[crypto] Fwd: PROGRAM Crypto Working Group, November 29, 2019
R. Hirschfeld
ray at unipay.nl
Wed Nov 20 14:07:15 CET 2019
-------- Original Message --------
Subject: PROGRAM Crypto Working Group, November 29, 2019
Date: 2019-11-20 11:51
From: Secretariaat DM <secdm at tue.nl>
To: Secretariaat DM <secdm at tue.nl>
Dear all,
Herewith I send you the program of the CWG-meeting on Friday, November
29, 2019.
With kind regards, / Met vriendelijke groeten,
Anita Klooster
secretary of the section Discrete Mathematics
Dept. of Mathematics and Computer Science
MF 6.101
Office hours: Monday and Wednesday 08.30-17.00 h / Friday 08.30-12.30 h
Tel.: +31 (0)40 2472254
CRYPTO WORKING GROUP
Friday, November 29, 2019
De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht
Program
10.45 - 11.30 hrs. Jelle Don (CWI), Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
11.30 - 11.45 hrs. Coffee / tea break
11.45 - 12.30 hrs. Andreas Hülsing (TU Eindhoven), Decisional second-preimage resistance: When does SPR imply PRE?
12.30 - 14.00 hrs. Lunch break (lunch not included)
14.00 - 14.45 hrs. Benoît Viguier (RU Nijmegen), A Coq proof of the correctness of X25519 in TweetNaCl
14.45 - 15.00 hrs. Coffee / tea break
15.00 - 15.45 hrs. Marloes Venema (RU Nijmegen), How to Break Attribute-Based Encryption
Abstract talk Jelle Don: Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
The Fiat-Shamir transformation is a well-known and widely used method to
turn sigma-protocols into non-interactive proof systems or signature
schemes. A generic security reduction was previously known only in the
random-oracle model, which is insufficient for the post-quantum setting.
In our recent paper [1] we give such a reduction in the *quantum*
random-oracle model, at a loss quadratic in the number of queries made
by the adversary. The proof involves a new technique that allows for
adaptive reprogramming of the oracle. We furthermore introduce the
property 'quantum computational unique responses' and show how it can be
used for quantum rewinding, which is required for the standard security
reduction of sigma-protocols. In this talk, I will discuss these results
and their implications, and sketch the intuition behind the proofs.
[1] Don, Fehr, Majenz, Schaffner, Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model, Crypto 2019
Abstract talk Andreas Hülsing: Decisional second-preimage resistance: When does SPR imply PRE?
There is a well-known gap between second-preimage resistance and
preimage resistance for length-preserving hash functions. This paper
introduces a simple concept that fills this gap. One consequence of this
concept is that tight reductions can remove interactivity for
multi-target length-preserving preimage problems, such as the problems
that appear in analyzing hash-based signature systems. Previous
reduction techniques applied to only a negligible fraction of all
length-preserving hash functions, presumably excluding all off-the-shelf
hash functions.
Abstract talk Benoît Viguier: A Coq proof of the correctness of X25519 in TweetNaCl
We formally prove that the C implementation of the X25519 key-exchange
protocol in the TweetNaCl library is correct. We prove both that it
correctly implements the protocol from Bernstein's 2006 paper, as
standardized in RFC 7748, as well as the absence of undefined behavior
like arithmetic overflows and array out of bounds errors. We also
formally prove, based on the work of Bartzia and Strub, that X25519 is
mathematically correct, i.e., that it correctly computes scalar
multiplication on the elliptic curve Curve25519.
The proofs are all computer-verified using the Coq theorem prover. To
establish the link between C and Coq we use the Verified Software
Toolchain (VST).
Abstract talk Marloes Venema: How to Break Attribute-Based Encryption
Attribute-based encryption (ABE) is a type of public-key cryptography
that associates key-pairs with attributes rather than identities. For
this reason, many users can possess secret keys for one or more of the
same attributes. Additionally, users might want to collude by pooling
their secret keys together such that they might be able to decrypt
ciphertexts that they cannot decrypt individually. This is not allowed
in secure ABE. Because both the ciphertexts and the secret keys require
strong security guarantees, designing provably secure ABE is difficult.
As a result, several ABE schemes are broken despite having security
proofs. In this talk, I will show how to make and break ABE, and how
(crypt)analysis of an ABE scheme can be simplified by reducing schemes
to an efficient and structured notation.
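The Fiat-Shamir transformation that Jelle Don's abstract refers to, as an added example (not code from the mailing-list post or from the cited paper): a Schnorr sigma protocol (commit, challenge, respond) is made non-interactive by replacing the verifier's random challenge with a hash of the statement, the commitment and the message, which is exactly how a Schnorr-style signature arises. The group parameters P, Q, G are constructed toy values, far too small for real use, and the function names are this example's own.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (insecure size): p = 2q + 1 with p, q prime,
# and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4


def keygen(rng=secrets.randbelow):
    """Secret key x in [1, q), public key y = g^x mod p."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)


def challenge(y, commitment, message):
    """Fiat-Shamir: the verifier's random challenge becomes a hash.  Binding
    the statement (group, public key) and the message into the hash is the
    'strong' form of the transform.  The challenge is kept as a 256-bit
    integer; pow() reduces it mod q inside the exponent arithmetic."""
    data = b"|".join(str(v).encode() for v in (P, Q, G, y, commitment))
    return int.from_bytes(hashlib.sha256(data + b"|" + message).digest(), "big")


def sign(x, y, message, rng=secrets.randbelow):
    """Sigma protocol run non-interactively: the prover answers its own hash."""
    r = 1 + rng(Q - 1)            # commitment randomness, fresh per signature
    t = pow(G, r, P)              # commitment t = g^r
    c = challenge(y, t, message)  # replaces the verifier's coin
    s = (r + c * x) % Q           # response s = r + c*x mod q
    return c, s


def verify(y, message, sig):
    """Recover the commitment from (c, s) and check that the hash closes."""
    c, s = sig
    if not (1 < y < P and pow(y, Q, P) == 1):  # y must lie in the subgroup
        return False
    if not (0 <= s < Q and c >= 0):
        return False
    # g^s * y^(-c) = g^(r + cx) * g^(-cx) = g^r = t
    t = pow(G, s, P) * pow(y, (-c) % Q, P) % P
    return challenge(y, t, message) == c


if __name__ == "__main__":
    sk, pk = keygen()
    print(verify(pk, b"CWG 2019-11-29", sign(sk, pk, b"CWG 2019-11-29")))
```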