Cryptographic algorithms are the equivalent of locks, seals, security stamps and identification documents on the Internet. They are essential to protect our on-line bank transactions, credit cards, medical and personal information and to support e-commerce and e-government. They come in different flavors. Encryption algorithms are essential to protect sensitive information such as medical data, financial information and Personal Identification Numbers (PINs) from prying eyes. Digital signature algorithms (in combination with hash functions) replace hand-written signatures in electronic transactions. A similar role can be played by MAC algorithms. Identification protocols allow to securely verify the identity of the party at the other end of the line. Therefore, cryptology is a research area with a high strategic impact for industries, individuals, and for the society as a whole. The research activity of the project-team CASCADE addresses the following topics, which cover most of the domains that are currently active in the international cryptographic community, but mainly in the public-key area:
Implementation of cryptographic and applied cryptography
Design and provable security
Theoretical and concrete attacks
Since the beginning of public-key cryptography, with the seminal Diffie-Hellman paper, many suitable algorithmic problems for cryptography have been proposed and many cryptographic schemes have been designed, together with more or less heuristic proofs of their security relative to the intractability of the underlying problems. However, many of those schemes have thereafter been broken. The simple fact that a cryptographic algorithm withstood cryptanalytic attacks for several years has often been considered as a kind of validation procedure, but schemes may take a long time before being broken. An example is the Chor-Rivest cryptosystem, based on the knapsack problem, which took more than 10 years to be totally broken by Serge Vaudenay, whereas before this attack it was believed to be strongly secure. As a consequence, the lack of attacks at some time should never be considered as a full security validation of the proposal.
A completely different paradigm is provided by the concept of “provable” security. A significant line of research has tried to provide proofs in the framework of computational complexity theory (a.k.a. “reductionist” security proofs): the proofs provide reductions from a well-studied problem (factoring, RSA or the discrete logarithm) to an attack against a cryptographic protocol.
At the beginning, researchers just tried to define the security notions required by actual cryptographic schemes, and then to design protocols which could achieve these notions. The techniques were directly derived from complexity theory, providing polynomial reductions. However, their aim was essentially theoretical. They were indeed trying to minimize the required assumptions on the primitives (one-way functions or permutations, possibly trapdoor, etc), without considering practicality. Therefore, they just needed to design a scheme with polynomial-time algorithms, and to exhibit polynomial reductions from the basic mathematical assumption on the hardness of the underlying problem into an attack of the security notion, in an asymptotic way. However, such a result has no practical impact on actual security. Indeed, even with a polynomial reduction, one may be able to break the cryptographic protocol within a few hours, whereas the reduction just leads to an algorithm against the underlying problem which requires many years. Therefore, those reductions only prove the security when very huge (and thus maybe unpractical) parameters are in use, under the assumption that no polynomial time algorithm exists to solve the underlying problem. For many years, more efficient reductions have been expected, under the denomination of either “exact security" or “concrete security”, which provide more practical security results, with concrete efficiency properties.
Unfortunately, in many cases, even just provable security is at the cost of an important loss in terms of efficiency for the cryptographic protocol. Thus, some models have been proposed, trying to deal with the security of efficient schemes: some concrete objects are identified with ideal (or black-box) ones. For example, it is by now usual to identify hash functions with ideal random functions, in the so-called “random-oracle model”. Similarly, block ciphers are identified with families of truly random permutations in the “ideal cipher model”. Another kind of idealization has also been introduced in cryptography, the black-box group, where the group operation, in any algebraic group, is defined by a black-box: a new element necessarily comes from the addition (or the subtraction) of two already known elements. It is by now called the “generic model”, extended to the bilinear and multi-linear setting. Some works even require several ideal models together to provide some new validations.
But still, such idealization cannot be instantiated in practice, and so one prefers to get provable security, without such ideal assumptions, under new and possibly stronger computational assumptions. As a consequence, a cryptographer has to deal with the four following important steps, which are all our main goals:
which are the foundations of the security. We thus need to have a strong evidence that the computational problems are reasonably hard to solve.
which makes precise the security notions one wants to achieve, as well as the means the adversary may be given. We contribute to this point, in several ways:
by providing security models for many primitives and protocols;
by enhancing some classical security models;
by considering new means for the adversary, such as side-channel information.
of new schemes/protocols, or more efficient, with additional features, etc.
which consists in exhibiting a reduction.
