The rump session chairs are Allison Bishop, Carmit Hazay, and Martijn Stam.
More information, including links to papers and slides, is available at https://eurocrypt.iacr.org/2024/program.php
so uh welcome to the r session we’re still waiting for the uh slides but there we are so there’s three of us there is Allison Bishop K haai and uh me uh there are always a little bit of administrative things so one thing you will notice is that there’s the icr logo at the moment uh the ISR logo will actually change into pictures of various fellows so you can play the game in your head like do you recognize the fellow the other thing is that you will see here names so these are the people who should get ready because it’s there will be up next now a long time ago when my when I gave my first rum session talk there was this idea that speakers who finished in time they would get a little reward so we have the same thing if you finish in time as a speaker you will be given a little chocolate but you have to exit the stage from that side because that’s where the chocolate will be uh and I think from that’s it from me so now I’ll hand over to Ellison all right can we get our first speakers up here uh for for the program chairs report all right so uh just one remark Michelle you forgot to sign all these Awards I think there’s no signature it’s not valid okay um we need our slides yeah what start the timer okay timer started timer started yeah um thank you very much for joining this rum session was I supposed to say more on the slide no no okay next so once upon a time I I was told that that’s a very good way to start a talk um so there was Euro crit 2024 and the story I mean takes place online it started in October 2023 I mean that was when if you think of it quite some time ago um people decided to submit papers uh we got uh if I remember ly 501 submission out of which 482 went to the review process and if you imagine how many pages this is it’s impossible to do this just the two of us so we were very happy that you could rely on first of all our area chairs soeta s Pala Maria claudo and Danielle who have helped us a lot in splitting this immense load of papers into more manageable Parts yeah thank you thank you very much [Applause] yeah so a lot of people were involved in the re review process so we had a huge community of uh 104 PC members uh we also got the help of uh external reviewers so I won’t go over the list but if you’re a PC member or if you did review a paper for your Crypt I’d like you to to stand up no no one really thank you very much uh all of you there’s no one no um okay this slide is tells maybe a bit about our collaboration so whenever we did not know Mark before we we started this adventure and um so when we were talking I was always the one who would not do things right away and Mark was no let’s do it now let’s do it now and then it’s done and he was so right every single time you said this so it was a a a great help and here you [Music] see um yeah you see how the how all the um PC members work over time and what you would hope is uh is there like no so what you would hope is like the the guy on the very left of the picture that’s what you would hope as a PC um uh chair so the the rars come in from the start but that’s not the case it’s very steep very close to the deadline and then you also have guys like the one on the very right with this Mark but but far off the dash line but of course it’s not because Mark didn’t do his reviews but it’s because it’s extra reviews that that were missing or where we needed additional expertise so uh thanks a lot to all all these reviews that we got okay um so if you had been on a PC before in a conference like your Crypt so you should know how much work that is um so we’d like to start from TC Crypts a new tradition and would like to annulate the artwor of the PC members um so we’d like to nominate some distinguished PC members so uh those are those uh we did I mean the exra my like reviewing more papers uh being super active in the discussion or helping I mean in general so uh this year so we’d like to uh to distinguish um SOA Diego Christina Chris and Bernardo Danielle Tibor pavana faan Divia Peter Yanik Serge and Mark so thank you very much for all your dedicated work [Applause] and and we do have uh Awards like this also without the frame so it’s easier to transport but signed yeah you can come to us and collect it ah yeah and then uh if you either got accepted or rejected anyway you you maybe noticed that we did not do an interactive rebuttle interactive phase with the ERS but only had a rebuttle because we thought it’s better to to limit this interaction to to what’s needed but some authors felt the need to still communicate with us and that’s maybe the reply all um hit so we have several emails that we wanted to show we try to anonymize um so we have been invited for example for a zoom meeting to discuss the rebuttal yeah so yeah so also some authors I mean told how much they like the review and the reviewers and then we were asked if he I don’t know if it was to ask to if we should comment on this I don’t know I don’t think we answer but yeah and I also don’t don’t know what happened but yeah to crypto um some people were not happy of course it’s mainly Reon email um but still the comments were good yeah we were happy with this no or to submit to CCS yeah yeah so maybe something a fun fact so if uh you’re a fellow so the probability that you eat the reply to all button is almost close to one um so it means maybe that uh if uh I mean you have the tendency to click that button so maybe you’ll be soon liated an ask your fellow so to eat that button um what’s next a yeah so can take this one oh yeah um so I mean this is almost the end of the story so uh 400 reviews and 5200 comments later I mean that’s a huge number um so 105 paper have been accepted in the program so thank you and congrats to all AP authors but also thank you to all who did submit so uh so we cannot have a conference I mean without all those contribution and you can observe that this is on pair with the other IRC [Applause] conferences so besides the uh regular um papers uh and paper talks we also had um two invited two great invited talks thank you very much um Kenny and wa for for both talks are already given so thank you very much for for for the nice talks um we had a panel discussion on Publications thank you very much to everybody who attended me also and an for moderating thank you very much an um and we hope to have a nice rum session not so clear yet but uh thanks anyway for for doing yeah we had um behind the scenes is who always helps a lot Kevin McCurley so we googled for Kevin McCurley to find a new updated picture and that’s what we found that’s the first I hope it’s not you so we we also have this one and yes thanks [Applause] Kevin and some people cannot be thanked enough I think so thanks a lot yeah and a big big big shout out to uh two uh General chair so Julia and Tyas so thank you thank you thank you for all the work you did and also to all the uh amazing uh organizing team so thank you so much for from the bottom of our [Applause] [Laughter] Earth so next we’ll um yeah so we now give a few on the fact evaluation yeah hi everyone uh I will keep this quick I promise all right but first I need to issue a clarification these people made me spell it wrong the entire time it is not spelled artifact moving on so eurocrypt was the first IA Flagship conference that had an artifact evaluation process so the whole thing was started at chess in 21 then it’s been continuing at chess since then and then now you are here at eurocrypt and it will continue at crypto 24 I’m not sure if the Asia Crypt uh chairs have made a decision on this already so for crypto it’s going to be Mark Stevens going to be the uh the chair um and so the idea of this process is and I’m here to tell you about it so you’re more aware of that this exists is that the authors of invited papers were encouraged and invited to uh to submit artifacts which could be software implementations Hardware implementations data sets that kind of thing and then the idea is that a committee looks over these some reviewers in order to test functionality and reusability uh but we didn’t go for things like reproducibility right so we have a quite limited scope in our process um given that these were accepted papers these submissions were not Anonymous and then we had like some requirements give us a re me tell us what this does give us a license um and then we had some uh reviewers look at this and give some feedback uh the whole thing was uh interactive was meant to be interactive uh but the uh the point of this is to essentially accept every submission so the idea was to improve the submissions rather than do an accept uh reject uh decision and here’s the guiding question the idea is in a few years time some Professor asked some poor grat student kind of why don’t you extend the result from this old paper do they have a Fighting Chance of actually doing that right so can they take this can they run this can they kind of hack it like that’s the idea that we’re aiming for here okay we had a small committee so uh here are all the members so thank you all of you who were on the committee so Luca Maria Yan Marcel Benjamin Yan Baptist Peter Dury and Mark so thank you I want to raise an issue and that you can have opinions on because I was the chair of this process and two artifacts that were accepted were submitted by me so I accepted my own submissions which is not okay uh the way we handled this is that Mark Stevens who will be the chair of crypto kind of like he was given these artifacts and he then kind of handled the review process and made the accept reject decision I would like you all to encourage enage to have strong opinions about this and talk at Mark and me about this so we can think about like maybe there’s a better way of doing this the rationalist the commit the community of people who evaluate artifacts is very small so it might be difficult to prevent those from being submitted okay we we accepted uh 14 submissions 10 straight up uh accepted three with Shepherd and one we just merged so essentially we accepted everything um we didn’t award a best artifa award a question I have what does the best artifact even look like like what should we go for how should we change the process and the other question I would like to ask is so we we ran this like review process with Anonymous reviewers given the low stakes of this process maybe we shouldn’t so that is also something for the community to consider and