Foundations of Cryptography

<!DOCTYPE html><html lang="en"><base href='https://foc.ethz.ch/'><meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, user-scalable=no'> <meta name='mobile-web-app-capable' content='yes'> <meta name='apple-web-app-capable' content='yes'> <meta name='theme-color' content='#1F407A'> <!--<meta name='robots' content='index,follow'>--> <link rel='icon' href='./images/logos/logo.svg' type='image/svg+xml'> <link rel="manifest" href="./manifest.json"> <script src='./install-sw.js' async type='module'></script> <script src='./foc-elements/foc-card-section.js' async type='module'></script> <script src='./foc-elements/foc-card.js' async type='module'></script> <script src='./foc-elements/foc-list.js' async type='module'></script> <script src='./foc-elements/foc-publication-list.js' async type='module'></script> <script src='./foc-elements/foc-li.js' async type='module'></script> <script src='./foc-elements/foc-map.js' async type='module'></script> <link rel='stylesheet' type='text/css' href='./template.css'> <style> .timeline.animate:not(.rendering):not(.rendered) { display: none; } </style> <title>Foundations of Cryptography</title> <header> <a id="eth-logo" href="//ethz.ch"> <img src="//ethz.ch/etc/designs/ethz/img/header/ethz_logo_white.svg" alt="ETH Zürich" loading="lazy"> </a> <a class="foc-logo" href="//foc.ethz.ch"> <span> Foundations of Cryptography </span> <picture> <source srcset="./images/logos/logo-hor-wh.svg" media="(max-width: 680px)"> <img src="./images/logos/logo-wh.svg" alt="Foundations of Cryptography"> </picture> </a> </header> <nav> <a href='#news'>News</a> <a href='#group-picture'>People</a> <a href='#research'>Research</a> <a href='#teaching'>Teaching</a> </nav> <section id='news'> <h1>News</h1> <foc-list class='timeline'> <li is='foc-li' data-publication-src='./people/karenklein.json' data-publication-title='Tighter provable security for TreeKEM' data-publish-date='2025-03-18' data-image-src=''> Karen Azari and 
Andreas Ellison got a paper accepted at ACNS 2025. Congratulations! </li> <li is='foc-li' data-publication-src='./people/romanlangrehr.json' data-publication-title='Non-Interactive Key Exchange: New Notions, New Constructions, and Forward Security' data-publish-date='2025-02-06' data-image-src=''> Dennis Hofheinz and Roman Langrehr got a paper accepted at PKC 2025. Congratulations! </li> <li is='foc-li' data-publication-src='./people/karenklein.json' data-publication-title='Securely Instantiating Half Gates Garbling in the Standard Model' data-publish-date='2025-02-05' data-image-src=''> Karen Azari and Dennis Hofheinz got a paper accepted at PKC 2025. Congratulations! </li> <li is='foc-li' data-publication-src='./people/mariandietz.json' data-publication-title='How to Compress Garbled Circuit Input Labels, Efficiently' data-publish-date='2025-02-03' data-image-src=''> Marian Dietz got a paper accepted at EUROCRYPT 2025. Congratulations! </li> <li is='foc-li' data-publication-src='./people/romanlangrehr.json' data-publication-title='Malleable SNARKs and Their Applications' data-publish-date='2025-02-03' data-image-src=''> Dennis Hofheinz and Roman Langrehr got a paper accepted at EUROCRYPT 2025. Congratulations! </li> <li is='foc-li' data-publication-src='./people/karenklein.json' data-publication-title='On the Adaptive Security of Free-XOR-based Garbling Schemes in the Plain Model' data-publish-date='2025-02-01' data-image-src=''> Karen Azari got a paper accepted at EUROCRYPT 2025. Congratulations! </li> <li is='foc-li' data-publication-src='./people/ceciliaboschini.json' data-publication-title='Ringtail: Practical Two-Round Threshold Signatures from Learning with Errors' data-publish-date='2024-10-08' data-image-src=''> Cecilia Boschini got a paper accepted at the IEEE Symposium on Security and Privacy 2025. Congratulations! 
