School and Workshop "Mathematics of Information-Theoretic Cryptography" at Lorentz Center (Leiden University).
School: 13 to 17 May
Workshop: 21 to 25 May.
You can check the program in this link.
Special RISC seminar on cryptologic aspects of the spy-malware *Flame*
Date: Wednesday March 20, 2013
Location: CWI, Turing Room (main auditorium)
15:00 - 15:45 h
Marc Stevens (CWI Amsterdam):
Counter-cryptanalysis: analyzing Flame's new collision attack
Flame, a highly advanced malware for cyberwarfare discovered in May,
spread itself through Microsoft Windows Update as a properly, but
illegitimately, signed security patch. Flame achieved this by forging a
signature from Microsoft using a so-called chosen-prefix collision
attack on the very weak cryptographic hash function MD5.
In this talk we will introduce counter-cryptanalysis, a new paradigm for
strengthening cryptographic primitives, and the first example thereof,
namely an efficient anomaly detection technique that detects whether a
given signature was forged using a cryptanalytic collision attack on the
underlying hash function.
We have used our new technique to analyze the collision attack used by
Flame and made the very surprising (and scientifically interesting)
discovery that Flame used an as of yet unknown variant of our
chosen-prefix collision attack that we introduced in 2007 and greatly
improved in 2009. In this talk we will also present our analysis of this
new variant attack.
16:00 - 16:45 h
Brian LaMacchia (Microsoft) and Dan Shumow (Microsoft):
Fire Retardant for your PKI: Towards automatic detection of the next Flame-like attack
On June 3, 2012, Microsoft published an emergency, out-of-band critical update that revoked two X.509 certificates associated with the Microsoft Public Key Infrastructure (PKI). These certificates were revoked in order to shut down a propagation mechanism being used by the Flame malware. Flame was digitally signed with a private key associated with a forged (but cryptographically valid) X.509v3 public key certificate that chained into a portion of the Microsoft PKI; the forged certificate was created using an MD5 hash collision attack against a live Microsoft Certificate Authority.
Microsoft Research personnel were involved very early on in the analysis of the Flame malware and the development of Microsoft's corporate response, and following that work we have begun a project looking at building tools that could efficiently and automatically detect signed objects that appeared to be created through hash collision attacks. In this talk we will discuss MSR's involvement in the analysis and response to the Flame malware, the specific hash collision attack that the authors of Flame carried out against the Microsoft PKI, and our attempts to develop automated mechanisms for detecting future attempts to subvert other PKIs in a similar fashion.
16:45 - 17:00 h
Questions and Discussion
RISC-Seminar on Quantum Cryptography on the occasion of Niek Bouman's PhD defense
Date: Thursday December 20, 2012
Location: CWI, Room L017
12:30 - 13:15 h
Niek Bouman (CWI Amsterdam):
Another look at "Cryptography from Quantum Uncertainty, in the Presence of Quantum Side Information"
In this talk of approx. 45 mins I will give an overview of my PhD thesis.
In this thesis, we present two new quantum-information-theoretic tools:
* a "quantum-sampling" framework to infer properties about an unknown $n$-qubit quantum state, from measuring a fraction of those qubits.
* an "all-but-one" quantum uncertainty relation.
Furthermore, we study the problem of message authentication in an extended setting and present an authentication protocol with a special key-privacy property.
Also, we present new security proofs for important quantum-cryptographic protocols (quantum key distribution, quantum reduction of oblivious transfer to an ideal bit commitment, quantum identification). Some of those proofs use our new information-theoretic tools.
I will do my best to find a good balance between giving a broad overview and discussing some technical details.
