News
2018-12-08
Information for the excursion.
2018-09-27
Published list of accepted papers.
2018-09-26
Registration site open.
Program
Friday 7 December

9:00   Registration
9:30   Invited talk: Nadia Heninger—Biased nonce sense: Lattice attacks against weak ECDSA signatures in the wild
10:30  Coffee break
11:00  Contributed papers
       Attack on Kayawood protocol: uncloaking private keys
       (Matvei Kotov, Anton Menshov and Alexander Ushakov)
       Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure
       (Eyal Ronen, Kenny Paterson and Adi Shamir)
       Practical state recovery attacks against legacy RNG implementations
       (Shaanan Cohney, Matthew D. Green and Nadia Heninger)
12:30  Lunch
2:00   Invited talk: Thomas Peyrin—From Collisions to Chosen-Prefix Collisions: Application to Full SHA-1
3:00   Coffee break
3:30   RAPPER: Ransomware Prevention via Performance Counters
       (Manaar Alam, Sayan Sinha, Sarani Bhattacharya, Swastika Dutta, Debdeep Mukhopadhyay and Anupam Chattopadhyay)
       Invited talk: Mehdi Tibouchi—LWE without Modular Reduction and Improved Side-Channel Attacks against BLISS
Later  Workshop Dinner

Saturday 8 December

9:30   Invited talk: Steven Galbraith—Isogeny cryptography: strengths, weaknesses and challenges
10:30  Coffee break
11:00  Contributed papers
       A note on the security of CSIDH
       (Jean-François Biasse, Annamaria Iezzi and Michael Jacobson)
       Practical Fault Injection Attacks on SPHINCS
       (Aymeric Genet, Matthias J. Kannwischer, Hervé Pelletier and Andrew McLauchlan)
       Sensorless, Permissionless Information Exfiltration with Wi-Fi Micro-jamming
       (Rom Ogen, Omer Shwartz, Kfir Zvi and Yossi Oren)
12:30  Lunch
2:00   Invited talk: Debdeep Mukhopadhyay—Automation of Fault Analysis
3:00   Coffee break
3:30   Contributed papers
       Quiescent Photonics Side Channel Analysis: Low Cost SRAM Readout Attack
       (Mustafa Faraj and Catherine Gebotys)
       The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
       (Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom)
       Side-channel Analysis: Do Convolutional Neural Networks Come to the Rescue
       (Stjepan Picek, Jaehun Kim, Shivam Bhasin, Annelie Heuser and Ioannis Petros Samiotis)

Sunday 9 December

Touring the Adelaide Hills.
Important Dates
Submissions: 15 Jun 2018, extended to 25 Jun 2018 (23:59 Anywhere on Earth)
Notification: 15 Aug 2018, extended to 31 Aug 2018
Final version: 30 Sep 2018, extended to 15 Oct 2018
Other Events
Invited Talks
Steven Galbraith: Isogeny cryptography: strengths, weaknesses and challenges
Abstract: Isogeny-based cryptography is a candidate for post-quantum
cryptography. It was first suggested by Couveignes, Charles-Goren-Lauter and
Rostovtsev-Stolbunov, and received a major boost with the work of Jao and de
Feo. Currently it is a very active area of research. This talk will give a
brief overview of post-quantum cryptography and isogeny-based cryptography. I
will discuss some of the strengths and weaknesses of isogeny-based crypto, and
mention a number of open problems.
Nadia Heninger: Biased nonce sense: Lattice attacks against weak ECDSA signatures in the wild
Debdeep Mukhopadhyay: Automation of Fault Analysis
Abstract:
Differential Fault Analysis (DFA) is a powerful attack tool for block ciphers.
Since its conception around 1997 it has been used to develop efficient key
retrieval methodologies for cryptographic implementations. This talk looks at
the DFA developed for block ciphers like AES and addresses the question: is it
possible to automate such attacks? Automation in this context is essential, as
the trend of developing precisely engineered ciphers is growing day by day. To
answer this question the talk discusses two approaches we have taken. The first
tool, called EXPFault, is a data-mining based approach that develops an
average-case analysis on a graphical model of a block cipher. In the second part
of the talk, we describe a machine-learning based approach to speed up the
determination of DFA feasibility in the worst-case scenario for the designer.
The two tools are complementary and lead to new DFA-resistance insights for
block ciphers that were not previously reported in the literature.
Bio: Debdeep Mukhopadhyay is currently a full Professor at the
Department of Computer Science and Engineering, IIT Kharagpur, India.
At IIT Kharagpur he initiated the Secured Embedded Architecture Laboratory
(SEAL), with a focus on embedded security and side-channel attacks
(http://cse.iitkgp.ac.in/resgrp/seal/). Prior to this he worked as Associate
Professor at IIT Kharagpur, visiting
scientist at NTU Singapore, a visiting Associate Professor of NYU-Shanghai,
Assistant Professor at IIT-Madras, and as Visiting Researcher at NYU
Tandon-School-of-Engineering, USA. He holds a PhD, an MS, and a B. Tech from
IIT Kharagpur, India. Dr. Mukhopadhyay's research interests are Cryptography,
Hardware Security, and VLSI. His books include Fault Tolerant Architectures for
Cryptography and Hardware Security (Springer), Cryptography and Network
Security (McGraw Hill), Hardware Security: Design, Threats, and Safeguards
(CRC Press), and Timing Channels in Cryptography (Springer). He has written
more than 150 papers in peer-reviewed conferences and journals and has
collaborated with several Indian and foreign organizations. He has served on the
program committees of several top international conferences and is an Associate
Editor of the IACR Transactions on Cryptographic Hardware and Embedded Systems
(TCHES), the Journal of Hardware and Systems Security, and the Journal of
Cryptographic Engineering (Springer). He has given several invited talks in
industry and academia, including tutorial talks at premier conferences like
CHES, WIFS, VLSID. Dr. Mukhopadhyay is the recipient of the prestigious
Swarnajayanti DST Fellowship 2015-16, Young Scientist award from the Indian
National Science Academy, the Young Engineer award from the Indian National
Academy of Engineers, and is a Young Associate of the Indian Academy of
Science. He was also awarded the Outstanding Young Faculty fellowship in 2011
from IIT Kharagpur, and the Techno-Inventor Best PhD award by the Indian
Semiconductor Association. He has recently incubated a start-up on Hardware
Security, ESP Pvt Ltd, at IIT Kharagpur (http://esp-research.com/).
Thomas Peyrin: From Collisions to Chosen-Prefix Collisions: Application to Full SHA-1
Abstract: A chosen-prefix collision attack for a hash function is a
stronger variant of a collision attack, where an arbitrary pair of challenge
prefixes are turned into a collision. Chosen-prefix collisions are usually
significantly harder to produce than (identical-prefix) collisions, but the
practical impact of such an attack is much larger. While many cryptographic
constructions rely on collision-resistance for their security proofs, collision
attacks are hard to turn into breaks of concrete protocols, because the
adversary has limited control over the colliding messages. On the other
hand, chosen-prefix collisions have been shown to break certificates (by
creating a rogue CA) and many internet protocols (TLS, SSH, IPsec). In this
talk, we will show new techniques to turn collision attacks into chosen-prefix
collision attacks, and we will apply them on SHA-1. In particular, we will
present a chosen-prefix collision attack against full SHA-1 with complexity
much smaller than 2^70 computations, only within a small factor of the
complexity of the recent collision attack (estimated as 2^64.7). This
represents yet another warning that industries and users have to move away from
using SHA-1 as soon as possible. This is a joint work with Gaëtan Leurent.
Bio: Thomas PEYRIN received his engineer M.S. in 2004 from CPE Lyon and
specialized in theoretical computer science at the Ecole Polytechnique in
France. He completed in 2008 a doctorate in cryptography at Orange Labs,
formerly known as France Telecom, during which he was awarded the Japan Society
for the Promotion of Science (JSPS) grant. He previously worked as a
Cryptography Expert at Ingenico (the world leader in payment solutions) and as
a Research Fellow at the School of Physical and Mathematical Sciences of
Nanyang Technological University in Singapore under the Singapore Lee Kuan Yew
Postdoctoral Fellowship. He was appointed Nanyang Assistant Professor in 2012
under the Singapore NRF fellowship, and Associate Professor at NTU in 2017.
Mehdi Tibouchi: LWE without Modular Reduction and Improved Side-Channel
Attacks against BLISS
Abstract:
The rejection sampling step in the BLISS signature scheme leaks two
values related to the signing key through side-channels: an exact,
quadratic function of the secret key, and a linear but noisy function.
At CCS 2017, Espitau et al. described a key recovery attack targeting
the quadratic part, and noted that the linear part would yield a
simpler, more efficient attack if it were not for the noise, which
turns key recovery into a high-dimensional LWE-type learning problem.
In this talk, we revisit that observation, and point out in particular
that the learning problem arising in this way involves no modular
reduction, which makes it considerably easier than usual LWE. In fact,
we analyze the LWE problem without modular reduction, and show that it
can be solved efficiently using linear regression in most parameter
ranges. This yields an improved side-channel attack on BLISS, which
applies to 100% of secret keys (as opposed to 7% in the CCS paper)
and is also considerably faster.
The talk will also cover newer attacks along the same lines breaking
other parts of BLISS signature generation, and showing that it is hard
to securely implement the rejection sampling step in constant time.
This is joint work with J. Bootle, C. Delaplace, T. Espitau and
P.-A. Fouque.
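The regression step the abstract describes, as an added illustration (this is not code from the talk or from the paper it summarises, and it does not model BLISS's actual leakage; the dimension n = 16, the m = 256 samples, the stand-in modulus q = 12289, secret coefficients in {-1, 0, 1} and noise uniform in [-500, 500] are all assumptions made here). Samples b_i = <a_i, s> + e_i are built over the integers, s is recovered by ordinary least squares plus rounding, and the same samples reduced mod q are fed to the same solver to show why the absence of modular reduction is what makes the problem easy:

```python
"""Added illustration: LWE samples WITHOUT modular reduction fall to
ordinary least squares.  Not code from the talk or the paper; all
parameters and sample data are constructed here for the demo.

Model: b_i = <a_i, s> + e_i over the integers, s small, e_i zero-mean.
Least squares gives an unbiased estimate of s whose per-coordinate error
shrinks like 1/sqrt(m), so rounding recovers s exactly.  Reducing b_i mod q
(ordinary LWE) breaks the linear relation and the same solver returns garbage.
"""
import random

# Assumed toy parameters (not BLISS's real dimensions or leakage model).
N = 16             # secret dimension
M = 256            # number of leaked samples
Q = 12289          # stand-in modulus, only used for the "with reduction" run
NOISE_BOUND = 500  # e_i uniform in [-NOISE_BOUND, NOISE_BOUND]


def gen_secret(n, seed):
    """Small secret with coefficients in {-1, 0, 1} (constructed)."""
    rng = random.Random(seed)
    s = [rng.choice([-1, 0, 1]) for _ in range(n)]
    if not any(s):          # keep the demo meaningful
        s[0] = 1
    return s


def gen_samples(secret, m, q, noise_bound, seed):
    """Constructed samples (a_i, b_i) with b_i = <a_i, s> + e_i, no reduction.
    a_i has coordinates uniform in the centred range [-q//2, q//2]."""
    rng = random.Random(seed)
    samples = []
    for _ in range(m):
        a = [rng.randint(-(q // 2), q // 2) for _ in range(len(secret))]
        e = rng.randint(-noise_bound, noise_bound)
        b = sum(x * y for x, y in zip(a, secret)) + e
        samples.append((a, b))
    return samples


def centred_mod(x, q):
    """Reduce x into (-q/2, q/2], as an ordinary LWE sample would be."""
    r = x % q
    return r - q if r > q // 2 else r


def solve_linear(mat, rhs):
    """Gaussian elimination with partial pivoting for a dense n x n system."""
    n = len(rhs)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(mat)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(col + 1, n):
            f = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (aug[i][n] - sum(aug[i][j] * x[j] for j in range(i + 1, n))) / aug[i][i]
    return x


def least_squares_secret(samples):
    """Ordinary least squares via the normal equations (A^T A) s = A^T b,
    then rounding every coordinate to the nearest integer."""
    n = len(samples[0][0])
    ata = [[0.0] * n for _ in range(n)]
    atb = [0.0] * n
    for a, b in samples:
        for i in range(n):
            atb[i] += a[i] * b
            for j in range(n):
                ata[i][j] += a[i] * a[j]
    estimate = solve_linear(ata, atb)
    return [int(round(v)) for v in estimate]


def demo(seed=2018):
    """Returns (secret, recovered without reduction, recovered with reduction)."""
    secret = gen_secret(N, seed)
    samples = gen_samples(secret, M, Q, NOISE_BOUND, seed + 1)
    recovered = least_squares_secret(samples)
    reduced = [(a, centred_mod(b, Q)) for a, b in samples]
    recovered_mod = least_squares_secret(reduced)
    return secret, recovered, recovered_mod


if __name__ == "__main__":
    s, r, rm = demo()
    print("secret            ", s)
    print("no reduction (OLS)", r, "correct" if r == s else "wrong")
    print("mod q (OLS)       ", rm, "correct" if rm == s else "wrong")
```

Note that the per-sample noise here (up to 500) is not small; what matters is that it is zero-mean and that no wrap-around occurs, so the error of the least-squares estimate averages out over m samples. With the modular reduction applied, most samples wrap (the inner products have magnitude comparable to q), the relation between a_i and b_i is no longer linear, and the rounded estimate is essentially the zero vector rather than s.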
Bio:
An alumnus of ENS (Paris, France), Mehdi Tibouchi obtained his Ph.D. in
computer science from Univ. Paris VII and Univ. Luxembourg in 2011. He
is now distinguished researcher at NTT Corporation (Tokyo, Japan) and
guest associate professor at Kyoto University (Kyoto, Japan). His
research interests cover various mathematical aspects of public-key
cryptography and cryptanalysis.