21-06-2024 Program 10:45h - SQIsign, one- or two-dimensional? Krijn Reijnders The NIST candidate SQIsign achieves incredibly small signatures and public keys in comparison to all other post-quantum signature schemes. However, signing is currently very slow, and verification is only fast if compared to other isogeny-based protocols. In this talk, we explain SQIsign, and two recent developments. The first development is AprèsSQI, an approach to SQIsign that explores the fastest verification possible at the cost of possibly slowing down signing even mroe. The second development is two-dimensional SQIsign2D, which uses isogenies between higher-dimensional abelian varieties. This achieves much faster signing, and relatively fast verification. Finally, we show our most recent work, which shows that the original, one-dimensional SQIsign verification can alsow be viewed similarly as a higher-dimensional isogeny, and we explore how such an approach is feasible. This talk presents joint work with Maria Corte-Real Santos, Jonathan Komada Eriksen, and Michael Meyer. 11:30 Coffee Break 11:45h Towards formal security proofs for secure multiparty computation Sabine Oeschsner TBA 12:30h Lunch 14:00h Compiling secure computation circuits: From high-level circuits to arithmetic circuits and beyond Jelle Vos A common misconception is that the computational abilities of circuits composed of additions and multiplications are restricted to simple formulas only. Such arithmetic circuits over finite fields are actually capable of computing any function, including equality checks, comparisons, and other highly non-linear operations. While all those functions are computable, the challenge lies in computing them efficiently. We refer to this search problem as arithmetization. The objective in arithmetization has typically been to minimize the number of multiplications (multiplicative size), as multiplications are significantly more expensive to compute than additions. However, the multiplicative depth of a circuit arguably plays an even more important role in deciding the computational cost: For homomorphic encryption, it strongly affects the choice of cryptographic parameters and the number of bootstrapping operations required, which are orders of magnitude more expensive to compute than multiplications. In fact, if we can limit the multiplicative depth of a circuit such that we do not need to perform any bootstrapping, we can omit the large bootstrapping keys required to perform them all together. For secret sharing, the multiplicative depth strongly affects the number of interactions required. We argue that arithmetization should be treated as a multi-objective minimization problem, in which a trade-off can be made between a circuit's multiplicative size and depth. We present such depth-aware arithmetization methods for many primitive operations such as equality checks, comparisons, and ANDs and ORs. We also show how to intelligently compose arithmetized primitives in larger circuits to further trade-off depth and size. We implement these methods in the new Oraqle compiler, which allows non-expert users to generate efficient circuits. 14:45h – Coffee Break 15:00h Distributed homomorphic encryption in practice. Stefan van den Berg We created a pilot with Rabobank, ABN Amro and TNO to combat money laundering. For the pilot we are using homomorphic encryption to share and analyze the transaction network. The key used is generated in a distributed manner between the banks. In the presentation the challenges, both legally and technically, we encountered will be discussed. 15:45h End of activities