Eurocrypt 2001 papers citation chart

Since (but not only) I am a general chair of Eurocrypt 2011 in Tallinn, I became somewhat curious about the past Eurocrypts. The chart above is what I found about the citation statistics of papers published in Eurocrypt 2001, that is, exactly 10 years ago. The citations are counted according to Google Scholar (and may obviously be somewhat incorrect). Moreover, I only counted citations for the top match (and not say for mistyped names, journal versions, etc).

The 9 papers that have received more than 100 citations are (unordered):

• Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords
• Priced Oblivious Transfer: How to Sell Digital Goods
• Practical Threshold RSA Signatures without a Trusted Dealer
• Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels
• Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems
• Multiparty Computation from Threshold Homomorphic Encryption
• The Rectangle Attack – Rectangling the Serpent
• An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation
• Encryption Modes with Almost Free Message Integrity

Anyone can guess which paper is actually the most cited one — at least I was not able to do it before Googling the Scholar.

I think even more interesting is the tail of this chart, with 39, 38, 38, 37, 32, 26, 26, 20, 19, 17 and 13 citations.

I have obvious questions: is it normal that papers accepted in a top venue have less than 20 citations after 10 years? What about less than 50? Is getting citations (having impact) important at all during selection of the papers? I know that in the case of STOC and FOCS there is severe criticism that papers get accepted based on their technical difficulty, and not on their possible impact. (I fail at finding a good link right now, but see for example here or here.) Impact *is* shown by the number of citations, so do Crypto and Eurocrypt have a similar problem? As an example, the *least* cited paper (with 13 citations) is called “Efficient Amplification of the Security of Weak Pseudo-random Function Generators” – and it’s definitely a technically complex paper.

Also, it would be interesting to know the most cited rejected papers (even without concrete names).

So many questions.
]]> http://helger.wordpress.com/2011/05/05/105/feed/ 3 helger Eurocrypt 2001 papers citation chart http://helger.wordpress.com/2011/04/30/endgame/ http://helger.wordpress.com/2011/04/30/endgame/#comments Sat, 30 Apr 2011 18:47:30 +0000 helger http://helger.wordpress.com/?p=100 ]]> Not only has the new Canadian TV show “Endgame” an ex-world champion in chess as the main hero, in the newest episode 7 they also introduce a female cryptographer (“she’s a brilliant cryptologist for the world’s biggest firewall developer”) who does research on homomorphic encryption.

“Algebraic cryptosystems?” – “Yeah, lattice-based”

EDIT: going to add a few more funny quotes.

“Her master thesis at MIT was about the [...] transposition cipher used by Spartan military. How cool is that?”

Many people probably already know that Estonia has had Internet voting since 2005. Over the years, the number of voters has increased. In the parliamentary elections this week, more than 10% of the whole population (which means even larger percentage of the population who can vote – and probably quite a large percentage of the people who actually go to vote) used Internet voting.

I paper voted.

Why? First of all, as a cryptographer, it is my job not to support insecure systems. Given the current situation in Estonia, paper-voting is the only thing that I can do, but I hope things will improve rapidly.

Here’s a short description of Estonian Internet voting protocol:

One vote attempt:
You as a voter either use an ActiveX control (or a downloadable application if you use a wrong browser/…) to log in to a secure webpage. To authenticate yourself you use an ID card (those have been obligatory in Estonia for quite a few years). After logging in, you use the GUI to select the candidate. After that, the voter computer encrypts your vote by using RSA and the key of a tallier. The result is also signed by using your private key (which is again stored in your ID card). Your computer now sends the signed & encrypted vote to the vote collector server.

Revoting:
You can always revote by using exactly the same procedure. The VCS only stores the latest vote by every voter. (This step was introduced to combat vote coercion/family voting — note that if everything else fails, you can go to the voting station and revoke your electronic vote by paper-voting.)