13:30 - 14:15 h
Christian Schaffner (University of Amsterdam):
Complete Insecurity of Quantum Protocols for Classical Two-Party Computation
A fundamental task in modern cryptography is the joint computation of a
function which has two inputs, one from Alice and one from Bob, such
that neither of the two can learn more about the other’s input than what
is implied by the value of the function. In this work, we show that any
quantum protocol for the computation of a classical deterministic
function that outputs the result to both parties (two-sided computation)
and that is secure against a cheating Bob can be completely broken by a
cheating Alice. Whereas it is known that quantum protocols for this task
cannot be completely secure, our result implies that security for one
party implies complete insecurity for the other. Our findings stand in
stark contrast to recent protocols for weak coin tossing and highlight
the limits of cryptography within quantum mechanics. We remark that our
conclusions remain valid, even if security is only required to be
approximate and if the function that is computed for Bob is different
from that of Alice.
Joint work with Harry Buhrman and Matthias Christandl
14:30 - 15:00 h
Serge Fehr (CWI):
On the Conditional Rényi Entropy
I will present a new definition for the classical (i.e. non-quantum) conditional Rényi entropy of order α. In contrast to previous suggestions, the new definition satisfies monotonicity, meaning that additional knowledge can only decrease the uncertainty, and the chain rule, meaning that the drop in uncertainty is at most the number of bits that encode the additional knowledge. These are very natural and very useful properties for a conditional entropy measure, and thus we feel that this new definition is "the right" one. Towards the end of the presentation, I will also briefly discuss the quantum case, and I will point out that here it is not fully clear yet what should be "the right" definition.
This is ongoing joint work with Stefan Berens (Leiden University).
15:15 - 16:00 h
Louis Salvail (Montreal University):
Actively Secure Two-Party Evaluation of any Quantum Operation
We provide the first two-party protocol allowing Alice and Bob to evaluate privately even against active adversaries
any completely positive, trace-preserving map F: L(Ain⊗Bin)→L(Aout⊗Bout), given as a quantum circuit, upon their joint
quantum input state ρ ∈ D(Ain⊗Bin). Our protocol leaks no more to any active adversary than an ideal functionality for F provided
Alice and Bob have the cryptographic resources for active secure two-party classical computation. Our protocol is constructed from
the protocol for the same task secure against specious adversaries presented at CRYPTO'2010.
NB: Niek's defense takes place on Tuesday December 18, in the Academiegebouw, Rapenburg 73, Leiden, starting at 10:00h.
RISC-Seminar on Practical Secure Computation
Date: Monday November 19, 2012
Location: CWI, Room L016
Robbert de Haan (CWI Amsterdam):
Secure Recommendation Systems
A recommendation system involves a large number of users that each
initially provide a list of ratings or preferences. During the lifetime
of the system users are both able to update their provided list and to
request an up-to-date personalized list of recommendations based on the
most similar users in the system. In this talk I will present some
technical details of ongoing work on secure recommendation systems,
where none of the data provided by the users should leak beyond what is
exposed by the provided recommendations.
Ulrich Rührmair (TU München):
Cryptographic Protocols based on Physical Unclonable Functions and Related Structures
Physical Unclonable Functions (PUFs) are an emerging, alternative approach in cryptography and security. While their initial use was mainly as a novel key storage element, recent work has discovered their potential as a general cryptographic primitive, comparable to the bounded storage model, quantum cryptography, or noise-based cryptography. In this talk, we undertake a journey through the area, describing PUF-based protocols for identification, key exchange and oblivious transfer. We then move on to two new concepts, which improve and generalize PUFs in certain aspects: So-called SIMPL systems, which are a public key variant of PUFs; and so-termed Virtual Proofs of Reality (VPs), which aim at proving physical statements via remote communication. For future hardware implementations of these two concepts, quantum technology could be a very interesting candidate.
Marten van Dijk (MIT/CSAIL):
Ascend: Architecture for Secure Computation on ENcrypted Data
This presentation considers encrypted computation where the user
specifies encrypted inputs to an untrusted program, and the server computes
on those encrypted inputs. To this end we propose a secure processor
architecture, called Ascend, that guarantees privacy of data when arbitrary
programs use the data running in a cloud-like environment (e.g., an
untrusted server running an untrusted software stack).