Randomness is a key ingredient for cryptography. Random bits are necessary not only for generating cryptographic keys, but are also often an important part of cryptographic algorithms. In some cases, probabilistic protocols make it possible to perform tasks that are impossible deterministically. In other cases, probabilistic algorithms are faster, more space efficient or simpler than known deterministic algorithms. Cryptographers usually assume that parties have access to perfect randomness but in practice this assumption is often violated and a large body of research is concerned with obtaining such a sequence of random or pseudorandom bits.
One of the project-team research goals is to get a better understanding of the interplay between randomness and cryptography and to study the security of various cryptographic protocols at different levels (information-theoretic and computational security, number-theoretic assumptions, design and provable security of new and existing constructions).
Cryptographic literature usually pays no attention to the fact that in practice randomness is quite difficult to generate and that it should be considered as a resource like space and time. Moreover since the perfect randomness abstraction is not physically realizable, it is interesting to determine whether imperfect randomness is “good enough” for certain cryptographic algorithms and to design algorithms that are robust with respect to deviations of the random sources from true randomness.
The power of randomness in computation is a central problem in complexity theory and in cryptography. Cryptographers should definitely take these considerations into account when proposing new cryptographic schemes: there exist computational tasks that we only know how to perform efficiently using randomness but conversely it is sometimes possible to remove randomness from probabilistic algorithms to obtain efficient deterministic counterparts. Since these constructions may hinder the security of cryptographic schemes, it is of high interest to study the efficiency/security tradeoff provided by randomness in cryptography.
Quite often in practice, the random bits in cryptographic protocols are generated by a pseudorandom number generation process. When this is done, the security of the scheme of course depends in a crucial way on the quality of the random bits produced by the generator. Despite the importance, many protocols used in practice often leave unspecified what pseudorandom number generation to use. It is well-known that pseudorandom generators exist if and only if one-way functions exist and there exist efficient constructions based on various number-theoretic assumptions. Unfortunately, these constructions are too inefficient and many protocols used in practice rely on “ad-hoc” constructions. It is therefore interesting to propose more efficient constructions, to analyze the security of existing ones and of specific cryptographic constructions that use weak pseudorandom number generators.
The project-team undertakes research in these three aspects. The approach adopted is both theoretical and practical, since we provide security results in a mathematical framework (information theoretic or computational) with the aim to design protocols among the most efficient known.
The security of almost all public-key cryptographic protocols in use today relies on the presumed hardness of problems from number theory such as factoring and discrete log. This is somewhat problematic because these problems have very similar underlying structure, and its unforeseen exploit can render all currently used public key cryptography insecure. This structure was in fact exploited by Shor to construct efficient quantum algorithms that break all hardness assumptions from number theory that are currently in use. And so naturally, an important area of research is to build provably-secure protocols based on mathematical problems that are unrelated to factoring and discrete log. One of the most promising directions in this line of research is using lattice problems as a source of computational hardness —in particular since they also offer features that other alternative public-key cryptosystems (such as MQ-based, code-based or hash-based schemes) cannot provide.
Fully Homomorphic Encryption (FHE) is a very active research area. Let us just give one example illustrating the usefulness of computing on encrypted data: Consider an on-line patent database on which firms perform complex novelty queries before filing patents. With current technologies, the database owner might analyze the queries, infer the invention and apply for a patent before the genuine inventor. While such frauds were not reported so far, similar incidents happen during domain name registration. Several websites propose “registration services” preceded by “availability searches”. These queries trigger the automated registration of the searched domain names which are then proposed for sale. Algorithms allowing arbitrary computations without disclosing their inputs (and/or their results) are hence of immediate usefulness.
