
ETH, Hauptgebäude (HG), room D1.1

Zurich, Switzerland

May 26, 2024

09:00 AM – 05:00 PM

160 Available Seats

Coffee and Lunch

included in the Workshop registration fee

Who's Speaking?

Anna Lysyanskaya

Brown University

Foteini Baldimtsi

George Mason University

Anja Lehmann

Hasso Plattner Institute

Sofia Celi


Julia Kastner

ETH Zurich

Shuichi Katsumata

PQShield Ltd

Ngoc Khanh Nguyen

King's College London

Stefano Tessaro

University of Washington

Octavio Pérez Kempner

NTT Social Informatics Laboratories

Daniel Slamanig

Universität der Bundeswehr München


Location: Room D1.1, Building HG, ETH Zurich


Location: Building HG, ETH Zurich



Anonymous credentials are a strongly secure and privacy-preserving solution to user authentication but require users to securely manage cryptographic keys and credentials. In terms of usability, Single Sign-On (SSO) solutions, where the authentication is outsourced to a central identity provider, are significantly more convenient for end users. However, privacy is a major problem in SSO, as the identity provider can track all the user's online authentication attempts. In this talk, we will discuss how techniques from anonymous credentials and OPRFs can improve the privacy of Single Sign-On protocols such as OIDC, while maintaining its usability advantages - as users still don't have to manage any keys or credentials.


In this talk, we will take a look at different advancements in Private Information Retrieval (PIR), with specific emphasis on single-server constructions. We will talk about the needs from a real-world deployment perspective, new schemes and what future research in this area will look like.


In this talk, I discuss a proof technique for proving the security of a subclass of blind signatures that have an "alternative secret key" that can be used in a security reduction. Members of this class are the Abe-Okamoto Partially Blind Signature Scheme, Abe's Blind Signature, Anonymous Credentials Light, as well as the recently introduced schemes by Tessaro and Zhu. I will also discuss limitations of the proof technique, some alternatives, and open questions in the area. The talk is based on joint works with Julian Loss, Omar Renawi, and Jiayu Xu.


The 3-round blind signature based on Schnorr signatures is one of the simplest and most efficient blind signatures. Unfortunately, the ROS attack by Benhamouda et al. (Eurocrypt'21) now practically breaks them. This has led to new ideas to secure blind Schnorr while retaining its simplistic and efficient design. In the post-quantum setting, the landscape is less clear. While the high-level construction idea of blind Schnorr has been successfully ported to the post-quantum setting, a new type of ROS attack now breaks many of them. Nevertheless, there still exist schemes where the attack does not apply. Moreover, unlike the relatively simple fixes for blind Schnorr, securing the now-(practically)-insecure post-quantum blind signatures presents challenges, requiring novel approaches.


Due to the significant progress in the area of (non-interactive) zero-knowledge proofs for lattice-related statements, there has been a lot of interest in building lattice-based two-round blind signatures following Fischlin's framework (Crypto 2006). In this talk, we will give an overview of the current state-of-the-art constructions and discuss their trade-offs with respect to signature sizes, communication complexity and underlying hardness assumptions.


We present the first concurrently-secure blind signatures making black-box use of a pairing-free group for which unforgeability, in the random oracle model, can be proved without relying on the algebraic group model (AGM), thus resolving a long-standing open question. Prior pairing-free blind signatures without AGM proofs have only been proved secure for bounded concurrency or relied on computationally expensive non-black-box use of NIZKs. Our most efficient constructions rely on the chosen-target CDH assumption and can be seen as blind versions of signatures by Goh and Jarecki (EUROCRYPT '03) and Chevallier-Mames (CRYPTO '05). We also give a less efficient scheme with security based on (plain) CDH. The underlying signing protocols consist of four (in order to achieve regular unforgeability) or five moves (for strong unforgeability). All schemes are proved statistically blind in the random oracle model. Joint work with Rutchathon Chairattana-Apirom and Chenzhi Zhu.


Digital signature schemes with specific properties have recently seen various real-world applications with a strong emphasis on privacy-enhancing technologies. In particular, signatures with randomizable keys find applications in a wide range of domains such as anonymous credentials, anonymity networks and blockchains. However, the literature on the topic is vast and different terminology is used across contributions, making it difficult to compare related works and understand the range of applications covered by a given construction. In this talk, which is based on a recent systematization of knowledge work from FC '24, we will first present a unified view of signatures with randomizable keys, revisiting their security properties. From there, we will discuss related applications and existing challenges in the area.


Equivalence Class Signatures (EQS) are signature schemes for a message space that is partitioned into equivalence classes. They are malleable in that signatures can be publicly randomized and adapted to other message representatives in the same equivalence class of a signed message. Importantly, adapted message-signature pairs are indistinguishable from random message-signature pairs. Together with the Decisional Diffie-Hellman assumption this gives an unlinkability notion and makes EQS a very attractive building block for privacy-preserving primitives such as anonymous credentials. The malleability of EQS has also further been extended to the key space, i.e., to support key randomization. Such schemes are called mercurial signatures (MS) and further extend potential applications. In this talk we will introduce the aforementioned concepts and present the most efficient constructions. Then, we briefly capture recent results on their instantiability as well as review some (recent) applications. Finally, we will discuss some open problems related to this class of signature schemes.



Julian Loss

CISPA Helmholtz Center for Information Security

Lucjan Hanzlik

CISPA Helmholtz Center for Information Security