AZTEC Overview Phong Nguyen (ENS, France) AZTEC Leader May 27, 2008, Antwerpen


Page 1

AZTEC Overview

Phong Nguyen (ENS, France), AZTEC Leader

May 27, 2008, Antwerpen

Page 2

AZTEC Goal

• To foster collaborative research in asymmetric cryptographic techniques

• Security is essential:
  – Provable security: identifying the exact security assumption, designs to achieve simple security assumptions.
  – Cryptanalysis: searching for attacks, studying hardness of computational problems.

• Design and analysis of new asymmetric techniques, possibly with special properties.

Page 3

AZTEC Composition

• 18 ECRYPT partners. Main partners = KUL, ENS, RHUL, UNISA, BRIS, G+, TUE.

• 9 countries:
  – 2/3 of all countries.
  – France, Belgium, Germany, U.K., Italy, Switzerland, Netherlands, Poland, Sweden.

Page 4

AZTEC Structure

• Leader: ENS (P. Nguyen and D. Catalano/M. Abdalla)

• WG1, Provable Security: BRIS (N. Smart and J. Malone-Lee)

• WG2, Cryptanalysis: TUE, RHUL (B. de Weger and S. Galbraith)

• WG3, Special Properties: AXALTO, UNISA (L. Goubin and P. Persiano)

Page 5

AZTEC Research Areas

• WG1: Security proofs, security designs.

• WG2: Algorithmic number theory, breaking cryptosystems.

• WG3: Searchable encryption, ID-based cryptography, traitor tracing, pairings.

Page 6

AZTEC Management Approach

• Two mailing-lists to communicate:
  – General for all AZTEC partners
  – WG leaders

• Rely on WG leaders: organize activities and meetings by WG.

• Activities focused on actual research, not “bureaucracy”.

Page 7

AZTEC Main Activities

– 3 summer schools
– 9 workshops: only on appropriate topics.
– 19 research retreats:

• 1 or 2-day meetings brainstorming on interesting research topics. Usually 10 participants per meeting.

• sometimes leading to papers, e.g. CRYPTO ’05, ICALP ’06, PKC ’07.

Page 8

AZTEC Research Retreat Example: WG2/2006 in Amsterdam

• About 16 people (ENS, IEM, BRIS, TUE, EDI, KUL, IBM)

• Topics discussed:
  – Discrete Logarithm on curves and finite fields
  – Lattices and NTRU
  – Finding small roots of polynomials and RSA
  – Security of pairings
  – Security of the new VSH hash function

Page 9

AZTEC Workshop Example: Post-Quantum Cryptography

• If large-scale quantum computers can be built, the main schemes (RSA and ECC) for public-key encryption and digital signatures become insecure.

• The workshop explored current alternatives: multivariate cryptography, lattice-based cryptography, coding-based cryptography.

• It also gave a state-of-the-art overview of quantum computing and quantum algorithms.

Page 10

AZTEC Report Deliverables

• WG1: « Provable Security : Designs and Open Questions » (50 pages). [D.AZTEC.5]

• WG2: « Hardness of the Main Computational Problems Used in Cryptography » (62 pages). [D.AZTEC.6]

• WG3: « New Technical Trends in Asymmetric Cryptography » (93 pages). [D.AZTEC.7]

Page 11

AZTEC Publications

• Regular publications at the major conferences/workshops: CRYPTO/EUROCRYPT and ASIACRYPT/PKC/ICALP.

• Regular participation in program committees.

Page 12

AZTEC Excellence in Research

• Best Paper Awards

– ASIACRYPT ’05: Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log [Provable Security]

– EUROCRYPT ’06: Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures [Cryptanalysis]

– EUROCRYPT ’08: Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves [Computational Assumptions]

Page 13

AZTEC Research Highlights

• Computational Assumptions
  – Discrete Log: finite fields and curves
  – Lattice reduction
  – RSA

• Cryptanalysis
  – Multivariate schemes, e.g. HFE and SFLASH
  – NTRU
  – Special cases of RSA

• Provable Security
  – Foundations
  – ID-based and beyond
  – Automating Security Proofs

