The 8th BIU Winter School on Cryptography

Secure Key Exchange

February 11-15, 2018

School Overview

Secure key exchange is a fundamental primitive used to secure the digital world. The most well known examples are SSL/TLS and IPsec, although many different key exchange protocols are used to connect devices (wireless, bluetooth, and much more). Although the task of achieving secure key exchange may seem straightforward, it is remarkably tricky and is extremely hard to get right. Numerous attacks on real-world systems are due to poorly designed and implemented key exchange. Despite being so basic and important, key exchange is rarely taught in introductory cryptography courses. This is problematic given the ubiquity of key exchange in practice. In addition, secure key exchange is still a very active area of research in the crypto community. In the 8th BIU Winter School on Cryptography, we will study the problem of constructing secure key exchange protocols in depth. The program will cover definitional issues, protocol constructions, attacks, password protocols, and formal analysis. The following topics will be included:

1) Intro: motivation, intuition, examples, definitional approaches, design principles, advanced protocols, key derivation
2) Indistinguishability formalisms and proofs (selected protocol(s)) plus extensions (TLS 1.3), UC key exchange formalism, 0-RTT
3) Password protocols, hash proof systems
4) Attacks (incl. side channels) and automated tools
5) Secure channels (attacks and formalism)

The winter school program is designed to teach the topic from its basics up to the latest research. The program this year will be both comprehensive and in-depth, and will provide participants the understanding necessary to analyze existing protocols and carry out research in the area.

The target audience for the school is graduate students and postdocs in cryptography (we will assume that participants have taken at least one university-level course in cryptography). However, all faculty, undergrads and professionals with the necessary background are welcome. The winter school is open to participants from all over the world; all talks will be in English.

School Lecturers 

Click here to view photo gallery

  • Karthik Bhargavan, INRIA. France
  • Marc Fischlin, Darmstadt University of Technology, Germany
  • Hugo Krawczyk, IBM T.J. Watson Research Center, US
  • Kenny Paterson, Royal Holloway University of London, UK
  • David Pointcheval, ENS Paris, France

Additional Information

OrganizersYehuda Lindell and Benny Pinkas Department of Computer Science,  Bar-Ilan University, Israel.

Where: The winter school will take place at the Rayman hall at Kfar Hamaccabiah events & conference center in Ramat Gan

When: Sunday, February 11, 2018 to Thursday, February 15, 2018

Registration: Due to rising costs, registration is 750 shekels for the entire school. Registration is free for overseas participants (due to costs already incurred due to travel). Israeli participants who have difficulty paying the registration fee can request a waiver; please include this in the special request box in the registration form. After registration has been confirmed, Israeli participants will receive a link to carry out the payment. Registration will be considered complete only after payment.

Registration includes school participation, lunch, refreshments and the excursion (accommodation is not included). Please register by January 15, 2018.

Contact: For any questions or queries, please send an e-mail to:

Hotel: We have arranged a special rate at the Kfar Hamaccabiah Hotel where the conference center is located. The rate is $170 a night for a single room, $190 a night for a double room (with two occupants) and $215 for a triple room (with three occupants). The rate includes breakfast. Hotel reservation form will be available soon.

Support: A limited number of stipends of $800 each (for flight and accommodation) will be awarded for overseas students needing support. The deadline for stipend application is December 15, 2018. Please have your advisor send a letter justifying the need for financial support.

Sponsorship: This winter school is graciously sponsored by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and Bar-Ilan University.

Program Schedule

Program Schedule: The detailed schedule for the winter school can be downloaded here

Sunday, February 11 – Introduction
Lecturer: Hugo Krawczyk

  • What Are Key Exchange Protocols?  Slides , Video
  • Overview of Security Definitions Video
  • Diffie-Hellman Protocols and Authenticators Video
  • STS, SIGMA and IKE (IPsec’s Key Exchange) Video
  • Implicitly Authenticated KEPs   Slides , Video
  • More on Implicit Authentication; Key Derivation   Slides , Video

Monday, February 12 – Advanced Definitions and Proofs
Lecturer: Marc Fischlin

  • Bellare-Rogaway-Security of Key Exchange (passive adversaries)   Slides , Video
  • Bellare-Rogaway-Security of Key Exchange (active adversaries)   Slides, Video
  • Forward Secrecy   Slides , Video
  • TLS 1.3 and other protocols   Slides , Video
  • Zero Round-Trip Time (0-RTT)   Slides , Video
  • Universally Composable Key Exchange   Slides , Video

Tuesday, February 13 – Password-Based Key Exchange
Lecturer: David Pointcheval

  • Hash Proof Systems   Slides
  • Definitions and Models for Password-Authenticated Key Exchange   Slides
  • Constructions of Password-Authenticated Key Exchange from Hash Proof Systems   Slides
  • Excursion

Wednesday, February 14 – Attacks and Automated Tools
Lecturer: Karthik Bhargavan

Slides (part 1)
Slides (part 2)

  • Man-in-the-Middle Attacks on Authenticated Key Exchange  Video
  • Downgrade Attacks on Agile Real-World Protocols Video
  • Automated Symbolic Protocol Verification Video
  • Mechanized Computational Protocol Proofs Video
  • Verified Cryptographic Libraries Video
  • Verified Cryptographic Protocol Implementations Video

Thursday, February 15 – TLS and Secure Channels: Definitions and Attacks
Lecturer: Kenny Paterson

  • Overview of the TLS Handshake   Slides
  • Vulnerabilities in the TLS Handshake
  • From Key Exchange to Secure Channels
  • Security Proofs for Fragments of TLS   Slides
  • Security Issues in Real-World Secure Channels   Slides
  • Modelling Secure Channels   Slides
Posted by