2025Activity‌​‌ reportProject-TeamCASCADE

2.1 Presentation

Cryptographic algorithms‌ play the role of‌​‌ locks, seals, and identity​​ documents on the Internet.​​​‌ They are fundamental to‌ securing online banking, protecting‌​‌ medical and personal data,​​ and enabling trusted e-commerce​​​‌ and e-government services.

These‌ algorithms serve different but‌​‌ complementary purposes. Encryption safeguards​​ sensitive information against unauthorized​​​‌ access. Digital signature schemes‌ — often combined with‌​‌ hash functions — and​​ message authentication codes (MACs)​​​‌ provide the electronic equivalent‌ of handwritten signatures, ensuring‌​‌ integrity and authenticity in​​ digital transactions. Identification protocols​​​‌ allow parties to verify‌ each other’s identity securely,‌​‌ even at a distance.​​

Taken together, cryptology is​​​‌ a field of research‌ with major strategic importance‌​‌ for industry, individuals, and​​ society as a whole.​​​‌

The research activities of‌ the CASCADE project-team address‌​‌ the following topics, which​​ cover most of the​​​‌ areas currently active in‌ the international cryptographic community,‌​‌ with a focus on​​ public-key algorithms:

1. Algorithm and​​​‌ protocol design, with provable‌ security;
2. Theoretical and practical‌​‌ attacks.

2.2 Design of​​ Provably Secure Primitives and​​​‌ Protocols

Since the advent‌ of public-key cryptography, marked‌​‌ by the seminal Diffie–Hellman​​ paper, many algorithmic problems​​​‌ suitable for cryptographic use‌ have been proposed, and‌​‌ numerous cryptographic schemes have​​ been designed—often accompanied by​​​‌ more or less heuristic‌ proofs of their security,‌​‌ based on the assumed​​ intractability of the underlying​​​‌ problems. However, many of‌ these schemes have subsequently‌​‌ been broken. The mere​​ fact that a cryptographic​​​‌ algorithm has withstood cryptanalytic‌ attacks for several years‌​‌ is often taken as​​ a kind of validation,​​​‌ but it may take‌ a long time before‌​‌ a scheme is broken.​​ As a result, the​​​‌ absence of known attacks‌ at a given time‌​‌ should never be considered​​ a full validation of​​​‌ a scheme’s security.

A‌ fundamentally different approach is‌​‌ offered by the concept​​ of provable security. A​​​‌ significant line of research‌ has aimed to provide‌​‌ formal proofs within the​​ framework of computational complexity​​​‌ theory (also known as‌ reductionist security proofs). These‌​‌ proofs reduce the task​​ of breaking a cryptographic​​​‌ protocol to solving a‌ well-studied hard problem (e.g.,‌​‌ factoring, RSA, or the​​ discrete logarithm problem).

Initially,​​​‌ researchers focused on defining‌ the security notions required‌​‌ by practical cryptographic schemes,​​ and then designing protocols​​​‌ that satisfied these notions.‌ The techniques were derived‌​‌ directly from complexity theory,​​ relying on polynomial-time reductions.​​​‌ However, this line of‌ work was primarily theoretical‌​‌ in nature. The goal​​ was to minimize the​​​‌ assumptions needed on cryptographic‌ primitives (e.g., one-way functions,‌​‌ permutations, possibly with trapdoors),​​ without regard to practical​​​‌ efficiency. Thus, it was‌ sufficient to design a‌​‌ scheme with polynomial-time algorithms​​ and to present polynomial​​​‌ reductions from the hardness‌ of the underlying problem‌​‌ to an attack on​​ the security notion, in​​​‌ an asymptotic sense. However,‌ such results have limited‌​‌ practical impact on real-world​​ security.

Over time, the​​​‌ community has sought more‌ efficient, quantitatively meaningful reductions—an‌​‌ approach known as exact​​​‌ or concrete security—which aims​ to produce security guarantees​‌ that are not only​​ theoretically sound but also​​​‌ practically relevant, with concrete​ efficiency parameters.

