[crypto] Fwd: PROGRAM Crypto Working Group, November 29, 2019

R. Hirschfeld ray at unipay.nl
Wed Nov 20 14:07:15 CET 2019

-------- Original Message --------
Subject: PROGRAM Crypto Working Group, November 29, 2019
Date: 2019-11-20 11:51
From: Secretariaat DM <secdm at tue.nl>
To: Secretariaat DM <secdm at tue.nl>

Dear all,

Herewith I send you the program of the CWG-meeting on Friday, November 
29, 2019.

With kind regards,
Anita Klooster
secretary of the section Discrete Mathematics
Dept. of Mathematics and Computer Science
MF 6.101
Office hours: Monday and Wednesday 08.30-17.00 h / Friday 08.30-12.30 h
Tel.: +31 (0)40 2472254


Friday, November 29, 2019
De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht


10.45 - 11.30 hrs.   Jelle Don (CWI),
         Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model

11.30 - 11.45 hrs.   Coffee / tea break

11.45 - 12.30 hrs.   Andreas Hülsing (TU 
         Decisional second-preimage resistance: When does SPR imply PRE?

12.30 - 14.00 hrs.   Lunch break (lunch not 

14.00 - 14.45 hrs.   Benoît Viguier (RU 
         A Coq proof of the correctness of X25519 in TweetNaCl

14.45 - 15.00 hrs.   Coffee / tea break

15.00 - 15.45 hrs.   Marloes Venema (RU 
         How to Break Attribute-Based Encryption

Abstract talk Jelle Don: Security of the Fiat-Shamir Transformation in 
the Quantum Random-Oracle Model
The Fiat-Shamir transformation is a well-known and widely used method to 
turn sigma-protocols into non-interactive proof systems or signature 
schemes. A generic security reduction was previously known only in the 
random-oracle model, which is insufficient for the post-quantum setting. 
In our recent paper [1] we give such a reduction in the *quantum* 
random-oracle model, at a loss quadratic in the number of queries made 
by the adversary. The proof involves a new technique that allows for 
adaptive reprogramming of the oracle. We furthermore introduce the 
property 'quantum computational unique responses' and show how it can be 
used for quantum rewinding, which is required for the standard security 
reduction of sigma-protocols. In this talk, I will discuss these results 
and their implications, and sketch the intuition behind the proofs.
[1] Don, Fehr, Majenz, Schaffner, Security of the Fiat-Shamir 
Transformation in the Quantum Random-Oracle Model, Crypto 2019
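The transformation the abstract refers to, as an added example that is not part of the announcement or of the paper: the three-move Schnorr sigma-protocol (prove knowledge of x with y = g^x) is first run interactively, then made non-interactive by deriving the challenge from a hash of the public statement, the commitment and a message, which turns it into a signature scheme. The group is a toy-sized safe-prime subgroup generated at run time; all function names, the SHA-256 choice and the length-prefixed hash encoding are assumptions of this example, and the quantum-random-oracle analysis itself is of course not reproduced here.

```python
"""Fiat-Shamir transform of the Schnorr sigma-protocol (added example, toy parameters).

Schnorr proves knowledge of x with y = g^x in the order-q subgroup of Z_p^*,
p = 2q + 1.  Fiat-Shamir replaces the verifier's random challenge c by a hash
of the public statement, the commitment and (for a signature) the message, so
the prover finishes alone and any verifier can re-derive c.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with fixed small bases first, then random ones."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for i in range(rounds):
        a = SMALL_PRIMES[i] if i < len(SMALL_PRIMES) else 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits: int = 64):
    """(p, q, g): p = 2q + 1 prime, g of order q.  Toy size for the demo only;
    a deployment would use a standardised group or an elliptic curve."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(2 + secrets.randbelow(p - 3), 2, p)  # squares lie in the order-q subgroup
        if g != 1:
            return p, q, g


def keygen(p, q, g):
    """Secret x in [1, q-1], public statement y = g^x."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


# --- the three moves of the interactive sigma-protocol ---------------------
def commit(p, q, g):
    """Prover picks r and sends t = g^r."""
    r = 1 + secrets.randbelow(q - 1)
    return r, pow(g, r, p)


def respond(q, x, r, c):
    """Prover answers challenge c with s = r + c*x mod q."""
    return (r + c * x) % q


def verify_transcript(p, q, g, y, t, c, s):
    """Verifier accepts (t, c, s) iff g^s == t * y^c (mod p)."""
    return pow(g, s, p) == t * pow(y, c, p) % p


# --- Fiat-Shamir: the challenge becomes a hash of the transcript -----------
def fs_challenge(p, q, g, y, t, msg: bytes) -> int:
    """c = H(group || y || t || msg) mod q.  The statement y is hashed together
    with the commitment t (the 'strong' form of the transform); every field is
    length-prefixed so distinct inputs cannot collide after concatenation."""
    h = hashlib.sha256()
    for v in (p, q, g, y, t):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    h.update(len(msg).to_bytes(4, "big") + msg)
    return int.from_bytes(h.digest(), "big") % q


def sign(p, q, g, x, y, msg: bytes):
    """Non-interactive proof of knowledge of x bound to msg, i.e. a signature."""
    r, t = commit(p, q, g)
    c = fs_challenge(p, q, g, y, t, msg)
    return t, respond(q, x, r, c)


def verify(p, q, g, y, msg: bytes, sig) -> bool:
    """Range-check the signature, recompute c, run the sigma-protocol check."""
    t, s = sig
    if not (1 <= t < p and 0 <= s < q):
        return False
    return verify_transcript(p, q, g, y, t, fs_challenge(p, q, g, y, t, msg), s)


def demo():
    """Sign a constructed message; return (valid, valid_after_tampering)."""
    p, q, g = gen_group()
    x, y = keygen(p, q, g)
    sig = sign(p, q, g, x, y, b"constructed sample message")
    return (verify(p, q, g, y, b"constructed sample message", sig),
            verify(p, q, g, y, b"tampered message", sig))
```

`demo()` returns `(True, False)`: the signature verifies against the message it was bound to and fails once the message, and therefore the recomputed challenge, changes. The interactive pieces (`commit`, `respond`, `verify_transcript`) are kept separate from `sign`/`verify` so the only difference between the two protocols, where the challenge comes from, is visible in the code.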

Abstract talk Andreas Hülsing: Decisional second-preimage resistance: 
When does SPR imply PRE?

There is a well-known gap between second-preimage resistance and 
preimage resistance for length-preserving hash functions. This paper 
introduces a simple concept that fills this gap. One consequence of this 
concept is that tight reductions can remove interactivity for 
multi-target length-preserving preimage problems, such as the problems 
that appear in analyzing hash-based signature systems. Previous 
reduction techniques applied to only a negligible fraction of all 
length-preserving hash functions, presumably excluding all off-the-shelf 
hash functions.

Abstract talk Benoît Viguier: A Coq proof of the correctness of X25519 
in TweetNaCl

We formally prove that the C implementation of the X25519 key-exchange 
protocol in the TweetNaCl library is correct. We prove both that it 
correctly implements the protocol from Bernstein's 2006 paper, as 
standardized in RFC 7748, as well as the absence of undefined behavior 
like arithmetic overflows and array out of bounds errors. We also 
formally prove, based on the work of Bartzia and Strub, that X25519 is 
mathematically correct, i.e., that it correctly computes scalar 
multiplication on the elliptic curve Curve25519.
The proofs are all computer-verified using the Coq theorem prover. To 
establish the link between C and Coq we use the Verified Software 
Toolchain (VST).
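For readers who want to see what "the protocol from Bernstein's 2006 paper, as standardized in RFC 7748" computes, here is an added pure-Python transcription of the RFC 7748 X25519 algorithm. It is example code, not TweetNaCl's C implementation and not the Coq development the abstract describes; it is the sort of executable specification a verified C implementation gets related to. Function names (`decode_scalar`, `x25519`, `public_key`, `shared_secret`, `demo`) are this example's own; the constants, clamping rules, ladder steps and the optional all-zero output check come from RFC 7748. Python integers are unbounded, so the arithmetic overflows and out-of-bounds accesses the Coq proof rules out for the C code simply do not arise here, and the conditional swap is branch-free in form only, not constant-time.

```python
"""X25519 per RFC 7748 (added example in pure Python, not TweetNaCl's code)."""

P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # (A - 2) / 4 for the Montgomery curve v^2 = u^3 + 486662 u^2 + u
BASE_U = 9        # u-coordinate of the base point


def decode_scalar(k: bytes) -> int:
    """Clamp (RFC 7748 sec. 5): clear the low 3 bits, clear bit 255, set bit 254."""
    if len(k) != 32:
        raise ValueError("scalar must be 32 bytes")
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    """Little-endian u-coordinate; X25519 masks the top bit and must accept
    non-canonical encodings as if reduced modulo p."""
    if len(u) != 32:
        raise ValueError("u-coordinate must be 32 bytes")
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little") % P


def encode_u(u: int) -> bytes:
    return (u % P).to_bytes(32, "little")


def cswap(swap: int, a: int, b: int):
    """Swap iff swap == 1, written as a mask rather than a branch (the C code
    must do this in constant time; Python integers give no such guarantee)."""
    dummy = (0 - swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k * (u, v), RFC 7748 sec. 5."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # Fermat inversion of z2


def x25519_bytes(k: bytes, u: bytes) -> bytes:
    return encode_u(x25519(decode_scalar(k), decode_u(u)))


def public_key(sk: bytes) -> bytes:
    return x25519_bytes(sk, encode_u(BASE_U))


def shared_secret(sk: bytes, peer_pk: bytes) -> bytes:
    """DH output; the all-zero check is the optional low-order-point test
    that RFC 7748 sec. 6.1 says implementations MAY perform."""
    out = x25519_bytes(sk, peer_pk)
    if out == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return out


def demo() -> bool:
    """Round trip with two constructed private keys (not from any standard)."""
    a, b = bytes(range(32)), bytes(range(32, 64))
    return shared_secret(a, public_key(b)) == shared_secret(b, public_key(a))
```

`demo()` returns `True`: both parties derive the same shared secret from their own private key and the other side's public key. The `cswap` helper shows why the C code is subtle: the ladder's control flow must not depend on scalar bits, which is exactly the kind of property the Coq work checks at the C level rather than trusting by inspection.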

Abstract talk Marloes Venema: How to Break Attribute-Based Encryption

Attribute-based encryption (ABE) is a type of public-key cryptography 
that associates key-pairs with attributes rather than identities. For 
this reason, many users can possess secret keys for one or more of the 
same attributes. Additionally, users might want to collude by pooling 
their secret keys together such that they might be able to decrypt 
ciphertexts that they cannot decrypt individually. This is not allowed 
in secure ABE. Because both the ciphertexts and the secret keys require 
strong security guarantees, designing provably secure ABE is difficult. 
As a result, several ABE schemes are broken despite having security 
proofs. In this talk, I will show how to make and break ABE, and how 
(crypt)analysis of an ABE scheme can be simplified by reducing schemes 
to an efficient and structured notation.
