Christoph Striecks

AIT Austrian Institute of Technology, Cyber Security, Giefinggasse 4, 1220 Vienna, Austria

Cryptography researcher in the Cyber Security team at AIT Austrian Institute of Technology in Vienna, Austria.

My professional focus lies in the area of privacy-enhancing cryptographic technologies (such as end-to-end encryption, secure selective data sharing and computation on data, and authentication) with applications to concrete real-world problems (such as Big Data, Cloud, and IoT).

In 2015, I received my PhD (Dr. rer. nat.) in cryptography from the Karlsruhe Institute of Technology (KIT) in Germany under the supervision of Prof. Dennis Hofheinz and second doctoral thesis appraiser Prof. Eike Kiltz on scalable identity-based encryption, short digital signatures, and modular revocation schemes. Larger-scale teaching activities included Algorithms I (lab, SS 2015) and IT security (lab, SS 2013), encompassed by several smaller-scale seminars and labs on the topic of cryptography.

In 2010, I received my Diploma in computer science from the Technical University of Braunschweig in Germany with a major in cryptography and software engineering. From March to September 2008, I worked as a software-development intern for Siemens USA in Princeton, New Jersey.

More recently, I was involved in the standardization process of ETSI STF 529 within ETSI TC CYBER (on Attribute-Based Encryption for access control and data privacy). Furthermore, I was part of the ENISA List of Experts for field B: ICT Security Standardisation and Certification in category 1) Applied Cryptography (Algorithms, Protocols, Standards). Moreover, I am a member of the International Association for Cryptologic Research (IACR).

Program committees: CANS 2022, ARES 2022 (Workshop on Security, Privacy, and Identity Management in the Cloud), SICHERHEIT 2022, ARES 2020 (Workshop on Industrial Security and IoT), SICHERHEIT 2020, IMA International Conference on Cryptography and Coding 2019, IFIP Summer School on Privacy and Identity Management 2019, ARES 2019 (Workshop on Industrial Security and IoT), IFIP Summer School on Privacy and Identity Management 2018, and SICHERHEIT 2018 (Doktorandenforum).

Further main reviewing activities: ASIACRYPT 2022, CRYPTO 2022, ICALP 2022, IEEE Symposium on Security and Privacy 2022, ACM CCS 2022, EUROCRYPT 2022, IEEE Transactions on Information Forensics and Security 2022, IEEE Transactions on Dependable and Secure Computing 2022, ASIACRYPT 2021, IEEE Transactions on Dependable and Secure Computing 2021, USENIX Security 2021, CT-RSA 2021, ACM CCS 2020, PKC 2020, CRYPTO 2019, EuroS&P 2018, PKC 2018, SAC 2017, PKC 2017, ASIACRYPT 2016, PKC 2016, and ASIACRYPT 2015, among others.

Main projects: PROFET (FWF, netidee SCIENCE Call #2, 2019-2023), COMP4DRONES (EU HORIZON 2020, ECSEL-2018-2, RIA, 2019-2023), SECREDAS (EU HORIZON 2020, ECSEL-2017-2, RIA, 2018-2021), IoT4CPS (FFG and BMK, ICT of the Future, 2017-2020), PRISMACLOUD (EU HORIZON 2020, ICT-32-2014, RIA, 2015-2018), CREDENTIAL (EU HORIZON 2020, DS-02-2014, IA, 2015-2018).

Together with my colleagues Sebastian Ramacher and Daniel Slamanig, I wrote a series of blog posts on Puncturable Encryption for fine-grained forward security in public-key encryption. See here for Part I (Introduction and Motivation) and here for Part II (Techniques and State-of-the-Art), and here for Part III (Applications and Implementation).

news

Sep 24, 2022	From 19 to 23 September, I visited Dennis Hofheinz’ group at ETH Zurich and held a talk on Puncturable Encryption.
Apr 20, 2022	Last week, I attended Real World Crypto Symposium 2022 in Amsterdam and gave a contributed talk on Puncturable Encryption.
Mar 11, 2022	I will serve as a program committee member of CANS 2022.
Nov 30, 2021	Accepted paper on Threshold Ring Signatures at the International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2022.
Nov 9, 2021	Accepted talk on Puncturable Encryption and Fine-Grained Forward Security at the Real World Crypto Symposium 2022.

selected publications

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

With David Derler, Kai Gellert, Tibor Jager, and Daniel Slamanig.

Journal of Cryptology, Volume 34, 2021.

Abstract URL PDF ePrint

Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (EUROCRYPT 2017). It is based on Puncturable Encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 seconds and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom Filter Encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes, and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.
CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors

With Valerio Cini, Sebastian Ramacher, and Daniel Slamanig.

ASIACRYPT 2020, Daejeon, South Korea, December 7-11. (Recorded talk given by Valerio Cini.)