To this​‌ aim, a cryptographer has​​ to deal with the​​​‌ following four important steps,​ which are all main​‌ goals of ours:

• computational​​ assumptions,
  which are​​​‌ the foundation of the​ security. We thus need​‌ to have a strong​​ evidence that the computational​​​‌ problems are reasonably hard​ to solve, for concrete​‌ parameters;
• security model,​​
  which makes precise the​​​‌ security notions one wants​ to achieve, as well​‌ as the means the​​ adversary may be given.​​​‌ We contribute to this​ point, in several ways:​‌

  • by providing security models​​ for many primitives and​​​‌ protocols;
  • by enhancing some​ classical security models;
  • by​‌ considering new means for​​ the adversary.
• design
  of​​​‌ new schemes/protocols, or more​ efficient ones, with additional​‌ features, etc.
• security proof​​,
  which consists in​​​‌ exhibiting a reduction.

2.3​ Attacks and security analysis​‌

But, some schemes are​​ still published without complete​​​‌ security proofs, hence their​ security requires further analysis,​‌ and attacks may be​​ found. And even for​​​‌ provably secure schemes, attacks​ are not excluded, and​‌ may appear at several​​ levels:

• A computational assumption​​​‌ may prove wrong. So​ we study them, and​‌ in particular the ones​​ that are believed to​​​‌ resist quantum computers.
• the​ security model may be​‌ inappropriate, and allow for​​ devastating attacks in concrete​​​‌ usage scenarios.

3.1 Quantum-safe cryptography​‌

The security of almost​​ all public-key cryptographic protocols​​​‌ in use today relies​ on the presumed hardness​‌ of problems from number​​ theory such as factoring​​​‌ and computing discrete logarithms.​ This is problematic because​‌ these problems have very​​ similar underlying structure, and​​​‌ its unforeseen exploit can​ render all currently used​‌ public-key cryptography insecure. This​​ structure was in fact​​​‌ exploited by Shor to​ construct efficient quantum algorithms​‌ that break all hardness​​ assumptions from number theory​​​‌ that are currently in​ use. And so naturally,​‌ an important area of​​ research is to build​​​‌ provably secure protocols based​ on mathematical problems that​‌ are unrelated to factoring​​ and discrete log. One​​​‌ of the most promising​ directions in this line​‌ of research is using​​ lattice problems as a​​​‌ source of computational hardness,​ which also offer features​‌ that other alternative public-key​​ cryptosystems (such as MQ-based,​​​‌ code-based, isogeny-based or hash-based​ schemes) cannot provide. The​‌ ERC Advanced Grant PARQ​​ aims at evaluating the​​​‌ security of lattice-based cryptography,​ with respect to the​‌ most powerful adversaries, such​​ as quantum computers and​​​‌ large-scale parallel computers.

In​ the meantime, although a​‌ universal quantum computer may​​ be some decades in​​​‌ the future, quantum communication​ and quantum error correcting​‌ codes are beginning to​​ become concretely available. It​​​‌ is already possible to​ prepare, manipulate and precisely​‌ control systems involving a​​ few quantum information bits​​​‌ (qubits). Such quantum technologies​ could help improve the​‌ efficiency and security of​​ concrete cryptographic protocols. The​​​‌ ANR JCJC project CryptiQ​ aims at considering three​‌ possible scenarios (first, the​​ simple existence of a​​ quantum attacker, then the​​​‌ access to quantum communication‌ for anyone, and finally‌​‌ a complete quantum world)​​ and studies the consequences​​​‌ on the cryptographic protocols‌ currently available. This implies‌​‌ elaborating adversarial models and​​ designing or analyzing concrete​​​‌ protocols with formal security‌ proofs, in order to‌​‌ get ready as soon​​ as one of these​​​‌ scenarios becomes the new‌ reality.