In 2009, IBM announced the discovery of a FHE scheme by Craig Gentry. The security of this algorithm relies on worst-case problems over ideal lattices and on the hardness of the sparse subset sum problem. Gentry’s construction is an ingenious combination of two ideas: a somewhat homomorphic scheme (capable of supporting many “logical or” operations but very few “ands”) and a procedure that refreshes the homomorphically processed ciphertexts. Gentry’s main conceptual achievement is a “bootstrapping” process in which the somewhat homomorphic scheme evaluates its own decryption circuit (self-reference) to refresh (recrypt) ciphertexts.
Unfortunately, it is safe to surmise that if the state of affairs remains as it is in the present, then despite all the theoretical efforts that went into their constructions, these schemes will never be used in practical applications.
Our team is looking at the foundations of these primitives with the hope of achieving a breakthrough that will allow them to be practical in the near future.
But FHE builds new ciphertexts from ciphertexts, and the initial user only can decrypt the result. A more recent primitive has be defined, under the name of “Functional Encryption”. It allows users to encrypt messages and an authority to distribute functional decryption keys. The latter only allow recipient of ciphertexts to obtain an evaluation of the plaintexts, according to the functions associated to the functional decryption keys: this for example allows some people to have access to various aggregations of data, in clear, from an encrypted database.
While this functionality has initially been defined in theory, our team is actively working on designing concrete instantiations for practical purpose.
Cryptographic protocols that are secure when executed in isolation, can be completely insecure when multiple such instances are executed concurrently (as is unavoidable on the Internet) or when used as a part of a larger protocol. For instance, a man-in-the-middle attacker participating in two simultaneous executions of a cryptographic protocol might use messages from one of the executions in order to compromise the security of the second – Lowe’s attack on the Needham-Schroeder authentication protocol and Bleichenbacher's attack on SSL work this way. Our research addresses security amidst concurrent executions in secure computation and key exchange protocols.
Secure computation allows several mutually distrustful parties to collaboratively compute a public function of their inputs, while providing the same security guarantees as if a trusted party had performed the computation. Potential applications for secure computation include anonymous voting as well as privacy-preserving auctions and data-mining. Our recent contributions on this topic include
new protocols for secure computation in a model where each party interacts only once, with a single centralized server; this model captures communication patterns that arise in many practical settings, such as that of Internet users on a website,
and efficient constructions of universally composable commitments and oblivious transfer protocols, which are the main building blocks for general secure computation.
In key exchange protocols, we are actively involved in designing new password-authenticated key exchange protocols, as well as the analysis of the widely-used SSL/TLS protocols.
Electronic cash (e-cash) was first proposed in the 1980s but despite extensive research it has never been deployed on a large scale. Other means of digital payments have instead largely replaced physical cash. Common to all digital payments offered by banks and other payment providers is that they do not respect the citizens' right to privacy, which for legitimate purchases and moderate sums also includes their right of anonymous payments.
The rise of so-called decentralized currencies, such as Bitcoin and the numerous “alt-coins” inspired by it, have established a third way of payments in addition to physical cash, which offers privacy, and card and other electronic payments, which are traceable by its providers. The continuous growth of popularity and usage of this new kind of currencies, also called “cryptocurrencies” as their security and stability crucially relies on the use of cryptography, have triggered a renewed interest in cryptographic e-cash.
On the one hand, our group investigates “centralized” e-cash, in keeping with the current economic model that has money be issued by (central) banks. In contrast, cryptocurrencies use money distribution as an incentive for widespread participation in the system, on which its stability hinges. Of particular interest among centralized e-cash schemes is transferable e-cash, which allows users to transfer coins between each other without interacting with a third party (or the blockchain). Currently all efficient e-cash schemes require coins to be deposited at the bank once received; they are thus not transferable. Our goal is to propose efficient transferable e-cash schemes.
Another direction concerns (decentralized) cryptocurrencies whose adoption is continuously growing so that now even central banks, like the Swedish Riksbank, are considering issuing their own currency as a cryptocurrency. While systems like Bitcoin are perceived as offering anonymous payments, a line of research has shown that this is not the case. One of the major research challenges in this area is to devise schemes with an anonymity level comparable to that of physical cash. The currently proposed schemes either lack formal security analyses or they are inefficient due to the heavy-duty cryptography used. Our group works towards practical cryptocurrencies with formally analyzed privacy guarantees.