that’s it thank you all right what our next speaker please come up all right here’s the clicker hi to keep this PR session uh fun and entertaining uh let’s talk about climate change and the carbon footprint of flying shall we all right I want to advertise a discussion group we call it EOC Crypt it’s happening tomorrow morning let me explain so I guess you don’t need me to tell you that uh InterContinental flying is emitting a lot of CO2 I computed some numbers for you in addition to that physical attendance is currently required as these two uh quotes show so this creates I know for a fact that this creates a lot of moral dilemma for some of our some members of our community um should we care is this dilemma legitimate and I mean should we try to be inclusive to these people we want to have prefer to have a smaller carbon footprint basically and if assuming we do assuming the answerers is yes what well what are our options U I’m not going to go over all of this this is actually what we will discuss uh tomorrow morning and know that yes we did discuss some of these points during the panel discussions but briefly and I think these points in particular because they are like complex issues that could have negative consequences and that should really we should really think carefully about implementing any of these things I think we deserve lengthier conversation and this will happen as I said tomorrow at 10: all right now it’s time for something related sustainability award thank you Roman so Eur 2024 sustainability award we need to implement this to a very efficient protocol we have an award for the longest train ride we’re looking for the longest train ride that’s how we do it please take out your phone if you came by train Google map from the station where you left to Z hopan Hof read the kilometers in distance it’s not about the time that you spend traveling you know sseeing in Frankfurt or whatever it’s about the distance I give you 10 seconds to do that so everybody who came by train please Google map take the car uh uh choose the car as a vehicle and read the number of kilometers so who has more than 300 show off hands okay we have uh we have some people upstairs yes good good good 400 raise your hand it’s a bit hard to see for me okay we still have some hands 500 okay you guys are very okay keep up your hand 600 people upstairs still not giving up yes yes where was I 700 oh I’m sorry 700 we still have some hands we still have some hands 800 sorry w we still have some hands 1 2 3 four race higher race higher I cannot see you yes 900 00 I see I see you I see you 900 somebody’s holding up a beer don’t don’t do that a thousand 1,000 wow one two and I see two people anybody else okay 1,100 okay one one gave up this this is between two people what you came from the same place oh damn it okay we don’t have a protocol for that okay uh tell me the number of kilometers almost almost 500 can you please both come to the stage a big a big Club of fans for over 1,200 kilm train right I assume it must have been well almost a day yeah so the price the priz for the sustainability award is a free attendance of eurocrypt 20125 in Madrid I hope you come by train and we’re going to figure out how to share this between the two of you so we need a minute for the second uh recipient of the award to come down the stairs most just Biden game yes yes quick quick quick up up stairs here stairs are over stairs are over there was one hour Del I don’t know if that helps but no it was just m okay Sona and Diego thanks a lot for coming that long by train congratulations on assist ability what this year give to same I took the same train as yeah thank you all right that was over time but I’m going to say the kids can get chocolates all right with our next speaker please come up hello everybody do you want this yes so hello I’m probably you cannot see from afar but I am Alan Turing and I’m here to talk to you about the security theater the security theater is the process by which if you came here by playe since we were just talking about plane you went to a airport queued for a lot of time just to have your water thrown away then you landed here in zurk then you came to the conference venue just to get your water thrown away again okay so I’m here to argue that this process gives us no security it’s a theater because we live in a world where we are allowed to bring laptops on planes I was very sad to see that this process is in place also in conference venues so I decided to try and test this process a bit to bring something fresh inside of eurocrypt something fresh like well it’s best if I show you what’s more fresh than a freshly done cheese sandwich and this is my laptop and as you can see my laptop features uh an Intel cheese cor du Duo some bread some cucumber I’m now going to make a sandwich on stage time [Music] allowing you know all these mornings without breakfast it was this easy don’t forget the the cuc number it gives like a lot it adds a lot to a cheese sandwich I think this will have to [Laughter] do so eat your breakfast and travel safe you’re safe not because of Security checks but because the people around you care about you because we are a community and that makes us strong not people looking inside of our luggage thank you uh thank you I think we’ll confiscate that sandwich though um all right here you go all right everyone so my name is yopa BOS and together with Andreas huling we are the editor in Chief for this new icr Journal so the icr communications in cryptology and I just wanted to give a brief update because I think it’s yeah very related to all the things we have been uh discussing the last couple days about scalability of the icr so for people who have not seen um yeah the main principles of the cic I posted them here so as you can see the no travel scalability it’s all in here um and in in the process of creating this journal over the last two years we have been working a lot behind the scenes to get things ready one of the things and Kevin will be talking about this later in the ROM session is about the whole infrastructure for the copy editing and the other is about the latex style file we we created so if you have any comments go to this website file file your issues uh and and let us know so some statistics um the very first issue now has been published next week we will publish the second issue we received 104 submissions out of uh 100 were proper and a very senior member in our community and he allowed me to to tell you this we desk rejected his paper because he honestly forgot that his submission already appeared in another Journal so this is not even a joke um so remember this journal we don’t have any page limits but we separate between regular papers and long papers and I really would like to point out um that really the proofs you can stuff them in the appendix but they will be part of this page count and we require reviewing of all the proofs um so we received 75 regular papers 25 long um and in the end we for the first issue accepted uh 32 papers some statistics so we have various areas um and you can see the number of submissions per areas number of accepted papers and from this I think it’s pretty clear if you want to get the highest acceptance rate you should work in theory so how does this compare to the other area or to the other venues we have um you can see that here so I think eurocrypt um is very prestigious so if you average out the acceptance rates of The Last 5 Years you can really see that it’s most difficult to get into eurocrypt so if you got a paper here then congratulations um we have a very large editorial board around 80 people our goal was to minimize reviewing it was already said before if you were a PC member of eurp you had an enormous load of refs to do our goal was two to three refs we failed because we got too many submissions it was 3 to four we extended the editorial board and I think we fixed that problem for the second issue already so I think the acceptance rate is was 32% and we fit right uh in the middle uh compared to the other icr venues and finally to conclude um next week as I said we have the notification of the second issue if you’re interested and uh you want to publish in the communications in cryptology um the next deadline is July 8th feel free uh to submit your paper to the cic thank [Applause] you okay you may not be aware of this but next year in Switzerland there will be an event of even greater reach than eurocrypt and it will be your vision and why because Switzerland won this year W now you may not know that the artist after they won they immediately dropped the trophy so that prompted one of our biggest insurance companies in Switzerland to run this ad now these guys are pretty famous for their ads uh I’ll give you some examples so here’s another one or maybe this like if you lose your phone on a ski lift but my personal favorite is this now you may not find this funny but m in German means Mason and it’s really funny if you think about the fact that there’s a cryptographer and a former president of Switzerland called Willie mower now also maybe you don’t know that next year there will be another event called Euro crisan which is a song contest but based on cryptography and maybe you want to hear or learn about some of the entries from various different countries yes okay let’s go first count oh basic it’s also known in you know under its old French name of now Norway first entry unfortunately the title is in Norwegian now could somebody please translate this what I wish we had mountains like Switzerland that is correct now in case you ever need help distinguishing Swiss Mountains from Norwegian mountains I give you an almost perfect strategy if the picture contains a mountain it’s in Switzerland okay next entry Israel unfortunately again I cannot read this what does it say anybody who speaks Hebrew oh please throwing shoes say it foundations of throwing shoes correct the foundations of shoe throwing Volume Two basic throws now if you understand this joke I guess you’re a little older next Switzerland who speaks Roman Kish where are you not here okay I’ll take this it means I’m out of money and if you need a sketch for your insurance company I already prepared one for you next up mdova now some of you may see where this is going others may not but the singer from mova is a very famous very influential singer that now lives in the United States and the song is based on a crypto paper from 2014 and in fact there is a little dance would you like to see the dance can we see the dance please can we cue the shorter video