
### Athens Cryptography Day 2018

Tuesday, January 9, 2018, Athens
National Technical University of Athens
Room: Multimedia Amphitheater of the Central Library of N.T.U.A.

Athens Cryptography Day is an annual event.
Its purpose is to give the opportunity to graduate students in Greece to observe talks of researchers working in all areas of Cryptography.

Many thanks to all the speakers, the participants and the organizing team for a very successful AtheCrypt. We're looking forward to seeing you next year!

Speakers:
P. Chaidos
M. Georgiou
P. Grontas
N. Leonardos
A. Moschos
P. Papakonstantinou
A. Pappa
D. Zindros
G. Zirdelis

#### Organization

Stathis Zachos
Aris Pagourtzis
Aggelos Kiayias
Petros Potikas
Antonis Antonopoulos
Aggeliki Chalki
Giannis Papaioannou

## Register

There are no registration fees. However, participants should register for administrative purposes:

Electronic registration is closed! You can register at AtheCrypt's front desk.

## Program

9:00 - 9:30
Registration - Opening

9:30 - 10:20
Big Crypto
Periklis Papakonstantinou, Rutgers University
Abstract: TBA

10:20 - 11:00
Proofs of Proofs-of-Work with Sublinear Complexity
Dionysis Zindros, University of Athens
Abstract: In this talk, I will give a brief overview of the attempt to create Proofs of Proofs-of-Work for work-based blockchain protocols in order to construct secure proofs which have communication complexity polylogarithmic in the size of the blockchain. Such schemes enable the creation of efficient SPV clients and are the foundation for building blockchain sidechains, a key solution to the fundamental blockchain problems of scalability, interoperability and upgradability. I will give an overview of the paper by Kiayias, Lamprou, Stouka (Financial Crypto 16) on interactive proofs of proof-of-work as well as discuss research directions in non-interactive proofs of proofs-of-work, a draft scheme we are working on with Aggelos Kiayias & Andrew Miller.

11:00 - 11:40
The state of quantum money
Marios Georgiou, City University of New York
Abstract: From a cryptographic point of view, money is a primitive whose purpose is to produce coins that are impossible to copy/counterfeit while still being efficiently verifiable. Classically, in a setting where verification takes place locally, a coin cannot correspond to a single bit-string, since bits can be easily copied. As a result, we give away local verification by either interacting with a trusted bank or by interacting with the rest of the users in order to achieve consensus over account balances. On the other hand, in a quantum setting, the no-cloning theorem gives evidence that a coin may actually correspond to a qubit-string while preserving local verification. The talk will survey results in the area of quantum money, give constructions and connections between them and explore their limits by presenting impossibility results. Moreover, it will present similarities and differences between quantum money and cryptocurrencies. Based on works with Kai-Min Chung, Iordanis Kerenidis, Aggelos Kiayias, Ching-Yi Lai and Vassilis Zikas.

11:40 - 12:00
Break

12:00 - 12:40
Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge
Pavlos-Ioannis-Pyrros Chaidos, University of Athens
Abstract: We propose a framework for constructing efficient designated-verifier non-interactive zero-knowledge proofs (DVNIZK) for a wide class of algebraic languages over abelian groups, under standard assumptions. The proofs obtained via our framework are proofs of knowledge, enjoy statistical, and unbounded soundness (the soundness holds even when the prover receives arbitrary feedback on previous proofs). Previously, no efficient DVNIZK system satisfying any of those three properties was known. Our framework allows proving arbitrary relations between cryptographic primitives such as Pedersen commitments, ElGamal encryptions, or Paillier encryptions, in an efficient way. For the latter, we further exhibit the first non-interactive zero-knowledge proof system in the standard model which is more efficient than proofs obtained via the Fiat-Shamir transform, with still-meaningful security guarantees and under standard assumptions. Our framework has numerous applications, in particular for the design of efficient privacy-preserving non-interactive authentication.

12:40 - 13:00
Automated Functional Validation and Security Evaluation Setup for Arbitrary Cryptographic IP Cores
Athanassios Moschos, University of Patras
Abstract: The highly-specialized skills required for the evaluation of the devices, in conjunction with the isolation of the involved disciplines, become a true barrier for the identification of additional security issues. This obstacle is strengthened by the lack of an overall platform that would enable the estimation of information leakage from different devices. While in theory the testing approach as well as the employed trace collection tool-set can be designed exclusively for a specific cryptographic implementation (e.g. AES, RSA etc.), in practice, experienced SCA analysts require a generic and flexible tool-set and DUT leakage evaluator (e.g. test vector leakage assessment, TVLA and its variations), that needs to be easily adapted to the Device Under Test they are currently evaluating and still be able to collect huge amounts of traces in a reasonably fast way. Open source SCA setups that are widely used by the research community have either very primitive software/hardware support or they are built on low-cost equipment that cannot endure very sophisticated attacks without having considerable custom software code developed by an attacker. To collect huge amounts of traces (e.g. leakage assessment requires millions of traces) in reasonable time, custom hardware control mechanisms on a platform are developed specifically for the respective DUT's cryptographic algorithm, in order to provide the appropriate test vector inputs. This considerably increases the development time of the control mechanism (a different hardware control implementation for each crypto-algorithm on test) and restricts its re-usability. In an attempt to adapt and improve the existing cryptanalysis methodologies and tools, we designed a mechanism that enables the security assessment of real-world cryptographic IP implementations, regardless of the algorithm implemented internally, thus supporting flexibility, reconfigurability, high scalability, fast trace collection and ease-of-use. Joint work with Apostolos P. Fournaris.

