# Barcelona Crypto Day, June 21st, 2017

Wednesday, **June 21st, 2017**, Building C3 (Campus Nord, Barcelona), 2nd floor, library.

Four talks given by **Benoît Libert** (ENS, Lyon), **Fabien Laguillaumie** (ENS, Lyon - LIRMM, Montpellier), **Carla Ràfols** (UPF, Barcelona) and **Javier Silva** (UPF, Barcelona).

**10h30, Benoît Libert** (ENS, Lyon): All-But-Many Lossy Trapdoor Functions and Selective Opening Chosen-Ciphertext Security from LWE

Abstract:

Selective opening (SO) security refers to adversaries that receive a number of ciphertexts and, after having corrupted a subset of the senders (thus obtaining the plaintexts and the senders' random coins), aim at breaking the security of remaining ciphertexts. So far, very few public-key encryption schemes are known to provide simulation-based selective opening (SIM-SO-CCA2) security under chosen-ciphertext attacks and most of them encrypt messages bit-wise. The only exceptions to date rely on all-but-many lossy trapdoor functions (as introduced by Hofheinz; Eurocrypt'12) and the Composite Residuosity assumption. We describe the first all-but-many lossy trapdoor function with security relying on the presumed hardness of the Learning-With-Errors problem (LWE) with standard parameters.

Our construction exploits homomorphic computations on lattice trapdoors for lossy LWE matrices. By carefully embedding a lattice trapdoor in lossy public keys, we can prove SIM-SO-CCA2 security under the LWE assumption.

**11h20, Carla Ràfols** (UPF, Barcelona): New Techniques for Batch Verification in Bilinear Groups

Abstract:

In 1998, Bellare, Garay and Rabin proposed a set of techniques to batch verify a set of equations. The simplest and most useful of these techniques, the small exponent test, checks whether a set of equations is satisfied by verifying a single equation that is a random linear combination of the original equations with small exponents. These techniques have also been used in the bilinear group setting to verify sets of pairing product equations. In this talk we introduce new techniques specific to the bilinear setting. These techniques work particularly well with highly structured sets of equations, like Groth-Sahai verification equations or matrix product verification in the exponent.

(based on joint work with G. Herold, M. Hoffmann, M. Kloss, A. Rupp.)
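The small exponent test described in the abstract, worked out for the setting Bellare, Garay and Rabin originally treated (batch verification of exponentiation claims y_i = g^x_i in a prime-order group) rather than for pairing product equations. This is an added example, not code from the talk or the paper; the group parameters p = 1019, q = 509, g = 4 and the claims are constructed toy values, and the cancelling forgery shows why the naive product check is not enough.

```python
import secrets
from typing import Callable, List, Optional, Tuple

# Constructed toy group: p = 2q + 1 with p = 1019 and q = 509 both prime;
# g = 4 generates the subgroup of prime order q. Real deployments use ~256-bit q.
P, Q, G = 1019, 509, 4

def naive_batch_check(claims: List[Tuple[int, int]]) -> bool:
    """Each claim (x_i, y_i) asserts y_i == G^x_i mod P. Check prod(y_i) == G^(sum x_i)."""
    prod = 1
    for _, y in claims:
        prod = prod * y % P
    return prod == pow(G, sum(x for x, _ in claims) % Q, P)

def small_exponent_test(claims: List[Tuple[int, int]], bits: int = 8,
                        rand: Optional[Callable[[], int]] = None) -> bool:
    """Check G^(sum r_i x_i) == prod y_i^r_i for fresh random r_i in [0, 2^bits).
    In a prime-order group a batch containing any wrong claim passes with
    probability at most 2^-bits (choose bits so that 2^bits <= q)."""
    if rand is None:
        rand = lambda: secrets.randbelow(1 << bits)
    exp_acc, prod = 0, 1
    for x, y in claims:
        # Membership check: an element outside the order-q subgroup (e.g. -1,
        # of order 2) would let a wrong claim pass with constant probability.
        if not 1 <= y < P or pow(y, Q, P) != 1:
            return False
        r = rand()
        exp_acc = (exp_acc + r * x) % Q
        prod = prod * pow(y, r, P) % P
    return prod == pow(G, exp_acc, P)

def honest_claims(xs: List[int]) -> List[Tuple[int, int]]:
    return [(x, pow(G, x, P)) for x in xs]

def cancelling_forgery(xs: List[int], h_exp: int = 7) -> List[Tuple[int, int]]:
    """Corrupt two claims by factors h and h^-1 so the naive product is unchanged."""
    claims = honest_claims(xs)
    h = pow(G, h_exp, P)
    (x0, y0), (x1, y1) = claims[0], claims[1]
    claims[0] = (x0, y0 * h % P)
    claims[1] = (x1, y1 * pow(h, Q - 1, P) % P)  # h^(q-1) = h^-1 in the subgroup
    return claims

if __name__ == "__main__":
    good, bad = honest_claims([3, 77, 150, 301]), cancelling_forgery([3, 77, 150, 301])
    print(naive_batch_check(good), small_exponent_test(good))  # True True
    print(naive_batch_check(bad), small_exponent_test(bad))    # True False (w.h.p.)
```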

*(Coffee break: 12h00 - 12h10)*

**12h10, Fabien Laguillaumie** (ENS, Lyon - LIRMM, Montpellier): Encryption switching protocols modulo p

Abstract:

At CRYPTO 2016, Couteau, Peters and Pointcheval introduced a new primitive called encryption switching protocols (ESP), which allow switching ciphertexts between two encryption schemes. If such an ESP is built from two schemes that are respectively additively and multiplicatively homomorphic, it naturally gives rise to a secure 2-party computation protocol. It is thus perfectly suited for evaluating functions, such as multivariate polynomials, given as arithmetic circuits. Couteau et al. built an ESP to switch between Elgamal and Paillier encryption, two schemes that do not naturally fit well together.

In this talk, I will present a conceptually simple generic construction for encryption switching protocols. I'll suggest an efficient instantiation of our generic approach that uses two well-suited schemes, namely a variant of Elgamal in Z_p and the Castagnos-Laguillaumie encryption, which is additively homomorphic over Z_p. Among other advantages, this allows all computations to be performed modulo a prime p instead of an RSA modulus. Overall, our solution leads to significant reductions in the number of rounds as well as the number of bits exchanged by the parties during the interactive protocols.

(This is a joint work with Guilhem Castagnos (Bordeaux) and Laurent Imbert (Montpellier).)

**13h00, Javier Silva** (UPF, Barcelona): Complex Parameter Hiding in Prime Order Groups

Abstract:

At TCC 2016, Wee presented an identity-based encryption scheme with very small parameters, and proved its security under standard assumptions in groups whose order is the product of three large primes. The security proof uses the techniques introduced by the Déjà Q framework (Chase and Meiklejohn, Eurocrypt 2014), which allow reducing q-type assumptions to standard assumptions. Wee also proposed a candidate prime-order translation of the IBE scheme, but he did not provide a proof. In particular, he left open the problem of analyzing when a certain property, called parameter hiding, is satisfied in the prime-order setting. In this talk, we analyze this issue in Wee's prime-order candidate and conclude that a straightforward use of the Déjà Q techniques is not enough to prove the security of this scheme.

*(expected ending: 13h30)*