</li> <li is='foc-li' data-publication-src='./people/karenklein.json' data-publication-title='DeCAF: Decentralizable Continuous Group Key Agreement with Fast Healing' data-publish-date='2024-10-07' data-image-src=''> Karen Klein got a paper accepted at SCN 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/romanlangrehr.json' data-publication-title='On the Black-Box Complexity of Private-Key Inner-Product Functional Encryption' data-publish-date='2024-10-07' data-image-src=''> Roman Langrehr got a paper accepted at TCC 2024. Congratulations! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2024-10-07' data-image-src=''> Milan Gonzalez-Thauvin is visiting from 07.09.2024-07.02.2025. Welcome Milan! </li> <li is='foc-li' data-publication-src='./people/michaelklooss.json' data-publication-title='Practical Blind Signatures in Pairing-Free Groups' data-publish-date='2024-10-07' data-image-src=''> Michael Klooss and Michael Reichle got a paper accepted at ASIACRYPT 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/michaelklooss.json' data-publication-title='RoK, Paper, SISsors – Toolkit for Lattice-based Succinct Arguments' data-publish-date='2024-10-07' data-image-src=''> Michael Klooss got a paper accepted at ASIACRYPT 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/nicholasbrandt.json' data-publication-title='Lower Bounds for Levin–Kolmogorov Complexity' data-publish-date='2024-10-03' data-image-src=''> Nicholas Brandt got a paper accepted at TCC 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/michaelreichle.json' data-publication-title='Adaptively Secure 5 Round Threshold Signatures from MLWE/MSIS and DL with Rewinding' data-publish-date='2024-05-07' data-image-src=''> Michael Reichle got a paper accepted at CRYPTO 2024. Congratulations! 
</li> <li is='foc-li' data-publication-src='./people/ceciliaboschini.json' data-publication-title='That’s not my signature! Fail-stop signatures for a post-quantum world' data-publish-date='2024-05-07' data-image-src=''> Cecilia Boschini got a paper accepted at CRYPTO 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/juliakastner.json' data-publication-title='Pairing-Free Blind Signatures from Standard Assumptions in the ROM' data-publish-date='2024-05-07' data-image-src=''> Julia Kastner and Michael Reichle got a paper accepted at CRYPTO 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/michaelreichle.json' data-publication-title='Breaking Parallel ROS: Implication for Isogeny and Lattice-based Blind Signatures' data-publish-date='2024-01-15' data-image-src=''> Michael Reichle got a paper accepted at PKC 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/romanlangrehr.json' data-publication-title='On Structure-Preserving Cryptography and Lattices' data-publish-date='2023-12-22' data-image-src=''> Dennis Hofheinz, Kristina Hostáková, Roman Langrehr, and Bogdan Ursu got a paper accepted at PKC 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/juliakastner.json' data-publication-title='Compact Lossy Trapdoor Functions and Selective Opening Security From LWE' data-publish-date='2023-12-22' data-image-src=''> Dennis Hofheinz, Kristina Hostáková, Julia Kastner, Karen Klein, and Akin Ünal got a paper accepted at PKC 2024. Congratulations! </li> <li is='foc-li' data-publication-src='./people/romanlangrehr.json' data-publication-title='On the Multi-User Security of LWE-based NIKE' data-publish-date='2023-09-13' data-image-src=''> Roman Langrehr got a paper accepted at TCC 2023. Congratulations! 
