1st London Crypto Day

The event will start at 9.30am and will end at around 6.00pm.

The detailed programme is now available here!

List of speakers

The list of speakers for the first London Crypto Day includes

– Martin Albrecht, Royal Holloway, University of London

Primal and Dual Attacks on LWE-based Encryption Schemes

This talk will review lattice attacks on LWE-based constructions. Firstly, I will present variants  of the dual-lattice attack (Eurocrypt 2017) in the presence of an unusually short (and sparse) secret. Such LWE instances are common in homomorphic encryption libraries such as IBM’s HELib or Microsoft’s SEAL and our techniques lead to revised parameter choices for these libraries. Secondly, I will revisit primal attacks which proceed by finding an unusually short vector in a lattice. Here, two different success conditions are formulated in the literature. One going back to Gama & Nguyen’s work on predicting lattice reduction (Eurocrypt 2008) and one recently sketched by Alkim et al. (USENIX 2016). I will present empirical evidence confirming the correctness of the latter estimate and explain the observed behaviour by expanding on Alkim et al.’s work.

– Liqun Chen, University of Surrey

Cryptography and Trust

The relationship between cryptography and trust has been discussed for several decades. From my point of view, there are still some aspects worthy of discussion today. In this talk, I will share some examples with the audience to demonstrate that without trust cryptography is useless, and discuss the different layers of trust necessary in a cryptographic system as it is designed and evaluated, implemented, adopted and used. A cryptographic system designed under certain trust assumptions will need to change if these trust assumptions are no longer valid. Of course, different people trust different things. Can the cryptographic community come up with suitable cryptographic solutions to meet different trust needs? How can we convince developers to adopt our designs and how can we help those who have different trust views from ours to benefit from cryptography? In the end, we must find a balance and be clear what we as the cryptographic community trust and who and what other people trust and we must respect the latter.

– Jens Groth, University College London

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Signatures of knowledge enable a signer to sign a message using a statement as the public key if she owns a witness to the truth of the statement. They are used in many cryptographic schemes including cryptocurrencies, anonymous credentials, ring and group signatures, and direct anonymous attestation. We will present succinct and highly efficient pairing-based signatures of knowledge. To do this we use that signatures of knowledge and simulation-extractable non-interactive zero-knowledge argument (SE-NIZK argument) are closely linked. We describe a succinct SE-NIZK argument (SE-SNARK) that consists of only 3 group elements and has highly efficient verification. The SNARK is perfectly complete, perfectly zero-knowledge and computationally simulation-extractable. As a consequence, we get signatures of knowledge consisting of only 3 group elements.

– Aggelos Kiayias, University of Edinburgh

Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol

We present “Ouroboros,” the first blockchain protocol based on proof of stake with rigorous security guarantees. We establish security properties for the protocol comparable to those achieved by the bitcoin blockchain protocol. As the protocol provides a “proof of stake” blockchain discipline, it offers qualitative efficiency advantages over blockchains based on proof of physical resources (e.g., proof of work). We showcase the practicality of our protocol in real world settings by providing experimental results on transaction processing time obtained with a prototype implementation in the Amazon cloud. We also present a novel reward mechanism for incentivizing the protocol and we prove that given this mechanism, honest behavior is an approximate Nash equilibrium, thus neutralizing attacks such as selfish mining and block withholding. We also report on how it is possible to adapt the protocol to protect against adaptive and semi-synchronous adversaries.

– Markulf Kohlweiss, Microsoft Research Cambridge

A Cryptographically Verified Implementation of crypto_box

The crypto_box construction is a simple Diffie-Hellman based KEM-DEM construction introduced and implemented by Bernstein et al. in their crypto library NaCl. The construction was popularised by libsodium, a fork of NaCl, and is designed to be used modularly in a broad range of applications such as DNSCurve and Mega. The simplicity of crypto_box and its modular nature make it a great example to showcase code-based cryptographic verification techniques in F*, the program verification tool used by miTLS.

– Maura Paterson, Birkbeck, University of London

Reducing download complexity and storage requirements in PIR

Private Information Retrieval (PIR) involves a database consisting of several records and a user who wishes to learn one of the records without revealing which record they are seeking.  Traditionally, much of the literature in the unconditionally secure setting considers the case of multiple non-colluding servers that each store a copy of the entire database, and seeks to construct schemes where the size of the users’ queries is as small as possible.  Recently, however, there has been considerable interest in models focusing on slightly different aspects, such as the use of coded storage, rather than just replication, of the database in order to reduce the total storage overhead, and the consideration of smallest achievable sizes of the servers’ responses. In this talk we discuss recent developments in some of these areas.

Further details


Liz Quaglia and Kenny Paterson, from the Information Security Group of Royal Holloway, University of London, are the organisers of the first London Crypto Day.


The first London Crypto Day is a day of cryptography talks in the London area, aimed at attracting and bringing together the many talented researchers in cryptography in the area, and at helping create fruitful collaborations.


The event will be held in the Moore Auditorium of Royal Holloway, University of London.

You can find more practical information here.


5th June 2017


Registration for the event is free thanks to the generous sponsorship from the London Mathematical Society and the Royal Holloway Academic Centre of Excellence in Cyber Security. Registration includes tea, coffee, and a buffet lunch.

Registration is now closed.

We hope you enjoy the 1st London Crypto Day!


Logo credit: Michele Villa