talks

2023

1. (Invited) Muckle+: End-to-End Hybrid Authenticated Key Exchanges

   With Sebastian Ramacher.

   NXP Belgium, 3 May.
2. Hybrid Authenticated Key Exchanges: Status-Quo, Novel Constructions, and Applications to Long-Range Quantum-Safe Networks

   9th ETSI/IQC Quantum Safe Cryptography Event, 13-15 February.

   URL
3. (Invited) Hybrid Key Exchanges for End-to-End Security in Quantum-Safe Networks

   IDQ Europe, Workshop: Migration to Quantum-Safe, February 10.

   URL

2022

1. (Invited) Efficient Puncturable Encryption – From Bloom Filters to Forward Security

   Chair of Applied Cryptography, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), December 9.

   URL
2. (Invited) Efficient Puncturable Encryption – From Bloom Filters to Forward Security

   Foundation of Cryptography Group, ETH Zurich, September 21.

   URL
3. Puncturable Encryption - A Fine-Grained Approach to Forward Security and More

   Real World Crypto Symposium 2022, Amsterdam, April 13-15.

   Abstract URL Video Slides

   Forward security is an essential design goal of modern cryptographic protocols with a long body of literature in several application domains such as interactive key-establishment protocols (prominently, in TLS 1.3), digital signatures, search on encrypted data, updatable cryptography, mobile Cloud backups, decentralized contact tracing, new approaches to Tor, and even novel distributed protocols such as Dfinity’s Internet Computer, among others. The well-known benefit of forward security is the mitigation of key leakage by evolving secret keys over epochs and thereby revoking access to prior-epoch ciphertexts. Such a strong security guarantee is highly recognized by industry to be included into security products (e.g., by companies such as Google, Apple, Meta, Microsoft, and Cloudflare), particularly resulting in over 99% of Internet sites surveyed by Qualys SSL Labs (https://www.ssllabs.com/ssl-pulse) support at least some form of forward security at the time of writing. Green and Miers (S&P 2015) initiated the studies of puncturable encryption (PE) as a new cryptographic primitive towards the strong form of non-interactive forward-secure encryption (in particular, without the need of any pre-shared key material). Already several follow-up works showed the versatility of such a concept yielding a rich abstraction of forward security investigated in a variety of (data-in-transit and data-at-rest) application domains such as 0-RTT key exchange with replay protection for TLS (Eurocrypt’17, Eurocrypt’18, Asiacrypt’20, JoC’21), Google’s QUIC (Cans’20), Searchable Encryption (CCS’17, CCS’18, NDSS’21), mobile Cloud backups (OSDI’20), Content Distribution Networks (Financial Crypto’21), Tor (PoPETS’20), and Updatable Encryption (ePrint’21). Loosely speaking, PE is a promising variant of public-key encryption that allows realizing the property of fine-grained and non-interactive forward security with several useful applications. This talk provides an exhausting overview to the concept of PE with motivation, presents state-of-the-art research on PE schemes, and discusses applications (such as 0-RTT key exchange with forward security and replay protection, and forward security for Content Delivery Networks). The overall goal is to make PE more accessible to the general audience and industry in a developer-friendly way, and also presenting new insights and results. The presentation builds on an existing blog post with the same title (https://profet.at/blog/pe).

2021

1. Fine-Grained Forward Secrecy: Allow-List/Deny-List Encryption and Applications

   With Sebastian Ramacher, and Daniel Slamanig.

   Financial Cryptography and Data Security 2021, Virtual, March 1-5.