Cryptocurrencies rely on a decentralized data structure called the “blockchain”, which has meanwhile found many other applications apart from electronic money. Together with Microsoft Research, our group investigates decentralized means of authentication that uses cryptography to guarantee privacy.
Many companies have already started the migration to the Cloud and many individuals share their personal informations on social networks. While some of the data are public information, many of them are personal and even quite sensitive. Unfortunately, the current access mode is purely right-based: the provider first authenticates the client, and grants him access, or not, according to his rights in the access-control list. Therefore, the provider itself not only has total access to the data, but also knows which data are accessed, by whom, and how: privacy, which includes secrecy of data (confidentiality), identities (anonymity), and requests (obliviousness), should be enforced. Moreover, while high availability can easily be controlled, and thus any defect can immediately be detected, failures in privacy protection can remain hidden for a long time. The industry of the Cloud introduces a new implicit trust requirement: nobody has any idea at all of where and how his data are stored and manipulated, but everybody should blindly trust the providers. The providers will definitely do their best, but this is not enough. Privacy-compliant procedures cannot be left to the responsibility of the provider: however strong the trustfulness of the provider may be, any system or human vulnerability can be exploited against privacy. This presents too huge a threat to tolerate. The distribution of the data and the secrecy of the actions must be given back to the users. It requires promoting privacy as a global security notion.
In order to protect the data, one needs to encrypt it. Unfortunately, traditional encryption systems are inadequate for most applications involving big, complex data. Recall that in traditional public key encryption, a party encrypts data to a single known user, which lacks the expressiveness needed for more advanced data sharing. In enterprise settings, a party will want to share data with groups of users based on their credentials. Similarly, individuals want to selectively grant access to their personal data on social networks as well as documents and spreadsheets on Google Docs. Moreover, the access policy may even refer to users who do not exist in the system at the time the data is encrypted. Solving this problem requires an entirely new way of encrypting data.
A first natural approach would be fully homomorphic encryption (FHE, see above), but a second one is also functional encryption, that is an emerging paradigm for public-key encryption: it enables more fine-grained access control to encrypted data, for instance, the ability to specify a decryption policy in the ciphertext so that only individuals who satisfy the policy can decrypt, or the ability to associate keywords to a secret key so that it can only decrypt documents containing the keyword. Our work on functional encryption centers around two goals:
to obtain more efficient pairings-based functional encryption;
and to realize new functionalities and more expressive functional encryption schemes.
Another approach is secure multi-party computation protocols, where interactivity might provide privacy in a more efficient way. Recent implicit interactive proofs of knowledge can be a starting point. But stronger properties are first expected for improving privacy. They can also be integrated into new ad-hoc broadcast systems, in order to distribute the management among several parties, and eventually remove any trust requirements.
Strong privacy for the Cloud would have a huge societal impact since it would revolutionize the trust model: users would be able to make safe use of outsourced storage, namely for personal, financial and medical data, without having to worry about failures or attacks of the server.
Cryptography is only one component of information security, but it is a crucial component. Without cryptography, it would be impossible to establish secure communications between users over insecure networks like the Internet. In particular, public-key cryptography (invented by Diffie and Hellman in 1976) enables to establish secure communications between users who have never met physically before. One can argue that companies like E-Bay or Amazon could not exist without public-key cryptography. Since 30 years the theory of cryptography has developed considerably. However cryptography is not only a theoretical science; namely at some point the cryptographic algorithms must be implemented on physical devices, such as PCs, smart cards or RFIDs. Then problems arise: in general smart cards and RFIDs have limited computing power and leak information through power consumption and electro-magnetic radiations. Similarly a PC can be exposed to various computer viruses which can leak private informations to a remote attacker. Such information leakage can be exploited by an attacker; this is called a side-channel attack. It is well known that a cryptographic algorithm which is perfectly secure in theory can be completely insecure in practice if improperly implemented.
In general, countermeasures against side-channel attacks are heuristic and can only make a particular implementation resist particular attacks. Instead of relying on ad-hoc security patches, a better approach consists in working in the framework of provable security. The goal is to prove that a cryptosystem does not only resist specific attacks but can resist any possible side-channel attack. As already demonstrated with cryptographic protocols, this approach has the potential to significantly increase the security level of cryptographic products. Recently the cryptography research community has developed new security models to take into account these practical implementation attacks; the most promising such model is called the leakage-resilient model.
