Advanced Security: 20172018
Lecturer 

Degrees 
Schedule C1 (CS&P) — Computer Science and Philosophy Schedule C1 — Computer Science 
Term 
Hilary Term 2018 (18 lectures) 
Overview
The Advanced Security course is designed to bring students towards the research boundaries in computer security, covering contemporary topics in depth. It is split into two modules, each an area of interest to members of the Computer Security research group. This year the modules will be:
first half of term, Sadie Creese
Title to be confirmed.
Cryptography for Privacy: 8 lectures, second half of term, Michael Goldsmith
Using modern cryptography for limited release of information.
Learning outcomes
To attain a deeper understanding of certain contemporary topics in computer security, bridging the gap to research.
Cryptography for Privacy
The standard uses of cryptography are intended to allow only intended recipients to extract all of some piece of information,
or to give assurance of its validity as a whole; this is a rather blunt instrument for the modern world. As a vendor
of agerestricted goods, for instance, you may wish to rely on government certification of your customer's majority, but you
have no real business knowing anything more about their identity; so a passport or driving licence, or their certified electronic
moral equivalents, are far from ideal from a privacy point of view. The course covers the concepts and definitions required
for more subtle uses of cryptography and related mechanisms enabling schemes that allow a verifier to be satisfied
about some attribute of a supplicant based on an unforgeable credential backed by a trusted certifier,
without leaking further information about the supplicant to the verifier, nor the fact of the request to the certifier.
We will also explore some of the challenges that remain, particularly at the frontier between the electronic and human worlds.
Prerequisites
For both modules, the Computer Security course (or its equivalent).
For the Information Hiding module: basic (1st yr) probability, basic (1st yr) linear algebra. The Information Hiding practical will be in C, but only a very basic understanding of the language will be required.
Synopsis
Cryptography for Privacy (weeks 58, 2 classes, 1 practical)
Background Review of the concept of authentication and authentication protocols. Generalisation to authentication of attributes as a goal. Technical challenges and privacy goals. [12 lectures]
Mechanisms underlying the solution Introduction to homomorphic encryption. Zeroknowledge proofs. Secure multiparty computation. [23 lectures]
AttributeBased Credentials and their applications Use cases. Simplistic solutions. Weaknesses. Unforgeable derived credentials. [23 lectures]
Remaining chellenges in social contexts. Abuse cases. Forward privacy? Possible approaches towards solutions. [12 lectures]
Syllabus
Cryptography for Privacy
Authentication and authentication protocols. Authentication of attributes. Privacy goals. Elementary homomorphic encryption. Zeroknowledge proofs. Secure multiparty computation. AttributeBased Credentials. Applications and use cases. Simplistic and more sophisticated solutions. Unforgeable derived credentials. Remaining chellenges in social contexts. Abuse cases. Forward privacy.
Examination: both part C undergraduate and MSc students will be examined by takehome assignment over the Easter vacation. Students must answer questions on both modules.
Reading list
Cryptography for Privacy
Yehuda Lindell (2007) "Anonymous Authentication," Journal of Privacy and Confidentiality: 2(2), Article 4: PDF
Ronald L. Rivest, Adi Shamir and Yael Tauman (2001) "How to Leak a Secret," ASIACRYPT 2001, LNCS 2248, pp. 552–565: PDF
Ronald L. Rivest, Len Adleman and Michael L. Dertouzos (1978) "On data banks and privacy homomorphisms," Foundations of Secure Computations, pp. 171–182: PDF
Ronald L. Rivest, Adi Shamir and Len Adleman (1978) "A method for obtaining digital signatures and publickey cryptosystems," Communications of the ACM 21(2), pp. 120–126: PDF
Craig Gentry (2009) A fully homomorphic encryption scheme, PhD thesis, Stanford University: PDF
Craig Gentry (2009) "Fully homomorphic encryption using ideal lattices," STOC, pp. 169–178, ACM: PDF
Craig Gentry (2010) "Computing Arbitrary Functions of Encrypted Data," Communications of the ACM, 53(3), pp. 97–105: PDF available here
Nigel Smart and Frederik Vercauteren (2010) "Fully homomorphic encryption with relatively small key and ciphertext sizes," Public Key Cryprography – PKC 2010, Springer LNCS 6056, pp. 420–443: PDF available here
JeanSébastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi, "Fully Homomorphic Encryption over the Integers with Shorter Public Keys," Advances in Cryptology – CRYPTO 2011, Springer LNCS 6841 pp. 487–504: PDF available here