3.2 Computations on‌​‌ encrypted data

In the​​ area of computations on​​​‌ encrypted data, there are‌ three main families of‌​‌ approaches:

• Advanced Encryption,
  with​​ fully homomorphic encryption and​​​‌ functional encryption:

  • Fully Homomorphic‌ Encryption (FHE), which has‌​‌ been announced in 2009,​​ allows to perform any​​​‌ computation on encrypted data,‌ getting the result encrypted‌​‌ under the same key.​​ This is perfect in​​​‌ order to outsource computation‌ in the Cloud, on‌​‌ encrypted data: the Cloud​​ provider does not learn​​​‌ any information;
  • Functional Encryption‌ (FE), proposed in 2011,‌​‌ allows an authority to​​ deliver functional decryption keys,​​​‌ for any function $\mathrm{f‌}$ of his choice, so‌​‌ that on the encryption​​ of any message $\mathrm{m‌}$, the functional decryption‌ key leads to $\mathrm{f‌‌}\left(m\right)$.​​ This is a generalization​​​‌ of Identity-Based Encryption (IBE),‌ Attribute-Based Encryption (ABE) and‌​‌ Predicate Encryption (PE), which​​ where limited to the​​​‌ identity function, under some‌ access-control.
• Secure Multi-Party Computation‌​‌ (SMPC)
  is an interactive​​ protocol between 2 or​​​‌ more parties, with their‌ own private inputs. After‌​‌ several communications, this is​​ possible to let each​​​‌ party to learn specific‌ evaluations on the inputs,‌​‌ and nothing else.
• Searchable​​ Symmetric Encryption (SSE)
  proposes​​​‌ a trade-off between efficiency‌ and security, using fast‌​‌ (structured) symmetric encryption, but​​ allowing some leakage of​​​‌ information. The goal is‌ akin to private information‌​‌ retrieval: one can retrieve​​ records in a database​​​‌ without leaking much information‌ about the query.

4.1 Privacy​​ for the Cloud

Many​​​‌ companies have already started‌ the migration to the‌​‌ Cloud and many individuals​​ share their personal informations​​​‌ on social networks. While‌ some of the data‌​‌ are public information, many​​ of them are personal​​​‌ and even quite sensitive.‌ Unfortunately, the current access‌​‌ mode is purely right-based:​​ the provider first authenticates​​​‌ the client, and grants‌ him access, or not,‌​‌ according to his rights​​ in the access-control list.​​​‌ Therefore, the provider itself‌ not only has total‌​‌ access to the data,​​ but also knows which​​​‌ data are accessed, by‌ whom, and how: privacy,‌​‌ which includes secrecy of​​ data (confidentiality), identities (anonymity),​​​‌ and requests (obliviousness), should‌ be enforced. Moreover, while‌​‌ high availability can easily​​ be controlled, and thus​​​‌ any defect can immediately‌ be detected, failures in‌​‌ privacy protection can remain​​ hidden for a long​​​‌ time. The industry of‌ the Cloud introduces a‌​‌ new implicit trust requirement:​​ nobody has any idea​​​‌ at all of where‌ and how his data‌​‌ are stored and manipulated,​​ but everybody should blindly​​​‌ trust the providers. The‌ providers will definitely do‌​‌ their best, but this​​ is not enough. Privacy-compliant​​​‌ procedures cannot be left‌ to the responsibility of‌​‌ the provider: however strong​​​‌ the trustfulness of the​ provider may be, any​‌ system or human vulnerability​​ can be exploited against​​​‌ privacy. This presents too​ huge a threat to​‌ tolerate. The distribution of​​ the data and the​​​‌ secrecy of the actions​ must be given back​‌ to the users. It​​ requires promoting privacy as​​​‌ a global security notion.​

In order to protect​‌ the data, one needs​​ to encrypt it. Unfortunately,​​​‌ traditional encryption systems are​ inadequate for most applications​‌ involving big, complex data.​​ Recall that in traditional​​​‌ public key encryption, a​ party encrypts data to​‌ a single known user,​​ which lacks the expressiveness​​​‌ needed for more advanced​ data sharing. In enterprise​‌ settings, a party will​​ want to share data​​​‌ with groups of users​ based on their credentials.​‌ Similarly, individuals want to​​ selectively grant access to​​​‌ their personal data on​ social networks as well​‌ as documents and spreadsheets​​ on Google Docs. Moreover,​​​‌ the access policy may​ even refer to users​‌ who do not exist​​ in the system at​​​‌ the time the data​ is encrypted. Solving this​‌ problem requires an entirely​​ new way of encrypting​​​‌ data.