Therefore, our goal is to define new security models that take into account any possible side-channel attack, and then to design new cryptographic schemes and countermeasures with a proven security guarantee against side-channel attacks.
We organised the Eurocrypt '17 annual conference in Paris, from April 30 to May 4.
Damien Vergnaud was nominated for a 5 year appointment as Junior Member of the Institut Universitaire de France
Romain Gay received a Google PhD Fellowship.
All the results of the team have been published in journals or conferences (see the list of publications). They are all related to the research program (see before) and the research projects (see after):
More efficient constructions with lattices
New e-cash constructions
Advanced primitives for the privacy in the cloud
Efficient functional encryption
Various predicate encryption schemes
Program: FUI
Duration: October 2014 – November 2018
Coordinator: CryptoExperts
Partners: CEA, CNRS, Kalray, Inria, Dictao, Université de Limoges, VIACESS, Bertin technologies, GEMALTO
Local coordinator: David Pointcheval
We aim at studying delegation of computations to the cloud, in a secure way.
Program: GDN
Duration: February 2017 – September 2020
Coordinator: Secure-IC
Partners: ANSSI, AIRBUS, C-S, CEA LIST, CryptoExperts, Inria/ENS/CASCADE, GEMALTO, Inria POLSYS, Inria AriC, IRISA, Orange Labs, THALES, UVSQ, PCQC
Local coordinator: Michel Abdalla
The main goal of RISQ is to help the French Industry and Academia become a significant international player in the transition to post-quantum cryptography.
Title: Encryption for Big Data
Program: ANR JCJC
Duration: October 2014 – September 2018
PI: Hoeteck Wee
Partners: Université Paris 2, Université Limoges
The main objective of this project is to study techniques for efficient and expressive functional encryption schemes. Functional encryption is a novel paradigm for public-key encryption that enables both fine-grained access control and selective computation on encrypted data, as is necessary to protect big, complex data in the cloud.
Title: Efficient Transferable E-Cash
Program: ANR JCJC
Duration: October 2016 – September 2020
PI: Georg Fuchsbauer
Partners: Université Paris 2
This project deals with e-cash systems which let users transfer electronic coins between them offline. The main objectives of this project are:
establish a clean formal model for the primitive;
construct schemes which are practically efficient;
develop schemes that are even resistant to attacks on quantum computers.
Title: AppLicAtions of MalleaBIlity in Cryptography
Program: ANR PRC
Duration: October 2016 – September 2020
PI: Damien Vergnaud
Partners: ENS Lyon, Université Limoges
The main objectives of the proposal are the following:
Define theoretical models for “malleable” cryptographic primitives that capture strong practical attacks (in particular, in the settings of secure computation outsourcing, server-aided cryptography, cloud computing and cryptographic proof systems);
Analyze the security and efficiency of primitives and constructions that rely on malleability;
Conceive novel cryptographic primitives and constructions (for secure computation outsourcing, server-aided cryptography, multi-party computation, homomorphic encryption and their applications);
Implement these new constructions in order to validate their efficiency and effective security.
Title: Cryptography for Secure Digital Interaction
Program: H2020 ICT COST
Duration: April 2014 – April 2018
Local coordinator: Michel Abdalla
The aim of this COST CryptoAction is to stimulate interaction between the different national efforts in order to develop new cryptographic solutions and to evaluate the security of deployed algorithms with applications to the secure digital interactions between citizens, companies and governments.
Title: Cryptography for the Cloud
Program: FP7 ERC Advanced Grant
Duration: June 2014 – May 2019
PI: David Pointcheval
The goal of the CryptoCloud project is to develop new interactive tools to provide privacy to the Cloud.
