20th Anniversary CWI Cryptology Group


Event details:

Registered participants only.

Date: September 15-16 (Mon-Tue), 2025
Location: CWI (Monday) & KNAW (Tuesday)
Schedule: 
Monday, September 15 at *CWI*, Turingzaal
Science Park 123, Amsterdam
13:00 - 13:50 Welcome at CWI
13:50 - 14:00 Opening remarks
14:00 - 14:30 Prof. Krzysztof Pietrzak (IST Austria):
Verifiable Delay Functions and their Surprising Applications
Abstract: Verifiable Delay Functions (VDFs) are cryptographic primitives which on input (x,T) compute the output y in T sequential steps, together with a proof certifying the output was correctly computed. A security requirement is that one cannot compute y making much fewer than T sequential steps even given massive parallelism, thus the time required to compute an output grows linearly in T. The only practical VDFs are based on squaring in groups of unknown order (like RSA or class groups), i.e., on input (x,T), the output is y=x^(2^T) together with a proof of exponentiation (PoE) certifying its correctness. In this talk I will sketch the two constructions of PoE-based VDFs (Wesolowski [Eurocrypt'19] and Pietrzak [ITCS'19]) and some unexpected applications to privacy (using OR-proofs to construct deniable schemes), computational number theory (certifying giant non-primes) and complexity (proving hardness of NASH).
14:30 - 15:00 Prof. Ignacio Cascudo (IMDEA Madrid):
Verifiable Secret Sharing from Symmetric Key Cryptography with Improved Optimistic Complexity
Abstract: We propose verifiable secret sharing (VSS) schemes secure for any honest majority in the synchronous model, and that only use symmetric-key cryptographic tools (in fact, only random oracles), therefore having plausibly post-quantum security. Compared to the state-of-the-art scheme with these features, our main improvement lies in the complexity of the “optimistic” scenario where the dealer and all but a small number of receivers behave honestly in the sharing phase. This VSS protocol is of interest in multiparty computations where each party runs one VSS as a dealer, such as distributed key generation protocols. Our main technical handle is a distributed zero-knowledge proof of "low degreeness" of a polynomial where the statement is distributed among several verifiers, each knowing one evaluation. Using folding techniques similar to FRI we construct such a proof where each verifier receives polylogarithmic information and runs in polylogarithmic time. This talk is based on joint work with Daniele Cozzo and Emanuele Giunta, published in Asiacrypt 24.
15:00 - 15:30 Break
15:30 - 16:00 Prof. Marten van Dijk (CWI & VU):
Can we protect our private data in the Machine Learning age?
Abstract: Whether we can protect our private data in the current landscape of AI evolution is a complex question. We will show how the timelines of AI development, various techniques for confidential computing towards transition-to-practice (T2P), and governance and policy have started to come together. In order to achieve T2P of confidential computing for AI, more research and work needs to be done for a prolonged time period. Also, we observe that differential privacy has not led to its promise for training deep neural networks and we discuss alternative approaches.
16:00 - 16:30 Prof. Eike Kiltz (RUB):
Claws and PAKEs
Abstract: We extend the classical concept of Claw-Free Trapdoor Functions (introduced by Goldwasser, Micali, and Rivest in 1984, and later refined by Damgård in 1988) to encompass multiple claws. Building on this generalization, we demonstrate how multi-claws enable stronger security guarantees for the CPace Password-Authenticated Key Exchange protocol, as standardized by the IRTF CFRG. We also show how this new perspective ties in with questions of post-quantum security.
16:30 - 17:00 Break
17:00 - Rump Session including Cocktails & Snack
(short impromptu talks/announcements/entertainment)
Master of Ceremony: Dr. Niek Bouman (Roseman Labs)
Tuesday, September 16 at *KNAW*, Het Trippenhuis
Kloveniersburgwal 29, Amsterdam
9:30 - 10:00 Walk in and coffee at KNAW
10:00 - 10:30 Prof. Dennis Hofheinz (ETH Zurich):
Hash Proof Systems: Yesterday, Today, Tomorrow
Abstract: This talk showcases the technical tool of hash proof systems, as developed by Cramer and Shoup, in cryptography. We both take a look at the definition of hash proof systems (and mention several variants), and their applications. This talk also has a personal perspective: I have learned about hash proof systems during my time as a postdoc at CWI, and they have since proved to be a highly useful tool in my technical toolbox.
10:30 - 11:00 Prof. Thijs Veugen (TNO & U Twente):
Secure Floating Points with MPC