A first natural​ approach would be fully​‌ homomorphic encryption (FHE, see​​ above), but a second​​​‌ one is also Functional​ Encryption (FE), that is​‌ an emerging paradigm for​​ public-key encryption: it enables​​​‌ more fine-grained access control​ to encrypted data, for​‌ instance, the ability to​​ specify a decryption policy​​​‌ in the ciphertext so​ that only individuals who​‌ satisfy the policy can​​ decrypt, or the ability​​​‌ to associate keywords to​ a secret key so​‌ that it can only​​ decrypt documents containing the​​​‌ keyword. Our work on​ functional encryption centers around​‌ two goals:

1. to obtain​​ more efficient pairings-based functional​​​‌ encryption;
2. and to realize​ new functionalities and more​‌ expressive functional encryption schemes.​​

Another approach is secure​​​‌ multi-party computation protocols,​ where interactivity might provide​‌ privacy in a more​​ efficient way, namely for​​​‌ machine learning techniques. Machine​ learning makes an intensive​‌ use of comparisons, for​​ the activation of neurons,​​​‌ and new approaches have​ been proposed for efficient​‌ comparisons with interactive protocols.​​

4.2 Searchable Encryption

Searchable​​​‌ Encryption (SE) is another​ technique that aims to​‌ protect users' privacy with​​ regard to data uploaded​​​‌ to the cloud. Searchable​ Encryption is equally concerned​‌ with scalability, with the​​ aim to accomodate large​​​‌ real-world databases. As a​ concrete application, an email​‌ provider may wish to​​ store its users’ emails​​​‌ in an encrypted form​ to provide privacy; but​‌ it is obviously highly​​ desirable that users should​​​‌ still be able to​ search for emails that​‌ contain a given word,​​ or whose date falls​​​‌ within a given range.​ Businesses may also want​‌ to outsource databases containing​​ sensitive information, such as​​​‌ client data, for example​ to dispense with a​‌ costly dedicated IT department.​​ To be usable at​​​‌ all, the outsourced encrypted​ database should still offer​‌ some form of search​​ functionality. Failing that, the​​​‌ entire database must be​ downloaded to process each​‌ query to the database,​​ defeating the purpose of​​ cloud storage.

In many​​​‌ contexts, the amount of‌ data outsourced by a‌​‌ client is large, and​​ the overhead incurred by​​​‌ generic solutions such as‌ FHE or FE becomes‌​‌ prohibitive. The goal of​​ Searchable Encryption is to​​​‌ find practical trade-offs between‌ privacy, functionality, and efficiency.‌​‌ Regarding functionality, the focus​​ is mainly on privately​​​‌ searching over encrypted cloud‌ data, altough many SE‌​‌ schemes also support simple​​ forms of update operation.​​​‌ Regarding privacy, SE typically‌ allows the server to‌​‌ learn some information on​​ the encrypted data. This​​​‌ information is formally captured‌ by a leakage function‌​‌. Security proofs show​​ that the cloud server​​​‌ does not learn any‌ more information about the‌​‌ client's data than what​​ is expressed by the​​​‌ leakage function.

