[crypto] Fwd: [CWG] Program for Crypto Working Group March 14

R. Hirschfeld ray at unipay.nl
Thu Mar 13 11:08:28 CET 2025



-------- Original Message --------
Subject: [CWG] Program for Crypto Working Group March 14
Date: 2025-03-13 11:01
From: Hülsing, Andreas <a.t.huelsing at tue.nl>

Dear Crypto Working Group Participant,

Please find below the schedule for our meeting this Friday, 14 March (tomorrow), at the Kargadoor in Utrecht.
Apologies for the late notice (we are helpless without our support staff). We hope to still see many of you tomorrow.

Best regards,

Alessandro, Andreas, Simona, Tanja & Zeki


10:45h
On the Insecurity of Bloom Filter-Based Private Set Intersections
Jorrit van Assen

Private set intersections are cryptographic protocols that compute the intersection of multiple parties' private sets without revealing elements that are not in the intersection. These protocols become less efficient when the number of parties grows, or the size of the sets increases. For this reason, many protocols are based on Bloom filters, which speed up the protocol by approximating the intersections, introducing false positives with a small but non-negligible probability.

In this work, we show that an adversary can abuse false positives of the Bloom filters to leak information about parties' private sets. We show that even in the most optimistic setting, Bloom filter-based private set intersections cannot securely realize an approximate private set intersection unless the parameters are so large that false positives only occur with negligible probability. We demonstrate a practical attack on small parameters that lets a party learn if an element is contained in a victim's private set. We conclude that the efficiency gain of using Bloom filters as an approximation in existing protocols vanishes when accounting for this security problem. Furthermore, we discuss possible mitigations besides choosing larger parameters.
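An added illustration of the parameter trade-off the abstract describes (my own code, not part of the talk or this announcement): a small Bloom filter over a constructed 100-element set, its expected versus measured false positive rate, and the filter size needed before false positives become negligible. The SHA-256-based hash construction and the 2^-40 "negligible" threshold are assumptions made for the example.

```python
import hashlib
import math


class BloomFilter:
    """Plain Bloom filter: m bits, k hash positions derived from SHA-256 (assumed construction)."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, item: bytes):
        # k independent positions: hash a counter prefix together with the item
        for i in range(self.k):
            h = hashlib.sha256(i.to_bytes(4, "big") + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        # all k bits set: true for every member, and for a false positive
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))


def expected_fp_rate(m: int, k: int, n: int) -> float:
    """Standard approximation of the false positive rate after inserting n items."""
    return (1 - math.exp(-k * n / m)) ** k


def measured_fp_rate(m: int, k: int, n: int, trials: int) -> float:
    """Insert n constructed members, then probe `trials` non-members and count hits."""
    bf = BloomFilter(m, k)
    for i in range(n):
        bf.add(b"member-%d" % i)  # constructed sample set
    hits = sum(1 for j in range(trials) if b"probe-%d" % j in bf)
    return hits / trials


def bits_for_negligible_fp(n: int, log2_fp: int) -> tuple[int, int]:
    """Smallest m (with the optimal k) so that the expected FP rate is at most 2^-log2_fp."""
    p = 2.0 ** -log2_fp
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))  # m = -n ln p / (ln 2)^2
    k = max(1, round(m / n * math.log(2)))  # k = (m / n) ln 2
    return m, k


if __name__ == "__main__":
    print("small filter (m=1024, k=3, n=100): expected %.4f, measured %.4f"
          % (expected_fp_rate(1024, 3, 100), measured_fp_rate(1024, 3, 100, 10_000)))
    print("bits needed for FP <= 2^-40 with n=100:", bits_for_negligible_fp(100, 40))
```

For 100 elements the small filter reports roughly one non-member in sixty as present, while pushing the rate to 2^-40 needs more than 5700 bits and about 40 hash evaluations per element, which is the point at which the abstract says the efficiency gain disappears.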

11:30h - coffee break

11:45h
Symmetric Key Exchange: Lightweight alternatives for a Post-quantum IoT
Bor De Kock

Symmetric cryptographic primitives such as AES are simple, efficient and secure – even in a post-quantum world – which makes them interesting for a variety of purposes where we need secure encryption, but with strong constraints on computing power and storage. Traditionally a downside of these algorithms has been their static, long-term keys, making it hard to achieve security properties such as forward secrecy without negotiating a new key every time.

In this talk we will look at a number of protocols that achieve symmetric authenticated key exchange: we propose new methods of key evolution that guarantee full forward secrecy, while also taking care of key synchronization between the involved parties. This makes them very suitable for IoT devices, or other settings where efficient post-quantum cryptography is required.

12:30h lunch

14:00h
Algorithms for equivalence problems
Simona Samardjiska

In the past few years, there has been an increased interest in hard equivalence problems, especially with NIST's fourth round for new designs of digital signatures. On a high level, such a problem can be defined as follows: Given two algebraic objects, find - if any - an equivalence that maps one object into the other. Several instantiations have been considered for cryptographic purposes, for example - Isomorphism of polynomials (Patarin '96), Code equivalence (Biasse et al. '20), Matrix Code equivalence (Chou et al. '22), Alternating trilinear form equivalence (Tang et al. '22), Lattice isomorphism (Ducas & van Woerden '22). All of these problems are believed to be hard even for quantum adversaries. Conveniently, they can generically be used to build a Sigma protocol and further a post-quantum secure signature using the Fiat-Shamir transform.

In this talk I will consider a class of equivalence problems that can be seen as an instance of the Tensor Isomorphism problem. I will discuss their theoretical and practical hardness, the state-of-the-art algorithms for solving them, as well as some open questions that could help better understand the complexity of this problem.

14:45h coffee and end of activities
