Abstract: What was that encrypted message you sent? Oh, it was "Ran is the greatest of all times"! Can you prove? Sure, here are the random bits used to generate the ciphertext.

In this talk I will survey Ran Canetti's early work on non-committing encryption and deniable encryption and its implications. 

Abstract: I will talk about the probabilistic IO work with a focus on its surprising implications for fully homomorphic encryption.

Abstract: TBD

Abstract: Can we design a private variant of “Google search” that would enable users to search the Internet privately without revealing their queries to Google? Fully homomorphic encryption gives a potential solution to this problem, but would require Google to run a huge computation that is linear in the size of the entire internet to answer each encrypted search query. Can Google to preprocess the internet content into a special data structure that would then allow it to answer each encrypted search query very efficiently by only accessing a small number of locations in the data structure? We give a solution to this problem as a special case of our work.

Concretely, we construct the first schemes for “doubly efficient private information retrieval (DEPIR)” and “fully homomorphic encryption in the RAM model (RAM-FHE)” under standard cryptographic hardness assumptions (Ring Learning with Errors). Previously we only had heuristic candidate constructions that only satisfied relaxed variants of these primitives. Our new solutions combine tools from cryptography together with data structures for fast polynomial evaluation (Kedlaya and Umans ’08).

Joint work with Wei-Kai Lin and Ethan Mook.

Abstract: TBD

Abstract: Motivated in part by the desire to run meaningful workflows in large open systems, we consider distributed computations in a setting where parties come and go throughout the protocol execution. In the extreme, we have parties that join the computation for just a single step, to fulfil some ephemeral roles. These parties join without any state, receive the relevant state from the network, perform some computation, send their messages, and then depart.

This survey talk will cover multiple works by many people, I will touch on the motivation for this extreme model, security notions, and useful techniques. The main feasibility result in this line of work states that every efficiently computable function can be securely computed in (the YOSO equivalent of) the honest-majority setting.

Abstract: We will survey a collection of results over the last 5 years -- due to Ran and many others -- on Correlation Intractability and the Fiat-Shamir heuristic. Correlation intractability was introduced by Canetti-Goldreich-Halevi as a tool for understanding the uninstantiability of random oracles. However, by sufficiently narrowing the scope of the definition, we were able to obtain constructions of CI hash functions from simple, and often even standard, cryptographic assumptions! In turn, we have been able to use these weak forms of CI to instantiate the Fiat-Shamir heuristic in the standard model and build many new and powerful non-interactive argument systems. 

Abstract: TBD

Abstract: In this talk I will first recall some early interactions with Ran, where Ran's encouragement of "Imagine!" plays an essential role in shaping my development as a PhD student. I will then share some recent thoughts on designing quantum algorithms for solving lattice problems, inspired by many colors of Ran.

Abstract: You can trust Ran that even if the world were coming to an end, he would still be formulating a new cryptographic model or analyzing some intricate security protocol.  How else could you conceive that he would be sitting at Sushi Samba in NYC, the afternoon of September 11, 2001, rigorously working on the analysis of the SIGMA key-exchange protocol (while inhaling a good dose of broken glass)?  I designed SIGMA in 1996 for the IPsec Key Exchange (IKE) protocol with very limited understanding of the modeling of key-exchange protocols. Fortunately, I had Ran, with whom I spent countless hours on transatlantic phone calls in subsequent years, working together to try and tame this seemingly docile yet elusive beast known as 'authenticated key exchange.' Eventually, we converged on some useful modeling (including early UC model stuff) with SIGMA as one of the more challenging and significant protocols we analyzed (partly during that fateful afternoon 22 years ago).  You may know nothing about SIGMA but you are surely using it. It has been the key-exchange protocol for IKE for 25 years and since 2018 also the cryptographic core of TLS 1.3 handshake. In this presentation, I'll tell you a bit more about SIGMA (and about Ran too, of course).

Oh. And, by the way, this SIGMA protocol has nothing to do with the honest-verifiable ZK SIGMA protocols, or with this other one https://en.wikipedia.org/wiki/The_Sigma_Protocol.

Abstract: The notion of environmental security (a.k.a UC-security) is one of Ran's most important contributions to cryptography. I will offer my own perspective, which focuses on the pivotal role of efficiently computable oracles in the formulation.

Abstract: Will tell you about some scientific journeys with Ran or inspired by Ran.