The additional‌ flexibility afforded by allowing‌​‌ a controlled amount of​​ leakage enables SE to​​​‌ offer highly efficient solutions,‌ which can be deployed‌​‌ in practice on large​​ datasets. The main goal​​​‌ of our research in‌ this area is to‌​‌ analyze the precise privacy​​ impact of different leakage​​​‌ functions; propose new techniques‌ to reduce this leakage;‌​‌ as well as extend​​ the range of functionality​​​‌ achieved by Searchable Encryption.‌

4.3 Post-Quantum Standardization

In‌​‌ recent years, there has​​ been very significant investment​​​‌ on research on quantum‌ computers – machines that‌​‌ exploit quantum mechanical phenomena​​ to solve mathematical problems​​​‌ that are difficult or‌ intractable for conventional computers.‌​‌ If large-scale quantum computers​​ are ever built, they​​​‌ will be able to‌ break many of the‌​‌ public-key cryptosystems currently in​​ use. This would seriously​​​‌ compromise the confidentiality and‌ integrity of digital communications‌​‌ on the Internet and​​ elsewhere. The goal of​​​‌ post-quantum cryptography (also called‌ quantum-resistant cryptography or quantum-safe‌​‌ cryptography) is to develop​​ cryptographic systems that are​​​‌ secure against both quantum‌ and classical computers, and‌​‌ can interoperate with existing​​ communication protocols and networks.​​​‌

In 2016, NIST initiated‌ a process to solicit,‌​‌ evaluate, and standardize one​​ or more quantum-resistant public-key​​​‌ cryptographic algorithms. The first‌ selection of standards was‌​‌ announced in July 2022.​​ Out of the first​​​‌ four standards, three are‌ based on lattice problems:‌​‌ CRYSTALS-KYBER for encryption, CRYSTALS-DILITHIUM​​ and FALCON for signature.​​​‌ We study the best‌ lattice algorithms in order‌​‌ to assess the security​​ of the three NIST​​​‌ standards (and two other‌ NIST finalists SABER and‌​‌ NTRU) based on the​​ hardness of lattice problems.​​​‌

4.4 Provable Security for‌ the Quantum Internet

With‌​‌ several initiatives such as​​ the development of a​​​‌ 2,000 km quantum network‌ in China, the access‌​‌ of IBM's quantum platform​​ freely available and the​​​‌ efforts made in the‌ EU for instance with‌​‌ the quantum internet alliance​​ team, we can assume​​​‌ that in a further‌ future, not only the‌​‌ adversary has potential access​​ to a quantum computer,​​​‌ but everybody may have‌ access to quantum channels,‌​‌ allowing honest parties to​​ exchange quantum data up​​​‌ to a limited amount.‌ Going one step further‌​‌ than post-quantum cryptography, it​​ is therefore needed to​​​‌ carefully study the security‌ models and properties of‌​‌ classical protocols or the​​​‌ soundness of classical theoretical​ results in such a​‌ setting. Some security notions​​ have already been defined​​​‌ but others have to​ be extended, such as​‌ the formal treatment of​​ superposition attacks initiated by​​​‌ Zhandry.

On the positive​ side, some quantum primitives​‌ which are already well-studied,​​ unconditionally quantum secure and​​​‌ already deployed in practice​ (such as Quantum Key​‌ Distribution) allow for new​​ security properties such as​​​‌ everlasting confidentiality for sensitive​ long-lived data (which holds​‌ even if an attacker​​ stores encrypted data now​​​‌ and decrypts them later​ when a quantum computer​‌ becomes available). We intend​​ to study to what​​​‌ extent allowing honest parties​ to have access to​‌ currently available (or near-term)​​ quantum technologies allows to​​​‌ achieve quantum-enhanced protocols (for​ classical functionalities) with improved​‌ security or efficiency beyond​​ what is possible classically.​​​‌

5.1 Footprint of​‌ research activities

Unfortunately, private​​ computation is usually at​​​‌ a huge cost: it​ definitely costs more to​‌ compute on encrypted data​​ than on clear inputs.​​​‌ However, our goal is​ definitely to reduce this​‌ cost, as it will​​ improve the user experience​​​‌ at the same time,​ with shorter computation time.​‌

5.2 Impact of research​​ results

Strong privacy for​​​‌ the Cloud would have​ a huge societal impact​‌ since it would revolutionize​​ the trust model: users​​​‌ would be able to​ make safe use of​‌ outsourced storage, namely for​​ personal, financial and medical​​​‌ data, without having to​ worry about failures or​‌ attacks of the server.​​

Both design of new​​​‌ primitives and study of​ the best attacks are​‌ essential for this goal.​​

7.1 Latest software developments​​​‌

7.2 New platforms

Participants:​ Not Applicable.