Title: Secure Architectures of Future Emerging Cryptography
Program: H2020
Duration: January 2015 – January 2019
Coordinator: The Queen's University of Belfast
Partners: Inria/ENS (France), Emc Information Systems International (Ireland), Hw Communications (United Kingdom), The Queen's University of Belfast (United Kingdom), Ruhr-Universitaet Bochum (Germany), Thales Uk (United Kingdom), Universita della Svizzera italiana (Switzerland), IBM Research Zurich (Switzerland)
Local coordinator: Michel Abdalla
SAFEcrypto will provide a new generation of practical, robust and physically secure post quantum cryptographic solutions that ensure long-term security for future ICT systems, services and applications. Novel public-key cryptographic schemes (digital signatures, authentication, public-key encryption, identity-based encryption) will be developed using lattice problems as the source of computational hardness. The project will involve algorithmic and design optimisations, and implementations of the lattice-based cryptographic schemes addressing the cost, energy consumption, performance and physical robustness needs of resource-constrained applications, such as mobile, battery-operated devices, and of real-time applications such as network security, satellite communications and cloud. Currently a significant threat to cryptographic applications is that the devices on which they are implemented leak information, which can be used to mount attacks to recover secret information. In SAFEcrypto the first analysis and development of physical-attack resistant methodologies for lattice-based cryptographic implementations will be undertaken. Effective models for the management, storage and distribution of the keys utilised in the proposed schemes (key sizes may be in the order of kilobytes or megabytes) will also be provided. This project will deliver proof-of-concept demonstrators of the novel lattice-based public-key cryptographic schemes for three practical real-word case studies with real-time performance and low power consumption requirements. In comparison to current state-of-the-art implementations of conventional public-key cryptosystems (RSA and Elliptic Curve Cryptography (ECC)), SAFEcrypto’s objective is to achieve a range of lattice-based architectures that provide comparable area costs, a 10-fold speed-up in throughput for real-time application scenarios, and a 5-fold reduction in energy consumption for low-power and embedded and mobile applications.
Title: Advanced Cryptographic Technologies for the Internet of Things and the Cloud
Program: H2020 ITN
Duration: March 2015 – February 2019
Coordinator: KU Leuven (Belgium)
Partners: KU Leuven (Belgium), Inria/ENS (France), Ruhr-Universität Bochum (Germany), Royal Holloway, University of London (UK), University of Bristol (UK), CryptoExperts (France), NXP Semiconductors (Belgium), Technische Universiteit Eindhoven (the Netherlands)
Local coordinator: Michel Abdalla
ECRYPT-NET is a research network of six universities and two companies, as well as 7 associated companies, that intends to develop advanced cryptographic techniques for the Internet of Things and the Cloud and to create efficient and secure implementations of those techniques on a broad range of platforms.
Title: Secure Computation on Encrypted Data
Program: H2020 ERC Starting Grant
Duration: June 2015 – May 2020
PI: Hoeteck Wee
The goals of the aSCEND project are (i) to design pairing and lattice-based functional encryption that are more efficient and ultimately viable in practice; and (ii) to obtain a richer understanding of expressive functional encryption schemes and to push the boundaries from encrypting data to encrypting software.
Title: Functional Encryption Technologies
Program: H2020
Duration: January 2018 – December 2020
Coordinator: ATOS Spain SA
Scientific coordinator: Michel Abdalla
Partners: Inria/ENS (France), Flensburg University (Germany), KU Leuven (Belgium), University of Helsinki (Finland), Nagra (Switzerland), XLAB (Switzerland), University of Edinburgh (United Kingdom), WALLIX (France)
Local coordinator: Michel Abdalla
Functional encryption (FE) has recently been introduced as a new paradigm of encryption systems to overcome all-or-nothing limitations of classical encryption. In an FE system the decryptor deciphers a function over the message plaintext: such functional decryptability makes it feasible to process encrypted data (e.g. on the Internet) and obtain partial view of the message plaintext. This extra flexibility over classical encryption is a powerful enabler for many emerging security technologies (i.e. controlled access, searching and computing on encrypted data, program obfuscation...). FENTEC’s mission is to make the functional encryption paradigm ready for wide-range applications, integrating it in ICT technologies as naturally as classical encryption. The primary objective is the efficient and application-oriented development of functional encryption systems. FENTEC’s team of cryptographers, software and hardware experts and information technology industry partners will document functional encryption needs of specific applications and subsequently design, develop, implement and demonstrate applied use of functional cryptography. Ultimately, a functional encryption library for both SW and HW-oriented application will be documented and made public so that it may be used by European ICT entities. With it, the FENTEC team will build emerging security technologies that increase the trustworthiness of the European ICT services and products. Concretely, the FENTEC team will showcase the expressiveness and versatility of the functional encryption paradigm in 3 use cases:
Privacy-preserving digital currency, enforcing flexible auditing models
Anonymous data analytics enabling computation of statistics over encrypted data, protecting European Fundamental Rights of Data Protection and Privacy
Key and content distribution with improved performance & efficiency as foundational technology for establishing secure communication among a vast amount of IOT devices.