13:00 - 13:40
Obfuscating Compute-and-Compare Programs under LWE
Giorgos Zirdelis, Northeastern University
Abstract: We show how to obfuscate a large and expressive class of programs, which we call compute-and-compare programs, under the learning-with-errors (LWE) assumption. Each such program $CC[f,y]$ is parametrized by an arbitrary polynomial-time computable function $f$ along with a target value $y$, and we define $CC[f,y](x)$ to output 1 if $f(x)=y$ and 0 otherwise. In other words, the program performs an arbitrary computation $f$ and then compares its output against a target $y$. Our obfuscator satisfies distributional virtual-black-box security, which guarantees that the obfuscated program does not reveal any partial information about the function $f$ or the target value $y$, as long as they are chosen from some distribution where $y$ has sufficient pseudo-entropy given $f$. We also extend our result to multi-bit compute-and-compare programs $MBCC[f,y,z](x)$ which output a message $z$ if $f(x)=y$. Compute-and-compare programs are powerful enough to capture many interesting obfuscation tasks as special cases. This includes obfuscating conjunctions, and therefore we improve on the prior work of Brakerski et al. (ITCS '16) which constructed a conjunction obfuscator under a non-standard "entropic" ring-LWE assumption, while here we obfuscate a significantly broader class of programs under standard LWE. We show that our obfuscator has several interesting applications. For example, we can take any encryption scheme and publish an obfuscated plaintext equality tester that allows users to check whether an arbitrary ciphertext encrypts some target value $y$; as long as $y$ has sufficient pseudo-entropy this will not harm semantic security. We can also use our obfuscator to generically upgrade attribute-based encryption to predicate encryption with one-sided attribute-hiding security, as well as witness encryption to indistinguishability obfuscation which is secure for all null circuits. Furthermore, we show that our obfuscator gives new circular-security counter-examples for public-key bit encryption and for unbounded length key cycles. Our result uses the graph-induced multi-linear maps of Gentry, Gorbunov and Halevi (TCC '15), but only in a carefully restricted manner which is provably secure under LWE. Our technique is inspired by ideas introduced in a recent work of Goyal, Koppula and Waters (EUROCRYPT '17) in a seemingly unrelated context. Joint work with Daniel Wichs.

13:40 - 14:40
Lunch Break

14:40 - 15:20
Quantum Cryptography and Secure Computation
Anna Pappa, University College London
Abstract: Quantum systems exhibit an intrinsic randomness that can be exploited in order to significantly boost computational performance, increase security of communications and in general achieve tasks that are believed to be impossible with purely classical means. The use of quantum technologies in future telecommunication networks also raises important questions on the security of the currently deployed protocols, since quantum adversaries will be able to use quantum effects to break widely-deployed cryptosystems (e.g. RSA). In this talk I will give an introduction to the essential components for secure quantum communication and computing, and I will present important research questions and recent progress in the field.

15:20 - 16:00
The Bitcoin Backbone Protocol with Chains of Variable Difficulty
Nikos Leonardos, University of Athens
Abstract: Bitcoin's innovative and distributedly maintained blockchain data structure hinges on the adequate degree of difficulty of so-called "proofs of work," which miners have to produce in order for transactions to be inserted. Importantly, these proofs of work have to be hard enough so that miners have an opportunity to unify their views in the presence of an adversary who interferes but has bounded computational power, but easy enough to be solvable regularly and enable the miners to make progress. As such, as the miners' population evolves over time, so should the difficulty of these proofs. Bitcoin provides this adjustment mechanism, with empirical evidence of a constant block generation rate against such population changes. In this paper we provide the first formal analysis of Bitcoin's target (re)calculation function in the cryptographic setting, i.e., against all possible adversaries aiming to subvert the protocol's properties. We provide a set of necessary conditions with respect to the way the population evolves under which the "Bitcoin backbone with chains of variable difficulty" provides a robust transaction ledger in the presence of an actively malicious adversary controlling a fraction of the miners strictly below 50% at each instant of the execution.

16:00 - 16:20
Break

16:20 - 17:00
Towards everlasting privacy and efficient coercion resistance in remote electronic voting
Panagiotis Grontas, National Technical University of Athens
Abstract: In this talk, we introduce a first version of an e-voting scheme that achieves end-to-end verifiability, everlasting privacy and efficient coercion resistance in the JCJ setting. Everlasting privacy is achieved assuming an anonymous channel, without resorting to dedicated channels between the election authorities to exchange private data. In addition, the proposed scheme achieves coercion resistance under the assumption of untappable channels. As a core building block of our scheme, we also propose a new primitive called publicly auditable conditional blind signature (PACBS), where a client receives a token from the signing server after interaction; the token is a valid signature only if a certain condition holds. The validity of the signatures can only be verified by a designated signature verifier. This primitive is utilized in the proposed voting scheme to blindly mark votes under coercion in an auditable manner. Joint work with Aris Pagourtzis, Alexandros Zacharakis and Bingsheng Zhang.

17:00
End

## Venue

AtheCrypt will take place in the Multimedia Amphitheater of the National Technical University of Athens, located in the basement of the building of NTUA's Central Library. See the map below:

You can reach the Central Library in various ways:

#### By public transport:

The easiest way is by taking the Blue Metro line and getting off at the "ΚΑΤΕΧΑΚΗ" station. Then take the bus 242, get off at stop "ΘΥΡΩΡΕΙΟ" and walk 5 minutes towards the Central Library.
Another option is to take the bus 140 from the "ΚΑΤΕΧΑΚΗ" metro station and get off at stop "ΠΟΛΥΤΕΧΝΕΙΟΥΠΟΛΗ". Then get into the campus and walk 10 minutes towards the Central Library.

#### By car:

You can use this Google map to get directions from Alimou-Katechaki Avenue.