Vote counting:
After the election period ends, the VCS will take the latest encrypted votes of all voters and send them to the second server that is behind a firewall. The second server removes all the signatures. It then ‘burns’ all the unsigned encrypted votes to a CD. Now, a number of trusted people (including observers) take this CD and bring it to a separate room, which is well guarded. That room contains the third server, the tallier who is *not* connected to Internet at all. The CD is input to the tallier. The tallier reads all encrypted votes. Since it knows the decryption keys, it can decrypt all votes. After that it outputs the number of votes given for every candidate.

This whole process also contains a number of organizational steps (like transfer of the CD to the tallier, or general auditing), but cryptographically that’s it.

So what’s wrong with it? For a cryptographer it’s a rhetoric question but let me reiterate some points. Basically, an e-voting system can be attacked by attacking voter computers, Internet connection or voting servers. Signing/encryption mostly takes care of fraudulent Internet (they do not obviously protect you against DDOS attacks and the like).

Voter computers are an obvious problem: most of the people are computer illiterate, and are not able to check if their computers are not infected. Even if they have the newest antivirus (which we can’t be sure of), that antivirus itself might not be able to detect a piece of new malware that has been written specifically for *that* election and is unleashed just before it. (Note: in Estonia e-voting lasts for 3 days.) That malware could do a lot of damage, like hijack the connection between you and the ID card (basically letting the ID card to sign wrong votes), between the GUI and what actually happens inside the computer, etc. I would *not* be surprised if such a piece of software was written by a high-school kid.

Vote servers are another problem: they can attacked by a hostile (but yet invisible) takeover, or by an insider (software provider, hardware provider, they guy with a gun meant to protect the servers, cleaning lady…). To be completely certain nothing like that happens, one should use either 100% trusted providers etc, etc (which is somewhat unlikely if an interested foreign powers invests a few million euros to bribe everybody), or one should use cryptography. But first, why does it matter? Can’t we trust the election office? Rhetorically I could ask: do we trust politicians in general? Do we? Less rhetorically, there are so many potential threats here.

Given all this, when Internet voting process started in Norway, the government officials clearly stated they want strong cryptography, and probable security in general. In particular, they do not want to only avoid attacks. They want to be able to prove that no attacks happened. Moreover, they want to be able to prove that the e-voting system is so secure that no attacks are possible at all. (Or at least, the number of possible attacks is strongly limited.) If the e-voting system satisfies that property, they can in particular prove that they did *not* cheat. That means, at least some kittens in Norway will have a good night sleep. And people’s trust in the governance will increase.

We can imagine all kind of attacks (and motivations behind those attacks) against Internet voting. A party would like to gain a few more votes. A script kiddie is angry at a politician whose daughter doesn’t like him. A foreign power wants their favorite party to gain a few more votes. A foreign power attacks e-voting process just so that it will be clear that somebody attacked and thus the results can’t be trusted. Etc. Etc. Script kiddie might spend a few days to write a virus that works on user computers. A foreign power might spend $10M to develop Stuxnet+.

How can we protect Internet voting then? Fortunately, there *are* very well-known (at least in the cryptographic community) protocols for that. It is known how to get security in the case when a minority of voting servers is malicious. Under some conditions, it just suffices to have one uncorrupted voting server. Developing such protocols means that there is a need for additional computing power (and time, to implement the cryptographic protocols). Deploying such protocols is invisible to the voters.

Protecting against corrupted voter computers is more difficult. There are quite many ways to do it, but most of the ways requires the voters to perform some additional operations. As an example, Norway will use a scheme where every voter receives (by post) a codesheet that has the names of all candidates and corresponding check codes. (The codes are unique for every voter.) Voting proceeds as usual, by using computer and your favorite GUI, but afterwards you will receive by SMS a single code. The voter can now just verify if this is the same code that was written on the codesheet under his or her favorite candidate. If it is not, he can revote electronically (or go and paper-vote).