Abstract: Secure multi-party computation (MPC) and homomorphic encryption are very powerful tools to compute with secret numbers without revealing inputs or any intermediate values. To securely achieve high accuracy with varying number sizes, one needs to work with floating points in the secret (secret-shared or encrypted) domain. The main bottleneck of secure floating points is addition. We improve its efficiency by designing a protocol for multiple additions, using standard building blocks available in most MPC platforms. The more additions n were combined, the larger the relative gain, up to a factor 13 with n = 1,024. Additionally, we introduce a new protocol for securely computing the bitlength (given upper bound M), the first one with linear time complexity and constant round complexity. It reduces secure multiplications with a factor 4 (for the constant-round solution), or the number of communication rounds with a factor M/2 (for the logarithmic-round solution). We evaluate accuracy, execution time and communication complexity of our protocols, and released them open source, such that they can be broadly used to improve the efficiency of secure floating-point arithmetic.
11:00 - 11:30 Break
11:30 - 12:00 Dr. André Schrottenloher (INRIA Rennes):
Convolution-Based Quantum Cryptanalysis
Abstract: Quantum algorithms are known to solve some cryptographic problems with significant advantage over classical algorithms. In this talk, we will focus on the following problem: given two complex-valued Boolean functions, find the highest value of their discrete convolution. By leveraging the Quantum Fourier Transform, it is indeed possible to compute convolutions "quantumly" (with some restrictions), leading to some non-trivial quantum speedups. After introducing the general algorithm, we will look at two applications in the cryptanalysis of block ciphers, where the key-recovery can be rephrased as such a convolution problem. The first application is linear cryptanalysis, where convolutions have long been used to speed up classical key-recovery attacks, and can now be used in quantum cryptanalysis as well. The second application is differential cryptanalysis, which is less immediate and more technical. We will discuss the challenges and possible further applications of this technique.
12:00 - 12:30 Dr. Wessel van Woerden (PQShield & U Bordeaux):
A Short Survey of Cryptography Based on the Lattice Isomorphism Problem (LIP)
Abstract: Four years ago, the Lattice Isomorphism Problem (LIP) was introduced as a new hardness assumption in cryptography. Since then, many follow-up works have appeared, and in this talk I will try to give a short survey of these. We will dive into problem variants of LIP, their cryptanalysis, basic and more advanced cryptographic schemes based on LIP, and some foundational results.
12:30 - 14:00 Lunch
14:00 - 14:30 Prof. Carles Padró (UPC Barcelona):
From Combinatorics to Secret Sharing and Back
Abstract: From the outset, research in secret sharing has benefited from well-established areas of combinatorics, especially matroid theory. In this process, a number of open problems were posed that gave rise to relevant developments in matroid theory. Several old and recent examples of this interaction will be discussed.
14:30 - 15:00 Milan Boutros (ENS Lyon):
Exceptional Cliques of Integer Matrices
Abstract: Exceptional cliques are sets of elements in a ring whose pairwise differences are invertible. They are intriguing because they connect various branches of mathematics, including number theory, projective geometry, and graph theory. Initially introduced by H.W. Lenstra to construct new large Euclidean fields, they have since found applications in cryptography, particularly in secret sharing schemes. In this talk, we will focus on exceptional cliques in the rings of matrices with integer coefficients. They are relevant to black-box secret sharing, which was introduced by Desmedt & Frankel (1994), and also found applications to zero-knowledge proofs, as shown by Cascudo & Bartoli (PKC 2024). We show an overview of known results and present recent findings: a new class of non-commutative exceptional cliques (breaking previous records), new upper bounds in the commutative case, and a fruitful geometric interpretation of known commutative cliques.
15:00 - 15:30 Break
15:30 - 16:00 Dr. Joppe Bos (NXP):
Securing the Future: Industry Perspectives on Post-Quantum Cryptography
Abstract: Quantum computing threatens the cryptographic foundations of today’s digital systems. This talk offers an industry view on the shift to post-quantum cryptography (PQC), highlighting recent standards, practical challenges in constrained environments, and the concept of crypto agility. We also discuss how academic research can support and accelerate real-world adoption, bridging the gap between theoretical innovation and industrial implementation.
16:00 - 16:30 Prof. Ivan Damgård (Aarhus U):
Some New Results in You-Only-Speak-Once (YOSO) Secure Multiparty Computation
Abstract: We give a short introduction to the You Only Speak Once (YOSO) model for MPC, and then look at some recent results showing how to do the first asynchronous and adaptively secure YOSO MPC based on the Paillier/Damgård-Jurik cryptosystem. We provide a full-stack implementation of all tools needed, including Role Assignment and Total Order Broadcast. The communication complexity of a secure multiplication is linear in the total number of parties. Joint work with Simon Kamp, Julian Loss and Jesper Buus Nielsen.
16:30 - 19:00 Drinks & Dinner