9:00 – 9:30
Registration – Opening
9:30 – 10:20
Big Crypto
Periklis Papakonstantinou, Rutgers University
Abstract: TBA

10:20 – 11:00
Proofs of Proofs-of-Work with Sublinear Complexity
Dionysis Zindros, University of Athens
Abstract:
In this talk, I will give a brief overview of the attempt to create
Proofs of Proofs-of-Work for work-based blockchain protocols in order
to construct secure proofs whose communication complexity is
polylogarithmic in the size of the blockchain. Such schemes enable the
creation of efficient SPV clients and are the foundation for building
blockchain sidechains, a key solution to the fundamental blockchain
problems of scalability, interoperability and upgradability. I will
give an overview of the paper by Kiayias, Lamprou and Stouka (Financial
Crypto 16) on interactive proofs of proof-of-work, and discuss
research directions in non-interactive proofs of proofs-of-work, a
draft scheme we are working on with Aggelos Kiayias and Andrew Miller.

11:00 – 11:40
The State of Quantum Money
Marios Georgiou, City University of New York
Abstract:
From a cryptographic point of view, money is a primitive whose purpose is to produce coins that are impossible to copy or counterfeit while still being efficiently verifiable. Classically, in a setting where verification takes place locally, a coin cannot correspond to a single bitstring, since bits can be copied trivially. As a result, we give up local verification by either interacting with a trusted bank or interacting with the rest of the users in order to reach consensus over account balances. In a quantum setting, on the other hand, the no-cloning theorem gives evidence that a coin may actually correspond to a qubit string while preserving local verification.
The talk will survey results in the area of quantum money, give constructions and connections between them, and explore their limits by presenting impossibility results. Moreover, it will present similarities and differences between quantum money and cryptocurrencies.
Based on joint work with Kai-Min Chung, Iordanis Kerenidis, Aggelos Kiayias, Ching-Yi Lai and Vassilis Zikas.

11:40 – 12:00
Break
12:00 – 12:40
Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge
Pavlos-Ioannis-Pyrros Chaidos, University of Athens
Abstract:
We propose a framework for constructing efficient designated-verifier
non-interactive zero-knowledge proofs (DVNIZK) for a wide class of
algebraic languages over abelian groups, under standard assumptions. The
proofs obtained via our framework are proofs of knowledge, and enjoy
statistical and unbounded soundness (the soundness holds even when the
prover receives arbitrary feedback on previous proofs). Previously, no
efficient DVNIZK system satisfying any of these three properties was
known. Our framework allows proving arbitrary relations between
cryptographic primitives such as Pedersen commitments, ElGamal
encryptions, or Paillier encryptions, in an efficient way. For the latter,
we further exhibit the first non-interactive zero-knowledge proof system
in the standard model which is more efficient than proofs obtained via the
Fiat-Shamir transform, with still-meaningful security guarantees and under
standard assumptions. Our framework has numerous applications, in
particular for the design of efficient privacy-preserving non-interactive
authentication.

12:40 – 13:00
Automated Functional Validation and Security Evaluation Setup for Arbitrary Cryptographic IP Cores
Athanassios Moschos, University of Patras
Abstract:
The highly specialized skills required for evaluating devices, combined with the isolation of the disciplines involved, are a real barrier to identifying additional security issues. This obstacle is compounded by the lack of an overall platform for estimating information leakage from different devices. While in theory the testing approach and the trace collection toolset can be designed exclusively for a specific cryptographic implementation (e.g. AES, RSA, etc.), in practice experienced SCA analysts require a generic and flexible toolset and DUT leakage evaluator (e.g. test vector leakage assessment, TVLA, and its variations) that can be easily adapted to the Device Under Test they are currently evaluating while still collecting huge numbers of traces reasonably fast.
Open source SCA setups widely used by the research community either have very primitive software/hardware support or are built on low-cost equipment that cannot sustain very sophisticated attacks without considerable custom software written by the attacker. To collect huge numbers of traces (leakage assessment, for example, requires millions of traces) in reasonable time, custom hardware control mechanisms are developed on a platform specifically for the cryptographic algorithm of the respective DUT, in order to provide the appropriate test vector inputs. This considerably increases the development time of the control mechanism (a different hardware control implementation for each crypto-algorithm under test) and restricts its reusability.
In an attempt to adapt and improve existing cryptanalysis methodologies and tools, we designed a mechanism that enables the security assessment of real-world cryptographic IP implementations regardless of the algorithm implemented internally, thereby supporting flexibility, reconfigurability, high scalability, fast trace collection and ease of use.
Joint work with Apostolos P. Fournaris.

13:00 – 13:40
Obfuscating Compute-and-Compare Programs under LWE
Giorgos Zirdelis, Northeastern University
Abstract:
We show how to obfuscate a large and expressive class of programs, which we call compute-and-compare programs, under the learning-with-errors (LWE) assumption. Each such program $CC[f,y]$ is parametrized by an arbitrary polynomial-time computable function $f$ along with a target value $y$, and we define $CC[f,y](x)$ to output 1 if $f(x)=y$ and 0 otherwise. In other words, the program performs an arbitrary computation $f$ and then compares its output against a target $y$. Our obfuscator satisfies distributional virtual-black-box security, which guarantees that the obfuscated program does not reveal any partial information about the function $f$ or the target value $y$, as long as they are chosen from some distribution where $y$ has sufficient pseudo-entropy given $f$. We also extend our result to multi-bit compute-and-compare programs $MBCC[f,y,z](x)$ which output a message $z$ if $f(x)=y$.
Compute-and-compare programs are powerful enough to capture many interesting obfuscation tasks as special cases. This includes obfuscating conjunctions, and therefore we improve on the prior work of Brakerski et al. (ITCS '16), which constructed a conjunction obfuscator under a non-standard "entropic" ring-LWE assumption, whereas here we obfuscate a significantly broader class of programs under standard LWE. We show that our obfuscator has several interesting applications. For example, we can take any encryption scheme and publish an obfuscated plaintext equality tester that allows users to check whether an arbitrary ciphertext encrypts some target value $y$; as long as $y$ has sufficient pseudo-entropy this will not harm semantic security. We can also use our obfuscator to generically upgrade attribute-based encryption to predicate encryption with one-sided attribute-hiding security, as well as witness encryption to indistinguishability obfuscation which is secure for all null circuits. Furthermore, we show that our obfuscator gives new circular-security counterexamples for public-key bit encryption and for unbounded-length key cycles.
Our result uses the graph-induced multilinear maps of Gentry, Gorbunov and Halevi (TCC '15), but only in a carefully restricted manner which is provably secure under LWE. Our technique is inspired by ideas introduced in a recent work of Goyal, Koppula and Waters (EUROCRYPT '17) in a seemingly unrelated context.
Joint work with Daniel Wichs.

13:40 – 14:40
Lunch Break
14:40 – 15:20
Quantum Cryptography and Secure Computation
Anna Pappa, University College London
Abstract:
Quantum systems exhibit an intrinsic randomness that can be exploited to significantly boost computational performance, increase the security of communications and, in general, achieve tasks believed to be impossible by purely classical means. The use of quantum technologies in future telecommunication networks also raises important questions about the security of currently deployed protocols, since quantum adversaries will be able to use quantum effects to break widely deployed cryptosystems (e.g. RSA). In this talk I will give an introduction to the essential components of secure quantum communication and computing, and present important research questions and recent progress in the field.

15:20 – 16:00
The Bitcoin Backbone Protocol with Chains of Variable Difficulty
Nikos Leonardos, University of Athens
Abstract:
Bitcoin's innovative and distributedly maintained blockchain data structure
hinges on an adequate degree of difficulty of the so-called "proofs of work"
which miners have to produce in order for transactions to be inserted.
Importantly, these proofs of work have to be hard enough that miners have
an opportunity to unify their views in the presence of an adversary who
interferes but has bounded computational power, yet easy enough to be solved
regularly and let the miners make progress. As such, as the miners'
population evolves over time, so should the difficulty of these proofs.
Bitcoin provides this adjustment mechanism, with empirical evidence of
a constant block generation rate against such population changes.
In this paper we provide the first formal analysis of Bitcoin's target
(re)calculation function in the cryptographic setting, i.e., against all
possible adversaries aiming to subvert the protocol's properties. We provide
a set of necessary conditions with respect to the way the population evolves
under which the "Bitcoin backbone with chains of variable difficulty" provides
a robust transaction ledger in the presence of an actively malicious
adversary controlling a fraction of the miners strictly below 50% at each
instant of the execution.
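The target recalculation rule the abstract analyses, as an added example that is not from the talk or the paper: Bitcoin's retarget every 2016 blocks with its factor-of-4 clamp, run deterministically on expected block times so the effect of a miner-population change is visible. The constants are Bitcoin's; the hashrate schedule and the initial hashrate are constructed for the example.

```python
# Added example: Bitcoin's target (re)calculation under a changing miner population.
EPOCH_BLOCKS = 2016                 # blocks between retargets
BLOCK_INTERVAL = 600                # intended seconds per block
EXPECTED_EPOCH_TIME = EPOCH_BLOCKS * BLOCK_INTERVAL
MAX_TARGET = 0xFFFF << 208          # Bitcoin's maximum (easiest) target


def retarget(old_target: int, actual_epoch_seconds: int) -> int:
    """Scale the target by actual/expected epoch time, clamped to a factor of 4 per epoch."""
    clamped = min(max(actual_epoch_seconds, EXPECTED_EPOCH_TIME // 4),
                  EXPECTED_EPOCH_TIME * 4)
    return min(old_target * clamped // EXPECTED_EPOCH_TIME, MAX_TARGET)


def expected_block_seconds(target: int, hashrate: float) -> float:
    """Mean time to find a block: each hash succeeds with probability target / 2^256."""
    return 1.0 / ((target / 2**256) * hashrate)


def simulate(hashrates, initial_target: int):
    """Run one epoch per entry of `hashrates` (H/s); return (target, mean block time) per epoch."""
    target, history = initial_target, []
    for hashrate in hashrates:
        secs = expected_block_seconds(target, hashrate)
        history.append((target, secs))
        target = retarget(target, int(round(secs * EPOCH_BLOCKS)))
    return history


def demo():
    """Constructed schedule: hashrate doubles, then grows 5x within one epoch."""
    h0 = 1e12                                   # constructed initial hashrate
    target0 = 2**256 // (BLOCK_INTERVAL * int(h0))  # calibrated to 600 s blocks at h0
    schedule = [h0, h0, 2 * h0, 2 * h0, 10 * h0, 10 * h0, 10 * h0]
    return simulate(schedule, target0)


if __name__ == "__main__":
    for epoch, (target, secs) in enumerate(demo()):
        print(f"epoch {epoch}: mean block time {secs:7.1f} s, target bits {target.bit_length()}")
```

A 2x jump is corrected in one epoch, but the 5x jump shows the clamp: the first retarget can only shrink the target by 4x, so block times stay short (480 s) for an extra epoch before returning to 600 s.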

16:00 – 16:20
Break
16:20 – 17:00
Towards Everlasting Privacy and Efficient Coercion Resistance in Remote Electronic Voting
Panagiotis Grontas, National Technical University of Athens
Abstract:
In this talk, we introduce a first version of an e-voting scheme that achieves end-to-end verifiability, everlasting privacy and efficient coercion resistance in the JCJ setting. Everlasting privacy is achieved assuming an anonymous channel, without resorting to dedicated channels between the election authorities to exchange private data. In addition, the proposed scheme achieves coercion resistance under the assumption of untappable channels. As a core building block of our scheme, we also propose a new primitive called publicly auditable conditional blind signature (PACBS), where a client receives a token from the signing server after interaction; the token is a valid signature only if a certain condition holds. The validity of the signatures can only be verified by a designated signature verifier. This primitive is used in the proposed voting scheme to blindly mark votes cast under coercion in an auditable manner.
Joint work with Aris Pagourtzis, Alexandros Zacharakis and Bingsheng Zhang.

17:00
End