NordiCrypt
Spring 2026
Monday March 2nd at DTU Copenhagen
Venue: On March 2nd we will hold the next NordiCrypt meetup at DTU in Kongens Lyngby in Building 101, Room S01. We will start at 10:00 am.
To attend the workshop, you can take bus 150S or 15E from Nørreport to Rævehøjvej/DTU station, from where Building 101 is only a five-minute walk away.
Alternatively, you can take the A or E S-Tog from København H or Nørreport until Lyngby Station, and take the 300S bus from there to DTU (Anker Englunds Vej).
Schedule: Scientific Program from 10:00 to 16:30.
Catering: We will provide snacks and drinks upon arrival and during the breaks. We will reserve a table for lunch in the canteen of the 101 building.
Dinner: In the evening, we will have dinner in Copenhagen. Details will follow.
If you want to attend, then we kindly ask you to register here.
Deadline for submitting talks is Sunday February 22nd. Talk submission is done via e-mail to robip@dtu.dk. Selected talks will appear in the agenda by Wednesday February 25th. Depending on the number of submitted talks, the allocated slot length will be either 30 or 15 minutes.
10:00 – 10:20 Coffee and snacks
10:20 – 10:50 Efficient, UC-secure and Publicly Auditable MPC from OLE and VOLE-in-the-head
Chiara-Marie Zok (DTU)
Abstract Secure Multiparty Computation (MPC) computes on private input data but generally does not guarantee correctness of the output towards third parties. This property, also called public auditability, was first studied explicitly by Baum et al. (SCN 2014). Their work and its follow-ups generate a Non-Interactive Zero-Knowledge proof of correctness of the MPC outcome during the MPC protocol, ensuring validity of the output even if all parties are corrupted.
In this work, we revisit and improve the MPC with Public Auditability blueprint. While the original work uses a version of the SPDZ MPC protocol with lattice-based preprocessing, our construction combines any generic OLE-based preprocessing with a publicly verifiable somewhat linearly homomorphic commitment scheme from VOLE-in-the-head in a non-trivial way. Our commitment scheme relies solely on random oracle calls instead of previously used linearly homomorphic commitments based on structured Public-Key assumptions.
10:50 – 11:20 Concretely Efficient Blind Signatures Based on VOLE-in-the-Head Proofs and the MAYO Trapdoor
Marvin Beckmann (DTU)
Abstract Blind signatures (Chaum, CRYPTO 82) are important building blocks in many privacy-preserving applications, such as anonymous credentials or e-cash schemes. Recent years saw a strong interest in building Blind signatures from post-quantum assumptions, primarily from lattices. While performance has improved, no construction has reached practical efficiency in terms of computation and communication. The state of the art requires at least 20 KB size of communication for each showing of a lattice-based Blind signature to a verifier, and more than 100 ms in prover time.
In this work, we propose an alternative direction with a plausibly post-quantum Blind signature scheme called PoMFRIT. It builds on top of the VOLE-in-the-head Zero-Knowledge proof system (Baum et al. CRYPTO 2023), which we combine with the MAYO digital signature scheme (Beullens, SAC 2021). We implement multiple versions of PoMFRIT to demonstrate security and performance trade-offs, and provide detailed benchmarks of our constructions. Signature issuance requires 0.45 KB communication for Blind signatures of size 6.7 KB.
Showing a Blind signature can be done in < 76 ms even for a conservative construction with 128 bit security. As a building block for our Blind signature scheme, we implement the first VOLE-in-the-head proof for hash functions in the SHA-3 family, which we consider of independent interest.
11:20 – 11:40 Coffee break
11:40 – 12:10 A Maliciously-Secure Post-Quantum OPRF from Crypto Dark Matter
Aron van Baarsen (AU)
Abstract We construct protocols for oblivious pseudorandom functions (OPRFs) based on alternating moduli assumptions in the "Crypto Dark Matter" paradigm (Boneh et al., TCC 2016). Prior OPRFs based on this type of assumption were only secure against a semi-honest adversary. We show how to obtain maliciously secure protocols, by leveraging new cut-and-choose techniques for generating correlated randomness based on vector oblivious linear evaluation (VOLE), which allow efficient conversions between different moduli in zero-knowledge and secure two-party computation.
Compared with the state-of-the-art GOLD OPRF (Yang et al, S&P 2025), our construction has a faster online phase in all settings, as well as overall better efficiency in the small-batch setting. Furthermore, our construction supports obtaining a secret-shared output, and can be extended to handle secret-shared inputs. This opens up additional applications in variants of private set intersection and secure database operations.
12:10 – 12:40 Faster proofs and VRFs from isogenies
Robi Pedersen (DTU)
Abstract We improve recent generic proof systems for isogeny knowledge by Cong, Lai, Levin based on circuit satisfiability, by using radical isogeny descriptions to prove a path in the underlying isogeny graph. We then present a new generic construction for a verifiable random function (VRF) based on a one-more type hardness assumption and zero-knowledge proofs.
We argue that isogenies fit the constraints of our construction and instantiate the VRF with a CGL walk and our new proofs. As a different contribution, we also propose a new VRF in the effective group action description of isogenies. Our protocol takes a novel approach based on the polynomial-in-the-exponent technique, but without the need of a trusted setup or heavy preprocessing. We compare our protocols to the current state-of-the-art isogeny VRFs by Leroux and Lai, with a particular emphasis on computational efficiency.
12:40 – 14:00 Lunch break
14:00 – 14:30 The Landscape of Reusable Garbling
Rahul Satish (ITU)
Abstract Reusability is a recurring theme in cryptography, appearing in various contexts where a one-time setup produces an encoded program that can be applied to multiple inputs. A particularly clean setting for reusability arises in garbling schemes: a garbler publishes a garbled circuit that can be evaluated on multiple inputs chosen by an evaluator. While one-time garbling has become a central and widely applicable primitive, its reusable variant has received comparatively little attention, typically studied only as a consequence of public-key functional encryption (FE).
In this work, we revisit the foundations of reusable garbling and develop a framework that clarifies its relationship to other reusable primitives. We show that reusable garbling is equivalent to a single-key private-key variant of FE, capturing exactly the guarantees required for reusability and isolating it as a primitive in its own right. This equivalence implies a blackbox separation between reusable garbling and public-key FE, establishing that reusability can be realized entirely within the private-key setting without invoking public-key mechanisms.
Building on this perspective, we demonstrate direct constructions from several inherently reusable primitives, including indistinguishability obfuscation (iO), laconic function evaluation (LFE), homomorphic secret-sharing (HSS), and function secret-sharing (FSS), each offering different trade-offs in efficiency and functionality.
14:30 – 15:00 Security of Fischlin Transform in Quantum Random Oracle Model
Jaya Sharma (DTU)
Abstract The Fischlin transform yields non-interactive zero-knowledge proofs with straight-line extractability in the classical random oracle model. This is done by forcing a prover to generate multiple accepting transcripts through a proof-of-work mechanism. Whether the Fischlin transform is straight-line extractable against quantum adversaries has remained open due to the difficulty of reasoning about the likelihood of query transcripts in the quantum-accessible random oracle model (QROM), even using the compressed oracle methodology.
In this work, we prove that the Fischlin transform remains straight-line extractable in the QROM, via an extractor based on the compressed oracle. This establishes the post-quantum security of the Fischlin transform, providing a post-quantum straight-line extractable NIZK alternative to Pass’ transform with smaller proof size. Our techniques include tail bounds for sums of independent random variables and martingales as well as symmetrization, query amplitude and quantum union bound arguments.
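The proof-of-work mechanism and the straight-line extractor mentioned in the abstract can be seen concretely in the classical random oracle model. The following is an added example for this page, not code from the speaker or the paper: a toy Fischlin transform applied to Schnorr's Sigma protocol, with the random oracle replaced by truncated SHA-256 that keeps a log of its queries. The group (p = 1019, q = 509, g = 4) and the Fischlin parameters (R, T, B, S) are assumptions chosen so the example runs instantly and are far too small for real use. The extractor simply reads the query log and solves for the witness from two accepting transcripts with the same commitment and different challenges; in the QROM a prover queries the oracle in superposition and no such log exists, which is exactly the gap the compressed-oracle extractor of the talk addresses.

```python
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 with q prime, and g = 4 generating the
# order-q subgroup. Assumed parameters, far too small for real use.
P, Q, G = 1019, 509, 4

# Fischlin parameters (assumptions for this toy): R repetitions, T-bit
# challenges, B-bit hash window, S bound on the sum of hash values.
# Fischlin's analysis needs roughly R*B = security level and T > B.
R, T, B, S = 8, 8, 4, 8


class RandomOracle:
    """SHA-256 truncated to B bits, with a query log. The log stands in for
    the extractor's ability to observe the prover's oracle queries."""

    def __init__(self):
        self.log = []

    def query(self, x, commitments, i, e, z):
        msg = f"{x}|{','.join(map(str, commitments))}|{i}|{e}|{z}".encode()
        h = int.from_bytes(hashlib.sha256(msg).digest(), "big") & ((1 << B) - 1)
        self.log.append((x, tuple(commitments), i, e, z))
        return h


def keygen():
    """Witness w and statement x = g^w (mod p)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)


def schnorr_accepts(x, a, e, z):
    """Sigma-protocol verification: g^z == a * x^e (mod p)."""
    return pow(G, z, P) == (a * pow(x, e, P)) % P


def fischlin_prove(ro, x, w):
    """Non-interactive proof: for each of the R commitments, search the
    T-bit challenge space for a transcript whose hash is 0 (proof of work),
    keeping the smallest hash seen as a fallback."""
    ks = [secrets.randbelow(Q) for _ in range(R)]
    commitments = [pow(G, k, P) for k in ks]
    proof = []
    for i in range(R):
        best = None
        for e in range(1 << T):
            z = (ks[i] + e * w) % Q
            h = ro.query(x, commitments, i, e, z)
            if best is None or h < best[0]:
                best = (h, e, z)
            if h == 0:
                break
        proof.append((commitments[i], best[1], best[2]))
    return proof


def fischlin_verify(ro, x, proof):
    """Every transcript must be accepting and the hash values must sum to at
    most S. Hashes bind the whole commitment vector, so transcripts cannot
    be mixed between proofs."""
    if len(proof) != R:
        return False
    commitments = [a for a, _, _ in proof]
    total = 0
    for i, (a, e, z) in enumerate(proof):
        if not (0 <= e < (1 << T) and schnorr_accepts(x, a, e, z)):
            return False
        total += ro.query(x, commitments, i, e, z)
    return total <= S


def straight_line_extract(ro, x):
    """Classical straight-line extractor: read the oracle log and look for two
    accepting transcripts with the same commitment and different challenges,
    then solve z - z' = (e - e') * w for w. No rewinding of the prover."""
    seen = {}
    for qx, commitments, i, e, z in ro.log:
        if qx != x or not schnorr_accepts(x, commitments[i], e, z):
            continue
        a = commitments[i]
        if a in seen and seen[a][0] != e:
            e2, z2 = seen[a]
            return (z - z2) * pow((e - e2) % Q, -1, Q) % Q
        seen.setdefault(a, (e, z))
    return None


if __name__ == "__main__":
    ro = RandomOracle()
    w, x = keygen()
    proof = fischlin_prove(ro, x, w)
    print("verifies:", fischlin_verify(ro, x, proof))
    print("extracted witness matches:", straight_line_extract(ro, x) == w)
```

The honest prover walks the challenge space in order, so its log almost always contains several accepting transcripts per commitment and extraction succeeds without interacting with the prover again; a cheating prover that only ever hashes one transcript per commitment passes verification with probability about 2^(-B) per repetition, which is what the bound on the hash sum enforces.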
15:00 – 15:30 Snack break
15:30 – 16:00 Protection Against Subversion Corruptions via Reverse Firewalls
Paula Arnold (Universität Lübeck)
Abstract TBA
16:00 – 16:30 Provable decryption failure security for practical lattice-based PKE
Fabrizio Sisinni (DTU)
Abstract Recently, Hövelmanns, Hülsing, and Majenz introduced a security notion called Find Failing Plaintext – Non Generic (FFP-NG), which captures the ability of an adversary to find decryption failures by making non-trivial use of the public key. A first analysis of this property for lattice-based schemes was presented by Majenz and Sisinni, who showed that the Learning With Errors (LWE) problem reduces to breaking the FFP-NG security of the PVW scheme with discrete Gaussian noise. In this work, we generalize their result by analysing the FFP-NG security of widely used schemes based on Ring-LWE and Module-LWE. To keep our analysis as general as possible, we consider a family of subgaussian distributions that includes, among others, discrete Gaussians and centered binomials.
The NordiCrypt dinner will be at RizRaz in downtown Copenhagen, conveniently close (~15 min walk) to the train station, for those who still have to take a train back home.
To get from DTU to RizRaz you can take the 150S or 15E buses from Rævehøjvej (DTU) bus station to Nørreport, from where it is a 10 min walk to RizRaz.