please oh unfortunately it’s [Music] sideways very good thank you okay finally who speaks Greek nobody there are no Greek people what does it say shout it correct my boss is Greek I don’t make jokes about Greece I’m Swiss I’m not scared of cowbells now this is uroborus and it’s it gave the name to a famous blockchain protocol and if you’re interested in blockchains look out for this paper on ePrint and we revisit the input endorser technique and we do so with a very realistic Network model that models blockchains under high capacity uh under high near capacity load thank you okay thank you that’s all I wanted to say see you next year at Euro cision thank you [Applause] I feel like an idiot standing up here giving a serious talk but it’s not the first time so uh you might have seen this in the panel discussion this number from ACM what their Open Access charge will be price per paper of $1,300 $1,800 for a non-member so I want to show you how much better iacr is so we when we started doing the communications and cryptology when I first heard about this proposal I thought oh man that’s going to be hard to do and then I got to thinking about it and I said well what maybe we should set about trying to do this and keep the cost to a minimum and we decided that the best way to do that is to minimize the amount of human labor required for this so step one y and I wrote a new latch class which uh looks somewhat different than the LL NCS class when thing it happens is when you run PDF latch it actually spits out all the metadata into a separate file so that means nobody has to enter that there’s no form to fill out step two I figured we needed better software I mean if we learned anything from the information age better software makes people function better so we have these three pieces the submission piece the copy editing piece and the indexing and web hosting piece the submission piece we’re just using an open source version of uh of hot crap and I must say that this is non-standard for a journal to actually do reviewing this way you know if you look around in the academic landscape nobody uses this but it’s what icr wanted to use next is the copy editing and production editing now about 10 years ago there was a rump session talk about copy editing from Springer I advise you to go look up that that uh presentation because it’s quite good I will say that this is potentially the most expensive part because humans are required to do this right now but what we do is we push back on the authors but when we push back on them we try to give them good tools so that they can also solve their problems so I actually wrote a parser for the bib Tech log and the latch log which if you really want to have an exercise in futility I advise you to try that and you know once the the author is satisfied with it they send it to the copy editor copy editor sends back items to be fixed the author responds to each item and then they send the final version then the copy editor check that the changes were satisfactory they have a side by-side view of both the latex source and the PDF and when they approve it then it goes into the issue to be published and when all the papers have been you know prepared and have been copyedited all the editor asked to do is push a button to publish the issue so the web pages go live the dois get registered with crossref.org the preservation archive gets registered indexing is performed and we’re launched and so it actually works pretty smoothly I was surprised that it actually worked out I will say there’ have been a lot of people looking over our shoulders you have to coordinate launching a journal with a lot of people crossr for the org for the dois issn for your issn number the indexing agencies the archiving it’s kind of a zoo to run a a journal but it’s possible to do so then you ask the question what does it actually cost to run a journal what do we actually pay for communications and cryptology so this sort of inescapable cost and the software development luckily we’ve got me who retired and I have nothing better to do so I I donated that my time for the software but it will be open source so hopefully it’ll be maintainable thank you thank you so then if you look at what it would cost to publish 200 papers a year I actually total up all the costs so running the web server and paying for the dois and paying for the archiving and all of that totals up to $900 to publish 200 papers and if you did a th000 papers it’d be $1,700 so that means that if you’re comparing to the ACM or the ACM non-member price for publishing one issue we undercut that by a factor of a thousand so my question is where the hell’s the money going in ACM okay and the final thing is about the copy Ed thank you the final thing is about the copy editing we’re using volunteers to do that but I actually have a plan to use large language models to try to do that thank you very [Applause] much all right cool perfect is this the right one oh yeah there right one okay good all right hello everyone uh I’m sorry to be giving like a serious talk I’ll will be talking about a physical Hardware implementation of an interactive protocol called uh Quantum tic tactoe so you all love you all know and you love or hate normal Tic Tac Toe I guess all of you solved it when you were four years old um and uh a couple of years ago a guy called Evert figured out that if you just add a couple of quantum moves this actually becomes quite a deep game and we it is like it’s currently an open research question whether optimal strategies for this game exist so this was sort of a rabbit hole that I kind of fell into uh and I wanted to play against my friends but nobody wanted to go online and play with me so my solution was to buy a bunch of dice and figure out how to play it on the board now basically to introduce a game there are three moves the first one is a classical one and you place one of the die with a one up meaning that there’s a 100% probability that if you collapse the wave function your X will be in this Square otherwise you can of course do a superposition move in which case it collapses is in one of the squares with 50/50% probability and more interestingly you can now start to entangle with your opponent and in this case there there are of course correlated probabilities where One X will appear either on top or the middle and the other Square will be an O and you can even entangle with superposition States in which case the dice get turned with a four up to indicate that there is a quarter probability that your X or o will appear where you want it to be so this is my implementation of the game as it exists on uh the website I’ve been having a lot of fun with this and I can uh happily uh convey to you that I have succeeded in cornering almost all of my friends and forcing them to play against me um once the board is full the uh state of course gets uh observed and therefore collapses into one of the many board configurations that is possible based on the moves that was done and then you simply observe okay did anybody win yet and in this case X1 on the diagonal of course uh in cases where nobody has one yet and there are still open squares left the game simply continues great now uh once I have this dice idea I started thinking like okay can we do more can we introduce Quantum phases for example like phase cancellations and the answer is yes because you can Orient these triangular dies in two different ways so let’s say right side up is a pH of plus one and upside down is a face of minus one and then you introduce the rule that faces cancel between the players of course otherwise it would be a boring game uh so this is one of the moves that you can make now you see that there is exactly one die here that is upside down and if You observe this then the middle square has been cancelled and therefore there only appears either an X or an o in the top square of course you can cancel both of them and then observe it and then the board will be simply empty uh and yet I claim to use that as long as both players do use at least some Quantum moves we will get a game that it s that does not simply go on forever um I will leave this as a sort of challenge to you in order to keep my time constraints here and get some chocolate afterwards uh but uh you can try and think about what will the resulting probabilities be if you uh do a phase cancellation on a superposition State thank you very much and come find me in order to try it out [Applause] W yeah come come on your timer starting Okay who wants the quicker Ni No I the okay I can do all of that yes you say when it starts it starts no so who has ever seen the Wing cat oh no Make Some Noise if you have come on go yeah okay you might have seen it on the break slides announcing the woman and allies discussion session that happened yesterday so Karina how did it go well actually it went so well we even forget got to put the photos into our slides but we had some really nice discussions and a lot of suggestions for the next conferences cool but what does Wing stands for really well Wing stands for women in cryptography and we have are a community that has been created roughly two years ago and we are active in many many ways so we have a Discord server with over 200 people woo yeah and we have already mingled over 75 pairs in coffee breaks wow and we are currently running our second edition of women in cryptography seminars and we are also Crea uh organizing inperson meet apps look at the great pictures from RWC so yeah and our next uh speaker in the seminar is really great and they’re sitting just there so please join us on the 12th of June 2 p.m. CST and it’s on Zoom so it’s super easy to join and we’re counting on you but we have a little problem that is the win cat is actually really really heavy and currently we are missing some people some hands to help us organizing all the things we want to organize so uh for example you could help us organize something at crypto or Asia Crypt uh you could help with the infrastructure or you can just give us some money and funding that would be really nice yeah join us yes so please join join us no no wait wait wait wait wait we don’t need only female hands so whatever your hand identifies at please come and join us okay we need help thank you thank you I I have heard a rumor that that next seminar talk might have some good jokes in it so come check it out all right next up here we go okay there’s only two buttons this is really easy um hi everyone so I’m not sure this is crypto Doodles Revisited it was going to be um what happened to crypto dles but