If you want to attend, please contact the organizers: a relatively precise headcount is required to book appropriate rooms.

Rooms: Amphi B on Thursday afternoon and Friday morning, Amphi H on Friday afternoon.

Times: Thursday afternoon and Friday.

The goal of these lectures is to review the necessary mathematical background required to understand isogeny-based cryptography and to explain the two different approaches: one based on ordinary curves and one based on supersingular curves. The most important cryptographic protocols will be explained as well as the most efficient attacks on both systems.

Room: 115 (2nd floor, South aisle).

Times: Starting at 2pm on 19.04.2018, finishing at 3pm on 20.04.2018

Based on joint work with Daniele Micciancio: 2018/077.

Based on joint work with Dennis Hofheinz and Eike Kiltz. 2017/604.

Based on an ongoing joint work with Shi Bai and Damien Stehlé.

Room: 115 (2nd floor, South aisle).

Times: Starting at 3pm on 01.03.2018, finishing at 3pm on 02.03.2018

Based on joint work with Martin R. Albrecht, Benjamin R. Curtis, Amit Deo, Alex Davidson, Rachel Player, Eamonn Postlethwaite, and Thomas Wunderer: paper.

To ease this burden on the verifier, batch verification techniques have been proposed that allow one to combine and check multiple equations probabilistically using fewer operations than checking each equation individually. In this work, we revisit the batch verification problem and existing standard techniques. We introduce a new technique which, in contrast to previous work, enables us to fully exploit the structure of certain systems of equations. Equations of the appropriate form naturally appear in many protocols, e.g., due to the use of Groth-Sahai proofs.

The beauty of our technique is that the underlying idea is pretty simple: we observe that many systems of equations can alternatively be viewed as a single equation of products of polynomials for which probabilistic polynomial identity testing following Schwartz-Zippel can be applied. Comparisons show that our approach can lead to significant improvements in terms of the number of pairing evaluations. For example, for the BeleniosRF voting system presented at CCS 2016, we can reduce the number of pairings (required for ballot verification) from 4k+140, as originally reported by Chaidos et al., to k+7.

(k is a parameter depending on the number of alternatives in the ballot and is typically small, possibly k=1)

Based on joint work with Max Hoffmann, Michael Klooß, Carla Ràfols and Andy Rupp. 2017/802.

Based on joint work with Benoît Libert and Damien Stehlé.

Room: 115 (2nd floor, South aisle).

Work room, for around the talks: M7 meeting room (level 3, end of the South-East corridor).

Times: Starting at 2pm on 21.12.2017, finishing at 3pm on 22.12.2017

Based on joint work with Vadim Lyubashevsky, Gregory Neven and Gregor Seiler: 2017/1235.

Based on joint work with Léo Ducas and Max Fillinger: 2017/996.

Based on joint work with Thomas Pornin.

Room: 115 on Thursday, 116 on Friday (both on 2nd floor, South aisle).

Work room, for around the talks: 'Salle du Conseil du LIP' (3rd floor, next to Amphi B) on Thursday, 316C on Friday.

Times: Starting at 2pm on 21.12.2017, finishing at 3pm on 22.12.2017

Our construction has a ciphertext modulus whose bit size is linear in the circuit depth, thanks to a rescaling procedure, whereas all previous works either require an exponentially large modulus or expensive computations such as bootstrapping or bit extraction. One important feature of our method is that the precision loss during evaluation is bounded by the circuit depth and is at most one more bit compared with unencrypted approximate arithmetic such as floating-point operations. We show by implementation that our scheme can be applied to efficiently evaluate transcendental functions such as the multiplicative inverse, the exponential function, the logistic function, and the discrete Fourier transform.

Based on joint work with Miran Kim, Andrey Kim and Jung Hee Cheon: 2016/421.

Based on joint works with Nir Bitansky, Zvika Brakerski, Aayush Jain, Ilan Komargodski, Ryo Nishimaki and Daniel Wichs: 2016/558 and 2017/874.

Based on joint work with Jie Chen: 2017/859.

Room: 115 on Thursday, 116 on Friday (both on 2nd floor, South aisle).

Work room, for around the talks: 'Salle du Conseil du LIP' (3rd floor, next to Amphi B) on Thursday, 316C on Friday.

Times: Starting at 2pm on 16.11.2017, finishing at 3pm on 17.11.2017

In this talk, we will investigate the compatibility between families of symmetric encryption schemes and homomorphic evaluation, we will present the FLIP family of stream ciphers designed for FHE, and we will analyze its homomorphic behavior.

The presentation will be mostly based on joint work with Anthony Journault, François-Xavier Standaert and Claude Carlet: 2016/254.