Page 14

AZTEC Computational Assumptions

• Discrete log in finite fields
  – Antoine Joux, Reynald Lercier, Nigel P. Smart, Frederik Vercauteren: The Number Field Sieve in the Medium Prime Case. [CRYPTO 2006]

• Discrete log in curves
  – Benjamin Smith: Isogenies and the Discrete Logarithm Problem in Jacobians of Genus 3 Hyperelliptic Curves. [EUROCRYPT 2008]
  – Andreas Enge, Pierrick Gaudry: An L(1/3 + ε) Algorithm for the Discrete Logarithm Problem for Low Degree Curves. [EUROCRYPT 2007]

Page 15

AZTEC Computational Assumptions

• Lattice reduction
  – Phong Q. Nguyen, Damien Stehlé: Floating-Point LLL Revisited. [EUROCRYPT 2005]
  – Nicolas Gama, Phong Q. Nguyen: Finding Short Lattice Vectors within Mordell's Inequality. [STOC 2008]
  – Nicolas Gama, Phong Q. Nguyen: Predicting Lattice Reduction. [EUROCRYPT 2008]

• RSA
  – Antoine Joux, David Naccache, Emmanuel Thomé: When e-th Roots Become Easier Than Factoring. [ASIACRYPT 2007]

Page 16

AZTEC Cryptanalysis

• Multivariate Schemes
  – Vivien Dubois, Pierre-Alain Fouque, Adi Shamir, Jacques Stern: Practical Cryptanalysis of SFLASH. [CRYPTO 2007] (signature scheme recommended by the NESSIE European project in 2003)
  – Louis Granboulan, Antoine Joux, Jacques Stern: Inverting HFE Is Quasipolynomial. [CRYPTO 2006]

• NTRU
  – Phong Q. Nguyen, Oded Regev: Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures. [EUROCRYPT 2006]

• RSA
  – Ellen Jochemsz, Alexander May: A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N^0.073. [CRYPTO 2007]

Page 17

AZTEC Provable Security

• Foundations
  – Pascal Paillier, Damien Vergnaud: Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log. [ASIACRYPT 2005]
  – Alexander W. Dent: The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model. [EUROCRYPT 2006]

• ID-based and Beyond
  – Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno, Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, Haixia Shi: Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. [CRYPTO 2005]

• Automating Security Proofs
  – Bruno Blanchet, David Pointcheval: Automated Security Proofs with Sequences of Games.

Page 18

AZTEC Contributions of AZTEC to Integration: Two Examples

Page 19

AZTEC Cooperation within ECRYPT

– The first paper produced during a research retreat was published at CRYPTO ’05: ECRYPT partners are ENS-TUE-BRIS-KUL-G+.

– A research retreat at the end of 2005 led to a paper published at ICALP’06: “Identity-Based Encryption Gone Wild”.

– Building on that work, a 2006 retreat led to “Identity-Based Traitor Tracing”, published at PKC ’07.

Page 20

AZTEC Cooperation outside ECRYPT

• In 2005, ANSI requested opinions on the security of NTRU.

• At the end of 2005, ENS invited N. Howgrave-Graham (USA) to work on NTRU lattices: two publications in 2006 (EUROCRYPT and CRYPTO).

• ENS worked with O. Regev (Israel) on NTRU signatures: Best Paper Award at EUROCRYPT ’06.

Page 21

AZTEC Interactions with other Virtual Labs

• STVL: Joint summer schools, algebraic analysis, and impact of hash function collisions.

• VAMPIRE: eBats.

• PROVILAB:

– UNISA is co-leader of AZTEC WG3, and leader of PROVILAB WG1.

– Several topics are at the frontier: key exchange, ID-based crypto.

Page 22

AZTEC Research Perspectives

• Computational assumptions: arguably not enough work compared to provable security.

• Security proofs:
  – Better understanding, in particular in the Random Oracle Model.
  – Make them easier to produce/verify.

• Find credible alternatives to RSA/ECC, resistant to quantum computers.

Page 23

AZTEC Conclusions

• AZTEC research has been productive

• EU collaboration has been strengthened

• There are major open problems in public-key cryptology

• Looking forward to ECRYPT II's MAYA