There are a number of good things about the Norwegian system. First of all, receiving the codesheet and checking your codes is not obligatory — you just have to do it when you are paranoid or just security-conscious (or just geeky). Thus, Internet voting still rules in the sense of convenience. On the other hand, interested voters can verify that their votes were counted for by following a relatively small number of steps.

Another thing that I like about the Norwegian solution is that by using their own words, the underlying math is simple enough to be understood by high school students — and they plan to start teaching the protocol at high schools. (See the slides here.) Which is nice, since cryptography is not everything — for complete trust there have to be enough people to understand the system. And it’s always nice to teach people new math.

The Norwegian system is not ideal, but it can be improved upon. There are also many other, somewhat similar (or completely different) techniques to protect Internet voting schemes against corrupted user computers. Unfortunately, dwelling into them would take quite a lot of time and this margin here is too short.

I personally expect that if handled correctly, such rebuttals would help tremendously in the reviewing process. I’ve just too many times received reviews that could be rebutted with a single paragraph, and may be I’ve written some reviews like that myself. I am a strong supporter of rebuttals, and I hope they will be implemented in at least top conferences in cryptography too.

This time the school has two younger but already very well known cryptographers, Jens Groth and Aggelos Kiayias. Jens will talk about pairing-based non-interactive zero-knowledge proofs (in my opinion, he and his coauthors caused a little revolution there a few years ago), and Aggelos will talk about cryptographic methods for digital content distribution (he’s a new book upcoming on this topic just a bit after the winter school). Other presenters include say Alan Mycroft from Cambridge.

The school is week-long, in an old manor among the forests, and yes, we usually have snow there. Please see the linked homepage of the school and please refer it to your familiar (non)graduate students! We usually have quite strong students, including a very strong bunch coming from neighbourly St Petersburg.

See here for further details.

A SUC CFP should include a nice 15-35 page introduction that would explain what exactly is UC, give notation and definitions. It should also provide the descriptions of most fundamental functionalities in the UC model (say commitments, encryption, signature schemes, etc). This introduction should be then printed as the introductory part of the SUC proceedings. All submitted (and later accepted papers) would be free of the burden of redefining the UC-security, introducing notation, and common functionalities. Instead, they could just focus on the new stuff. Obviously, the reviewers of SUC should also first familiarize themselves with the introduction.

In addition, reviewers of other conferences could breath much more easily since they would not have to review papers on UC-security anymore.

Reading their autobios however is interesting. For example, the first bio I accidentally started to read is by one James Harris Simons (“differential geometry”). And then I found the next part (which is by the way not mentioned in Wikipedia): “I went on to Princeton and worked as a code-cracker at the time of the Vietnam war. I worked for the Institute for Defense Analysis. It was National Security Agency work and highly classified.” Then he continued to work on pure mathematics, and finally, moved into investment business. And became rich. Simons is the CEO of what is now one of the world’s most successful hedge funds.

I found the next quote to be quite intriguing: “Interestingly, the work I did as a code-cracker during the Vietnam War turned out to be extremely useful. As a code-cracker, you see a lot of data from your adversary. You get ideas. You test them. Most of them are wrong. If you’re lucky, you get a few hits and you begin to see. It’s similar with predicting financial data: you have an idea that when one thing happens, you might expect to see a certain pattern. You can test it out. Maybe you’re right. Maybe you’re wrong.”

Somehow the connection between code-cracking and predicting financial markets has been around in the popular culture for quite a while (“The Pi”, The Cryptographer – though not exactly, and probably some others), but this is the first time I’ve seen somebody really announcing that he’s become (that) rich because of his cryptographic background.

So – we have now one more reason to tell people why it’s good to be a cryptographer.

Another question: how much is known about the Vietnam war-era ciphers? I guess they didn’t use Enigmas anymore. Or Navajo windspeakers.

(NB: this is the only autobio I’ve read yet.)