</li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/kristinahostakova.json' data-publication-title='Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes' data-publish-date='2023-09-06' data-image-src=''> Sebastian Faller and Kristina Hostáková got a paper accepted at ASIACRYPT 2023. Congratulations! </li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/juliakastner.json' data-publication-title='Concurrent Security of Anonymous Credentials Light, Revisited' data-publish-date='2023-09-04' data-image-src=''> Julia Kastner got a paper accepted at ACM CCS 2023. Congratulations! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2023-08-1' data-image-src=''> Michael Klooß is visiting from 7.08.-11.08. Welcome Michael! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2023-07-1' data-image-src=''> Thomas Attema is visiting from 10.07.-11.08. Welcome Thomas! </li> <li is='foc-li' data-title='Visitors' data-publish-date='2023-05-30' data-image-src=''> Adam O'Neill and Ojaswi Acharya are visiting from 30.05.-3.06. Welcome Adam and Ojaswi! </li> <li is='foc-li' data-title='🏆 VIS Teaching Awards' data-publish-date='2023-05-25' data-image-src=''> The Information Security lecture (co-held with the Information Security Group) was awarded the VIS Teaching Award for Best Interaction. Congratulations! </li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/sebastianfaller.json' data-publication-title='Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol' data-publish-date='2023-05-08' data-image-src=''> Sebastian Faller got a paper accepted at CRYPTO 2023. Congratulations! 
</li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/juliakastner.json' data-publication-title='The Power of Undirected Rewindings for Adaptive Security' data-publish-date='2023-05-08' data-image-src=''> Dennis Hofheinz, Julia Kastner, and Karen Klein got a paper accepted at CRYPTO 2023. Congratulations! </li> <li is='foc-li' data-title='🏆 Early Career Best Paper Award' data-image-src='./images/news/ec23awardCropped.png' data-publish-date='2023-05-03'> Akin Ünal won the Early Career Best Paper Award at EUROCRYPT 2023 with his paper "Worst-Case Subexponential Attacks on PRGs of Constant Degree or Constant Locality". Congratulations Akin! </li> <li is='foc-li' data-title='🎓 Bogdan Ursu graduated' data-image-src='' data-publish-date='2023-03-29'> Bogdan Ursu graduated with his thesis titled "New Constructions of Round-Efficient Zero-Knowledge Proofs". Congratulations Bogdan! </li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/dennishofheinz.json' data-publication-title='Almost Tightly-Secure Re-Randomizable and Replayable CCA-secure Public Key Encryption' data-publish-date='2023-02-12' data-image-src=''> Dennis Hofheinz got a paper accepted at PKC 2023. Congratulations! </li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/suvradipchakraborty.json' data-publication-title='Deniable Authentication when Signing Keys Leak' data-publish-date='2023-02-02' data-image-src=''> Dennis Hofheinz and Suvradip Chakraborty got a paper accepted at EUROCRYPT 2023. Congratulations! </li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/suvradipchakraborty.json' data-publication-title='Reverse Firewalls for Oblivious Transfer Extension and Applications to Zero-Knowledge' data-publish-date='2023-02-02' data-image-src=''> Suvradip Chakraborty got a paper accepted at EUROCRYPT 2023. Congratulations! 
</li> <li is='foc-li' data-title='Paper accepted' data-publication-src='./people/akinuenal.json' data-publication-title='Worst-Case Subexponential Attacks on PRGs of Constant Degree or Constant Locality' data-publish-date='2023-02-02' data-image-src=''> Akin Ünal got a paper accepted at EUROCRYPT 2023. Congratulations! </li> <li is='foc-li' data-publication-src='./people/nicholasbrandt.json' data-publication-title='On the Correlation Complexity of MPC with Cheater Identification' data-publish-date='2023-02-01' data-image-src=''> Nicholas Brandt got a paper accepted at Financial Crypto 2023. Congratulations! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2022-11-25' data-image-src=''> Michael Reichle is visiting from 12.12.-15.12. Welcome Michael! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2022-11-25' data-image-src=''> Erkan Tairi is visiting from 28.11.-2.12. Welcome Erkan! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2022-09-21' data-image-src=''> Christoph Striecks is visiting from 19.9.-23.9. Welcome Christoph! </li> <li is='foc-li' data-publication-src='./people/karenklein.json' data-publication-title='SNACKs: Leveraging Proofs of Sequential Work for Blockchain Light Clients' data-publish-date='2022-09-14' data-image-src=''> Karen Klein got a paper accepted at ASIACRYPT 2022. Congratulations! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2022-08-31' data-image-src=''> Thomas Attema is visiting from 12.9.-16.9. Welcome Thomas! </li> <li is='foc-li' data-title='Visitor' data-publish-date='2022-08-31' data-image-src=''> David Niehues is visiting from 5.9.-9.9. Welcome David! </li> <li is='foc-li' data-publication-src='./people/juliakastner.json' data-publication-title='The Abe-Okamoto Partially Blind Signature Scheme Revisited' data-publish-date='2022-08-31' data-image-src=''> Julia Kastner got a paper accepted at ASIACRYPT 2022. Congratulations! 
