09:30–09:40 

Welcome

09:40–10:10 
Tancrède Lepoint

Efficient PostQuantum Key Exchanges Based On *LWE



Abstract:
In the past couple of years, latticebased cryptography began a transition to widespread deployment. A striking example is that of Google's experiment with NewHope, a latticebased key agreement protocol. In this talk, we will extract the common idea behind the three most practical latticebased schemes for key exchange based on the learning with error problem (Frodo, NewHope and Kyber, respectively based on LWE, RingLWE and ModuleLWE), and compare their efficiency.

10:10–10:40 
Vassilis Zikas

The Price of Low Communication in Secure MultiParty Computation



Abstract:
Traditional protocols for secure multiparty computation (MPC) among n parties that achieve optimal resiliency communicate at least a linear (in n) number of bits. In this work we investigate the feasibility of MPC with sublinear communication complexity. Concretely, we consider two clients, one of which may be corrupted, that wish to perform some joint computation using n servers but do not have any trusted setup. We show that enforcing sublinear message complexity drastically affects the feasibility bounds on the number of corrupted parties that can be tolerated.
We provide a complete investigation of security against semihonest adversariesstatic and adaptive, with or without erasuresand also initiate the study of actively malicious adversaries. In the case of semihonest static adversaries, our bounds match (up to any constant fraction of corruptions) the corresponding bounds when there is no communication restrictioni.e., we can tolerate up to t < (1/2 \epsilon)n corrupted parties. For the adaptive case, however, the situation is different. We prove that without erasures a constant fraction of corruptions is intolerable, andmost surprisinglywhen erasures are allowed, we prove that t < (1  \sqrt(0.5)  \epsilon)n corruptions can be tolerated, which we also show to be optimal up to an arbitrarily small constant factor. The latter optimality proof hinges on a new treatment of probabilistic adversary structures which may be of independent interest. In the case of active corruptions in this setting, we prove that static security with abort is feasible when t < (1/2  \epsilon)n, namely, the bound that is tight for semihonest security.
This is joint work with Juan Garay, Yuval Ishai, and Rafail Ostrovsky.

10:40–11:10 
Payman Mohassel

Towards Scalable PrivacyPreserving Machine Learning



Abstract:
Machine learning is widely used in practice to produce predictive models for applications such as image processing, speech and text recognition. These models are more accurate when trained on large amount of data collected from different sources. However, the massive data collection raises privacy concerns.
In this talk, I present new and efficient protocols for privacy preserving machine learning for linear regression, logistic regression and neural network training using the stochastic gradient descent method. I also report on experimental results that confirm our protocols are several orders of magnitude faster than the state of the art implementations and scale to millions of data samples with thousands of features.
Joint work with Yupeng Zhang.

11:10–11:30 

Break

11:30–12:30 
Phillip Rogaway

The Long Road from Theory to Practice: The Case of Authenticated Encryption



Abstract:
To many theoryoriented cryptographers, symmetric encryption is our most passé problem. Yet from the point of view of providing a useful theory and desirable schemes, the area is very much alive. For this talk I’d like to explore the long dialectic that has taken us from semantic security to robust authenticatedencryption.
I’ll trace the history of AE, explaining why it emerged and how it evolved. AE is rare topic insofar as there has at least been a dialog around identifying what the right problem is. For most topics in cryptography, we seem to travel a road with little but our imagination as guide.

12:30–14:00 

Lunch (provided)

14:00–14:30 
Sam Kim

Privately Puncturable PRFs From Standard Lattice Assumptions



Abstract:
A puncturable pseudorandom function (PRF) has a master key k that enables one to evaluate the PRF at all points of the domain, and has a punctured key k_x that enables one to evaluate the PRF at all points but one. The punctured key k_x reveals no information about the value of the PRF at the punctured point x. In a private puncturable PRF, the punctured key k_x additionally hides the punctured point x. Previous privately puncturable PRF constructions relied on multilinear maps or indistinguishability obfuscation.
We construct the first privately puncturable PRF from standard lattice assumptions, namely from the hardness of learning with errors (LWE) and 1 dimensional short integer solutions (1DSIS), which have connections to worstcase hardness of general lattice problems. Along the way, we introduce a number of new techniques that can have wider applications in other latticebased constructions.
This is joint work with Dan Boneh and Hart Montgomery.

14:30–15:00 
Peihan Miao

Laconic Receiver Oblivious Transfer And Its Applications



Abstract:
We introduce a novel technique for secure computation over large inputs. Specifically, we provide a new oblivious transfer (OT) protocol with a laconic receiver. Laconic OT allows a receiver to commit to a large input D (of length M) via a short message. Subsequently, a single short message by a sender allows the receiver to learn m_{D[L]}, where the messages m_0, m_1 and the location L \in [M] are dynamically chosen by the sender. All prior constructions of OT required the receiver's outgoing message to grow with D.
Our key contribution is an instantiation of this primitive based on the Decisional DiffieHellman (DDH) assumption. The technical core of this construction is a novel use of somewhere statistically binding (SSB) hashing in conjunction with hash proof systems. Next, we show applications of laconic OT to noninteractive secure computation on large inputs and multihop homomorphic encryption for RAM programs.
Based on joint work with Chongwon Cho, Nico Döttling, Sanjam Garg, Divya Gupta, and Antigoni Polychroniadou.

15:00–15:30 
David Wu

LatticeBased SNARGs and Their Application to More Efficient Obfuscation



Abstract:
Succinct noninteractive arguments (SNARGs) enable verifying NP computations with substantially lower complexity than that required for classical NP verification. In this work, we first construct a latticebased SNARG candidate with quasioptimal succinctness (where the argument size is quasilinear in the security parameter). Further extension of our methods yields the first SNARG (from any assumption) that is quasioptimal in terms of both prover overhead (polylogarithmic in the security parameter) as well as succinctness. Moreover, because our constructions are latticebased, they plausibly resist quantum attacks. Central to our construction is a new notion of linearonly vector encryption which is a generalization of the notion of linearonly encryption introduced by Bitansky et al. (TCC 2013). We conjecture that variants of Regev encryption satisfy our new linearonly definition. Then, together with new informationtheoretic approaches for building statisticallysound linear PCPs over small finite fields, we obtain the first quasioptimal SNARGs.
We then show a surprising connection between our new latticebased SNARGs and the concrete efficiency of program obfuscation. All existing obfuscation candidates currently rely on multilinear maps. Among the constructions that make blackbox use of the multilinear map, obfuscating a circuit of even moderate depth (say, 100) requires a multilinear map with multilinearity degree in excess of 2^100. In this work, we show that an ideal obfuscation of both the decryption function in a fully homomorphic encryption scheme and a variant of the verification algorithm of our new latticebased SNARG yields a generalpurpose obfuscator for all circuits. Finally, we give some concrete estimates needed to obfuscate this “obfuscationcomplete” primitive. We estimate that at 80bits of security, a (blackbox) multilinear map with ≈2^12 levels of multilinearity suffices. This is over 2^80 times more efficient than existing candidates, and thus, represents an important milestone towards implementable program obfuscation for all circuits.