But even more than that, Alan deserves recognition for his contribution to humankind. For those of us born after 1945, into a Europe which is united, democratic and at peace, it is hard to imagine that our continent was once the theatre of mankind’s darkest hour. It is difficult to believe that in living memory, people could become so consumed by hate – by anti-Semitism, by homophobia, by xenophobia and other murderous prejudices – that the gas chambers and crematoria became a piece of the European landscape as surely as the galleries and universities and concert halls which had marked out the European civilisation for hundreds of years. It is thanks to men and women who were totally committed to fighting fascism, people like Alan Turing, that the horrors of the Holocaust and of total war are part of Europe’s history and not Europe’s present.

Obviously, you can just use answers.com to get the same answer. Interestingly enough, answers.com gave a wrong answer for 18 just a few days ago, but after I pointed it out in Facebook, somebody has gone over those pages.

Now there is an online petition that seeks apology for Turing. Finally. Unfortunately, you have to be a British citizen or at least resident to sign the petition, but still. Show your support.

Interestingly enough, the google search ‘online petition turing’ turns up almost 2 million pages.

I hope Jon Katz will blog about Crypto extensively. I was reading the abstracts of accepted papers (which are fortunately online) and saw many interesting papers. Some are interesting because the result sounds good. Some are interesting because I am interested in the area. However, it is difficult to judge before actually reading the paper. Jon???

Also, the rump session is later today, broadcasted live, though I doubt I will be awake at that moment.

Now, what is a polymath project? The idea is to use the joint energy of millions of bored people, who’d otherwise just sit on Facebook, to actually do something useful. Somebody poses an interesting question and then everybody is free to take a stab on it. Hopefully, those millions of people can finally jointly solve the problem.

The current discussion thread for this project is here. Michael Nielsen has a wiki page that summarizes the known results and current ideas. Finally, Terry Tao has a number of posts about this project on his blog too.

From familiar people, I’ve spotted Avi Wigderson on those pages. I’ve also commented, though only anonymously, since I am just an egg.

My own two “favorite” reviews from past: First, by a reviewer saying that our result is not interesting since we improve the best known result only by a constant factor (well, the constant happened to be 2^15), and second, by some reviewer saying that the CPIR protocol I proposed (with log^2 communication) was not interesting since we already had protocols with polylogarithmic communication. The reviewer went forward to say that we can always define a new security parameter k’ as a polynomial of k, and thus log^2 vs log^anything is a nonissue. In general I also tend to be amused by a review that says that my work is a combination of known techniques. I thought that was what was called research.

Finally, I really like yet another opinion piece by Doron Zeilberger, where he says that due to the stupid reviews he’s not going to publish anymore papers in peer-reviewed journals. Lucky guy, he’s both famous and tenured. I also like one of the reviews he has gotten: “I think the results are new and the general plan is straightforward. It won’t get the Fields medal but I don’t think that’s our criteria. I do recommend it’s acceptance.”

On the other news, Jon Katz doesn’t like FOCS and Asiacrypt.

PS Finally, as you might have noticed I started to actively blog again. I used to do it a few years ago, but then most of my posts were personal. I’ll try to make this blog purely work-related.

This law is not even wrong for so many reasons, starting from basic human rights, and ending with it being a technical and legal absurdity. I’d just like to point out two factors why this law is absurd. First, how can you prove that one has known they keys, or has not forgotten them, or the post-it note where they keys were was not burned by a third person? This really baffles me. Second, without actually knowing the key, it is impossible to assume that the encrypted material has anything to do with the case, and thus as far as I see it, one should have convincing evidence to imprison even without getting the key at all. This however would make this concrete law superfluous.

This reminds me the next strip from XKCD:

On the other hand, may be there is something that “crypto nerds” can do here, and I’d actually like to propose a research question. Namely, we could try to devise a cryptosystem which has many possible indistinguishable decryption keys. If you have you have a copy of the ciphertext, the plaintext, and the corresponding decryption key, then you can easily generate a new decryption key that corresponds to any possible plaintext. The authority should not be able to (a) distinguish between different decryption keys, and (b) to have a reasonable advantage to even guess what is the number of the active keys.