Abstract URL PDF ePrint Talk

Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEMs) are fundamental cryptographic building blocks to realize secure communication protocols. There are several known transformations that generically turn weakly secure schemes into strongly (i.e., IND-CCA) secure ones. While most of these transformations require the weakly secure scheme to provide perfect correctness, Hofheinz, Hövelmanns, and Kiltz (HHK) (TCC 2017) have recently shown that variants of the Fujisaki-Okamoto (FO) transform can work with schemes that have negligible correctness error in the (quantum) random oracle model (QROM). Many recent schemes in the NIST post-quantum competition (PQC) use variants of these transformations. Some of their CPA-secure versions even have a non-negligible correctness error and so the techniques of HHK cannot be applied. In this work, we study the setting of generically transforming PKE schemes with potentially large, i.e., non-negligible, correctness error to ones having negligible correctness error. While there have been previous treatments in an asymptotic setting by Dwork et al. (EUROCRYPT 2004), our goal is to come up with practically efficient compilers in a concrete setting and apply them in two different contexts: firstly, we show how to generically transform weakly secure deterministic or randomized PKEs into CCA-secure KEMs in the (Q)ROM using variants of HHK. This applies to essentially all candidates to the NIST PQC based on lattices and codes with non-negligible error, for which we provide an extensive analysis. We thereby show that it improves some of the code-based candidates. Secondly, we study puncturable KEMs in terms of the Bloom Filter KEM (BFKEM) proposed by Derler et al. (EUROCRYPT 2018) which inherently have a non-negligible correctness error. BFKEMs are a building block to construct fully forward-secret zero round-trip time (0-RTT) key-exchange protocols. In particular, we show how to achieve the first post-quantum secure BFKEM generically from lattices and codes by applying our techniques to identity-based encryption (IBE) schemes with (non-)negligible correctness error.
Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based

With David Derler, Kai Samelin, and Daniel Slamanig.

NDSS 2019, San Diego, USA, February 24-27.

Abstract URL PDF ePrint Talk Slides

Blockchain technologies recently received a considerable amount of attention. While the initial focus was mainly on the use of blockchains in the context of cryptocurrencies such as Bitcoin, application scenarios now go far beyond this. Most blockchains have the property that once some object, e.g., a block or a transaction, has been registered to be included into the blockchain, it is persisted and there are no means to modify it again. While this is an essential feature of most blockchain scenarios, it is still often desirable—at times it may be even legally required–to allow for breaking this immutability in a controlled way. Only recently, Ateniese et al. (EuroS&P 2017) proposed an elegant solution to this problem on the block level. Thereby, the authors replace standard hash functions with so-called chameleon-hashes (Krawczyk and Rabin, NDSS 2000). While their work seems to offer a suited solution to the problem of controlled re-writing of blockchains, their approach is too coarse-grained in that it only offers an all-or-nothing solution. We revisit this idea and introduce the novel concept of policy-based chameleon-hashes (PBCH). PBCHs generalize the notion of chameleon-hashes by giving the party computing a hash the ability to associate access policies to the generated hashes. Anyone who possesses enough privileges to satisfy the policy can then find arbitrary collisions for a given hash. We then apply this concept to transaction-level rewriting within blockchains, and thus support fine-grained and controlled modifiability of blockchain objects. Besides modeling PBCHs, we present a generic construction of PBCHs (using a strengthened version of chameleon-hashes with ephemeral trapdoors which we also introduce), rigorously prove its security, and instantiate it with efficient building blocks. We report first implementation results.
Identity-Based Encryption with (Almost) Tight Security in the Multi-instance, Multi-ciphertext Setting

With Dennis Hofheinz, and Jessica Koch.

PKC 2015, Gaithersburg, MD, USA, March 30 - April 1. (Invited to the Journal of Cryptology.)

Abstract URL PDF ePrint

We construct an identity-based encryption (IBE) scheme that is tightly secure in a very strong sense. Specifically, we consider a setting with many instances of the scheme and many encryptions per instance. In this setting, we reduce the security of our scheme to a variant of a simple assumption used for a similar purpose by Chen and Wee (Crypto 2013). The security loss of our reduction is O(k)(where k is the security parameter). Our scheme is the first IBE scheme to achieve this strong flavor of tightness under a simple assumption. Technically, our scheme is a variation of the IBE scheme by Chen and Wee. However, in order to "lift" their results to the multi-instance, multi-ciphertext case, we need to develop new ideas. In particular, while we build on (and extend) their high-level proof strategy, we deviate significantly in the low-level proof steps.
Programmable Hash Functions in the Multilinear Setting

With Eduarda S. V. Freire, Dennis Hofheinz, and Kenneth G. Paterson.

CRYPTO 2013, Santa Barbara, USA, August 18-22.

Abstract URL PDF ePrint

We adapt the concept of a programmable hash function (PHF, Crypto 2008) to a setting in which a multilinear map is available. This enables new PHFs with previously unachieved parameters. To demonstrate their usefulness, we show how our (standard-model) PHFs can replace random oracles in several well-known cryptographic constructions. Namely, we obtain standard-model versions of the Boneh-Franklin identity-based encryption scheme, the Boneh-Lynn-Shacham signature scheme, and the Sakai-Ohgishi-Kasahara identity-based non- interactive key exchange (ID-NIKE) scheme. The ID-NIKE scheme is the first scheme of its kind in the standard model. Our abstraction also allows to derive hierarchical versions of the above schemes in settings with multilinear maps. This in particular yields simple and efficient hierarchical generalizations of the BF, BLS, and SOK schemes. In the case of hierarchical ID-NIKE, ours is the first such scheme with full security, in either the random oracle model or the standard model. While our constructions are formulated with respect to a generic multilinear map, we also outline the necessary adaptations required for the recent “noisy” multilinear map candidate due to Garg, Gentry, and Halevi.