Allison has really funny jokes and she was like this is more crypto so if you guys don’t know what crypto dles is um welcome to the internet it was a novelty Twitter account that was dedicated to bad puns and funny talk moments uh such as gate bygate gobbling uh this was a pandemic joke about doing MPC over small groups because you know what stay safe and Allison blob and you know we got some really cool very philosophical moments like why does Bob have so many laptops anyways if you um have been on the internet at all you’ve noticed that maybe Twitter doesn’t exist anymore which is kind of sad because that’s where it lived so what happened to it well it briefly was a WordPress site uh somebody asked me you know oh hello 2012 like didn’t realize you were back uh it was also briefly in Instagram turns out not a lot of cryptographers aren’t Instagram kind of sad um is it a blue sky you know it’s it’s a it’s a it’s a lonely Blue Sky uh but realistically it just lives on my tablet um never to see the light of day oh sorry I guess I de anonymize myself hi I’m crypto Doodles uh so anyways yeah it was actually kind of pseudo Anonymous this is a weird way to out myself um but yeah so I guess like maybe it’s going to come back to Blue Sky you know I feel very in theme so maybe that’s where it’s going to live but I’m also a little bit uninspired so if anybody has some nice puns or whatever I would love to like you know get the creative jues flowing or if anybody else wants to draw some fun stuff um it’s actually really nice you should consider making little little jokes um but yeah this didn’t take four minutes [Applause] okay hello all right F I’m sorry okay can start starting now hello everyone I want to thank first of all Chad GPT for being here I’m mean for the jokes of course uh and um we present the hungry cryptographer problem so this problem has been uh noticed since I came here to the conference so let’s say that let’s say that um I’m participating this conference as can see I have crutches so getting food or getting drinks is a tough work for me so I would say that I was expecting people to run for food but not to run like animals they were going for it taking stocking up food and I was like okay so I’m a cryptographer let’s analyze this so at this point I had uh some ideas some background checking so as an Italian I would say where is my espresso where can I get it and in some breaks there was no espresso so I was sad so I went back some theorems and there was this sneakers guys they were doing some ads about you know food and they were say you’re not you when you’re hungry so who are you and I asked Gemini to explain me that so cryptographers they are human people uh for now of course and they solve complex and Mathematics problems uh with the help of coffee and tea and sometimes they have curiosity or Hobbies but most of the times they just go for a math problem and you might say why should we care about cryptographers growing hungry but that’s what we’ve been doing since the beginning of this field we’ve always worried about what’s going to happen for dinner it’s just we’re a bit more naive back then I would say you know we just cared if NSA is going to pay for our dinner and turns out NSA is willing to pay as long as you don’t ask them to confirm it but food is nice and all the more important thing for cryptographers who pays for their drinks and we might be able to do some convincing here and thinking back we care about how much food we can get and how we can make sure that we’re not the ones paying for it so let’s see what we can do in this situation right and this is a very realistic setting so crypto is going big the community is growing we manag to find this gem from the last ramp station and yeah even this year you know it’s like at least it’s good we have our priorities straight you know we can go without a bit of food but drinks must be provided so so what what kind of cryptographer are you people that are taking drinks and food are you the budget cryptographer that just goes on meet up for the food and they expect the burger but the burger never comes it happen or you are a venture capitalist funded cryptographer you don’t care about money right and you don’t care about the miners problem or are you the trending Quantum cryptographer that doesn’t care about if learning with errors is broken or not but cares if there is the slice of pizza and yeah so I analyzed a bit of the psychology of cryptographers and they have a lot of fear of missing out they miss out news but they are more fear uh the fear is more about missing out food so the food on the buffet is uh found is um um to is is taken with the principle of hard now and the world later so as I said initially people were stacking up sandwiches on each other and I was with crutches without taking anything and I was like okay this must be a principal like fif leaf or something and I call it her now and the later and um actually where people are inside doing conferences sometimes people were waiting outside for the food and the staff was saying hey I’m sorry the food is not already uh can you wait one minute more so yeah we had a lot of interesting Insight but when it come to actually doing the work thank you CH GPT the only problem is I think he has a different idea of what kind of problem we trying to solve here so let’s go for a second time and be a bit more specific NPC let’s say some secret sharing but I think he likes more to share sandwiches than secrets so given our attendance that doesn’t seem to really work out I guess the overhead would be too insane so the problem seems pretty difficult can we fix it probably not but at least now I know it’s a problem so someone can probably write a real session about it and for the rest of us I guess there always McDonald’s but then again we’re in Switzerland so maybe just go straight for the [Applause] drinks hello everyone I’m ch Mo today I’m inviting you to pay a bit more attention on the privac right of Wei together the story I’m going to tell is between two old friends that many of you may be familiar with there are the Prov and the verify and enet proof where the strong Pro uh trying to convince the V about something sometime it’s a honest and the kind with the tell they verify the rising some other can be malicious you are try to bully the V and F to access some wrong answer even more with crypto graer even help arming the pro with the know proof ensuring that the wer cannot learn anything from the Prov during the protocol that just send the ver in a rather vulnerable situation so question today is uh what if the ver want some privacy of the secet such as this uh it’s okay if you didn’t take a notice because it was ignored in the last few decades that is why we need the instant hiding T proof this is a kind of proof system where the proof make Pro make a proof to the vile without learning uh the exact statement it is proving so to be a little bit in detail in such a inant hiding proof or IP the in input instance is only private to the VII and the approver would only receive the input lens as the input we in addition to some the standard compl and sness we also need the pro learn nothing about the instance in the interaction or in the other way uh what the pro can see in the interaction well not Beyond it can generate by itself uh though this notion was uh proposed in early 1919 uh almost the same time as Z knowledge proof we have a little understanding about it and in recent study we found that it Shar some common property with the St Z proof which is those Z proof where the Z property and the and the sness hold for a very information theoretic strong manner more detail we show that the IP and the S the both contain in am km meaning that unlikely uh the MP is contained in them unless on collapse of polom hierarchy and also show that as long as any H problem that is contained in any of these two classes this would imply existence of oneway function but there are also evidence showing that these two classes should be distinct from each other specifically uh we don’t know how to construct instant hiding Pro for some natural AIC problem such as a graph isomorphism and also we show a language with respect to some Oracle that has instant hiding T proof but doesn’t have a STIs proof the the difference is that the instant hiding T proof is close under any composition of efficient function while similar result uh only holds for S with a pol polinomial size formula so to find more about the instant hiding 20 proof uh you may go our study and where uh you may find a few interesting result and quite a few open problems thank you all right thank you we have a break now we’re going to resume on time at 8:45 e e e e e e e e e e e e e e e e e e e e e e e hello we will be resuming in 30 seconds there you go any green button I guess green button yes not hello [Applause] [Applause] I can start I can start hello good evening everyone uh I’m a contractor at nist and I will be giving an update on on seven nist projects so this is going to be quite fast I suggest you focus on the projects you’re interested in and then in the rest you can zone out okay so postquantum cryptography uh nist will publish the final fibs uh standards for kyber lithium and finx plus in the summer of this year and later in the year it will publish the the draft fibs for Falcon last month nist hosted a workshop videos and slides are online where it outlined the changes that were made uh between the draft fibs and the final versions of the fibs as result of public feedback there are currently still uh many candidates being analyzed the fourth round of the cam selection will end in Fall of 2024 and there are currently 40 onramp submissions for signatures being analyzed and very soon there will be a filtering out of these submissions into round number two multi-party threshold cryptography uh there are two reports whose drafts have been published uh quite a bit ago in 2023 and 2022 the final versions will be published expectably within a couple of months uh the N call for multiparty threshold schemes is calling for specifications implementation and evaluation of threshold schemes notably involving uh multiparty computation ful morphic encryption zero knowledge proofs one of the um Novelties in the final version as compared to the draft is that we will split deadlines one will be for public abstracts in the end of 2024 and the the other one for the final packages in early 2025th uh we intend to encourage collaboration and in particular we are enabling differentiation of authors across different modules of the uh submissions