Summer 2018 Crypto Day

Date: Friday, May 25th
Location: George Mason University, 4201 Volgenau School of Engineering.
Parking: $15 Parking. Or $8 Parking, which requires creating an account.
Shuttle: from Vienna Metro station (Metro to Sandy Creek).
Time: 9-5

Program (subject to change):

  • 9-9:40AM: Welcome breakfast
  • 9:40-11AM:  Aria Shahverdi.
    • Title: On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption.
  • 11AM-12:20PM: Hong-Sheng Zhou.
    • Title: How to mimic Nakamoto’s design via proof-of-stake.
  • 12:20PM-2PM: Lunch (on your own)
  • 2pm-3:20pm: Mohammad Hajiabadi.
    • Title: Trapdoor Functions From the Computational Diffie-Hellman Assumption
  • 3:20-4:40pm: Mohammad Zaheri.
    • Title: On Instantiability of RSA-OAEP and Variants

Speaker: Aria Shahverdi.
Title: On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption.
Abstract:  We consider the leakage resilience of the Ring-LWE analogue of the Dual-Regev encryption scheme (R-Dual-Regev for short), originally presented by Lyubashevsky et al. (Eurocrypt ’13). Specifically, we would like to determine whether the R-Dual-Regev encryption scheme remains IND-CPA secure, even in the case where an attacker leaks information about the secret key. We consider the setting where R is the ring of integers of the m-th cyclotomic number field, for m which is a power-of-two, and the Ring-LWE modulus is set to q≡1 mod m. This is the common setting used in practice and is desirable in terms of the efficiency and simplicity of the scheme. Unfortunately, in this setting Rq is very far from being a field so standard techniques for proving leakage resilience in the general lattice setting, which rely on the leftover hash lemma, do not apply. Therefore, new techniques must be developed. In this work, we put forth a high-level approach for proving the leakage resilience of the R-Dual-Regev scheme, by generalizing the original proof of Lyubashevsky et al. (Eurocrypt ’13). We then give three instantiations of our approach, proving that the R-Dual-Regev remains IND-CPA secure in the presence of three natural, non-adaptive leakage classes. Joint work with: Dana Dachman-Soled, Huijing Gong and Mukul Kulkarni.

Speaker: Hong-Sheng Zhou.
Title: How to mimic Nakamoto’s design via proof-of-stake.
Abstract: Cryptocurrencies like Bitcoin and Ethereum have proven to be a phenomenal success. The underlying techniques hold a huge promise to change the future of financial transactions, and eventually our way of computation and collaboration. At the heart of the Bitcoin-like system is a blockchain, that records transactions between users in consecutive time windows. The blockchain is maintained in the open network environment i.e., the Internet, by a peer-to-peer network of nodes called miners via the so-called proof-of-work mechanism.

In this talk, I will first review Bitcoin’s proof-of-work based blockchain design, and present the main challenges in blockchain design. Then I will show how to construct blockchain protocols via alternative mechanisms such as proof-of-stake. Despite the fact that proof-of-stake related mechanisms have been intensively investigated for constructing blockchains in the past years, several issues remain. I will present the first natural mimics of Bitcoin’s design via proof-of-stake only: the constructions are simple without using any form of Byzantine fault tolerance, are adaptively secure, and can have post-quantum security.

If time permits, I will also discuss how to improve the performance of blockchain protocols. This talk is based on joint work with Lei Fan and Jonathan Katz.

Speaker: Mohammad Hajiabadi.

Title: Trapdoor Functions From the Computational Diffie-Hellman Assumption
Abstract: Trapdoor functions (TDFs) are a fundamental primitive in cryptography. Informally, trapdoor functions are a family of functions where each function in the family is easy to compute, but a randomly chosen function is hard to invert without knowledge of an associated trapdoor key.  Note that, unlike for public-key encryption, there is no randomness used in the function evaluation procedure.  The computational Diffie-Hellman (CDH) problem, which is the basis for the well-known Diffie-Hellman key agreement protocol, says that given a group generator g, as well as g^x and g^y for random x,y, it is hard to compute g^{xy}.  Whether CDH implies TDFs has been open for more than 30 years.  In this talk, I will present a positive solution to this problem.

Speaker: Mohammad Zaheri.
Title: On Instantiability of RSA-OAEP and Variants.
AbstractWe prove the first positive results about instantiability of RSA-OAEP under *chosen-ciphertext attack.*  We first show a partial instantiation result that G can be replaced with a pairwise independent hash function while the scheme retains IND-CCA2 security.  We then consider two variants of RSA-OAEP with slightly longer ciphertexts, called t-clear and s-clear, referring to the parts of the underlying transform’s output that encryption leaves in the clear.  The t-clear variant has been considered in prior work but ours is the first to consider s-clear.  Both variants retain IND-CCA2 security in the RO model, in the s-clear case if RSA is non-malleable with respect to the XOR function.  We prove t-clear is IND-CCA1 in the standard model if G and H are *extractable* in the sense of Canetti and Dakdouk (TCC 2009).  We prove s-clear is IND-CCA2 in the standard model under various assumptions, including that G meets a novel strengthening to the notion of hardcore function for RSA.  We find our result about s-clear to be the most surprising because the scheme itself is counter-intuitive.  This is joint work with Nairen Cao and Adam O’Neill.
Summer 2018 Crypto Day

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s