The key idea to guarantee privacy is obfuscated instruction execution;
Ascend does not disclose what instruction is being run at any given time,
be it an arithmetic instruction or a memory instruction. Periodic accesses
to external instruction and data memory are performed through an Oblivious
RAM (ORAM) interface to prevent leakage through memory access patterns.
We evaluate the processor architecture on SPEC benchmarks running on
encrypted data and quantify overheads.
Talk by Adriana Suárez Corona
Date: Monday July 9, 2012, 15:00-16:00
Location: Room L016, CWI
Adriana Suárez Corona (University of Oviedo, Spain):
Scalable Deniable Group Key Establishment
The popular Katz-Yung compiler from CRYPTO 2003 can be used to transform unauthenticated group key establishment protocols into authenticated ones. In this talk we present a modification of Katz and Yung's construction which maintains the round complexity
of their compiler, but for `typical' unauthenticated group key establishments adds authentication in such a way that deniability is achieved as
well. As an application, a deniable authenticated group key establishment with three rounds of communication can be constructed.
This is joint work with Kashi Neupane and Rainer Steinwandt (Florida Atlantic University).
RISC-Seminar in Leiden on the occasion of Marc Stevens' PhD defense.
The seminar will consist of two talks in the morning, while Marc's defense will take place in the afternoon. The venues of the two events are different; see below.
Date: Tuesday June 19, 2012
Location: Snellius Building (Mathematical Institute), Leiden University, Room 174
Xiaoyun Wang (Tsinghua University, Beijing, China):
Shortest Lattice Vectors in the Presence of Gaps
The talk will recall the existing algorithms for solving SVP (Shortest Vector Problem), and then introduce a more
efficient SVP search algorithm in the presence of gaps.
Eli Biham (Technion, Haifa, Israel):
On the (in)security of GSM cellular phones
In this talk we describe the ciphers and protocols used for the GSM
cellular phone network, and discuss the (in)security of the system.
We describe several techniques to attack the ciphers A5/2 and A5/1, and
how they can be applied as a ciphertext-only attack. We also show that
active attacks on the protocols can recover keys of ciphers that are not
used during that transmission. As a result, it is possible to listen in
to GSM phone conversations, steal calls during the conversation, and
even issue new calls on behalf of (and paid by) an attacked phone.
This is a joint work with Elad Barkan and Nathan Keller.
Location: Academiegebouw, Rapenburg 73 (not the Mathematical Institute)
Time: 15:00 h
Attacks on Hash Functions and Applications, PhD defense.
Short course on lattice-based cryptography by Dr. Erwin Torreao Dassen.
Day 1 - L016 - 11 June
Session 1 - 14:00 - 15:00 - Introduction to lattices
In this session we introduce lattices and some of their invariants. We take a look at bases and basis reduction algorithms with special attention to the LLL algorithm. We finish with some examples.
Session 2 - 15:30 - 16:30 - Lattices in cryptanalysis
Continuing with examples we now describe two uses of lattices in cryptanalysis: Coppersmith's attack on RSA based on stereotypical messages and the attack on the GGH signature scheme.
Day 2 - L016 - 15 June
Session 3 - 14:00 - 15:00 - The SIS problem
We move on to "modern" lattice-based cryptography. We introduce the Short Integer Solution (SIS) problem, one of the problems with an average-case to worst-case reduction to lattice problems. We describe this reduction and give an example of a cryptographic primitive (collision-resistant hash functions) based on SIS.
Session 4 - 15:30 - 16:30 - LWE and Ring-LWE
We introduce the "other half" of lattice-based cryptography: the Learning With Errors (LWE) problem. Cryptographic schemes whose security is based on LWE or SIS enjoy an average-case to worst-case reduction to lattice problems. We introduce a variant of this problem called Ring-LWE that is widely used to improve efficiency. We briefly discuss the security of schemes based on the latter.
Day 3 - L016 - 21 June
Session 5 - 14:00 - 15:00 - Fully homomorphic encryption
We introduce a "hot topic" in lattice-based cryptography: fully homomorphic encryption. We discuss Gentry's bootstrapping theorem and give an example of such a scheme based on RLWE.
