Available Topics

Adaptor signatures are a cryptographic primitive that ties together the authorization of a message and the leakage of a secret value -- a concept particularly useful in the context of decentralized payment systems. While there exist various constructions for adaptor signatures where one party takes the role of a signer, less attention has been given to settings where there are multiple (potential) signers authorizing a message.

The goal of the thesis is to formally define one of the possible multi-signer notions and to present a provably secure construction. Earliest possible starting date: 01.03.2022.

Preliminary references:
[EFH+21]: https://eprint.iacr.org/2021/150.pdf

Contact: Claudia Günthart

A zero-knowledge proof system is a protocol between a prover and a verifier, where the prover attempts to convince the verifier that a statement x belongs to an NP language. The honest prover possesses a witness w for the fact that x is a valid statement in the language and the zero-knowledge property asks that during the interaction with the verifier, no information is leaked about the witness w. Moreover, a cheating prover should not be able to convince the verifier to accept any statements which are not in the language.

Zero-knowledge protocols have many applications, for example in privacy-preserving authentication or as building blocks for other cryptographic protocols.

In this project, we will look at recent breakthroughs in the field of zero-knowledge proofs and attempt to build on these techniques to obtain new results. Earliest possible starting date: 01.04.2021.

Preliminary references:
[ADk+19]: http://eprint.iacr.org/2019/732

Contact: Bogdan Ursu

Secure Multi-Party Computation enables mutually untrusting parties to perform a shared computation without revealing any information about their inputs beyond what is already leaked by the result of the computation. This notion is often also called Secure Function Evaluation (SFE).

Depending on the network and adversary model, i.e. how parties communicate and what capabilities an attacker possesses, different notions are achievable or impossible. Early works show that when a majority of parties is corrupt, output delivery cannot be guaranteed, and indeed not even fairness [Cle86].

To sidestep this fundamental impossibility, Identifiable Abort has been introduced [IOZ14]: here an adversary may abort the protocol, but it must reveal the identity of at least one corrupted party. Open questions in this area concern in particular the strong setting where the adversary is computationally unbounded and may corrupt a majority of parties. [BMM+20] investigated this setting, formalizing a tool for analyzing protocols with Identifiable Abort and linking it to an NP-hard problem. The goals of this thesis are to study the computational hardness of Identifiable Abort, and to improve the bound of [BMM+20] on the minimal setup size.

Contact: Nicholas Brandt

Obfuscation denotes the process of making a circuit, an algorithm or a program unintelligible without changing its functionality. While it may seem questionable at first why somebody would deliberately make their code unreadable, it turns out that the ability to obfuscate circuits would have many applications in cryptography (consider for example [HMM06]). However, [BGI+01] showed that obfuscation in a (somewhat technical) black-box sense does not exist for all families of circuits. This means that, in general, it is not possible to hide all internals of a circuit while still maintaining its functionality. Therefore, the notion of indistinguishability obfuscation has been proposed for cryptography. An indistinguishability obfuscator is a program that transforms a circuit such that every piece of information an adversary can learn from the obfuscation is independent of the concrete implementation of the circuit that was given to the obfuscator.

As has been pointed out in [BKM+19], Chapter 5, an indistinguishability obfuscator for a family of circuits is trivially achieved if there exist efficiently computable canonical forms for the circuits of that family. A canonical form is a circuit such that every other circuit of the family with the same functionality can be efficiently transformed into this canonical form by one uniform algorithm. At the end of Chapter 5 in [BKM+19], the authors suspect that each circuit in disjunctive normal form (DNF) with a constant number of clauses admits a canonical form. As it turns out, those DNFs belong to a larger family of circuits which all admit canonical forms. Those canonical forms are constructed by carefully transforming the circuits into sufficiently small deterministic finite automata and computing the Nerode-minimal automaton of each.
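As an added illustration of the canonical-form idea (this is neither the thesis algorithm nor code from [BKM+19]), the following Python sketch canonicalizes a DNF with a small number of clauses: it reads the variables x_0, ..., x_{n-1} in a fixed order, builds a DFA whose state records which clauses are still satisfiable (at most about n·2^k states for k clauses, which is the "sufficiently small" automaton for constant k), minimizes it by Moore's partition refinement (the Nerode quotient), and numbers the classes in breadth-first order so that isomorphic minimal automata yield identical tables. The clause encoding, the fixed variable order and the BFS numbering are assumptions of this example, not choices made on the page.

```python
from collections import deque

# Added illustration of canonical forms via minimal DFAs; not the thesis algorithm.
# A DNF is a list of clauses; each clause is a dict {variable_index: required_bit}
# (constructed encoding). The automaton reads x_0 ... x_{n-1} in that fixed order.


def dnf_to_dfa(clauses, n):
    """Build a DFA accepting exactly the satisfying assignments of the DNF.

    A state is (depth, status): status is the frozenset of clauses not yet
    falsified by the bits read so far, or 'T' once some clause is fully
    satisfied. With k clauses there are at most n * 2^k + n + 1 states.
    """
    start = (0, frozenset(range(len(clauses))))
    states, trans, accepting = {start}, {}, set()
    queue = deque([start])
    while queue:
        state = queue.popleft()
        depth, status = state
        if depth == n:                      # all variables read: accept iff satisfied
            if status == 'T':
                accepting.add(state)
            continue
        for bit in (0, 1):
            if status == 'T':
                nxt = (depth + 1, 'T')
            else:
                # keep a clause only if it has no literal on x_depth or agrees with the bit
                alive = frozenset(c for c in status
                                  if clauses[c].get(depth, bit) == bit)
                # a surviving clause whose variables have all been read is satisfied
                satisfied = any(all(v <= depth for v in clauses[c]) for c in alive)
                nxt = (depth + 1, 'T' if satisfied else alive)
            trans[(state, bit)] = nxt
            if nxt not in states:
                states.add(nxt)
                queue.append(nxt)
    return start, states, trans, accepting


def minimize(states, trans, accepting):
    """Moore's partition refinement; returns a map state -> equivalence-class id."""
    cls = {s: (s in accepting) for s in states}
    while True:
        signature = {s: (cls[s], cls.get(trans.get((s, 0))), cls.get(trans.get((s, 1))))
                     for s in states}
        ids, new_cls = {}, {}
        for s in states:
            new_cls[s] = ids.setdefault(signature[s], len(ids))
        if len(ids) == len(set(cls.values())):   # no class was split: partition is stable
            return new_cls
        cls = new_cls


def canonical_form(clauses, n):
    """Canonical table of the minimal DFA: entry i is (accepting, succ_on_0, succ_on_1).

    Classes are numbered breadth-first from the start state, 0-edge before 1-edge,
    so two isomorphic minimal automata produce exactly the same table.
    """
    start, states, trans, accepting = dnf_to_dfa(clauses, n)
    cls = minimize(states, trans, accepting)
    rep = {}
    for s in states:                            # one representative per class
        rep.setdefault(cls[s], s)
    number, order = {cls[start]: 0}, [cls[start]]
    queue = deque([cls[start]])
    while queue:
        c = queue.popleft()
        for bit in (0, 1):
            nxt = trans.get((rep[c], bit))
            if nxt is not None and cls[nxt] not in number:
                number[cls[nxt]] = len(number)
                order.append(cls[nxt])
                queue.append(cls[nxt])
    table = []
    for c in order:
        s = rep[c]
        succ = [number[cls[trans[(s, b)]]] if (s, b) in trans else None for b in (0, 1)]
        table.append((s in accepting, succ[0], succ[1]))
    return tuple(table)


if __name__ == "__main__":
    # Two syntactically different DNFs for x0 AND (x1 OR x2), and one for x0 AND x1 (constructed).
    f1 = [{0: 1, 1: 1}, {0: 1, 1: 0, 2: 1}]
    f2 = [{0: 1, 1: 1}, {0: 1, 2: 1}]
    g = [{0: 1, 1: 1}]
    print(canonical_form(f1, 3) == canonical_form(f2, 3))   # True: same function, same form
    print(canonical_form(f1, 3) == canonical_form(g, 3))    # False: different function
```

The table returned for a function depends only on the function, because the Nerode quotient of the fixed-order automaton is unique up to isomorphism and the BFS numbering removes the remaining freedom. The caveat that motivates restricting the circuit family is visible in the state bound: for a general circuit the automaton can have exponentially many states in n, so the construction is only efficient where the intermediate automaton stays small.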

Your thesis:

In this thesis, you should formally write down the above algorithm for computing canonical forms and specify the family of circuits to which it applies. Further, you should formally prove the correctness of the algorithm.
In a second step, you should extend the algorithm to arithmetic circuits and automata, and prove its correctness again. Further, you should semantically interpret the corresponding family of circuits and find interesting specimens.

Preliminary references:
[BGI+01] https://eprint.iacr.org/2001/069
[HMM06] https://eprint.iacr.org/2006/463
[BKM+19] https://eprint.iacr.org/2019/463

Contact: Akin Ünal

Non-Interactive Key Exchange (NIKE) is a primitive that allows any two parties to obtain a shared secret key without any communication, using only a public key infrastructure. That is, after a trusted party has generated some public parameters, every user can generate a public/secret key pair. Then, a user (Alice) can use her secret key and another user’s (Bob’s) public key to obtain a shared key. When Bob does the same with his secret key and Alice’s public key, he should obtain the same shared key. Every other user that only has access to Alice’s and Bob’s public keys should learn nothing about their shared key.

The first example of a NIKE scheme is the famous Diffie-Hellman key exchange. A drawback of Diffie and Hellman’s NIKE is its lack of post-quantum security. Therefore it is an interesting problem to construct NIKE from assumptions that offer post-quantum security, like learning with errors (LWE). A drawback of all known constructions is that they have a correctness error that scales as 1/q, where q is the LWE modulus. Thus these constructions need a very large modulus to control the correctness error, which makes them less efficient and requires a stronger assumption for security.

Guo, Kamath, Rosen and Sotiraki showed in 2020 that this large correctness error is inherent for a canonical type of NIKE construction [GKRS20]. However, even simple constructions like the following are not captured by their work:
Public parameters: LWE-Matrix 𝐀 ∈ ℤ_q^{n × m}
User 1: Samples 𝐬 ← χ^n and 𝐞 ← χ^m (where χ is the discrete Gaussian distribution on ℤ_q) and sets pk = 𝐬ᵀ 𝐀 + 𝐞ᵀ and sk = (𝐬, 𝐞).
User 2: Samples 𝐮 ← {-1, 0, 1}^m and sets pk = 𝐀𝐮 and sk = 𝐮.
Their shared key is Round(𝐬ᵀ 𝐀 𝐮), which both parties can compute assuming the term 𝐞ᵀ𝐮 vanishes in the rounding process.
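The construction above, implemented as an added example (not code from the page or from [GKRS20]) with toy, insecure parameters, so that the correctness error can be observed directly. Assumptions of this example: the discrete Gaussian χ is replaced by a rounded continuous Gaussian, Round(·) maps ℤ_q to a single key bit (1 on [q/4, 3q/4), else 0), and the error term 𝐞ᵀ𝐮 is the only source of disagreement, since User 1 computes 𝐬ᵀ(𝐀𝐮) exactly while User 2 computes (𝐬ᵀ𝐀 + 𝐞ᵀ)𝐮.

```python
import random

# Added example, not code from the page: the two-user LWE-based NIKE sketched
# above, in plain Python with toy parameters (illustration only, not secure).
# Simplification: the discrete Gaussian chi is replaced by a rounded continuous
# Gaussian, and Round(.) maps Z_q to a single key bit.


def sample_gaussian_vector(rng, length, sigma):
    """Rounded Gaussian entries as a stand-in for the discrete Gaussian chi."""
    return [round(rng.gauss(0.0, sigma)) for _ in range(length)]


def sample_matrix(rng, n, m, q):
    """Public parameter: uniformly random LWE matrix A in Z_q^{n x m}."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def keygen_user1(rng, A, q, sigma_s, sigma_e):
    """User 1: s <- chi^n, e <- chi^m, pk = s^T A + e^T (mod q), sk = (s, e)."""
    n, m = len(A), len(A[0])
    s = sample_gaussian_vector(rng, n, sigma_s)
    e = sample_gaussian_vector(rng, m, sigma_e)
    pk = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return pk, (s, e)


def keygen_user2(rng, A, q):
    """User 2: u <- {-1, 0, 1}^m, pk = A u (mod q), sk = u."""
    n, m = len(A), len(A[0])
    u = [rng.choice((-1, 0, 1)) for _ in range(m)]
    pk = [sum(A[i][j] * u[j] for j in range(m)) % q for i in range(n)]
    return pk, u


def round_zq(x, q):
    """Round(x): key bit 1 if x mod q lies in [q/4, 3q/4), else 0."""
    return 1 if q // 4 <= x % q < 3 * q // 4 else 0


def shared_key_user1(sk1, pk2, q):
    """User 1 computes s^T (A u), which equals s^T A u exactly (no noise)."""
    s, _e = sk1
    return round_zq(sum(s[i] * pk2[i] for i in range(len(s))), q)


def shared_key_user2(sk2, pk1, q):
    """User 2 computes (s^T A + e^T) u = s^T A u + e^T u; e^T u is the error term."""
    u = sk2
    return round_zq(sum(pk1[j] * u[j] for j in range(len(u))), q)


def agreement_rate(q, n, m, sigma_s, sigma_e, trials, seed=0):
    """Fraction of exchanges in which both users derive the same key bit."""
    rng = random.Random(seed)
    A = sample_matrix(rng, n, m, q)
    agree = 0
    for _ in range(trials):
        pk1, sk1 = keygen_user1(rng, A, q, sigma_s, sigma_e)
        pk2, sk2 = keygen_user2(rng, A, q)
        if shared_key_user1(sk1, pk2, q) == shared_key_user2(sk2, pk1, q):
            agree += 1
    return agree / trials


if __name__ == "__main__":
    # Same noise, growing modulus: the disagreement rate shrinks roughly like 1/q.
    for q in (2**6, 2**10, 2**14, 2**20):
        print(q, agreement_rate(q, n=16, m=64, sigma_s=2.0, sigma_e=2.0, trials=300))
```

Running the loop at the bottom shows the effect the text describes: with the noise fixed, key agreement fails whenever 𝐬ᵀ𝐀𝐮 lies within |𝐞ᵀ𝐮| of a rounding boundary, which happens with probability on the order of |𝐞ᵀ𝐮|/q, so a small modulus gives frequent failures and a large one makes them rare. With sigma_e = 0 the two computations coincide and agreement is exact.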

The goal of this Bachelor’s or Master’s thesis or semester project is to generalize the result of [GKRS20] to a wider class of LWE-based NIKE schemes that captures, for example, the construction above.

Contact: Roman Langrehr