency is an extremely important optimization goal when implementing applications on any digital platform. This is important for lightweight Internet of Things devices as well as high-end servers and cloud computing. The first requires a long battery life; the second needs to reduce the cost of cooling (and the electricity bill).</p> <p>The energy and power optimization also holds for the implementation of cryptographic algorithms. 
Our goal is to build devices that can perform the mathematically demanding cryptographic operations in an efficient way. At the same time, we require that the implementations are also secure against a wide range of physical attacks, including side-channel attacks. Unfortunately, countermeasures to side-channel attacks impose an extra cost.</p> <p>This presentation will focus on the implementation aspects of cryptographic operations and how to balance the computation requirements with the resource constraints. These concepts will be illustrated with the design of several cryptographic co-processors for secret-key, public-key and a new generation of post-quantum secure algorithms.</p> <p><strong><a name="PasPai"></a>Whitebox cryptomania</strong><br /> <em><a href="https://www.cryptoexperts.com/">Pascal Paillier</a></em> (CryptoExperts)</p> <p>In the utopian world of whitebox cryptomania, cryptographic programs can be freely executed, copied and shared without endangering their inner secret keys, as breaking them requires intractable computational efforts. Once again, constructive cryptography has prevailed over cryptanalysis thanks to reductionist proofs, and tamper-resistant cryptographic software has suddenly become a reality. This talk explores the side effects of this parallel universe on cryptographic constructions - good and bad alike - and what they potentially mean for the security of the Cloud.</p> <p><strong><a name="KenPat"></a>Secure storage in the cloud using property preserving encryption</strong><br /> <em><a href="http://www.isg.rhul.ac.uk/~kp/">Kenneth Paterson</a></em> (Royal Holloway)</p> <p>In this talk, we’ll take a look at how Property Preserving Encryption (PPE) schemes can be used to store data in encrypted form at cloud service providers while still allowing various forms of search queries to be carried out against the data. 
We’ll explain why some of the currently deployed schemes provide insufficient security in practice, and discuss methods by which security can be enhanced whilst preserving search capabilities.</p> <p><strong><a name="RapBos"></a>Searchable encryption: from theory to implementation</strong><br /> <em><a href="https://raphael.bost.fyi/">Raphael Bost</a></em> (DGA and Université Rennes 1)</p> <p>Searchable encryption is a very appealing concept for storing data on an untrusted server, so as to keep search functionalities while ensuring privacy of both the queries and the data. Many different solutions have emerged, differing in their security and in their efficiency, originating from both industry and academia. In the past few years, searchable encryption has been a very hot topic, and a lot of work on new constructions and new attacks has been done.</p> <p>In this presentation, I will try to give an insight into the big challenges of searchable encryption, and explain why the compromise between security and performance is the core problem in this area. To do so, I will talk about lower bounds, recent attacks and constructions, and ongoing work, both theoretical and practical. This will give you a glimpse of the variety of techniques and tools that can be applied to searchable encryption, and of how wide this topic can be, ranging from theoretical computer science to systems design. Finally, I will conclude by describing some exciting open problems on searchable encryption, again both theoretical and practical.</p> <p><strong><a name="SerGor"></a>IRON: functional encryption using Intel SGX</strong><br /> <em><a href="https://cs.uwaterloo.ca/~sgorbuno/">Sergey Gorbunov</a></em> (University of Waterloo)</p> <p>Functional encryption (FE) is an extremely powerful cryptographic mechanism that lets an authorized entity compute on encrypted data, and learn the results in the clear. 
However, all current cryptographic instantiations for general FE are too impractical to be implemented. We build Iron, a practical and usable FE system using Intel’s recent Software Guard Extensions (SGX). We show that Iron can be applied to complex functionalities, and even for simple functions, outperforms the best known cryptographic schemes. We argue security by modeling FE in the context of hardware elements, and prove that Iron satisfies the security model.</p> <p>Joint work with: Ben A Fisch, Dhinakaran Vinayagamurthy, Dan Boneh</p> Fri, 02 Jun 2017 10:10:00 +0000 https://pariscryptoday.github.io/fifth.html https://pariscryptoday.github.io/fifth.html Jan 12 @ ENS <p>The fourth Paris Area Crypto Day will be held on 12.01.2017 (Thu) at ENS.</p> <ul> <li><a href="http://www.di.ens.fr/CryptoAccess.html.en">Amphi Dussane</a>, ENS (<a href="http://www.di.ens.fr/~wee/docs/ENS-map.pdf">map</a>)</li> <li>Please <a href="https://docs.google.com/forms/d/1yAlkUyKNNxf0JeYJ_n9hgJHboi3lCgB-0TG6PqHVReU/viewform">register</a> (free, lunch included). 
Deadline 09.01.2016</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td>09:30 - 09:50</td> <td>Coffee &amp; Welcome</td> </tr> <tr> <td>10:00 - 11:00</td> <td><a href="#VV">Vinod Vaikuntanathan</a> Low-Complexity Cryptographic Hash Functions</td> </tr> <tr> <td>11:00 - 12:00</td> <td><a href="#MC">Melissa Chase</a> Basing Privacy-Preserving Credentials on Standard Signatures</td> </tr> <tr> <td>12:00 - 13:30</td> <td>Lunch</td> </tr> <tr> <td>14:00 - 15:00</td> <td><a href="#GP">Guillaume Poupard</a> From crypto to “cyberwar”?</td> </tr> <tr> <td>15:00 - 15:30</td> <td>Coffee Break</td> </tr> <tr> <td>15:30 - 16:30</td> <td><a href="#PAF">Pierre-Alain Fouque</a> Content Delivery over TLS: A Cryptographic Analysis of Keyless SSL</td> </tr> </tbody> </table> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="VV"></a>Low-Complexity Cryptographic Hash Functions</strong><br /> <em><a href="https://people.csail.mit.edu/vinodv/">Vinod Vaikuntanathan</a></em> (MIT)</p> <p>Cryptographic hash functions are efficiently computable functions that shrink a long input into a shorter output while achieving some of the useful security properties of a random function. The most common type of such hash functions is collision resistant hash functions (CRH), which prevent an efficient attacker from finding a pair of inputs on which the function has the same output.</p> <p>Despite the ubiquitous role of hash functions in cryptography, several of the most basic questions regarding their computational and algebraic complexity remained open. In this work we settle most of these questions under new, but arguably quite conservative, cryptographic assumptions, whose study may be of independent interest.</p> <p>Concretely, we obtain the following results:</p> <ul> <li> <p>Low-complexity CRH. 
Assuming the intractability of finding short codewords in natural families of linear error-correcting codes, there are CRH that shrink the input by a constant factor and have a constant algebraic degree over Z_2 (as low as 3), or even constant output locality and input locality and thus computable by linear-size circuits. Such CRH are potentially MPC- and FHE-friendly.</p> </li> <li> <p>Win-win results. If low-degree CRH with good shrinkage do not exist, this has useful consequences for learning algorithms and data structures.</p> </li> <li> <p>Degree-2 hash functions. Assuming the conjectured intractability of solving a random system of quadratic equations over Z_2, a uniformly random degree-2 mapping is a universal one-way hash function (UOWHF). UOWHF relaxes CRH by forcing the attacker to find a collision with a random input picked by a challenger. On the other hand, a uniformly random degree-2 mapping is not a CRH. We leave the existence of degree-2 CRH open, and relate it to open questions on the existence of degree-2 randomized encodings of functions.</p> </li> </ul> <p>An important research direction is to understand the security of our assumptions from the cryptanalysis standpoint.</p> <p>Joint Work with Benny Applebaum, Naama Haramaty, Yuval Ishai and Eyal Kushilevitz, to appear in ITCS 2017.</p> <p><strong><a name="MC"></a>Basing Privacy-Preserving Credentials on Standard Signatures</strong><br /> <em><a href="http://research.microsoft.com/en-us/um/people/melissac/">Melissa Chase</a></em> (Microsoft Research)</p> <p>Practical anonymous credential systems are generally built around sigma-protocol ZK proofs. This requires that credentials be based on specially formed signatures. Here we ask whether we can instead use a standard (say, RSA, or (EC)DSA) signature that includes formatting and hashing messages, as a credential, and still provide privacy. 
Existing techniques do not provide efficient solutions for proving knowledge of such a signature: On the one hand, ZK proofs based on garbled circuits (Jawurek et al. 2013) give efficient proofs for checking formatting of messages and evaluating hash functions. On the other hand, they are expensive for checking algebraic relations such as RSA or discrete-log, which can be done efficiently with sigma protocols.</p> <p>We design new constructions obtaining the best of both worlds: combining the efficiency of the garbled circuit approach for non-algebraic statements and that of sigma protocols for algebraic ones. We then discuss how to use these as building-blocks to construct privacy-preserving credential systems based on standard RSA and (EC)DSA signatures.</p> <p>Other applications of our techniques include anonymous credentials with more complex policies, the ability to efficiently switch between commitments (and signatures) in different groups, and secure two-party computation on committed/signed inputs.</p> <p><strong><a name="GP"></a> From crypto to “cyberwar”?</strong><br /> <em><a href="https://www.ssi.gouv.fr/agence/organisation/la-direction-generale/">Guillaume Poupard</a></em> (ANSSI)</p> <p>Although it is an exclusively defensive discipline, cryptography has historically been associated with many conflicts and espionage stories of every kind. One might have thought that, with the liberalization and also the commoditization of its use in our everyday lives, crypto would return to being simply one of the technologies indispensable to digital development, but that is not the case. In a context of strong geopolitical uncertainty, where “cyber” tends to play an increasingly destabilizing role, and also in the face of the threat of terrorists presumed to be users of “encrypted messaging”, cryptology continues to play a complex but decisive role. 
A brief overview of the question and of what is at stake, as seen from ANSSI…</p> <p><strong><a name="PAF"></a> Content Delivery over TLS: A Cryptographic Analysis of Keyless SSL</strong><br /> <em><a href="https://www.di.ens.fr/~fouque/">Pierre-Alain Fouque</a></em> (Rennes)</p> <p>The Transport Layer Security (TLS) protocol is designed to allow two parties, a client and a server, to communicate securely over an insecure network. However, when TLS connections are proxied through an intermediate middlebox, like a Content Delivery Network (CDN), the standard end-to-end security guarantees of the protocol no longer apply. In this talk, we will investigate the security guarantees provided by Keyless SSL, a CDN architecture currently deployed by CloudFlare that composes two TLS 1.2 handshakes to obtain a proxied TLS connection. We demonstrate new attacks that show that Keyless SSL does not meet its intended security goals. These attacks have been reported to CloudFlare and we are in the process of discussing fixes.</p> <p>We argue that proxied TLS handshakes require a new, stronger, 3-party security definition. We modify Keyless SSL and prove that our modifications guarantee the new 3-party security, assuming ACCE-security for the individual TLS 1.2 connections. We also propose a new design for Keyless TLS 1.3 and prove its security, assuming that the TLS 1.3 handshake implements an authenticated 2-party key exchange. Notably, we show that secure proxying in Keyless TLS 1.3 is computationally lighter and requires simpler assumptions on the certificate infrastructure than our proposed fix for Keyless SSL. Our results indicate that proxied TLS architectures, as currently used by a number of CDNs, may be vulnerable to subtle attacks and deserve close attention.</p> <p>Joint work with K. Bhargavan, I. Carlson, C. Onete, and B. 
Richard. Will appear at EURO S&amp;P 2017.</p> Sun, 08 Jan 2017 10:10:00 +0000 https://pariscryptoday.github.io/fourth.html https://pariscryptoday.github.io/fourth.html Sep 6 @ INRIA <p>The third Paris Area Crypto Day will be held on 06.09.16 (Tue) at INRIA.</p> <ul> <li><a href="https://www.inria.fr/en/centre/paris/overview/how-to-reach-us">Salle JL Lions</a>, INRIA</li> <li>Please <a href="https://docs.google.com/forms/d/1q8oqAj31ODGjPV00q8bE6p4GMFHZgBXO6-V3p9Zc-No/">register</a> (free, lunch included). Deadline 01.09.2016</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td>10:00 - 10:10</td> <td>Welcome</td> </tr> <tr> <td>10:10 - 11:10</td> <td><a href="#VL">Vadim Lyubashevsky</a> Directions in Lattice Cryptography</td> </tr> <tr> <td>11:30 - 12:00</td> <td><a href="#MM">Michele Minelli</a> FHE Circuit Privacy Almost For Free</td> </tr> <tr> <td>12:00 - 12:30</td> <td><a href="#VLa">Virginie Lallemand</a> Cryptanalysis of the FLIP Family of Stream Ciphers</td> </tr> <tr> <td>12:30 - 14:30</td> <td>Lunch</td> </tr> <tr> <td>14:30 - 15:30</td> <td><a href="#CB">Chris Brzuska</a> Assumptions in Cryptography</td> </tr> <tr> <td>15:30 - 16:00</td> <td>Coffee Break</td> </tr> <tr> <td>16:00 - 16:30</td> <td><a href="#BC">Benoît Cogliati</a> EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC</td> </tr> <tr> <td>16:30 - 17:00</td> <td><a href="#GC">Geoffroy Couteau</a> Encryption Switching Protocols</td> </tr> </tbody> </table> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="VL"></a>Directions in Lattice Cryptography</strong><br /> <em><a href="http://researcher.ibm.com/researcher/view.php?person=zurich-VAD">Vadim Lyubashevsky</a></em> (IBM Zurich)</p> <p>In the past 20 years, lattice cryptography went from a purely theoretical research area to actually being implemented inside of Google Chrome today. 
I will describe the state-of-the-art results in practical lattice cryptography and sketch out what I consider to be interesting directions for further research.</p> <p><strong><a name="MM"></a>FHE Circuit Privacy Almost For Free</strong><br /> <em>Michele Minelli</em> (ENS)</p> <p>Circuit privacy is an important property for many applications of fully homomorphic encryption. Prior approaches for achieving circuit privacy rely on superpolynomial noise flooding or on bootstrapping. In this work, we present a conceptually different approach to circuit privacy based on a novel characterization of the noise distribution. In particular, we show that a variant of the GSW FHE for branching programs already achieves circuit privacy; this immediately yields a circuit-private FHE for NC1 circuits under the standard LWE assumption with polynomial modulus-to-noise ratio. Our analysis relies on a variant of the discrete Gaussian leftover hash lemma which states that $e^t G^{-1}(v)$ + small noise does not depend on $v$. We believe that this result is of independent interest.</p> <p>Joint work with Florian Bourse, Rafaël Del Pino and Hoeteck Wee</p> <p><strong><a name="VLa"></a>Cryptanalysis of the FLIP Family of Stream Ciphers</strong><br /> <em>Virginie Lallemand</em> (INRIA)</p> <p>At Eurocrypt 2016, Méaux et al. proposed FLIP, a new family of stream ciphers intended for use in Fully Homomorphic Encryption systems. Unlike its competitors, which either have a low initial noise that grows at each successive encryption, or a high constant noise, the FLIP family of ciphers achieves a low constant noise thanks to a new construction called filter permutator. In this paper, we present an attack on the early version of FLIP that exploits the structure of the filter function and the constant internal state of the cipher. Applying this attack to the two instantiations proposed by Méaux et al. allows for a key recovery in $2^{54}$ basic operations (resp. 
$2^{68}$), compared to the claimed security of $2^{80}$ (resp. $2^{128}$).</p> <p>Joint work with Sébastien Duval and Yann Rotella</p> <p><strong><a name="CB"></a>Assumptions in Cryptography</strong><br /> <em><a href="http://chrisbrzuska.de/">Chris Brzuska</a></em> (TU Hamburg)</p> <p><strong><a name="BC"></a>EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC</strong><br /> <em>Benoît Cogliati</em> (University of Versailles)</p> <p>We propose a nonce-based MAC construction called EWCDM (<em>Encrypted Wegman-Carter with Davies-Meyer</em>), based on an almost xor-universal hash function and a block cipher, with the following properties: (i) it is simple and efficient, requiring only two calls to the block cipher, one of which can be carried out in parallel to the hash function computation; (ii) it is provably secure beyond the birthday bound when nonces are not reused; (iii) it provably retains security up to the birthday bound in case of nonce misuse. Our construction is a simple modification of the Encrypted Wegman-Carter construction, which is known to achieve only (i) and (iii) when based on a block cipher. Underlying our new construction is a new PRP-to-PRF conversion method coined Encrypted Davies-Meyer, which turns a pair of secret random permutations into a function which is provably indistinguishable from a perfectly random function up to at least $2^{2n/3}$ queries, where $n$ is the bit-length of the domain of the permutations.</p> <p>Joint work with Yannick Seurin</p> <p><strong><a name="GC"></a>Encryption Switching Protocols</strong><br /> <em>Geoffroy Couteau</em> (ENS)</p> <p>We put forth a novel cryptographic primitive: encryption switching protocol (ESP), which allows switching between two encryption schemes. Intuitively, this two-party protocol converts given ciphertexts from one scheme into ciphertexts of the same messages in the other scheme, for any polynomial number of switches, in any direction. 
Although ESP is a special kind of two-party computation protocol, it turns out that ESP implies general two-party computation under natural conditions. In particular, our new paradigm is tailored to the evaluation of functions over rings. Indeed, assuming the compatibility of two additively and multiplicatively homomorphic encryption schemes, switching ciphertexts makes it possible to efficiently reconcile the two internal laws. Since no such pair of schemes appeared in the literature, except for the non-interactive case of fully homomorphic encryption which still remains prohibitive in practice, we build the first ElGamal-like encryption scheme over $(Z_n;\times)$ as a complement to the Paillier encryption scheme over $(Z_n;+)$, where $n$ is a strong RSA modulus. Finally, we also instantiate a secure ESP between the two schemes against malicious adversaries. Thanks to a pre-processing step, we manage to get an online communication in terms of group elements which depends neither on the security parameter nor on the modulus $n$. This makes use of a new technique called refreshable twin-ciphertext pool that is of independent interest.</p> <p>Joint work with Thomas Peters and David Pointcheval</p> Thu, 01 Sep 2016 10:10:00 +0000 https://pariscryptoday.github.io/third.html https://pariscryptoday.github.io/third.html June 30 @ ENS <p>The second Paris Area Crypto Day will be held on 30.06.16 (Thu) at ENS.</p> <ul> <li><a href="https://www.di.ens.fr/AccesDI.html.fr">Amphi Rataud</a>, ENS</li> <li>Please <a href="https://docs.google.com/forms/d/1avLA_9MSnv5qR0D1MriNhbKLsqB17CyOx2fP_sv_x4k/viewform">register</a> (free, lunch included). 
Deadline 27.06.16</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td> 9:50 - 10:00  </td> <td>Welcome</td> </tr> <tr> <td>10:00 - 11:00</td> <td><a href="#AC">Anne Canteaut</a> Algebraic Distinguishers against Symmetric Primitives</td> </tr> <tr> <td>11:00 - 12:00</td> <td><a href="#LR">Leonid Reyzin</a> On Memory Hardness of SCrypt</td> </tr> <tr> <td>12:00 - 14:00</td> <td>Lunch</td> </tr> <tr> <td>14:00 - 15:30</td> <td><a href="#VS">Victor Shoup</a> Hash Proof Systems, Old and New</td> </tr> <tr> <td>15:30 - 16:00</td> <td>Coffee Break</td> </tr> <tr> <td>16:00 - 17:00</td> <td><a href="#RP">Rafael Pass</a> Analysis of the Blockchain Protocol in Asynchronous Networks</td> </tr> </tbody> </table> <p><strong>Organizers.</strong> Michel Abdalla and Hoeteck Wee (<a href="https://crypto.di.ens.fr/web2py">ENS</a>)</p> <p><strong>Acknowledgements.</strong> ERC <a href="http://www.di.ens.fr/~pointche/CryptoCloud/">CryptoCloud</a>, <a href="http://cordis.europa.eu/project/rcn/193658_en.html">aSCEND</a>, and <a href="http://www.ecrypt.eu.org/net/">ECRYPT-NET</a></p> <hr /> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="AC"></a>Algebraic Distinguishers against Symmetric Primitives</strong><br /> <em>Anne Canteaut, INRIA</em></p> <p>Higher-order differential attacks, introduced by Knudsen in 1994, are the first family of attacks against block ciphers which exploit some specific property of the polynomial representation of the cipher. Indeed, these attacks rely on the fact that, for all keys, the involved multivariate polynomial does not have maximal degree. This idea has then been generalized by several authors and has led to the notion of cube distinguishers, and more recently to the so-called division property. Both generalizations actually exploit the fact that some given monomials do not appear in the polynomials. 
In this talk, I will present a unified view of these attacks, and I will show how such algebraic properties propagate through the successive layers of iterated primitives.</p> <p>Joint work with Christina Boura (Université de Versailles St Quentin)</p> <p><strong><a name="LR"></a>On Memory Hardness of SCrypt</strong><br /> <em>Leonid Reyzin, BU</em></p> <p>The key derivation function scrypt (Percival, 2009) is defined as the result of n steps, where each step consists of selecting one or two previously computed values (the selection depends on the values themselves) and hashing them. It is conjectured that this function is memory-hard.</p> <p>We show that indeed scrypt is maximally memory-hard in the parallel random oracle model. Specifically, we show that the product of memory and time used during the computation of scrypt must be $\Theta(n^2)$. Moreover, even if the amount of memory used fluctuates during the computation, we show that the sum of memory usage over time (a.k.a. “cumulative memory complexity”, introduced by Alwen and Serbinenko in 2015) is $\Theta(n^2)$. This suggests that computation of multiple instances of scrypt cannot be improved via amortization. Our result holds even if the adversary is allowed to make an unlimited number of parallel random oracle queries at each step.</p> <p>Previous work (Alwen, Chen, Kamath, Kolmogorov, Pietrzak, Tessaro 2016) showed a lower bound of $\Omega(n^2 / \log^2 n)$ on the memory complexity of scrypt in more restricted models, where the adversary was assumed to store only random oracle outputs or specific functions of them. 
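The step structure described above (n values computed in sequence, then n steps that each pick an earlier value based on the current value and hash the pair), as an added Python example that is not from the talk or from the scrypt specification: SHA-256 stands in for scrypt's BlockMix, the index derivation and the sample input are constructed here, and the real scrypt parameters (r, p, the Salsa20/8 core) are left out. The same function is computed once with all n intermediate values kept in memory and once with none of them kept, recomputing the selected value from scratch each time; the two endpoints show the memory/time tradeoff that the talk's bound constrains, since the talk's result is that every strategy has memory times time in Θ(n²).

```python
"""Simplified ROMix-style loop: data-dependent selection of earlier values.

Constructed example. H is SHA-256 here; scrypt itself uses BlockMix over
Salsa20/8 and a different integerification of the current value.
"""
import hashlib
from typing import List, Tuple

BLOCK = 32  # bytes, the SHA-256 output size used as the "value" width here


def H(x: bytes) -> bytes:
    """The random-oracle stand-in: one hash call per step."""
    return hashlib.sha256(x).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def index_of(x: bytes, n: int) -> int:
    """Data-dependent selection: which earlier value is mixed in depends on x itself,
    so it cannot be predicted (and prefetched or discarded) before x is known."""
    return int.from_bytes(x[-8:], "little") % n


def romix_full_memory(x0: bytes, n: int) -> Tuple[bytes, int]:
    """Keep all n intermediate values (n * BLOCK bytes) and do about 2n hash calls.
    Returns (output, number_of_hash_calls)."""
    calls = 0
    v: List[bytes] = []
    x = x0
    for _ in range(n):          # phase 1: fill the table v[0..n-1]
        v.append(x)
        x = H(x)
        calls += 1
    for _ in range(n):          # phase 2: n data-dependent lookups
        j = index_of(x, n)
        x = H(xor(x, v[j]))
        calls += 1
    return x, calls


def romix_constant_memory(x0: bytes, n: int) -> Tuple[bytes, int]:
    """Same function without storing the table: v[j] is recomputed from x0 each time.
    Memory is O(1) blocks, but the hash count grows to roughly n^2/2 + 2n."""
    calls = 0
    x = x0
    for _ in range(n):          # phase 1 without retaining anything
        x = H(x)
        calls += 1
    for _ in range(n):          # phase 2: recompute v[j] = H^j(x0) on demand
        j = index_of(x, n)
        vj = x0
        for _ in range(j):
            vj = H(vj)
            calls += 1
        x = H(xor(x, vj))
        calls += 1
    return x, calls


def memory_time_products(x0: bytes, n: int) -> Tuple[int, int]:
    """Memory (in blocks) times time (in hash calls) for the two strategies.
    Both land in Theta(n^2): 2n^2 for the table, about n^2/2 for recomputation."""
    _, t_full = romix_full_memory(x0, n)
    _, t_const = romix_constant_memory(x0, n)
    return n * t_full, 1 * t_const


if __name__ == "__main__":
    seed = hashlib.sha256(b"constructed sample input").digest()
    for n in (16, 64, 256):
        out_a, calls_a = romix_full_memory(seed, n)
        out_b, calls_b = romix_constant_memory(seed, n)
        assert out_a == out_b
        print(f"n={n:4d}  table: {calls_a:6d} hashes x {n} blocks"
              f"   no table: {calls_b:6d} hashes x 1 block")
```

The table strategy pays memory, the recomputation strategy pays time, and neither product gets below the quadratic regime; what the talk adds is the proof that no cleverer strategy (partial tables, parallel queries, storing arbitrary functions of the values) escapes it either.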
Our result improves the bound quantitatively by eliminating the $\log^2 n$ factor and qualitatively by allowing arbitrary storage by the adversary.</p> <p>Joint work with Joel Alwen, Jeremiah Blocki, and Krzysztof Pietrzak.</p> <p><strong><a name="VS"></a>Hash Proof Systems, Old and New</strong><br /> <em>Victor Shoup, NYU</em></p> <p>This talk will be an exposition on hash proof systems and their applications. I will review the basic definitions, constructions, and applications of hash proof systems, focusing on the original application to chosen ciphertext secure public key encryption, as well as more recent applications to password authenticated key exchange.</p> <p><strong><a name="RP"></a>Analysis of the Blockchain Protocol in Asynchronous Networks</strong><br /> <em>Rafael Pass, Cornell</em></p> <p>Nakamoto’s famous blockchain protocol enables achieving consensus in a so-called <em>permissionless</em> setting—anyone can join (or leave) the protocol execution, and the protocol instructions do not depend on the identities of the players. His ingenious protocol prevents “sybil attacks” (where an adversary spawns any number of new players) by relying on computational puzzles (a.k.a. “moderately hard functions”) introduced by Dwork and Naor (Crypto’92).</p> <p>Prior works that analyze the blockchain protocol either make the simplifying assumption that network channels are fully synchronous (i.e. 
messages are instantly delivered without delays) (Garay et al, Eurocrypt’15) or only consider specific attacks (Nakamoto’08; Sompolinsky and Zohar, FinancialCrypt’15); additionally, as far as we know, none of them deal with players joining or leaving the protocol.</p> <p>We prove that the blockchain consensus mechanism satisfies strong forms of consistency and liveness in an asynchronous network with adversarial delays that are a-priori bounded, within a formal model allowing for adaptive corruption and spawning of new players, assuming that the computational puzzle is modeled as a random oracle. (We complement this result by showing a simple attack against the blockchain protocol in a fully asynchronous setting, showing that the “puzzle-hardness” needs to be appropriately set as a function of the maximum network delay.)</p> <p>As an independent contribution, we define an abstract notion of a blockchain protocol and identify appropriate security properties of such protocols; we prove that Nakamoto’s blockchain protocol satisfies them and that these properties are sufficient for typical applications. We finally show how to use our analysis to build <em>new</em> blockchain protocols that overcome some of the bottlenecks in Nakamoto’s original protocol.</p> <p>The analysis of Nakamoto’s blockchain is based on joint work with Lior Seeman and abhi shelat, and new blockchain protocols are based on joint work with Elaine Shi. No prior knowledge of Bitcoin or the blockchain will be assumed.</p> Fri, 03 Jun 2016 10:10:00 +0000 https://pariscryptoday.github.io/second.html https://pariscryptoday.github.io/second.html Crypto Day 10000.10.10000 <p>The first Paris Area Crypto Day will be held on 16.02.16 (Tue) at ENS.</p> <ul> <li><a href="https://www.di.ens.fr/AccesDI.html.fr">Amphi Rataud</a>, ENS</li> <li>Please <a href="https://docs.google.com/forms/d/1VkvweWTJN8s1s6CH_1PGq5NlDcNYGvpziEmRW-jkb1E/viewform">register</a> (free, lunch included). 
Deadline 11.02.16</li> </ul> <h3 id="program">Program</h3> <table> <tbody> <tr> <td>10:00 - 10:10</td> <td>Welcome</td> </tr> <tr> <td>10:10 - 11:10</td> <td><a href="#AJ">Antoine Joux</a> Technical History of Discrete Logarithms in Small Characteristic Finite Fields</td> </tr> <tr> <td>11:20 - 11:40</td> <td><a href="#RG">Romain Gay</a> Tightly Secure CCA-Secure Encryption without Pairings</td> </tr> <tr> <td>11:40 - 12:00</td> <td><a href="#PM">Pierrick Méaux</a> Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts</td> </tr> <tr> <td>12:00 - 14:00</td> <td>Lunch</td> </tr> <tr> <td>14:00 - 15:00</td> <td><a href="#SB">Sonia Belaïd</a> On the Use of Masking to Defeat Power-Analysis Attacks</td> </tr> <tr> <td>15:00 - 15:20</td> <td><a href="#AP">Alain Passelègue</a> Randomness Complexity of Private Circuits for Multiplication</td> </tr> <tr> <td>15:20 - 15:50</td> <td>Coffee Break</td> </tr> <tr> <td>15:50 - 16:50</td> <td><a href="#KB">Karthikeyan Bhargavan</a> Freak, Logjam, and Sloth: Protecting TLS from Legacy Crypto</td> </tr> </tbody> </table> <p><strong>Organizers.</strong> Michel Abdalla and Hoeteck Wee (<a href="https://crypto.di.ens.fr/web2py">ENS</a>)</p> <p><strong>Acknowledgements.</strong> ERC <a href="http://www.di.ens.fr/~pointche/CryptoCloud/">CryptoCloud</a> and <a href="http://cordis.europa.eu/project/rcn/193658_en.html">aSCEND</a></p> <hr /> <h3 id="abstracts">Abstracts</h3> <p><strong><a name="AJ"></a>Technical History of Discrete Logarithms in Small Characteristic Finite Fields</strong> <em>Antoine Joux</em></p> <p>Due to its use in cryptographic protocols such as the Diffie–Hellman key exchange, the discrete logarithm problem attracted a considerable amount of attention in the past 40 years. In this talk, we summarize the key technical ideas and their evolution for the case of discrete logarithms in small characteristic finite fields. 
This road leads from the original belief that this problem was hard enough for cryptographic purposes to the current state of the art, where the algorithms are so efficient and practical that the problem can no longer be considered for cryptographic use.</p> <p><strong><a name="SB"></a>On the Use of Masking to Defeat Power-Analysis Attacks</strong> <em>Sonia Belaïd</em></p> <p>While most cryptographic algorithms are assumed to be secure against black-box attacks, they are often vulnerable to side-channel attacks, which exploit the physical emanations of the underlying device (e.g., temperature, power consumption, time). In order to defeat such attacks, several countermeasures have been exhibited within the last two decades. So far, the most deployed one at the algorithmic level is probably the use of masking. It consists of randomly splitting each sensitive variable of the computation into t+1 shares, where the masking order t represents the security level. While this countermeasure is very efficient in practice, it can be complex to design as t grows. During this talk, I will discuss the current issues in building higher-order masking schemes and the solutions that currently show up. In particular, I will present the construction of theoretical proofs to show the security of such schemes in the widely used t-probing leakage model.</p> <p><strong><a name="KB"></a>Freak, Logjam, and Sloth: Protecting TLS from Legacy Crypto</strong> <em>Karthikeyan Bhargavan</em></p> <p>The Transport Layer Security (TLS) protocol suffers from legacy bloat: after 20 years of evolution, it features many versions, extensions, and ciphersuites, some of which are obsolete and known to be insecure. Implementations and deployments of TLS deal with this complexity by implementing composite state machines that allow new and old features to coexist for interoperability, while waiting for deprecated features to be disabled over time.
Getting this composition right is tricky, and any flaw can result in a serious attack that bypasses the expected security of TLS.</p> <p>This talk will discuss three recent vulnerabilities discovered in our group: FREAK uses legacy support for export-grade RSA cipher suites to break into connections between mainstream browsers and 25% of the web; Logjam exploits a protocol flaw to confuse DHE key exchanges into using export-grade Diffie-Hellman groups; SLOTH exploits hash function collisions to mount downgrade and impersonation attacks on TLS. These attacks rely on a combination of protocol-level weaknesses, implementation bugs, and weak cryptography. The talk will advocate principled methods to avoid such weaknesses in the future, such as software verification and new robust designs for new protocols like TLS 1.3.</p> <p><strong><a name="RG"></a>Tightly Secure CCA-Secure Encryption without Pairings</strong> <em>Romain Gay</em></p> <p>We present the first CCA-secure public-key encryption scheme based on DDH where the security loss is independent of the number of challenge ciphertexts and the number of decryption queries. Our construction also extends to the standard k-Lin assumption in pairing-free groups, whereas all prior constructions starting with Hofheinz and Jager (Crypto ’12) rely on the use of pairings. Moreover, our construction improves upon the concrete efficiency of existing schemes, reducing the ciphertext overhead by about half (to only 3 group elements under DDH), in addition to eliminating the use of pairings. We also show how to use our techniques in the NIZK setting. Specifically, we construct the first tightly simulation-sound designated-verifier NIZK for linear languages without pairings.
Using pairings, we can turn our construction into a highly optimized publicly verifiable NIZK with tight simulation-soundness.</p> <p>Joint work with Dennis Hofheinz, Eike Kiltz and Hoeteck Wee.</p> <p><strong><a name="PM"></a>Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts</strong> <em>Pierrick Méaux</em></p> <p>Symmetric ciphers purposed for Fully Homomorphic Encryption (FHE) have recently been proposed for two main reasons. First, minimizing the implementation (time and memory) overheads that are inherent to current FHE schemes. Second, improving the homomorphic capacity, i.e. the amount of operations that one can perform on homomorphic ciphertexts before bootstrapping, which amounts to limiting their level of noise. Existing solutions for this purpose suggest a gap between block ciphers and stream ciphers. The first ones typically allow a constant but small homomorphic capacity, due to the iteration of rounds eventually leading to complex Boolean functions (hence large noise). The second ones typically allow a larger homomorphic capacity for the first ciphertext blocks, which decreases with the number of ciphertext blocks (due to the increasing Boolean complexity of the stream ciphers’ output). In this work, we aim to combine the best of these two worlds, and propose a new stream cipher construction that allows constant and small(er) noise. Its main idea is to apply a Boolean (filter) function to a public bit permutation of a constant key register, so that the Boolean complexity of its outputs is constant. We then propose an instantiation of the filter designed to exploit recent (3rd-generation) FHE schemes, where the error growth is quasi-additive when adequately multiplying ciphertexts with the same amount of noise.
We finally analyze the cryptanalytic security and noise of a couple of instances of this stream cipher, and conclude by highlighting its excellent properties regarding the other goal of minimizing the time and memory complexity of calculus delegation (for 2nd-generation FHE schemes).</p> <p>Joint work with Anthony Journault, François-Xavier Standaert and Claude Carlet.</p> <p><strong><a name="AP"></a>Randomness Complexity of Private Circuits for Multiplication</strong> <em>Alain Passelègue</em></p> <p>Many cryptographic algorithms appear to be vulnerable to side channel analysis and several leakage models have been introduced to better understand these analyses. In 2003, Ishai, Sahai and Wagner introduced the $d$-probing security model, in which an attacker can observe at most $d$ intermediate values during processing. They also proposed an algorithm that securely performs the multiplication of 2 bits in this model, using only $d(d+1)/2$ random bits to protect the computation. The $d$-probing model and the latter multiplication algorithm are nowadays widely used by the community to either prove the security of constructions or to define secure implementations.</p> <p>In this paper, we study the randomness complexity of multiplication algorithms secure in the $d$-probing model. On this subject, we propose several contributions: we provide new theoretical characterizations and constructions, new practical constructions and a new efficient algorithmic tool to analyze the security of such schemes.</p> <p>We start with a theoretical treatment of the subject: we propose an algebraic model for multiplication algorithms and exhibit an algebraic characterization of the security in the $d$-probing model. Using this algebraic characterization, we prove a linear (in $d$) lower bound as well as a quasi-linear (non-constructive) upper bound for this randomness cost.
This characterization also allows us to better understand the security of a multiplication algorithm, and we construct a new generic algorithm to perform secure multiplication in the $d$-probing model that only uses $d + d^2/4$ random bits.</p> <p>From a practical point of view, we consider the important cases $d \le 4$ that are actually used in real-life implementations and we build optimal algorithms for these small-order cases. More precisely, we propose algorithms with a randomness complexity matching our theoretical lower bound. Finally, still using our algebraic characterization, we provide a new dedicated verification tool, based on information set decoding, which aims at finding attacks on algorithms for fixed order $d$ at a very low computational cost.</p> <p>Joint work with Sonia Belaïd, Fabrice Benhamouda, Emmanuel Prouff, Adrian Thillard, and Damien Vergnaud.</p>
Thu, 04 Feb 2016 23:20:28 +0000 https://pariscryptoday.github.io/first.html
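<p>As an added illustration (not code from either talk or its authors) of the masking abstract's t+1 shares and of the Ishai-Sahai-Wagner multiplication gadget that the last abstract builds on: a Boolean sharing with d+1 shares, the ISW secure AND that consumes exactly d(d+1)/2 fresh random bits, and a check that the output shares recombine to a AND b. The function names <code>share</code>, <code>unshare</code>, <code>isw_mult</code> and <code>verify_isw</code> are chosen here.</p>

```python
import secrets
from functools import reduce
from operator import xor


def unshare(shares):
    """Recombine Boolean shares: the secret is the XOR of all shares."""
    return reduce(xor, shares, 0)


def share(x, d, rng=secrets.randbits):
    """Split bit x into d+1 shares whose XOR is x (masking order d)."""
    shares = [rng(1) for _ in range(d)]
    return shares + [x ^ unshare(shares)]


def isw_mult(a_shares, b_shares, rng=secrets.randbits):
    """Ishai-Sahai-Wagner secure AND of two (d+1)-shared bits (names chosen here).
    Returns (c_shares, random_bits_used). One fresh bit r[i][j] is drawn per
    pair i < j, so d(d+1)/2 bits in total. The bracketing of r[j][i] keeps
    a_i*b_j masked by r[i][j] before a_j*b_i is added, as in the gadget.
    """
    n = len(a_shares)
    r = [[0] * n for _ in range(n)]
    used = 0
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng(1)
            used += 1
            r[j][i] = (r[i][j] ^ (a_shares[i] & b_shares[j])) ^ (a_shares[j] & b_shares[i])
    c_shares = []
    for i in range(n):
        ci = a_shares[i] & b_shares[i]
        for j in range(n):
            if j != i:
                ci ^= r[i][j]
        c_shares.append(ci)
    return c_shares, used


def verify_isw(d, trials=16):
    """True if, for every input pair under fresh randomness, the output shares
    recombine to a AND b and exactly d(d+1)/2 random bits were consumed."""
    for _ in range(trials):
        for a in (0, 1):
            for b in (0, 1):
                c, used = isw_mult(share(a, d), share(b, d))
                if unshare(c) != (a & b) or used != d * (d + 1) // 2:
                    return False
    return True
```

<p>Correctness holds for any randomness; the random-bit count is what the abstract's lower bound and the d + d^2/4 construction improve on.</p>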