Based on joint work with Carmen E. Z. Baltico, Dario Catalano and Dario Fiore: 2017/151.

Based on joint work with Elena Kirshanova and Thijs Laarhoven.

Room: 115 on Thursday, 116 on Friday (both on 2nd floor, South aisle).

Work room, for around the talks: 316C.

Times: Starting at 2pm on 19.10.2017, finishing at 3pm on 20.10.2017

Based on joint work with Nicolas Gama, Mariya Georgieva and Malika Izabachène: 2017/430.

Based on joint work with Vadim Lyubashevsky: 2017/280.

Based on joint work with Miruna Roșca and Damien Stehlé.

Room: 115 (2nd floor, South aisle).

Work room, for around the talks: 316C.

Times: Starting at 2pm on 21.09.2017, finishing at 3pm on 22.09.2017

Based on joint work with Martin Albrecht, Florian Göpfert and Thomas Wunderer: eprint 2017/815.

Room: B1 (4th floor, North aisle).

Work room, for around the talks: 316C.

Times: 9am to 4:30pm

– Our construction for reusable garbled circuits achieves the optimal "full" simulation-based security.

– When generalised to handle Q queries for any fixed polynomial Q, our ciphertext size grows additively with Q^2. Such query dependence of the ciphertext size has previously only been achieved in a weaker security game [Agr17].

– The ciphertext of our scheme can be divided into a succinct data-dependent component and a non-succinct data-independent component. This makes it well suited for optimization in an online-offline model that allows the majority of the computation to be performed in an offline phase, before the data becomes available.

Security of our scheme may be based on the Learning With Errors assumption (LWE) or its ring variant (Ring-LWE). To achieve our result, we provide new public key and ciphertext evaluation algorithms in the context of functional encryption. These algorithms are general, and may find application elsewhere.

Based on joint work with Alon Rosen: eprint 2016/361.

Based on joint work with Dan Boneh, Hart Montgomery, and David J. Wu: eprint 2017/100 and eprint 2017/380.

The talk will focus on GGH15. It will be composed of 3 parts: (1) the description of the GGHRSW obfuscator; (2) the description of the GGH15 maps; (3) the analysis of the GGH15-based obfuscator.

Based on joint work with Craig Gentry and Shai Halevi: eprint 2016/998.

Location: ENS Lyon, Monod campus.

Room: 116.

Work room, for around the talks: 316C.

Consequently, the heuristic security of SPRING is evaluated using known attacks and the complexity of the best known algorithms for breaking the underlying hard problem. We revisit the efficiency and security of SPRING when used as a pseudo-random generator. We propose a new variant which is competitive with AES in counter mode without hardware AES acceleration, and about four times slower than AES with hardware acceleration. In terms of security, we improve some previous analyses of SPRING and we estimate the security of our variant against classical algorithms and attacks. Finally, we implement our variant using AVX2 instructions, resulting in high performance on high-end desktop computers.

This is joint work with Charles Bouillaguet, Pierre-Alain Fouque and Paul Kirchner.

This is joint work with Carlos Aguilar-Melchor, Pierre-Alain Fouque, Vadim Lyubashevsky, Thomas Pornin and Thomas Ricosset.

We now turn to more traditional power analysis and EMA, and propose several attacks that can yield a full key recovery in that setting, the most striking of which exploits an easy SPA leakage in the rejection sampling algorithm used during signature generation. Existing implementations of that rejection sampling step, which is essential for security, actually leak the relative norm of the secret key in the totally real subfield of the cyclotomic field used in BLISS. We show how an extension to power-of-two cyclotomic fields of an algorithm due to Howgrave-Graham and Szydlo (ANTS 2004) can be used to recover the secret key from that relative norm, at least when the absolute norm is easy to factor (which happens for a significant fraction of secret keys). The entire attack is validated in practice using EMA experiments against an 8-bit AVR microcontroller, and an implementation of our generalized Howgrave-Graham–Szydlo algorithm in PARI/GP.

The talk will be based on this article.

This is joint work with Pierre-Alain Fouque, Benoît Gérard and Mehdi Tibouchi.

Location: ENS Lyon, Monod campus.

Room: 116 on Thursday morning, 115 the rest of the time.

Work room, for around the talks: 316C.

The talk will be based on this article.

This is joint work with Fabrice Benhamouda and Helger Lipmaa.

This is joint work with Benoît Libert, San Ling, Khoa Nguyen and Huaxiong Wang.

This is joint work with Shweta Agrawal, Sanjay Bhattacherjee, Duong Hieu Phan and Shota Yamada.