Not​‌ applicable.

7.3 Open data​​

Participants: Henry Bambury,​​​‌ Nicolas Bon, Alexandre​ Camelin, Céline Chevalier​‌, Guirec Lebrun,​​ Jules Maire, Brice​​​‌ Minaud, Phong Nguyen​, David Pointcheval,​‌ Robert Schadlich.

9.1 Bilateral​​​‌ contracts with industry

• PhD​ CIFRE CryptoExperts
  – Nicolas​‌ Bon (2022–2025) – Design​​ of optimized operations for​​​‌ homomorphic cryptography
• PhD ANSSI​
  – Guirec Lebrun (2022–2025)​‌ – Protocoles cryptographiques d’authentification​​ post-quantique
• PhD Thales
  –​​​‌ Éric Sageloli (2023–2026) –​ Sécurité de protocoles et​‌ primitives cryptographiques face à​​ un attaquant quantique
• PhD​​​‌ Airbus
  – Roderick Asselineau​ (2025–2028) – Cryptanalyse de​‌ constructions symétriques et extraction​​ de modèles IA

9.2​​​‌ Grants with industry

10.1​​ International initiatives

10.2 European​​ initiatives

10.3 National​ initiatives

11.1 Promoting scientific​‌ activities

11.2 Teaching‌ - Supervision - Juries‌​‌ - Educational and pedagogical​​ outreach

• Introduction to Cryptology​​​‌ (ENS 1st year students):‌ a total of 20‌​‌ hours of lecture, 20​​ hours of TA/year
• Techniques​​​‌ in cryptography and cryptanalysis‌ (Master M2 MPRI): 24‌​‌ hours of lecture/year
• Cryptography​​ (Master MSSIS, ESIEA)
• Joint​​​‌ directorship of MPRI (M2,‌ PSL/IPP/UPC/UPS).
• Examinator for entrance‌​‌ exams to ENS (oral​​ exam in Fundamental Computer​​​‌ Science).
• Corrector for entrance‌ exams to ENS (written‌​‌ exam in Fundamental Computer​​ Science).

