• 9:00 - 9:45 Arrival + breakfast
  • 9:45 - 10:00 Opening remarks
  • 10:00 - 10:45 Alex Davidson
  • 10:45 - 11:00 Short break
  • 11:00 - 11:45 Elizabeth Crites
  • 11:45 - 12:30 Ioana Boureanu
  • 12:30 - 14:00 Lunch
  • 14:00 - 14:45 Christian Weinert
  • 14:45 - 15:00 Short break
  • 15:00 - 15:45 Ben Dowling
  • 15:45 - 16:15 Break
  • 16:15 - 17:00 Mary Maller
  • 17:00 - 17:30 Lightning talks
  • 17:30 - 19:00 Reception


Please register using this link.


10:00-10:45 Alex Davidson (Brave): STAR: Low-Cost Private Analytics for Everyone

We present STAR, a new protocol framework that allows clients to provide software measurements to an untrusted aggregation server with concrete privacy guarantees: ensuring that client data is revealed only if it is shared by a sufficiently large crowd of other clients. The cryptographic primitives used in STAR are deliberately chosen to emphasise simplicity in the protocol design, and to ensure that it is extremely efficient to run — even on millions of client measurements. Together, these properties ensure that STAR can be used by any system or software project, regardless of scale or technical expertise of implementers. STAR is actively used by the Brave Internet browser at large-scale, is a candidate for standardisation with the IETF, and an implementation is provided open-source (with permissive licensing) for anybody to use.

11:00-11:45 Elizabeth Crites (University of Edinburgh): Recent Developments on Multi-Party Schnorr Signatures

Schnorr signatures are one of the most widely used and studied primitives in public key cryptography. Recently, there has been a flurry of research activity around multi-party Schnorr signatures, driven in part by their use in securing cryptocurrency wallets. Of particular interest are multisignatures and threshold signatures, which allow a group of signers, or some threshold of them, to jointly compute a Schnorr signature. In this talk, I will discuss recent developments on multi-party Schnorr signatures as well as new directions, and describe my own research therein.

11:45 - 12:30 Ioana Boureanu (University of Surrey): How fast do you heal? A taxonomy for post-compromise security in secure-channel establishment

Post-Compromise Security (PCS) is a property of secure-channel establishment schemes, which limits the security breach of an adversary that has compromised one of the endpoint to a certain number of messages, after which the channel heals. An attractive property, especially in view of Snowden’s revelation of mass-surveillance, PCS features in prominent messaging protocols such as Signal. In this paper, we introduce a framework for quantifying and comparing PCS security, with respect to a broad taxonomy of adversaries. The generality and flexibility of our approach allows us to model the healing speed of a broad class of protocols, including Signal, but also an identity-based messaging protocol named SAID, and even a composition of 5G handover protocols. We also apply the results obtained for this latter example in order to provide a quick fix, which massively improves its post-compromise security. This paper has been accepted to Usenix 2023, and it is joint work with Leo Robert (Universite Clermont Auvergne), Olivier Blazy (École Polytechnique, France), Cristina Onete (University of Limoges/XLIM/CNRS 7252) and Pascal Lafourcade (Universite Clermont Auvergne)

14:00-14:45 Christian Weinert (Royal Holloway, University of London): Secure Quantized Aggregation for Federated Learning

Privacy concerns in federated learning (FL) are commonly addressed with secure aggregation schemes that prevent a central party from observing plaintext client updates. However, most such schemes neglect orthogonal research that aims at reducing communication between clients and the aggregator, which is instrumental to facilitate cross-device FL with thousands of (mobile) participants. In this talk, we will discuss efforts to unite both research directions with an efficient secure aggregation scheme based on outsourced multi-party computation (MPC) that supports a wide range of linear quantization schemes. Additionally, we will present ideas to ensure robustness with a novel method to detect malicious client updates, thereby effectively defending against state-of-the-art poisoning attacks.

15:00-15:45 Ben Dowling (University of Sheffield): Matrix Reviewed

Matrix is a decentralised, federated group messaging protocol that intends to achieve strong (but subtle) notions of secure messaging by combining symmetric ratcheting encryption schemes with two-party secure messaging protocols. Recently announced vulnerabilities in the Matrix protocol and its client implementation Element have demonstrated the difficulty in designing group messaging protocols, even when composing together secure building blocks. In addition, Matrix’s design reveals interesting functionalities that have yet to be captured in a formal security model. In this talk, we explore the Matrix messaging protocol, discussing its underlying subprotocols and highlight the exact security notions that Matrix aims to achieve.

16:15-17:00 Mary Maller (Ethereum Foundation): Caulk: Lookup Arguments in Sublinear Time

We present position-hiding linkability for vector commitment schemes: one can prove in zero knowledge that one or m values that comprise commitment cm all belong to the vector of size N committed to in C. Our construction Caulk can be used for membership proofs and lookup arguments and outperforms all existing alternatives in prover time by orders of magnitude. For both single- and multi-membership proofs the Caulk protocol beats SNARKed Merkle proofs by the factor of 100 even if the latter is instantiated with Poseidon hash. Asymptotically our prover needs O(m2 + m log N) time to prove a batch of m openings, whereas proof size is O(1) and verifier time is O(log(log N)). As a lookup argument, Caulk is the first scheme with prover time sublinear in the table size, assuming O(N log N) preprocessing time and O(N) storage. It can be used as a subprimitive in verifiable computation schemes in order to drastically decrease the lookup overhead. Our scheme comes with a reference implementation and benchmarks.