</li> <li is='foc-li' data-publication-src='./people/juliakastner.json' data-publication-title='The Price of Verifiability: Lower Bounds for Verifiable Random Functions' data-publish-date='2022-08-31' data-image-src=''> Nicholas Brandt, Dennis Hofheinz, Julia Kastner, and Akin Ünal got a paper accepted at TCC 2022. Congratulations! </li> <!-- <li> <h2>manual title</h2> <img src='./images/logos/logo.svg'> manual text: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum </li> <li is='foc-li' data-title='auto title' data-image-src='./images/logos/logo.svg' data-publish-date='2022-08-25'> template text: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum </li> <li is='foc-li' data-title='XYZ graduated' data-image-src='./images/logos/logo.svg' data-publish-date='2022-06-22' data-expiry-date='2022-08-27'> XYZ graduated </li> <li is='foc-li' data-publication-src='./people/kristinahostakova.json' data-publication-title='Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures' data-publish-date='2022-06-22' data-image-src='./images/logos/logo.svg'> XYZ got a paper accepted at UVW. </li> --> </foc-list> </section> <section id='group-picture' class='image-container'> <img srcset="./images/group-photo-480px.webp 480w, ./images/group-photo-1280px.webp 1280w, ./images/group-photo.webp 1709w" loading="lazy" alt="Photograph of the group in front of the CAB building" sizes="calc(60vw + 120px)"> </section> <section id='people' class='tiles'> <!-- order by last name --> <div> <foc-card-section> <h2 slot='prefix'>Professor</h2> <foc-card data-src='./people/dennishofheinz.json'></foc-card> </foc-card-section> <foc-card-section> <h2 slot='prefix'>Administration</h2> <foc-card data-src='./people/claudiaguenthart.json'></foc-card> </foc-card-section> </div> <foc-card-section> <h2 slot='prefix'>PostDocs</h2> <foc-card data-src='./people/ceciliaboschini.json'></foc-card> <foc-card data-src='./people/kristinahostakova.json'></foc-card> <foc-card data-src='./people/karenklein.json'></foc-card> <foc-card data-src='./people/michaelklooss.json'></foc-card> <foc-card data-src='./people/michaelreichle.json'></foc-card> </foc-card-section> <foc-card-section> <h2 slot='prefix'>PhD Students</h2> <foc-card data-src='./people/nicholasbrandt.json'></foc-card> <foc-card data-src='./people/mariandietz.json'></foc-card> <foc-card data-src='./people/xiaoqiduan.json'></foc-card> <foc-card data-src='./people/sebastianfaller.json'></foc-card> <foc-card data-src='./people/romanlangrehr.json'></foc-card> <foc-card 
data-src='./people/moetosuzuki.json'></foc-card> </foc-card-section> <foc-card-section> <h2 slot='prefix'>Alumni</h2> <foc-card data-src='./people/bogdanursu.json'></foc-card> <foc-card data-src='./people/suvradipchakraborty.json'></foc-card> <foc-card data-src='./people/khanhnguyen.json'></foc-card> <foc-card data-src='./people/akinuenal.json'></foc-card> <foc-card data-src='./people/juliakastner.json'></foc-card> </foc-card-section> </section> <section id='research'> <h1>Research</h1> <h3>Motivation.</h3> <p> Cryptography is a crucial tool for securing information systems. Cryptographic building blocks ensure the secrecy and integrity of information, and help to protect the privacy of users. Still, most actually deployed cryptographic schemes are not known to have any rigorously proven security guarantees. This has led to a number of far-reaching security issues in widely deployed software systems. </p> <h3>Goal.</h3> <p> Our goal is to provide practical cryptographic building blocks that come with rigorously proven security guarantees. These building blocks should be efficient enough for use in large-scale modern information systems, and their security should be defined and formally analyzed in a mathematically rigorous manner. </p> <h3>Technical interests.</h3> <p> We are interested in the foundations of theoretical cryptography, and in general ways to derive constructions and security guarantees in a modular fashion. One research focus in our group concerns new cryptographic building blocks such as indistinguishability obfuscation, functional encryption, and fully homomorphic encryption. We are particularly interested in the design and analysis of cryptographic schemes in the public-key setting. This covers common tools like public-key encryption and digital signatures, specifically in realistic modern scenarios (such as settings with adaptive adversaries, and a huge number of users). 