Title: Cryptography for Privacy on the Blockchain
Partners: MSR Redmond (USA), MSR Cambridge (UK), Inria
Duration: October 2017 – October 2021
PI: Georg Fuchsbauer
The goal of this Microsoft-Inria joint project on privacy and decentralization is to use cryptography to improve privacy on the blockchain. We will investigate means of privacy-preserving authentication, such as electronic currencies, and other applications of blockchain and distributed transparency mechanisms.
Melissa Chase (MSR Redmond)
Huijia Rachel Lin (UCSB)
Yuval Ishai (Technion)
Stefano Tessaro (UCSB)
Vinod Vaikuntanathan (MIT)
a regular seminar is organized: http://
quarterly Paris Crypto Days (https://
working group on lattices (http://
BibTeX database of papers related to Cryptography, open and widely used by the community (https://
steering committee of CANS: David Pointcheval
steering committee of PKC: David Pointcheval
steering committee of LATINCRYPT: Michel Abdalla (chair)
steering committee of PAIRING: Michel Abdalla
steering committee of the Coding and Cryptography working group (GT-C2 - https://
Board of the International Association for Cryptologic Research (IACR): Michel Abdalla (2013 – 2018)
CT-RSA '17 – 14-17 February (San Francisco, California, USA): David Pointcheval
TCC '17 – 12-15 November (Baltimore, Maryland, USA): Hoeteck Wee
ICALP '17 – 10-14 July (Warsaw, Poland): Hoeteck Wee
Euro S&P '17 – 26-28 Apr (Paris, France) : Hoeteck Wee
PKC '17 – 28-31 March (Amsterdam, Netherlands): Hoeteck Wee, Georg Fuchsbauer
ASIACRYPT '17 – 3-7 December (Hong Kong): Georg Fuchsbauer
ACNS '17 – 10-12 July (Kanazawa, Japan): Georg Fuchsbauer
Indocrypt '17 – 10-13 Dec (Chennai, India): Georg Fuchsbauer
Africacrypt '17 – 24-26 May (Dakar, Senegal): Georg Fuchsbauer
of the International Journal of Applied Cryptography (IJACT) – Inderscience Publishers: David Pointcheval
of IET Information Security: Michel Abdalla
of ETRI Journal: Michel Abdalla
of Applicable Algebra in Engineering, Communication and Computing: David Pointcheval
of Journal of Cryptographic Engineering: Damien Vergnaud
Master: David Pointcheval, Jacques Stern, Damien Vergnaud, Introduction to Cryptology, M1, ENS
Master: Michel Abdalla, David Pointcheval, Cryptography, M2, MPRI
Master: Damien Vergnaud, Advanced Algebra and Applications to Cryptography, Ecole Centrale Paris
Master: David Pointcheval, Cryptography, M2, ESIEA
Bachelor: Georg Fuchsbauer, Cryptologie, 3e année, ESGI
PhD: Thierry Mefenza Nountu, Pseudo-Random Generators and Pseudo-Random Functions : Cryptanalysis and Complexity Measures, ENS, November 28th, 2017 (Supervisor: Damien Vergnaud)
PhD: Geoffroy Couteau, Zero-Knowledge Proofs for Secure Computation, ENS, November 30th, 2017 (Supervisor: David Pointcheval & Hoeteck Wee)
PhD: Pierrick Méaux, Hybrid Fully Homomorphic Framework, ENS, December 8th, 2017 (Supervisor: Vadim Lyubashevsky & David Pointcheval)
HdR: Céline Chevalier, UC-Secure Protocols using Smooth Projective Hash Functions, ENS, December 11th, 2017 (Supervisor: David Pointcheval)
PhD: Florian Bourse, Functional Encryption for Inner-Product Evaluations, ENS, December 13th, 2017 (Supervisors: Michel Abdalla & David Pointcheval)