there’s also an IR on uh notes on threshold atsa and schnor there won’t be many modifications but we will integrate new references that have appeared since the draft version privacy enhancing cryptography this project intends to accompany emerging uh PEC and promote reference material we have an upcoming a virtual Workshop WC 2024 this will take place in September 24th to 26 you can submit abstracts for a talk until July 22nd we have chosen a main feature topic private set intersection which will occupy about 50% of the workshop but the workshop is also open to broader techniques uh there’s the block Cipher modes of operation uh project the goal is to address limitations in the nist approved set of block Cipher modes of operation uh currently in consideration is the development of an accordian Cipher mode this will be a new tweakable as-based variable input length strong sud the random permutation uh and with respect to This n is organizing a workshop on the requirements for this mode it will be an in-person workshop on June 20 to 21 you can still register until June 13th it will be in Rockville USA there’s also a discussion DFT about the requirements it has been published in on April 10th and public comments are due by July first lightweight cryptography here the main update is simply to say that the draft standard on ascon will be published later in 2014 the selection of ascon was explained in a previous report and workshop the standard will include an authentication authenticated encryption with Associated data uh mode and we also include a hash and or an extendable output function random bit generation this is the project that handles the sp890 series part A is about deterministic random Generations uh generators Part B is about entropy sources and part C is about RBG constructions part C has been in draft mode for a long time a fourth draft will be uh published very soon and it actually adds a new uh RBG Mode called rbgc that allows for the use of U the RBG chains later meaning after this publication there’s also the intention of producing a revision number two of the the RBG constructions and the plan here is to add uh the RBG based on on extendable output functions finally nist has a crypto publication review process uh project the goal is to ensure that uh standards that are older than 5 years are eventually reviewed a review can end in a decision of reaffirming updating revising converting or withdrawing the draft related to this the current news are upcoming soon there will be a special publication about hmac that essentially converts the old document with the hmac standard and it includes also some of the requirements for uh message authentication using hmac recently comp completed reviews that resulted in a decision to to Revis uh include a special publication on key derivation functions and two special Publications that include GCM GMAC and XTS Cipher modes under review are also the Chri Publications the standard and also special publication on cha R derived functions and recently withdrawn finally uh on January 1st of this year tdaa has been withdrawn thank you very much for your attention you can find a lot of information online and most of these projects have a forum that you can subscribe to thank [Applause] you uh one quick announcement we do have three rum session awards that we will be giving at the end so if you and the audience would like to influence the r session chairs as to who you think should get an award uh please be you know interactive and um and make your make your approval known all right there you go thank you oh okay hello everyone so as you might or might not know uh on Sunday as part of the Affiliated events to eurocrypt we organized a workshop on cryptographic code audit and attached to it there was a captur the flag so a CTF is a challenge where teams uh try to compete for solving in this case cryptographic challenges and uh it’s maybe something not super typical for eurocrypt but we were very happy of the uh you know uh we got very professional teams participating and I think it’s finally time to announce the winners of the eurocrypt 2024 CTF so uh can can somebody do a drum roll or something like that and the winner is West Ham defense AIT group congratulation please come on stage and claim your prize so this is a very Swiss prize as you can see it’s an engraved fondu set and uh in case you get hungry and you want to try it immediately here is some uh uh artificial instant Fu that we found at migros so want to say something West Ham remains well capitalized and well defended thank you very much so uh we have to say that uh they were very good but there was another team who did extremely well it was really it was really a tie break and so at the end we decided to also give a second priz and let’s welcome kowar and Robin [Applause] congratulations here you go another very Swiss prize for you and your team members this is a set of uh Swiss knives so so maybe it’s better than the first prize so please uh accept it at uh want to say something impressed by you guys not necessary so yeah I think it’s super cool to have some of these yeah trying to bring the CDF crypto community in with the research Community bit more because there’s a lot of overlap between active researchers and some of the top level of CDF players both here and a lot of people in the audience so it’s really cool to see them brought together okay thank you sorry we needed to get the chocolate so uh thank you everyone and uh see you next time thanks for playing thank thank you very much thank [Applause] you all right let’s have our next speaker come on [Applause] up thank you thank you uh very kind very kind um I want to start with good news and bad news uh the good news is I did not get teargas this year um but Britta hail offered to taser me off of the stage so there’s that the bad news is I also had different food expectations I’ve read Aster in Switzerland so I thought the coffee breaks would be like this and the lunch break would be like this but it was not anyway my talk is called cryptographic identities What boat are you on um and I want to say like first very seriously I think it’s really cool as a community that uh pronoun stickers at conferences have become a normal thing I think this this is great we should keep doing this uh really really and this is this is the most serious part of my talk I really think this is cool and then this year we had other stickers as well and those I have questions about I saw uh I love MPC I saw I soy lover uh I saw I Break Stuff prove nerd those we have I saw lettuce person and here already as a lettuce person I noticed that the person making the stickers got like Progressive less excited which everyone let this person uh and then there was codes okay those are yeah no comment then this uh I think this is for people who like rainbow signatures um and then there was gbat and this this is not a primitive I know I had questions about this one uh and admittedly I stopped like learning German after middle school but in my middle school German this means pleasure boat uh and uh according to Google Translate it also means pleasure boat and pleasure boat to me sounds like you know kind of what happens on the pleasure boat stays on the pleasure boat situation I don’t know why you would put that on your name tag um it’s kind of wild I don’t know if you remember when we had Cards Against cryptography like the Cards Against Humanity spin-off I think you have like a winning hand and here if you have like uh I’m meeting my isogen lover after the r session at the pleasure boat I I think like this is basically the one that always wins eat sleep pleasure boat repeat you’re there uh this you cannot lose uh I’m on the pleasure boat and all I’m wearing is my red lanyard uh there’s the but but really you know the pant the I think this is very uh good because this really these you have three kinds of cryptographers right you have pant you have the whole all things come into the the the heresia thing like the holistic view of cryptography then you have altia if you like fonts and and you know and then you have pleasure boat if you just like the pleasure boat uh if i’ if I’d made the slides after adish shamir’s talk this would have said vigorously wiggling probably uh I just want to quickly mention we’re hosting pkc in Ros next year please support your papers but like I mean these darned identity things are going too far is what I imagine some older people are saying and this I this I understand this I understand we should stop this so I have a a proposed alternative solution for this we get rid of name tags like with with names you get to the conference and you can choose if you want a feminine name you can get Alice if you want a masculine name you can get Bob and if you want a gender neutral alternative you can get Charlie and this has all kinds of advantages no identity politics no need to remember many names no fancy affiliations yes we get it you work for a rich University um and it’s easier for the conference at and these because they just print 300 of each and put them on the desk and then what I learned is that the ISR is already starting to implement this which I don’t know if you noticed but if I look for myself on the ePrint archive it already says you maybe are actually called Bob du so that is that is good and with that I want to conclude use lots of stickers the stickers are really cool come to pkc 25 and live every day like you are on the pleasure boat thank you very much [Applause] that’s not my talk huh that’s not my talk no because no it should be mine should be mine are you next I also don’t think here looks like my slid though yeah just go for okay cool okay yeah looks it looks like my slides all right thank you okay hello everyone um my name is Charlotte and B already said like there’s a new label which is proof nerd as well and I must admit I am one of those so yes I literally say proves are important and even more than that because I’m an easy CP person I even think mechanized proofs are important which I think not everyone is agreeing anymore uh especially because if you get into working with easy Crypt you very soon realize that this name might be a bit misleading because meches proofs are actually quite hard if you st with them so I started with working with uh formalizing proofs for protocols and got a bit lost in the beginning and some people did that as well at D cor and oxner published a paper where they tried to make this easier by using a new technique called SSP State separating proofs and map that concept into easy Crypt