11.3‌​‌ Popularization

12.1 Major‌ publications

• 1 articleM.‌​‌Michel Abdalla, D.​​Dario Catalano and D.​​​‌Dario Fiore. Verifiable‌ Random Functions: Relations to‌​‌ Identity-Based Key Encapsulation and​​ New Constructions.Journal​​​‌ of Cryptology273‌2014, 544-593
• 2‌​‌ articleM.Masayuki Abe​​, G.Georg Fuchsbauer​​​‌, J.Jens Groth‌, K.Kristiyan Haralambiev‌​‌ and M.Miyako Ohkubo​​. Structure-Preserving Signatures and​​​‌ Commitments to Group Elements‌.Journal of Cryptology‌​‌2922016,​​ 363--421
• 3 inproceedingsD.​​​‌Divesh Aggarwal, J.‌Jianwei Li, P.‌​‌ Q.Phong Q Nguyen​​ and N.Noah Stephens-Davidowitz​​​‌. Slide Reduction, Revisited—Filling‌ the Gaps in SVP‌​‌ Approximation.CRYPTO 2020​​ - 40th Annual International​​​‌ Cryptology ConferenceSanta Barbara‌ / Virtual, United States‌​‌August 2020, 274-295​​HALDOI
• 4 inproceedings​​​‌F.Fabrice Benhamouda,‌ O.Olivier Blazy,‌​‌ C.Céline Chevalier,​​ D.David Pointcheval and​​​‌ D.Damien Vergnaud.‌ New Techniques for SPHFs‌​‌ and Efficient One-Round PAKE​​ Protocols.Advances in​​​‌ Cryptology -- Proceedings of‌ CRYPTO '13 (1)8042‌​‌Lecture Notes in Computer​​ ScienceSpringer2013,​​​‌ 449-475
• 5 inproceedingsP.‌Pyrros Chaidos, V.‌​‌Véronique Cortier, G.​​Georg Fuchsbauer and D.​​​‌David Galindo. BeleniosRF:‌ A Non-interactive Receipt-Free Electronic‌​‌ Voting Scheme.Proceedings​​ of the 23rd ACM​​​‌ Conference on Computer and‌ Communications Security (CCS '16)‌​‌ACM Press2016,​​ 1614--1625
• 6 inproceedingsJ.​​​‌Jérémy Chotard, E.‌Edouard Dufour Sans,‌​‌ R.Romain Gay,​​ D.David Pointcheval and​​​‌ D. H.Duong Hieu‌ Phan. Decentralized Multi-Client‌​‌ Functional Encryption for Inner​​ Product.ASIACRYPT '18​​​‌ - 24th Annual International‌ Conference on the Theory‌​‌ and Application of Cryptology​​​‌ and Information SecurityLecture​ Notes in Computer Science​‌Advances in Cryptology -​​ ASIACRYPT '1811273Brisbane,​​​‌ AustraliaSpringerDecember 2018​HALDOI
• 7 inproceedings​‌Y.Yevgeniy Dodis,​​ D.David Pointcheval,​​​‌ S.Sylvain Ruhault,​ D.Damien Vergnaud and​‌ D.Daniel Wichs.​​ Security Analysis of Pseudo-Random​​​‌ Number Generators with Input:​ /dev/random is not Robust​‌.Proceedings of the​​ 20th ACM Conference on​​​‌ Computer and Communications Security​ (CCS '13)Berlin, Germany​‌ACM Press2013,​​ 647--658
• 8 inproceedingsR.​​​‌Romain Gay, D.​Dennis Hofheinz, E.​‌Eike Kiltz and H.​​Hoeteck Wee. Tightly​​​‌ CCA-Secure Encryption Without Pairings​.Advances in Cryptology​‌ -- Proceedings of Eurocrypt​​ '16 (2)9665Lecture​​​‌ Notes in Computer Science​Springer2016, 1--27​‌
• 9 inproceedingsS.Sergey​​ Gorbunov, V.Vinod​​​‌ Vaikuntanathan and H.Hoeteck​ Wee. Predicate Encryption​‌ for Circuits from LWE​​.Advances in Cryptology​​​‌ -- Proceedings of CRYPTO​ '15 (2)9216Lecture​‌ Notes in Computer Science​​Springer2015, 503-523​​​‌
• 10 articleV.Vadim​ Lyubashevsky, C.Chris​‌ Peikert and O.Oded​​ Regev. On Ideal​​​‌ Lattices and Learning with​ Errors over Rings.​‌Journal of the ACM​​6062013,​​​‌ 43:1--43:35
• 11 inproceedingsB.​Brice Minaud and M.​‌Michael Reichle. Dynamic​​ Local Searchable Symmetric Encryption​​​‌.Crypto 2022 -​ 42nd Annual International Cryptology​‌ ConferenceLNCS - 13510​​Advances in Cryptology –​​​‌ CRYPTO 2022Santa Barbara,​ United StatesSpringerAugust​‌ 2022HALDOI
• 12​​ inproceedingsW.Willy Quach​​​‌, H.Hoeteck Wee​ and D.Daniel Wichs​‌. Laconic Function Evaluation​​ and Applications.59th​​​‌ Annual IEEE Symposium on​ Foundations of Computer Science​‌ (FOCS 2018)IEEE2018​​

12.2 Publications of the​​​‌ year