On the other hand, then you could get beaten up for just using such a cryptosystem.

Another well-known bundle is in December, with Asiacrypt organized inbetween 6+ smaller conferences (CANS, ITICS, ICICS, ICISC, Indocrypt, Inscrypt, and may be some more imatinatively named conferences). The good thing about this Winter Bundle is that you can submit papers, rejected in Asiacrypt, directly to ICICS/ICISC/Indocrypt/Inscrypt. The bad thing here is that those conferences are not slightly but much weaker than Asiacrypt.

I have had for quite some time an idea that the conferences belonging to one bundle should have a joint PC, and joint reviewing process, such that the best papers would be accepted to the top conference in this bundle (respectively Eurocrypt and Asiacrypt), while other papers would be somehow distributed among the weaker conferences. (Taking into account that the papers would also be in scope: e.g., block cipher papers not going to TCC.) However, I have never been sure how to distribute papers among the smaller conferences, since at least the 6 Decembery small conferences are all weak, some more than others.

I think Doron Zeilberger has a quite neat idea, albeit in the context of mathematical journals. To translate it to our language, let the authors choose, when submitting a paper, an ordered list of preferred conferences. The conference PCs will agree on either total rejection of the paper, or the ordered suitability list of the paper to different conferences. After that, they just run a stable marriage algorithm on pairs (papers, conferences). If you get a paper matched to conference X, you can’t complain since you still thought X to be ok (and your more favorite conferences rejected you). Analogously, the conference PCs can’t complain: if they don’t like a paper at all (or it’s not in scope), they can refuse to be matched with it.

This would take care of several possible conflicts. May be you as an author cannot travel to (say) TCC at this time – then you omit TCC from your list. If you think FC and CT-RSA are too weak for you and you want to gamble, you can only put Eurocrypt and the suitable IACR workshop in your list. If you are a real gambler, you’ll only consider Eurocrypt.

Obviously, if the authors are not happy with their allocation, they can withdraw their paper, but this happens even now sometimes. Moreover, if you knew you wouldn’t like conference X, so why to list it?

Anyhow. Such a system would increase publishing rate quite a bit. However, I still think it necessary to increase the number of accepted papers in top conferences, since just both bundles are too big.

There’s another point in Doron’s opinion piece: that there shouldn’t be any journals at all, everybody should just publish in arxiv, and let the readers be the referees (e.g., just count the impact, the number of citations). Although I strongly agree in the case of journals, I am not sure if this were implementable in our conference system, where getting there (going to the conference and meeting with the people) is also fun. Still, I think counting the impact (citations) is a much more relevant way of deciding researcher’s impact than counting his or her tier 1 conference papers. (See my previous post for more.)

For another take of this issue, see also the PhD Comics. Doron’s earlier opinion piece was even better.

EDIT: Two more comments. First, in the current system your paper might be the best of the rejected papers (you don’t know it). You will then submit it to say ICICS. Assume ICICS does not have any competent reviewers in this subarea, the paper will get rejected, which may be especially depressing. With this kind of joint reviewing you may get rid of this problem, too.

Second, such a joint system will increase the average quality of the top conferences, too, even if the number of accepted papers was increased. Risk-averse authors (or authors, whose paper has already been rejected from the last big conference) might want to decrease the risk by submitting the paper to a smaller conference. However, may be it would have been accepted to the top conference this time, too – nobody knows? With the joint system, Eurocrypt could get the bestest papers of this spring (assuming that the authors prefer Eurocrypt to say FSE or TCC, of course). This would considerably decrease the gamble element: either risk a lot by submitting to a top conference (where the paper may be rejected), or submit to a non-top conference (which may accept it, but then it doesn’t look so good on CV, or which may reject it because of the lack of good reviewers).