and they used something called cryptobox as their illustrating example for that uh and they realize we get an easier uh code or like easier implementation easy CP but something still remain hard so that’s where I started in the discussion with easy group people what happens if we don’t be that dogmatic about using SSP in our BRS and yes I wrote a new proof for Crypts which is hopefully coming soon on ePrint I’m working on that and this led me to the question which I would like to discuss with some of you how should we do proof from now on so there are multiple ways of doing proofs now and the question is can we find something that’s actually better than something else and as you see there are a lot of question marks Because the actual question I would like to discuss is how to name this because I’m completely done with naming I don’t know any acronyms that are good for this I have some name suggestions that I got from people on this conference I would take out the hybrid approach because we use hybrid too often already but yes please come to me if you want to vote for one of those claims or if you have any suggestions because I really need a new name yes thank you and just text me [Applause] [Applause] okay um I get right to the point um our community is divided uh who here is team additive notation who here is team multiplicative notation okay so um as we see our community is divided uh at least in my head this argument goes something like this um uh first we have additive notation starting with uh do you even uh do you disrespect wean do you just wish to make abble and jakobi die it has always been uh additive notation since Abel’s addition serums it’s always been the complex numbers modos some latis that is an additive group why are we even talking about this uh to which multiplicative side responds with well uh always an additive group yeah sure also um we doing cryptography here why are we caring about characteristic zero um in cryptography it’s always been multiplicative since the start of time when Diffy and Helman came up with the first time that we used Diffy and Helman um to which the additive side can can’t let that be so they respond with uh yeah just because we by accident used the wrong notation when we did uh cryptography on the curve y^2 = x^2 * x + one why should we not correct this historic mistake and go back to the additive notation that was always the right thing to do these are divisors divisors are formal sums sums are sums with pluses and so on not products um the multiplicative notation will respond to that that uh yeah you cannot actually use V devices on uh on an singular curve so these must be CER devices and if you pay close attention they’re little uh multiplication signs because multiplicative notation is clearly uh what what the mass was trying to tell us uh so is that it are we for to uh argue over this for the end of time until a cryptographically relevant quantum computer will finally um get rid of this debate and I am here to say no this is not all there is to to notation we can do better than this we can do the one true notation because what we’re doing here is not operating on points we’re not even really using div vises what we’re doing is we using line bundles line bundles uh are uh uh Vector spaces one-dimensional Vector spaces carefully glued to every single point of the curve and in their very structure they encode what what they want to tell us what the algebraic structure is so line bundels use tensor products so um this does look a lot better doesn’t it like look at all these calligraphic letters look at all this nice tensors in in their Circle like this is how it was meant to be this is what we always wanted and uh even when quantum computers arrive we don’t need to we don’t need to give up on on tensor s because of course we can also do that for isogenes uh because why would you use some additive or multiplicative notation when there is also a way better notation right there and if now you think that you don’t really care about either additive or multiplicative notation anymore you just hate this very very much then I have done my job and have United us uh to a new future where we do not longer fight about uh notation because we know which one is the worst thank you [Applause] a result to be presented at ACM CCS 2024 blah blah blah blah blah blah blah blah blah blah a poem let’s agree on a common subset in a Flash asynchronously with nothing more than a hash resilience has to be perfect communication just cubic in theory and practice we hope to make a splash a very bad poem but not AI generated so I take full [Applause] responsibility hello hi sorry for the boring name uh it’s don’t get serious about it so basically this is the classical even monsu Cipher very nice very cool but what about if we put this in a white box so what is a white box well it’s white you know everything about it you know every input and output of every component so it’s not even monso is not secure so the first attempt was taken with this you replace the key addition part with multiple uh table lookup secure table lookup key Des box so we ask one question why so many rounds two rounds even moner is already secure in this setting so we did this we replace one layer with multiple layers but here is an obvious problem in this thing is that if you get a Collison you get some table lookup for free but it works we managed to do the proof and also you can uh do it for continuous leakage you can mask the input output and get a nice Cipher we try to compute the security and we get comparative security and uh competitive uh performance thank you [Applause] hello this will be some vague rumbling about cryptographic as boxes and linear approximations do we have the slides uh so this is uh coming from qualcom I work for qualcom and we do uh communication and processors uh so I’m going to tell you about large size linear approximations for the whole sbox not just for some bits um so it’s maximum size approximations uh we have an information Theory tool for work on sboxes to uh see that sboxes with high DMI will be weak uh motivation is actually differential linear attacks and collision search attacks on Kat and other har functions and it’s going to be a linear weakness in ason and kak sbox and a theor about all quadratic sboxes so here is our tool so we have a uh the following idea can you predict the output difference of an sbox from the input difference so you can measure this by information Theory so it’s simply the mutual information between the two differences this is what we do it’s expressed in bits and so we have here we have the ketak and ask on ask on S box and uh this is uh has been used a lot in cryptography since 1995 appears in Demon stasis and here is the problem it’s possible to see that every small sbox is weak because every SBO leaks at least one bits of information this is undeniable so for example in ascon uh the whole nonlinear layer is passing through 122 bits of information and we would get just 42 bits with the as s box if it replace the ascon sbox and here is interesting um uh law it’s an empirical low um basically from this Mutual information we can actually predict the number of uh cases in which an aine space is mapped to aine space which is very widely used property in in cryptography uh and by the way this never happens for ideal s boxes but it like like in a uh our motivation is also Crypt analysis so we have uh uh differential linear attacks and they work on with connectors like differential property produces two linear properties at the output okay and um uh this is related to some spaces and our observation is actually aine spaces are not required for this sort of property to work uh so here is actually what you do uh in ketak and ascon crypt analysis you are looking for a simple whole sbox aine approximations with a vector and a matrix and the classical method in the literature for showing this like eurocrypt 19 2017 is to use an aine space with four points uh and um what we show that you can forget aine spaces you don’t need aine spaces and then we can do the same thing with 11 points and this is like a football team and then we show The Following result if you have a football team of 11 players for which the whole sbox is approximated you can transfer it to another football field and get another team of 11 players and it also works so here is the general theorem if you get one Matrix which works we can transfer by AB travel in our translation and we get another Matrix which also works so that’s the uh the interesting result thank you very much [Applause] [Music] wa all right we’re going to take our second break and we will resume at 9:30 e e e e e e e e e e e e e e e e e e e e e e e e e e e e e e e [Applause] [Applause] all e [Applause] yes yes thank you so you don’t have to say Quee the video and then they will know to play the video okay yeah okay welcome back everybody we will continue um there will be a surprise talk uh in the the third because we missed one previously you will notice but let’s get back home hello everyone I’m uren and this is Miram so tomorrow is our talk and we’re going to present the trailer of our talk C the music oh video uh you uh play the video please oh we do [Music] in this C fi where ts [Music] are does a great make come to World in this crypto death where Secrets being true B comes to the play joining the game [Music] oh those single state I’m broadcas stay no coming the way hard to on this road I’ll take a s again withing [Music] Don’t Be Afraid is here verify and idenify the [Music] man with our AQA everyone join the crew proves are everywhere CL they it CL in called R we fly away there to the end that’s what we did [Music] [Applause] stay tuned for our talk tomorrow thank [Applause] you yes so if if you want to need the music video you yes I will signal yes yes yes of course all right hello everyone hello everyone and uh Sandra already told you Switzerland won the Eurovision song contest wooo so now I’m here for the eurocrypt song contest and you can think of this as an attacker villain song please start the music welcome to the show let everybody know I’m done proving with gains I’m breaking the blockchains you better Buck on up I’m coming for your app like rainbow now we can your protocols come down w w I found your Bri I found a way to H with my L attack I broke your code wo ho ho and when you sign I just measure the time short no is I broke your c yeah let me tell you a from my with the people who C got the right they don’t have a proof Insight this all my trust just just took one night there’s no ma