   Abstract URL Video

   Forward secrecy is an important feature for modern cryptographic systems and is widely used in secure messaging such as Signal and WhatsApp as well as in common Internet protocols such as TLS, IPSec or SSH. The benefits of forward secrecy is that the damage in case of key-leakage is mitigated. Forward-secret encryption schemes provides security of past ciphertexts even if secret key leaks, which is interesting in settings where cryptographic keys often reside in memory for quite a long time and could be extracted by an adversary, e.g., in cloud computing. The recent concept of puncturable encryption (PE; IEEE S&P’15) provides a versatile generalization of forward-secret encryption: it allows to puncture secret keys with respect to ciphertexts to prevent the future decryption of these ciphertexts. Thus it represents a fine-grained mechanism to restrict decryption capabilities of a secret key to reduce damage in case of key leakage. We introduce the abstraction of allow-list/deny-list encryption schemes, and classify different types of PE schemes using this abstraction. Based on our classification we identify and close a gap in existing work by introducing a novel variant of PE which we dub Dual-Form Puncturable Encryption (DFPE). DFPE significantly enhances and in particular generalizes previous variants of PE, by allowing an interleaved application of allow- and deny-list operations. We present a construction of DFPE in prime order bilinear groups based on the novel primitive of tagged hierarchical identity-based encryption (THIBE). We discuss a direct application of DPFE for enhancing security guarantees within Cloudflare’s Geo Key Manager and show its generic use to construct forward-secret IBE and forward-secret digital signatures.

2. Towards Functional Encryption in the Quantum-Safe Setting and Standardization Efforts

   European Telecommunications Standards Institute (ETSI), Quantum Safe Cryptography Technical Event 2021, Virtual, February 18-19.

   Abstract URL Video

   The talk motivates the use of Functional Encryption (FE) as a methodology for fine-grained encryption and secure computation of data. Furthermore, Identity-Based Encryption (IBE) and Attribute-Based Encryption (ABE) as special variants of FE are presented. The talk concludes with standardization efforts and quantum-safeness towards available IBE and ABE schemes.

3. (Invited) Redactable Blockchains

   With Daniel Slamanig.

   TU Vienna, January 2021, Virtual, January 14. (Invited by Matteo Maffei as a single-lecture for the course Cryptocurrencies.)

   Abstract URL

   The lecture motivated the problem of editing/re-writing blockchains with a focus on the advanced cryptographic tools policy-based chameleon hashing and attribute-based encryption used for redactable blockchains.

2020

1. (Invited, in German) Europäische Standards für das IoT – Security-, Safety-, und Privacy-by-Design

   With Christoph Schmittner

   Austrian Standards, 4. IoT-Fachkongress 2020, Virtual, November 4.

   Abstract URL Press 1 Press 2

   The talk presents current technology and standardization work within the EU HORIZON 2020 ECSEL project SECREDAS.

2. (Invited) Attribute-Based Encryption for Strong Access Control: TS 103 532

   European Telecommunications Standards Institute (ETSI), Security Week 2020, 8-19 June 2020, online

   Abstract URL Webinar

   Attribute-Based Encryption (ABE) is a cryptographic mechanism that enforces access control solely on the mathematical level with strong security guarantees. A main incentive using ABE is to provide a proper and versatile replacement for software-only access-control mechanisms that need to embed all trust into (often seen to be error-prone) software components by design. Applications of ABE in EU research projects and ETSI TS 103 532 will be presented.

3. Quantum-Safe Identity-Based Encryption: TR 103 618

   European Telecommunications Standards Institute (ETSI), Security Week 2020, 8-19 June 2020, online

   Abstract URL Webinar

   As quantum computing poses a threat to the long-term security of most of the currently used encryption mechanisms, ongoing efforts in the development of quantum-safe Identity-Based Encryption (IBE), with a focus on a hierarchical IBE scheme based on structured lattices and described in ETSI TR 103 618, are presented.

4. (Invited) Advanced Public-Key Encryption

   TU Wien 2020, Vienna, Austria. January 28. (Invited by Daniel Slamanig as a single-lecture for the course Modern Cryptography.)

   Abstract URL Slides

   The lecture recapped advanced public-key encryption ranging from identity-based encryption to attribute-based encryption with security models and constructions.

2019

1. (Invited) Attribute-Based Encryption for Strong Access Control

   Graz Security Days for Industry 2019, Graz, Austria, September 19.

   Abstract URL

   The talk covered the concept of attribute-based encryption (ABE) and the ABE standardization work done at ETSI towards strong access control.

2. Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based

   The Network and Distributed System Security Symposium (NDSS) 2019, San Diego, USA, February 24-27.

   Abstract URL Video Slides

   Blockchain technologies recently received a considerable amount of attention. While the initial focus was mainly on the use of blockchains in the context of cryptocurrencies such as Bitcoin, application scenarios now go far beyond this. Most blockchains have the property that once some object, e.g., a block or a transaction, has been registered to be included into the blockchain, it is persisted and there are no means to modify it again. While this is an essential feature of most blockchain scenarios, it is still often desirable—at times it may be even legally required–to allow for breaking this immutability in a controlled way. Only recently, Ateniese et al. (EuroS&P 2017) proposed an elegant solution to this problem on the block level. Thereby, the authors replace standard hash functions with so-called chameleon-hashes (Krawczyk and Rabin, NDSS 2000). While their work seems to offer a suited solution to the problem of controlled re-writing of blockchains, their approach is too coarse-grained in that it only offers an all-or-nothing solution. We revisit this idea and introduce the novel concept of policy-based chameleon-hashes (PBCH). PBCHs generalize the notion of chameleon-hashes by giving the party computing a hash the ability to associate access policies to the generated hashes. Anyone who possesses enough privileges to satisfy the policy can then find arbitrary collisions for a given hash. We then apply this concept to transaction-level rewriting within blockchains, and thus support fine-grained and controlled modifiability of blockchain objects. Besides modeling PBCHs, we present a generic construction of PBCHs (using a strengthened version of chameleon-hashes with ephemeral trapdoors which we also introduce), rigorously prove its security, and instantiate it with efficient building blocks. We report first implementation results.

3. (Invited) Advanced Public-Key Encryption

   TU Wien 2019, Vienna, Austria, January 22. (Invited by Daniel Slamanig as a single-lecture for the course Modern Cryptography.)

   Abstract URL Slides

   The lecture recapped advanced public-key encryption ranging from identity-based encryption to attribute-based encryption with security models and constructions.

2018

1. (Invited) Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

   Royal Holloway, University of London (RHUL) seminar 2018, London, UK, October 18.

   Abstract Slides

   Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (EUROCRYPT 2017). It is based on Puncturable Encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 seconds and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom Filter Encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes, and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.

2. Revisiting Proxy Re-encryption: Forward Secrecy, Improved Security, and Applications

   PKC 2018, Rio de Janeiro, Brazil, March 25-29.

   Abstract

   We revisit the notion of proxy re-encryption (PRE), an enhanced public-key encryption primitive envisioned by Blaze et al. (Eurocrypt’98) and formalized by Ateniese et al. (NDSS’05) for delegating decryption rights from a delegator to a delegatee using a semi- trusted proxy. PRE notably allows to craft re-encryption keys in order to equip the proxy with the power of transforming ciphertexts under a delegator’s public key to ciphertexts under a delegatee’s public key, while not learning anything about the underlying plaintexts. We study an attractive cryptographic property for PRE, namely that of forward secrecy. In our forward-secret PRE (fs-PRE) definition, the proxy periodically evolves the re-encryption keys and permanently erases old versions while he delegator’s public key is kept constant. As a consequence, ciphertexts for old periods are no longer re-encryptable and, in particular, cannot be decrypted anymore at the delegatee’s end. Moreover, delegators evolve their secret keys too, and, thus, not even they can decrypt old ciphertexts once their key material from past periods has been deleted. This, as we will discuss, directly has application in short-term data/message-sharing scenarios. Technically, we formalize fs-PRE. Thereby, we identify a subtle but significant gap in the well-established security model for conventional PRE and close it with our formalization (which we dub fs-PRE+). We present the first provably secure and efficient constructions of fs-PRE as well as PRE (implied by the former) satisfying the strong fs-PRE+ and PRE+ notions, respectively. All our constructions are instantiable in the standard model under standard assumptions and our central build- ing block are hierarchical identity-based encryption (HIBE) schemes that only need to be selectively secure.

