Seminar Themen

NTRU is a well-known lattice-based cryptosystem that can be described using polynomial rings. The public-key encryption scheme NTRUEncrypt has the advantage of having short keys with fast encryption/decryption algorithms and is considered a viable candidate for post-quantum cryptography. There is also a signature scheme called NTRUSign, though its security is less trusted compared to NTRUEncrypt.

The task of the student is to understand and summarise how the two schemes work, the attacks against them in the literature and the countermeasures proposed to resist these attacks.

[1] J. Hoffstein, J. Pipher, and J. H. Silverman, ‘NTRU: A ring-based public key cryptosystem’. doi: 10.1007/BFb0054868.

[2] J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte, ‘NTRUSign: Digital Signatures Using the NTRU Lattice’. doi: 10.1007/3-540-36563-X_9.

[3] J. Hoffstein, N. Howgrave-Graham, J. Pipher, and W. Whyte, ‘Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign’. doi: 10.1007/978-3-642-02295-1_11.

• Security in Communications and Storage

The number-theoretic transform (NTT) is a generalization of the discrete Fourier transform over a ring or finite field. In a similar fashion to the FFT algorithm, the NNT efficiently computes the circular convolution of an integer sequence. An application of the NTT is the multiplication of two polynomials over a finite field, which is often used in cryptosystems based on lattices like CRYSTALS-KYBER.

Tasks: 

• Understand the NTT and inverse NTT and how it relates to the FFT,
• study applications of NTT in post-quantum cryptosystems using the paper provided 

Main papers: 

Number Theoretic Transform and Its Applications in Lattice-based Cryptosystems: A Survey

Conceptual Review on Number Theoretic Transform and Comprehensive Review on Its Implementations 

A nice primer on the NTT with examples can also be found in this blog 

Due to the recent advances in quantum computers, searching for cryptosystems that survive quantum attacks is of great interest. Code-based cryptography is a promising candidate since it is built on the NP-hard problem of decoding a random code [5].

Random-looking codes replace random codes for most cryptosystems to enable a trapdoor. McEliece originally proposed to use binary Goppa codes. Later, MDPC codes were successfully introduced.

More recently, it was suggested that generalized (U|U+V) codes be used, which belong to the class of generalized concatenated codes.
Concatenated codes play an important role in classical channel coding, but further research is required to evaluate which variants also form a promising basis for code-based cryptography.

The goal of this topic is to analyze constructions of generalized concatenated codes proposed for cryptographic applications, e.g., [1-4]:
- how do proposed constructions work?
- which properties do they have?
- is the secret structure well hidden?

The exact scope can be set depending on your interest.

Main Papers:

[1] Márquez-Corbella, Irene, and Jean-Pierre Tillich. "Using Reed-Solomon codes in the (U| U+ V) construction and an application to cryptography." 2016 IEEE International Symposium on Information Theory (ISIT). IEEE, 2016.

[2] Puchinger, S., Müelich, S., Ishak, K., & Bossert, M. (2017). Code-based cryptosystems using generalized concatenated codes. In Applications of Computer Algebra: Kalamata, Greece, July 20–23 2015 (pp. 397-423). Springer International Publishing.

[3] Debris-Alazard, T., Sendrier, N., & Tillich, J. P. (2018). Wave: A new code-based signature scheme.

[4] Cho, J., No, J. S., Lee, Y., Koo, Z., & Kim, Y. S. (2022). Enhanced pqsigRM: code-based digital signature scheme with short signature and fast verification for post-quantum cryptography. Cryptology ePrint Archive.

Further References:

[5] Weger, V., Gassner, N., & Rosenthal, J. (2022). A Survey on Code-Based Cryptography. arXiv preprint arXiv:2201.07119.

Security in Communications and Storage
Channel Coding

There are scenarios where we wish to enable public access to a program (a function) without giving away any information about how the function is implemented.
For general circuits, this notion called virtual black box obfuscation is known to be impossible.
However, a weaker notion called indistinguishability obfuscation (iO) can be achieved.
Here, the obfuscations of two similarly-size circuits realizing the same function should be computationally indistinguishable from each other and reveal no more than some canonical form of the underlying function.
In some sense this is even the strongest achievable form of function obfuscation.

As of today, iO is too inefficient for almost all practical applications.
However, recent research has shown it may be used to build most cryptographic constructions of interest (assuming the existence of a one-way function).
For some of these it is even the only currently known way.

The student's task is to survey the literature to understand the formal definition, properties and applications of indistinguishability obfuscation (iO). More specifically, the student should aim to explain a recent construction [1] achieving this notion and the underlying hardness assumptions.

[1] Brakerski, Z., Döttling, N., Garg, S., & Malavolta, G. (2020). Factoring and pairings are not necessary for io: Circular-secure lwe suffices. Cryptology ePrint Archive. https://eprint.iacr.org/2020/1024

Any prior knowledge of modern cryptography such as notions of security based on computational indistinguishability as well as an elementary understanding of the concept of homomorphic encryption (based on lattices) will be useful for this task.

