Adaptor signatures are a cryptographic primitive that ties together the
authorization of a message and the leakage of a secret value -- a concept
particularly useful in the context of decentralized payment systems. While
there exist various constructions for adaptor signatures where one party takes
the role of the signer, less attention has been given to settings where
multiple (potential) signers authorize a message. The goal of the thesis is
to formally define one of the possible multi-signer notions and present a
provably secure construction.

**Contact:** Kristina Hostáková

A zero-knowledge proof system is a protocol between a prover and a verifier,
where the prover attempts to convince the verifier that a statement x belongs
to an NP language. The honest prover possesses a witness w for the fact that x
is a valid statement in the language and the zero-knowledge property asks that
during the interaction with the verifier, no information is leaked about the
witness w. Moreover, a cheating prover should not be able to convince the
verifier to accept any statements which are not in the language.

Zero knowledge protocols have many applications, for example in privacy-preserving authentication or in building other cryptographic protocols.

In this project, we will look at recent breakthroughs in the field of zero-knowledge and attempt to build on these techniques to obtain new results. Earliest possible starting date: 01.04.2021.

**Preliminary references:**

[ADk+19]: http://eprint.iacr.org/2019/732

**Contact:** Bogdan Ursu

Secure Multi-Party Computation enables mutually untrusting parties to perform a
shared computation without revealing any information about their input that is
not already leaked by the result of the computation. This notion is often also
called Secure Function Evaluation (SFE).

Depending on the network and adversary model, i.e., how parties communicate and what capabilities an attacker possesses, different notions are achievable or impossible. Early works show that when a majority of parties is corrupt, output cannot be guaranteed, and indeed not even fairness [Cle86].

To sidestep this fundamental impossibility, *Identifiable Abort* has been
introduced [IOZ14]: here an adversary may abort the protocol, but it must reveal
the identity of at least one corrupted party. Open questions in this area
concern in particular the strong setting where the adversary is computationally
unbounded and may corrupt a majority of parties. [BMM+20] investigated this
setting, formalizing a tool for analyzing protocols with Identifiable Abort and
linking it to an NP-hard problem.
The goals of this thesis are to study the computational hardness of
Identifiable Abort and to improve the bound of [BMM+20] on the minimal setup size.

**Contact:** Nicholas Brandt

Obfuscation denotes the process of making a circuit, an algorithm, or a program
unintelligible without changing its functionality. While it may be questionable
at first why somebody would deliberately make their code unreadable, it turns out
that the possibility of obfuscating circuits would have a lot of applications
in cryptography (consider for example [HMM06]). However, it has been shown in
[BGI+01] that obfuscation does not exist in a (somewhat technical) black-box
sense for all families of circuits. This means that, in general, it is not possible
to hide all internals of a circuit while still maintaining its functionality.
Therefore, the notion of indistinguishability obfuscation has been proposed for
cryptography. An indistinguishability obfuscator is a program which transforms
a circuit in such a way that each piece of information an adversary can learn from the
obfuscation is independent of the concrete implementation of the circuit which
was given to the obfuscator.

As has been pointed out in [BKM+19], Chapter 5, an indistinguishability obfuscator for a family of circuits is trivially achieved if there exist efficiently computable canonical forms for the circuits of that family. A canonical form is a circuit such that every other circuit of the family with the same functionality can be efficiently transformed into this canonical form by one uniform algorithm. At the end of Chapter 5 in [BKM+19], the authors suspect that each circuit in disjunctive normal form (DNF) with a constant number of clauses admits a canonical form. As it turns out, those DNFs belong to a bigger family of circuits which all admit canonical forms. Those canonical forms are constructed by carefully transforming the circuits into sufficiently small deterministic finite-state automata and computing the Nerode (minimal) automaton of each.
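The canonicalization sketched above, as an added illustration written for this page (not code from [BKM+19] or from the thesis): a DNF over n Boolean variables is turned into a DFA that reads the assignment bit by bit, the DFA is minimized by Moore's partition refinement (giving the Nerode automaton), and its states are renumbered in BFS order so that two DNFs computing the same function yield the identical description. The sample formulas F1 and F2 are constructed, and the automaton construction used (state = position plus the set of clauses not yet falsified) is one natural choice, not necessarily the one the proposal has in mind.

```python
from collections import deque
# A DNF is a list of clauses; a clause maps variable index -> required value.
# Constructed sample formulas over 3 variables (not from the thesis text):
F1 = [{0: True, 1: True}, {0: False, 1: True}]  # (x0 & x1) | (~x0 & x1)
F2 = [{1: True}]                                # x1: the same function as F1

def dnf_to_dfa(dnf, n):
    """DFA over {0,1} accepting exactly the n-bit assignments satisfying dnf. A state
    is (position, clauses not yet falsified): at most n*2^k + 1 states for k clauses."""
    dead = (n, frozenset())              # sink: formula falsified or input too long
    start = (0, frozenset(range(len(dnf))))
    trans, todo = {}, deque([start])
    while todo:
        s = todo.popleft()
        if s in trans:
            continue
        pos, alive = s
        if pos == n:                     # all variables read: only the sink follows
            trans[s] = {0: dead, 1: dead}
            continue
        trans[s] = {b: (pos + 1, frozenset(c for c in alive  # drop clauses falsified by bit b
                                            if dnf[c].get(pos, bool(b)) == bool(b)))
                    for b in (0, 1)}
        todo.extend(trans[s].values())
    # accepting: some clause survived all n variables, i.e. every literal matched
    return start, trans, {s for s in trans if s[0] == n and s[1]}

def minimize(start, trans, accept):
    """Moore refinement to the Nerode (minimal) automaton: merge states with equal residuals."""
    block = {s: int(s in accept) for s in trans}
    while True:
        sig = {s: (block[s], block[trans[s][0]], block[trans[s][1]]) for s in trans}
        ids = {v: i for i, v in enumerate(sorted(set(sig.values())))}
        if len(ids) == len(set(block.values())):
            break                        # no block was split: partition is stable
        block = {s: ids[sig[s]] for s in trans}
    qtrans = {block[s]: {b: block[t] for b, t in trans[s].items()} for s in trans}
    return block[start], qtrans, {block[s] for s in accept}

def canonical_form(dnf, n):
    """Minimal DFA renumbered in BFS order (0-edge before 1-edge), so equivalent
    DNFs yield the identical tuple of (next_on_0, next_on_1, accepting)."""
    start, trans, accept = minimize(*dnf_to_dfa(dnf, n))
    order, queue = {start: 0}, deque([start])
    while queue:
        s = queue.popleft()
        for t in (trans[s][0], trans[s][1]):
            if t not in order:
                order[t] = len(order)
                queue.append(t)
    return tuple((order[trans[s][0]], order[trans[s][1]], s in accept) for s in order)
```

Because the clause set, not the number of variables, bounds the automaton size, the construction stays small for a constant number of clauses even as n grows, which is the regime the proposal singles out.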

**Your thesis:**

In this thesis, you should formally write down the above algorithm for computing canonical forms and specify the family of circuits on which it is applicable. Further, you should formally prove the correctness of the algorithm.

In a second step, you should extend the algorithm to arithmetic circuits and automata, and prove its correctness again. Further, you should semantically interpret the corresponding family of circuits and find interesting specimens.

**Preliminary references:**

[BGI+01] https://eprint.iacr.org/2001/069

[HMM06] https://eprint.iacr.org/2006/463

[BKM+19] https://eprint.iacr.org/2019/463

**Contact:** Akin Ünal