on your bik your can’t right when you use the CRT and I cover b d home I bur your private I found a way to H with My lasses ATT attack I broke the Cod wo ho ho and when you sign I just measure the time sh no say mind I broke your code W ho somewhere between the O and one [Music] your zero knowledge proves not sound you used wi somewhere between the and [Music] on your zero knowledge proves not sound you me [Music] oh I have found the way to hack with My lasses ATT attack I broke your C wo ho ho and one you son I just measur the time short is I broke up wo wo thank you [Applause] Switzerland hi everyone actually speaking of breaking codes in real life we’d like to announce our winners of the ti melis challenges that we launched one year ago so this was about melis we want we had um we had challenges for message recovery and key recovery on actual Mel crypto system we started one year ago and actually 3 weeks ago we stopped the competition we had three tracks the first track was um M Mel’s C recovery Theory Mel’s Q recovery practice and Mel’s message recovery and today I’m here to announce the winners um for the first track we award $110,000 to the team from France whose name is rura he should be here in the audience for his paper called um well his and his team’s paper called a new approach based on quadratic forms our second winner for the meles Practical key recovery track that also wins $10,000 is Lawrence PNY also here he broke what we estimated as 83 bit security uh challenge so this the pr song is for you well done and for the melis message recovery we have a winner with a cryptic name run timer who solved the 60 bit uh instance so yeah that’s that’s the end of our challenge we’re really happy with the result we think that uh we really advanced in Mel’s C recovery uh problem and we also think that the massage recovery in Mel is is pretty stable given the results and we’d like to thank all the participants thank you can I take two yeah you’re finished in time so you’re allowed to talk h ah yes hello oh yes yes no you’re good why is there a thing that says vigorously wiggling why does it say vigorously wiggling I I don’t know yes oh oh okay hi guys um this is submit to se fail I haven’t seen most of these slides um but let’s do it this is actually slideshow caraoke thank you con for making the slides maybe anyways so everyone’s favorite Workshop is back you know today I’ll be presenting myself as sefil and who are you exactly that’s sefil okay yeah so sefil is the conference for failed approaches and insightful losses in cryptology which is an Affiliated workshop at crypto woo um and this venue is not exclusive for things that haven’t been solved it can be things that you end up reaching solution for it’s all about the process you know the real friends were the oh darn it the Christmas was the real friends we been along the way anyways a potential venue for workshopping ideas that you’re stuck on and you want to talk to other people to get ideas for um the community wants to hear from you what do you mean why anyways so Comm consider submitting to se fail if C you were supposed to fill this out okay consider sub to C fail if your failure is a perfectly fine pizza maybe there’s little burns on the edges but you know what they’re con if you submit somewhere else that’s not [Laughter] us what do you mean it’s quiz time okay so when is the submission deadline for Seafield 2024 is it a June 1st 2024 no you’re not supposed to show the answer yeah you dummy okay um sorry KH told me I cannot be sober for this so thank him for this anyways B June 2nd 2024 C June 5th 2024 or D June 9th 2024 con already showed you the answer so you guys are all millionaires now congrats wait what sorry you guys are not millionaires um what is the final submission dead wait con you’re supposed to tell them we’re going to extend it um okay that’s a surprise but we are going to extend the deadline um because oh you know deadlines are hard whatever uh what is the final submission deadline for sefil 2024 I’m not going to read these out no yeah it’s June 8 so guys submit to sefil uh what else is there wait con this enough of decent numers there’s a sea song coming soon but I can’t read um now it’s FC oh straight from Zur let’s go um a freestyle I got 99 PS but CH cf8 won what is a bar he’s finished with the next line I got 99 PBS but a cherry and se8 one you have to WR say another line which rhymes with one oh it ain’t one um one minute there’s a one another try suffering so hard I need Escape From Success um I’m going to put you in the iron press sorry this is not a threat this is not recorded right um anyways they’re even funnier lines in the full version of the song when we get a real rapper whose name is Con well my time is almost up so I want to let you know um don’t forget to submit to the zero knowledge Workshop that the deadline is in 2 weeks in Edinburgh find markhof and umage and and they have like it’s icr funded and there’s spots for 60 people I don’t know just go to Ed is fun thank you [Applause] hey so yeah this is a boring broadcast for do dkg so let’s talk about uh Frost T ofn threshold signatures you may have heard of frost it’s awesome scheme by Klo and Goldberg uh it has a lot of applications and cryptocurrencies people want to implement and it uh there is even an RC up upcoming so cool so let’s implement this thing so okay so the first thing we we going to need is a distributed key generation okay and H well unfortunately the RFC says it’s out of scope so uh well whatever so uh dkg is is a solve problem in theory right for example if you want to have a look at our crypto Piper from last year there’s a nice algorithm so okay let’s can we just implement this algorithm okay let’s let’s go ahead and implement this and so ah well okay if you have a look at the fine print there’s different in practice right so it requires reliable broadcast protocol and Ah that’s kind of hard in practice so what does it even mean like reliable though the paper of course won’t tell you and then none of the papers will tell you and like can can we even do this I mean this Frost supports this honest majority can we get reliable podcast in this honest majority like how how can we even do that okay so this is really a problem and then then practice and we really really believe that this holds back the deployment of frost in the in the real world even though a lot of teams announce they will implement this and deploy it they they can’t get it into to work in practice because they don’t know what to do with the broadcast channel and the and the dkg so why do we even need broadcasts and uh have let’s have a look at the two of three uh at this two of three example so there is an attacker um let’s say we don’t have broadcast what the attacker can do it again attacker can equivocate and send a valid message to one of the participants the participant thinks okay cool awesome the dkg has finished let’s just send some money to the resulting public key and the other guy thinks oh well I’m not sure it hasn’t finished whatever so now we’re in a really bad situation because there’s just one signer left but we need two signers to create the signature so the money is gone right so this signer is out of the game and well this is the adversary it won’t they won’t have be there so the money is gone this is bad this is what we want to avoid and the essential requirement here forget about prodcast but what what I really need here is if I finish as honest participant icon conv wince every honest participant to finish and this is this is really the property we need and what what can we do to achieve this and here is the most boring thing we can do so first run the dkg protocol without a podcast Channel but don’t finish yet then everyone signs the transcript of the dkg protocol sends the signature to everyone and then only as a participant only if you received all the end signatures you you finish so it really means just get a signed statement from everyone that they agree on the on the um transcrip toal protocol and this works right and uh why does it work well if the if the upper guy finishes now he can convince the the lower guy because he has a transcript and the signatures and the other guy will also finish so this is exactly the property that we needed and when I tell this to people they tell me all kind of objections and one common objection I hear is that well but this is trival but okay I mean it’s true but I want to use this thing I don’t want to publish about it okay so let’s just do this and if you if you think this is interesting actually not boring we think it’s not that boring uh here has ch re writing us back about this uh talk about it talk to us if you’re [Applause] interested all right hello everyone today we’re going to talk about the tier list of random Oracle model so we already know what random Oracle model is it is something that returns consistent random values uh but these days there are many variants for different constructions and so it is more like a roll your own model now and we’re going to do a tier list of these models if you have never seen a tier list it’s basically an S for Zoomers so it is just uh uh the higher the better and it’s all subjective and we’re just having fun here so keep a note of that and let’s start with the good old drum uh let’s be conservative and put it on B tier so now we have the back door Dr theorical model this is the one that governments use but it has a friend l so I think it’s a tier then your you have the signing random Oracle in this one the random Oracle signs with the query so that you don’t have to recheck it with the random Oracle to check the consistency you just verify the signature but then you need a trust execution for realizing this so in my opinion it’s CER then you have the low degree R in which you have a low degree extension of your random Oracle so you can execute scharle so you make constant number of queries to check the consistency of n queries I think it’s better than srom So it’s b tier then you have a this basically have two different query this is this stands for artiz random Oracle this have Oracle for your arithmetic representation of the random Oracle and another one this solves these like non Black Box issues of uh using random Oracles in snarks and a a tier then you have sha three this is not really a model but this along with sha two this is the most common Ed random Oracle so definitely s tier then you have posidon this is also becoming popular because of the ZK stuff but I don’t believe in random Oracle that looks like polinomial so see it here then