Fully decentralized schemes do not require a central entity and have been studied in [1, 2]. These works aim to reach consensus on a desirable machine learning model among all clients. We can mainly distinguish between i) gossip algorithms [3] where clients share their result with all neighbors, naturally leading to high communication complexities, and ii) random walk approaches like [4, 5] where the model is communicated only to a specific neighbor until matching certain convergence criteria. Such random walk approaches are used in federated learning to reduce the communication load in the network and at the clients’ side.

The main task of the student is to study the work in [5], which additionally accounts for the heterogeneity of the clients’ data. Further, drawbacks and limitations of the proposed approach should be determined.

[1] J. B. Predd, S. B. Kulkarni, and H. V. Poor, “Distributed learning in wireless sensor networks,” IEEE Signal Process. Mag., vol. 23, no. 4, pp. 56–69, 2006.

[2] S. Boyd, N. Parikh, E. Chu, B. Peleato, J. Eckstein et al., “Distributed optimization and statistical learning via the alternating direction method of multipliers,” Found. Trends Mach. Learn., vol. 3, no. 1, pp. 1–122, 2011.

[3] S. S. Ram, A. Nedi ?c, and V. V. Veeravalli, “Asynchronous gossip algorithms for stochastic optimization,” in IEEE Conf. Decis. Control. IEEE, 2009, pp. 3581–3586.

[4] D. Needell, R. Ward, and N. Srebro, “Stochastic gradient descent, weighted sampling, and the randomized kaczmarz algorithm,” Adv. Neural Inf. Process. Syst., vol. 27, 2014.

[5] G. Ayache, V. Dassari, and S. E. Rouayheb, “Walk for learning: A random walk approach for federated learning from heterogeneous data,” arXiv preprint arXiv:2206.00737, 2022.

- Machine Learning and Statistics
- Information Theory

Rank-matric codes are codes that live in a vector space that is endowed with a different metric than the Hamming metric: in the rank-metric the distance between two codewords, represented as matrices over a smaller field, is defined as the rank of their difference.

The theory of rank-metric codes has interesting connections to many topics in discrete mathematics and promissing applications to code-based cryptography and network coding.

In this seminar work, the student will study properties and constructions of rank-metric codes and one or more applications. The goal is to understand and summarize parts of the following papers:

[1] H. Bartz, L. Holzbaur, H. Liu, S. Puchinger, J. Renner, A. Wachter-Zeh (2022). “Rank-Metric Codes and Their Applications”. arXiv: 2203.12384  https://arxiv.org/pdf/2203.12384.pdf 

[2] K. Marshall, (2016). “A study of cryptographic systems based on Rank metric codes”, Dissertation, University of Zurich  https://www.zora.uzh.ch/id/eprint/127105/1/Diss%20Kyle.pdf

[3] T. Randrianarisoa, (2018). “Rank metric codes, codes using linear complexity and applications to public key cryptosystems”, Dissertation, University of Zurich  https://www.zora.uzh.ch/id/eprint/153545/1/153545.pdf

[4] E. Gorla (2019). “Rank-metric codes”. arXiv: 1902.02650  https://arxiv.org/pdf/1902.02650.pdf

[5] E. Gorla and A. Ravagnani. (2018). “Codes endowed with the rank metric”. In: Network Coding and Subspace Designs. Springer. 3–23.  https://link.springer.com/content/pdf/10.1007/978-3-319-70293-3.pdf 

Polymer-based storage involves storing information strings as a chain of molecules, the masses of which indicate whether the encoded bit is a 0 or 1. The readout mechanism requires tandem mass spectrometers which output compositions of all possible substrings, i.e. the number of 0s and 1s in a particular substring. The authors of [1] demonstrated that unique string reconstruction is only possible for specific string lengths, and also presented an algorithm for the same. In [2-5], code constructions were presented to facilitate this for all string lengths and also to correct substitution errors in the measured compositions.

[1] J. Acharya, H. Das, O. Milenkovic, A. Orlitsky, and S. Pan, “String
reconstruction from substring compositions,” SIAM Journal on Discrete
Mathematics, vol. 29, no. 3, pp. 1340--1371, 2015.

[2]  S. Pattabiraman, R. Gabrys and O. Milenkovic, "Coding for Polymer-Based Data Storage", arXiv:2003.02121, 2020

[3] R.Gabrys,   S.Pattabiraman,   and   O.Milenkovic, "Mass error-correction codes for polymer-based data storage,”  IEEE International Symposium on Information Theory, ISIT 2020, Los Angeles, CA, USA, June  21-26,  2020, pp. 25--30, IEEE, 2020.

[4] S.~Pattabiraman,  R.~Gabrys,  and  O.~Milenkovic,  “Reconstruction  and error-correction  codes  for  polymer-based  data  storage,”  in IEEE Information Theory Workshop, ITW 2019, Visby, Sweden, August 25-28,2019, pp. 1--5, IEEE, 2019.

