Below are the abstracts of the invited talks (when available).
Damiano Abram (University of Edinburgh)
TBA
Martin Albrecht (Kings College London)
In this talk I will reflect on our experiences analysing cryptography deployed “in the wild” and give recommendations to fellow researchers about this process.
Based on joint work with Kenny Paterson
https://eprint.iacr.org/2024/532
Elette Boyle (NTT Research)
TBA
Sofia Celi (Brave)
Zero-knowledge proofs (ZKPs) are increasingly positioned as the privacy-preserving foundation for high-stakes identity systems: from decentralized authorization to government-mandated age verification. Yet the promise of cryptographic privacy can obscure the practical fragility of the systems built around it. We present our analysis of zkLogin, the most widely deployed Zero-Knowledge Authorization system, showing that its security cannot be reduced to the underlying ZKP: the real vulnerabilities lie in JWT parsing, issuer trust, and outsourced proving infrastructure, none of them cryptographic in nature. We then extend this lens to age verification, arguing that ZKP-based deployments can embed surveillance infrastructure even when the cryptography is sound.
Anders Dalskov (Partisia)
This talk will focus on the classical CIA triad framed in the context of a real-life MPC systems I have worked with. At a high level, this talk will attempt to tell a story of how notions of Confidentiality, Integrity, and Availability—as defined in the MPC literature—aren’t always quite enough for a real system. This shouldn’t come as a surprise. Nevertheless, I believe (and hope) that this talk provides interesting food for thought.
An outline of the topics covered is provided below.
On Confidentiality. MPC protocols are all defined over some ring R—typically a finite field. It is rarely the case that R is a perfect match for the data type that the user expects. At “best” this mismatch leads to a poor use experience; at worst, it can lead to loss of confidentiality.
On Integrity. I will examine publicly verifiable protocols, for which I see to ways to construct: Assume it holds (and use a blockchain for good measure). This is often good enough in practice. If this is insufficient, techniques related to ZK proofs can be used. However, here we have to be careful, lest we end up with strange threat models (that might actually be worse in practice).
On Availability. Some MPC protocols provide a bit of availability. E.g., an honest majority protocol can tolerate t crashes and still perform a computation (which implies the secret isn’t lost). On the topic of availability, I’ll showcase a fun solution to the problem of squeezing a four party protocol into a typical datacenter setup with three availability zones. The solution to this problem requires thinking of availability “non adversarially”, which is often the case in practice.
David Heath (University of Illinois Urbana-Champaign)
Securely computing programs that manipulate complex data structures remains a bottleneck for MPC. Circuit-based protocols incur prohibitive overhead, and while Oblivious RAM (ORAM) can be integrated with MPC to partially alleviate this cost, MPC protocols supporting RAM remain expensive due to their generality.
This talk explores a different approach: rather than treating all programs as generic RAM computations, we design techniques tailored to specific classes of programs. By exploiting program structure, these techniques achieve asymptotically lower cost than general-purpose RAM-based approaches in the same setting.
This approach is surprisingly general and supports rich classes of non-trivial programs. We will examine algorithmic techniques that yield asymptotic improvements for graph traversals, string searches, range queries, and more. More broadly, restricting attention to pointer-machine and purely functional programs can yield asymptotic advantage over RAM-based formulations.
Yuval Ishai (Technion and AWS)
We revisit the question of computing on encrypted data, in the following secret-key setting. A client uploads an encryption of a large input X to an untrusted server and then wishes to make an unbounded number of queries q(X) while hiding q and X from the server, using only its secret key. How efficiently can this be done and under what assumptions?
We present efficient solutions for useful special cases, including matrix-vector multiplication and private information retrieval (PIR). These solutions rely on either the standard Learning Parity with Noise assumption, in a parameter regime not known to imply public-key encryption, or new assumptions related to the hardness of learning a secret linear subspace from noisy samples. The latter assumptions yield efficiency features that no prior approach meets, including a vanishing computational overhead on the server side.
Our core idea, inspired by prior works on PIR with preprocessing, is to encode the input X and the queries q using a pair of secret dual codes, while avoiding linear algebra attacks by adding noise.
Based on joint works with Fabrice Benhamouda, Caicai Chen, Shai Halevi, Hugo Krawczyk, Tamer Mour, Tal Rabin, and Alon Rosen
Bhavana Kanukurthi (IISc Bangalore)
TBA
Marcel Keller (CSIRO's Data61)
TBA
Xiao Liang (The Chinese University of Hong Kong)
TBA
Rachel Lin (University of Washington)
Garbled circuits are a cornerstone of modern cryptography. A central challenge in this area is to construct succinct garbling schemes whose size is asymptotically smaller than Yao’s classical construction, which requires (\Omega(\lambda)) bits per gate.
In the quest for succinct garbled circuits, early works established the feasibility of full succinctness—where the garbled circuit size is independent of the circuit size—using powerful tools such as indistinguishability obfuscation or combinations of attribute-based encryption and homomorphic encryption. However, these approaches incur extremely high computational overhead.
More recent works aim to better balance succinctness and efficiency by relying only on lightweight public-key tools. Concretely, we present a unified framework for constructing partially succinct garbling schemes, yielding one-bit-per-gate garbled circuits, that can be instantiated under a variety of standard group- and lattice-based assumptions. This framework, based on lightweight homomorphic secret sharing together with a new tool called algebraic homomorphic MACs, achieves significantly improved efficiency over prior fully succinct constructions and opens new avenues toward practical succinct garbling.
Joop van de Pol (Trail of Bits)
TBA
Thomas Schneider (TU Darmstadt)
In this talk, I will share some lessons learned from combining ideas in garbling and secret sharing. Motivated by hybrid 2PC protocols as in our ABY framework (NDSS'15), I will give an overview on the state-of-the-art protocols based on garbling and secret sharing. For garbling, I will start with Gate Evaluation Secret Sharing (Kolesnikov, ASIACRYPT'05) which naturally led to Free XOR (ICALP'08), where Choi et al. (TCC'12) refined the exact security properties needed. Using concrete garbling schemes under standard assumptions as example, I'll demonstrate that circuit compilation and garbling should be considered together (JoC'23). In the area of secret sharing-based protocols, I will survey our recent protocols ABY2.0 (USENIX Security'21) to efficiently evaluate multi-input AND gates and dot products and our generalization to efficient evaluation of lookup tables in FLUTE (S&P'23). Finally, I conclude with our approach to use secret sharing for encrypted multi-channel communication which can be easily understood by a broad general audience (WPES'24).
Phillipp Schoppmann (Google)
TBA
Xiao Wang (Northwestern University)
TBA