Available Topics

Adaptor signatures are a cryptographic primitive that ties together the authorization of a message and the leakage of a secret value -- a concept particularly useful in the context of decentralized payment systems. While there exist various constructions for adaptor signatures where a single party takes the role of the signer, less attention has been given to settings where multiple (potential) signers authorize a message. The goal of the thesis is to formally define one of the possible multi-signer notions and to present a provably secure construction.

Contact: Kristina Hostáková

A zero-knowledge proof system is a protocol between a prover and a verifier, where the prover attempts to convince the verifier that a statement x belongs to an NP language. The honest prover possesses a witness w for the fact that x is a valid statement in the language, and the zero-knowledge property requires that no information about the witness w is leaked during the interaction with the verifier. Moreover, a cheating prover should not be able to convince the verifier to accept any statement which is not in the language.

Zero knowledge protocols have many applications, for example in privacy-preserving authentication or in building other cryptographic protocols.

In this project, we will look at recent breakthroughs in the field of zero-knowledge and attempt to build on these techniques to obtain new results. Earliest possible starting date: 01.04.2021.

Preliminary references:
[ADk+19]: http://eprint.iacr.org/2019/732

Contact: Bogdan Ursu

Secure Multi-Party Computation enables mutually untrusting parties to perform a shared computation without revealing any information about their inputs beyond what is already leaked by the result of the computation. This notion is also often called Secure Function Evaluation (SFE).

Depending on the network and adversary model, i.e. how parties communicate and what capabilities an attacker possesses, different notions are achievable or impossible. Early works show that when a majority of parties is corrupt, then output cannot be guaranteed, and indeed not even fairness [Cle86].

To sidestep this fundamental impossibility, Identifiable Abort has been introduced [IOZ14]: here an adversary may abort the protocol, but in doing so it must reveal the identity of at least one corrupted party. Open questions in this area concern in particular the strong setting where the adversary is computationally unbounded and may corrupt a majority of the parties. [BMM+20] investigated this setting, formalizing a tool for analyzing protocols with Identifiable Abort and linking it to an NP-hard problem. The goals of this thesis are to study the computational hardness of Identifiable Abort and to improve the bound of [BMM+20] on the minimal setup size.

Contact: Nicholas Brandt

Obfuscation denotes the process of making a circuit, an algorithm, or a program unintelligible without changing its functionality. While it may seem questionable at first why somebody would make their code deliberately unreadable, it turns out that the possibility of obfuscating circuits would have many applications in cryptography (consider for example [HMM06]). However, it has been shown in [BGI+01] that obfuscation does not exist in a (somewhat technical) black-box sense for all families of circuits. This means that, in general, it is not possible to hide all internals of a circuit while still maintaining its functionality. Therefore, the notion of indistinguishability obfuscation has been proposed for cryptography. An indistinguishability obfuscator is a program which transforms a circuit such that every piece of information an adversary can learn from the obfuscated circuit is independent of the concrete implementation of the circuit that was given to the obfuscator.

As has been pointed out in [BKM+19], Chapter 5, an indistinguishability obfuscator for a family of circuits is trivially achieved if there exist efficiently computable canonical forms for the circuits of that family. A canonical form is a circuit such that every other circuit of the family with the same functionality can be efficiently transformed into this canonical form by one uniform algorithm. At the end of Chapter 5 in [BKM+19], the authors suspect that every circuit in disjunctive normal form (DNF) with a constant number of clauses admits a canonical form. As it turns out, those DNFs belong to a larger family of circuits which all admit canonical forms. Those canonical forms are constructed by carefully transforming the circuits into sufficiently small deterministic finite-state automata and computing Nerode's minimal automaton of those.

Your thesis:

In this thesis, you should formally write down the above algorithm for computing canonical forms and specify the family of circuits to which it applies. Further, you should formally prove the correctness of the algorithm.
In a second step, you should extend the algorithm to arithmetic circuits and automata, and prove its correctness again. Further, you should semantically interpret the corresponding family of circuits and find interesting specimens.

Preliminary references:
[BGI+01] https://eprint.iacr.org/2001/069
[HMM06] https://eprint.iacr.org/2006/463
[BKM+19] https://eprint.iacr.org/2019/463

Contact: Akin Ünal