[Meet our Faculty] Antonio Faonio, expert in Cryptography at EURECOM

In July 2020, Dr. Antonio Faonio, joined EURECOM as an Assistant Professor at the Digital Security department. Below, he shares what he brings to the department with his expertise in cryptography.

Q. What is your academic trajectory?

AF. I did my PhD at Sapienza University of Rome in Cryptography, advised by Prof. Giuseppe Ateniese. Then, my first postdoc was in Denmark for 2.5 years, in the famous Cryptography group of Ivan Damgaard, working on a branch of Cryptography called Leakage and Tamper-Resilient Cryptography working with Prof. Jesper Buus Nielsen. For my second postdoc, I moved to Spain at IMDEA Software Institute in Madrid, and worked with Dario Fiore, where I shifted my research focus mostly to efficient public-key cryptography protocols. In July 2020, I arrived at EURECOM as an Assistant Professor in Cryptography, in the Digital Security Department!

Q. How did you get interested in the Cryptography field and why?

AF. As a graduate student my courses in Cryptography were taught by one of the most famous cryptographers, Stefan Dziembowski now professor at University of Warsaw. I remember pointing out an error in an exercise from the textbook in his course used and after that our interactions lead to an internship in Warsaw before my PhD. Since my studies, I enjoyed the theoretical aspects of Cryptography, and at the same time I thought that in this field there are some very important applications directly linked to society, like privacy, communications, finance etc. In Cryptography, we get to use elegant mathematics and see the impact of our theory directly on applications. It is fascinating!

Q. What made you choose to come to EURECOM?

AF. I was searching for a permanent position and I really liked the idea of working at EURECOM, so I applied to an open position. Even though it was during the pandemic, EURECOM reacted very fast and we were able to go through with the hiring procedures very efficiently. I had heard about EURECOM during my time in Spain and I knew it was a great place to work. Now, getting to know our department better, I realise the diversity of research topics we have, which makes it so exciting to be part of this team. As a fresh Assistant Professor, I am now starting my lab, having already hired a research engineer. I really like the flexibility we are offered here at EURECOM and the freedom to work on our preferred research projects.

Q. What is the expertise you bring to the Digital Security department?

AF. In the Digital Security Department, we have a Cryptography group, which we call CryptoPETs with Prof. Melek Önen, Prof. Massimiliano Todisco and myself. Melek is working more on the applied side of Cryptography, being an expert in using Multi-Party Computation (MPC), a subfield of Cryptography, for many Machine Learning applications which are actually used. On my side, I would like to work on MPC questions with Melek, complementing our knowledge and bringing in some of my expertise from different fields. .

As I said, one of my expertises is on Leakage and Tamper-Resilient (LTR) Cryptography, a field that studies the provable security of cryptographic schemes when the attacker could exploit the physical properties of the devices where the protocols are implemented. For example, in a timing attack setting, in which the adversary could compromise the system by measuring the time needed to perform a cryptographic algorithm, e.g. return back a signature to infer the secret key. With the LTR approach, we define more general models, and prove that schemes are still secure, even though attacks could be stronger.

Leakage refers to the case where we have a passive attacker who might be analysing the time that the machine needs to return back the signature.

Tamper-Resilient refers to the case when the attacker may even manipulate the secret material, which is actually doable in reality. In the literature we have many attacks that could, for example,flip bits in the memory or a virus that can modify some of the memory in an unpredictable way.

All in all, with LTR we aim to create a more general model and prove the security of schemes that already exist. I would like, also involving Melek and her expertise, to start investigating MPC protocols that could be secure even in these adversarial settings where the servers are under leakage or tamper attacks.

As said before, when I started collaborating with Dario Fiore at IMDEA, I shifted my research focus to efficient constructions of public-key cryptography protocols. In the last years, I have been working on efficient zero-knowledge proofs, which are fascinating cryptographic constructions by which one party can prove that they know a value, or to better say, the veracity of a statement that involve such value, without conveying any further information apart from the fact that they know such value.

Q. What are your current research projects about?

AF. There are some research funding proposals already submitted. One project is about no malleable secret sharing. Secret sharing is a fundamental tool in cryptography; it takes a message that can be distributed among many parties in a way that all these parties, individually or even in small conjunction, can’t infer any information about the message itself. Only when all parties are together, they can infer information about the message. In more detail, you can set a threshold; if there are N parties together they can’t infer info on the message which was shared, but as soon as there are N+1 or more, then they can fully reconstruct the message. This is a very important notion in cryptography, most of the work at the core of MPC is based on secret sharing. Non malleability means that the parties can even manipulate the message, tampering with or modifying it. The nice feature in non-malleability is that all parties can modify the message, not only a bunch of bad guys. The goal is to have a notion of MPC which is secure, even when most of the parties are corrupted, or if there is a virus or a bad implementation leading to some kind of leak.

Note that when the majority of parties is corrupted we know that some things cannot be done in cryptography. The new scenario we are looking at is that all parties are corrupted but in a very mild way. For example, my machine is not an open box to the adversary but at some point it behaves differently from what it was supposed to. Parameters that can change in our model would be how many parties there are (two or more), ratio of parties corrupted and the kind of corruption from just an honest-but-curious party or completely malicious not following the specifications of the protocol. But what is there in the middle? Can we define an adversary that follows the rules electively? This type represents a more realistic type of adversary. For example, it could be a machine in which the rules of the protocol were not correctly implemented or simply a virus. In the end, we need to prove the security of our scheme under a cryptographic assumption mathematically.

Q. How could we use such security schemes in real life?

AF. There is an example drawn out of most people’s lives. So, imagine you want to rent a house and the owner of the house asks: do you earn enough to pay the rent? Usually, the rule is that you must earn at least 3 times more than the rent to be an eligible candidate. What is requested afterwards by the owner is a proof of income; so we provide him with our payslips in order to validate our salary. But in fact, we reveal much more. The owner gets to learn the exact amount of our salary and not just if the 3-times bigger condition holds. Now, if the owner is a malicious person, he could raise your rent for next year if your salary is much higher.

Zero Knowledge-proof could be used by the renter to show that you earn more or equal to what is required for rental without needing to disclose more information. At the end of this protocol the owner of the house is covered and we don’t reveal our privacy data to a potentially malicious person.

Q. What are your future goals and what message you would like to send as an expert in cryptography?

AF. For the next 3–4 years, I would like to start investigating questions about MPC protocols with reasonable security guarantees even when all parties are corrupted.I think that we are really doing better as a society, and especially in the last few years, when it concerns our privacy online. We have a choice for each website to accept cookies, people refuse to use applications that are not end-to-end encrypted, and they are more cautious about what we post on social media. Cryptography could help us keep on having a nice way to communicate, and to collaborate in many different ways, with people online but making sure it is secure and preserving the communication as intended to be shared.