</p> </section> <section id='teaching' class='tiles'> <h1>Teaching</h1> <foc-card-section> <foc-card> <div class='name'>Lecture: Digital Signatures</div> <p> This information concerns the “Digital Signatures” lecture in the Spring 2023 semester at ETH. The content for this course will be provided through Moodle. </p> </foc-card> <foc-card> <div class='name'>Lecture: Information Security</div> <p> This information concerns the “Information Security” lecture in the Spring 2023 semester at ETH. The content for this course will be provided through Moodle. </p> </foc-card> <foc-card> <div class='name'>Seminar: Current Topics in Cryptography</div> <p> Information about the course will be communicated to the subscribed participants via email. </p> </foc-card> </foc-card-section> <foc-card-section> <h2 slot='prefix'>Available Theses</h2> <div slot='prefix' style='margin: 20px 0'> For more details or questions in general please contact <a href='mailto:michael.reichle@inf.ethz.ch?subject=Thesis'>michael.reichle@inf.ethz.ch</a>. </div> <foc-card> <div class='name'>Improving the Security of Lattice-based Threshold Signatures (Master Thesis)</div> <p> A <i>t-out-of-N threshold signature</i> distributes a secret key among N parties, such that any group of at least t parties can jointly produce a valid signature. Importantly, even if up to t-1 parties are corrupted, an adversary still cannot forge signatures. Threshold signatures have practical applications, such as blockchain systems. Recently, NIST has launched a standardization effort <a href='https://doi.org/10.6028/NIST.IR.8214C.ipd'> [1]</a> for multi-party threshold protocols. <br> While there are efficient constructions with strong security guarantees in the classical (pre-quantum) setting, research on post-quantum (in particular, lattice-based) threshold signatures remains limited (see e.g. <a href='https://eprint.iacr.org/2024/184'>[2]</a>), and many existing constructions provide only weak security guarantees. 
<br> The aim of this project is to enhance the security guarantees of existing lattice-based threshold signatures. In particular, the project will focus on applying existing techniques for distributed key generation and for adaptive security to existing lattice-based constructions to enhance their security guarantees. A student interested in this thesis should have a background in cryptography (Information Security course, Digital Signatures course, etc.) and basic knowledge of mathematics. </p> <div class='references'> <ul> <li> <a href='https://doi.org/10.6028/NIST.IR.8214C.ipd'> [1] NIST first call for Multi-Party Threshold Schemes </a> </li> <li> <a href='https://eprint.iacr.org/2024/184'> [2] Threshold Raccoon: Practical Threshold Signatures from Standard Lattice Assumptions </a> </li> </ul> </div> <a class='mail' href='mailto:moeto.suzuki@inf.ethz.ch'>Moeto Suzuki</a> </foc-card> <!-- <foc-card> <div class='name'>Subexponential Attacks on Variational LPN (Master Thesis)</div> <p> <i>Learning Parity with Noise</i> is a mathematical problem on whose intractability several advanced cryptographic primitives are based. While LPN is similar to Learning With Errors, it has received less attention than its lattice-based counterparts. However, there are signs that some cryptographic primitives can be achieved from LPN, but not from LWE (e.g. Indistinguishability Obfuscation and VOLE). <br> In this thesis, we will study a variation of LPN that is given over large fields (instead of bits). Our aim is to find new subexponential attacks on LPN, where we put our focus on algebraic attacks. <br> A student interested in this thesis should have some basic knowledge in commutative algebra (polynomial rings and ideals). 
