In this talk, Rune gives an overview of his research so far.
The first part of the talk covers Signal's initial handshake protocol and transitioning to a post-quantum protocol.
He has proposed a post-quantum replacement protocol called SPQR [PKC:BFGJS22] and analyzed the confidentiality [PKC:FieGun25] and deniability [PoPETS:FieJan24] of PQXDH, the post-quantum protocol that Signal has deployed for the initial handshake.
In the second part he presents his (impossibility) results on deniable authentication against malicious verifiers and the implications for Signal's initial handshake. [EPRINT:FieLan25]
In the third part he introduces the Beyond UnForgeability Features (BUFF) for signature schemes [SP:CDFFJ21] and gives an overview how the signature schemes in the NIST standardization process are doing wrt. BUFF properties [SAC:DuzFieFis24].
[PKC:BFGJS22] https://eprint.iacr.org/2021/769
[PKC:FieGun25] https://eprint.iacr.org/2024/702
[PoPETS:FieJan24] https://eprint.iacr.org/2024/702
[EPRINT:FieLan25] https://eprint.iacr.org/2025/470
[SP:CDFFJ21] https://eprint.iacr.org/2020/1525
[SAC:DuzFieFis24] https://eprint.iacr.org/2024/710
Several recent works have established lower bounds on the communication cost of secure messaging protocols using only selected primitives. We argue that these bounds no longer apply if succinct noninteractive multi-party key exchange (SMNIKE) exists, a setup-free primitive where no party’s message depends on the number of parties. We introduce succinct PPRFs, where the punctured key is of size 5λ and, in particular, independent of the input size, as long as the punctured point has a short description. We then show how to combine succinct PPRFs with JJ to show that a variant of the Boneh–Zhandry construction is already an SMNIKE.
Strong Asymmetric Password-Authenticated Key Exchange (saPAKE) enables a client, holding only a low-entropy password, to repeatedly establish shared high-entropy session keys with a server, holding a digest of that password. Ideally, an adversary is limited to impersonation attempts, online dictionary attacks, and, in the event of a leaked digest, a brute-force attack that does not admit precomputation. In this talk, I will present our novel saPAKE protocol, which is the first to simultaneously achieve the ideal security, as described, in a single round trip without generic algebraic models. We instantiate our saPAKE from an oblivious pseudorandom function (OPRF); I will also present our novel Dodis-Yampolskiy-based OPRF, the first online-extractable and input-committing UC-secure OPRF.
In this seminar I will present the paper that lies the foundation for the phd position I applied to. Key Transparency Log are an emerging technique to provide a secure and transparent way to manage and distribute cryptographic keys in centralised systems such as WhatsApp and iMessage. This paper (by Brorsson et al) presents a new way to prevent split-view attacks in Key Transparency Logs by leveraging light-weight and scalable cryptographic tools.
In a world where cryptographic constructs are stuck in a race against faster algorithms, we propose a cosmic solution: why not root cryptographic provable delays in the speed of light? This paper introduces Sequential Communication Delay (SCD) in the Universal Composability framework, a functionality models communication channels where data is transmitted fashionably late. With our SCD proofs, we proposed the first constructions of a Verifiable Delay Function and a Publicly Verifiable Time-Lock Puzzle that do not rely on computational assumptions Say goodbye to the worries of computational speed-ups and hello to a time-delay rooted in the cosmos!
Cryptography, data Hiding and digital watermarking algorithms being the basic building blocks for making powerful security solutions and security and privacy protocols. The systems at each end must negotiate and establish the configuration of these basic algorithms and their parameters before secure communication can occur. I will describe my research on the design of different types of cryptographic algorithms aimed at some application domains which will span everything from crypto-compression techniques and new image cryptosystems to lightweight cryptographic primitives for resource-restrained devices. One of the main objectives will be to provide a formal verification of these algorithms regarding their statistical, differential, and linear cryptanalysis, to verify their claims of security proof. In addition to standard cryptography, we might look at new ways to support confidentiality, e.g., data hiding in digital images. I will be talking about blind steganalysis methods using machine learning/deep learning methods which can be used in targeted attacks to break or assess the security of these data hiding systems. I will also illustrate the significant value that a rigorous cryptanalysis / security evaluation plays in the comprehensive design of what the critical security and privacy constructs. These techniques combine domain knowledge and cryptographic algorithms to secure the way in which sensitive data can be integrated. This analysis may provide an understanding of what types of algorithms can be better to use based on their cryptanalysis work.
Contact discovery allows new users of a messaging service to find existing contacts that already use that service. Existing users are similarly informed of new users that join. Current contact discovery protocols allow the server to reconstruct the social graph (i.e. the graph describing who is a contact of who), which is a serious privacy issue, unless they use trusted hardware to prevent this. But even in the latter case, privacy is still at stake: anyone already on the service that has your number on their contact list gets notified that you joined. Even if you don't know that person, or if it is an ex or former colleague that you long parted with and whose contact details you deleted long ago.
To solve this, we propose a *mutual* contact discovery protocol, that only allow users to discover each other when *both* are (still) in each other's contact list. Mutual contact discovery has the additional advantage that it can be implemented in a more privacy friendly fashion (e.g. protecting the social graph from the server) than traditional, one-sided contact discovery, without necessarily relying on trusted hardware.
This seminar presents research on anonymous credentials with Publicly Auditable Privacy Revocation (PAPR). PAPR credentials simultaneously provide conditional user privacy and auditable privacy revocation for credential systems.
Alley will argue in favor of using the real/ideal paradigm for defining security in a programming languages context, even when systems are entirely non-probabilistic.
HTTPS is a cornerstone of privacy in the modern Web. The public key
infrastructure underlying HTTPS, however, is a frequent target of
attacks. We introduce LogPicker, a novel protocol for strengthening
the public key infrastructure of HTTPS. LogPicker enables a pool of
Certificate Transparency (CT) logs to collaborate, where a randomly
selected log includes the certificate while the rest witness and
testify the certificate issuance process. As a result, CT logs
become capable of auditing the log in charge independently without
the need for a trusted third party.