Christoph Striecks

AIT Austrian Institute of Technology, Cyber Security, Giefinggasse 4, 1220 Vienna, Austria, first name dot last name at ait dot ac dot at

Cryptography researcher in the Cyber Security team at AIT Austrian Institute of Technology in Vienna, Austria’s largest Research and Technology Organization (RTO).

My professional focus lies in cryptographic technologies (such as end-to-end encryption, secure data sharing and computation on data, and authentication) with strong provable security guarantees and applications to concrete real-world problems (such as Big Data, Cloud, and transition to post-quantum systems).

In 2015, I received my PhD (Dr. rer. nat.) in cryptography from the Karlsruhe Institute of Technology (KIT) in Germany under the supervision of Prof. Dennis Hofheinz and second doctoral thesis appraiser Prof. Eike Kiltz on scalable identity-based encryption, short digital signatures, and modular revocation schemes. Larger-scale teaching activities included Algorithms I (lab, SS 2015) and IT security (lab, SS 2013), encompassed by several smaller-scale seminars and labs on the topic of cryptography.

In 2010, I received my Diploma in computer science from the Technical University of Braunschweig in Germany with a major in cryptography and software engineering. From March to September 2008, I worked as a software-development intern for Siemens USA in Princeton, New Jersey.

Program committees: Security Standardisation Research Conference 2023, CANS 2022, ARES 2022 (Workshop on Security, Privacy, and Identity Management in the Cloud), SICHERHEIT 2022, ARES 2020 (Workshop on Industrial Security and IoT), SICHERHEIT 2020, IMA International Conference on Cryptography and Coding 2019, IFIP Summer School on Privacy and Identity Management 2019, ARES 2019 (Workshop on Industrial Security and IoT), IFIP Summer School on Privacy and Identity Management 2018, and SICHERHEIT 2018 (Doktorandenforum).

Further main reviewing activities: EUROCRYPT 2023, PKC 2023, Designs, Codes and Cryptography 2022, ASIACRYPT 2022, CRYPTO 2022, ICALP 2022, IEEE Symposium on Security and Privacy 2022, ACM CCS 2022, EUROCRYPT 2022, IEEE Transactions on Information Forensics and Security 2022, IEEE Transactions on Dependable and Secure Computing 2022, ASIACRYPT 2021, IEEE Transactions on Dependable and Secure Computing 2021, USENIX Security 2021, CT-RSA 2021, ACM CCS 2020, PKC 2020, CRYPTO 2019, EuroS&P 2018, PKC 2018, SAC 2017, PKC 2017, ASIACRYPT 2016, PKC 2016, and ASIACRYPT 2015, among others.

Main projects: PROFET (FWF, netidee SCIENCE, 2019-2023), COMP4DRONES (EU HORIZON 2020, ECSEL, 2019-2023), SECREDAS (EU HORIZON 2020, ECSEL, 2018-2021), IoT4CPS (FFG and BMK, ICT of the Future, 2017-2020), PRISMACLOUD (EU HORIZON 2020, 2015-2018), CREDENTIAL (EU HORIZON 2020, 2015-2018).

Other activities: I was involved in the standardization process of ETSI STF 529 within ETSI TC CYBER (on Attribute-Based Encryption for access control and data privacy). Moreover, I am a member of the International Association for Cryptologic Research (IACR).

Blog post: Together with my colleagues Sebastian Ramacher and Daniel Slamanig, I wrote a series of blog posts on Puncturable Encryption for fine-grained forward security in public-key encryption. See here for Part I (Introduction and Motivation) and here for Part II (Techniques and State-of-the-Art), and here for Part III (Applications and Implementation).

news

Dec 12, 2022	From 7 to 9 December, I visited Dominique Schröder’s group at Friedrich-Alexander-Universität Erlangen-Nürnberg and gave a presentation on Forward Security.
Oct 24, 2022	I will serve as a program committee member of the Security Standardisation Research Conference 2023.
Sep 24, 2022	From 19 to 23 September, I visited Dennis Hofheinz’ group at ETH Zurich and held a talk on Puncturable Encryption.
Apr 20, 2022	Last week, I attended Real World Crypto Symposium 2022 in Amsterdam and gave a contributed talk on Puncturable Encryption.
Mar 11, 2022	I will serve as a program committee member of CANS 2022.

selected publications

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

With David Derler, Kai Gellert, Tibor Jager, and Daniel Slamanig.

Journal of Cryptology, Volume 34, 2021.

Abstract URL PDF ePrint

Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (EUROCRYPT 2017). It is based on Puncturable Encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 seconds and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom Filter Encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes, and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.
Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based

With David Derler, Kai Samelin, and Daniel Slamanig.

NDSS 2019, San Diego, USA, February 24-27. (Invited to ACM Advances in Financial Technologies (AFT 2019) as highlights-track presentation.)

