Invited Talk 1

Jens Groth,
University College London, United Kingdom,
"Discrete logarithm based zero-knowledge arguments"

Abstract: Sigma-protocols are a special class of 3-move honest-verifier zero-knowledge arguments, which can be used by a prover to convince the verifier of the truth of a statement. Since Schnorr's protocol was introduced more than two decades ago, we have seen the development of simple and efficient Sigma-protocols to solve problems commonly arising in cyclic groups where the discrete logarithm problem is believed to be hard. It is, for instance, simple to prove that two discrete logarithms are equal, that a secret committed value is zero, or that three committed values satisfy the relation that one is the product of the two others. By extending the Sigma-protocol framework, relaxing the special soundness requirement, or increasing the number of rounds, we can get even greater efficiency. We will give an overview of recent techniques we have developed that give very compact, logarithmic-size honest-verifier zero-knowledge arguments for large statements. These statements can be of a specialized nature, such as a committed value being one of many listed values, or of a general nature, such as the satisfiability of an arithmetic circuit.
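
The abstract above describes Sigma-protocols in terms of Schnorr's protocol and the proof that two discrete logarithms are equal. The following is an added worked example, not code from the talk or its author: it implements Schnorr's 3-move protocol (commit, challenge, response) for knowledge of a discrete logarithm, the honest-verifier simulator that demonstrates zero-knowledge, the special-soundness extractor that recovers the witness from two accepting transcripts with the same commitment, and the Chaum-Pedersen variant for equality of discrete logarithms. The group parameters (p = 2039, q = 1019, g = 4) are constructed toy values for readability and are far too small to be secure.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 is a
# square, so it generates the subgroup of prime order q. NOT secure sizes.
P = 2039
Q = 1019
G = 4
K = pow(G, 7, P)  # second generator for the equality-of-dlogs statement


def keygen():
    """Witness x and statement h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Schnorr Sigma-protocol: prove knowledge of x with h = g^x ---------------
def prover_commit():
    """Move 1: prover picks random r and sends a = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, e):
    """Move 3: response z = r + e*x mod q to the verifier's challenge e."""
    return (r + e * x) % Q


def verify(h, a, e, z):
    """Verifier accepts iff g^z == a * h^e."""
    return pow(G, z, P) == (a * pow(h, e, P)) % P


def run_protocol(x, h, e=None):
    """Full 3-move run; e may be fixed for deterministic testing."""
    r, a = prover_commit()
    if e is None:
        e = secrets.randbelow(Q)  # move 2: honest verifier's random challenge
    z = prover_respond(x, r, e)
    return (a, e, z), verify(h, a, e, z)


# --- Honest-verifier zero-knowledge: simulate a transcript without x --------
def simulate(h, e=None):
    """Pick z and e first, then solve for a = g^z * h^(-e); same distribution."""
    if e is None:
        e = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pow(h, e, P), -1, P)) % P
    return a, e, z


# --- Special soundness: two accepting transcripts with the same a yield x ---
def extract(e1, z1, e2, z2):
    """x = (z1 - z2) / (e1 - e2) mod q, valid when e1 != e2 mod q."""
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q


# --- Chaum-Pedersen: prove log_g(h1) == log_k(h2) without revealing x ------
def dlog_eq_prove(x, e=None):
    r = secrets.randbelow(Q)
    a1, a2 = pow(G, r, P), pow(K, r, P)  # same r under both generators
    if e is None:
        e = secrets.randbelow(Q)
    return a1, a2, e, (r + e * x) % Q


def dlog_eq_verify(h1, h2, a1, a2, e, z):
    return (pow(G, z, P) == (a1 * pow(h1, e, P)) % P
            and pow(K, z, P) == (a2 * pow(h2, e, P)) % P)


if __name__ == "__main__":
    x, h = keygen()
    transcript, ok = run_protocol(x, h)
    print("Schnorr accepts:", ok)
    a, e, z = simulate(h)
    print("Simulated transcript verifies:", verify(h, a, e, z))
```

The simulator and the extractor are the two halves of what "Sigma-protocol" means: the simulator shows an honest verifier learns nothing beyond the statement, and the extractor shows a prover that answers two distinct challenges on one commitment must know x. Using the same r for two challenges in a real run is therefore exactly the mistake that leaks the secret.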

Biography: Jens Groth is Professor of Cryptology in the Department of Computer Science at University College London and the Director of UCL's Academic Centre of Excellence in Cyber Security Research. His work revolutionized the area of zero-knowledge proofs with the invention of practical pairing-based non-interactive zero-knowledge proofs, which was recognized early on with the UCLA Chancellor's Award for Postdoctoral Research in 2007. He initiated the use of pairings to construct succinct non-interactive arguments, so-called SNARGs, with minimal communication. He has also invented the world's most efficient verifiable shuffles, which are used as a component of many mix-nets and voting schemes. Other areas of contribution include structure-preserving cryptography, ring signatures and group signatures, private information retrieval, and public key cryptography.

Invited Talk 2

Jung Hee Cheon,
Seoul National University, Korea,
"Multilinear Maps and Their Cryptanalysis"

Abstract: We discuss approximate multilinear maps and their cryptanalysis. After being introduced by Boneh and Silverberg in 2002, multilinear maps were regarded as a source of many interesting cryptographic constructions, including multiparty key exchange and broadcast encryption. It took 10 years to obtain the first plausible candidate, by Garg, Gentry and Halevi (GGH13). Later, two more schemes were suggested, one by Coron, Lepoint and Tibouchi (CLT13) and the other by Gentry, Gorbunov and Halevi (GGH15). They drew a lot of attention and yielded several interesting new cryptographic primitives such as Functional Encryption (FE), indistinguishability Obfuscation (iO) and Key Homomorphic Pseudo Random Functions. However, all of these constructions suffer serious attacks. In this talk, we introduce the recent constructions and describe a polynomial-time cryptanalysis of CLT13, GGH13, and GGH15. As a fix for CLT13, Coron, Lepoint, and Tibouchi proposed another candidate for new multilinear maps over the integers (CLT15) at Crypto 2015. We also describe an attack on CLT15. As a consequence, we have no plausible candidate multilinear maps at this moment. We conclude the talk with an open problem: how to break private multilinear maps, which would lead to an attack on iO schemes.

Biography: Jung Hee Cheon is Professor in the Department of Mathematical Sciences and director of the Cryptographic Hard Problems Research Initiative at Seoul National University (SNU). He received his B.S. and Ph.D. degrees in mathematics from KAIST in 1991 and 1997, respectively. He is particularly known for his work on an efficient algorithm for the strong DH problem. He received the best paper award at Asiacrypt 2008 for improving the Pollard rho algorithm, and the best paper award at Eurocrypt 2015 for attacking multilinear maps. His research interests include computational number theory, cryptography and information security.