</p> <div class='references'> <ul> <li> <a href='https://eprint.iacr.org/2019/273'> Compressing Vector OLE </a> </li> <li> <a href='https://eprint.iacr.org/2022/712'> The Hardness of LPN over Any Integer Ring and Field for PCG Applications </a> </li> </ul> </div> <a class='mail' href='mailto:akin.uenal@inf.ethz.ch'>Akin Ünal</a> </foc-card> --> <!-- <foc-card> <div class='name'>Survey Meta-complexity literature (Semester project only!)</div> <p> <i>Meta-complexity</i> is an exciting field that provides intriguing insights into how computation fundamentally works. In particular, meta-complexity techniques have established some interesting results between complexity theory and cryptography (see <a href='https://eprint.iacr.org/2021/535'>[1]</a>) and seem promising in ruling out some of Impagliazzo's five worlds (see <a href='https://stuff.mit.edu/afs/sipb/project/reading-group/past-readings/2009-06-08-five-worlds.pdf'>[2]</a>). <br> The goal of this project is to survey the existing literature on meta-complexity, in particular in connection to the theory of cryptography. <br> A student interested in this topic should have a strong background and interest in theoretical computer science ("Theoretische Informatik" or an equivalent basic TCS course). Knowledge of cryptographic principles is beneficial but not strictly necessary. </p> <div class='references'> <ul> <li> <a href='https://eprint.iacr.org/2021/535'> [1] On the Possibility of Basing Cryptography on BPP =/= EXP </a> </li> <li> <a href='https://stuff.mit.edu/afs/sipb/project/reading-group/past-readings/2009-06-08-five-worlds.pdf'> [2] A Personal View of Average-Case Complexity </a> </li> </ul> </div> <a class='mail' href='mailto:nicholas.brandt@inf.ethz.ch'>Nicholas Brandt</a> </foc-card> --> <!--<foc-card> <div class='name'>Puncturable Signatures (Master thesis)</div> <p> A <i>puncturable signature scheme</i> is a special type of digital signature. 
It allows a signer to update their signing key sk to sk* such that certain message(s) become unsignable. This turns out to be a useful property in applications such as Proof-of-Stake based blockchains or asynchronous transaction data signing services. <br> The goal of the thesis is to review existing definitions and constructions, understand their advantages and drawbacks, and propose new constructions. Depending on the interest of the candidate, this could either be interesting theoretical constructions or rather constructions with properties useful in practical applications. <br> A student interested in this topic should have basic knowledge of cryptographic principles. To get yourself familiar with the topic, see for example <a href='https://arxiv.org/pdf/1909.03955.pdf'>[1]</a> or <a href='https://link.springer.com/chapter/10.1007/978-3-031-17146-8_25'>[2]</a>. </p> <div class='references'> <ul> <li> <a href='https://arxiv.org/pdf/1909.03955.pdf'> [1] Puncturable Signatures and Applications in Proof-of-Stake Blockchain Protocol </a> <a href='https://link.springer.com/chapter/10.1007/978-3-031-17146-8_25'> [2] Puncturable Signature: A Generic Construction and Instantiations </a> </li> </ul> </div> <a class='mail' href='mailto:kristina.hostakova@inf.ethz.ch'>Kristina Hostakova</a> </foc-card> --> <!-- <foc-card> <div class='name'>Adaptive Security for Continuous Group Key Agreement (Master thesis)</div> <p> While (group) messaging systems with strong security guarantees are widely used in practice, these protocols either do not scale efficiently to large groups or provide significantly weaker security guarantees. The candidate construction that is currently considered by the IETF MLS working group is called TreeKEM <a href='https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-09#page-12'>[1]</a>. 