PhD in progress: Raphael Bost, Symmetric Searchable Encryption, from 2014, David Pointcheval (with Pierre-Alain Fouque, at Rennes)
PhD in progress: Rafael Del Pino, Lattice-Based Cryptography – Complexity and Ideal-Lattices, from 2014, Vadim Lyubashevsky
PhD in progress: Aurélien Dupin, Multi-Party Computations, from 2015, David Pointcheval (with Christophe Bidan, at Rennes)
PhD in progress: Pierre-Alain Dupont, Secure Communications, from 2015, David Pointcheval
PhD in progress: Romain Gay, Functional Encryption, from 2015, Michel Abdalla & Hoeteck Wee
PhD in progress: Dahmun Goudarzi, Secure and Fast Cryptographic Implementation for Embedded Devices, from 2015, Damien Vergnaud
PhD in progress: Louiza Khati, Disk Encryption Modes, from 2015, Damien Vergnaud
PhD in progress: Michele Minelli, Increased efficiency and functionality through lattice-based cryptography, from 2015, Michel Abdalla & Hoeteck Wee
PhD in progress: Anca Nitulescu, Verifiable Outsourced Computations, from 2015, David Pointcheval
PhD in progress: Razvan Rosie, Practical Functional Encryption Schemes For the Cloud, from 2015, Michel Abdalla & Hoeteck Wee
PhD in progress: Quentin Santos, Advanced Cryptography from a Blockchain, from 2015, David Pointcheval
PhD in progress: Jérémy Chotard, Attribute-Based Encryption, from 2016, David Pointcheval (with Duong Hieu Phan, at Limoges)
PhD in progress: Michele Orrù, Functional Encryption, from 2016, Hoeteck Wee & Georg Fuchsbauer
PhD in progress: Balthazar Bauer, Transferable e-Cash, from 2017, Georg Fuchsbauer
PhD in progress: Chloé Hébant, Big Data and Privacy, from 2017, David Pointcheval (with Duong Hieu Phan, at Limoges)
PhD in progress: Mélissa Rossi, Post-Quantum Cryptography, from 2017, Michel Abdalla (with Henri Gilbert at ANSSI and Thomas Prest at Thales)
PhD Afonso Delerue Arriaga. Private Functional Encryption – Luxembourg University - Luxembourg – January 17th, 2017: Michel Abdalla (Examiner)
HdR Maria Naya-Plasencia. Symmetric Cryptography for Long- Term Security – Université Paris VI – France – May 5th, 2017: David Pointcheval (Reviewer)
PhD Benjamin Richard. Study of 3-Party Authentication and Key-Derivation Protocols – Université Rennes 1 - France – August 30th, 2017: Michel Abdalla (Reviewer)
PhD Thierry Mefenza Nountu. Pseudo-Random Generators and Pseudo-Random Functions: Cryptanalysis and Complexity Measures – ENS - France – November 28th, 2017: Damien Vergnaud (Supervisor)
PhD Geoffroy Couteau. Zero-Knowledge Proofs for Secure Computation – ENS - France – November 30th, 2017: David Pointcheval & Hoeteck Wee (Supervisors)
PhD Britta Hale. Low-Latency Key Exchange and Secure Channels – NTNU - Norway – December 5th, 2017: Michel Abdalla (Reviewer)
PhD Pierrick Méaux. Hybrid Fully Homomorphic Framework – ENS - France – December 8th, 2017: David Pointcheval (Supervisor)
HdR Céline Chevalier. UC-Secure Protocols using Smooth Projective Hash Functions – ENS - France – December 11th, 2017: David Pointcheval
PhD Florian Bourse. Functional Encryption for Inner-Product Evaluations – ENS - France – December 13th, 2017: Michel Abdalla & David Pointcheval (Supervisors)