This is joint work with Fabrice Benhamouda, Léo Ducas and Willy Quach.

Location: ENS Lyon, Monod campus.

Room: 116.

Work room, for around the talks: 316C.

The talk will be based on this article.

This is joint work with Ilia Iliashenko and Frederik Vercauteren.

* The Gentry-Szydlo algorithm to perform a halving of dimension by working in the totally real subfield of the cyclotomic field.

* A q-descent procedure using lattice reduction and ideal arithmetic to reduce the problem to PIP for L(1/2)-smooth ideals.

* A linear algebra phase to solve the L(1/2)-smooth instances.

Throughout the presentation we will emphasize the relations between the commutative algebra side (ideal arithmetic, manipulation of number field elements, ...) and the geometric side (norm-related issues, lattice reduction, ...).

The talk will be based on this article.

Joint work with Pierre-Alain Fouque, Alexandre Gélin and Paul Kirchner.

The talk will be based on this article.

Joint work with Ronald Cramer and Benjamin Wesolowski.

Location: ENS Paris.

Room: Amphi Rataud.

Location: ENS Lyon, Monod campus.

Rooms: 115 on Thursday the 15th (main building, level 1, South aisle), Amphi G on Friday the 16th (ground floor, North aisle).

Work room, for around the talks: 316C.

Dates: This is indeed a Thursday and a Friday, not as usual!

Joint work with Elena Kirshanova.

The talk will be based on this article.

Joint work with Wessel P.J. van Woerden.

The talk will be based on this article.

Joint work with Vinod Vaikuntanathan, Hoeteck Wee and Daniel Wichs.

Location: ENS Lyon, Monod campus.

Rooms: 116 and then 115 (main building, level 1, South aisle).

The talk will be based on this article.

Joint work with Nicolas Gama and Mariya Georgieva and Malika Izabachène.

The talk will be based on this article.

Joint work with Rafael Del Pino, Michele Minelli and Hoeteck Wee.

The talk will be based on this article.

Joint work with Yehuda Lindell and Nigel P. Smart.

Location: ENS Lyon, Monod campus.

Room: A2 (main building, level 4, North aisle).

Warning: the meeting will be on Tuesday + Wednesday (instead of the usual Wednesday + Thursday).

The talk will be based on this article.

Joint work with Martin R. Albrecht, Dennis Hofheinz, Enrique Larraia and Kenneth G. Paterson.

The talk will be based on this article.

The talk will be based on this article.

Joint work with Sebastian Faust and Daniele Venturi.

Location: ENS Lyon, Monod campus.

Room: Amphi K on the 13th, Amphi I on the 14th (main building, Level 0, North side).

The talk will be based on this article.

Joint work with Joris Barrier, Serge Guelton, Adrien Guinet, Marc-Olivier Killijian and Tancrède Lepoint.

This is work in progress with Alex van Poppelen and Wessel van Woerden.

The talk will be based on this article.

Joint work with Erdem Alkim, Léo Ducas and Thomas Pöppelmann.

Joint work with Catalin Cocis, Fabien Laguillaumie and Adeline Langlois.

Location: ENS Lyon, Monod campus.

Room: 116 (main building, level 1, South aisle).

Joint work with Arnold Neumaier.

The talk will be based on this article and this article.

Joint work with Baojian Zhou, Wai Ho Mow and Xiao-Wen Chang.

The talk will be based on this article.

Joint work with Céline Chevalier, Adrian Thillard, and Damien Vergnaud.

Location: ENS Paris.

Room: W

The talk will be based on this article.

Joint work with Sergey Gorbunov and Vinod Vaikuntanathan.

The talk will be based on this article.

Joint work with Shweta Agrawal.

The talk will be based on this article.

Joint work with Léo Ducas.

Location: ENS Lyon, Monod campus.

Room: 116 (main building, level 1, South aisle).

Joint work with Anja Becker and Antoine Joux.

The talk will be based on this article.

Joint work with Alexander May.

Joint work with Martin R. Albrecht, Carlos Cid and Jean-Charles Faugère.

Location: ENS Lyon, Monod campus.

Room: 116 (main building, level 1, South aisle).

Suggested readings:

- Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions, M. Bellare, D. Micciancio and B. Warinschi.
- Short Group Signatures, D. Boneh, X. Boyen, and H. Shacham.

The talk will be based on this article. Joint work with San Ling and Huaxiong Wang.

The talk will be based on this article. Joint work with Martianus Frederic Ezerman, Hyung Tae Lee, San Ling and Huaxiong Wang.

Joint work with Carlos Aguilar Melchor, Olivier Blazy and Jean-Christophe Deneuville.

Before 09/2015.