AZTEC Overview
Phong Nguyen (ENS, France), AZTEC Leader
May 27, 2008, Antwerpen
AZTEC Goal
• To foster collaborative research in asymmetric cryptographic techniques.
• Security is essential:
– Provable security: identifying the exact security assumption; designs that achieve simple security assumptions.
– Cryptanalysis: searching for attacks, studying the hardness of computational problems.
• Design and analysis of new asymmetric techniques, possibly with special properties.
AZTEC Composition
• 18 ECRYPT partners. Main partners: KUL, ENS, RHUL, UNISA, BRIS, G+, TUE.
• 9 countries (2/3 of all ECRYPT countries): France, Belgium, Germany, U.K., Italy, Switzerland, Netherlands, Poland, Sweden.
AZTEC Structure
• Leader: ENS (P. Nguyen and D. Catalano/M. Abdalla)
• WG1 Provable Security: BRIS (N. Smart and J. Malone-Lee)
• WG2 Cryptanalysis: TUE/RHUL (B. de Weger and S. Galbraith)
• WG3 Special Properties: AXALTO/UNISA (L. Goubin and P. Persiano)
AZTEC Research Areas
• WG1: Security proofs, security designs.
• WG2: Algorithmic number theory, breaking cryptosystems.
• WG3: Searchable encryption, ID-based cryptography, traitor tracing, pairings.
AZTEC Management Approach
• Two mailing lists to communicate:
– General, for all AZTEC partners
– WG leaders
• Rely on WG leaders: organize activities and meetings by WG.
• Activities focused on actual research, not “bureaucracy”.
AZTEC Main Activities
• 3 summer schools
• 9 workshops: only on appropriate topics.
• 19 research retreats:
– 1- or 2-day meetings brainstorming on interesting research topics. Usually 10 participants per meeting.
– Sometimes leading to papers, e.g. CRYPTO ’05, ICALP ’06, PKC ’07.
AZTEC Research Retreat Example: WG2/2006 in Amsterdam
• About 16 people (ENS, IEM, BRIS, TUE, EDI, KUL, IBM)
• Topics discussed:
– Discrete logarithm on curves and finite fields
– Lattices and NTRU
– Finding small roots of polynomials and RSA
– Security of pairings
– Security of the new VSH hash function
AZTEC Workshop Example: Post-Quantum Cryptography
• If large-scale quantum computers can be built, the main schemes (RSA and ECC) for public-key encryption and digital signatures become insecure.
• The workshop explored current alternatives: multivariate cryptography, lattice-based cryptography, coding-based cryptography.
• It also gave a state-of-the-art overview of quantum computing and quantum algorithms.
AZTEC Report Deliverables
• WG1: “Provable Security: Designs and Open Questions” (50 pages). [D.AZTEC.5]
• WG2: “Hardness of the Main Computational Problems Used in Cryptography” (62 pages). [D.AZTEC.6]
• WG3: “New Technical Trends in Asymmetric Cryptography” (93 pages). [D.AZTEC.7]
AZTEC Publications
• Regular publications at the major conferences/workshops: CRYPTO, EUROCRYPT, ASIACRYPT, PKC, ICALP.
• Regular participation in program committees.
AZTEC Excellence in Research
• Best Paper Awards
– ASIACRYPT ’05: Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log [Provable Security]
– EUROCRYPT ’06: Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures [Cryptanalysis]
– EUROCRYPT ’08: Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves [Computational Assumptions]
AZTEC Research Highlights
• Computational Assumptions
– Discrete log: finite fields and curves
– Lattice reduction
– RSA
• Cryptanalysis
– Multivariate schemes, e.g. HFE and SFLASH
– NTRU
– Special cases of RSA
• Provable Security
– Foundations
– ID-based and beyond
– Automating security proofs
AZTEC Computational Assumptions
• Discrete log in finite fields
– Antoine Joux, Reynald Lercier, Nigel P. Smart, Frederik Vercauteren: The Number Field Sieve in the Medium Prime Case. [CRYPTO 2006]
• Discrete log in curves
– Benjamin Smith: Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves. [EUROCRYPT 2008]
– Andreas Enge, Pierrick Gaudry: An L(1/3 + ε) Algorithm for the Discrete Logarithm Problem for Low Degree Curves. [EUROCRYPT 2007]
AZTEC Computational Assumptions (continued)
• Lattice reduction
– Phong Q. Nguyen, Damien Stehlé: Floating-Point LLL Revisited. [EUROCRYPT 2005]
– Nicolas Gama, Phong Q. Nguyen: Finding Short Lattice Vectors within Mordell’s Inequality. [STOC 2008]
– Nicolas Gama, Phong Q. Nguyen: Predicting Lattice Reduction. [EUROCRYPT 2008]
• RSA
– Antoine Joux, David Naccache, Emmanuel Thomé: When e-th Roots Become Easier Than Factoring. [ASIACRYPT 2007]
AZTEC Cryptanalysis
• Multivariate schemes
– Vivien Dubois, Pierre-Alain Fouque, Adi Shamir, Jacques Stern: Practical Cryptanalysis of SFLASH. [CRYPTO 2007] (SFLASH is the signature scheme recommended by the NESSIE European project in 2003.)
– Louis Granboulan, Antoine Joux, Jacques Stern: Inverting HFE Is Quasipolynomial. [CRYPTO 2006]
• NTRU
– Phong Q. Nguyen, Oded Regev: Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures. [EUROCRYPT 2006]
• RSA
– Ellen Jochemsz, Alexander May: A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N^0.073. [CRYPTO 2007]
AZTEC Provable Security
• Foundations
– Pascal Paillier, Damien Vergnaud: Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log. [ASIACRYPT 2005]
– Alexander W. Dent: The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model. [EUROCRYPT 2006]
• ID-based and beyond
– Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno, Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, Haixia Shi: Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. [CRYPTO 2005]
• Automating security proofs
– Bruno Blanchet, David Pointcheval: Automated Security Proofs with Sequences of Games.
Contributions of AZTEC to Integration: Two Examples
AZTEC Cooperation within ECRYPT
• The first paper produced during a research retreat was published at CRYPTO ’05; the ECRYPT partners involved were ENS, TUE, BRIS, KUL and G+.
• A research retreat at the end of 2005 led to a paper published at ICALP ’06: “Identity-Based Encryption Gone Wild”.
• Building on that work, a 2006 retreat led to “Identity-Based Traitor Tracing”, published at PKC ’07.
AZTEC Cooperation outside ECRYPT
• In 2005, ANSI requested opinions on the security of NTRU.
• At the end of 2005, ENS invited N. Howgrave-Graham (USA) to work on NTRU lattices: two publications in 2006 (EUROCRYPT and CRYPTO).
• ENS worked with O. Regev (Israel) on NTRU signatures: Best Paper Award at EUROCRYPT ’06.
AZTEC Interactions with other Virtual Labs
• STVL: joint summer schools, algebraic analysis, and the impact of hash function collisions.
• VAMPIRE: eBATS.
• PROVILAB:
– UNISA is co-leader of AZTEC WG3 and leader of PROVILAB WG1.
– Several topics are at the frontier between the two labs: key exchange, ID-based crypto.
AZTEC Research Perspectives
• Computational assumptions: arguably not enough work compared to provable security.
• Security proofs:
– Better understanding, in particular of the Random Oracle Model.
– Make them easier to produce and verify.
• Find credible alternatives to RSA/ECC that resist quantum computers.
AZTEC Conclusions
• AZTEC research has been productive.
• EU collaboration has been strengthened.
• There are major open problems in public-key cryptology.
• Looking forward to ECRYPT II’s MAYA.