First security guarantees for (a variant of) TreeKEM against so-called adaptive adversaries, which may choose their targets adaptively, potentially depending on information they have learned while interacting with the scheme, have been proven in <a href='https://eprint.iacr.org/2019/1489.pdf'>[2]</a>. <br> The goal of this project is to improve on these results using a proof technique that is called rewinding. <br> A strong background in security reductions and probability theory is required for this project. </p> <div class='references'> <ul> <li> <a href='https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol-09#page-12'> [1] The Messaging Layer Security (MLS) Protocol </a> <a href='https://eprint.iacr.org/2019/1489.pdf'> [2] Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement </a> </li> </ul> </div> <a class='mail' href='mailto:karen.klein@inf.ethz.ch'>Karen Klein</a> </foc-card> --> <!-- <foc-card> <div class='name'>Pairing-Based Blind Signatures in the Algebraic Group Model (Bachelor Thesis)</div> <p> A blind signature scheme is a special type of signature scheme where through interaction, a user can obtain a signature from a signer on a message of their choice without having to reveal said message. Such schemes find applications in electronic voting, electronic payments as well as anonymous credentials. <br> In [1], Boldyreva introduces a blind variant of the pairing-based BLS signature scheme. The security proof is in the random oracle model (ROM) and uses the interactive One-More-CDH assumption. <br> The algebraic group model (AGM)[2] is an abstract model of computation for groups. In the AGM, any adversary is required to explain how they computed group elements in their output from their input. This explanation can be leveraged by a reduction to solve a hard problem and allows for reductions that are not possible in the standard (group) model. 
Fuchsbauer, Kiltz, and Loss [2] show that in the AGM, plain BLS signatures can have a tight security reduction to the discrete logarithm problem, circumventing an impossibility result for signature schemes with unique signatures. <br> The goal of this thesis is to investigate whether one can improve the security reduction for the blind variant of BLS using the AGM to obtain security based on a non-interactive assumption. <br> Familiarity with cryptographic reductions and assumptions (e.g. from the Information Security course) is strongly recommended for this project. <br> Starting date: September 2023. </p> <div class='references'> <ul> <li> <a href='https://faculty.cc.gatech.edu/~aboldyre/papers/bold.pdf'> [1] Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme </a> </li> <li> <a href='https://eprint.iacr.org/2017/620.pdf'> [2] The Algebraic Group Model and its Applications </a> </li> </ul> </div> <a class='mail' href='mailto:julia.kastner@inf.ethz.ch'>Julia Kastner</a> </foc-card> --> <!-- <foc-card> <div class='name'>2-dimensional bit security (Semester project)</div> <p> When selecting concrete parameters for encryption schemes, one typically aims for “n-bit security” (usually with n = 128), where n-bit security is (informally) defined as “the best attack takes as much time as brute-force trying 2^n keys”, or equivalently, an attack that runs in time t and has advantage ε satisfies t/ε > 2^n [1]. However, the choice of considering t/ε is arbitrary and, for example in group-based schemes, there are benefits in considering t^2/ε instead of t/ε (e.g. [2]). </p> <p> The goal of this project is to consider a 2-dimensional version of security and study how attacks in this setting relate to each other (given a (t,ε)-attack, which (t',ε')-attacks does this imply?), possibly by assuming some properties of the hardness problem (like random self-reducibility), and to study how this notion behaves under reductions (i.e. 
how reductions affect t and ε, and which reductions are preferable in which scenarios). </p> <div class='references'> <ul> <li> <a href='https://eprint.iacr.org/2018/077.pdf'> [1] Daniele Micciancio, Michael Walter. “On the Bit Security of Cryptographic Primitives” (EUROCRYPT 2018) </a> </li> <li> <a href='https://eprint.iacr.org/2021/971.pdf'> [2] Lior Rotem, Gil Segev. “Tighter Security for Schnorr Identification and Signatures: A High-Moment Forking Lemma for Σ-Protocols” (CRYPTO 2021) </a> </li> </ul> </div> <a class='mail' href='mailto:roman.langrehr@inf.ethz.ch'>Roman Langrehr</a> </foc-card> <foc-card> <div class='name'>Active multi-user security of the CM-NIKE (Semester project or Master thesis)</div> <p> Cachin and Maurer [1] present a 2-party NIKE with unconditional security in the bounded storage model. In this model, all parties have streaming access to a huge uniformly random string (urs), but have only bounded storage (much smaller than the size of the urs). However, they only analyze the security in a very weak model (later called “light security”). More realistic models, with multiple (potentially dishonest) users, have been proposed in [2,3]. The goal of this thesis is to analyze the CM-NIKE in these more realistic models, ideally the strongest possible model (“adaptive dishonest key registration security”). </p> <p> The work [3] provides a generic transformation from light to adaptive honest key-registration security (where many, but only honest, users are allowed). However, their transformation cannot be applied here directly due to the non-negligible correctness error of the CM-NIKE. </p> <p> Possible extensions: </p> <ul> <li> The CM-NIKE comes with a non-negligible correctness error. Can this be improved, or is this unavoidable (for unconditional security in the bounded storage model)? </li> </ul> <div class='references'> <ul> <li> <a href='https://crypto.ethz.ch/publications/files/CacMau97b.pdf'> [1] Christian Cachin and Ueli Maurer. 