2015

1. Confined guessing: a reduction strategy to obtain new signatures from standard assumptions

   NTT, Tokyo, Japan, September 2015.

   Abstract Slides

   We put forward new techniques for designing signature schemes. As a result, we present practical signature schemes based on the CDH, the RSA, and the SIS assumptions. Our schemes compare favorably with existing schemes based on these assumptions. Our core idea is the use of tag-based signatures. Concretely, each signatures contains a tag which is uniformly chosen from a suitable tag set. Intuitively, the tag provides a way to embed instances of computational problems. Indeed, carefully choosing these tag spaces provides new ways to partition the set of possible message-tag pairs into "signable" and "unsignable" pairs. In our security proof, we will thus be able to sign all adversarially requested messages, and at the same time use an adversarially generated forgery with suitably large probability

2014

1. A Generic View on Trace-and-Revoke Broadcast Encryption Schemes

   CT-RSA 2014 - The Cryptographer’s Track at the RSA Conference 2014, San Francisco, CA, USA, February 25-28.

   Abstract URL

   At Eurocrypt 2011, Wee presented a generalization of threshold public key encryption, threshold signatures, and revocation schemes arising from threshold extractable hash proof systems. In particular, he gave instances of his generic revocation scheme from the DDH assumption (which led to the Naor-Pinkas revocation scheme), and from the factoring assumption (which led to a new revocation scheme). We expand on Wee’s work in two directions: (a) We propose threshold extractable hash proof instantiations from the “Extended Decisional Diffie-Hellman” (EDDH) assumption due to Hemenway and Ostrovsky (PKC 2012). This in particular yields EDDH-based variants of threshold public key encryption, threshold signatures, and revocation schemes. In detail, this yields a DCR-based revocation scheme. (b) We show that our EDDH-based revocation scheme allows for a mild form of traitor tracing (and, thus, yields a new trace-and-revoke scheme). In particular, compared to Wee’s factoring-based scheme, our DCR-based scheme has the advantage that it allows to trace traitors.

2. Programmable Hash Functions in the Multilinear Setting

   Rhine Neckar Crypto Seminar 2014, Heidelberg, Germany.

   Abstract

   We adapt the concept of a programmable hash function (PHF, Crypto 2008) to a setting in which a multilinear map is available. This enables new PHFs with previously unachieved parameters. To demonstrate their usefulness, we show how our (standard-model) PHFs can replace random oracles in several well-known cryptographic constructions. Namely, we obtain standard-model versions of the Boneh-Franklin identity-based encryption scheme, the Boneh-Lynn-Shacham signature scheme, and the Sakai-Ohgishi-Kasahara identity-based non- interactive key exchange (ID-NIKE) scheme. The ID-NIKE scheme is the first scheme of its kind in the standard model. Our abstraction also allows to derive hierarchical versions of the above schemes in settings with multilinear maps. This in particular yields simple and efficient hierarchical generalizations of the BF, BLS, and SOK schemes. In the case of hierarchical ID-NIKE, ours is the first such scheme with full security, in either the random oracle model or the standard model. While our constructions are formulated with respect to a generic multilinear map, we also outline the necessary adaptations required for the recent “noisy” multilinear map candidate due to Garg, Gentry, and Halevi.

2013

1. Practical Signatures from Standard Assumptions

   EUROCRYPT 2013, Athens, Greece, May 29.

   Abstract URL

   We put forward new techniques for designing signature schemes. As a result, we present practical signature schemes based on the CDH, the RSA, and the SIS assumptions. Our schemes compare favorably with existing schemes based on these assumptions. Our core idea is the use of tag-based signatures. Concretely, each signatures contains a tag which is uniformly chosen from a suitable tag set. Intuitively, the tag provides a way to embed instances of computational problems. Indeed, carefully choosing these tag spaces provides new ways to partition the set of possible message-tag pairs into "signable" and "unsignable" pairs. In our security proof, we will thus be able to sign all adversarially requested messages, and at the same time use an adversarially generated forgery with suitably large probability.