Xiaofeng Chen, Willy Susilo, Jin Li, Duncan Wong, Jianfeng Ma, Shaohua Tang, and Qiang Tang (2015) "Efficient algorithms for secure outsourcing of bilinear pairings" Theoretical Computer Science 562, pp. 112–121: PDF available here
Zvika Brakerski and Vinod Vaikuntanathan (2011) "Efficient Fully Homomorphic Encryption from (Standard) LWE," SIAM Journal of Computing, 43(2), pp. 831–871: PDF
Craig Gentry, Shai Halevi and Nigel Smart (2012) "Fully Homomorphic Encryption with Polylog Overhead," Advances in Cryptology – EUROCRYPT 2012, Springer LNCS 7237, pp. 465–482: PDF available here
Craig Gentry, Shai Halevi and Nigel Smart (2012) "Better Bootstrapping in Fully Homomorphic Encryption," Public Key Cryptography – PKC 2012, Springer LNCS 7293, pp. 1–16: PDF available here
Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan (2011) "Fully homomorphic encryption without bootstrapping", ACM Transactions on Computation Theory (TOCT)  Special issue on innovations in theoretical computer science 2012  Part II, 6(3), July 2014: PDF
Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan (2012) "(Leveled) fully homomorphic encryption without bootstrapping," Innovations in Theoretical Computer Science (ITCS '12), ACM: PDF available here
JeanJacques Quisquater, Louis C. Guillou and Thomas A. Berson (1990) "How to Explain ZeroKnowledge Protocols to Your Children", Advances in Cryptology – CRYPTO '89, Springer LNCS 435, pp. 628–631: PDF
Shimon Even, Oded Goldreich and Abraham Lempel (1985) "A Randomized Protocol for Signing Contracts", Communications of the ACM, 28(6), pp. 637–647: PDF available here
Andrew Yao (1982) "Protocols for secure computations", FOCS 2013, pp. 160–164: PDF
Ioannis Ioannidis and Ananth Grama (2003) "An efficient protocol for Yao's Millionaires' Problem", HICCS '03: PDF
Indrajit Ray and Indrakshi Ray (2002) "Fair exchange in ecommerce", ACM SIGecom Exchange 3(2), pp. 9–17: PDF
Henning Pagnia and Felix C. Gärtner (1999) "On the impossibility of fair exchange without a trusted third party," Technische Universität Darmstadt Technical Report TUD–BS–1999–02: PDF
Michael J. Fischer, Nancy A. Lynch and Michael S. Paterson (1985) "Impossibility of Distributed Consensus with One Faulty Process," Journal of the ACM, 32(2), pp. 374–382: PDF
Matthew K. Franklin and Michael K. Reiter (1997) "Fair Exchange with a semitrusted third party," CCS '97, pp 1–6: PDF
N. Asokan, Victor Shoup and Michael Waidner (1998) "Asynchronous protocols for optimistic fair exchange," IEEE Symposium on Research in Security and Privacy, pp. 86–99: PDF; Fixed by Vitaly Shmatikov and John C. Mitchell (2000) "Analysis of a Fair Exchange Protocol", NDSS 2000: PDF
Manuel Blum (1983) "How to exchange (secret) keys," ACM TOCS 1(2), pp. 175–193: PDF
Dahlia Malkhi, Noam Nisan, Benny Pinkas and Yaron Sella (2004) "Fairplay – A Secure TwoParty Computation System," 13th USENIX Security Symposium, pp. 287–302: PDF
Chaum, David (1982) "Blind signatures for untraceable payments," Crypto 82, LNCS 1440, pp. 199–203: PDF
Claus P. Schnorr (1991) "Efficient signature generation for smart cards," Journal of Cryptology, 4(3), pp. 239–252: PDF
Jan Camenisch and Ivan Damgård (2000) "Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes," ASIACRYPT 2000, Springer LNCS 1976, pp. 331–345: PDF
Jan Camenisch and Anna Lysyanskaya (2002) "A signature scheme with efficient protocols," SCN 2002, Springer LNCS 2576: PDF
Jan Camenisch and Victor Shoup (2003) "Practical verifiable encryption and decryption of discrete logarithms," CRYPTO 2003, Springer LNCS 2729 pp. 126–144:PDF
Ivan Damgård and Eiichiro Fujisaki (2002) "An integer commitment scheme based on groups with hidden order," ASIACRYPT 2002, Springer LNCS 2501: PDF
Jan Camenisch et al (2010) Specification of the Identity Mixer Cryptographic Library (Version 2.3.0), IBM Zurich Technical Report RZ 3730: Available via this link
Hemanta Maji, Manoj Prabhakaran and Mike Rosulek (2011) "Attributebased signatures.'' Topics in Cryptology–CTRSA 2011, Springer Berlin Heidelberg, pp. 376–392: PDF
Ali El Kaafarani, Liqun Chen, Essam Ghadaï and James Davenport (2014) "AttributeBased Signatures with UserControlled Linkability," CANS 2014, Springer LNCS 8813, pp. 256–269: PDF
Xavier Boyen (2007) "Mesh signatures." Advances in Cryptology–EUROCRYPT 2007. Springer Berlin Heidelberg, pp. 210–227: PDF
Gergely Alpár and Bart Jacobs (2013) "Credential design in attributebased identity management," 3rd TILTing Perspectives Conference, pp. 189–204: PDF
John Kubiatowicz, David Bindel, Yan Chen, Steven Czerwinski, Patrick Eaton, Dennis Geels, Ramakrishna Gummadi, Sean Rhea, Hakim Weatherspoon, Westley Weimer, Chris Wells and Ben Zhao (2000) "Oceanstore: An architecture for globalscale persistent storage." ACM Sigplan Notices 35(11), pp. 190–201: PDF
A more gentle introduction to some of the concepts...
Xun Yi, Russell Paulet and Elisa Bertino (2014) Homomorphic Encryption and Applications, Springer, ISBN 978–3–319–1228–1