Liz Quaglia and Christian Weinert are organising the next London Crypto Day 2023, which will be on Friday 9th June 2023 at Royal Holloway, University of London.
The event will be held in the Moore Auditorium on Royal Holloway's Egham campus.
The LCD23 schedule is out!
09:30 - 09:55 Arrival and welcome coffee
09:55 - 10:00 Opening remarks
10:00 - 10:45 Rachel Player (RHUL)
10:45 - 11:30 Patrick McCorry (Arbitrum Foundation)
11:30 - 11:45 Coffee break
11:45 - 12:30 Ilaria Chillotti (Zama)
12:30 - 14:00 Lunch sponsored by CryptoQuantique
14:00 - 14:45 Michele Ciampi (University of Edinburgh)
14:45 - 15:30 Aydin Abadi (UCL)
15:30 - 16:00 Coffee break
16:00 - 16:45 Ashley Fraser (University of Surrey)
You can register for LCD23 here!
Please register by 26th May 2023.
TITLES and ABSTRACTS of the LCD23 TALKS
Rachel Player
New results in BFV-type FHE schemes
The talk will describe some results presented in two papers that are currently under submission. In "Homomorphic polynomial evaluation using Galois structure and applications to BFV bootstrapping" (joint work with Hiroki Okada and Simon Pohmann) we show how Galois automorphisms can be used to homomorphically evaluate a polynomial of degree d in O(log(d)) ciphertext-ciphertext and automorphism evaluations, compared to O(sqrt(d)) as required without automorphisms. We then discuss the application of this result to BFV bootstrapping. In "Designs for practical SHE schemes based on Ring-LWR" (joint work with Madalina Bolboceanu, Anamaria Costache, Erin Hales, Miruna Rosca, and Radu Titiu), we present two new Ring-LWR based analogues of BFV, in the LPR and Regev paradigms. We give a theoretical and concrete security analysis of both schemes, and present a comparison to the BFV scheme itself, showing that our new schemes are marginally better than BFV in terms of ciphertext size.
Patrick McCorry
Validating Bridges and "Rollups" as a Scaling Solution for Cryptocurrencies
One scalability route for cryptocurrencies is to empower users to lock their assets on one blockchain network and to unlock the same assets on another off-chain system. This is how cryptocurrencies have scaled for the past ~12 years. We take a look at the history and pitfalls of bridges before diving into the emergence of a validating bridge. It is the only bridge that allows a user to lock assets into another off-chain system while retaining the security of the underlying blockchain. We explore what we mean by security and how validating bridges represent an opportunity to build better off-chain systems that protect the user from an all-powerful adversary while allowing software, and not a human operator, to protect billions of dollars locked in the bridge.
Ilaria Chillotti
Parameter Optimization & Larger Precision for (T)FHE
In theory, Fully Homomorphic Encryption schemes allow users to compute any operation over encrypted data. However, in practice, one of the major difficulties lies in determining secure cryptographic parameters that minimize the computational cost of evaluating a circuit. In this paper, we propose a solution to solve this open problem. Even though it mainly focuses on TFHE, the method is generic enough to be adapted to all the current FHE schemes. TFHE is particularly suited for small precision messages, from Boolean to 5-bit integers. It is possible to instantiate bigger integers with this scheme; however, the computational cost quickly becomes impractical. By studying the parameter optimization problem for TFHE, we observed that if one wants to evaluate operations on larger integers, the best way to do it is by encrypting the message into several ciphertexts, instead of considering bigger parameters for a single ciphertext. In the literature, one can find some constructions going in that direction, which are mainly based on radix and CRT representations of the message. However, they still present some limitations, such as inefficient algorithms to evaluate generic homomorphic lookup tables and no solution to work with an arbitrary modulus for the message space. We overcome these limitations by proposing two new ways to evaluate homomorphic modular reductions for any modulus in the radix approach, by introducing on the one hand a new hybrid representation, and on the other hand by exploiting a new efficient algorithm to evaluate generic lookup tables on several ciphertexts. The latter is not only a programmable bootstrapping but also does not require any padding bit, as needed in the original TFHE bootstrapping. We additionally provide benchmarks to support our results in practice.
Finally, we formalize the parameter selection as an optimization problem, and we introduce a framework based on it enabling easy and efficient translation of an arithmetic circuit into an FHE graph of operations along with its optimal set of cryptographic parameters. This framework offers a plethora of features: fair comparisons between FHE operators, study of contexts that are favorable to a given FHE strategy/algorithm, failure probability selection for the entire use case, and so on.
Michele Ciampi
On the round-complexity of secure multi-party computation with identifiable aborts
In multi-party computation (MPC), multiple entities, each having some inputs, want to jointly compute a function of these inputs with the guarantee that nothing aside from the output of the function will be leaked. In the dishonest majority setting, unfortunately, output delivery is not guaranteed. It is however still possible to achieve security with identifiable aborts. In this talk, we will see how to construct an MPC protocol that is secure with identifiable aborts, assuming that parties send only four messages over a broadcast channel (i.e., a four-round protocol). We will then discuss whether the use of broadcast is necessary for every round to securely realize any functionality with identifiable aborts.
Aydin Abadi
Earn While You Reveal: Private Set Intersection that Rewards Participants
In Private Set Intersection protocols (PSIs), a non-empty result always reveals something about the private input sets of the parties. Moreover, in various variants of PSI, not all parties necessarily receive or are interested in the result. Nevertheless, to date, the literature has assumed that those parties who do not receive or are not interested in the result still contribute their private input sets to the PSI for free, although doing so would cost them their privacy. In this talk, I will talk about our multi-party PSI, called "Anesidora", which rewards parties who contribute their private input sets to the protocol. Anesidora is efficient; it mainly relies on symmetric key primitives, and its computation and communication complexities are linear in the number of parties and set cardinality. It remains secure even if the majority of parties are corrupted by active colluding adversaries.
Ashley Fraser
Privacy-Preserving Image Sharing with Self-Sovereign Identity
Self-sovereign identity (SSI) is a digital identity management model that enables users to control the management of their identity. In this talk, we will describe a novel application of SSI. We used open-source SSI toolkits to build a proof-of-concept implementation of an SSI platform that enables photographers to collect credentials for their images and use their credentials to assert ownership of their images to a third party in a privacy-preserving way. Presently, the security goals of SSI are undefined and existing analyses of SSI systems are informal. We will outline the privacy and security requirements of our implementation and conclude this talk by discussing formalisation of these requirements.
Thank you to CryptoQuantique for sponsoring our lunch!