Abstract URL PDF ePrint Talk Slides

Blockchain technologies recently received a considerable amount of attention. While the initial focus was mainly on the use of blockchains in the context of cryptocurrencies such as Bitcoin, application scenarios now go far beyond this. Most blockchains have the property that once some object, e.g., a block or a transaction, has been registered to be included into the blockchain, it is persisted and there are no means to modify it again. While this is an essential feature of most blockchain scenarios, it is still often desirable—at times it may be even legally required–to allow for breaking this immutability in a controlled way. Only recently, Ateniese et al. (EuroS&P 2017) proposed an elegant solution to this problem on the block level. Thereby, the authors replace standard hash functions with so-called chameleon-hashes (Krawczyk and Rabin, NDSS 2000). While their work seems to offer a suited solution to the problem of controlled re-writing of blockchains, their approach is too coarse-grained in that it only offers an all-or-nothing solution. We revisit this idea and introduce the novel concept of policy-based chameleon-hashes (PBCH). PBCHs generalize the notion of chameleon-hashes by giving the party computing a hash the ability to associate access policies to the generated hashes. Anyone who possesses enough privileges to satisfy the policy can then find arbitrary collisions for a given hash. We then apply this concept to transaction-level rewriting within blockchains, and thus support fine-grained and controlled modifiability of blockchain objects. Besides modeling PBCHs, we present a generic construction of PBCHs (using a strengthened version of chameleon-hashes with ephemeral trapdoors which we also introduce), rigorously prove its security, and instantiate it with efficient building blocks. We report first implementation results.
Identity-Based Encryption with (Almost) Tight Security in the Multi-instance, Multi-ciphertext Setting

With Dennis Hofheinz, and Jessica Koch.

PKC 2015, Gaithersburg, MD, USA, March 30 - April 1. (Invited to the Journal of Cryptology.)

Abstract URL PDF ePrint

We construct an identity-based encryption (IBE) scheme that is tightly secure in a very strong sense. Specifically, we consider a setting with many instances of the scheme and many encryptions per instance. In this setting, we reduce the security of our scheme to a variant of a simple assumption used for a similar purpose by Chen and Wee (Crypto 2013). The security loss of our reduction is O(k)(where k is the security parameter). Our scheme is the first IBE scheme to achieve this strong flavor of tightness under a simple assumption. Technically, our scheme is a variation of the IBE scheme by Chen and Wee. However, in order to "lift" their results to the multi-instance, multi-ciphertext case, we need to develop new ideas. In particular, while we build on (and extend) their high-level proof strategy, we deviate significantly in the low-level proof steps.
Programmable Hash Functions in the Multilinear Setting

With Eduarda S. V. Freire, Dennis Hofheinz, and Kenneth G. Paterson.

CRYPTO 2013, Santa Barbara, USA, August 18-22.

Abstract URL PDF ePrint

We adapt the concept of a programmable hash function (PHF, Crypto 2008) to a setting in which a multilinear map is available. This enables new PHFs with previously unachieved parameters. To demonstrate their usefulness, we show how our (standard-model) PHFs can replace random oracles in several well-known cryptographic constructions. Namely, we obtain standard-model versions of the Boneh-Franklin identity-based encryption scheme, the Boneh-Lynn-Shacham signature scheme, and the Sakai-Ohgishi-Kasahara identity-based non- interactive key exchange (ID-NIKE) scheme. The ID-NIKE scheme is the first scheme of its kind in the standard model. Our abstraction also allows to derive hierarchical versions of the above schemes in settings with multilinear maps. This in particular yields simple and efficient hierarchical generalizations of the BF, BLS, and SOK schemes. In the case of hierarchical ID-NIKE, ours is the first such scheme with full security, in either the random oracle model or the standard model. While our constructions are formulated with respect to a generic multilinear map, we also outline the necessary adaptations required for the recent “noisy” multilinear map candidate due to Garg, Gentry, and Halevi.

selected talks

Puncturable Encryption - A Fine-Grained Approach to Forward Security and More

Real World Crypto Symposium 2022, Amsterdam, April 13-15.

Abstract URL Video Slides

Forward security is an essential design goal of modern cryptographic protocols with a long body of literature in several application domains such as interactive key-establishment protocols (prominently, in TLS 1.3), digital signatures, search on encrypted data, updatable cryptography, mobile Cloud backups, decentralized contact tracing, new approaches to Tor, and even novel distributed protocols such as Dfinity’s Internet Computer, among others. The well-known benefit of forward security is the mitigation of key leakage by evolving secret keys over epochs and thereby revoking access to prior-epoch ciphertexts. Such a strong security guarantee is highly recognized by industry to be included into security products (e.g., by companies such as Google, Apple, Meta, Microsoft, and Cloudflare), particularly resulting in over 99% of Internet sites surveyed by Qualys SSL Labs (https://www.ssllabs.com/ssl-pulse) support at least some form of forward security at the time of writing. Green and Miers (S&P 2015) initiated the studies of puncturable encryption (PE) as a new cryptographic primitive towards the strong form of non-interactive forward-secure encryption (in particular, without the need of any pre-shared key material). Already several follow-up works showed the versatility of such a concept yielding a rich abstraction of forward security investigated in a variety of (data-in-transit and data-at-rest) application domains such as 0-RTT key exchange with replay protection for TLS (Eurocrypt’17, Eurocrypt’18, Asiacrypt’20, JoC’21), Google’s QUIC (Cans’20), Searchable Encryption (CCS’17, CCS’18, NDSS’21), mobile Cloud backups (OSDI’20), Content Distribution Networks (Financial Crypto’21), Tor (PoPETS’20), and Updatable Encryption (ePrint’21). Loosely speaking, PE is a promising variant of public-key encryption that allows realizing the property of fine-grained and non-interactive forward security with several useful applications. This talk provides an exhausting overview to the concept of PE with motivation, presents state-of-the-art research on PE schemes, and discusses applications (such as 0-RTT key exchange with forward security and replay protection, and forward security for Content Delivery Networks). The overall goal is to make PE more accessible to the general audience and industry in a developer-friendly way, and also presenting new insights and results. The presentation builds on an existing blog post with the same title (https://profet.at/blog/pe).