His entry and comments are mostly concerned about the situation in complexity theory/TCS. I think one ought to ask the same question about crypto, especially since our field has an over abundance of conferences. The problem is also that the top conferences (Eurocrypt, Crypto,  may be Asiacrypt) only accept 30-34 papers yearly, while the number of quality papers is much larger. Moreover, the last 10 or so papers accepted are always somewhat random. Now, when your paper is still good but gets rejected, you have to wait 3 more months for the next top conference, and then 3 more.

On the other hand, you have 20 small conferences, that are almost all equally bad. (Not FSE, TCC, PKC, CT-RSA, FC, CHES, but the rest of them.) Most of them get a tiny share of good papers, since some top researchers do not want to wait for 3 months,  or just want to travel. Or for some other not-science-related reason. In general, if you are an established researcher, it does not pay off to sit in the conference room at those conferences since you do not learn anything new so you just do some sight seeing. (If you are lucky, somebody whom you know might also participate!) And being on a PC of such conferences is usually just a pain.

I think there is some room for reform, thus. My own recommendation would be to increase the number of papers, accepted to all IACR conferences and workshops by 50%. (As said, the last 10 are always random* – and the first 10 non-accepted papers are sometimes better.) This would increase the rate crypto results get published quite a lot. This would also mean that less top papers would get accepted to third tier conferences, which would also be good – hopefully the number of third tier conferences would decrease.

Moreover, to compare it with the past, Eurocrypt 1990 got 85 submissions and accepted 42 papers. Eurocrypt 2004 got 206 submissions and accepted 36 papers. With Crypto, corresponding numbers are 43 (of 93) and 33 (211). Thus, while the number of submissions has increased 2.5 times, the number of accepted papers has actually decreased(!). In addition, in 1990 the number of active research groups in cryptography was may be 10 times less than now. This means, that the competition for Crypto/Eurocrypt papers has increased dramatically.

* I’ve actually done some statistics. I might have a separate post on that, but of Crypto 1998 papers, around 10 have been cited less than 30 times. While the top paper, by Cramer and Shoup has been cited 600+ times. Other conferences followed a similar pattern, though not always the top paper has that many citations. OTOH, there are many papers in third tier conferences that have more citations than the mean Crypto/Eurocrypt paper of the same year.

• BLAKE
• Blue Midnight Wish
• CubeHash
• ECHO
• Fugue
• Grøstl
• Hamsi
• JH
• Keccak
• Luffa
• Shabal
• SHAvite-3
• SIMD
• Skein

My understanding is that there’s a good chance for your hash function if it’s name is unpronouncable, or even better, has non-standard letters in it.

The list itself is available here (with abstracts).

There are quite a few crypto papers, but none of them seems to be vaguely as important as Craig’s fully-homomorphic paper on STOC 2009 (or many papers in Crypto/Eurocrypt). Here is a complete list of papers I deem to be cryptographic:

• Steven Myers and Abhi Shelat. One bit encryption is complete
• Yi Deng,  Vipul Goyal and Amit Sahai. Resolving the Simultaneous Resettability Conjecture and a New Non-Black-Box Simulation Strategy
• Anne Broadbent,  Joseph Fitzsimons and Elham Kashefi. Universal Blind Quantum Computation
• Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky and Amit Sahai. Extracting Correlations
• Yael Tauman Kalai, Xin Li and Anup Rao. 2-Source Extractors Under Computational Assumptions and Cryptography with Defective Randomness

A lot of work I am doing can be classified as “theory” of cryptography, though I would personally disagree. For example, my work on oblivious transfer was motivated by applications. Moreover, all those papers accepted to FOCS sound too theoretical for me, with only may be the last paper having any practical relevance at all. I love mathematics, so I have nothing against “theory”, however, I think work done in cryptography should at least have some potential applications.

I am sure Jon Katz will also comment on this, see this for his earlier post.