you have the global random Oracle which is uh used for having this random orle stuff in the UC setting first of all I don’t understand any of that and for me you standun for under SE here then you have the universal random Oracle which is the same thing like a global random Oracle for but for game based proofs so a tier then you have axillary input random Oracle model which actually implies Universal Rand morle so I wanted to put it on the same tier as the eurom but it has AI inside so I put it on B tier but then I thought like maybe I should be more optimistic about like AI so we have these things now so after some prom hacking I would like to introduce you to large language and the morac model so as you can see here you can have any input and you get back a 256bit result and it’s consistent if you do it again and even if you change it slightly you get a complet different number and note that it doesn’t forget the Old State but the problem is this is not enough because if you’re writing uh uh proofs you do more things with TR morle for instance you want to do reprogramming you want to set the query but it obviously tells you you cannot do that but would be practically secure but if you’re writing a proof you can just depend that okay please I’m writing a proof then it will happily do it for you so you can requery your a different query and then it just resets it so programming is enough not enough enough you need to do pre-image interception as well so to do proofs again so normally it can’t do it but using the same trick you can get the pre-image which was 1 2 3 4 so I think this is like quite practical and it lives in uh Both Worlds so maybe AI is not that bad so l r definitely s tier of course I didn’t uh forget about Cur and I would actually wanted to try whether L implies curome so I wrapped my input put in uh Quantum register and asked but it still doesn’t understand the complexion and moral stuff so it’s definitely Zander tier so that’s our tier list I think there are like many more and as a future work I would very I would be very happy to see a last this Blood space assumption tier list so ideas for the new other R ration talks and that’s it and you can see the full conversation of the L ROM here thanks thank [Music] [Applause] you all right y’all I know you’re tired of seeing me up here I just I’m also tired of speed up here this is a terrible idea um but let’s talk about epig cuz um these people are guilty of making me come up here when I just want to have fun thank you Ron Jack Anna and Lance so if you were doal at like the right moment in time you probably saw a talk by Anna that had this slide and like okay so I’m going to talk about IG I’m sorry for everyone who hates you see him whatever um but don’t worry like ideal signatures were also considered by people other than ketti there’s a long list of references there’s even more but anyways you might be wondering if there’s like such a long history of people messing with fig what’s so hard about it like everyone knows what a signature is well let’s take a look at one of the Fig things I’m not going to make you read this because it’s a rum session um but anyway so essentially the thing is that oh yeah sorry this is a serious talk um but yeah so the thing is that like this epic has the signature supplied by the adversary but it’s kind of not great because you pass your activation out of the functionality and so like weird things can happen trust me um well okay let’s try to patch it let’s try to not pass activation outside of the adversary um outside of the functionality maybe what if we Supply algorithms by the adversary and now when we want to generate a signature we’re going to run that algorithm well notice that now you can actually produce error messages which whole new Avenue of weird things that can happen and so you can even block an honest party from producing signatures which if you’ve ever run a signature algorithm that’s kind of wild so you right now probably like oh I sure wish there was an AB that couldn’t stop so early wow it’s my besties this group of people you wouldn’t happen to have anything that you’re working on right wow but we do coming soon aint and um hopefully somewhere else like it’d be nice to travel it might be nice to do other things we’re going to have an Unstoppable ideal functionality for signatures and a modular analysis A do of strong broadcast wow strong also because I can’t do any talk with not showing off my cats you’ve been [Applause] lobstered you go so hello everyone uh fortunately this is the very last serious talk of the but I will keep it short uh I would like to announce uh basically uh newpaper that we recently printed uh which introduces a new digital signature which is both Anonymous and civil resilience uh called seral signatures um so seral signatures are civil uh resilience in a sense that uh we bind users unique real world identities to their digital signatures generating credentials uh which results in at maximum uh basically one credential per context or application and uh they are Anonymous in a sense that all these credentials are unlinkable and basically reveal no information about the identity of designer uh and the question actually me together with my co-authors ailos Marco F and Elizabeth CH ask ourselves was that how can we efficiently basically handle this mapping between uh real world identities to credentials distributed it across multiple shes with bentin f tolerance uh in a way that all these issues are completely stateless with basically no memory while maintaining privacy and ensuring civil resilience all at the same time which seems like a paradox how can you prevent civil attacks in a fully Anonymous setting with absolutely uh no State no memory which actually resulted uh in this uh basically paper uh the answer to this question so yeah thank you very much uh if you are interested in this topic please reach out to me [Applause] [Music] cheers so so attention everyone so I it’s my pleasure to announce the next edition of eurocrypt uh [Applause] 2025 so if you don’t know yet so it’s going to be in Madrid Spain from uh May 4th to May 8th 2025 and the Affiliated events are going to be in the weekend before uh May 3 and 4 so uh this is going to be uh okay you know how to reach Madrid so it’s a very uh uh convenient ly located um with an airport that reached many cities with direct flights so uh this is going to be our venue so it’s the hotel rasa ESP is in it’s an historical building in the her of Madrid City Center it’s walking dist to the uh lot of main attractions of the city like the Royal Palace the museums the very nice parks and uh it’s uh also conveniently located so you can reach it uh very easily with an extensive public transportation Network uh we are going to use its Congress Center uh that features lots of rooms and um and Conference facilities so let me advertise Madrid so what you may not if you don’t know Madrid so it’s a city that offers lots of stuff so it’s has a lot of Arts lots of beautiful museums um with lots of masterpieces there’s a lot of monuments side seeeing and the Vian vibrant night life lots of good [Applause] food and uh it also offers a lots of entertainment and Sport activities if you are into uh football or tennis for example May 4 will be the final of the Madrid tennis open and well next year is going to be the scene for U so if you want to come start uh getting ready to submit your papers these are the tentative deadlines so October uh 2 uh for the submissions uh and uh September 4 it’s a tentative deadline for proposing your Affiliated events so some more information the program co-chairs are going to be search fair and pieren fuk so General coachers it’s myself ignasio gudo and marel gonzale Vasco that are uh with me here and our website is up and running from today so if please check it out for more information and on behalf of Inda that is our uh main uh organizing institution it’s uh my pleasure to say that we are looking forward to OST in Madrid all right I want it noted that we are ending on time so we’re going to take all the rest of the chocolates um we have two prizes that we want to award for the for the rum session talks um the first of which I’m forgetting the exact title but I think it was what happens on the pleasure boat stays on the pleasure boat [Applause] congratulations thank you your prize and the prize is chocolate and a set of Cards Against cryptography and appropriately for our second prize I think it’s a good answer to the question of why that code sticker looks so sad uh the song I broke your code [Music] thank you very [Music] much we have time for a second rendition I I think we do actually have time for a second rendition if you’re willing to do it again I I think the audience would enjoy that do we need to get the slides up one second this time let’s have the audience sing along when you feel moved thank you very much thank you for your love everybody and thank you for all the rum session talks they were amazing and in the meantime I would also like to thank you my wonderful helpers who are here Mato Shannon Matilda almost there almost there almost there almost there don’t worry they still need to prepare a little bit okay all right whenever you want they also have to find the file back I guess we got it okay there we go yeah almost [Applause] there okay thank you thank [Applause] you yeah I also want to say that this song was written uh while on the pleasure boat by the way W welcome to the show that everybody know I’m don’t proving with games I’m breaking the block chains you better back up I’m coming for your up the we can your come down [Music] I found your I found the way to HCK with my lce I broke your C W and when you side I just measure the time show say ever I broke up C W yeah let me tell you my with the people who C got right they don’t have a proof Insight CP do work got nothing right there so much worse than S the attack just took one night L on your right your key I can right like when you use the CRT and I cover a be home I find your bra I have found the way to hug with my last I broke up G W back home and when you sign I just measured the time shes mind I broke up somewhere between the and was your zero knowledge proves not sound you used somewhere between the and on you’re zero knowledge proves not sound you use me [Music] I have found the way to HCK with my L attack I broke your home and when you sign I just measur the time sosters have I BR up go wo ho ho wo ho ho [Applause] and that concludes the rum session thank you all for attending [Applause] w e e e e e e e e e e