“Unconditional security against memory-bounded adversaries” (Crypto 1997) </a> </li> <li> <a href='https://eprint.iacr.org/2008/067.pdf'> [2] David Cash, Eike Kiltz, and Victor Shoup. “The Twin Diffie-Hellman Problem and Applications” (EUROCRYPT 2008) </a> </li> <li> <a href='https://eprint.iacr.org/2012/732.pdf'> [3] Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, and Kenneth G. Paterson. “Non-Interactive Key Exchange” (PKC 2013) </a> </li> </ul> </div> <a class='mail' href='mailto:roman.langrehr@inf.ethz.ch'>Roman Langrehr</a> </foc-card> --> </foc-card-section> </section> <section id='contact' class='tiles'> <foc-card> <div class='name'> <img src="./images/logos/logo.svg" alt="Foundations of Cryptography"> <span>Contact</span> </div> <a class="address" href="https://goo.gl/maps/MibPzU5TdU3iYU3B7"> <span> Universitaetstrasse 6 <br> CAB Building, H Floor <br> 8092 Zurich <br> Switzerland </span> </a> <a class='mail' href='mailto:claudia.guenthart@inf.ethz.ch'>claudia.guenthart@inf.ethz.ch</a> <a class='homepage' href='//foc.ethz.ch/'>foc.ethz.ch</a> </foc-card> </section> <footer> <div class='spacer'></div> <section class='contact tiles'> <h2> Contact </h2> <foc-card> <div class='foc-logo name'> <picture> <img src="./images/logos/logo.svg" alt="Foundations of Cryptography"> </picture> <span> Foundations of Cryptography </span> </div> <a class="address" href="https://goo.gl/maps/MibPzU5TdU3iYU3B7"> <span> Universitaetstrasse 6 <br> CAB Building, H Floor <br> 8092 Zurich <br> Switzerland </span> </a> <a class='mail' href='mailto:claudia.guenthart@inf.ethz.ch'>claudia.guenthart@inf.ethz.ch</a> <a class='homepage' href='//foc.ethz.ch/'>foc.ethz.ch</a> </foc-card> </section> <foc-map 
data-src='https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d983.1914598703298!2d8.547943600718801!3d47.378403662217615!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x0%3A0x965279ae5b0d4afd!2sETH%20Department%20of%20Computer%20Science!5e0!3m2!1sen!2sch!4v1657097257268!5m2!1sen!2sch'></foc-map> <section class='band'> <h2>Affiliations</h2> <foc-list class='timeline'> <li> <a href='//ti.ethz.ch/'>Institute of Theoretical Computer Science</a> </li> <li> <a href='//inf.ethz.ch/'>Department of Computer Science</a> </li> <li> <a href='//ethz.ch/'>ETH Zürich</a> </li> </foc-list> </section> <div> <div> <a href='/imprint.html'>Imprint</a> </div> <a href='//ethz.ch/en/footer/disclaimer.html'>Disclaimer</a> <a href='//ethz.ch/en/footer/data-protection.html'>Data protection</a> <a href='//ethz.ch/'>© 2022 ETH Zürich</a> </div> </footer></html>