[5] R. Gabrys, S. Pattabiraman and O. Milenkovic, "Reconstructing Mixtures of Coded Strings from Prefix and Suffix Compositions," 2020 IEEE Information Theory Workshop (ITW), 2021, pp. 1-5.

In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece (if any) has been transferred.   Often seen as an enemy, noise turned out to be a good ally of cryptographers. While a noiseless channel, from a cryptographic point of view, is a sterile medium where information theoretical security cannot be achieved for two parties, noise provides us with oblivious transfer (OT), the most powerful two-party primitive.   https://link.springer.com/chapter/10.1007/978-3-642-36899-8_6   https://ieeexplore.ieee.org/document/4529286   https://ieeexplore.ieee.org/document/8000673

Information theory

High-throughput applications for optical links spured great interest in low-complexity decoding of product codes. Several novel algorithms rely on passing hard messages and careful use of soft channel information to strike the balance between memory efficiency, computational complexity and error-correcting performance. New ideas for component decoding [2] [3] and attempts to go beyond pure iterative decoding [1][4] are of special interest.

The task of the student is to review and understand algorithms for decoding of product codes. After successful completion of the seminar the student will have a comprehensive overview of research in the field of high-throughput decoder design and analysis.

[1] C. Häger and H. D. Pfister, "Approaching Miscorrection-Free Performance of Product Codes With Anchor Decoding," in IEEE Transactions on Communications, vol. 66, no. 7, pp. 2797-2808, July 2018.

(Online: ieeexplore.ieee.org/abstract/document/8316914 )

[2] A. Sheikh, A. Graell i Amat, G. Liva and A. Alvarado, "Refined Reliability Combining for Binary Message Passing Decoding of Product Codes," J. Lightwave Technol., vol. 39, no. 15, pp. 4958-4973, August 2021.

(Online: arxiv.org/pdf/2006.00070 )

[3] A. Sheikh, A. Graell i Amat and A. Alvarado, "Novel High-Throughput Decoding Algorithms for Product and Staircase Codes based on Error-and-Erasure Decoding," J. Lightwave Technol., vol. 39, no. 15, pp. 4909-4922, August 2021.

(Online: arxiv.org/pdf/2008.02181 )

[4] S. Miao, L. Rapp and L. Schmalen, "Improved Soft-Aided Decoding of Product Codes With Dynamic Reliability Scores," J. Lightwave Technol., vol. 40, no. 22, pp. 7279-7288, November 2022.

(Online: arxiv.org/pdf/2204.00466 )

Recommended: Channel Codes for Iterative Decoding and/or Codes on Graphs

Additional: Channel Coding, Information Theory

The QIP (Quantum Information Processing) and TQC (Theory of Quantum Computation, Communication and Cryptography) conferences are two of the most important conference in quantum theory. The student will have the freedom of choosing one article from the latest conferences and will then have to understand and report on the article.

the capacity of optical transmission system is limitted by the nonlinear effects in the fiber.

the digital back propagation(DBP) is a method to sovle this problem.

By reading some papers, student can get the principle of this method and its advantage.

it's better for student to have some basic knowledge about optical transmission system, nonlinear effects and digital signal processing.

In order to increase the capacity of the current optical networks, new transmission architectures are under investigation. Hollow-core fibers are a new technology, which promises, among the others, to have reduced losses and extremely low nonlinear effects. New propagation impairments, which are still under study, would arise compared to the well-known single-mode fibers (SMFs). Yet, their employment in the field of optical communications seems likely to bring about a breakthrough over the current SMF-based solutions.

The student is required to compare ste system-level benefits of hollow-core fiber based systems against wideband frequency-division multiplexing (FDM) systems based on SMFs (or also on multi-core fibers), highlighting the most likely application scenarios, see [1]. 

A further elective task is to provide an overview on the design and modeling of hollow-core fibers, see [2].

REFERENCES:

[1] E. N. Fokua et al., ``Loss in hollow-core optical fibers: mechanisms, scaling rules, and limits'', 2023

[2] P. Poggiolini, F. Poletti, ``Opportunities and Challenges for Long-Distance Transmission in Hollow-Core Fibres'', 2022

Bases in optical communication systems and, possibly, in guided mode propagation.

Digital coherent optical receivers have revolutionized optical transmission system design through the integration of advanced subsystems and algorithms. This paper presents a comprehensive analysis of these components, including the optical front end, analog-to-digital converter (ADC), and digital signal processing (DSP) algorithms that contribute to the performance of the system. The paper delves into the methods used to compensate for transmission impairments, both static and dynamic, with a particular focus on dynamic-channel equalization.

[1] S. J. Savory, "Digital Coherent Optical Receivers: Algorithms and Subsystems," in IEEE Journal of Selected Topics in Quantum Electronics, vol. 16, no. 5, pp. 1164-1179, Sept.-Oct. 2010.

Recommended Courses:

   - Digital Signal Processing for Optical Communication Systems

   - Optical Communication Systems