Session 6 - 15:30 - 16:30 - Brakerski's "scale-invariant" FHE scheme
We discuss the latest scheme of Brakerski that achieves FHE from LWE and thus security based on problems for general lattices (contrary to RLWE).
RISC Seminar, in collaboration with the Intercity Number Theory Seminar, on ``Fully Homomorphic Encryption''.
Date: Friday April 27, 2012
Location: CWI (Room L016)
Vadim Lyubashevsky (ENS Rue d'Ulm):
Ideal Lattices and FHE (Part I) [Slides: PDF, PowerPoint]
In the first part of the talk, I will cover the Ring-LWE problem, its
hardness, the equivalence of its search and decision versions, and explain
what little is known about the hardness of problems in ideal lattices. In
the second part, I will present two (similar) constructions of cpa-secure
encryption schemes based on Ring-LWE. Then I will present the NTRU
cryptosystem and sketch how it can be easily modified to become a
"somewhat-homomorphic" encryption scheme that supports several additions
and multiplications, and then finally present the "bootstrapping" technique
that converts "somewhat-homomorphic" schemes that meet certain requirements
into fully-homomorphic ones. (NB: the NTRU-based scheme that I will
present does not meet these requirements, but can be modified to meet them
using recent techniques.)
Erwin Torreao Dassen (CWI):
Brakerski's scale invariant homomorphic scheme
In a recent pre-print, Brakerski introduced what he called a "scale invariant" homomorphic scheme. The name comes from the fact that, contrary to other schemes, its homomorphic properties depend only on the modulus-to-noise ratio. Furthermore, while in previous works noise would grow quadratically with each multiplication, here it grows linearly. The aim of the talk is to describe this scheme in detail.
Alice Silverberg (University of California, Irvine) :
Some Remarks on Lattice-based Fully Homomorphic Encryption
The talk will include an overview of some lattice-based Fully Homomorphic Encryption schemes such as those proposed by Smart-Vercauteren and Gentry-Halevi. We will also discuss balancing cryptographic security with ease of decryption, for lattice-based FHE schemes.
Talk by Prof. Kenny Paterson
Date: Monday April 2, 2012, 16:00-17:00
Location: Room L017, CWI
Prof. Kenny Paterson (Royal Holloway, University of London):
TLS and DTLS: A Tale of Two Protocols
TLS is the de facto protocol of choice for securing Internet communications, while DTLS is an increasingly important variant of TLS that was designed for use in lightweight applications. In this talk, I will provide an overview of what is known about the security of the TLS and DTLS protocols. I'll discuss the BEAST attack on TLS and what its implications are. I'll also talk about a recently discovered vulnerability in TLS 1.2, as well as what we know about the provable security of the protocol. I'll then explain how and why DTLS implementations turn out to be more vulnerable than TLS to padding oracle attacks. The talk will assume knowledge of basic cryptography and networking, but will be as self-contained as possible.
Talk by Prof. Ivan Bjerre Damgaard.
Date: January 30, 2012, 16:00-17:00
Location: Room L017, CWI
Prof. Ivan Damgaard (Aarhus University):
Secure Computation in the Preprocessing Model
Secure Multiparty Computation for the case of dishonest majority
has previously been known as the case where no efficient solution
was possible, since here one cannot avoid using expensive public-key
machinery. However, in a recent line of research it has been shown
that all the hard work can be pushed into a preprocessing phase
that is independent of the function to be computed. Then, in an
on-line phase, one can compute the function very efficiently
using only cheap information theoretic primitives.
In this talk we survey some of the latest results in this line of research.
For instance, we now have protocols in the preprocessing model that
have complexity linear in both the size of the circuit to compute and the number
of players, yet tolerate corruption of all but one player.
Joint work with Rikke Bendlin, Claudio Orlandi, Valerio Pastro, Nigel
Smart and Sarah Zakarias.
See the Archive for past years' events.