RISC Seminars (Research on Information Security and Cryptology)
Archives: [2024] [2023] [2022] [2021] [2020] [2019] [2018] [2017] [2016] [2015] [2014] [2013] [2012] [2011] [2010] [2009] [2008] [2007] [2006] [2005] [2004] [List of Speakers](To receive information about upcoming seminars, register for the RISC mailing list.)
[print]
Special RISC Seminar on the Occasion of Thomas Attema's PhD Defense
This seminar is on the occasion of Thomas Attema's PhD Defense, which takes place June 1st, 13:45h, at Leiden University (Academy Building, Rapenburg 73, 2311 GJ Leiden).
Date:  May 31, 2023 
Location:  CWI, Room L016 
Schedule:  
14:30  15:15  Thomas Attema (CWI & TNO): Compressed ΣProtocol Theory Abstract: Compressed Σprotocols present a strengthening of the wellestablished Σprotocol theory, yielding
(zeroknowledge) interactive proofs with low communication complexity. They show how to compress the communication complexity of basic Σprotocols from linear down to (poly)logarithmic, using a recursive ``foldingtechnique'' adapted from Bulletproofs (Bootle et al., EUROCRYPT 2016, and Bünz et al., S&P 2018), at the expense of a logarithmic number of rounds. This abstract modular theory can be instantiated from a variety of cryptographic hardness assumptions, i.e., the discretelogarithm, strongRSA, knowledgeofexponent and shortintegersolution assumption.
The analysis of these and other interactive proofs requires the construction of a socalled knowledge extractor, showing that dishonest provers without knowledge of a secret witness cannot falsely convince a verifier. However, prior proof techniques are no longer directly applicable. More precisely, the multiround nature of these interactive proofs renders prior knowledge extractors inefficient.
In this talk, we will introduce compressed Σprotocol theory and present several new techniques for analyzing the knowledge soundness of multiround interactive proofs.

15:15  16:00  Jens Groth (DFINITY, Switzerland): From the Internet Computer and Bitcoin Integration to ECDSA Security Research Abstract: The Internet Computer offers publicly accessible and globally available trustworthy computing via powerful webenabled smart contracts. Over the last year it has added capability to do http requests and native Bitcoin integration. The Bitcoin integration enable smart contracts to receive and transfer bitcoin, where outgoing transactions are signed using a threshold ECDSA signing service. The design of the threshold ECDSA service uses a couple of optimizations. BIP32 additive key derivation allows the Internet Computer to use a single ECDSA master public key to derive individual public keys for smart contracts, which simplifies key management to a single secretshared signing key. It is common in threshold ECDSA signing protocols to precompute certain group elements to reduce the online computation when signing. Motivated by the Bitcoin integration and development of a decentralized ECDSA signing service, we analyze the security of plain ECDSA with additive key derivation and precomputation in the generic group model. Our analysis shows that additive key generation is secure and precomputation is secure, but combining additive key derivation and precomputation leads to nontight security. Fortunately, we can save the combination and tighten security through public rerandomization of the precomputation. In this overview talk, I’ll give an introduction to the Internet Computer and take a tour from Bitcoin integration and threshold ECDSA signing to our cryptographic security analysis of ECDSA.

16:00  16:15  Coffee Break 
16:15  17:00  Jesper Buus Nielsen (Aarhus University, Denmark): On Valiant’s Conjecture Abstract: In his landmark paper at TCC 2008 Paul Valiant introduced the notion of “incrementally verifiable computation” which enables a prover to incrementally compute a succinct proof of correct execution of a (potentially) long running process. The paper later won the 2019 TCC test of time award. The construction was proven secure in the random oracle model without any further computational assumptions. However, the overall proof was given using a nonstandard version of the randomoracle methodology where sometimes the hash function is a random oracle and sometimes it has a short description as a circuit. Valiant clearly noted that this model is nonstandard, but conjectured that the standard random oracle methodology would not suffice. This conjecture has been open for 14 years. We prove that if the proof system can receive a long witness as input in an incremental manner and is also zeroknowledge then the conjecture is true. Valiant’s original construction does not have these properties but can easily be extended to have them in his model. We relate our result to recent possibility and impossibility results for SNARKs and incrementally verifiable computation.

0.01213s c